Evasion Shield FAQ

  • 10 April 2020

What is the Webroot® Evasion Shield?

The Webroot Evasion Shield uses new, patented technology to enhance the efficacy of Webroot® Business Endpoint Protection by detecting, blocking, and remediating (quarantining) malicious and evasive script attacks, whether they are file-based, fileless, obfuscated, or encrypted. In addition, the shield prevents malicious behaviors from executing in PowerShell, JavaScript and VBScript files, which are commonly used to launch evasive attacks.


What type of threats does the Evasion Shield detect?

The shield will detect and report or remediate, depending on policy settings, malicious script files including JS, VBS, PowerShell, wscript, cscript, macros, and more. This shield includes protection against both file-based and fileless scripts which often evade other security software. On Windows® 10, the Evasion Shield provides enhanced protection for fileless scripts, obfuscated scripts, and other sophisticated script attacks.


Do I need to install the Webroot® Evasion Shield separately?

No. The Webroot Evasion Shield is available to all Webroot Business Endpoint Protection customers as part of our May 2020 product update. It is turned off by default. No additional installation is required.

Note: You must update all instances of Webroot® Business Endpoint Protection to agent version 9.0.28.00 or higher. Earlier agent versions will not fully support Evasion Shield malicious script protection.


Does the Webroot® Evasion Shield cost extra?

No. The Evasion Shield is now included within your existing protection and licensing arrangements.


How do I start using the Webroot® Evasion Shield?

Because unique and custom scripts are often used for legitimate purposes in IT environments, the Webroot Evasion Shield is turned off by default. To activate the Webroot Evasion Shield, log into your Webroot management console and open the Policies tab. Create a new policy or select an existing policy to modify. Within the policy settings, select Evasion Shield from the Policy Section drop-down. Click here for detailed instructions with screenshots.

We recommend enabling the policy with the Detect and Report setting first, so admins can identify and whitelist legitimate scripts as needed. See “What policy options do I have?” below for more details.


What policy options do I have?

In the interest of simplicity, there are three settings for the Script Remediation policy.

  • Off – The Webroot Evasion Shield is off by default.
  • Detect and Report – This setting allows admins to monitor which scripts are already running within a given environment and decide whether to whitelist or blacklist. We recommend using this setting first to help ensure legitimate scripts are not mistakenly prevented from executing.
  • Detect and Remediate – This setting enables the Webroot Evasion Shield to begin automatically detecting and remediating (quarantining) scripts in the given environment.


Will I be able to see which of my devices have the Evasion Shield enabled?

Yes. In the Reports tab of the Webroot management console, we have added a new Evasion Shield Script Protection Status report. This report displays a count of all the devices that have the Evasion Shield using the following statuses: Detect and Remediate, Detect and Report, Off, and Unsupported. Admins can click the graph to see a full list of all the devices in each status category.


Will I be able to see which of my devices have had script detections?

Yes. In the Reports tab of the Webroot management console, we have added a new Evasion Shield Script Detections report. This report displays a list of all the devices on which the Evasion Shield has detected scripts, as well as details on the script file detected. Admins can click each script file for more information and whitelist or blacklist as needed.


What if I have a recurring fileless threat on one of my devices?

In the case of fileless scripts, there is no file to quarantine. For these situations, the Webroot Evasion Shield will detect and block the script execution. If the fileless script is coded to execute repeatedly, the Evasion Shield will detect and block each execution, effectively neutralizing it.

If you need help removing a fileless infection from your machine, contact Webroot Support. Our Advanced Malware Removal team can provide further assistance.


How can I allow a legitimate script?

The Webroot Evasion Shield utilizes the file whitelist capability in the Webroot management console. To allow a script, open the Webroot management console and click the Overrides tab. From there, you can adjust your File Whitelist and File Blacklist preferences. Note that scripts may have dynamic MD5s, so you may have to allow/block by file/folder name. For more detailed instructions, refer to the Webroot business user guides.


Can I test whether the Evasion Shield will block any of my legitimate or RMM scripts before enabling script protection?

Yes. We recommend using the Detect and Report setting for the Script Remediation policy.

  1. Create (or modify) a policy using the Detect and Report setting and apply it to the desired device(s) for testing.
  2. The device(s) will receive the new policy according to the existing poll interval. To force a device to poll for an updated policy, run `WRSA.exe -poll` from the command line on that device.
  3. Run your scripts on the device(s). Any scripts detected as malicious will appear in the Threats Detected tab in the Webroot management console.
  4. If any scripts appear, you can choose to whitelist as needed (see above). If none of your scripts appear in this list, then they have been determined to be safe and will not trigger the Evasion Shield.
  5. After whitelisting necessary scripts, you can set the policy to Detect and Remediate, thereby enabling active protection.
