False report on Mac OS Sierra?

  • 26 October 2016
  • 30 replies
  • 247 views

Userlevel 3
Hi,
 
We are receiving reports from Webroot of a detection that I am not sure is true... How do I know if it is a false positive?
 
The report log is below:-
 
Automated Cleanup Engine
Starting Cleanup at 2016-Oct-26 11:40:30
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
Automated Cleanup Engine
Starting Cleanup at 2016-Oct-26 14:52:31
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

30 replies

Userlevel 7
Badge +62
Hi Beckey!
 
Great news! Thank you so much for letting us know!
 
 
Have a great day!:D
Userlevel 3
It's fixed! Whoop Whoop!
 
I had this from support and it worked!
 
Below are manual uninstall instructions. Please be aware that the following instructions must be followed exactly as any mistakes can cause negative effects on the machine.

1. Open Terminal and write: sudo su -

2. Click Enter and then type your password when prompted.

3. Paste in the following:

sudo /usr/local/bin/WSDaemon -u 

4. This will remove Webroot from your Mac machine.

5. Please reboot your machine.

6. Reinstall Webroot.
 
Thank you to everyone that has helped and advised on this issue. Much appreciated :womanvery-happy:
 
Cheers,
Beckey | IT Manager - Helen Moore
Userlevel 3
Just to point out, I've had complete number dyslexia regarding the version number. Have been looking at the end one and not the second number from the right. Doh! But am still hoping that support can sort out the weird missing text for me...!
Userlevel 3
Thank you coscooper. Much appreciated.
Userlevel 6
Badge +26
? - I'll mention the specific situation to support as it does sound odd and/or isolated. I've checked tickets and haven't seen any other UI oddities mentioned. (PS.. my MBP is running Sierra, 10.12, WSAB 9.0.4.23 and it appears fine. It was an in-place upgrade just like anyone in the field and nothing odd is presenting.)
Userlevel 3
Hmm, very confused here now. I have contacted support who tell me that 9.0.4.23 is the latest version even though the article on the link below states...
https://www5.nohold.net/Webroot/ukp.aspx?pid=12&app=vw&vw=1&login=1&json=1&solutionid=2587&
 
"Software agent versions below 9.0.2.45 will not update or operate correctly on macOS Sierra. Once you have updated Webroot SecureAnywhere Business Endpoint Protection accordingly, you may upgrade to macOS Sierra as normal."
 
This is what support said...
 
Hello,

Thank you for contacting Webroot Support.

Your machines are currently on the latest version for the Mac. The latest version is 9.0.4.23. When we release an update it takes up to 72 hours to apply to all machines globally.

Any new releases will update automatically when they are available and the Release Notes will be added to our website: https://www.webroot.com/us/en/business/support/release-notes

Thank you,

Kelly
Webroot Support
 
I have asked them to clarify. Will update further when I get a response.
 
In the meantime, I uninstalled Webroot and deleted the folder under Application Support as suggested, downloaded a fresh copy of Webroot, reinstalled, and the check box still has nothing written beside it, (which support neglected to comment on...)
Userlevel 7
Badge +56
Sorry here is the Business versions release notes: https://www.webroot.com/us/en/business/support/release-notes
Userlevel 7
Badge +56
? here is the latest information on all WSA current releases: https://www.webroot.com/us/en/support/support-consumer-release-notes
 
Thanks,
 
Daniel 😉
Userlevel 6
Badge +26
? - that download link should be the latest version. If it's not working, then reach out to support for sure.
 
One option you might try, uninstall WSAB and check to see if this folder is left behind. Main computer hard drive, not user account - GOTO "/Library/Application Support/Webroot" - kill this folder after uninstall if it's still there and then try a reinstall. It has a number of configurations and logs that may be accidentally left behind.
 
Hope that helps.
Userlevel 3
Hi Everyone,
 
Thank you for all your help and insights. I have downloaded the latest version from my account, and reinstalled it, and it's STILL saying that it's the same version as before (9.0.4.23), and the check box still has nothing next to it. I think I need to raise a support ticket to solve this issue, as some machines on my network are now running Sierra and the article says we NEED to be running the later version, not the one we have available to download... (It downloads from http://anywhere.webrootcloudav.com/zerol/wsamac.dmg so I presume that would automatically be the latest version?)
 
I'll let you know how I get on.
 
Thanks,
Beckey | IT Manager, Helen Moore
Userlevel 6
Badge +26
All - something doesn't look right with a few of the screens I've seen and I'd definitely update or reinstall if menu fields are NOT presenting properly. Definitely open a support ticket so they can track this metric for getting it fixed if there's an issue.
 
Turning off scanning archives was a suggestion for Time Machine and I personally do not scan ZIP files because I don't want WSAB to spend a lot of time dealing with the high number of zip files on my machine and to be frank, I do have/store known bad PUAs and other files on my personal system. (Hey... I work for Webroot and we all have bad stuff we keep around for testing.8-)
 
A lot of business users (This was posted in the Business forum) want performance and scanning archives on a Mac can take a performance hit. WSAB will dynamically grab bad files as they're unzipped (Mac or Windows), so scanning zip files isn't always necessary. Exclusions can fix that, but the original question was around a PUA and I simply noticed a TimeMachine reference with the PUA.
 
Here's my Business Endpoint menu/screen, so it's definitely different. (This is from a site within a GSM) However, the original question wasn't around scanning, it was related to real/false PUA file, so my suggestion was and is to ignore these archives on a business machine.
 
My test environment (and daily Mac):
MacOS: Sierra 10.12
WSAB (Webroot SecureAnywhere Business) - 9.0.4.23
Menu doesn't have preferences - to get to details, use Advance Settings.
Userlevel 7
Badge +62
Hi again Beckey,
 
May I ask that you let us know how things are going? I am curious to know what the outcome is when you have a chance.
 
Thank you so much!
Userlevel 7
Badge +62
Hi Beckey.

 Please submit a support ticket just to be safe. You could try reinstalling if you want to try that first.

Thanks
Userlevel 3
I've just looked at the mac instructions from the link posted earlier and run the update as we have an earlier version than suggested. So I ran the update as per the instructions but it says we have the latest version?!? I think I may uninstall and reinstall from a new download...
 
?
Userlevel 3
Also, I think i'd keep the archived files checked as I like zip files to be scanned... just in case!
Userlevel 3
I have the same version installed on 8 macs and they all have that bit missing... Just a check box with no writing...
Userlevel 7
Badge +62
Another thing that should be looked at and that's this article here:
https://www5.nohold.net/Webroot/ukp.aspx?pid=12&app=vw&vw=1&login=1&json=1&solutionid=2587&
 
Userlevel 7
Badge +62
@ wrote:
This is not right in the OP's picture compared to yours. GUI Issue? Version issue? Maybe @ can tell us!
 
?
I see that and this is very strange to me. Seems like something is missing doesn't it? Maybe a reinstall would fix this? Not sure.
Userlevel 7
Badge +56
This is not right in the OP's picture compared to yours. GUI Issue? Version issue? Maybe ? can tell us!
 
?
Userlevel 7
Badge +62
Yes the Business is different:
This is what the GUI looks like here and I would have my setting set like this below.
http://d3hj48gy07tbjf.cloudfront.net/LIVEIMGS/00-F-consumer/macagent/scansettingspanelfeb.png
 
 
Userlevel 7
Badge +56
Look at both pictures posted!
Userlevel 7
Badge +62
@ wrote:
@ would your suggestions impact system performance in a Business environment you think? Just wondering as you know I'm not a Mac user.
 
Thanks,
 
Daniel ;)
Sorry Daniel I am not sure about the Business side of Webroot. It is possible that scanning the archives could slow down performance. It would be best to ask Support IMO. It doesn't hurt to uncheck scanning of archived files and see how it works.
Edit: This is what I see in the Business version of Webroot. http://live.webrootanywhere.com/content/553/Changing-Scan-Settings
Userlevel 7
Badge +56
Sherry can you look at my edit and see my questions.
Userlevel 7
Badge +62
Hello again Becky,
 
I am not familiar with the Business version but here is some information concerning the Time Machine.
 
Please go into the Mac scan settings and uncheck Scan Mounted drives. Otherwise it will take forever to complete.
 
Here is the Mac User Guide for more information. The Mac Business Guide
 
Have a look at this THREAD
 
And here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/How-long-does-it-take-to-scan-350-G...
 
 
In some cases, Webroot will detect a threat that is located on your backup, such as Time Machine. If the files are in the backup, then they cannot hurt your system. You would have to restore the files from the backup to get them on the system, and at that point the Real Time Shield in Webroot would find and remove them. Even though Webroot cannot remove these files, as space for newer backups is needed the older backups will be deleted. This will delete the threats from the backup as well.

We recommend if Webroot continues to detect these files that you uncheck the box next to them on the removal page. This will tell Webroot to ignore the files in their current location.

If you would like to remove these files manually from the backup in Time Machine, you can use the following steps:

Note: This action is permanent, and will impact all past backups on the given Time Machine drive, even backups from the distant archives on that drive. For this reason, be absolutely certain you want to remove an item before deleting it, otherwise you may end up missing data you would have wanted to keep.

1. Open the backup manager by pulling down Time Machine menu item and selecting, “Enter into Time Machine.”
2. Navigate to the directory location of the files/folders you want to remove.
3. Right-click on the folder or file you want to remove and select “Delete all backups of [File Name].”
4. Confirm the removal.

As the process is the same whether you are deleting the backup of a file or an entire folder, please be careful to only select the items you wish to delete. You cannot recover these files.

Another option available to Time Machine users is to exclude the files and folders from being backed up by the Time Machine. You can add them to the exclusion list which will permanently block the files/folders from being backed up in the future. By doing this, the infected file will eventually be deleted from the backup over time and prevent it from ever getting re-introduced to the drive should it be installed on the computer again.
 
Hope this helps.
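As an added example (not code from this thread or from Webroot), here is a small Python triage helper for the Automated Cleanup Engine log quoted in the original post, applying the point above that a detection inside a Time Machine backup is inert until restored. It parses the "Detected" lines, flags backup-resident paths and the all-zero MD5 (a placeholder, not a real digest, so there is nothing to look up), and maps the backup path back to the live file so an admin can hash the live copy. The Time Machine and installer-sandbox directory layouts are assumptions inferred from the paths in the log.

```python
import re
from hashlib import md5
from pathlib import Path

# Two "Detected" lines copied from the log in the original post.
SAMPLE_LOG = """Automated Cleanup Engine
Starting Cleanup at 2016-Oct-26 11:40:30
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
"""

# Detection line format as it appears in the log (assumption: stable beyond the lines shown).
DETECT_RE = re.compile(
    r'Detected (?P<path>.+?) \[Name: "(?P<name>[^"]+)", MD5: (?P<md5>[0-9a-fA-F]{32})\]'
)
# Assumed Time Machine layout: /Volumes/<disk>/Backups.backupdb/<host>/<snapshot>/<volume>/<live path>
TM_RE = re.compile(r'^/Volumes/[^/]+/Backups\.backupdb/[^/]+/[^/]+/[^/]+(?P<rest>/.*)$')
# Assumed installer staging layout: files under <uuid>.sandbox/Root/ mirror the live root.
SANDBOX_RE = re.compile(r'\.PKInstallSandboxManager[^/]*/[^/]+\.sandbox/Root(?P<rest>/.*)$')


def parse_detections(log_text):
    """Return one dict (path, name, md5) per 'Detected' line in the log."""
    return [m.groupdict() for m in DETECT_RE.finditer(log_text)]


def live_path(path):
    """Map a Time Machine copy (or an installer-sandbox copy inside it) to the live path, else None."""
    m = TM_RE.match(path)
    if not m:
        return None
    rest = m.group("rest")
    s = SANDBOX_RE.search(rest)
    return s.group("rest") if s else rest


def triage(det):
    """Flags that argue for treating a detection as low-risk or unverified."""
    return {
        "in_backup": "/Backups.backupdb/" in det["path"],  # inert until restored
        "null_md5": set(det["md5"]) == {"0"},              # placeholder hash, nothing to look up
        "live_path": live_path(det["path"]),               # what actually runs on the machine
    }


def md5_of_live_copy(det):
    """MD5 of the live file (None if absent) to compare against the placeholder the scanner logged."""
    p = Path(live_path(det["path"]) or det["path"])
    return md5(p.read_bytes()).hexdigest() if p.is_file() else None
```

Run `triage()` over each parsed detection: a hit that is both in the backup and has a null MD5 is a candidate for the "uncheck the box on the removal page" route above rather than for deleting backups.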
Userlevel 7
Badge +56
? would your suggestions impact system performance in a Business environment you think? Just wondering as you know I'm not a Mac user. Also your and the OP's pictures don't match? Could it be the version? GUI issue in the Business version?
 
Thanks,
 
Daniel 😉
