False report on Mac OS Sierra?

  • 26 October 2016
  • 30 replies
  • 230 views

Userlevel 3
Hi,
 
We are receiving reports from Webroot of a detection that I am not sure is true... How do I know if it is a false positive?
 
The report log is below:-
 
Automated Cleanup Engine
Starting Cleanup at 2016-Oct-26 11:40:30
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
Automated Cleanup Engine
Starting Cleanup at 2016-Oct-26 14:52:31
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
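Two things in this log are worth checking locally while a ticket is open: the flagged file is a copy of a core OS framework sitting inside a Time Machine backup, and the logged MD5 is all zeros, so the entry carries no hash that could be looked up. The Python below is an added example, not code from the thread or from Webroot: it parses the "Detected ... [Name: ..., MD5: ...]" line, maps the backup path back to the live system path (including the installer's .PKInstallSandboxManager staging tree), and compares hashes of the backup copy and the installed copy. The volume name "Macintosh HD" is taken from the log, and the helper names are this example's own.

```python
"""Added triage example (not from the thread or Webroot): parse a Webroot Mac
"Automated Cleanup Engine" detection line for a file inside a Time Machine
backup, map it to the live system path, and compare hashes of the two copies.
Assumes the default volume name "Macintosh HD" seen in the log."""
import hashlib
import os
import re
import tempfile
from typing import Optional

# Detection line copied from the thread above (first cleanup entry).
SAMPLE_LINE = (
    'Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/'
    '2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/'
    '3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/'
    'CoreFoundation.framework/Versions/A/CoreFoundation '
    '[Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]'
)

DETECTED_RE = re.compile(
    r'Detected (?P<path>.+?) \[Name: "(?P<name>[^"]+)", MD5: (?P<md5>[0-9a-fA-F]{32})\]'
)
# Apple's installer stages system files under this hidden sandbox tree.
SANDBOX_RE = re.compile(r"^\.PKInstallSandboxManager-SystemSoftware/[^/]+\.sandbox/Root/")


def parse_detection(line: str) -> Optional[dict]:
    """Extract path, detection name and MD5. An all-zero MD5 means the log
    carries no usable hash, so nothing can be looked up from it."""
    m = DETECTED_RE.search(line)
    if not m:
        return None
    md5 = m.group("md5").lower()
    return {"path": m.group("path"), "name": m.group("name"),
            "md5": md5, "md5_present": md5 != "0" * 32}


def live_path_for_backup(backup_path: str, volume: str = "Macintosh HD") -> Optional[str]:
    """Map /Volumes/.../Backups.backupdb/<host>/<date>/<volume>/X back to /X."""
    marker = f"/{volume}/"
    idx = backup_path.find(marker)
    if "Backups.backupdb" not in backup_path or idx == -1:
        return None
    return "/" + SANDBOX_RE.sub("", backup_path[idx + len(marker):])


def file_hashes(path: str) -> dict:
    """MD5 (to compare with vendor lookups) and SHA-256 (for the actual check)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def compare_backup_to_live(backup_path: str, live_path: str) -> dict:
    """Byte-identical copies are strong evidence the backup copy is just the
    OS's own framework; a mismatch is what to escalate with the ticket."""
    b, l = file_hashes(backup_path), file_hashes(live_path)
    return {"backup": b, "live": l, "identical": b["sha256"] == l["sha256"]}


def self_check() -> dict:
    """Run the comparison on constructed files, so no real backup is needed."""
    with tempfile.TemporaryDirectory() as d:
        same_a, same_b, other = (os.path.join(d, n) for n in ("a", "b", "c"))
        for p, data in ((same_a, b"\xcf\xfa\xed\xfe" * 64),
                        (same_b, b"\xcf\xfa\xed\xfe" * 64),
                        (other, b"tampered")):
            with open(p, "wb") as f:
                f.write(data)
        return {"same": compare_backup_to_live(same_a, same_b),
                "different": compare_backup_to_live(same_a, other)}


if __name__ == "__main__":
    det = parse_detection(SAMPLE_LINE)
    live = live_path_for_backup(det["path"])
    print(det["name"], "| hash recorded in log:", det["md5_present"])
    print("backup copy:", det["path"])
    print("live copy:  ", live)
    if os.path.exists(det["path"]) and live and os.path.exists(live):
        print(compare_backup_to_live(det["path"], live))
```

Run it on the Mac that owns the backup. A SHA-256 match with the installed /System/Library/Frameworks/CoreFoundation.framework binary means the quarantined file was the OS's own framework; on macOS, `codesign --verify` on the live copy adds a signature check on top of the hash comparison. Whatever the result, the hash pair is the evidence to attach to the support ticket.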


Userlevel 6
Badge +26
I would suggest opening a support ticket and having them escalate your request to our AMR team for validation. They can provide details as to whether this is valid or not. PUAs are a common issue on the Mac, more common than you'd think. (I run a Mac daily and WR finds PUAs a few times a month.)
 
The one thing I noticed was that WR is looking at your Time Machine volume. I would suggest, under Scan Settings, turning off "Scan archived files". This will tell WR not to scan Time Machine backups and ZIP files, which could impact performance.
Userlevel 3
Thank you for your response, much appreciated, and I will turn off archived file scanning ASAP :)

Cheers,
Beckey.
Userlevel 3
Just one more question...
 
To turn off archive scanning, would it be the 4th tickbox down in the screen shot below, as it doesn't have anything next to it, and I don't want to disable something important...!
 
[screenshot]
Userlevel 7
Badge +56
Hello,
 
I will ping one of our Mac experts and she will let you know the best settings: ?
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +62
Hello BeckeyB,
 
This is how I have my Mac set up with Webroot. No do not turn off archive scanning, I have had this checked for years without any issues.
[screenshot]
Userlevel 7
Badge +56
? would your suggestions impact system performance in a Business environment you think? Just wondering as you know I'm not a Mac user. Also your and the OP's pictures don't match? Could it be the version? GUI issue in the Business version?
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +62
Hello again Becky,
 
I am not familiar with the Business version but here is some information concerning the Time Machine.
 
Please go into the Mac scan settings and uncheck "Scan Mounted drives". Otherwise it will take forever to complete.
 
Here is the Mac User Guide for more information. The Mac Business Guide
 
Have a look at this THREAD
 
And here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/How-long-does-it-take-to-scan-350-G...
 
 
In some cases, Webroot will detect a threat that is located on your backup, such as Time Machine. If the files are in the backup, then they cannot hurt your system. You would have to restore the files from the backup to get them on the system, and at that point the Real Time Shield in Webroot would find and remove them. Even though Webroot cannot remove these files, as space for newer backups is needed the older backups will be deleted. This will delete the threats from the backup as well.

We recommend if Webroot continues to detect these files that you uncheck the box next to them on the removal page. This will tell Webroot to ignore the files in their current location.

If you would like to remove these files manually from the backup in Time Machine, you can use the following steps:

Note: This action is permanent, and will impact all past backups on the given Time Machine drive, even backups from the distant archives on that drive. For this reason, be absolutely certain you want to remove an item before deleting it, otherwise you may end up missing data you would have wanted to keep.

1. Open the backup manager by pulling down Time Machine menu item and selecting, “Enter into Time Machine.”
2. Navigate to the directory location of the files/folders you want to remove.
3. Right-click on the folder or file you want to remove and select “Delete all backups of [File Name].”
4. Confirm the removal.

As the process is the same whether you are deleting the backup of a file or an entire folder, please be careful to only select the items you wish to delete. You cannot recover these files.

Another option available to Time Machine users is to exclude the files and folders from being backed up by the Time Machine. You can add them to the exclusion list which will permanently block the files/folders from being backed up in the future. By doing this, the infected file will eventually be deleted from the backup over time and prevent it from ever getting re-introduced to the drive should it be installed on the computer again.
 
Hope this helps.
Userlevel 7
Badge +56
Sherry can you look at my edit and see my questions.
Userlevel 7
Badge +62
@ wrote:
@ would your suggestions impact system performance in a Business environment you think? Just wondering as you know I'm not a Mac user.
 
Thanks,
 
Daniel ;)
Sorry Daniel, I am not sure about the Business side of Webroot. It is possible that scanning the archives could slow down performance. It would be best to ask Support IMO. It doesn't hurt to uncheck scanning of archived files and see how it works.
Edit: This is what I see in the Business version of Webroot. http://live.webrootanywhere.com/content/553/Changing-Scan-Settings
Userlevel 7
Badge +56
Look at both pictures posted!
Userlevel 7
Badge +62
Yes the Business is different:
This is what the GUI looks like here and I would have my setting set like this below.
http://d3hj48gy07tbjf.cloudfront.net/LIVEIMGS/00-F-consumer/macagent/scansettingspanelfeb.png
 
 
Userlevel 7
Badge +56
This is not right in the OP's picture compared to yours. GUI Issue? Version issue? Maybe ? can tell us!
 
[screenshot]
Userlevel 7
Badge +62
@ wrote:
This is not right in the OP's picture compared to yours. GUI Issue? Version issue? Maybe @ can tell us!
 
[screenshot]
I see that, and this is very strange to me. Seems like something is missing, doesn't it? Maybe a reinstall would fix this? Not sure.
Userlevel 7
Badge +62
Another thing that should be looked at and that's this article here:
https://www5.nohold.net/Webroot/ukp.aspx?pid=12&app=vw&vw=1&login=1&json=1&solutionid=2587&
 
Userlevel 3
I have the same version installed on 8 macs and they all have that bit missing... Just a check box with no writing...
Userlevel 3
Also, I think i'd keep the archived files checked as I like zip files to be scanned... just in case!
Userlevel 3
I've just looked at the mac instructions from the link posted earlier and run the update as we have an earlier version than suggested. So I ran the update as per the instructions but it says we have the latest version?!? I think I may uninstall and reinstall from a new download...
 
[screenshot]
Userlevel 7
Badge +62
Hi Beckey.

 Please submit a support ticket just to be safe. You could try reinstalling if you want to try that first.

Thanks
Userlevel 7
Badge +62
Hi  again Beckey,
 
May I ask that you let us know how things are going? I am curious to know what the outcome is when you have a chance.
 
Thank you so much!
Userlevel 6
Badge +26
All - something doesn't look right with a few of the screens I've seen and I'd definitely update or reinstall if menu fields are NOT presenting properly. Definitely open a support ticket so they can track this metric for getting it fixed if there's an issue.
 
Turning off scanning archives was a suggestion for Time Machine, and I personally do not scan ZIP files because I don't want WSAB to spend a lot of time dealing with the high number of zip files on my machine and, to be frank, I do have/store known bad PUAs and other files on my personal system. (Hey... I work for Webroot and we all have bad stuff we keep around for testing. 8-)
 
A lot of business users (This was posted in the Business forum) want performance and scanning archives on a Mac can take a performance hit. WSAB will dynamically grab bad files as they're unzipped (Mac or Windows), so scanning zip files isn't always necessary. Exclusions can fix that, but the original question was around a PUA and I simply noticed a TimeMachine reference with the PUA.
 
Here's my Business Endpoint menu/screen, so it's definitely different. (This is from a site within a GSM.) However, the original question wasn't around scanning, it was related to a real/false PUA file, so my suggestion was and is to ignore these archives on a business machine.
 
My test environment (and daily Mac):
MacOS: Sierra 10.12
WSAB (Webroot SecureAnywhere Business) - 9.0.4.23
Menu doesn't have preferences - to get to details, use Advance Settings.
[screenshots]
Userlevel 3
Hi Everyone,
 
Thank you for all your help and insights. I have downloaded the latest version from my account, and reinstalled it, and it's STILL saying that it's the same version as before (9.0.4.23), and the check box still has nothing next to it. I think I need to raise a support ticket to solve this issue, as some machines on my network are now running Sierra and the article says we NEED to be running the later version, not the one we have available to download... (It downloads from http://anywhere.webrootcloudav.com/zerol/wsamac.dmg so I presume that would automatically be the latest version?)
 
I'll let you know how I get on.
 
Thanks,
Beckey | IT Manager, Helen Moore
Userlevel 6
Badge +26
? - that download link should be the latest version. If its not working, then reach out to support for sure.
 
One option you might try: uninstall WSAB and check to see if this folder is left behind. On the main computer hard drive, not the user account, go to "/Library/Application Support/Webroot" - kill this folder after uninstall if it's still there and then try a reinstall. It has a number of configurations and logs that may be accidentally left behind.
 
Hope that helps.
Userlevel 7
Badge +56
? here is the latest information on all WSA current releases: https://www.webroot.com/us/en/support/support-consumer-release-notes
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +56
Sorry here is the Business versions release notes: https://www.webroot.com/us/en/business/support/release-notes
Userlevel 3
Hmm, very confused here now. I have contacted support who tell me that 9.0.4.23 is the latest version even though the article on the link below states...
https://www5.nohold.net/Webroot/ukp.aspx?pid=12&app=vw&vw=1&login=1&json=1&solutionid=2587&
 
"Software agent versions below 9.0.2.45 will not update or operate correctly on macOS Sierra. Once you have updated Webroot SecureAnywhere Business Endpoint Protection accordingly, you may upgrade to macOS Sierra as normal."
 
This is what support said...
 
Hello,

Thank you for contacting Webroot Support.

Your machines are currently on the latest version for the Mac. The latest version is 9.0.4.23. When we release an update it takes up to 72 hours to apply to all machines globally.

Any new releases will update automatically when they are available and the Release Notes will be added to our website: https://www.webroot.com/us/en/business/support/release-notes

Thank you,

Kelly
Webroot Support
 
I have asked them to clarify. Will update further when I get a response.
 
In the meantime, I uninstalled Webroot and deleted the folder under Application Support as suggested, downloaded a fresh copy of Webroot, reinstalled, and the check box still has nothing written beside it (which support neglected to comment on...).
