Complete

Persistent Logging

  • 19 September 2013

I have called support several times now and the one thing that frustrates me the most is that when you try to fix an issue first on your own before calling and actually make some headway on the issue, all logs are overwritten if you uninstall/reinstall, if you delete a user's profile where the file infection was, etc.
 
Saying the logs are not there because a company has failed to create a logging system, or a folder, that does not get deleted or overwritten with user profile changes/deletions, Webroot install/uninstalls, etc. is unacceptable in my book.
 
I am constantly told "we can't help because there's no logs." Well, it's your program, you decide how the logging works--so get it working! It's absolutely ridiculous that you can use "we can't help because there's no logs" as an excuse to not help/believe a customer.

5 replies

Userlevel 7
Hi DaysIT, I agree that logging is a weak point in the product, but can you expand on what you mean by the logs being per-user?
All program data is stored in %ProgramData%\WRData as far as I am aware, which is not per-user.
I want to find out more about your problem.
Then why do the engineers not know this? I had an issue with Webroot disappearing from a Terminal Server environment on a machine that was infected, so I re-installed Webroot to scan the machine (it removed the infection, but crashed).
 
The person on the phone said I "should not have done that" [that being reinstall Webroot on the machine] because it deletes all the logs relevant to it having been removed from the server, etc.
 
Also, originally, I had deleted a user's profile that was infected, and the person told me that because I had done that, they were unable to get the removal logs for that user to investigate further.
 
I keep finding that this is an excuse every time I call in for support, so I figure it's a pretty big issue. Either that or the support staff doesn't know that the logs should be under %ProgramData%\WRData (though I see them going there all the time).
Userlevel 7
They are correct in that uninstallation really does remove everything except a few identifier registry keys. I don't use WSA on a Terminal Server so the behavior may very well be different. Since Webroot support has access to your complete support history I think I'll leave the rest to them, though I'm very interested in the issues you're running into.
Userlevel 5
Customers actually get very upset when they find that we have left a file behind after uninstallation. This is tried and true. For those few out there that would like those files left behind, please make a copy/backup of the wrdata folder before uninstall. -Shawn
OK, so if people don't want any trace of Webroot, I can see that, but consider many other options; for instance, ask the customer to remove and never reinstall like some other programs do. Storing the log in, say, the user profile is an option. Providing management around the logs is a nice option: for example, do you want to maintain all logs on a log server or central location, do you want to overwrite logs by size or age, do you want to maintain logs with infection data versus less sensitive logs, do you want to send logs with infection back to Webroot as part of the uninstall? Being able to include logs in syslog collection would be ultra-nice for us because we have software to collect and analyze our syslog data. I am sure the community could come up with any number of other options as well. In our circumstance Webroot initiated the uninstall to fix an issue and the logs were not collected first, and basically we couldn't be helped further. Thanks for your thoughts and considerations. Our goal is to maintain everything an auditor would need in the event a Trojan were to infect us and transmit sensitive data out, or any similar situation.
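
The backup of the WRData folder suggested above, as an added PowerShell example (not part of the thread and not Webroot tooling): it copies the folder to a timestamped location outside the product directory and any user profile, and writes a SHA-256 manifest so the copy can be handed to support or an auditor later. The destination `D:\Evidence` and the `manifest.csv` file name are assumptions; run it elevated before any uninstall or reinstall.

```powershell
# Added example: preserve the Webroot data folder before an uninstall/reinstall.
# $Source is the folder named in this thread; $DestRoot is a hypothetical location
# outside any user profile and outside the product's own folder.
param(
    [string]$Source   = (Join-Path $env:ProgramData 'WRData'),
    [string]$DestRoot = 'D:\Evidence'   # assumption: adjust to your evidence share
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Source -PathType Container)) {
    throw "Source folder not found: $Source"
}

# One folder per host and UTC timestamp so repeated runs never overwrite each other.
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$dest  = Join-Path $DestRoot "$env:COMPUTERNAME-WRData-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$srcRoot  = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
$manifest = @(foreach ($file in Get-ChildItem -LiteralPath $srcRoot -Recurse -File -Force) {
    $relative = $file.FullName.Substring($srcRoot.Length + 1)
    $target   = Join-Path $dest $relative
    $status   = 'copied'; $hash = $null
    try {
        New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force
        # Hash the copy, not the live file, so the manifest describes what was preserved.
        $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    } catch {
        # Files held open by the running agent can fail; record that instead of stopping.
        $status = "failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        RelativePath     = $relative
        Length           = $file.Length
        LastWriteTimeUtc = $file.LastWriteTimeUtc.ToString('o')   # source timestamp
        SHA256           = $hash
        Status           = $status
    }
})

$manifestPath = Join-Path $dest 'manifest.csv'
$manifest | Export-Csv -LiteralPath $manifestPath -NoTypeInformation -Encoding UTF8
$failed = @($manifest | Where-Object { $_.Status -ne 'copied' }).Count
Write-Output "Preserved $($manifest.Count - $failed) files to $dest ($failed failed); manifest: $manifestPath"
```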
