My theory is that one of the instances (maybe even "System") has a dialogue box open that nobody is clicking on - perhaps a prompt to clean the infection.
I stumbled upon a quick, no-reboot fix.
1. Shut down Protection (a bit scary, but not as bad as having a frozen AV product!)
2. Kill all WRSA processes.
3. Restart the WRSVC
4. Scan away!
We use Labtech to make killing the processes and restarting the service a bit easier. Also Process Explorer comes in handy to watch them all stop and restart.
Come to think of it, it is also possible that a -poll command sent in the background produced a dialogue box that nobody even sees to click on.
Best answer by JohnnyS
I just usually get cut-n-paste replies about any issue I do submit. Just submitted about Webroot thinking it doesn't have a connection, even though I can remote to it and the user browses and it was connected for a long time and other systems at the location connect fine and I turned the Windows firewall off... and they pasted the whole "add these to your firewall allow list". So I'm not very confident Support wants to help any.
Basic Configuration - Favor low disk usage over verbose logging - ON
Scan Schedule - Time - Choose a day and time that fits in with low disk io activity (i.e. every day at a specific time or only on weekends)
Scan Schedule - Hide the scan progress window during scheduled scans - OFF
Scan Settings - Scan archived files - OFF
Self Protection - Set to Minimum
Realtime Shield - Scan files when written or modified - OFF
Let me know if the policy is already configured this way; I will need logs from the machine.
Scan Schedule - hide the scan progress window - this is set to on because we don't want users getting all freaked out about a virus scan and we also don't want them canceling the scan when it pops up. Yes, we have users on these servers 24/7. So, would only the Admin have the scan window show or would all users see it?
Self Protection - self protection level - this is a Server, so why would we want the security lower by having a minimal self-protection?
I'm not refusing to set those, but I need a better explanation than "it's recommended."
I'm sorry, that first setting was a typo on my part; it needs to be on (Hide the scan window during scheduled scans).
Self protection is the agent's self protection, not the protection against malware. The reason for this is because each user that loads a session will load a user process and thus load the elevated heuristics for the self protection. This needs to be set to minimum. If it is not, you may run into a large allocation of page file or loss of connection to the cloud.
I am currently researching a case in which, on workstations where "scan files when written or modified" is on and the machine is up for a long time, it may gather a large page file, causing performance issues in WSA, the OS, and/or connection to the cloud.
If you would like me to diagnose logs from this machine please run our log utility and PM me that it has been run with the email you used to submit them and I will check the repository.