Webroot SecureAnywhere® employs heuristics that not only rank potential threats on age and popularity, but also on their behavior. This adds tremendous depth to the rapid characterization of malware. Additionally, Webroot SecureAnywhere allows administrators to tune heuristics to suit the environment and user activity, allowing for different levels of sensitivity when using external media like USB sticks or CD/DVDs, or when the endpoint is offline.
Webroot offers security that is far superior to anything else on the market.
Webroot SecureAnywhere®’s heuristics settings allow administrators to adjust the level of heuristic threat analysis that is performed when an endpoint is scanned (on or offline). They can also be adjusted for analyzing any newly introduced programs as they run.
Heuristic setting are adjustable for:
Flexible heuristics settings can be tuned to meet your needs
Unlike the fixed heuristics settings found in other endpoint solutions, Webroot SecureAnywhere’s heuristic threat analysis settings are flexible. They may be tailored to suit individual policy needs and also provide granular control over how new programs are analyzed. Three types of heuristic scans are available, and each offers five levels of protection ranging from disabled to maximum.
We take our security and the welfare and protection of our employees very seriously. Webroot enables us to fulfill our role as guardians of our firm's Web security, and to carry it out as simply and effectively as possible.
Webroot SecureAnywhere® is at its most effective when online and connected to the Webroot Intelligence Network; however, it also provides significant offline protection as well.
If a new program is introduced when offline, for example via a USB stick, Webroot SecureAnywhere’s advanced heuristics review the file. Then, if it fails inspection, it is immediately quarantined if there are telltale attributes of malware. By applying this local offline security logic, Webroot SecureAnywhere blocks many threats automatically. However, in the event that a threat does get past the heuristics, the behavior monitoring shield ensures it cannot do any real damage. The behavior monitoring shield means that the program will be allowed to execute, but that every action it performs is meticulously journaled. If the program is later deemed as malicious, all the changes made by the program will be rolled back. Then the machine is restored to its pre-infected state with no further action needed.
Offline security protects endpoints by utilizing
Webroot's Advanced Heuristics
If a suspicious program tries to modify the system in a way that couldn't be repaired, then the change is automatically blocked and the administrator is notified when the endpoint is back online. Also, if any similar infections (i.e. a mutated version of the infection) are introduced to the system while it’s offline, they will be blocked. Webroot SecureAnywhere’s local protection is able to evaluate the overall flow and layout of a program rather than its exact checksum.
Webroot SecureAnywhere doesn’t solely rely upon being online to protect endpoints. And because of its behavioral monitoring, journaling, and rollback it protects an offline endpoint far better than a solution that relies on a signature database and offers no remediation.
While we were using a competitor's product, we were averaging at least one infection each month. I'd have to determine the infection type and attempt to remove it - but sometimes removal wouldn't work and I'd have to either re-create the user account on the PC to restore to a previous point or do a clean install. The process could take anywhere from one to five hours for each event.
Cloud Predictive Intelligence is the method Webroot® uses to assess whether existing, new or changed files and processes are safe to run on a user’s machine.
When the Webroot SecureAnywhere® Agent is first installed, it scans the endpoint to build a local cache of all the files and processes already present. It then continuously monitors for new or changed files that are attempting, or are poised, to execute. Files are instantaneously validated against the Webroot Intelligence Network to make a categorization as ‘known good’ or ‘known bad’. If a determination of ‘known good’ or ‘known bad’ cannot be made, files go into a third category: ‘unknown/undetermined’.
The Cloud Predictive Intelligence process flow for a 'known bad' file
The Cloud Predictive Intelligence process flow for a 'known good' file
When a new file is identified or an existing file is changed, a file hash is created on the local endpoint. That hash is then encrypted and securely sent to the Webroot Intelligence Network.
If the Webroot Intelligence Network has seen the file before, and it is ‘known good’, the determination is sent back to the endpoint and the file is allowed to execute.
If the Webroot Intelligence Network has seen the file before, and makes a ‘known bad’ determination, the file is immediately quarantined and blocked from being able to execute.
The Cloud Predictive Intelligence process flow for an 'unknown/undetermined' file
The most significant risk to endpoints is from newly released malware, also known as a Zero Day threat. In this scenario, the file has never been seen before, so the Webroot Intelligence Network is unable to make an instantaneous determination based on the file hash alone. Rather than simply assuming the file is a non-threat because the file is not ‘known bad’, the agent does a trial execution of the file within a Sandbox on the local Agent to examine what other files are touched, any changes that are made, and any network activity that is attempted without compromising the endpoint. The behaviors from this pseudo-execution are analyzed in more detail and matched against the Webroot Intelligence Network’s database of behavioral rule sets.
If a definitive determination is still not possible based on the behavior, the file is then allowed to run on the endpoint. Full monitoring and journaling runs alongside all the other Webroot security shields until the new file can be clearly identified as ‘known good’ or ‘known bad’. Any behaviors that exhibit malware behaviors are immediately blocked despite the allowed file execution.
When the Webroot Intelligence Network has enough information about the file to accurately identify it as ‘known bad’, it will block any further execution, quarantine the file, and roll back any changes that have been made based on the information journaled since the file was first identified on the endpoint. This will restore the machine to the pre-infection state.
Additionally, if a file is determined as 'known bad', all other endpoints in the network that might encounter this program are automatically protected as well because the file hash is updated in the Webroot Intelligence Network. This means the next time that file is seen, there is no need to do a behavioral analysis or journaling, because the file hash will immediately be identified as malware upon the first check.
If a file has been determined as ‘known bad’ by the Webroot Intelligence Network, but is being run intentionally in an environment, administrators have the ability to set an override to allow its continued use. For instance, a keylogger may have been legitimately deployed within a network for IT or development work. Webroot SecureAnywhere is likely to classify this type of file as ‘known bad’ since it exhibits malicious keylogger behaviors. This would be an inaccurate determination for a specific set of users in this environment. With Webroot SecureAnywhere, an administrator is able to immediately override a ‘known bad’ determination with a few mouse clicks from within the web management console and re-classify the file as ‘known good’ for their network.
We are saving users from being infected, which is a boost in productivity for everyone. It simply works and does what it says it does. You can't ask for more than that!
Conventional endpoint firewalls require the user or administrator to decide whether a program may access the Internet - Webroot SecureAnywhere® does it differently.
Webroot SecureAnywhere integrates a completely new outbound firewall helper that offers additional capabilities to protect and analyze all outbound connections and manage all outbound application traffic. This intelligent outbound firewall functionality considerably enhances the existing inbound protection offered by the Windows Firewall. It automatically monitors all outbound traffic and blocks illegitimate call home and other types of malware communication - thus immediately stopping them from successfully extracting and stealing data.
This intelligent firewall functionality is managed via the local Agent and by using the Webroot Intelligence Network to validate the legitimacy of outbound traffic communications. It taps into this real-time automated decision making to avoid errors or pestering users with requests for online access from applications that they know nothing about.
By taking firewall decisions about outbound application communication away from the users, we minimize firewall request popups, and prevent user judgment errors that lead to endpoint infections. This approach to firewall management is another unique way that we leverage the benefits of the Webroot Intelligence Network in a very practical, time-saving, yet secure way. And by having the combined capabilities of the Webroot and Windows Firewalls, your endpoint data has reliable inbound and outbound data loss prevention.
The Intelligent Outbound Firewall offers additional security by protecting and analyzing outbound connections and managing application traffic.