How Webroot® SecureAnywhere™ Business—Endpoint Protection and Windows® 8 Change Everything

George Anderson, Senior Product Marketing Manager
July 2012

Table of Contents

Introduction and Background
Windows 8 and Security
    Secure Boot
    SmartScreen
    Active Antivirus
    AppLocker
    Endpoint Security Based Upon Antivirus Is Not Enough
Enhancing Windows 8 Security
    Enhanced Firewall
    Additional Security Shields
        Webroot SecureAnywhere—Self-Protection
        Webroot SecureAnywhere—Heuristics
        Webroot SecureAnywhere—Real-time Shield
        Webroot SecureAnywhere—Behavior Shield
        Webroot SecureAnywhere—Core System Shield
        Webroot SecureAnywhere—Web Threat Shield
        Webroot SecureAnywhere—Identity Shield
Enhancing Windows 8 Performance
Enhancing App Security
Enhancing Windows 8 Application Visibility and Security Management
Summary

About Webroot

Introduction and Background

Operating system (OS) launches typically do not generate much excitement unless you work in IT; Windows 8, however, is different. The release of Windows 8 this October is the start of a technology step-change. It starts by removing the Start button and pull-down program list way of interacting with PCs that has existed since Windows 95, and instead offering a brand new touch-based user interface (UI), code-named Metro. Windows 8, with its new UI and API (Application Programming Interface) set, is the first step towards a new programming model, Windows Runtime (WinRT), while it also retains legacy Win32 support, allowing you to keep running traditional Win32 programs alongside the new WinRT apps. The Windows 8 Metro interface acknowledges the shift from static to mobile computing and the advance of apps. It also removes the old form-factor and operating-system 'silos' of working with either a laptop, a tablet or a smartphone, and allows for the convergence and creation of new devices and new form factors. Examples include Microsoft's first ever PC hardware devices, known as 'Surface' tablets. These are small and light, offering tablet-like operational simplicity as well as the 'traditional' laptop experience. By the time Windows 8 launches this autumn there will be a wide range of new devices that capitalize on this flexibility to move seamlessly between different work styles while using the same Windows 8 OS. Performance and device resource usage are also major design goals in Windows 8: fast boot times are important, as is the consumption of CPU, RAM and bandwidth, especially in the context of mobile devices with less power to go around and high bandwidth costs. Of course, with this new freedom to work, play and mix data across devices, there is a vital need for excellent security.
So it is no coincidence that Microsoft has taken major steps in Windows 8 to improve security over Windows 7. Windows 8 includes Windows Defender, a combination of the Microsoft® Security Essentials antivirus (AV) and Microsoft's antispyware. This paper looks at the key new security features within Windows 8, the inclusion of Microsoft's AV for free, what that really says about device protection, and the implications for IT security. In addition, we look at a brand new approach to endpoint security that is fast, light on device resources and bandwidth, and could easily have been designed to be the next-generation antivirus for Windows 8. This is a computing evolution aiming to change everything about personal computing and endpoint security for the better.

Windows 8 and Security

Windows 8 takes some leaps forward from Windows 7 with regard to the new security features it offers, although these enhancements vary according to the edition of Windows 8 and the intended user, consumer or business. In this analysis of Windows 8 security we look primarily at the universal security enhancements and those that help counter and reduce malware infection.

Secure Boot

One of the key security features supported by all editions of Windows 8 is UEFI (Unified Extensible Firmware Interface). UEFI, combined with its Secure Boot feature, is intended to replace the traditional BIOS (Basic Input Output System) that has been a key component of PCs since the dawn of the platform. With Secure Boot enabled, the firmware validates the digital signature of the Windows boot loader before running it, and Windows then continues the chain by checking the signatures of the kernel and boot-start drivers; its Early Launch Anti-Malware (ELAM) mechanism additionally lets a certified antimalware driver load before other third-party drivers. This makes it difficult for low-level malware such as bootkits and rootkits to infect a device, as they normally work by tampering with these components at start-up. Secure Boot stops this happening. Webroot® SecureAnywhere™—Endpoint Protection is certified to run as antivirus under Windows 8, benefits from this signature checking, and can load very early in the boot sequence as a trusted, signed component. And, because of how low in the kernel Webroot SecureAnywhere—Endpoint Protection operates, it offers detection and removal of any such low-level threats that manage to evade the new Secure Boot defense. Of course, with traditional AV products, running a second AV alongside the Windows 8 AV is not an option: Windows Defender turns itself off and defers entirely to any third-party AV product that is installed, re-activating only if there is no third-party protection at all, or if the installed third-party AV has no up-to-date signatures. Webroot SecureAnywhere, due to the way it operates and its cloud-based architecture, does not conflict, has no local signatures, and will run alongside the Windows 8 Defender offering.

SmartScreen

Windows 8 also takes the SmartScreen® filtering technology from the Internet Explorer browser and extends it to the whole operating system. SmartScreen URL reputation filtering helps block socially engineered malware and protects Windows 8 users against such attacks, while its file and application reputation check examines downloaded files and verifies their reputation, blocking files with a known-bad reputation and warning the user before running files that have not yet established a reputation (a warning the user can choose to override). Webroot SecureAnywhere—Endpoint Protection complements this screening approach. For hard-to-classify 'unknown' files, or those that have fooled the reputation filtering, the Webroot Intelligence Network layer enables real-time analysis of the true behavior of unknown files and instantaneous, accurate categorization as to whether they are malicious or not. Webroot SecureAnywhere—Endpoint Protection also offers full file monitoring, journaling and rollback remediation. Should a file be missed by the Microsoft AV because signature files are incomplete or out of date, Webroot SecureAnywhere—Endpoint Protection will catch and block it, and even if it does partly execute, Webroot SecureAnywhere—Endpoint Protection is able to roll the endpoint back immediately to its last 'known good' state.

Active Antivirus

Windows 8 checks to see if an active AV is present and operating; if not, it activates the pre-loaded Windows Defender. This ensures endpoint protection from day one of ownership. If another third-party AV is present but inactive, or its signature definition files are out of date, Windows 8 starts a 15-day countdown. During those 15 days the Action Center warns users that their AV software has expired and provides information about how to renew coverage. After the 15 days the user has the option to renew what they have, activate Windows Defender, select another AV product from the Windows Store, or click a 'remind me later' button, which starts a further seven-day notice period. Microsoft's goal is for all Windows 8 users to have basic antivirus protection enabled and working from the moment they switch on their new endpoint device. Given that AV is already pre-loaded on every new PC, laptop and tablet shipped, this will not make a huge difference until the pre-loaded AV free trial ends. The Windows 8 AV is a traditional design that relies heavily on local signature definition files, so its protection always lags the newest samples, and it has limited ability to identify new and unknown files and malicious processes. Like most other traditional AV, enterprise deployments of the Microsoft solution need a separate management console for managing users' endpoints, and for the best on-network performance an update server is advisable as well. However, while the AV protection might be basic, it does mean that Windows 8 devices are protected for free, and IT security needs to decide whether this protection is good enough, needs to be replaced, or should be supplemented with other complementary endpoint protection.
Webroot SecureAnywhere—Endpoint Protection allows security administrators to protect and enhance endpoint security. It adds the advanced real-time detection of 'unknown' malware that is missing in the Windows 8 AV, through the Webroot Intelligence Network, and then other complementary security layers that can completely replace the Windows 8 AV. What's more, it is easy to deploy as an AV solution: the MSI is under 700KB, it requires zero definition updates, and since it is fully managed from a cloud-based console there are none of the 'hidden' costs (management console, update server) that an enterprise deployment of the Windows 8 AV carries.
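As an added example (not from the Webroot paper and not Webroot's or Microsoft's code), the following PowerShell script checks, on a single endpoint, the three built-in protections discussed in the Secure Boot and Active Antivirus sections above: whether Secure Boot is enforced, which drivers are registered in the Early-Launch (ELAM) load group, and which antivirus products Windows Security Center lists as registered, enabled and up to date. It assumes an elevated PowerShell prompt on Windows 8 or later; the registry group name used to find ELAM drivers and the productState bit decoding are not documented by Microsoft and are the commonly used interpretation, so treat both as assumptions.

```powershell
# Added example, not from the Webroot paper. Run from an elevated PowerShell
# prompt on Windows 8 / Server 2012 or later.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM boots and when not elevated.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled (UEFI firmware, Secure Boot off)' }
    } catch [System.PlatformNotSupportedException] {
        'Not supported (legacy BIOS or CSM boot)'
    } catch [System.UnauthorizedAccessException] {
        'Unknown (run this from an elevated prompt)'
    }
}

function Get-EarlyLaunchDrivers {
    # Assumption: ELAM drivers register in the 'Early-Launch' load-order group
    # (this is how Microsoft-signed ELAM drivers such as Defender's WdBoot appear).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.Group -eq 'Early-Launch' } |
        Select-Object PSChildName, ImagePath, Start
}

function Get-RegisteredAntivirus {
    # Action Center reads the same root/SecurityCenter2 data to decide whether
    # to switch Windows Defender on or start its expiry countdown.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            # productState is a 24-bit value. Common (undocumented) decoding, assumed here:
            #   middle byte 0x10 -> real-time protection on; low byte 0x00 -> definitions current.
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -eq '10')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                State    = "0x$hex"
            }
        }
}

function Get-DefenderStatus {
    # The Defender cmdlets may be absent on Windows 8 RTM; they ship with 8.1 and later.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        Get-MpComputerStatus |
            Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                          AntivirusSignatureLastUpdated, AntivirusSignatureAge
    } else {
        'Get-MpComputerStatus is not available on this build'
    }
}

"Secure Boot: $(Get-SecureBootState)"
'Early-Launch (ELAM) drivers:'
Get-EarlyLaunchDrivers | Format-Table -AutoSize
'Antivirus products registered with Security Center:'
Get-RegisteredAntivirus | Format-Table -AutoSize
'Windows Defender status:'
Get-DefenderStatus | Format-List
```

A product that shows Enabled = False or UpToDate = False here is exactly the condition that makes Windows 8 start the 15-day countdown described above, so this is a quick way to confirm what Action Center is about to nag the user about before deploying a third-party agent.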

AppLocker

Organizations with Microsoft Software Assurance agreements will be able to run Windows 8 Enterprise edition and the AppLocker® security feature, which first appeared in Windows 7 and protects endpoints from malware. With AppLocker the administrator can create specific application whitelist and blacklist policies controlling which applications are allowed to run on an endpoint, and with Windows 8 that control now extends to the new Metro apps. Alongside this, Webroot SecureAnywhere—Endpoint Protection reveals all applications and processes running on every endpoint, and its application Override feature enables whitelisting and blacklisting of applications too.
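The following PowerShell script is an added example (not from the Webroot paper and not Microsoft's own sample) of the AppLocker workflow described above on a Windows 8 Enterprise reference machine: inventory the trusted install locations, add the Windows 8 packaged (Metro) app collection, generate an allow-list policy, dry-run it in audit mode, and only then enforce it. It assumes an elevated prompt, the AppLocker module that ships with Windows 8 Enterprise and Server 2012, and a policy path of C:\Policies, which is an assumption.

```powershell
# Added example, not from the Webroot paper. Builds an AppLocker allow-list from a
# clean Windows 8 Enterprise reference machine, extends it to packaged (Metro) apps,
# dry-runs it in audit mode, then enforces it. Run elevated; paths are assumptions.
Import-Module AppLocker

$policyPath = 'C:\Policies\AppLocker-allowlist.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory trusted install locations. C:\Windows must be included, otherwise the
#    shell (explorer.exe) and logon components are denied once enforcement starts.
$dirs = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
$files = foreach ($d in $dirs) {
    if (Test-Path $d) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script
    }
}

# 2. Windows 8 adds a Packaged app rule collection; packaged apps are identified
#    only by publisher, so harvest their identities from the installed packages.
$packaged = Get-AppLockerFileInformation -Packages (Get-AppxPackage -AllUsers)

# 3. Publisher rules where files are signed, hash rules otherwise, collapsed into
#    as few rules as possible. Files whose information cannot be read are skipped.
[xml]$policy = ($files + $packaged) |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml `
                        -IgnoreMissingFileInformation

# 4. Start in audit mode: events land in the AppLocker event log instead of blocking.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 5. Dry-run the policy against executables users have dropped into their profiles;
#    anything listed here would be blocked under enforcement.
Get-ChildItem "$env:SystemDrive\Users" -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault

# 6. AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath   # local policy; add -Ldap '<GPO path>' to target a GPO

# 7. Review the audit trail before switching each collection to 'Enabled' and re-applying:
#    8003 = would have been blocked (audit mode), 8004 = was blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

The order matters: a publisher rule survives vendor updates, a hash rule breaks on the next patch, and a path rule is only as strong as the ACL on the folder it names, so the `-RuleType Publisher, Hash` preference above gives the most durable allow-list. Run in AuditOnly for a full patch cycle before flipping EnforcementMode to Enabled.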

Endpoint Security Based Upon Antivirus Software Is Not Enough

One thing that has become extremely clear, as the threats targeting endpoints increase to over 70 new types of malware per minute [1], is that traditional antivirus software on its own is simply not enough. There needs to be a defense-in-depth strategy for protecting endpoints. Email and web filtering are two aspects of this, as are a personal firewall, patch management, network access control, host-based intrusion prevention, endpoint encryption, application whitelisting and blacklisting, and DLP content filtering, with some contributing far more than others. For instance, a recent Aberdeen Group Analyst Insight paper noted that patch management is good practice and that 58% of vulnerabilities disclosed in 2011 had vendor patches available on the same day, but also that 38% still had no patch available at all [2]. Within the same paper, the section "Anti-Virus Alone Is Not Enough" confirmed that prevailing wisdom as correct. The paper concluded that the inclusion of anti-virus solutions such as Microsoft's Forefront® Endpoint Protection as part of the underlying endpoint platform may mislead some organizations into an erroneous conclusion, i.e., that "free A/V" is "good enough for me". In addition: "Not investing in additional endpoint security solutions is shown to be a false economy" and "Endpoint security initiatives for all organizations should adopt a more comprehensive, defense-in-depth approach to protecting their platforms, networks, applications and data." The next section of this paper looks at how Webroot SecureAnywhere provides a more comprehensive defense-in-depth protection of Windows 8 endpoints.

Enhancing Windows 8 Security

Apart from the significant advantage of real-time prevention of unknown malware gained by running Webroot SecureAnywhere—Endpoint Protection, there are other valuable security enhancements that significantly extend the basic security provided by the Windows 8 AV. What follows are some of the other considerable security capabilities and benefits provided by Webroot SecureAnywhere—Endpoint Protection.

Enhanced Firewall

Webroot SecureAnywhere—Endpoint Protection works alongside the built-in Windows Firewall by adding automatic monitoring of all outbound traffic and blocking illegitimate 'call homes' and other attempts by malware to extract and steal data. The Windows Firewall (Windows Firewall with Advanced Security) can filter outbound connections by program, service and port, but its default outbound action is Allow on every profile, so in practice most endpoints only filter inbound traffic, and its rules match on a program path rather than on whether the process is trusted. By looking for untrusted processes that try to connect to the Internet, Webroot SecureAnywhere—Endpoint Protection complements the Windows Firewall, so that together they cover both inbound and outbound endpoint traffic and reduce the chance of malware stealing or leaking data from the endpoint.
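As an added example (not from the Webroot paper and not Webroot's or Microsoft's code), the PowerShell below shows how far the built-in firewall alone can be pushed towards the outbound control described above: explicit allow rules for a few trusted programs and services, default-deny outbound on every profile, and a parser for the firewall log that surfaces the 'call home' attempts the policy dropped. It assumes the NetSecurity module that ships with Windows 8 and Server 2012 and an elevated prompt; the program list and rule names are a constructed sample, not a recommendation for any particular environment.

```powershell
# Added example, not from the Webroot paper. Turns the built-in Windows Firewall
# into an outbound-filtering control: explicit allow rules for trusted programs and
# services, default-deny for everything else, and logging of what was dropped.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt.
# The program list below is a constructed sample for illustration.

# Baseline: the firewall filters both directions, but ships with DefaultOutboundAction = Allow.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 1. Allow the programs this endpoint is expected to run (paths are assumptions).
$trustedPrograms = @{
    'Allow Out - Internet Explorer' = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    'Allow Out - Outlook'           = "$env:ProgramFiles\Microsoft Office\Office15\OUTLOOK.EXE"
}
foreach ($name in $trustedPrograms.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $trustedPrograms[$name] -Profile Any | Out-Null
    }
}

# 2. Services that must keep talking to the network (Windows Update, time sync).
#    The predefined 'Core Networking' outbound rules already cover DHCP and DNS.
New-NetFirewallRule -DisplayName 'Allow Out - Windows Update' -Direction Outbound `
    -Action Allow -Service wuauserv -Protocol TCP -RemotePort 80, 443 | Out-Null
New-NetFirewallRule -DisplayName 'Allow Out - Windows Time' -Direction Outbound `
    -Action Allow -Service W32Time -Protocol UDP -RemotePort 123 | Out-Null

# 3. Flip the default to Block on every profile and log dropped packets.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultOutboundAction Block -LogBlocked True -LogFileName $log -LogMaxSizeKilobytes 16384

# 4. Review what was dropped. The log's 'path' column is SEND for outbound, so
#    DROP + SEND rows are the "call home" attempts the default-deny policy stopped.
function Get-BlockedOutbound {
    param([string]$Path = $log)
    Get-Content $Path | Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |
        ForEach-Object {
            $f = $_ -split ' '
            # Field order follows the W3C '#Fields:' header the firewall writes:
            # date time action protocol src-ip dst-ip src-port dst-port ... info path
            [pscustomobject]@{
                Time = "$($f[0]) $($f[1])"; Action = $f[2]; Protocol = $f[3]
                SrcIP = $f[4]; DstIP = $f[5]; SrcPort = $f[6]; DstPort = $f[7]; Path = $f[16]
            }
        } |
        Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'SEND' } |
        Group-Object DstIP, DstPort | Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-BlockedOutbound | Select-Object -First 20
```

Note the limitation the firewall log exposes: it records addresses and ports but not the process that made the attempt, and a program rule keyed on a path lets an injected or renamed binary through, which is the gap a process-reputation layer is meant to close. Pilot default-deny outbound on a small group first; domain members depend on the predefined Core Networking outbound rules for logon, Group Policy and name resolution.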

[1] Source: AV-Test.org, new malware statistics.
[2] Source: Aberdeen Group Analyst Insight, April 2012.

Additional Security Shields

Webroot SecureAnywhere—Endpoint Protection also provides a number of additional security shields and protections that are not found within the free Windows 8 AV.

Webroot SecureAnywhere—Endpoint Protection—Self-Protection

The Webroot SecureAnywhere—Endpoint Protection Self-Protection Shield prevents malicious software from modifying its program settings and processes, and when it detects another product trying to interfere with its functions it starts a protective scan to look for the threats targeting it. Protective scans also update the internal self-protection status and prevent incompatibilities with other security software, for instance when running alongside the Windows 8 AV. Self-Protection means that even if the Windows 8 AV is disabled by a malware attack, Webroot SecureAnywhere—Endpoint Protection will continue to protect the endpoint. The very small footprint of Webroot SecureAnywhere—Endpoint Protection and its cloud architecture also make it more difficult for attackers to disable the Webroot SecureAnywhere—Endpoint Protection agent than larger-footprint, on-device-only AV products.

Webroot SecureAnywhere—Endpoint Protection—Heuristics

Heuristics settings within Webroot SecureAnywhere—Endpoint Protection adjust the level of threat analysis performed when it scans an endpoint. Heuristic scans are adjustable separately for local drive(s), USB drives, Internet access, network access, local CD/DVDs, and for when the endpoint is offline (not connected to the Internet). Three kinds of heuristics are available:

1. Advanced Heuristics: analyze new programs for suspicious actions that are typical of malware.
2. Age Heuristics: analyze new programs based on the amount of time the program has been known. Legitimate programs are generally well known, while malware often has a short known lifespan.
3. Popularity Heuristics: analyze new programs based on statistically how often the program is used and how often it changes. Legitimate programs do not change quickly, but malware often mutates rapidly.

Unlike the fixed heuristics found in other solutions, the heuristic threat analysis settings in Webroot SecureAnywhere—Endpoint Protection are flexible and offer five levels (disabled, low, medium, high and maximum) to provide fine control over how new programs are treated from any source, and whether the user is online or offline. This provides improved device control and additional security for endpoints when they are not connected to the Internet or when a user inserts a USB drive or CD/DVD. This device, network, Internet and local endpoint control on its own considerably increases malware prevention.

Webroot SecureAnywhere—Endpoint Protection—Real-time Shield

The Webroot SecureAnywhere—Endpoint Protection Real-time Shield blocks known threats that are listed in Webroot's threat definitions and found in the Webroot Intelligence Network. If the Shield detects a suspicious file, it opens an alert and prompts the administrator to block or allow the item. If it detects a known threat, it immediately blocks and quarantines the item before it causes any damage to an endpoint or steals any information. This prevention also leverages the 'collective' protection offered by the Webroot Intelligence Network: if a known threat is blocked for one user, it is blocked instantly for all users. This provides a further malware prevention layer beyond that offered in the Windows 8 AV.

Webroot SecureAnywhere—Endpoint Protection—Behavior Shield

The Behavior Shield analyzes all the applications and processes running on an endpoint. When it detects suspicious file behaviors it opens an alert and prompts the administrator to block or allow the item, and if it detects known behavioral threats it immediately blocks and quarantines the process before it causes any damage. The Webroot Intelligence Network holds hundreds of thousands of behavioral rule sets to check for malware. Coupled with the standard monitoring and journaling of any process unknown to the Webroot Intelligence Network, Webroot SecureAnywhere—Endpoint Protection is also able to fully roll back and remediate an endpoint automatically to its 'last known good' state should the behavior prove malicious.

Webroot SecureAnywhere—Endpoint Protection—Core System Shield

The Core System Shield continually monitors the system structures on an endpoint to ensure that malware has not tampered with them. If the shield detects a suspicious file trying to make changes, it opens an alert and immediately prompts the administrator to block or allow the item. If it detects a known threat, it immediately and automatically blocks and quarantines the item. The Webroot SecureAnywhere—Endpoint Protection Core System Shield assesses all system modifications before they are allowed to take place, and intercepts any activity that attempts to make system changes, such as a new service installation. It also detects and repairs broken system components by locating corrupted components, such as broken Layered Service Provider (LSP) chains or a virus-infected file, and restoring the component or file to its original state. The Core System Shield is responsible for ensuring the endpoint's system is continuously protected from malware infection. This security layer again leverages the Webroot Intelligence Network and the ability of Webroot SecureAnywhere—Endpoint Protection to automatically repair endpoints.

Webroot SecureAnywhere—Endpoint Protection—Web Threat Shield

The Web Threat Shield protects users as they surf the Internet, and as such complements and enhances the protection offered by the SmartScreen technology already provided in Windows 8. If the Web Threat Shield detects a website that might be a threat, it opens an alert allowing the user to block the site or continue despite the warning. And, when the user is using a search engine, the shield analyzes all the links on the search results page and displays an image next to each link that signifies whether it is a trusted site (green checkmark) or a potential risk (red cross). The Web Threat Shield also runs all URLs through its own malware-identification engine, and if a site is associated with malware it automatically blocks it from loading in the user's browser. While this protection is not the same as user-level URL or content filtering, it does mean that Webroot SecureAnywhere—Endpoint Protection endpoints are protected by an additional layer of web security.

Webroot SecureAnywhere—Endpoint Protection—Identity Shield

The Identity Shield protects users' sensitive data that might be exposed through their browser when they are making online transactions. The Identity Shield may also be applied to other endpoint applications nominated by an administrator and added to the Identity Shield protection list. The Identity Shield automatically looks for online identity threats by analyzing the websites being browsed and detecting and blocking any malicious content. It also analyzes websites for phishing threats and blocks a site if a phishing threat is found. The Identity Shield verifies each website a user visits to determine its legitimacy, and analyzes IP addresses to determine whether there has been redirection or the site is on the Webroot Intelligence Network blacklist. It also verifies DNS/IP resolution to detect whether a man-in-the-middle attack is taking place and, if so, blocks it. It stops websites from creating high-risk tracking information and blocks third-party cookies from being set when the cookies originate from malicious tracking websites. Another key security function of the Identity Shield is that it prevents programs from accessing users' protected credentials, for example login credentials such as name and password, or a website request to remember credentials, and it automatically blocks untrusted programs from accessing protected data. Screen scrapers and keyloggers are also blocked, and only trusted screen capture programs are permitted access to protected screen contents. Given that so much of users' work and play is now conducted online and requires secure access to online applications, the Webroot SecureAnywhere—Endpoint Protection Identity Shield considerably enhances the preventive and protective security for users above that of Windows 8.

Enhancing Windows 8 Performance

As mentioned earlier, with the move to Windows RT and a more mobile, app-style environment, Microsoft is aiming to reduce device boot times to a few seconds and to make clear, through the new Task Manager Startup tab, which start-up apps have a high impact on the device's resources. Windows 8 users will be able to easily disable start-up apps that they feel are resource hogs. Battery consumption and network utilization are top considerations for the new OS too. Battery consumption is an obvious target, as mobile computing is limited by battery life on laptops, tablets and smartphones. Network chatter is perhaps a newer concern: it reflects the need to minimize network usage too, particularly as mobile devices may connect to cellular networks, where 3G/4G and other data traffic is often very expensive.

Unlike other AV products, including the Windows 8 AV, Webroot SecureAnywhere—Endpoint Protection could easily have been built to meet all of the new performance goals Microsoft has set for Windows 8. For instance, a traditional AV is likely to see at least 500MB of definition-file updates and other data transferred in a month, while Webroot SecureAnywhere—Endpoint Protection, because of its cloud architecture, transfers a total of around 32MB per month in both directions, less than 7% of a typical AV's network traffic. The overall results for Webroot SecureAnywhere—Endpoint Protection in performance tests by PassMark Software in February 2012 were strong:

PassMark Software: Overall Endpoint Protection Performance Results

Overall Score   Product Name                                    %
78              Webroot SecureAnywhere Endpoint Protection      97.50%
55              Symantec Endpoint Protection 12.1 Small Business 68.75%
47              ESET NOD32 Antivirus 4 Business                 58.75%
46              Microsoft Forefront Endpoint Protection         57.50%
40              Kaspersky Endpoint Security 8.0                 50.00%
38              Worry Free Business Security 7.0 Standard       47.50%
29              McAfee Total Protection for Secure Business     36.25%
27              Endpoint Security 10.0                          33.75%
80              Maximum Score Possible                          100.00%

These PassMark Software results are for Windows 7 (whose desktop environment carries over into Windows 8) and include Microsoft Forefront Endpoint Protection, which is very similar to Windows Defender. Webroot does not believe they will change radically on Windows 8. Webroot SecureAnywhere—Endpoint Protection scores over 97% out of a possible 100% on tests covering a wide range of performance metrics, including initial scan time, installation size, installation time, boot time, memory usage at idle, memory usage while scanning, browse time, file copy/move/delete, file write/open/close and file compression. In this test Webroot SecureAnywhere—Endpoint Protection offers best-in-class performance and is faster and lighter on device and network resources than any of the other products tested, reflecting its new-generation, cloud-driven approach to preventing malware.

Enhancing App Security

Windows 8 introduces a new online store, the Windows Store, which lists traditional desktop applications as well as distributing the new WinRT (Metro-style) apps. Webroot SecureAnywhere—Endpoint Protection is a desktop (Win32) application (although its footprint is so small, at under 700KB, that it could easily be mistaken for a WinRT app), but it also offers considerable protection for and from the new Microsoft apps. Apps from the Windows Store will be verified and checked by Microsoft, but as seen in other app environments this checking is not always foolproof, and when an app installs it is far easier for a user to ignore the 'permissions' being granted. The Identity Shield within Webroot SecureAnywhere—Endpoint Protection will stop apps from accessing protected user credentials and continuously monitor the behavior of new apps for malicious intent. As the Identity Shield is unique, it provides a level of visibility, protection and control over Windows Store apps unavailable to users or administrators elsewhere. Webroot also plans to introduce WinRT apps for both consumer and business customers that will offer a continually updated security status, so you will be instantly aware if there is a problem that needs attention. Other Webroot apps are also planned that will make managing data simpler for users.

Enhancing Windows 8 Application Visibility and Security Management

For both desktop and Windows 8 Metro apps to be secure, it is important that all the applications present on a device are visible to administrators. Webroot SecureAnywhere—Endpoint Protection provides and maintains a current applications list, giving full visibility of every app installed on each user device. This makes it straightforward to use the Override functionality within Webroot SecureAnywhere—Endpoint Protection to create a blacklist of applications that may not run on any device, and similarly a whitelist of applications that are permitted to run under Windows 8. This degree of remote control over device applications greatly simplifies security management and lets the administrator decide and control what is allowed to run on the Windows 8 devices connecting to a network. The new touch UI is particularly suitable for and in 2012 there are plans for Webroot SecureAnywhere—Endpoint Protection to fully support Windows 8 devices. Also in development is a new Sync and Share Metro app that will allow both business and consumer users of Webroot SecureAnywhere—Endpoint Protection to keep easy track of their data and where it is synchronized and backed up, another useful capability when increased mobility brings with it increased threats from data loss and device theft. Overall, Webroot's aim is to keep simplifying and removing the complexity of securely managing and protecting endpoint devices and their data when running Windows 8.

Summary

Webroot SecureAnywhere—Endpoint Protection, used in parallel with or as a replacement for the Windows 8 AV, provides a highly complementary set of advanced endpoint security features that keeps users protected and prevents malware from infecting Windows 8 devices. While Windows 8 security is boosted by the inclusion of an AV, this only provides a foundation level of security. Since the traditional design of the Windows 8 AV relies on regular definition updates, it cannot provide the real-time malware determinations delivered by Webroot SecureAnywhere—Endpoint Protection and the Webroot Intelligence Network; real-time prevention is now mandatory given the 70+ new malware threats discovered every minute [1]. From a performance perspective Webroot SecureAnywhere—Endpoint Protection is ideal: it fully supports the Windows 8 goals of being fast and efficient, minimizing the use of endpoint resources from battery and bandwidth to CPU, RAM and disk space. Add the protection and prevention benefits of the Webroot SecureAnywhere—Endpoint Protection Identity Shield, which secures the new Metro apps and their data, and the application Override functionality, with which endpoints can be locked down, and the picture is complete. The Windows 8 revolution is about to happen, and Webroot SecureAnywhere—Endpoint Protection ensures it will proceed faster and more securely by providing endpoint security that also changes everything, for the better.


About Webroot Webroot is committed to taking the misery out of Internet security for businesses and consumers. Founded in 1997, privately held Webroot is headquartered in Colorado and employs approximately 400 people globally in operations across North America, Europe and the Asia Pacific region.

Webroot Headquarters: 385 Interlocken Crescent, Suite 800, Broomfield, Colorado 80021 USA

©2012 Webroot Inc. All rights reserved. Webroot, SecureAnywhere, Webroot SecureAnywhere, and the globe design are trademarks or registered trademarks of Webroot Inc. in the United States and/or other countries. Microsoft, Windows, Internet Explorer, Applocker, Forefront, and SmartScreen are registered trademarks of Microsoft Corporation in the United States and other countries. All other trademarks are the properties of their respective owners. Webroot is not affiliated with, nor has it or Webroot SecureAnywhere Business—Endpoint Protection been authorized, sponsored, or otherwise approved by Microsoft Corporation.