Can malicious software uninstall Webroot?

  • 16 January 2017
  • 4 replies
  • 24 views

I started getting pop-ups on my browser (Chrome for PC).  I looked in the system tray, and the Webroot icon was there.  That's curious, I thought.  So I clicked on the Webroot icon.  It vanished!  That's weird, I thought.  So I used Explorer to go restart Webroot, and the whole Webroot folder was missing from c:program files and c:program files (x86).
 
Weird.  So I visited the GSM console, and found that my endpoint had been deactivated.
 
Oh oh... So I ran a few different malicious software removal programs.  Hitman Pro found and deleted a  Chrome extension and deleted it.  I reinstalled Webroot, and the icon came back.

4 replies

Userlevel 7
Hello @ and welcome to the Webroot Community.

I'd suggest bringing this to the attention of our Enterprise Support Team. They may need to gather more information to further diagnose what the cause is.

Business Technical Support: Call 1-866-254-8400
Open a Support Ticket: http://mysupport.webrootanywhere.com/supportwelcome.aspx?SOURCE=ENTERPRISEWSA
Userlevel 6
Badge +26
There is no known way to "deactivate" an endpoint without access to the GSM console. It sounds like someone with admin privledges who has access to the GSM console accidently sent the deactivate command to your host.
 
You can review who may have done this in the Log tab under the site where you endpoint was installed. There is a Command log which will tell you when that command was sent to your host name and audit log will tell you who sent the command.
 
There is no other way for a machine to be deactivated manually or maliciously.
 
If you feel that wasn't the case, then report the incident to support for further review as JP mentioned above.
Gassners and Shane, I too experienced Webroot Endpoint Protection being mysteriously uninstalled.
 
I have two AWS VMs (Windows servers) that had Webroot Endpoint Protection uninstalled with no explanation as to how it happened. I did open a ticket (61874) and Asked the Experts (https://community.webroot.com/t5/Product-Questions/Issues-with-Webroot-Endpoint-Protection-on-AWS-Windows-Servers/td-p/285294). I also spoke with Stephen and he saw that Webroot was no longer installed, but there were remenents of it having been installed.
 
I checked the Webroot console log and did not see any unistall entries. When Stephen and I checked the ProgramDataWRData folder on the servers there wasn't any log files. Just db files.
 
We reinstalled the software and it seems to be working. BUT this experience has raised some serious concerns about the trusting Webroot. BHC01
Userlevel 2
Badge +13
I would suggest that anyone experiencing spontaneous uninstallation should do a thourough audit of the system in question. Anything found during this investigation should not be deleted. You should contact support and upload a sample of any potential malware you find.
 
For example, OP mentioned that he found something with Hitman Pro. Was that sample submitted to Webroot?

Reply