ELIMINATING RELIANCE ON SIGNATURES
NO MORE 5-15MB DEFINITION FILE UPDATES, MULTIPLE TIMES PER DAY PER DEVICE
Because it uses Cloud Predictive Intelligence and behavior-based threat analysis, the Webroot SecureAnywhere client does not rely on a heavy signature database on the endpoint that must be updated regularly to maintain protection. It instead relies on advanced heuristics and the Webroot Intelligence Network to make threat determinations and to protect the endpoint. This eliminates the burden that updates place on your endpoints and your network infrastructure, as well as the need to manage signature updates with a dedicated internal server and a rotating schedule.
MINIMAL SYSTEM IMPACT
The Webroot SecureAnywhere Agent is an ultra-light 700KB client designed for significantly better operational speed than other AV solutions.
On disk, it occupies less than 4MB* of space. During scanning, its RAM usage is around 12MB* or less. It is by far the world’s lightest, smallest and most efficient endpoint protection Agent.1
Webroot succeeds where other solutions have failed, with a smaller footprint and faster scanning. It’s an easy-to-manage, time-saving product.
The Webroot SecureAnywhere Agent works by sending file signatures and ancillary data on programs and objects to the Webroot Intelligence Network. It then receives real-time predictions and determinations on whether an object is ‘known’ good, ‘known’ bad, or unknown/undetermined.
The reduction of on-device processing directly contributed to Webroot SecureAnywhere scoring a record 78/80, or 97.5%, in independent performance testing. These tests focused on different performance metrics determined by PassMark Software and compare Webroot SecureAnywhere to seven of the world’s leading AV vendors.
Webroot SecureAnywhere uses a variety of techniques to reduce the impact it has upon local endpoint resources. These include parsing the disk at the RAW level (to maximize scan speeds), minimizing network communication and intelligently tuning its memory usage when resource-intensive applications are detected. This feature is especially useful in traditional and virtualized server environments as well as on PCs.
During the most comprehensive scans, Webroot SecureAnywhere typically sends between 300KB and 2MB of data to the Webroot Intelligence Network for analysis. It normally receives back less than 250KB of data. On average, normal daily operation of the Webroot SecureAnywhere Agent exchanges less than 100KB of data with the Webroot Intelligence Network.
The result of optimizing Agent size, functionality, scanning, communications and interoperability within the endpoint environment is that it’s never obvious to end users that the program is using any CPU or RAM resources, and therefore never gets in their way.
Such low resource usage also permits Webroot SecureAnywhere to run concurrent scans, or effortlessly scale and run on virtual machines operating within a single physical server - without any disruption.
This low system impact also improves security, as Administrators may schedule regular security scans during the working day without impacting a user’s ability to keep using their machine; something not achievable with other solutions.
CLOUD PREDICTIVE INTELLIGENCE
While we were using a competitor's product, we were averaging at least one infection each month. I'd have to determine the infection type and attempt to remove it - but sometimes removal wouldn't work and I'd have to either re-create the user account on the PC to restore to a previous point or do a clean install. The process could take anywhere from one to five hours for each event.
Cloud Predictive Intelligence is the method Webroot uses to assess whether existing, new or changed files and processes are safe to run on a user’s machine.
When the Webroot SecureAnywhere Agent is first installed, it scans the endpoint to build a local cache of all the files and processes already present. It then continuously monitors for new or changed files that are attempting, or are poised, to execute. Files are instantaneously validated against the Webroot Intelligence Network to make a categorization as ‘known good’ or ‘known bad’. If a determination of ‘known good’ or ‘known bad’ cannot be made, files go into a third category: ‘unknown/undetermined’.
The Cloud Predictive Intelligence process flow for a 'known bad' file
The Cloud Predictive Intelligence process flow for a 'known good' file
How it Works
When a new file is identified or an existing file is changed, a file hash is created on the local endpoint. That hash is then encrypted and securely sent to the Webroot Intelligence Network.
If the Webroot Intelligence Network has seen the file before, and it is ‘known good’, the determination is sent back to the endpoint and the file is allowed to execute.
If the Webroot Intelligence Network has seen the file before, and makes a ‘known bad’ determination, the file is immediately quarantined and blocked from being able to execute.
The Cloud Predictive Intelligence process flow for an 'unknown/undetermined' file
The most significant risk to endpoints is from newly released malware, also known as a zero-day threat. In this scenario, the file has never been seen before, so the Webroot Intelligence Network is unable to make an instantaneous determination based on the file hash alone. Rather than assuming the file is harmless simply because it is not ‘known bad’, the Agent performs a trial execution of the file in a local sandbox to observe which other files it touches, what changes it makes, and what network activity it attempts, without compromising the endpoint. The behaviors observed during this sandboxed execution are then analyzed in more detail and matched against the Webroot Intelligence Network’s database of behavioral rule sets.
If a definitive determination is still not possible based on the observed behavior, the file is allowed to run on the endpoint. Full monitoring and journaling runs alongside all the other Webroot security shields until the file can be clearly identified as ‘known good’ or ‘known bad’. Even though the file has been allowed to execute, any individual action that matches known malware behavior is blocked immediately.
When the Webroot Intelligence Network has enough information about the file to accurately identify it as ‘known bad’, it blocks any further execution, quarantines the file, and rolls back the changes recorded in the journal since the file was first identified on the endpoint, restoring the machine to its pre-infection state. Rollback covers changes recorded in the journal on the endpoint itself; it cannot undo actions that have already left the endpoint, such as data sent over the network before the determination was made.
Strength in Numbers
Additionally, if a file is determined as 'known bad', all other endpoints in the network that might encounter this program are automatically protected as well because the file hash is updated in the Webroot Intelligence Network. This means the next time that file is seen, there is no need to do a behavioral analysis or journaling, because the file hash will immediately be identified as malware upon the first check.
Safeguards Against False Positives
If a file has been determined as ‘known bad’ by the Webroot Intelligence Network but is being run intentionally in an environment, administrators can set an override to allow its continued use. For instance, a keylogger may have been legitimately deployed within a network for IT or development work. Webroot SecureAnywhere is likely to classify such a file as ‘known bad’ because it exhibits the same behaviors as a malicious keylogger, which would be an inaccurate determination for that specific set of users. With Webroot SecureAnywhere, an administrator can immediately override a ‘known bad’ determination with a few mouse clicks from within the web management console and re-classify the file as ‘known good’ for their network.
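The decision flow described in the preceding sections (hash lookup against the cloud, sandbox verdict for never-seen files, journaled execution with rollback on later conviction, sharing of a new ‘known bad’ hash with other endpoints, and the administrator override for false positives) is modelled below as an added Python example. This is illustrative code written for this page, not Webroot’s Agent or API; the reputation table, behavior names, file contents and the in-memory filesystem are all constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

KNOWN_GOOD, KNOWN_BAD, UNKNOWN = "known good", "known bad", "unknown/undetermined"

# Constructed stand-in for the cloud reputation service: sha256 hex -> verdict.
# Two sample "files" are seeded; anything else starts out unknown.
CLOUD_REPUTATION = {
    hashlib.sha256(b"MZ legit-updater").hexdigest(): KNOWN_GOOD,
    hashlib.sha256(b"MZ old-trojan").hexdigest(): KNOWN_BAD,
}

# Constructed behavioral rule set: any of these seen in the sandbox is definitive.
MALICIOUS_BEHAVIOURS = {"hooks_keyboard", "disables_av", "injects_into_process"}


@dataclass
class Endpoint:
    """One endpoint: a fake filesystem plus the agent's local state."""
    cloud: dict                                     # shared reputation table
    overrides: dict = field(default_factory=dict)   # admin re-classifications
    fs: dict = field(default_factory=dict)          # path -> bytes
    quarantine: set = field(default_factory=set)
    journal: dict = field(default_factory=dict)     # file hash -> [(path, old)]

    @staticmethod
    def file_hash(data):
        return hashlib.sha256(data).hexdigest()

    def lookup(self, h):
        # A local administrator override takes precedence over the cloud verdict.
        if h in self.overrides:
            return self.overrides[h]
        return self.cloud.get(h, UNKNOWN)

    def run(self, path, data, sandbox_behaviours, runtime_writes):
        """sandbox_behaviours: what a trial execution observed (constructed).
        runtime_writes: (path, bytes) changes the file makes when allowed to run."""
        h = self.file_hash(data)
        verdict = self.lookup(h)
        if verdict == KNOWN_BAD:
            self.quarantine.add(path)
            return "blocked"
        if verdict == KNOWN_GOOD:
            self._apply(h, runtime_writes, journal=False)
            return "allowed"
        # Never seen before: consult the sandbox result against the rule set.
        if MALICIOUS_BEHAVIOURS & set(sandbox_behaviours):
            self.cloud[h] = KNOWN_BAD        # publish so other endpoints skip the sandbox
            self.quarantine.add(path)
            return "blocked"
        # Still undetermined: allow it, but journal every change it makes.
        self._apply(h, runtime_writes, journal=True)
        return "allowed (monitored)"

    def _apply(self, h, writes, journal):
        for p, new in writes:
            if journal:
                self.journal.setdefault(h, []).append((p, self.fs.get(p)))
            self.fs[p] = new

    def convict(self, path, data):
        """Cloud later decides 'known bad': block, quarantine, replay journal backwards."""
        h = self.file_hash(data)
        self.cloud[h] = KNOWN_BAD
        self.quarantine.add(path)
        for p, old in reversed(self.journal.pop(h, [])):
            if old is None:
                self.fs.pop(p, None)    # file did not exist before: remove it
            else:
                self.fs[p] = old        # restore previous content


def scenario():
    """Walk a fresh endpoint through the paths described in the text."""
    ep = Endpoint(cloud=dict(CLOUD_REPUTATION))
    ep.fs["C:/Users/alice/report.docx"] = b"quarterly numbers"
    r = {}
    # 1. known good: runs at once, its writes are not journaled
    r["good"] = ep.run("updater.exe", b"MZ legit-updater", [], [("C:/app/ver.txt", b"2.0")])
    # 2. known bad: quarantined before it can execute
    r["bad"] = ep.run("trojan.exe", b"MZ old-trojan", [], [])
    # 3. zero-day with a conclusive sandbox verdict; a second endpoint then blocks on hash alone
    r["zero_day"] = ep.run("kl.exe", b"MZ new-keylogger", ["hooks_keyboard"], [])
    r["zero_day_elsewhere"] = Endpoint(cloud=ep.cloud).run("kl.exe", b"MZ new-keylogger", [], [])
    # 4. zero-day with an inconclusive sandbox: allowed and journaled, later convicted and rolled back
    enc = b"MZ new-encryptor"
    r["undetermined"] = ep.run("inv.exe", enc, ["reads_documents"],
                               [("C:/Users/alice/report.docx", b"ENCRYPTED"),
                                ("C:/Users/alice/README.txt", b"pay")])
    ep.convict("inv.exe", enc)
    r["restored"] = ep.fs["C:/Users/alice/report.docx"]
    r["note_gone"] = "C:/Users/alice/README.txt" not in ep.fs
    # 5. administrator override: the keylogger is re-classified as good for this network
    ep.overrides[Endpoint.file_hash(b"MZ new-keylogger")] = KNOWN_GOOD
    r["override"] = ep.run("kl.exe", b"MZ new-keylogger", [], [])
    return r
```

The journal stores the previous content of every path an undetermined file touches, so rollback is a reverse replay of that list; the same structure shows why changes outside the endpoint (network sends) have nothing to replay. The override is checked before the cloud verdict, which is the order the false-positive safeguard requires.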
NO DEFINITION UPDATES
With the Webroot SecureAnywhere Agent, there are no local signature definition updates, so user productivity is never impacted by recurring updates.
Our light impact on system resources also means that Administrators can schedule regular security scans during the working day without impacting the user’s ability to use their machine; something that’s impossible with most other solutions.
Definition Updates ‘In the cloud’
Usually, there is a lot of management involved but this is much simpler. Now, it’s just automatic.
Webroot SecureAnywhere maintains all threat updates at the cloud level within the Webroot Intelligence Network, so every Webroot SecureAnywhere user world-wide is instantly protected at exactly the same time.
This collective approach has several substantial benefits that turn into significant cost savings in person-hours, hardware, software and bandwidth.
Most importantly from a prevention and compliance perspective, every user is continually up-to-date when they are connected to the Internet and at the greatest risk. However, separately configurable Offline policies ensure they are fully protected when offline too.
There are no longer operational risks such as ‘blue screens’ caused by a corrupt definition update, or the unplanned compatibility changes such updates can produce. Network bandwidth is also minimized, as there is no longer any need to distribute large definition update files that can consume 5MB+ per day. Plus, IT saves time by never having to test and administer new updates. There is also no need to maintain or pay for on-premise servers dedicated to AV signature definitions.
Eliminating definition updates represents a huge advance in the design of antivirus technology and one that is unique to Webroot SecureAnywhere.