We have Sality infections spreaded over 350+ endpoints.
Webroot support simply suggested to re-image endpoints - which is obviously the latest thing we want to do.
Some endpoints (the file servers and some clients) we cleaned with ESET/Kaspersky boot CDs. ESET/Kaspersky found 100-600 infected files per endpoint, one files server had 68.000+ infected files that Webroot did not find!
but still the company cannot work as infected endpoints reinfect file shares, and then from file shares even cleaned PCs got reinfected again. We use Webroot on the servers, too, and it does not stop reinfection of shared folders!
We think maybe we should do a full scan with Webroot on all endpoints, but we cannot see any agent commandfor that in the console. How could we command Webroot to do a FULL scan on all endpoints in the Management Console?
Any other idea how to get rid of Sality?
How to have Webroot to do a FULL scan on all endpoints in the Management Console? (Sality infection)
This topic has been closed for comments
Already have an account? Login
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
Again, as to whether these tools can get 100% of the infection off of 100% of the machines, that's not guaranteed.
Also the reason Webroot doesn't find all the infected files is that we stop scanning after we encounter Sality, as continuing to scan just helps the infection to propagate further. At that point Webroot notifies you that the infection is present, but then stops to let you decide how to proceed. Hope that helps!
Thank you for taking care indeed!
All this sounds very bad, of course.
Re-imaging actually would mean that we have to re-image the whole office (including many servers and ~400 endpoints).
I expect Webroot support / threat research team to give more feasible advices.
Firstly, the very first task to do for an AV supporter is always: STOP MALWARE PROPAGATION.
So instead of talking about where WSA is week at and giving us 3rd party utilities, rather Webroot should explain us the ways Sality propagates / infects new files and how to block them doing it.
Eg. I experienced that Sality creates an autorun.inf file in the root dir of every network dive (mapped shared folder). Then an endpoint can get infected by simply the user opening that mapped drive in Explorer (when autorun.inf starts Sality in the background). So we can block this way of propagation in 2 ways:
a. disable autorun.inf execution on every endpoint
b. WSA client shall block creation of autorun.inf files pointing to malware (on the servers that are protected (?) by WSA)
So regarding point a., Webroot Support should have taken a look at our console to find out that we have Windows XP + Windows 7 desktops and Windows 2000, 2003, 2008 R2 servers running. They shall be able to check it in 1 minute in Group Management. After that, Webroot Support should have sent us this article in order to give advice how to disable autorun on endpoints:
Regarding point b. Webroot shall double-check if WSA client can block creation of autorun.inf files pointing to malware or not, and if not, they shall develop this, or basically, they could develop a "Block aurtorun.inf files from execution". Both feature can be solution not against Sality, but basically all the malware that try to propagate the same old-school way using autorun.inf.
So the above was steps Webroot support should have adviced at least.
Then again, we wanted to do a FULL scan on every endpoint via the console. I did not find out how to do it, so I wrote this question here. I still have no answer: how can we do it? Can anyone tell it, please?
This very is important, because we found that WSA finds and quarantines many infections if we do a FULL scan, but does not find any if we do a DEEP scan. So DEEP scan is not enough. We plan to remove as much malware as we can, and disable autorun.
Obviously, we think that new infections may not be anymore, as WSA is installed and protects yet uninfected files, doesn't it?
So we shall find files infected before WSA installation, and maybe reinstall some apps only.
After all, I expect Webroot Support really think about our situation much more parctically, and let us know all the ways of propagation + advice how to block that with Webroot or any other way + how to remove existing infections.
Can you talk to Support, please?
@ GyozoK - your points are well made . One thing I don't understand - you say you found that Webroot findsmore infections on a Full scan rather than a DEEP scan but then ask for instruction as to how to do a FULL scan . I am not following what you are saying - how can you know about the results of a FULL scan without knowing how to run the full scan ?
Sure, it is easy: we did FULL scan manually using the client UI on some machines, but I want to do FULL scan on ALL endpoints NOT manually (initiated from the console). :)
Hope this helps.
A customer who switched from another AV to Webroot, he switched _because_ he was not happy with that old AV. And he was not happy _because_ he got infected and could not remove the malware (Sality). So now he expects his new AV (Webroot) will do this job.
In other word, the customer was not about to switch AV until he found out that his that old AV (Panda) was bad at malware protection.
So, I can get your point that "we're a prevention tool, not a remediation tool for a pre-existing infection, ", but unfortunately this is not what the market needs (at least not those who switches AV - and frankly speaking only new companies may not swith AV, all others have something to switch from). Btw, Sophos had the same approach in the early 90's, they did not even had a removal functionality, only blocking in real-time. B ut once a malware could get through, you had no chance to remove. They said: "install Sophos on clean endpoints and then it will protect you". That turned out to be a bad approach years later: the market needed removal tools.
Rather, could we focus on my major question, the title of this post, please, as no words I got about that so far:
How to have Webroot to do a FULL scan on all endpoints via the Management Console?
So do not scan for malware just because Webroot's resources are not enough out there??!!
Ooooh! Now this is not only technically, but also as marketing message would hurt your good recognition on the market.
So, guys, why do not you just go and invest more in resources so to allow your customers do malware scans?
Nothing is impossible, take a lok at Google's clusters...
The Webroot response I see indicates that initiating a full scan of all endpoints is not available by design, and that it's a matter of not enough resources on Webroot's end to handle this kind of bulk processing request. OK, let's accept that for the moment.
If manually initiating a full scan of all endpoints is not an available option, is the original line of thinking here flawed? Put another way, is there ever a need to initiate a full scan of all endpoints? Unless explained otherwise, GyozoK's reasoning makes sense to me: he's wanting to be reassured about whether a currently-known threat still exists in his environment.
I'm looking for Webroot to explain, not just from a technical reason as to why ("there aren't enough resources at Webroot to support this") but from a security standpoint as to why this is not a necessary feature for your customers.
The Webroot agent does not rely on traditional definitions to make its’ determinations. The existence of any particular file is less of a concern than the file's behavior and how it interacts with your system. Therefore, only files that present risk are currently active and are examined during the scan. This is one of many ways Webroot is able to keep a small footprint concerning resource usage on the end machines. If a file is dormant but for whatever reason becomes active while a scan is not taking place, Webroot's advanced heuristics involved with our Real-Time Shield should catch this behavior and prevent any malicious behavior/actions from taking place.
At this time there is not a method of initiating full scans from within your console, only the option to "Scan a Folder". This option at this time will not recognize "C:" as a folder; however, some specific folders would need to be in place if you decided to go this route. This Agent Command would be located within your Group Management tab of your Endpoint Protection console. More on Agent Commands can be reviewed here.
When it comes to frequency of scanning, the agent performs this action on its’ own once a day unless otherwise specified within the policy settings (More on policy settings can be reviewed here). You can, however, adjust the poll frequency to be a little as every 15 minutes to have the agent check into your console more frequently for any additional policy changes or commands sent, including additional scan commands. With this said, our Real-Time Shield is consistently running around the clock to keep the system protected between scans while working alongside the additional protection coming from our Web-Threat Shield, Firewall, and Identity Shields.