STOPPING ZERO DAY THREATS
PROTECTION FROM EMERGING THREATS
Webroot’s cloud-based approach significantly decreases the window of vulnerability that exists with traditional endpoint security. Webroot delivers real-time protection against all types of malicious threats, from when an exploit is released to when it is detected. If a Zero Day threat does make it onto a machine, journaling and rollback ensure that no permanent damage is done. And more importantly, as soon as a Zero Day threat is detected on one endpoint protected by Webroot, every other machine in the world is immediately protected from ever encountering it again by being connected to the Webroot Intelligence Network.
- RELATED FEATURES:
- Journaling, Monitoring and Rollback | Cloud Predictive Intelligence
JOURNALING, MONITORING AND ROLLBACK
I've found the rollback feature to be really interesting and useful. Usually, there is a lot of management involved but this is much simpler. Now, it's just automatic.
A unique capability that sets Webroot SecureAnywhere apart from every other antivirus solution is the way unknown or ‘undetermined’ malware is handled, and the automatic remediation that is provided to ensure endpoint protection.
If a brand new program is introduced to an endpoint protected by Webroot SecureAnywhere, and it has no existing relationship to anything else on that machine, then local heuristics and other defenses are automatically applied to make a good or bad determination.
This logic will automatically block virtually every threat. However, in the rare case that a threat does get through the heuristics, sandbox, and other defenses, the ongoing journaling and monitoring of behavior ensures it cannot do any permanent damage to a user’s machine.
For example, if a suspicious or undetermined program has passed the several layers of local and Webroot Intelligence Network checks, it is monitored extremely closely, and watched to see which files, registry keys and memory locations it alters.
The journaling function then records and remembers the before and after state of each change made. If a monitored program is later found to be behaving maliciously, Webroot SecureAnywhere can step-in to block and quarantine it, alert the user and administrator, and proceed to automatically clean-up the threat.
This ability to safely defer a decision reduces false positive and false negative categorizations, and comes into play when Webroot SecureAnywhere is not sure if a program is potentially ‘suspicious’ or ‘bad’. Other AV solutions only make good or bad determinations and have no journaling or rollback, so any remediation is standardized and likely to be ineffective.
The inability of legacy solutions to offer individualized and tailored protection often results in administrators having to re-image infected machines. This causes huge losses in productivity and man-time. On the other hand, Webroot SecureAnywhere’s rollback process ensures every change made to that particular machine by a piece of malware is reversed, getting the endpoint back to its prior pre-infected state. This results in fewer endpoints needing to be reimaged due to missing or changed files that cause the machine to operate in an unstable or unsafe way.
Legacy endpoint security solutions do not incorporate monitoring and journaling, so even if they do offer post-infection remediation, they often cannot fully restore the endpoint to its pre-infected state.
CLOUD PREDICTIVE INTELLIGENCE
While we were using a competitor's product, we were averaging at least one infection each month. I'd have to determine the infection type and attempt to remove it - but sometimes removal wouldn't work and I'd have to either re-create the user account on the PC to restore to a previous point or do a clean install. The process could take anywhere from one to five hours for each event.
Cloud Predictive Intelligence is the method Webroot uses to assess whether existing, new or changed files and processes are safe to run on a user’s machine.
When the Webroot SecureAnywhere Agent is first installed, it scans the endpoint to build a local cache of all the files and processes already present. It then continuously monitors for new or changed files that are attempting, or are poised, to execute. Files are instantaneously validated against the Webroot Intelligence Network to make a categorization as ‘known good’ or ‘known bad’. If a determination of ‘known good’ or ‘known bad’ cannot be made, files go into a third category: ‘unknown/undetermined’.
The Cloud Predictive Intelligence process flow for a 'known bad' file
The Cloud Predictive Intelligence process flow for a 'known good' file
How it Works
When a new file is identified or an existing file is changed, a file hash is created on the local endpoint. That hash is then encrypted and securely sent to the Webroot Intelligence Network.
If the Webroot Intelligence Network has seen the file before, and it is ‘known good’, the determination is sent back to the endpoint and the file is allowed to execute.
If the Webroot Intelligence Network has seen the file before, and makes a ‘known bad’ determination, the file is immediately quarantined and blocked from being able to execute.
The Cloud Predictive Intelligence process flow for an 'unknown/undetermined' file
The most significant risk to endpoints is from newly released malware, also known as a Zero Day threat. In this scenario, the file has never been seen before, so the Webroot Intelligence Network is unable to make an instantaneous determination based on the file hash alone. Rather than simply assuming the file is a non-threat because the file is not ‘known bad’, the agent does a trial execution of the file within a Sandbox on the local Agent to examine what other files are touched, any changes that are made, and any network activity that is attempted without compromising the endpoint. The behaviors from this pseudo-execution are analyzed in more detail and matched against the Webroot Intelligence Network’s database of behavioral rule sets.
If a definitive determination is still not possible based on the behavior, the file is then allowed to run on the endpoint. Full monitoring and journaling runs alongside all the other Webroot security shields until the new file can be clearly identified as ‘known good’ or ‘known bad’. Any behaviors that exhibit malware behaviors are immediately blocked despite the allowed file execution.
When the Webroot Intelligence Network has enough information about the file to accurately identify it as ‘known bad’, it will block any further execution, quarantine the file, and roll back any changes that have been made based on the information journaled since the file was first identified on the endpoint. This will restore the machine to the pre-infection state.
Strength in Numbers
Additionally, if a file is determined as 'known bad', all other endpoints in the network that might encounter this program are automatically protected as well because the file hash is updated in the Webroot Intelligence Network. This means the next time that file is seen, there is no need to do a behavioral analysis or journaling, because the file hash will immediately be identified as malware upon the first check.
Safeguards Against False Positives
If a file has been determined as ‘known bad’ by the Webroot Intelligence Network, but is being run intentionally in an environment, administrators have the ability to set an override to allow its continued use. For instance, a keylogger may have been legitimately deployed within a network for IT or development work. Webroot SecureAnywhere is likely to classify this type of file as ‘known bad’ since it exhibits malicious keylogger behaviors. This would be an inaccurate determination for a specific set of users in this environment. With Webroot SecureAnywhere, an administrator is able to immediately override a ‘known bad’ determination with a few mouse clicks from within the web management console and re-classify the file as ‘known good’ for their network.
We take our security and the welfare and protection of our employees very seriously. Webroot enables us to fulfill our role as guardians of our firm's Web security, and to carry it out as simply and effectively as possible.
Webroot SecureAnywhere is at its most effective when online and connected to the Webroot Intelligence Network; however, it also provides significant offline protection as well.
If a new program is introduced when offline, for example via a USB stick, Webroot SecureAnywhere’s advanced heuristics review the file. Then, if it fails inspection, it is immediately quarantined if there are telltale attributes of malware. By applying this local offline security logic, Webroot SecureAnywhere blocks many threats automatically. However, in the event that a threat does get past the heuristics, the behavior monitoring shield ensures it cannot do any real damage. The behavior monitoring shield means that the program will be allowed to execute, but that every action it performs is meticulously journaled. If the program is later deemed as malicious, all the changes made by the program will be rolled back. Then the machine is restored to its pre-infected state with no further action needed.
Offline security protects endpoints by utilizing
Webroot's Advanced Heuristics
If a suspicious program tries to modify the system in a way that couldn't be repaired, then the change is automatically blocked and the administrator is notified when the endpoint is back online. Also, if any similar infections (i.e. a mutated version of the infection) are introduced to the system while it’s offline, they will be blocked. Webroot SecureAnywhere’s local protection is able to evaluate the overall flow and layout of a program rather than its exact checksum.
Webroot SecureAnywhere doesn’t solely rely upon being online to protect endpoints. And because of its behavioral monitoring, journaling, and rollback it protects an offline endpoint far better than a solution that relies on a signature database and offers no remediation.