Knowledge Base

How to correct a False Positive

  • 10 April 2018
  • 7 replies
  • 1713 views

Userlevel 7
Badge +36
If Webroot SecureAnywhere has incorrectly detected a legitimate file as malicious and quarantined it (a false positive), a business admin has several options for reversing the detection and restoring the quarantined files.
 
Option 1: System Restore point

If you are running in an Active Directory environment and have recent System Restore points for the affected machines, the recommended approach is to script a rollback of those machines to a restore point taken before the detection occurred. Note that System Restore rolls back system files, installed programs and registry changes made since that point, not just the quarantined files, so confirm the cutoff time before running it fleet-wide.
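The rollback script that Option 1 describes, as an added example written for this page rather than code from the Webroot article. It selects, per endpoint, the newest System Restore point created before the detection started and rolls the endpoint back to it, reporting only (dry run) unless -DoRestore is given. It assumes Windows PowerShell 5.1 with the ActiveDirectory module on the admin host (Get-ComputerRestorePoint and Restore-Computer are not available in PowerShell 7), PowerShell remoting enabled on the targets, System Restore enabled on them, and an account with local admin rights there; the OU and the incident time are placeholders.

```powershell
# Added example, not code from the Webroot article. Picks, per endpoint, the newest
# System Restore point created before the false-positive detection started and rolls
# the endpoint back to it. Assumptions: Windows PowerShell 5.1 + ActiveDirectory module
# on the admin host, PowerShell remoting and System Restore enabled on the targets,
# local admin rights there. The OU and cutoff time below are placeholders.

param(
    [datetime]$IncidentStart = (Get-Date '2018-04-09 14:00'),      # placeholder: when the bad detection began
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',     # placeholder OU of affected machines
    [switch]$DoRestore                                             # omit for a dry run that only reports
)

Import-Module ActiveDirectory
$targets = (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase).DNSHostName

$results = Invoke-Command -ComputerName $targets -ErrorAction Continue `
    -ArgumentList $IncidentStart, $DoRestore.IsPresent -ScriptBlock {
    param([datetime]$cutoff, [bool]$restore)

    # CreationTime is a WMI (DMTF) timestamp string, so convert it before comparing.
    $points = Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            SequenceNumber = $_.SequenceNumber
            Description    = $_.Description
            Created        = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        }
    }

    # Newest point that predates the incident; any later point may already contain the damage.
    $candidate = $points | Where-Object { $_.Created -lt $cutoff } |
        Sort-Object Created -Descending | Select-Object -First 1

    if (-not $candidate) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Action = 'NoPointBeforeCutoff'; Point = $null; Created = $null }
    }

    if ($restore) {
        # Restore-Computer restarts the endpoint, so the remote session ends here.
        Restore-Computer -RestorePoint $candidate.SequenceNumber -Confirm:$false
        $action = 'RestoreStarted'
    } else {
        $action = 'WouldRestore'
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Action = $action; Point = $candidate.SequenceNumber; Created = $candidate.Created }
}

$results | Sort-Object Computer | Format-Table Computer, Action, Point, Created -AutoSize
```

Run it once without -DoRestore and read the Action column: endpoints reporting NoPointBeforeCutoff have no usable restore point and need one of the other options on this page.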
 
Option 2: Access to the client (agents MUST be in an unmanaged policy for this option)

If you can access the affected client machines and launch the Webroot GUI, restore the files from quarantine on each client. This returns the machine to its state before the detection.

For detailed steps on moving a machine to an unmanaged policy so the files can be restored locally, click here.
   
Option 3: Access to the client via Safe Mode with Networking

If the affected client cannot be accessed normally because it will not boot, try booting it into Safe Mode with Networking. If that succeeds, open the Webroot GUI and restore the files from quarantine. This returns the machine to its state before the detection.
 
Option 4: Agent Commands via the Console

Finally, you can issue agent commands from the console:
 
  1. Sign in to the Webroot console at: https://my.webrootanywhere.com/default.aspx
  2. Click the "Group Management" tab, then select Agent Commands > Files and Processes > Reverify All Files and Processes.
  3. Go to "Endpoint Protection", then click the "Status" tab.
  4. Click the red "View" link under "Blocked Programs".
  5. This list shows all files Webroot found on the endpoint. For each file whose malware group is "Uncategorized File" or "Whitelisted File", tick the checkbox next to it, click "Create Override", then click "Restore from quarantine". Before overriding, confirm the file really is legitimate (known publisher signature, hash matching a known-good build); an override tells the agents to allow that file from then on.
  6. After creating the overrides and restoring the false-positive detections, click the "Group Management" tab and select Agent Commands > Files and Processes > Reverify All Files and Processes.
  7. On the "Group Management" tab, select all endpoints that had this detection, then click Agent Commands > Agent Scan.


7 replies

Badge +1
A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected. In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE (unsolicited bulk email), as junk email is more formally known.
@LLiddell

Lara, the Category assigned to this article (Community > Webroot SecureAnywhere - Antivirus) confused me. I thought from the Category that this concerns Home Users but the content reveals that it is for Business Users.

Also, I searched in the KnowledgeBase Category, but could not find this article anywhere. However, I found several other KnowledgeBase articles that have been assigned to the KnowledgeBase > Home Users section but are in fact Business related articles.

It seems that some cleaning up in terms of categories assigned is necessary, if only to avoid future confusion.
Userlevel 7
Badge +36
The knowledge base is still under construction. We have to reformat some 60% of the articles due to the migration causing formatting errors. This will be brought over into that section soon.
Userlevel 7
Badge +28
Something this knowledge base article doesn't cover is what happens if your endpoint's Ovr.db file isn't updating. The Ovr.db file is the database file on your endpoint that holds the overrides you create in the Endpoint Protection Console. I recently discovered this file not updating across most of my infrastructure. There were a few solutions to get it to update:

  1. Refreshing the configuration worked, but with a small success ratio.
  2. Running a scan on the endpoint in unmanaged mode sometimes worked.
  3. For the endpoints with the oldest Ovr.db files, I had to uninstall Webroot, restart the endpoint, delete all folders and files associated with Webroot, and reinstall Webroot.
Even after all those possible solutions, my endpoints won't keep their Ovr.db files up-to-date. However, they got me up-to-date enough to include the override I needed added. However, this is an apparent issue in the Webroot software since most of my infrastructure stays out-of-date.

Yes, I opened a support ticket, so they are aware of the issue. I'm including it here in case someone else is having the same issue. Here's a link to my original post if anyone wants to read about what I was experiencing.
https://community.webroot.com/got-a-question-10/override-database-not-updating-336658

@LLiddell, good luck getting the knowledge base moved over and properly formatted. I know how much of a pain that can be and I don't envy you. Try not to have too much fun!
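A fleet-wide check for the stale-override situation the post above describes, as an added example that is not part of the post or of Webroot's own tooling. It reports each endpoint's Ovr.db last-write time and flags copies that predate your newest console override. It assumes PowerShell remoting works to the targets, looks for Ovr.db under $env:ProgramData\WRData (an assumed location; verify it on one endpoint and pass -OvrPath if yours differs), and uses a placeholder override timestamp.

```powershell
# Added example, not code from the post or from Webroot. Reports each endpoint's
# override database (Ovr.db) last-write time so copies older than your newest console
# override stand out. Assumptions: PowerShell remoting works to the targets; the
# Ovr.db path below is an assumed default (verify on one endpoint first); the
# NewestOverride timestamp is a placeholder for when you created your last override.

param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [datetime]$NewestOverride = (Get-Date '2018-04-10 09:00'),          # placeholder
    [string]$OvrPath = (Join-Path $env:ProgramData 'WRData\Ovr.db')     # assumed location
)

$report = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue `
    -ArgumentList $OvrPath -ScriptBlock {
    param([string]$path)
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $lastWrite = $null; $size = $null
    if ($file) { $lastWrite = $file.LastWriteTime; $size = $file.Length }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Present   = [bool]$file
        LastWrite = $lastWrite
        SizeBytes = $size
    }
}

# MISSING = no file at the path, STALE = older than the newest override, CURRENT otherwise.
$classified = foreach ($r in $report) {
    $status = if (-not $r.Present) { 'MISSING' }
              elseif ($r.LastWrite -lt $NewestOverride) { 'STALE' }
              else { 'CURRENT' }
    [pscustomobject]@{ Computer = $r.Computer; Status = $status; LastWrite = $r.LastWrite; SizeBytes = $r.SizeBytes }
}

$classified | Sort-Object Status, Computer | Format-Table -AutoSize
```

Endpoints listed as STALE are the ones to try the refresh, unmanaged scan or reinstall on; re-run the script afterwards to confirm the file actually moved forward rather than trusting the console's view alone.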
Userlevel 7
Badge +36
That's really good feedback, thank you! We should be able to implement this, but I have to run it by a couple people first.
Userlevel 7
Badge +28
No problem, might as well put my experiences to use helping others. Let me know if you need any info.
The knowledge base is still under construction.
OK. Work in progress ☺️