Endpoint Protection and GSM KB

Learn how to secure your environment against ransomware
View full article
What is CryptoLocker?

CryptoLocker is most often spread through booby-trapped email attachments and uses military grade encryption. The malware can also be deployed by hacked and malicious web sites by exploiting outdated browser plugins.

Webroot's Threat Brief on CryptoLocker

Can Webroot Protect Customers Against It?

Encrypting ransomware (CryptoLocker, CTB Locker, Critroni, CryptoWall, etc.) is a very difficult infection to remediate because it uses the RSA public-key encryption algorithm to encrypt user files with unique encryption keys for each computer. Once a user's files are encrypted this way, it is next to impossible to decrypt them without access to the private key, which is stored on the remote servers used by the malware author(s). There are currently no tools capable of decrypting these files without the private key. As long as SecureAnywhere is installed prior to infection, all encrypting ransomware should be detected and removed before it is allowed to make any changes on the computer. Threat Research already has many rules in place to detect the known variants of CryptoLocker at or before execution, but it is important to remember that malware is constantly changing and we cannot guarantee that we will initially detect all new variants.

For best practices on securing your environment from encrypting ransomware, please see our community post: https://community.webroot.com/t5/Webroot-Education/Best-practices-for-securing-your-environment-against/ta-p/191172

Read more about CryptoLocker in these posts on the Webroot Community:

- Additional Conversations About CryptoLocker
- CryptoLocker malware targeting the UK - comment from Webroot
- NCA warns UK of mass CryptoLocker ransomware attacks - comment from Webroot
View full article
We have integration with the following RMM and PSA software:

- Continuum
- Kaseya
- LabTech
- Autotask
- ConnectWise
- NinjaRMM
- Atera

There are more integrations in the pipeline and I'll keep this list updated as they roll out.
View full article
Global whitelist overrides can now be set at the file or folder level as well as at the traditional MD5 (Message-Digest algorithm 5) level in Endpoint Protection. This upgrade allows greater flexibility in the deployment of overrides and means that multiple related MD5 overrides no longer have to be whitelisted individually; instead, the whole associated directory can simply be whitelisted.

Note: If you detect or remove a file before an exclusion or override is in place, you will need to uninstall then reinstall, or ensure that the detected files are restored from quarantine. If the files are still located locally in the quarantine or block/allow tab, the exclusion does not work.

To create a whitelist override:

1. Log in to your Endpoint Protection console. The Endpoint Protection console displays, with the Status tab active.
2. Click the Overrides tab.
3. The system displays the Overrides panel, with the Whitelist tab active.
4. Click the Create button. The system displays the Create override window.
5. In the Override Name field, enter a name for the override.
6. Do one of the following: If you're done, click the Save button. To create a Folder/File override, continue with this procedure.
   Note: To use File/Folder overrides, please make sure endpoints are running version 9.0.1 or higher of Webroot SecureAnywhere Endpoint Protection. Earlier versions support MD5 overrides only.
7. In the New Whitelist Entry window, select the Path/File radio button. The system displays the Create override window with the relevant fields.
8. Use the information in the following table to populate the fields.

Field: Description
Override Name: Enter a name for the override.
Override Type: You have already selected the Path/File radio button.
File Mask: Target a file or group of files by specifying a file mask with optional wildcards, for example *.exe to target all executable files in the selected folder. This defaults to all files in the selected folder/path if not specified.
Path/Folder Mask: The folder to target with the override. You can specify an absolute path, for example x:\myfolder\, or a system variable with an optional path, for example %SystemDrive%\myfolder. The default supported environment variables are displayed when you type % (percent); however, you may use any variable you have set up on the target machine, with the exception of user variables, which are not supported. You may not use %temp%, for example, as this refers to a specific user's temp directory ('username/temp/'). Wildcards are not supported.
Include Sub-folders: Select this checkbox to apply the override to all sub-folders within this folder.
Detect if Malicious: If this setting is enabled, Webroot will continue to protect the user against threats originating from the selected file/folder whitelist override but will disable monitoring and journaling. This is primarily used to improve performance when monitoring and journaling are being applied to a large number of files with an unknown determination. Disabling this setting provides a true whitelist, allowing files to run without Webroot protection.
Global (GSM) Override: Selecting this will make the override global for every site under the current GSM Console.
Apply to Policy: Do either of the following: Select Yes to apply the override to a specific policy, global policies included. Select No to apply to all policies on the selected site.

9. When you're done, click the Save button.
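As an added illustration (not Webroot's code), the following Python models how the Path/File fields described above are evaluated against a file on an endpoint, following the rules in the table: wildcards only in the File Mask, system variables but no user variables in the Path/Folder Mask, sub-folder inclusion, and the difference between "Detect if Malicious" and a true whitelist. The SYSTEM_VARS table, the function names and case-insensitive matching are assumptions of this model.

```python
import fnmatch
import ntpath
from dataclasses import dataclass

# Constructed system-level variables of the target endpoint. Per-user variables
# such as %temp% are deliberately absent: the article says they are not supported.
SYSTEM_VARS = {"SystemDrive": "C:", "ProgramFiles": r"C:\Program Files"}


@dataclass
class PathFileOverride:
    name: str
    path_mask: str                    # absolute path or %SYSVAR%\sub\dir, no wildcards
    file_mask: str = "*"              # article: defaults to all files in the folder
    include_subfolders: bool = False
    detect_if_malicious: bool = True  # True: known threats still blocked; False: true whitelist


def expand_path_mask(mask: str) -> str:
    """Resolve a Path/Folder Mask to a normalised folder, enforcing the article's rules."""
    if any(ch in mask for ch in "*?"):
        raise ValueError("wildcards are not supported in the Path/Folder Mask")
    if mask.startswith("%"):
        var, _, rest = mask[1:].partition("%")
        if var not in SYSTEM_VARS:
            raise ValueError(f"%{var}% is not a supported system variable")
        mask = SYSTEM_VARS[var] + rest
    return ntpath.normpath(mask).lower()


def covers(ov: PathFileOverride, file_path: str) -> bool:
    """True when file_path sits in the override's folder (or a sub-folder, if enabled)
    and its file name matches the File Mask. Case-insensitive, as Windows paths are."""
    folder = expand_path_mask(ov.path_mask)
    parent, name = ntpath.split(ntpath.normpath(file_path).lower())
    if not fnmatch.fnmatchcase(name, ov.file_mask.lower()):
        return False
    return parent == folder or (ov.include_subfolders and parent.startswith(folder + "\\"))


def action(ov: PathFileOverride, file_path: str, known_malicious: bool) -> str:
    """Model of the outcome: 'normal' (not covered, usual monitoring), 'allow' (runs
    without monitoring/journaling) or 'block' (covered, but Detect if Malicious wins)."""
    if not covers(ov, file_path):
        return "normal"
    if known_malicious and ov.detect_if_malicious:
        return "block"
    return "allow"


if __name__ == "__main__":
    ov = PathFileOverride("lob tools", r"%SystemDrive%\myfolder", "*.exe", include_subfolders=True)
    for path in (r"C:\myfolder\tool.exe", r"C:\myfolder\sub\tool.exe", r"C:\myfolder\notes.txt"):
        print(path, action(ov, path, known_malicious=False))
```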
View full article
When attempting to use proxy settings with Webroot SecureAnywhere Business - Endpoint Protection, there are two methods to allow the Webroot product to communicate with our cloud servers. These are listed below.

Option 1: Enter a proxy bypass (Recommended)

Enter a proxy bypass for g*.p4.webrootcloudav.com

Note: if you choose this option, be sure that the wildcard mask (*) is supported. If not, you will need to add 100 separate URLs, e.g. g1, g2, g3, ..., g99, g100.

Option 2: Enter proxy information on each endpoint

Note: This option is only recommended if you are unable to use option 1.

1. Open the SecureAnywhere Endpoint Protection Group Management tab, open a group, and select an endpoint.
2. In the Policy column of the selected endpoint, double-click its policy name to open a list of available policies.
3. Select the unmanaged policy and apply. A red flag on the new policy name reminds you that you've made a change.
4. Click Save Changes.

Once applied, go to each individual endpoint workstation and follow the instructions below.

5. Open SecureAnywhere Endpoint Protection from the system tray icon.
6. Click Settings.
7. In the Settings window, open the Proxy tab.
8. Enter your proxy information.
9. Click Save All to save your changes.

After entering the proxy information, you can move the machine back to the original policy.

Tip: The best way to test proxy settings is to ensure there is no Internet access via the default gateway. You can hardcode an IP address and subnet mask for the endpoint's network card without adding a default gateway or DNS server. As long as the proxy server is on the same subnet, you can be sure that the only Internet access is via the proxy server.

If you are not using a proxy to filter traffic but a firewall is in place, please allow Webroot's path masks through the firewall, listed below:

- *.webrootcloudav.com (this will cover the g-URLs as well as several other target addresses)
- *.*.webrootcloudav.com (some devices don't like a single * for URLs that contain dots in the value of *)
- *.p4.webrootcloudav.com (in case a device doesn't like multiple *'s)
- *.compute.amazonaws.com (this will cover inbound communication from the Amazon cloud servers)
- *.webroot.com (for future communications)
- *.webrootanywhere.com (for future communications)
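The three webrootcloudav.com masks exist because devices disagree on whether * may span a dot. The Python below is an added example (not Webroot's code) that checks a host against the masks above under both readings and also generates the 100 explicit bypass entries for Option 1; the function names and the two matcher implementations are this example's own.

```python
import fnmatch
import re

# Firewall path masks listed in the article, in the order given.
FIREWALL_MASKS = [
    "*.webrootcloudav.com",
    "*.*.webrootcloudav.com",
    "*.p4.webrootcloudav.com",
    "*.compute.amazonaws.com",
    "*.webroot.com",
    "*.webrootanywhere.com",
]


def bypass_hosts():
    """The 100 explicit bypass entries for a proxy that cannot accept g*.p4.webrootcloudav.com."""
    return [f"g{n}.p4.webrootcloudav.com" for n in range(1, 101)]


def match_dot_spanning(mask, host):
    """'*' matches any run of characters, dots included (the usual proxy/firewall reading)."""
    return fnmatch.fnmatchcase(host.lower(), mask.lower())


def match_single_label(mask, host):
    """'*' matches exactly one DNS label and never crosses a dot: the stricter reading
    some devices apply, which is why the article also lists the *.*. and *.p4. forms."""
    parts = re.split(r"(\*)", mask.lower())
    pattern = "".join(r"[^.]+" if p == "*" else re.escape(p) for p in parts)
    return re.fullmatch(pattern, host.lower()) is not None


def covering_masks(host, matcher=match_dot_spanning):
    """Which of the article's masks admit this host under the chosen wildcard semantics."""
    return [m for m in FIREWALL_MASKS if matcher(m, host)]


if __name__ == "__main__":
    for host in ("g17.p4.webrootcloudav.com", "www.webroot.com"):
        print(host)
        print("  dot-spanning :", covering_masks(host, match_dot_spanning))
        print("  single-label :", covering_masks(host, match_single_label))
```

Under the single-label reading the first mask alone would not admit the g-URLs, so a device with that behaviour needs the second or third entry as well.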
View full article
Webroot now has an integration with LabTech. Watch this video to learn more about how that works.

Q. What is LabTech?
A. LabTech is a remote monitoring and management (RMM) platform used by IT service providers to manage the environments of the businesses they support.

Q. What benefit does integrating with Webroot bring?
A. It allows you to manage your Endpoint installations from one convenient tool, rather than having to go to multiple locations for each software package that you support as an MSP.

Q. Where can I learn more after watching this?
A. Here's a link with more information.

Q. Enough with the questions, can we get to the video now?
A. Sure thing, here it is:
View full article
LusyPOS is a new variant of malware that was used in the Target breach. It combines code from two other pieces of malware named Dexter and Chewbacca. It targets Point of Sale (POS) systems with a view to stealing customer information and credit card data stored in RAM. It uses the encrypted Tor network to communicate with the server that collects the data.

To protect your POS systems from this threat we recommend:

1. Using an antivirus and malware detection system that detects LusyPOS. Webroot SecureAnywhere will detect and prevent LusyPOS.
2. Making sure that your firewall blocks communications that attempt to access the Tor network.

Additional resources to learn more:

- http://www.networkworld.com/article/2854093/new-pointofsale-malware-on-underground-markets-for-2000.html
- https://community.webroot.com/t5/Security-Industry-News/New-point-of-sale-malware-on-underground-markets-for-2-000/m-p/174835
View full article
Question: How do I enable/disable Webroot Filtering Extensions in endpoints?

Answer: This solution addresses Webroot SecureAnywhere Business - Endpoint Protection.

Internet Explorer

With the release of Webroot PC agent version 9.0.3 and the Web Filter version 1.2, the Web Filtering browser extension for Internet Explorer is now installed automatically, without prompting. In addition, the extension cannot be removed from the browser directly but can be removed via the Webroot PC agent user interface. Follow these steps to disable the extension in Internet Explorer.

1. Close all open instances of Internet Explorer.
2. Open the Webroot SecureAnywhere PC agent interface.
3. On the Main screen, click the Advanced Settings button in the upper right corner.
4. Select Firewall / Web Shield from the left hand column.
5. Uncheck the box for Activate browser extensions.
6. If the Captcha feature is enabled, enter the requested Captcha and press Continue.
7. Close the settings window using the "X" in the upper right corner.

Upon restart of the browser, the Webroot Web Filtering extension is removed.

Note: The browser extensions provide important protection features including detection and blocking of malicious websites, search annotations for search engine results from Google, Yahoo and Bing, as well as Realtime Anti-phishing protection. If the browser extensions are not activated, this protection is not available.

Firefox ESR (Extended Support Release) and Chrome (on domain managed machines only)

With the release of Webroot PC agent version 9.0.3 and the Web Filter version 1.2, the Web Filtering browser extensions for these browsers are now installed automatically, without prompting.

Note: in Firefox ESR the Webroot Web Filtering browser extension is not displayed in the Add-ons Manager at all due to the enforced installation. In addition, the extensions cannot be removed from these browsers directly but can be removed via the Webroot PC agent user interface. Follow these steps to disable the extensions.

1. Close all open instances of the browsers.
2. Open the Webroot SecureAnywhere PC agent interface.
3. On the Main screen, click the Advanced Settings button in the upper right corner.
4. Select Firewall / Web Shield from the left hand column.
5. Uncheck the box for Activate browser extensions.
6. If the Captcha feature is enabled, enter the requested Captcha and press Continue.
7. Close the settings window using the "X" in the upper right corner.

Upon restart of the browser, the Webroot Web Filtering extension is removed.

Note: The browser extensions provide important protection features including detection and blocking of malicious websites, search annotations for search engine results from Google, Yahoo and Bing, as well as Realtime Anti-phishing protection. If the browser extensions are not activated, this protection is not available.
View full article
Managing your alerts with Webroot couldn't be easier. 
View full article
Sometimes Webroot Support may ask for a packet capture when troubleshooting an issue for you, or you may wish to obtain a packet capture for yourself. Here is how to do that:

1. Hold down the Ctrl key and right-click the DWP tray icon.
2. Select Network Packet Capture from the pop-up menu. The Network Packet Capture window opens with the path to your desktop selected. The desktop is the default output path.
3. Click Start Capture to accept the default folder, or Browse to another folder and then click Start Capture.
4. Click Close to hide the window. A notification bubble opens over the DWP icon periodically, reminding you that the capture is running.
5. When you have captured enough data to recreate the problem you're troubleshooting, Ctrl/right-click the DWP icon to open the Network Packet Capture window and click Stop Capture.

The capture results are available in the DWP_Pcaps folder on your desktop or other specified location. The folder is identified by the date and time of the capture. The DWP_Pcaps folder contains one folder for each capture, which contains a .pcap file for each adapter found, and the AdapterNames.txt file.

If support has requested the packet capture, please follow up with them. You can contact technical support to determine the best way to send the .pcap files to them. These files are very large.

US Business Support: 877-612-6009, Email: saassupport@webroot.com
UK/EMEA Phone: +44 (0) 800-804-7015, Email: saassupport@webroot.com
APAC Business Support outside of Australia: +61 (0) 2-8071-1903
Support in Australia: (Free Call) 1-800-212-640, Email: saassupport@webroot.com
View full article
The "human firewall" (your users) is often the weakest security link. A lot of lip service is paid to user security education, and with the advent of online self-paced courses there is no excuse not to use those tools to educate your users about the risks they face in the office and when using the Internet at home. If a user receives an invoice, receipt, or any other form of attachment from someone they are unfamiliar with, chances are it's bad. For emails carrying Word documents, it is also advisable to warn users not to click "Enable Content" when the email comes from an unfamiliar source.
View full article
If you have failed to stop ransomware from successfully encrypting your data, then the next best protection is being able to restore your data and minimize business downtime. Bear in mind when you are setting up your backup strategy that crypto-ransomware like CryptoLocker will also encrypt files on drives that are mapped, and some modern variants will look for unmapped drives too. Crypto-ransomware will look for external drives such as USB thumb drives, as well as any network or cloud file stores that you have assigned a drive letter to. You need to set up a regular backup regimen that at a minimum backs up data to an external drive, or backup service, that is completely disconnected when it is not performing the backup. The recommended best practice is that your data and systems are backed up in at least three different places:

- Your main storage area (file server)
- Local disk backup
- Mirrors in a cloud business continuity service

In the event of a ransomware disaster, this set-up will give you the ability to mitigate any takeover of your data and almost immediately regain the full functionality of your critical IT systems.
View full article
You can customize alert messages and send them to a distribution list whenever the following types of events occur:

- Endpoints reporting an infection
- New SecureAnywhere installations on endpoints

For both of these event types, you can customize the alerting method so administrators receive a message as soon as the event occurs or on a schedule, such as daily, weekly, or monthly. Using a setup wizard in the Alerts tab, you can customize the subject heading and body of the messages. You can also use variables to add information about the endpoints triggering the alerts, affected groups, and other specifics about the event.

Note: To customize alerts, you must have access permissions for Alerts: Create & Edit.

To implement an alert:

1. Create a distribution list based on email addresses. List members do not need to be defined in the Manage Users panel of the Management Portal. For more information, see Creating Distribution Lists.
2. Create alert messages that are sent to the distribution list whenever endpoints report an infection or SecureAnywhere is installed on an endpoint. For more information, see Creating Customized Alerts.

All your customized alerts display in the Alerts tab.
View full article
Cybercriminals scan the internet daily for systems with commonly used RDP ports, brute-force them with weak usernames/passwords, and attempt to gain access. Once access has been gained, they can deploy variants of ransomware, create user accounts, and download other unwanted malicious software. Here are some tips you can use to help secure RDP and prevent this type of attack.

Preventing scanning for an open port:

- Restrict RDP to a whitelisted IP range
- Require two-factor authentication, i.e. smartcards
- Use protection software to prevent RDP brute-forcing
- Create a GPO to enforce strong password requirements: https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
- Block RDP (port 3389) via firewall
- Change the default RDP port from 3389 to another unused port. To change the default port, execute the following in an elevated command prompt:

    REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v PortNumber /d XXXX /f

  The parameter "XXXX" is the port number you would like to move RDP to. It is recommended to choose a random port number that is not in use and outside of the 33XX port range.

It is also important to monitor possible intrusions with Windows Event Viewer. This will show you what cybercriminals may be doing to try and get in, and help you adjust and use different security measures in your environment. Here's an example to filter event logs for the event ID "4625" (An account failed to log on).
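The Event Viewer filter above shows individual 4625 events; what a defender usually wants next is which source addresses are hammering the host. The Python below is an added example (not Webroot's) that parses 4625 records in the Security log's XML form (Event Viewer's "XML View", or what a SIEM export carries) and flags sources exceeding a failure threshold in a sliding window; the sample records, the threshold and the function names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def event_xml(event_id, when, user, ip, logon_type):
    """Build one record in the shape the Security log shows in Event Viewer's XML view."""
    return (
        f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data><Data Name="IpAddress">{ip}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>'
    )


# Constructed sample: one source trying several accounts in under a minute, one stray
# failure from another address, and one successful logon (4624) that must be ignored.
# Logon type 10 is RemoteInteractive (RDP); with NLA enabled failures often show type 3.
SAMPLE_XML = [
    event_xml(4625, "2024-01-05T10:00:01Z", "administrator", "203.0.113.9", 10),
    event_xml(4625, "2024-01-05T10:00:09Z", "admin", "203.0.113.9", 10),
    event_xml(4625, "2024-01-05T10:00:17Z", "backup", "203.0.113.9", 10),
    event_xml(4625, "2024-01-05T10:00:26Z", "scanner", "203.0.113.9", 10),
    event_xml(4625, "2024-01-05T10:00:35Z", "administrator", "203.0.113.9", 10),
    event_xml(4625, "2024-01-05T10:01:02Z", "jsmith", "198.51.100.20", 10),
    event_xml(4624, "2024-01-05T10:01:30Z", "jsmith", "198.51.100.20", 10),
]


def parse_event(xml_text):
    """Return the event id, timestamp and EventData fields of one event record."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    when = system.find(f"{NS}TimeCreated").get("SystemTime")
    fields = {d.get("Name"): d.text for d in root.find(f"{NS}EventData")}
    return {
        "event_id": int(system.find(f"{NS}EventID").text),
        "time": datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"),
        **fields,
    }


def find_rdp_bruteforce(xml_records, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> {"failures", "accounts"} for sources with at least `threshold`
    4625 events inside any `window`-long span. Local failures (IpAddress "-") are skipped."""
    by_ip = defaultdict(list)
    for rec in map(parse_event, xml_records):
        if rec["event_id"] == 4625 and rec.get("IpAddress") not in (None, "-"):
            by_ip[rec["IpAddress"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["time"] - first["time"] <= window]
            if len(in_window) >= threshold:
                flagged[ip] = {
                    "failures": len(recs),
                    "accounts": sorted({r["TargetUserName"] for r in recs}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_XML).items():
        print(f"{ip}: {info['failures']} failures against {', '.join(info['accounts'])}")
```

Sources that show up here are the candidates for the firewall whitelist and port changes described above, and a run of different account names from one address is the usual signature of a password-spraying scanner rather than a user mistyping a password.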
View full article
From the Alerts tab, you can easily create a distribution list of users who will receive alert messages. For example, you might want to create a list of administrators who need to respond to threat detections at a remote office.

Note: You can also create a distribution list in the Create Alert wizard. For more information, see Creating Customized Alerts.

To create a distribution list:

1. Click the Alerts tab.
2. In the Distribution Lists column, from the Command bar, click Create. The Create Distribution window displays.
3. In the List Name field, enter a name for the list.
4. In the Email Addresses field, enter the email addresses of the recipients, with each address separated by a comma.
5. When you're done, click the Save button. The new list is added to the Distribution Lists panel.

To delete the list later, highlight the name of the list and, from the Command bar, click the Delete icon.
View full article
Webroot SecureAnywhere Business Endpoint Protection System Requirements

For Desktops: Minimum system requirements

Desktop operating systems: Webroot SecureAnywhere can be installed on a computer with one of the following operating systems:

- Windows® 10, 32 and 64-bit
- Windows 8, 8.1, 32 and 64-bit
- Windows 7, 32 and 64-bit
- Windows Vista®, 32 and 64-bit
- Windows XP®** SP3, 32 and 64-bit
- Windows XP** Embedded
- Mac OS X 10.7 (Lion®)
- Mac OS X 10.8 (Mountain Lion®)
- Mac OS X 10.9 (Mavericks®)
- Mac OS X 10.10 (Yosemite®)
- Mac OS X 10.11 (El Capitan®)
- Mac OS X 10.12 (Sierra®)
- Mac OS X 10.13 (High Sierra®)

**must support SHA-2

For Servers: Minimum system requirements

Server operating systems: Webroot SecureAnywhere can be installed on a server with one of the following operating systems:

- Windows Server® 2012 R2 Standard, R2 Essentials
- Windows Server 2008 R2 Foundation, Standard, Enterprise
- Windows Server 2003** Standard, Enterprise, 32 and 64-bit (must support SHA-2)
- Windows Small Business Server 2008, 2011, 2012
- Windows Server Core 2003**, 2008, 2012
- Windows Server 2003** R2 for Embedded Systems
- Windows Embedded Standard 2009 SP2
- Windows XP Embedded SP1, Embedded Standard 2009 SP3
- Windows Embedded for POS Version 1.0
- Windows Server® 2016 Standard, Enterprise and Datacentre

**must support SHA-2

For VM Platforms: Minimum system requirements

Virtual machine support: Webroot SecureAnywhere can be installed within the following virtual machine environments on supported operating systems:

- VMware® vSphere® 5.5 and older (ESX®/ESXi 5.5 and older), Workstation 9.0 and older, Server 2.0 and older
- Citrix® XenDesktop® 5, XenServer® 5.6 and older, XenApp® 6.5 and older
- Microsoft® Hyper-V® Server 2008, 2008 R2
- VirtualBox

For Browsers: Minimum system requirements

Browser versions: Webroot SecureAnywhere provides support for the following browser versions:

- Google Chrome® 11 and newer
- Internet Explorer® version 11 and newer (Windows XP IE8)
- Microsoft Edge® (partial support)
- Mozilla® Firefox® version 3.6 and newer
- Safari 5 and newer
- Opera 11 and newer
View full article
We are continuously developing new material to help protect individuals against ransomware and other threats. Here are a few of our recent publications that you may share with your friends, family, and co-workers.

- Whitepaper - Q&A: The Truth About Crypto Ransomware
- Webinar - Defeating Polymorphic Phishing
- Webinar - Cloud Security Best Practices for Defending Against APTs
- Podcast - Protecting Against Emerging Ransomware
View full article
All Webroot SecureAnywhere® solutions are fully cloud-based, which means you don't have to worry about maintaining on-premises hardware or software. What's more, our protection works in real time, so there are no definition files for you to update, and the Global Site Manager (GSM) console makes it easy to remotely manage security on your endpoints.

The GSM was purpose-built to streamline management for multiple sites and locations, and it supports policies at the global and individual site level. That means you can set some policies to apply to all locations, while other policies apply only to specific sites or locations. You can even manage access rights and permissions alongside the administration of all your sites.

With our cloud-based management and full remote endpoint administration, delivering global management becomes extraordinarily cost-effective compared to conventional antivirus, making it ideal for businesses of all sizes.

Here's how easy it is to deploy Global Site Manager:

1. Create sites and locations:
   - One site for each entity
   - One site for multiple entities, if applicable
2. Create and assign policies
3. Add more administrators and assign permissions, if applicable
4. Configure Global Alerts, if applicable
5. Deploy SecureAnywhere software across all computers in your network
View full article
As the impact and severity of crypto-ransomware threats and attacks has grown over the past 2½ years, we have published many blogs and articles on how best to defend against these modern day extortionists. We do not believe that our business or consumer customers should have to choose between extortion and losing precious, irreplaceable data. We often get asked the leading question: "Which endpoint security solution will offer 100% prevention and protection from crypto-ransomware?"

The simple answer is none.

Even the best endpoint security (which we pride ourselves on innovating and striving towards) will only be 100% effective most of the time. At other times the cybercriminals will have found ways to circumvent endpoint security defenses and their attack will likely succeed. Each day many ransomware campaign operators create a new variant which is re-packed, making it once again undetected by all antivirus.

- Use reputable, proven, multi-vector endpoint security
- Back up your data
- User education
- Disable execution of script files
- Patch and keep software up to date
- Secure weak usernames/passwords which have Remote Desktop access
View full article
All your customized alerts are listed in the Alerts tab with a status of Active. From here, you can edit an alert by double-clicking in its row. On the right side of the panel are the distribution lists you defined.

If needed, you can display or hide additional data about the alert messages.

To view a defined alert message: Click a column header to open the drop-down menu, then do either of the following:

- Select a checkbox to add a column.
- Deselect a checkbox to remove a column.

The information in the columns is described in the following table.

Column: Description
Alert Name: The name defined in the Create Alert wizard. This column is static and cannot be hidden.
Alert Type: Displays one of the following alert types: Infection Detected, Endpoint Installed, Infection Summary, Install Summary.
Distribution List: The email recipients for this alert.
Date Created: The date the alert message was defined.
Created By: The administrator who created the alert message.
Date Edited: The date, if any, that the alert message was modified.
Edited By: The administrator who modified the alert message, if applicable.
Status: The alert status, which is either Active or Suspended.
View full article