We recently had a PUA alert from an endpoint, but the alert provided by Webroot didn’t have sufficient detail to be able to trace the executable that triggered the alert.
After contacting support, I’m told that it’s a feature request via the community to ask Webroot to include enough detail to be able to find the PUA file. I have to say I was surprised at this response, but here goes.
The alert below indicated that the path for the file was %cache%; however, this is an environment variable that changes based on the logged-in user, so in the absence of the username logged on at the time you cannot find the path.
Additionally, no reference is made to the action taken by Webroot, so I had no idea whether this PUA was left in place, quarantined, or happily running in memory. No idea.
I suspected the issue was just in the email, but found that the Webroot portal also did not include any additional detail and, worse still, trimmed much of the information in several locations, replacing parts of the filename and MD5 with …
So my request to the product owner and testers is to ensure that all alerts provide the following key info:
- What was found, where and within what user/security context.
- What Webroot did with it, quarantine, delete etc.
- If there is any expected action on the part of the reviewing technician, e.g. run full scan.
Site Name: BGG
Group Name: Workstations - Desktop
Policy Name: CCL-WKS-1
MYSCRAPNOOK.B66A79EA02404715A4787809F0274D3F.EXE, Pua.Mindspark, %cache%\, https://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx?MD5=1CF333750BC6E74DA3F91526EE80DEBC 1CF333750BC6E74DA3F91526EE80DEBC,
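Until the alert carries the user context, the only way to locate the file from the information above is to pull the MD5 out of the alert line and hash the cache folder of every user profile on the endpoint. The script below is an added example written for this post, not Webroot code; it assumes the alert layout shown above and treats the per-profile folder that %cache% expands to (`cache_subdir`) as an assumption you supply for your build, with the profile tree and sample file constructed in a temp directory.

```python
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse

# Constructed alert line, same layout as the one quoted in the post (name, detection, path, URL+MD5).
SAMPLE_ALERT = ("MYSCRAPNOOK.B66A79EA02404715A4787809F0274D3F.EXE, Pua.Mindspark, %cache%\\, "
                "https://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx"
                "?MD5=1CF333750BC6E74DA3F91526EE80DEBC 1CF333750BC6E74DA3F91526EE80DEBC,")

def parse_alert(line):
    """Return (file name, md5) from an alert line; the MD5 is read from the upload URL."""
    fields = [f.strip() for f in line.split(",")]
    url = fields[3].split()[0]
    return fields[0], parse_qs(urlparse(url).query)["MD5"][0].lower()

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def candidate_roots(profiles_dir, cache_subdir):
    """One search root per user profile, because the alert omits which user was logged on.
    cache_subdir is an assumption: the per-profile folder %cache% expands to on your build."""
    base = Path(profiles_dir)
    return [d / cache_subdir for d in sorted(base.iterdir()) if d.is_dir()]

def find_by_md5(md5, roots):
    """Hash every file under each existing root; return paths whose MD5 matches the alert."""
    hits = []
    for root in (Path(r) for r in roots if Path(r).is_dir()):
        for p in root.rglob("*"):
            try:
                if p.is_file() and md5_of(p) == md5.lower():
                    hits.append(str(p))
            except OSError:
                pass  # unreadable or vanished file; keep scanning the rest
    return hits

def demo():
    """Constructed profile tree: two users, a decoy file, and one planted match (not the real PUA)."""
    name, _ = parse_alert(SAMPLE_ALERT)
    with tempfile.TemporaryDirectory() as tmp:
        for user in ("alice", "bob"):
            (Path(tmp) / user / "Cache").mkdir(parents=True)
        (Path(tmp) / "alice" / "Cache" / "decoy.exe").write_bytes(b"harmless bytes")
        planted = Path(tmp) / "bob" / "Cache" / name
        planted.write_bytes(b"constructed sample bytes")
        hits = find_by_md5(md5_of(planted), candidate_roots(tmp, "Cache"))
        return hits == [str(planted)]
```

On a real endpoint you would pass the profiles directory (for example the Users folder) and the cache subpath for your build, and a match tells you both the full path and which user's profile it sits in.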