USING FORENSICS AND ROLLBACK
UNMATCHED REMEDIATION AND GREATER FORENSIC VISIBILITY
Webroot’s journaling and rollback feature allows Webroot SecureAnywhere to have more granular insight into malware dwell time than any other provider can offer. This allows administrators greater control when remediating infected endpoints or determining the origin of an infection, as well as the ability to restore any program back to a previous state.
RELATED FEATURES:
- Journaling, Monitoring and Rollback
- Agent Visibility and Control
- Management Console Reporting
JOURNALING, MONITORING AND ROLLBACK
I've found the rollback feature to be really interesting and useful. Usually, there is a lot of management involved but this is much simpler. Now, it's just automatic.
A unique capability that sets Webroot SecureAnywhere apart from every other antivirus solution is the way unknown or ‘undetermined’ malware is handled, and the automatic remediation that is provided to ensure endpoint protection.
If a brand new program is introduced to an endpoint protected by Webroot SecureAnywhere, and it has no existing relationship to anything else on that machine, then local heuristics and other defenses are automatically applied to make a good or bad determination.
This logic will automatically block virtually every threat. However, in the rare case that a threat does get through the heuristics, sandbox, and other defenses, the ongoing journaling and monitoring of behavior ensures it cannot do any permanent damage to a user’s machine.
For example, if a suspicious or undetermined program has passed the several layers of local and Webroot Intelligence Network checks, it is monitored extremely closely, and watched to see which files, registry keys and memory locations it alters.
The journaling function then records and remembers the before and after state of each change made. If a monitored program is later found to be behaving maliciously, Webroot SecureAnywhere can step in to block and quarantine it, alert the user and administrator, and proceed to automatically clean up the threat.
This ability to safely defer a decision reduces false positive and false negative categorizations, and comes into play when Webroot SecureAnywhere is not sure if a program is potentially ‘suspicious’ or ‘bad’. Other AV solutions only make good or bad determinations and have no journaling or rollback, so any remediation is standardized and likely to be ineffective.
The inability of legacy solutions to offer individualized and tailored protection often results in administrators having to re-image infected machines. This causes huge losses in productivity and man-time. On the other hand, Webroot SecureAnywhere’s rollback process ensures every change made to that particular machine by a piece of malware is reversed, getting the endpoint back to its prior pre-infected state. This results in fewer endpoints needing to be reimaged due to missing or changed files that cause the machine to operate in an unstable or unsafe way.
Legacy endpoint security solutions do not incorporate monitoring and journaling, so even if they do offer post-infection remediation, they often cannot fully restore the endpoint to its pre-infected state.
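The journaling and rollback mechanism described above can be illustrated with a small simulation. The following is an added example, not Webroot code: it models files and registry values as one key/value store, records the before state of every write or delete a monitored program makes, and reverses the journal newest-first. The scenario (a hosts file edited twice, a new Run key, a deleted user document) and all paths and values are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class JournalEntry:
    """One recorded change: the entry's state before and after the write.
    None on either side means "did not exist" / "was deleted"."""
    key: str
    before: Optional[bytes]
    after: Optional[bytes]


@dataclass
class ChangeJournal:
    """Hypothetical journal wrapped around a monitored process's writes.
    `store` stands in for files and registry values alike, keyed by path."""
    store: Dict[str, bytes]
    entries: List[JournalEntry] = field(default_factory=list)

    def write(self, key: str, data: bytes) -> None:
        self.entries.append(JournalEntry(key, self.store.get(key), data))
        self.store[key] = data

    def delete(self, key: str) -> None:
        self.entries.append(JournalEntry(key, self.store.get(key), None))
        self.store.pop(key, None)

    def rollback(self) -> int:
        """Undo every journaled change, newest first. Walking backwards means
        repeated writes to one key end at its original value, keys the
        process created are removed, and keys it deleted are recreated."""
        count = 0
        for entry in reversed(self.entries):
            if entry.before is None:
                self.store.pop(entry.key, None)   # created by the process: remove
            else:
                self.store[entry.key] = entry.before  # modified or deleted: restore
            count += 1
        self.entries.clear()
        return count


HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
DOC = r"C:\Users\alice\Documents\report.docx"


def simulate_infection_and_rollback():
    """Constructed scenario: an undetermined binary tampers with an endpoint
    while being monitored. Returns (clean, infected, restored, changes_reversed)
    so the three snapshots can be compared."""
    clean = {
        HOSTS: b"127.0.0.1 localhost",
        RUN_KEY + r"\Updater": b"updater.exe",
        DOC: b"quarterly numbers",
    }
    journal = ChangeJournal(store=dict(clean))
    # Constructed tampering, all of it journaled:
    journal.write(RUN_KEY + r"\svchost_helper", b"C:\\Temp\\dropper.exe")  # new key
    journal.write(HOSTS, b"127.0.0.1 updates.example")   # first edit of hosts
    journal.write(HOSTS, b"0.0.0.0 updates.example")     # second edit, same key
    journal.delete(DOC)                                  # user file deleted
    infected = dict(journal.store)
    reversed_changes = journal.rollback()
    return clean, infected, dict(journal.store), reversed_changes
```

The point to take from the rollback loop is the ordering: if the journal were replayed oldest-first, the hosts file would be left at its first tampered value rather than the original, which is exactly the partial restore the text attributes to legacy remediation.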
AGENT VISIBILITY AND CONTROL
The console is very easy to navigate and is very quick to browse, giving visibility of all systems quickly with a lot of customized features.
Overrides empower Administrators by giving them the control to override automated file determinations made by the Webroot Intelligence Network. Overrides can be applied to the entire organization or to an individual policy that only affects a subset of users.
For example, if an administrator decides that their users should not be allowed to use a specific program, such as torrent software, the administrator can use an override to flag the file as ‘Bad’ during scans and quarantine it. This allows administrators to stop endpoints from running undesirable applications.
Alternatively, if corporate policies change or a blocked application needs to be restored, administrators also have the ability to reverse any overrides and restore the files from quarantine.
Overrides may be applied from several locations within Webroot SecureAnywhere:
- From the Overrides tab in the Management Console
- From the Group Management tab in the Management Console
- From the Reports tab in the Management Console
- From any area of the Management Console that offers the ‘Create override’ option flag
As stated above, overrides may be applied globally or to individual policies. For example, a file (identified by its MD5 hash) might be treated as ‘Bad’ at the global level and ‘Good’ at the individual policy level. A real-world example would be a keylogger program that the IT department legitimately uses to support financial-compliance audits in a trading room, but which would be considered malicious if active on any other department’s endpoints.
Overrides are also a powerful way of blocking attacks, since an administrator is immediately in a position to stop applications that have been compromised or are causing the spread of an infection.
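The global-versus-policy override layering and the restore-from-quarantine reversal described in this section can be modelled as a small resolver. This is an added example, not Webroot code: it assumes a policy-level entry takes precedence over the organisation-wide entry for endpoints on that policy, that an explicit override beats the cloud verdict, and that a file with no verdict at all is ‘Undetermined’ and therefore run under monitoring. The hashes are MD5s of placeholder byte strings, the policy names and the stand-in cloud verdict table are constructed.

```python
import hashlib
from enum import Enum
from typing import Dict, Optional


class Determination(Enum):
    GOOD = "Good"
    BAD = "Bad"
    UNDETERMINED = "Undetermined"


# Constructed sample hashes: MD5 of placeholder bytes, not real samples.
KEYLOGGER_MD5 = hashlib.md5(b"constructed: compliance keylogger").hexdigest()
TORRENT_MD5 = hashlib.md5(b"constructed: torrent client").hexdigest()
UNKNOWN_MD5 = hashlib.md5(b"constructed: never-seen binary").hexdigest()

# Stand-in for the cloud's file determinations (constructed).
CLOUD_VERDICTS: Dict[str, Determination] = {
    KEYLOGGER_MD5: Determination.BAD,
    TORRENT_MD5: Determination.GOOD,
}


class OverrideTable:
    """Hypothetical override store: one organisation-wide table plus one
    table per policy. Assumption: a policy-level entry wins over the
    global one for endpoints on that policy."""

    def __init__(self) -> None:
        self.global_overrides: Dict[str, Determination] = {}
        self.policy_overrides: Dict[str, Dict[str, Determination]] = {}

    def set_global(self, md5: str, det: Determination) -> None:
        self.global_overrides[md5.lower()] = det

    def set_policy(self, policy: str, md5: str, det: Determination) -> None:
        self.policy_overrides.setdefault(policy, {})[md5.lower()] = det

    def remove(self, md5: str, policy: Optional[str] = None) -> bool:
        """Reverse an override (the restore-from-quarantine flow).
        Returns True if an override actually existed at that level."""
        table = self.policy_overrides.get(policy, {}) if policy else self.global_overrides
        return table.pop(md5.lower(), None) is not None

    def resolve(self, md5: str, policy: str,
                cloud: Dict[str, Determination]) -> Determination:
        """Precedence: policy override > global override > cloud verdict."""
        md5 = md5.lower()
        for table in (self.policy_overrides.get(policy, {}),
                      self.global_overrides, cloud):
            if md5 in table:
                return table[md5]
        return Determination.UNDETERMINED


def action_for(det: Determination) -> str:
    """Bad is quarantined, Good is allowed, anything else runs under
    journaling and monitoring until a determination can be made."""
    return {Determination.BAD: "quarantine",
            Determination.GOOD: "allow"}.get(det, "monitor")


def build_example_table() -> OverrideTable:
    """The trading-room keylogger scenario from the text, plus a banned
    torrent client, as constructed override entries."""
    t = OverrideTable()
    t.set_global(TORRENT_MD5, Determination.BAD)      # banned org-wide despite Good cloud verdict
    t.set_global(KEYLOGGER_MD5, Determination.BAD)    # Bad everywhere...
    t.set_policy("trading-floor-it", KEYLOGGER_MD5, Determination.GOOD)  # ...except this policy
    return t
```

Because `resolve` consults the policy table first, the same keylogger hash yields ‘Good’ for an endpoint on the `trading-floor-it` policy and ‘Bad’ for one on any other policy; removing the global torrent override falls straight through to the cloud verdict, which is what restoring a mistakenly quarantined file amounts to.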
MANAGEMENT CONSOLE REPORTING
Because of the Web-based Management Console, we only need to designate one person to be in charge of managing the system. They can print many different types of reports and then they provide a detailed report which we review and discuss at our monthly security meeting - our management team loves it!
The endpoint reporting within Webroot SecureAnywhere aims to provide highly interactive drill-down visibility into the status of all endpoints. However, it also plays another role by allowing the administrator to directly create policy overrides. This ability to immediately interact with endpoints greatly simplifies management and allows administrators to work proactively.
The management console reporting immediately shows administrators if there are any threats or unidentified software on their network, as well as every version of Webroot SecureAnywhere running on their endpoints. All reports are fully interactive and presented by default in a graphical form. However, administrators may also export the data into a .csv file for external analysis, or as a .pdf for sharing with others.
The management console comes with a number of pre-built reports that can be further customized around variables such as date ranges, included endpoints and more.
The Agent Version Spread Report shows the versions of Webroot SecureAnywhere that are being used in each user group, and the total number of endpoints using each version.
An additional endpoint report - the Agents Installed Report - allows Administrators to filter installed Agents by date, and it is especially useful during deployment to ensure Agents have populated all the desired endpoints.
The All Threats Seen Report shows all threats that were seen on all the endpoints and details about each threat.
From this report, administrators can create an override by selecting a threat from the list and then clicking ‘Create override’. Similarly, if any files have been mistakenly quarantined, administrators can select them from this report and click ‘Restore this file from Quarantine’ so the files will be released as ‘Known Good’.
The All Undetermined Software Seen Report shows any processes or applications that have not been categorized by the Webroot Intelligence Network. It is useful for highlighting potential threats and from this report the administrator can select items and either block or allow them by clicking on the ‘Create override’ flag.
The console also includes an Endpoints with Undetermined Software on Last Scan Report which shows any endpoints that have been flagged as having undetermined software during their most recent scan.
The Endpoints with Threats on Last Scan Report shows all endpoints that have reported threats. This is the most important report when quantifying and remediating any infected endpoints. The administrator can view additional details specific to any endpoint.
The Threat History (Collated) Report provides a summary of the threats found on all endpoints and the number of programs blocked on all endpoints, based upon the date range chosen.
There is also a Threat History (Daily) Report which produces a date range summary of all the threats found on all endpoints.