Webroot
- 
 So I did a little futile looking around earlier as our Kaspersky subscription runs out in June. Got to looking at Webroot, and I like the sound of the sales pitch (lightweight agent and scans), but the website is very light on detail... As in, how it achieves such a lightweight nature, particularly in the area of scans. (Kaspersky 10 is crippling during scans, as are most other big name AVs. We still use KAV6) 
 Can anyone help me out with details? Experiences? @nic maybe you can hook me up with someone who can give me functional detail rather than sales pitch? 
- 
 @shauns It doesn't store the definitions on the local machine or on a server. It keeps them in a cloud account which then simply communicates back to the agent. The agent, I've been told, is quite literally, almost invisible as far as resource usage. I believe Webroot was the first to have a means to stop Cryptolocker. I had it explained to me once that if it detects an anomaly it doesn't like, it starts tracking every single change made by that file/process/service. In the event it turns out to be malicious, it then rolls back all those changes and quarantines the file at the least. 
- 
 Sure, happy to help out. I can get you a keycode to play with and answer any questions you have. @ajstringham has explained it well. We have a gigantic database of files, domain names and IP addresses. Everything that runs on your machine gets an MD5 signature, which is sent up for comparison. Known good files are allowed to run. Known bad aren't. Unknowns are monitored and all the changes journaled in case it has to roll back. Then it sits back and watches the unknown for suspicious behavior and also signals it as something for research by our threat team. That means the scans are very fast - the only time you'll notice a performance hit is for an unknown, due to the journaling. When that happens you can see the unknown in the agent and contact support to get it sorted out quickly. Since we have millions of endpoints out there, new files get categorized quickly and we can analyze a lot of data. We also have OEM partners who use our database to power their own devices, firewalls or sites, and the data from those gets fed back to us too. For the business app you have a portal where you can see all your machines and kick off scans, issue remote commands or scripts, and manage policies. We also do mobile protection and a light-weight MDM solution (basically lock, wipe, locate and set policy) that is included with the business endpoint service. There's also a web content filtering service that we use that is powered by the same reputation database that can allow you to block unwanted sites (porn, gambling, etc.) It lets you lock down their proxy settings so they are still filtered even when off your network. That's a separate product from the AV though. Hope that helps and let me know if you need more info or want a code to test out. 
- 
 @shauns The thing about this approach that makes sense is that instead of hosting definition files on your user machines or on a local server and having to make sure that those are pushed out from Webroot to you to your endpoints, it's A to B and nothing in the middle. I remember the first time I heard about Webroot being used in business and almost choked on my drink. However, they have done what most businesses only try to do and that's actually start fresh. Most are afraid to do the necessary work or go the extra mile. They managed to go from about as bad as you could be to really taking over the industry as a leader. 
- 
 Also, because your definitions aren't hosted locally and, as @nic said, everyone helps everyone else, their updates to definitions are faster and are basically available the instant they are published. 
- 
 Well fabulous.. Had a nice long reply typed out and as I get half way through the last word my tablet crashes out losing the lot. >.< Will redo it in the morning when I have an actual keyboard to use! I really appreciate the quick response guys! 
- 
 That's the beauty of MangoLassi! Bringing the IT Pros and the vendors together  
- 
 @scottalanmiller and considering this is a new community, the other beauty is I have a chance to outpost Scott and keep it that way!  
- 
 @ajstringham said: @scottalanmiller and considering this is a new community, the other beauty is I have a chance to outpost Scott and keep it that way!
 Keep it that way? You do understand that I post exclusively from an iPhone, right? 
- 
 @scottalanmiller Not in the evening. 
- 
 Ok, trying this again. Here in this particular backwater of rural Oklahoma, we have a local phone company with a total monopoly. This means that up till now 'Cloud' has been a dirty word around here as all we had was a semi-reliable 1.5mb DSL line. Anything that involved critical communication with the outside world just to run was a no go. 
 Recently we acquired a 5mb wireless link from outside the monopoly, and a Barracuda Link Balancer, so now we have a little more reliability and speed because even if the new 5mb flakes out, we still have the 1.5mb... having both flake out together should be relatively infrequent, but around here it only takes one fool with a backhoe or jackhammer to nerf the whole area's internet. So I guess my questions here would be:
 - How much traffic are we looking at just for Webroot? If all it's doing is passing MD5 back & forth it shouldn't be much I wouldn't think, but as our bandwidth is already somewhat limited, it is a concern. (100 endpoints, approx)
 - What level of protection do we have when the internet is offline? If the client is reliant on connectivity for answers to "good or bad", is it just monitoring idly with no real clue when it has no connection?
- 
 @ShaunS Good questions - the data averages about 3MB a day per machine, for communication back and forth of the MD5 files and answers. For offline status, it remembers already identified files. If you introduce anything new that is unknown, like from a USB drive, then it will do the monitoring and journaling until it gets back online to check the status. It also has heuristics to watch for malicious behavior, like modifying suspicious parts of the registry, or copying files to suspicious locations, and can shut malicious unknowns down that way. I feel your pain on being in a rural area with bad Internet. I worked at one job in northern California where our options were 26k dialup or satellite. We ended up using satellite with a couple of dialup lines bonded for backup. Good times. The funny thing was that processing credit cards was faster on the dialup than the satellite, because of the latency and all the back and forth to establish the secure connection. 500ms ping times FTW! 
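As an added illustration (not part of the thread and not Webroot's code) of the model nic describes above: hash every executable, look the MD5 up in a reputation database, cache the answers for offline use, and journal an unknown's file changes so they can be rolled back if it turns out to be malicious. The reputation entries, file names and binaries are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()
# Constructed stand-in for the cloud reputation DB (hypothetical, not Webroot's data): MD5 -> verdict.
GOOD = b"constructed known-good program bytes"
BAD = b"constructed known-bad program bytes"
CLOUD_REPUTATION = {md5(GOOD): "allow", md5(BAD): "block"}

class Endpoint:
    def __init__(self, online: bool = True):
        self.online = online
        self.cache = {}    # verdicts remembered for use while offline
        self.journal = {}  # md5 of an unknown -> [(path, previous bytes or None)]
    def classify(self, data: bytes) -> str:
        h = md5(data)
        if h in self.cache:                      # already identified: no round trip needed
            return self.cache[h]
        verdict = CLOUD_REPUTATION.get(h) if self.online else None
        if verdict is None:                      # unknown, or offline: monitor and journal it
            return "monitor"
        self.cache[h] = verdict
        return verdict
    def monitored_write(self, data: bytes, path: Path, new: bytes) -> None:
        # Journal the prior state of `path` before the monitored process changes it.
        old = path.read_bytes() if path.exists() else None
        self.journal.setdefault(md5(data), []).append((path, old))
        path.write_bytes(new)
    def rollback(self, data: bytes) -> int:
        # Undo every journaled change made by that unknown, newest first.
        entries = self.journal.pop(md5(data), [])
        for path, old in reversed(entries):
            path.unlink() if old is None else path.write_bytes(old)
        return len(entries)

def demo() -> dict:
    unknown = b"constructed never-seen-before binary"
    agent = Endpoint(online=True)
    with tempfile.TemporaryDirectory() as d:
        doc, note = Path(d) / "report.docx", Path(d) / "note.txt"
        doc.write_bytes(b"original document")
        verdicts = (agent.classify(GOOD), agent.classify(BAD), agent.classify(unknown))
        agent.monitored_write(unknown, doc, b"ENCRYPTED")   # ransomware-style change
        agent.monitored_write(unknown, note, b"ransom note")
        undone = agent.rollback(unknown)
        restored = doc.read_bytes() == b"original document" and not note.exists()
    agent.online = False                                    # simulate the link dropping
    return {"verdicts": verdicts, "undone": undone, "restored": restored,
            "offline_known": agent.classify(GOOD), "offline_unknown": agent.classify(unknown)}
```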
- 
 Oh, and what are you using to monitor and restrict bandwidth? If you don't have anything in place, our Web Shield product lets you set quotas for bandwidth, and restrict categories like streaming video and music. 
- 
 Thanks @nic 
 We use a Barracuda Web Filter to manage things. We did look at Webroot before buying that, but once again, Cloud got in the way.
 So about 300MB per day.... not too heavy at all.
 A couple of our sales guys get regular Trojan-laced emails. Kaspersky strips this out before they ever even see them. Does Webroot function in a similar fashion? (POP3 in Outlook.... don't have anything fancy like Exchange)
- 
 It won't filter the emails, but it will pick it up at the time they try to run them. We also have anti-phishing technology in case they click on a link from a phishing email. 
- 
 Ok, so it's all just at the base machine level. You can have dozens of trojan emails stored on your computer, and Webroot won't do anything until you try to open one, correct? 
- 
 @ShaunS said: Thanks @nic 
 We use a Barracuda Web Filter to manage things. We did look at Webroot before buying that, but once again, Cloud got in the way.
 So about 300MB per day.... not too heavy at all.
 A couple of our sales guys get regular Trojan-laced emails. Kaspersky strips this out before they ever even see them. Does Webroot function in a similar fashion? (POP3 in Outlook.... don't have anything fancy like Exchange)
 You should look at a hosted email filter to solve your email problem. We moved to one about 10 years ago, it stops 99.9% of spam and kills all known viruii. The best part is it keeps the bad emails from ever traveling down your internet pipe (assuming you're hosting your own email server) so you have that bandwidth as well. 
- 
 @ShaunS it'll do deep scans regularly (you can adjust the schedule) to find stuff that isn't running yet, but the initial scan just does running processes. Agreed with Dashrender on the email filtering - should be part of the spam filter to pick up any obvious trojans. 
- 
 Ok, and the deep scans are nice and light too? It's the full system scans where we run into real issues with Kaspersky after V6, and all other vendors we have tried so far. 
 Emails coming through from our google accounts are usually fine, it's those that come in through our web hosting company that give us grief. They offer a mail AV product from McAfee on the server, but want something like $10 per email address which is just not worth it when our on-premise AV filters incoming mails. If we have to purchase something different to do that task alongside Webroot on the endpoint, that would increase our current cost dramatically (The listed price for Webroot is already quite a jump from what it cost to renew last time with Kaspersky).