Can you clarify what "Infected" really means against an endpoint

  • 16 August 2012
  • 4 replies

I am currently conducting a trial of Webroot installed at a remote office in Malaysia, from Australia.  Yesterday I received an email that one of the PC's there had been "Attacked", and checking the console this morning I see the message :
Alert 1 Endpoint needs attention We recommend you check whether this endpoint has automatic remediation enabled on the assigned policy.
The endpoint shows as "Infected" by Malware called "W32.Rogue.32".   The PC was last seen yesterday afternoon, a few minutes after the Malware was detected.   There is no clean scan recorded. 
My question is : How do I know what action was taken by Webroot, or do I have to assume the file was quarantined ?   There does not seem to be any way to see a log of the actions performed either successfully or not.
I find the message "Infected" rather alarming as it implies there is still an infection .....

Best answer by Shawn 17 August 2012, 16:29

View original

This topic has been closed for comments

4 replies

Userlevel 5
This message indicates that there is an infection on the machine that was not able to be removed possibly due to the policy configuration. I recommed calling the Webroot Support team in your area to get further assistance with this issue.
Thank you,
Webroot Enterprise Support
Unfortunately due to a public holiday in Malaysia, our office there is closed and the Laptop seems to have been turned off every since the virus was detected (at least I hope that is the case, and the Malware is not interferring with Internet connections).
We will wait until Monday when we can make contact with the user, and then contact Webroot support if there is indeed an issue.
In the meantime, I have checked the policy which is the same for all machines and it definitely has automatic remediation turned on.  
I take it from your reply that there is no easy way to tell what actions were taken on the client to quarantine or roll back, even though the EP has reported in with the infection.

Hello Andy,
When an endpoint is listed in the 'Endpoint Needs Attention' section on the status page, it typically means that we have detected malware that we have been unable to remove automatically. This could be for a number of reasons:
1. Automatic remediation has been disabled - you have clarified that this is not the case.
2. The malware was already on the PC before SecureAnywhere was installed so we don't have the journal history to perform a clean roll-back. This is rare because we are also able to perform 'generic' cleanups like competing products rely on. If you do have an infection that your old product missed, our advanced malware removal team would be happy to clean it up for you free of charge,
3. We have detected a PUP (Potentially Unwanted Program) such as a toolbar. We consider many toolbars to be malicious, but the user may have legitimate reasons for using them. Therefore we prefer the user to uninstall the toolbar, or an override could be created.
Either way, it should be fairly rare for this to happen.
Because the malware hasn't been "cleaned up" yet, there are no further actions for the console to report on. However, you can be rest assured that your endpoint and its data are protected from the malware (if it is indeed malware):
1. Webroot's unique outbound Firewall will prevent the infection from communicating to its command and control centre
2. Webroot's unique Identity & Privacy shield will generically protect your sensitive applications and their data from information-stealing malware, protecting against threats such as keyloggers, screen grabbing, man-in-the-browser attacks and many more.
Please feel free to reach out to your systems engineer once the laptop has been turned back on and we will try to clarify exactly what happened and what we can do it resolve it.
Systems Engineer
Userlevel 5
After further testing, I found that if I have the Silent Audit policy assisnged to an endpoint that becomes infected, it will desplay that message in the console. This is also the case when you have a policy configured to not auto-remediate threats, which is the main function of Silent Audit.
If that is not the case this could be a new variant of a rootkit that we would like to investigate further.
Please let us know if you have any further questions or need further assistance with that endpoint.
Webroot Enterprise Support