Complete

New alert when endpoints not seen for a long period of time

  • 20 August 2014
  • 42 replies
  • 22174 views

Userlevel 4
For some reason, Secure Anywhere stopped working on several endpoints.  It was weeks before we knew a problem actually existed, during which time one of the PCs was actually infected with a virus.
The only reason I found out was by looking on the web console at the "Last Seen" date and I noticed that several PCs had not been seen in weeks.
Rebooting those PCs and then installing the newer build of Secure Anywhere seemed to solve that problem.  But, it would have been nice to know that there was a problem in the first place.  The Secure Anywhere icon sat in the tray and looked like it was protecting us, but it was doing nothing.  Right-clicking on it produced no results, and you couldn't even open the program.
 
I request a new alert be created that will e-mail the endpoint/PC name, date "Last Seen", and version fo Secure Anywhere if an endpoint has not been seen for a given number of days (that we can set on the alert).
I'd like to know when an endpoint hasn't been seen for more than 3 days as that is highly unusual in our organization...even when people are on vacation.
 
Thanks,
John

42 replies

Userlevel 3
You're not alone there. 
 
This is an epedemic on multiple sites and it'd be nice to know when Webroot is failing so we can re-install it. 
 
Thanks for your post. I second this request!
Userlevel 7
Badge +56
This one has been evaluated by the escalations team and entered into our database - still awaiting prioritization.
+1
It would be even better if you could get an alert when the WSA client has any problems. In order to achive that we would either need a second service which checks the state of the WRSA.exe process or perhaps a scheduled task.
I have a trial going right now and I have had this problem with a handful of endpoints. It appears to be running but is not. Along with everything said in the original post I would also not that the "Right Click scan" stop working as well. I have had to reinstall the client on on PC the other 3 are on 24/7 and only required a reboot. It is odd like the client gets stuck or something.
I would like an email alert when the devices are not up to date after a certain period of time as well. I know there's a dashboard in beta right now showing the versions, but that is not accurate at all.  I had a server that was out of date about a month ago and it got infected, after installing the most recent update.. sure enough it found the virus right away. 
 
I restarted 20 devices that were stuck in the "Not seen recently" state and 15 were corrected after a restart. Is there any update on prioritizing this? It's very time consuming to go look at 30 different sites on a daily basis to check for updates/last check in date.
Apologies for resurecting an old post but on the subject of workstations reporting "not seen recently" I've got over a dozen that are reporting this way, that a reboot doesn't fix but when I try to reinstall it says "managed from the web interface".  
 
I've tried "refreshing the configuration" but it says its all managed in the cloud, which is where its not been seen recently...
 
Being new to Webroot deployment and management any clues as to how to a) avoid "not seen recently" messages occuring in the first place and b) how to get rid of them would be appreciated.
 
Thanks
 
C
I have had to uninstall Webroot with Revo Uninstaller in some cases, then reinstall Webroot. The best way to avoid the not seen recently is to restart the device daily. 
This feature is very important to us especially since we are a bank and a public company. (audit, audit, audit) 
Userlevel 2
I agree, this feature would be very helpful.  
 
However, in regards to getting the agents to check back in, I believe I have found a way to get Webroot to check back in WITHOUT rebooting!  
 
I have tested this on servers mainly, but I believe it will work on workstations also.  When the agent is un-responsive (thus not checking in), but appears to be running. (Right-clicking the icon does nothing or you try to run a scan and it sits at 0%)  Go to the main directory of WRSA.exe and open properties.  Verify that an administrative account has full permissions for WRSA.exe.  I have found that either our admin account was not set to it or on workstations a standard account was set to run it.  Once you give any of those accounts "Full Control" this seems to almost always resolve my issue with Webroot not checking in because then it can update itself properly.  Once you do this, I usually am able to force close the WRSA.exe processes through task manager, then Webroot will either restart itself automatically or you can do it manually.  Then it should become responsive and you can do a "refresh configuration" command which will make it check in very quickly.  Sometimes a log off and log back on works too, but it is much better than rebooting!  I hope this helps.
I gave Administrator full rights and even ownership of WSRA.exe and when I try to end the task, it still comes up as Access is denied. 
Userlevel 7
Badge +56
Yeah that's by design, as there might be a malicious process with Admin rights that might be trying to kill Webroot to protect itself.  You'll need to go into safe mode with networking if you need to uninstall and don't have the uninstall password or the endpoint isn't checking in.
It's been about 8 months since last update for Under Consideration 
 
 
Has this changed at all? I just went to my first site and 4/8 servers had not checked in since February and 1 hadn't checked in since end of March. 
Userlevel 2
Cody,
 
Try re-installing over it now with the most updated agent.  I think that is the last thing I tried after giving admin rights and it worked.  (It has worked for me on about 4 different server agents.)  Also, try shutting down protection by right-clicking the icon first if you can and then re-install over the top.
Installing lastest version over the top didn't work. I can't manually shutdown protection as we have that option disabled in the policy.  Going to restart them after hours. 
Userlevel 2
Alright, each situation is slightly different.  I just fixed one and all I had to do was change the policy to allow the shutdown protection option come up.  Then I simply restarted Webroot from the WRSA.exe program (This was after I added my user to the WRSA.exe security tab, not entirely sure if that is necessary or not.) and it checked in and automatically updated itself.  (This one had been disabled for about a month.)  Thanks for trying my theories though.
Userlevel 2
Update on this topic:
 
I was able to restore functionality to Webroot on multiple servers without rebooting by ADDING a new admin account with full control permissions in its security tab that was not their before.  That NEW account will stay there until you get a new instance of Webroot running.  This new admin account with full permissions will allow you to kill the process which most likely has its "Commit" memory maxed out over 2,000,000 KB which is why it is locked up or un-responsive and not checking in.  I had to use the CMD prompt on a few and use the taskkill command with the force option to kill Webroot.  Once the new Webroot instance comes back, it should now be responsive!  Once it is like this, please make sure that if this is a server that it has the "Recommended Server Defaults" policy set or a policy copied from that set.  I hope this helps other people resolve their issues with Webroot being unresponsive and locked up.
Userlevel 1
I would like to have a chart on the dashboard to indicate how many agents that have not checked in recently.
 
A time frame of 3-5 days would be a good start or if it could be variable, that would be better.

I was going thru the clients/sites and noticed that one hadn't checked in since 7/24 and thought that a dashboard chart showing the not checked in agents would be helpful.
Yes please to the original request! 
 
 
I would like to add to this that it would be awesome to have a report that I could set up on a schedule that gives me a list of the endpoints and the dates they were last seen.  We have about 300 sites now and managing "Last Seen" has been a problem for us. 
We would really like to see this as well.  We have a set number of licenses that we are always maxing out.  When one machine gets replaced, we need to go in and deactivate the license for it.  It would be nice to get emailed a report so we don't forget to do this. 
Business Secure Anywhere Alerts
 
There really should be an alert for endpoints not seen for X period.
I would like to know if an endpoint has not checked in and the setting should be endpoint or policy driven.
Home or even some office computers may not checked in becasue they are asleep or off for the night so you might set a longer time on them say 72 hours
 
On the server side I would want to know asap that it has not checked in. No need to send the alert twice once it comes back online the alert resets itself. If it has not checked in for 15 minutes send me an alert.
 
I found 3 computers and 1 server that had not checked in for 6 Days all easy fixes but what if they weren't? 
When you log into the endpoint status console there is a little windows that show endpoints that have not checked ( default is 24 hours ) nice and all but with home and office computers being turned off that number can change daily and btw its 24 hours old. I also do not find the need to log into the console daily so that even increases the lack of awareness time.
 
Thanks for listening.
 
2 years later & still no news on this? 
 
I had an incident with a customer recently where their machine had not reported back in ages, webroot had become disabled & the user got Crypto'd, as did the file server. 😞 Of course, this was the owner of the company & he was not best pleased to say the least. 
 
End result, we looked incompetant for not noticing & the client lost faith in Webroot. 
It's been a year since I added my Kudo to this request. Just today I ran into another case of discovering late that an Endpoint had not been reporting into the Console. It would be really appreciated if this request could be addressed.
 
For those of us still waiting, here's a potentially helpful workaround support informed me of today:
 
Each endpoint keeps track of the last time it successfully made contact with the Console within the following registry Key:
 
HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeWRDataStatusUpdateTime
 
If you convert the hex value to a standard date & time you can determine when the client last successfully checked in. So IF you are running an additional RMM tool on your managed PCs then you can potentially have your RMM tool check that reg key and send an alert if the the endpoing hasn't checked in recently.
 
Not a perfect solution (and I definitely hope Webroot will simply give us the built-in alert we need) but knowing about this Registry key is definitely a better solution than what I was aware of yesterday. 
 
I can't believe this hasn't been done.  Ive lost clients because of this, we have no visibility into whether systems are updated and actively communicating.
 
 
Hi Guys,
                Well come to forum site. We Secure Anywhere stopped working on several endpoints.  It is was weeks before we knew a problem actually existed, you during which time one of the PCs was actually infected with a virus.This is only reason I found out was by looking on the web console at the "Last Seen" date. We are noticed that several PCs had not been seen in weeks.

Reply