I am trialling Webroot endpoint protection on a small network ( workgroup/no dedicated server) 3-5 endpoints.
We have two physically separate networks ( 3 endpoint and 4 endpoint). As the 3 point network does not need a constant internet connection we share one broadband connection as necessary ( simply physically connect the router to the appropriate network's switch).
On our lesser internet used network we recently had an external tech support technician log on do a remote sesion with Teamviewer to update some software. Although he could access the PC he was logged into he had problems accessing other files on mapped drives - he could "see" them but not access. I later discovered (email received late as internet connection was switched to smaller network) that Webroot had flagged an infection ( a false positive - both VirusTotal and Jotti's scan confirm ) on the PC he was logged into - Webroot is installed on that PC not the other two. I am now wondering whether it was actually Webroot which was blocking his access as the Webroot default policy seems to block unknown processes on an "infected" - even if a false positive - endpoint. I am presuming I am correct in my reading of the firewall policy ? As far as I know no firewall warning fired during his session and I can find no log of firewall events in the web interface logs.
I had trialled Prevx a couple of years ago but eventually had to remove it because of false positives taking up time. I would like to use Webroot as the client agent is so light on the system but I fear now that Webroot endpoint protection - with Prevx underlying it - might also be prone to false positives ( it has cropped up for us within a week of trialling) which would also silently block network access as well.
- Am I reading the situation/policy correctly ?
- What suggested changes to the default policy would I need to make ?
- Should the firewall not have an option to block internet but not local network traffic ? Switching the firewall off altogether would be too risky as then an unknown infection would have free rein to "phone home"/steal files/ passwords until it was recognised as bad in the Webroot cloud
- Should the logs not record firewall block events at least ?
All / any comments welcome. Thanks in advance