Solved

Why is Webroot punishing casual crypto mining?

  • 22 April 2021
  • 9 replies
  • 756 views

Support refuses to deal with the issue.

Webroot ignores the whitelist for NiceHash QuickMiner and it constantly kills the process and prevents installation even though it’s thoroughly whitelisted.

What’s the point of a whitelist that gets ignored because they want to punish casual crypto mining?


Best answer by dstokes1 27 April 2021, 23:27


9 replies

Userlevel 7

Glad you were able to contact support and have them resolve your issue :grinning:

Userlevel 3

Hello, just to follow up on this thread.  I was successfully able to get our crypto rig working with NiceHash Miner and Webroot SecureAnywhere.  After getting nowhere with their email support ticketing staff, I called the Webroot 866 US-based support telephone number and was able to speak with someone who could remote into my machine and see what I was seeing.  We created a new policy just for the crypto machine and assigned three sets of overrides to it (using a whole lot of "include subdirectories" and *.* masks) and eventually were able to get Webroot to stop deleting and blocking every attempt to run NHM.

It was especially tricky because NHM uses some additional .exe's to perform functionality like benchmark video cards (which Webroot also thinks is malicious activity), but once we got all of the "don't block this and don't block all of these other things either" filters in place, we were able to get it working.  So hopefully this is "case closed" for my particular issue, hopefully won't creep back up next time NHM does an update.  🤷😄

Userlevel 7

@msmith-442 @Intoxicus 

Hey All,

 

I’ve been mining using Windows and Webroot since 2016 at over 1GH/s across AMD and Nvidia on Windows 10 and 11. It absolutely can get annoying at times, especially when setting it up, but there is a way forward to mining without headaches.

 

Webroot will never whitelist even legitimate miner executables, because criminals when breaching a system/environment will use legitimate miner tools so our stance is to block them all - this is industry standard across the board in infosec, so you will have to manually allow the mining binaries.

 

My suggestions are to use nicehash quick miner or standalone binaries because that has the fewest executables that you will have to allow. If you want to use the full nicehash suite or any other miner programs that are not standalone and have a bunch of binaries built in then you will have to allow a bunch of binaries.

 

Please note the instructions below are for more advanced users

 

  1. Uninstall Webroot
  2. Delete C:\ProgramData\WRData folder
  3. Reboot
  4. Install your miners and get them working
  5. Reboot - make sure miners are not running
  6. Install Webroot - let the installation scan complete and find threats DO NOT REMOVE THEM
  7. Make sure to uncheck all the miner executables to ALLOW
  8. Click through for it to scan again and ALLOW any more until it comes back clean all green
  9. Start the miners - Expect a warning and block from Webroot on any more miners and click ALLOW - let it scan until it comes back clean all green.
  10. Reboot
  11. Start miners - Should be all good working, but repeat step 9 if needed. 

 

Now I highly recommend that you don’t auto update the miners unless you want headaches and want to do steps 8-11 every time. Most of these updates are fixing issues with certain brands of cards that aren’t hashing correctly or crash, so if you are running stable at good hashrate just leave it not updated until it doesn’t work at that same hashrate and are forced to update and then have to do steps 8-11 again. If you do want to have the miners auto update expect more than once a month if using a suite and once every 6 months if using quickhash or standalone.

 

If you REALLY want to have the miners auto update and Webroot not detect them as soon as they are updated you can always click on Webroot cog wheel “advanced settings” > shields > uncheck “check files for threats when written or modified”. This will allow you to have the miners update and still hash and only on a manual scan will you see the detections and you can ALLOW the new binaries. I can’t recommend this for normal users though since this would compromise your security to a degree. However, if this rig is just for mining and you want some protection on it, then that would be acceptable.

 

Let me know if there is anything else I can help with 
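An added example, not part of the original post and not Webroot or NiceHash code: because each miner update brings binaries that have to be allowed again, and a folder-wide allow rule trusts whatever lands in that folder, a hash baseline of the miner directory shows exactly which executables an update added or changed. The extension list, the use of SHA-256 and the file names are assumptions.

```python
import hashlib
import json
from pathlib import Path

# Extensions treated as executable content (assumption; extend as needed).
EXEC_SUFFIXES = {".exe", ".dll", ".sys"}


def snapshot(root):
    """Map each executable's path (relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXEC_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff(baseline, current):
    """Classify binaries as added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in current
                          if p in baseline and baseline[p] != current[p]),
    }


def check(root, baseline_file):
    """Compare root against a saved baseline; create the baseline if absent."""
    baseline_file = Path(baseline_file)
    current = snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        return {"added": [], "removed": [], "changed": []}
    return diff(json.loads(baseline_file.read_text()), current)


if __name__ == "__main__":
    import sys
    # Usage: python miner_manifest.py <miner_dir> <baseline.json>
    report = check(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run it once while the rig is in a known-good state to write the baseline, then again after an update; anything listed as added or changed that the update does not account for deserves a look before it is allowed.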

 

Userlevel 7

@TylerM  - Do you know if we’ve built a workaround for crypto mining software yet?

Userlevel 3

Wow, I’m having the same problem and just found your thread.  Webroot support has been infuriating to deal with.  Only way we were able to get our mining software installed was to completely disable Webroot.

10 months later your quote is still spot-on: “*Assuming all crypto mining is malware is anti consumer, compromises security overall, lowers the quality and value of your service, and leaves people wondering stuff like “Are A/V companies trying to stifle crypto.”*”

@Intoxicus Our intent is to not punish casual crypto-mining, but the heart of the issue is that cybercriminals are using the same miners in their operations and it gets further complicated by the fact that many of these miners are updated frequently.

In this case, although it appears on the surface that NiceHash is being blocked, it actually is not; there is a dynamic plug-in NiceHash loads to mine various cryptocurrencies that is the issue. An Override should work here, but will require constant updating probably on your part to keep up with dynamic plugins.

Well, the end result is what matters most and it feels like you guys are giving casual crypto miners a big middle finger.

Your tech support doesn't even understand what I am asking about and keeps giving me replies that are inappropriate and show they are not sufficiently competent. How is it they keep telling me to whitelist it when I’m telling them it is whitelisted and the whitelist isn’t working properly?

Maybe you need new tech support people that have basic reading comprehension? I’m not joking or exaggerating here. Very truly & literally it’s like they either did not read my emails, do not understand my emails, or are intentionally trolling me. Or maybe some of all three?

At best it’s lazy. Yes you can differentiate between malware and legitimate mining. Maybe you need to maybe, coordinate with the legitimate mining apps and put that work in? You should know just as well as I do that to use a miner as malware changes need to be made that an A/V absolutely can detect.

*Assuming all crypto mining is malware is anti consumer, compromises security overall, lowers the quality and value of your service, and leaves people wondering stuff like “Are A/V companies trying to stifle crypto.”*

I’m not paying Webroot for lazy service that makes everyone less secure at the end of the day.
Which is why I am going to find a new A/V unless Webroot makes corrections quickly.

Perhaps read this conversation in the screen cap and think about how Webroot is pushing away its user base….

https://github.com/nicehash/NiceHashQuickMiner/issues/438

 


Userlevel 7

@Intoxicus ,

This is a really good question. Since Support has not yet been able to resolve this with you, let me see if one of our product experts has any thoughts - @dstokes1 

Even though whitelisted and not actually malware Webroot wants to keep flagging NiceHash QuickMiner with false positives.
