About Dwell Time



Hello. You have arrived at an outdated topic. Please click this link to be redirected to the updated Endpoint Protection Admin Guide.

Webroot has the smallest, lightest least intrusive agent on the market with multiple protection mechanisms on the agent, which provide incredible protection against the latest threats.
On our Webroot Intelligence Network, we process millions of events a day to better improve the efficacy in the solution from a detection perspective. However, as we do not, nor can anyone in the industry, catch every piece of malware on the device at first sight – although Webroot does a very good job at this.
In 2014, Gartner Magic Quadrant named Webroot as the only vendor with the ability to see Dwell Time.
We continue to introduce more forensic-like capabilities to ensure our customers have as much context around malicious events as possible, without the noise associated with other event-based solutions.
So what happens with applications that have yet to be classified?
During the time which an application is yet to be classified, the agent journals the changes made on disk while ensuring persistent changes are not made. If the application has been classified as Bad, the agent will rollback those journal changes made by the application and remediate the PC. This acts as a safety net, along with components like the Identity Shield, against malware that has yet to be classified by Webroot.
What does Dwell Time mean?
Dwell Time is defined as the time the threat has been present on the device. It is calculated from the first time the file is active to when the file was last seen.
  • Dwell Times of zero (0) seconds mean that the file was blocked at first sight.
  • Dwell Times greater than zero (0) seconds mean that the file has been present for a period of time prior to Webroot removing the file from the system.
    Reasons for a Dwell Time of greater than zero (0) seconds may be that the user has yet to complete the clean-up routine, the file has been re-introduced onto the system after being originally removed, or the file did not yield malicious behaviour at first sight, therefore the file was not immediately classified as malicious.
Webroot SecureAnywhere constantly monitors the system and journals the changes made by any potentially malicious file. We then roll back the changes. Other protection mechanisms are in place, as well, to ensure that the system is protected against malicious attacks, no matter how long the dwell time is.
Why doesn't Webroot classify everything at first sight?
The model of blacklisting every file at first sight is unachievable and the only way to combat threats is by monitoring all the changes made on the device and ensuring these changes can be rolled back. This differentiates us further against the rest of our competition.
Where will Dwell Time be visible?
This first phase of implementation will show the Dwell Time in all reports and areas where an infection can be seen in the console. The next phases will include email alert integration and specific dwell time reports and summaries.