Solved

Webroot Scan Frozen - Fix

  • 13 March 2015
  • 7 replies
  • 461 views

On our RDS servers, occasionally we get a report of a virus and go to do a follow-up scan and it will not move past 1%.  It is frozen at scanning for rootkits.  Sometimes we can't even cancel the scan.
 
My theory is that one of the instances (maybe even "System") has a dialogue box open that nobody is clicking on - perhaps a prompt to clean the infection.
 
I stumbled upon a quick, no-reboot fix.
 
1. Shut down Protection (a bit scary, but not as bad as having a frozen AV product!)
2. Kill all WRSA processes.
3. Restart the WRSVC
4. Scan away!

We use Labtech to make killing the processes and restarting the service a bit easier.  Also Process Explorer comes in handy to watch them all stop and restart.
 
Come to think of it, it is also possible that a -poll command sent in the background produced a dialogue box that nobody even sees to click on.
icon

Best answer by JohnnyS 13 March 2015, 16:28

View original

7 replies

Userlevel 7
Badge +56
Have you contacted support about this one yet?  They'll be able to scan your logs and confirm if your hypothesis is true.  And hopefully come up with a better fix than killing and restarting the processes.
I've read the other posts about frozen scans and seen the "Uninstall and Reinstall" and "Reboot" and other items that just won't work on an in-use server.
I just usually get cut-n-paste replies about any issue I do submit.  Just submitted about webroot thinking it doesn't have a connection, even though I can remote to it and the user browses and it was connected for a long time and other systems at the location connect fine and I turned the windows firewall off... and they pasted the whole "add these to your firewall allow list"  So I'm not very confident Support wants to help any.
Userlevel 7
Badge +56
Just reply to any of the stock answers with "I've already tried that and it didn't work" and then you'll get a real answer afterwards.  And if you can't get good help let me know and I'll get the ticket escalated.
Userlevel 5
My name is Johnny and I work with Webroot Enterprise Support. I believe the server's policy may not be configured with servers in mind. We recommend using the Recommended Server Defaults but if you configure your own please confirue it along these guidelines: 
 
Basic Configuration - Favor low disk usage over verbose logging - ON
Scan Schedule - Time - Choose a day and time that fits in with low disk io activity (i.e. every day at a specific time or only on weekends)
Scan Schedule - Hide the scan progress window during scheduled scans - OFF
Scan Settings - Scan archived files - OFF
Self Protection - Set to Minimum
Realtime Shield - Scan files when written or modified - OFF
 
Let me know if the policy is already configured this way I will need logs from the machine.
The only two we didn't have set as recommended are :
 
Scan Schedule - hide the scan progress window  - this is set to on because we don't want users getting all freaked out about a virus scan and we also don't want them canceling the scan when it pops up.  Yes, we have users on these servers 24/7.  So, would only the Admin have the scan window show or would all users see it?
 
Self Protection -self protection level -  this is a Server, so why would we want the security lower by having a minimal self-protection? 
 
I'm not refusing to set those, but I need a better explanation than "its recommended."
Userlevel 5
These settings are in place for servers beacuse of the required long uptime. The most common issue I see is our page file grow to max on servers where WSA's policy is not configured porperly.
 
I'm sorry that first setting was a type on my part it needs to be on (Hide the scan window during scheduled scans). 
 
 
Self protection is the agents self protection not he protection against malware. The reason for this is because each user that load a session will load a user process and thus load the elevate heuristcs for the self protection. This needs to be set to minimum. If it is not you may run into a large allocation of page file or loss of connection to the cloud. 
 
I am currently researching a case in which on workstations where "scan files when written or modified" is on and the machine is up for a long time it may gather a large page file causeing performace issues in WSA, the OS, and/or connection to the cloud. 
 
If you would like me to diagnose logs from this machine please run our log utility and PM me that it has been run with the email you used to submit them and I will check the repository.
Userlevel 5
Thank you for getting me the logs. What I see is issues with the Webroot user processes clearing. Correcting the policy will help with the but I would like to have you modify/add the following registry keys:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerSysProcs]
"wrsa.exe"=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl]
“WaitToKillAppTimeout”=”2000”
“AutoEndTasks”=hex:01

Reply