Solved

Endpoints needs attention, even after clean up...

  • 18 November 2016
  • 8 replies
  • 3666 views

Userlevel 2
 Hi,
 
I was wondering why my site is always displaying the "endpoints need attention". I cleaned up the computers. I did many full scans after and all of them said Protected and did not show any infected files anymore. But in my console I see the "endpoints need attention, last threat on 11-16-2016 (2 days before)" for the same 2 computers. Is there a way to reset in the console so that they are now viewed as protected?
 
I don't know if you understand my issue...

Thanks!

Best answer by coscooper 21 November 2016, 17:09

@ - This is a common question and the short answer is, they usually take a few days to cycle. If your policy poll setting is 24 hours (daily), then it could take up to 72 hours to clear at the site/GSM level. It's not going to be instant, so give it a few days. Just know, the endpoint is in good shape and has been remediated.
 
Keep in mind, there's really nothing you need to do once a machine has reported a threat. The WSAB agent has already remediated the file (put it in quarantine), rolled back any changes the file potentially performed and rescanned the machine for additional remnants and/or references.
Userlevel 1
Just curious, what is the purpose for this? If it doesn't need attention because of automatic remediation then why does it need attention? Sorry, maybe I'm too literal but wouldn't a more specific alert be more useful?
I too was hoping the Needs Attention would go away but it just doesn't. 

IMHO I also think that when attention is given and issue is resolved that the needs attention GOES AWAY! as it no longer needs attention. Then each time I open the control panel I don't want to see it since it really does not need my attention. Or does it because it was re-infected and I need to check it again and again and again... Frustrating.
Userlevel 2
Badge +6
I will move this to a product request, but wouldn't it make more sense then, for the Needs Attention alert to read "Threat Detected and Removed" (like an unread status) and once you opened that site and reviewed it, it would disappear, basically marking the alert as READ. This would be much nicer. I have technicians re-scanning the same machine for a day or two because it still says that it needs Attention. It should be clearer that action has already been taken.
Also I have had scenarios where Webroot will continue to find the same file over and over again after I have created an Over-Ride and marked it as Bad and told the agent to "Cleanup"; it seems the only way to truly remove it is a remote session and manually open the local agent to approve the removal.
Userlevel 1
Couldn't agree more!!  Would really really like to see a more descriptive status.  "Threat Detected and Removed", or "Threat Detected and Quarantined", would be fantastic.   Our Engineers are also wasting valuable time confirming that the threat has been removed because it keeps saying it "needs attention".  
 
Also what would be VERY helpful would be if there was an Alert you could create for "Threat Detected - Remediation failed".  As it stands right now I can only create an Alert for "Threat Detected".  But in truth I really don't care to know every time a threat was detected.  I just want to know when it was detected but unable to clean it.  
Userlevel 6
Badge +24
All comments here have had valid points.
 
I too have had the issues with overrides.
 
I too have had clients that continue to say Needs Attention
 
I too (have made feature requests as well) needed Webroot to show me what action was already taken (threat remediated, threat could not be removed, file blocked but not quarantined, remove manually, whatever) because needing attention is vague, and combined with Needs Attention not updating, having true knowledge of what is going on is difficult at best, impossible at worst, and frustrating to open a client ticket to remediate an issue only to find Webroot did at the client end but the alert never went away on the GSM side.
Badge +1
Just wanted to add to this that I opened a case for this exact issue, and what fixed it for me was uninstalling the agent from the affected computer (can be done through console), removing the %ProgramData%\WRData folder, and then reinstalling it and letting the initial scan complete. So not perfect, especially since other agents were able to be cleared up from same "infection" with just regular cleanup, but better than nothing. 🙂
Badge +3
We are also experiencing the same issue with one of our clients: Endpoint detects threat -> Console lists the endpoint as needing attention -> Only options available when selecting the endpoint are: (1) Create Override, (2) Show all PCs which have encountered this file, and (3) Restore from Quarantine. In most cases, none of these options are viable. It's been longer than 5 days for one endpoint and the message is still there. We simply want the "Needs Attention" alert to go away if the threat has been remediated or addressed. A previous post stated that a fix can be to uninstall the program, delete the WR folder, reinstall and scan. This is not a viable solution. What can be done to ensure that the "Needs Attention" message disappears when the threat is addressed? Thank you.
