Option 1: Restore Point
If you are running in an Active Directory environment and have recent restore points for the affected machines, it is recommend to create a script to roll these machines back to a time prior to the issue.
Option 2: Access to Client (Agents MUST be in an unmanaged policy for this option)
If you can access the affected client machines and launch the Webroot GUI then restore the files from quarantine on the clients. This should restore the machine to a state prior to the issue.
For detailed steps on how to move a machine to an unmanaged policy to restore the files, click here.
Option 3: Access to client & reboot to safe mode w/ Networking
If access to the affected client is not possible because it cannot boot, try booting in Safe Mode with networking. If this is successful open the Webroot GUI and restore the files from quarantine. This should restore the machine to a state prior to the issue.
Option 4: Agent Commands via Console
Finally, you can issue agent commands from the Console
- Sign into the Webroot console at: https://my.webrootanywhere.com/default.aspx
- Click the "Group Management" tab and then select Agent Commands> Files and Processes > Reverify All Files and Processes.
- Go to “Endpoint protection”, then click the “Status” tab.
- Click the red text "View" under "Blocked Programs".
- This list will show all files found by Webroot for the endpoint, for any files that have the malware group "Uncategorized File" or "Whitelisted File" click the checkbox next to the file, then click "Create Override" followed by "Restore from quarantine".
- After creating overrides and restoring the false positive detections, click the "Group Management" tab and then select Agent Commands> Files and Processes > Reverify All Files and Processes, followed by the scan command.
- Click the "Group Management" tab, select all the endpoints with this detection. Click Agent Commands> Agent > Scan.