light bulb

Did You Know?

New Idea

I cant believe I was told by support to field this to a BLOG site but whatever. The idea is as follows. The software (webconsole) has no maitenance feature available for inactive licenses to be polled and placed to a folder that shows inactive and then to recover thos said licenses. In  a large environment such as education machines are replaced and or renamed and there are many thousand machines to try and keep track of issue a remove command and then sent them manually to inactive client, how shall we say , "This is impractical to maintain". WebRoot needs to develop a routing that allows the administrator to set a time frame of if inactive for (drop down box) 30-60-90 days) then free up the license so it can go back in the Enterprise licensing pool. I cannot believe that this has not been developed before now as other AV companies have routines to take care of licensing issues.

Hint guys at webroot. You want to go mainstream with Large campuses and Enterprises and you dont have this, they will go elsewhere.

Immediate email alert for new unknown process run (based on a CryptoWall infection)

Status: New
by Community Guide GyozoK ‎12-14-2015 12:12 PM - edited ‎12-14-2015 12:23 PM


We just got CryptoWall infection at one of custmoers with 1500 PCs.

Even though WSA client is capable to recognize new unknown processes starting on an endpoint, and even though it also reports it to the console, still the most important things are missing:

- send email alert to admins immediately when an endpoint reports new unknow process running on the endpoint
- be able to create a report in the console for a specific day that includes the new unknows started found on THE SPECIFIED DAY only

If we had these information, we possible could very quickly pinpoint the infection among the 1500 PCs.

Now we could not, because, just imagine, what is the best advice if you see files being encrypted on file server shares? Switch off the shares and disconnect the endpoints from LAN / INTERNET! Well, but then again, that would lead to several days off work, and you will be need to find the infected machine all offline.

So in our example, Saturday morning some user suddenly found encrypted files on a netwrok share. The share was swithed off. We saw the timestamps of HELP_DECRYPT.TXT files so we could see when the malware encrypted the files. It was Saturday morning. OK. Then, IF we had an alert about new unknowns of this Saturday then we could easily pinpoint  out of 1500 clients which ones were running an unknown process at the time of encryption - and we could stop only these PCs and let others work.

So, I believe, as I told it in 2012 several times to Webroot already: sending alerts about caugth viruses to admins (meaning existing "Threat Detected" and "" reports) is simply useless as they contain information after auto-remediation (auto-quarantining the malware). Some email collectors may like to get these alerts, but they will really not have any job with it.

Rather, admins need to focus on hidden things running in the environments, and those are the unknowns.
We need alerts for each and every unknown process immediately, just as soon as they first run! That is what admins must take care about! And then admins will have a chance to stay in control.

Kind regards,

Community GuideCommunity Guide

WSA 6500+ endpoints inatalled and maintained daily, 11+ years with Webroot, 1 yr Webroot MSP

It would be great if there was a way that you could see
what machines are monitoring or blocking an application from
the Secure Anywhere console without having to look at each individual machine.
This would make creating overrides much simpler.

Status: Reviewed

WSS, Reporting:  Custom reports require http:// to select domain

Potential Solution:  Add the option in Custom Reports to execute a “like” search, the default options force an exact word match



1.create custom report select Top users by page request for one domain

2.specify “including only” –save and run report –this will have no results

specify “including only” –save and run report –this will have no results

specify “including only” –save and run report –this will have results


Include only with should return all without having to specify https-http://


as per user guide

Specify Domain Specify the domain to include in this chart:

All generates reports on all users in the account. This is the default.

Including only includes domains with names that match the text you specify in the text box.

Excluding excludes domains with names that don’t match the domain you specify.

Note: You must enter a fully qualified domain name.

Status: Reviewed

As a managed service provider, every now and then I have to reinstall Webroot on a system because it isn't reporting in correctly, the service isn't starting right, or it isn't updating properly.  Fine and good.  However, once in awhile said system shows up as a new client in my Default Group; I might not find this until a day or two later, having not expected the behavior.


As an MSP (unlike in a single organization) this can be problematic, as multiple organizations may have a PC with a similar name.  However, there is no basic way within Webroot to identify a system by MAC address, querying any machine strings, etc. that might help me pin this down.  It would be incredibly helpful if there was something that could give me just a little bit of basic system information to help me.


Does this sound like a useful idea to anyone?

Status: Reviewed

I'd like to see the ability to create a report template that lists the "Threat History" as found in the Reports tab for a selected endpoint.


I've created a template where I have it autorun once a month and the closest thing the report template has is just a count of the threats detected.


I'd like to see the filename of the detection along with the type of malware what device it was found on and the status of the infection (deleted, quarantined, etc).


Seems like this feature could be added to the template since it exists at the endpoint level.

Add extra column for "Last Logged In User"

Status: New
by bweiss on ‎12-23-2015 02:55 PM

When viewing the endpoints on the groups tab there is a column that can be added for "Current User." This helps us identify whose computer is whose. The problem with this field is that when a user is not logged in the field is blank. Can we make a request to have a column added that references "Last user logged on" so that we can see the a username even if there is no current user?

A few new related ideas

Status: New
by smulvenon on ‎12-16-2015 10:10 AM

Here are a few feature requests that we have to make our experience with the software better.


1) The ability to search all sites, and manage Endpoints from all sites on one screen
     a) The ability to see all infected Endpoints on one screen (and manage them)
     b) The ability to see all Endpoints that have not checked in over a period of time (ie 30+ days) (and manage them)
     c) The ability to search for a specific Endpoint name in all sites (see #2 for why)


2) The ability to move Endpoints to other sites

     - We had a bunch (~250) of Endpoints get installed with the wrong code, and it will be a right pain to uninstall and reinstall all of them to try to get them to the right site


3) The ability to setup automatic responses to certain situations

     a) Infection found, run a predetermined series of scans or tasks
     b) Endpoint has not checked in for an amount of time, automatically deactivate
     c) Deactivated Endpoint starts checking in again, reactivate Endpoint automatically
     d) Send email alerts if certain things are found or if sequence did not clean the system

   - Define sequences based on site or system wide


Thanks, and I hope that these can be implemented.

We very much need a way to push out a client version manually to update a remote computer, and sometimes to push AV updates.  I know systems are supposed to check in at an interval, but there are times when a system that has recently checked in continues to report out-of-date to our management software, which is confirmed by the Webroot console.


Additionally, if there were an agent command to "Force reinstall of Webroot Agent" for a system that shows active but does not seem to be updating, that would be great.  The idea is to do this silently in the background so I don't need to call a client, remote into their system, and reinstall Webroot, interrupting them.


it would be nice to be able to check from the GUI and\or from the web console if a process is actually being monitored or not.

Now from the GUI in the active process panel a process is listed as monitored when the global determination of the file is Unclassified, regardless the fact that file is actually being monitored or not and an override is active.

At the moment the only way to check if a process is being monitored is looking at the wrlog.log. I think it would be way more easy and intuitive if it would be possible to check it on the GUI or from the console.


This because some processes are acting weird when being monitored by Webroot, and by now if we create a file\folder exception it's not easy to understand if that override is actually working or not.





Idea Categories
Top Kudoed Authors