Setting the training period

Before you turn on traffic filtering, set a firewall training period. The Webroot firewall uses this training period as a baseline to analyze normal traffic patterns. When the training period ends, the firewall can more easily determine what activities deviate from normal when you connect to the Internet or to a network.

You should specify a training period of at least seven days. During this period, the firewall does not open alerts for every activity it encounters.

If you do not set a training period, the firewall opens numerous alerts for all Internet applications and Windows API (WinAPI) processes as they launch, which requires you to take action by selecting “allow” or “block” each time one of these events first occurs.

The Webroot software includes three types of training modes for detecting computer processes, e-mail anomalies, and system anomalies. Each mode is preconfigured to run seven days, but you can change that time period if desired.

To enable or change training modes:
1. In the Icon panel, click Firewall.
2. Click the Training Mode tab.
   The Training Mode screen opens. Items with a check mark are enabled.
3. Set the Training Mode fields, as described in the following table. We recommend that you set each training mode to a period of seven days.

Training modes

Firewall and Process Monitor
Analyzes the normal activities of your computer’s applications and processes, so the firewall can later determine unusual traffic activity.
• Enable Training Mode: Make sure the checkbox is selected.
• Training period: Set the number of days from the drop-down box. This field counts down for each day (for example, after 3 days of a 7-day training period, this field shows “4 days”) and the box is automatically unchecked when training is complete.
• Enable Process Monitor: Monitors processes related to commonly used applications. When the firewall monitors a process, it inspects it for potentially malicious system API calls used by hackers to launch executable files.

Email Anomaly Detection
Monitors outbound e-mail delivery behavior, so the firewall can detect activities that may be related to worms and viruses spread through outbound e-mail.
• Enable Detection: Enables Email Anomaly Detection.
• Training period: Set the number of training days for Email Anomaly Detection, so the firewall can analyze normal outbound mail delivery.
• Block All Outbound Email: You may need to uncheck this box if you receive an Email Anomaly alert. Uncheck this box only if you have determined the nature of the e-mail to be safe.
• Training Statistics: During the training period, click this link to see the training days completed, total e-mails sent, and the total e-mail recipients.

System Anomaly Detection
Monitors the computer’s running processes so the firewall can determine unusual activities that may be related to applications.
• Enable Detection: Enables System Anomaly Detection.
• Training period: Set the number of training days for System Anomaly Detection, so the firewall can analyze normal patterns of the running processes and establish a baseline.
• Sensitivity: Determines the sensitivity the firewall applies to System Anomaly Detection. Decreasing the threshold percentage increases the sensitivity, meaning that smaller deviations generate alerts. Increasing the threshold percentage allows greater variance from normal activity. The default Sensitivity threshold is set to 60%, meaning any activity deviating more than 60% from normal generates an alert.

When the training period completes, the firewall opens alerts for any unusual activities relating to processes, applications, e-mail traffic, or other system activity. If an alert opens and states that the activity is unknown, you should click Block in case some type of malware is causing it (see Adjusting security levels).
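
The following added example (not Webroot's code or algorithm) models how a training-period baseline and a percentage threshold interact, showing why lowering the threshold produces more alerts. It assumes deviation is measured as percent difference from the training-period average; the metric names and daily counts are constructed.

```python
from statistics import mean

TRAINING_DAYS = 7          # training period the page recommends
DEFAULT_THRESHOLD = 60.0   # default Sensitivity threshold (percent)

def build_baseline(daily_counts, training_days=TRAINING_DAYS):
    """Average each metric over the training period; refuse a short one."""
    if len(daily_counts) < training_days:
        raise ValueError("training period not complete")
    window = daily_counts[:training_days]
    return {m: mean(day[m] for day in window) for m in window[0]}

def deviation_percent(observed, normal):
    """Percent deviation from normal; activity never seen in training is infinite."""
    if normal == 0:
        return 0.0 if observed == 0 else float("inf")
    return abs(observed - normal) * 100.0 / normal

def alerts(baseline, today, threshold=DEFAULT_THRESHOLD):
    """Return {metric: deviation} for metrics deviating more than threshold percent."""
    flagged = {}
    for metric, observed in today.items():
        dev = deviation_percent(observed, baseline.get(metric, 0))
        if dev > threshold:
            flagged[metric] = dev
    return flagged

# Constructed sample data (assumed metric names): seven training days
TRAINING = [
    {"emails_sent": 18, "recipients": 28},
    {"emails_sent": 22, "recipients": 32},
    {"emails_sent": 20, "recipients": 30},
    {"emails_sent": 19, "recipients": 29},
    {"emails_sent": 21, "recipients": 31},
    {"emails_sent": 20, "recipients": 30},
    {"emails_sent": 20, "recipients": 30},
]
TODAY = {"emails_sent": 29, "recipients": 51}   # constructed post-training day

BASELINE = build_baseline(TRAINING)

if __name__ == "__main__":
    # Same day, two sensitivity settings: the lower threshold flags more.
    for threshold in (60.0, 40.0):
        print(threshold, alerts(BASELINE, TODAY, threshold))
```

At the 60% default only the recipient count is flagged; at 40% the e-mail count is flagged as well.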