The cloud-based Webroot® Intelligence Network™ forms the foundation of our real-time threat detection capabilities. Webroot's cloud-based database was initially seeded with over 50 terabytes of threat data and grows daily. It delivers real-time protection against all known threats and eliminates the need for bulky agent signature downloads which also minimizes bandwidth consumption.
Another risk factor that is a result of signature-based protection is the potential for a definition update to negatively impact machines. By eliminating the need to download signature updates and definition files, Webroot has substantially alleviated this risk. Furthermore, if for some reason an action that Webroot takes negatively effects an endpoint, Webroot's administrator controls allow for immediate rollback and remediation remotely – with no need for support intervention.
With the Webroot SecureAnywhere® Agent, there are no local signature definition updates, so user productivity is never impacted by recurring updates.
Our light impact on system resources also means that Administrators can schedule regular security scans during the working day without impacting the user’s ability to use their machine; something that’s impossible with most other solutions.
Definition Updates ‘In the cloud’
Usually, there is a lot of management involved but this is much simpler. Now, it’s just automatic.
Webroot SecureAnywhere maintains all threat updates at the cloud level within the Webroot® Intelligence Network™, so every Webroot SecureAnywhere user world-wide is instantly protected at exactly the same time.
This collective approach has several substantial benefits that turn into significant cost savings in person-hours, hardware, software and bandwidth.
Most importantly from a prevention and compliance perspective, every user is continually up-to-date when they are connected to the Internet and at the greatest risk. However, separately configurable Offline policies ensure they are fully protected when offline too.
There are now no operational risks such as ’blue screens’ due to a corrupt definition updated and the unplanned compatibility changes they may produce. Network bandwidth is also minimized, as there is no longer the need to distribute large definition update files that can consume 5MB+ per day. Plus, IT saves time thanks to never having to test and administer new updates. There is also no need to maintain or pay for any on-premise servers dedicated to AV signature definitions.
Eliminating definition updates represents a huge advance in the design of antivirus technology and one that is unique to Webroot SecureAnywhere.
While we were using a competitor's product, we were averaging at least one infection each month. I'd have to determine the infection type and attempt to remove it - but sometimes removal wouldn't work and I'd have to either re-create the user account on the PC to restore to a previous point or do a clean install. The process could take anywhere from one to five hours for each event.
Cloud Predictive Intelligence is the method Webroot® uses to assess whether existing, new or changed files and processes are safe to run on a user’s machine.
When the Webroot SecureAnywhere® Agent is first installed, it scans the endpoint to build a local cache of all the files and processes already present. It then continuously monitors for new or changed files that are attempting, or are poised, to execute. Files are instantaneously validated against the Webroot Intelligence Network to make a categorization as ‘known good’ or ‘known bad’. If a determination of ‘known good’ or ‘known bad’ cannot be made, files go into a third category: ‘unknown/undetermined’.
The Cloud Predictive Intelligence process flow for a 'known bad' file
The Cloud Predictive Intelligence process flow for a 'known good' file
When a new file is identified or an existing file is changed, a file hash is created on the local endpoint. That hash is then encrypted and securely sent to the Webroot Intelligence Network.
If the Webroot Intelligence Network has seen the file before, and it is ‘known good’, the determination is sent back to the endpoint and the file is allowed to execute.
If the Webroot Intelligence Network has seen the file before, and makes a ‘known bad’ determination, the file is immediately quarantined and blocked from being able to execute.
The Cloud Predictive Intelligence process flow for an 'unknown/undetermined' file
The most significant risk to endpoints is from newly released malware, also known as a Zero Day threat. In this scenario, the file has never been seen before, so the Webroot Intelligence Network is unable to make an instantaneous determination based on the file hash alone. Rather than simply assuming the file is a non-threat because the file is not ‘known bad’, the agent does a trial execution of the file within a Sandbox on the local Agent to examine what other files are touched, any changes that are made, and any network activity that is attempted without compromising the endpoint. The behaviors from this pseudo-execution are analyzed in more detail and matched against the Webroot Intelligence Network’s database of behavioral rule sets.
If a definitive determination is still not possible based on the behavior, the file is then allowed to run on the endpoint. Full monitoring and journaling runs alongside all the other Webroot security shields until the new file can be clearly identified as ‘known good’ or ‘known bad’. Any behaviors that exhibit malware behaviors are immediately blocked despite the allowed file execution.
When the Webroot Intelligence Network has enough information about the file to accurately identify it as ‘known bad’, it will block any further execution, quarantine the file, and roll back any changes that have been made based on the information journaled since the file was first identified on the endpoint. This will restore the machine to the pre-infection state.
Additionally, if a file is determined as 'known bad', all other endpoints in the network that might encounter this program are automatically protected as well because the file hash is updated in the Webroot Intelligence Network. This means the next time that file is seen, there is no need to do a behavioral analysis or journaling, because the file hash will immediately be identified as malware upon the first check.
If a file has been determined as ‘known bad’ by the Webroot Intelligence Network, but is being run intentionally in an environment, administrators have the ability to set an override to allow its continued use. For instance, a keylogger may have been legitimately deployed within a network for IT or development work. Webroot SecureAnywhere is likely to classify this type of file as ‘known bad’ since it exhibits malicious keylogger behaviors. This would be an inaccurate determination for a specific set of users in this environment. With Webroot SecureAnywhere, an administrator is able to immediately override a ‘known bad’ determination with a few mouse clicks from within the web management console and re-classify the file as ‘known good’ for their network.