We would like to make a feature request to have Webroot integrate with N-able RMM tool to send alerts, information, and anything relevant that can show up in the N-able console. Bonus would be an easy way to deploy Webroot through N-able.
Today I booted my PC and saw the red alert Webroot icon. Opened the UI and saw this:
Sure I got excited and wanted to know immediately what malware is active on my system!!!
Isn't it that you also wanted to know immediately what infection is active on your PC?
1) As a simple home user (not IT expert) I realized that I simply do not have any chance to get any details - I cannot click anywhere for more details!!! Why? Why isn't there any "Details" button/link yet to help me out of this scary situation?
2) As an IT expert, of course, I opened the "Control active processes" window - but I found nothing being monitored!!!
IF any threat were active now, I believe that should be monitored, as far as I understand the logic of SecureAnywhere. Why is there nothing being monitored??? It scares me even more! The malware must be hiding very well! I have a malware active and I cannot get to know what it is!!! SOS SOS SOS to the World!!!
3) As a more experienced IT expert (but hey! stop! Webroot users may never be required to get to be an experienced IT expert just for getting detailed info about a malware alert) I saved and checked threat log first. Nothing! Oh my Good God, I have an active threat and
- no details on UI available
- it is not even logged in threat log
4) Ok, so very last chance is if I could find anything in the scan log. Let's go for it! Exported. Wow, I found the following in the scan log:
Tue 2016-03-08 11:13:59.0441 Infection detected: d:\letoltesek\mediainfo_gui_0.7.81_windows.exe [MD5: B8906012C0AEC3EB8A61B189F41AE47C] [3/00001400] [W32.Malware.Ml.Vt]
Tue 2016-03-08 11:13:59.0768 Scan Results: Files Scanned: 61528, Duration: 16m 12s, Malicious Files: 1
Tue 2016-03-08 11:13:59.0862 Scan Finished: [ID: 646 - Seq: 2147000000]
Tue 2016-03-08 11:17:56.0639 Agent Bits : 0
So I got it, finally! So nice to be an expert log-reader! Webroot, thank you for using my built-in human intelligence and years spent in the IT university in relation to using your products for the common people! Give me a double-kudo NOW and get me to the next level!
Ok, so I got the malware logged. But, why logged only?! If it is found, why was it not quarantined immediately, so that I would have received a quarantine message instead of a malware alert red icon? What if I do not even notice the red icon? Have you conducted a survey about how many percent of common computer users would notice this red icon and know what to do with it? I bet it would be very low %. Furthermore, there is not any advice what to do now...
Very very poor implementation of
- malware found logic and
- alerting logic
It all needs to be reinvented, Webroot.
Now, there's a little more if we take a look what was found as a malware expert:
mediainfo_gui_0.7.81_windows.exe is not really a malware, it only has an adware (Opencandy) inside the installer, thus it should have been classified as "PUA/Opencandy". Others classified it as a PUA, too:
So, here go my feature requests:
Reinvent actions on found malware and make the product usable for your customers, especially for common people, so:
1. add a window to show details of found malware on UI and make it easy to access
2. if a threat is found (no matter if during scan or real-time), log it in the threat log (not in the scan log only)
3. if a threat is found during such circumstances when user action is impossible (eg. booting boot-up or when user is logged in) make sure
- you quarantine the malware
- you notify the user in detail, the very next time the user logs in, about what was found & quarantined when user action was impossible
Well, I wonder if Webroot's development manager ever ever used this product and ever cared about this annoying red icon without details? Webroot, why don't you want me as a development manager? For that money, I will even take care of the basics of computer software products usability features. I guarantee I use the product myself and will make a development plan that fits much better to the needs of the users, including admins.
Why am I telling this unusual offer? Because:
1. I do not like to be scared by any AV that I have a malware active (which at the end turns out not to be active at all)
2. or if the AV scares me because it has to, I really do not feel comfortable if I cannot get the details at my hands easy
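The manual scan-log reading described in the post above, as an added example that is not part of the original post or of Webroot's own tooling: it pulls the path, MD5 and detection name out of "Infection detected" lines and cross-checks them against the scan's "Malicious Files" count. The line layout is inferred only from the four log lines quoted above, and the function and variable names are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the scan log quoted in the post above.
SAMPLE_LOG = r"""Tue 2016-03-08 11:13:59.0441 Infection detected: d:\letoltesek\mediainfo_gui_0.7.81_windows.exe [MD5: B8906012C0AEC3EB8A61B189F41AE47C] [3/00001400] [W32.Malware.Ml.Vt]
Tue 2016-03-08 11:13:59.0768 Scan Results: Files Scanned: 61528, Duration: 16m 12s, Malicious Files: 1
Tue 2016-03-08 11:13:59.0862 Scan Finished: [ID: 646 - Seq: 2147000000]
Tue 2016-03-08 11:17:56.0639 Agent Bits : 0
"""

# Day name, timestamp (sub-second field ignored), then the message body.
LINE = re.compile(r"^\w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ (.*)$")
# Path, MD5, any middle bracketed fields (meaning not documented on the page,
# so they are skipped), and the last bracket as the detection name.
INFECTION = re.compile(
    r"^Infection detected: (?P<path>.+?) \[MD5: (?P<md5>[0-9A-Fa-f]{32})\]"
    r"(?: \[[^\]]*\])*? \[(?P<name>[^\]]+)\]$")
RESULTS = re.compile(r"^Scan Results: .*Malicious Files: (\d+)")


def parse_scan_log(text):
    """Return (detections, unparsed, mismatches) for an exported scan log."""
    detections, unparsed, mismatches, seen = [], [], [], 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognized line
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        body = m.group(2)
        if body.startswith("Infection detected:"):
            seen += 1
            hit = INFECTION.match(body)
            if hit:
                detections.append({"time": when, **hit.groupdict()})
            else:
                unparsed.append(raw)  # keep odd lines visible, never drop them
        elif (res := RESULTS.match(body)):
            # Cross-check the scan's own count against the lines we saw.
            if int(res.group(1)) != seen:
                mismatches.append((when, int(res.group(1)), seen))
            seen = 0
    return detections, unparsed, mismatches


if __name__ == "__main__":
    found, odd, bad = parse_scan_log(SAMPLE_LOG)
    for d in found:
        print(f"{d['time']}  {d['name']}  {d['path']}  MD5={d['md5']}")
    print(f"unparsed={len(odd)} count_mismatches={len(bad)}")
```

A non-empty `unparsed` or `mismatches` result means the log contains detection lines this layout does not cover, so the summary should not be trusted as complete.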
I am looking for a consolidated report that can have all the active groups with their respective number of agents on it. At this time the reports only show the total number of agents on the report without separating the number of groups.
I can have the report with the separate groups on separate reports but needed to have a single consolidated report.
Hope this request is taken care.
As a managed service provider, every now and then I have to reinstall Webroot on a system because it isn't reporting in correctly, the service isn't starting right, or it isn't updating properly. Fine and good. However, once in awhile said system shows up as a new client in my Default Group; I might not find this until a day or two later, having not expected the behavior.
As an MSP (unlike in a single organization) this can be problematic, as multiple organizations may have a PC with a similar name. However, there is no basic way within Webroot to identify a system by MAC address, querying any machine strings, etc. that might help me pin this down. It would be incredibly helpful if there was something that could give me just a little bit of basic system information to help me.
Does this sound like a useful idea to anyone?
We just got a CryptoWall infection at one of our customers with 1500 PCs.
Even though WSA client is capable to recognize new unknown processes starting on an endpoint, and even though it also reports it to the console, still the most important things are missing:
- send email alert to admins immediately when an endpoint reports new unknown process running on the endpoint
- be able to create a report in the console for a specific day that includes the new unknowns started found on THE SPECIFIED DAY only
If we had this information, we possibly could very quickly pinpoint the infection among the 1500 PCs.
Now we could not, because, just imagine, what is the best advice if you see files being encrypted on file server shares? Switch off the shares and disconnect the endpoints from LAN / INTERNET! Well, but then again, that would lead to several days off work, and you will need to find the infected machine all offline.
So in our example, Saturday morning some user suddenly found encrypted files on a network share. The share was switched off. We saw the timestamps of HELP_DECRYPT.TXT files so we could see when the malware encrypted the files. It was Saturday morning. OK. Then, IF we had an alert about new unknowns of this Saturday then we could easily pinpoint out of 1500 clients which ones were running an unknown process at the time of encryption - and we could stop only these PCs and let others work.
So, I believe, as I told it in 2012 several times to Webroot already: sending alerts about caught viruses to admins (meaning existing "Threat Detected" and "" reports) is simply useless as they contain information after auto-remediation (auto-quarantining the malware). Some email collectors may like to get these alerts, but they will really not have any job with it.
Rather, admins need to focus on hidden things running in the environments, and those are the unknowns.
We need alerts for each and every unknown process immediately, just as soon as they first run! That is what admins must take care about! And then admins will have a chance to stay in control.
WSA 6500+ endpoints installed and maintained daily, 11+ years with Webroot, 1 yr Webroot MSP
Some companies are using a syslog server and they are gathering and managing servers' logs in Syslog Server.
So I really recommend Webroot should provide a new function which can send all logs on Webconsole syslog server.
Adding the option to export current policies and have the ability to import it to another site. Also, allowing customers to export policies allows customers to compare policies side by side in an Excel sheet.
I perform remote management and monitoring for an MSP. I have set up alerts to let us know when a client's system is infected, so I will get a quick e-mail.
My issue is that I get the e-mail, but it does not tell me what action Webroot has taken (or attempted to take) and whether that action was successful. This means I need to go to the console to check if the system has an infection; half the time Webroot removed the threat, and I wasted time having to check on a system that was taken care of already.
I need the alerts to show me not just that there was a threat, but how it was addressed. I do not see a way to do this. If anyone else has suggestions to the alert process that are within these general lines, feel free to add to this suggestion.
There should be a possibility to have an AD integration where a "connector" checks all devices that, for example, are connected to Exchange. If the device is new then an automatic email with enrollment should be sent.
Today we have a lot of users who don't have Webroot installed; maybe the enrollment could be even easier, and maybe also translated?