We have a legacy VMware ThinApp virtualised application which has been working until quite recently, i.e. just in the last day or so. Users are experiencing app crashes when launching the virtualised app.
We have found that removing the Webroot client from a sample computer eliminates the symptoms of the application crashing and therefore we believe that the Webroot client is interfering with execution.
We have added Global Whitelist entries for the Application executable and for the UNC from where the Application executable is run and streamed, but this has not resolved the issue.
I suspect that somehow the Webroot client is interfering with the data streaming process upon which the ThinApp virtualisation framework depends.
This affected application is business critical, so I need to find a way to correct this behaviour, or we will be forced to abandon Webroot in favour of an alternative AV solution for all affected users.
I have raised a Support ticket today and am currently awaiting a response.
Any ideas how we might be able to actively prevent the Webroot Client from scanning data that is streamed (or executed) from a UNC, beyond Global Whitelisting which evidently is not working for us?
Best answer by robertellis991
We have a resolution, although it required 2 support engagements each lasting 2+ hours. Ultimately this issue cost us critical application availability over more than 2 business days, so we are somewhat perturbed but also relieved to seemingly have found the issue.
As I understand it (I wasn’t on the 2nd support call this evening) two “new” WR services, known as WR Sky and WR Core, had effectively blacklisted the relevant executable file. Once this was whitelisted on the backend, the problem was fixed.
This executable is not new or recently modified. It has been scanned and seen by our Webroot clients across all our desktops for months on end without incident. If the file were newly-discovered or modified, I’d be more understanding of this kind of “false positive”; but as it is, this looks like an arbitrary determination, which is, in my view, really quite concerning; especially given that no alerts or notifications were generated. If these “new” services aren’t capable of referencing previously-acquired business intelligence, it may lead to real trouble for customers. Not the end of the world of course, but I’d say our confidence is a little shaken.
So overall… an OK support experience. Problem seems to be resolved. But certainly we have something to ponder when deciding upon our next renewal, which perhaps we didn’t have before.
Kind Regards to all.