very bad web shield problems

  • 29 November 2014

Ok so I installed webroot yesterday.
 
I observed web browsing was pretty slow and then today big problems hit.
 
I opened an IE session which is about 60 tabs.  Usually this would take a few seconds to load and settle down as it is a lot of tabs.  But bear in mind not all tabs get loaded, as many are left in background.
 
Anyway short story is windows completely became unresponsive, the spinning circle was barely moving, the mouse pointer could be moved but everything was effectively paused, clock stuck etc.  So was forced to hard reboot.
 
So I turned off the webshield completely (disabled all 4 options in advanced settings), and the problem was gone.
 
So with IE already running I decided to try one option at a time, and I observed when "detect and block malicious websites" is ticked simply clicking next or back on a google search page causes IE to stop responding for 3-4 seconds, after about 10 clicks the entire windows OS again started becoming laggy, even tho cpu resources were not saturated, very weird, never seen this on my rig before.  Luckily I could navigate the webroot UI and unticked the option, within 10 seconds it cleared itself up and IE was fast again, so now I have left it off.
 
My annoyance is tho the app is now displaying a warning triangle in the status page,
 
Also I have the following issues.
 
1 - webroot doesn't scan emails, how does it protect against email drive by viruses?
2 - webroot doesn't feel the need to scan emails yet wants a separate web scanner? is webroot good enough with this broken web shield disabled?
3 - how do I make webroot settings survive reboots? any changes I make in the settings are reset every reboot.
4 - in the active connections box, only lan addresses are shown, otherwise box is blank. this is normal?
5 - in the protection statistics box it is showing very high rates of activity, e.g. approx. 2000 registry events every second, seems crazy. is this normal for win7? trying to assess what these are, some are userassist registry entries but is others also, another is device/classes and it says its creating blank keys?
 
I left identity shield on.
 
In the UI it lists a lot of what identity protection does. Prevent MITM, man in browser attacks etc.
Are these still activated with the vague "detect and block malicious websites" disabled?
 
To be clear on this, we are not talking about a small performance hit, that option caused my entire OS to effectively freeze up.

10 replies

Userlevel 7
Badge +62
Hello chroluk,
 
Welcome to the Community,
 
I will try to answer most of these questions with the best solution that I am capable of since we are all Volunteers here trying to help.
 
#2- To change the WSA set to scan at boot time...
 
Open WSA
Click the Advanced Settings button at the upper right
Click on Scheduler 
 Check mark next to "Scan on Bootup if the computer is off at the scheduled time"
 
Review your schedule time, and either disable Scheduler or change the time for a time when the computer will be on, but the scan won't interfere with your usage.  (My own is set for 7 PM.  While I am usually using the computer at that time, that is OK as the scan is so fast it does not interfere anyway.)
 
#2- There is a Toolbar Fix you could try here Password Management Toolbar Fix Tool For PC:
http://download.webroot.com/toolbarfix.exe
 
 
#3- You could try a Clean reinstall:
 
Can you please do a clean reinstall of WSA and Please follow the steps closely!
 
  • Make sure you have a copy of your Keycode
  • KEEP the computer online for Uninstall and Reinstall to make sure it works correctly
  • Download a Copy Here (Best Buy Subscription PC users click HERE)
  • Uninstall WSA and Reboot
  • Install with the new installer, enter your Keycode and don't import any settings as you can set it up as you like once it's done
  • Let it finish its install scan
  • Reboot once again
#4- Webroot will stop viruses in their tracks when they become active. As here's a graphic display here. This is a great place to learn about things and WSA is an awesome piece of security software but most of the work is done in the WIN Cloud: http://www.brightcloud.com/platform/webroot-intelligence-network.php
 
 


 
Also I might need to ask my colleagues to assist in further assistance here such as @  @ @  where they can further answer these questions.
 
Not last but least you can issue a Support Ticket free of charge!
 
Sincerely.
 
Best Regards,
 
Userlevel 7
Badge +56
Hello @ and Welcome to the Webroot Community!
 
I see you posted the same here as you did over at Wilders! Have you tried a clean reinstall of WSA that Sherry mentioned? If not please do so and run it for a while also after a few scans can you Right Click on the Webroot Tray Icon and Choose Save a Scan Log and tell me approximately how many [u] files that you have in your scan log? If it's more than 20 then it's best to Submit a Support Ticket so that they can get those files Whitelisted and also they can check for any conflicts!
 
Example:
 
[u] c:\program files (x86)\burnaware premium\burnaware.exe [MD5: 09A0DB4CC06EC6620867135F82C7BED5] [Flags: 10081101.3646]
[u] c:\program files (x86)\burnaware premium\datadisc.exe [MD5: 5262423B6255B2141603CF58BA28856D] [Flags: 00081001.3637]
[u] c:\program files (x86)\burnaware premium\copydisc.exe [MD5: A76C94CDEAD6B8BB42081A4A2758D1FD] [Flags: 00081001.3652]
[u] c:\program files (x86)\burnaware premium\makeiso.exe [MD5: BEA1FC45A7C398A404FB258E6D7BB023] [Flags: 00081001.3638]
[u] c:\program files (x86)\adobe\reader 11.0\reader\plug_ins\ppklite.api [MD5: 410D8C52F2446D61FD6CAF6686BAC0AD] [Flags: 00000000.3696]

 
 
1. WSA doesn't waste its time scanning emails if you click on a bad link or attachment that's when WSA will react or if you save it and try to execute.
2. No see above.
3. Have you setup your Online Account? Webroot SecureAnywhere Online Account and go inside there and set it up here is the online help File: http://live.webrootanywhere.com/content/665/Editing-your-account-settings make sure it's all set for you to allow changes or set it up as Admin. if your PC does show up in there scan a couple more times and wait 30 to 45 minutes then click on the PC in question and make sure it's setup to User Configuration and if it is set it to something else and save and go back to User Configuration and Save do a scan then set it up as you like and the settings should stick during reboots.
4. It's normal for Windows 8, 8.1 and Win 10 Preview because Microsoft took the settings away in Windows 8 so any other AV or Firewall all they do is use the same API's so in this case WSA didn't because Windows 8 Firewall is great so why duplicate the same API's? Windows Firewall and WSA's firewall does give you full inbound and outbound protection as WSA uses a Smart Firewall so if an unknown infection tries to call out WSA will automatically Block the malware from calling out now Win 7 and older OS's yes you will see more from WSA's Firewall.
5. That is normal for any AV with the Real Time Shield.
6. Identity Shield does protect from all it says and make sure all browsers are under Protect you even can add other Web facing Apps to the ID Shield like Outlook and the other part is the Web Shield which protects you from Bad Websites and blocks them also when you do searches lets say Google it will give Website Reputations.
7. Since you are having big issues and if a clean reinstall doesn't help it's best to Submit a Support Ticket and they will get you sorted.
 
Thanks,
 
Daniel ;)
 


 

I will try these things tomorrow but I am finding new issues.

1 - exiting a full screen game the system gets very laggy temporarily, doesn't occur if I play the game in a window.
2 - on the eicar test files if I don't save them to disc and just run them, they are allowed to run or be opened in an app.  eicar.com actually causes windows to say this "windows has detected a critical problem and will restart in one minute"
3 - regarding email you are talking about attachments, I am talking about email malware that can infect just by viewing the email.
4 - my OS is windows seven.
5 - Also a windows system binary is being monitored c:windows/system32/lsm.exe
6 - webroot silently also undid some windows customizations, I had notepad2 replacing notepad which was silently undone and a custom DEP dll which I use to harden DEP protection was also silently disabled.  I would have appreciated prompts allowing me to exempt.

Will post back tomorrow with info from the scan.
Userlevel 7
Badge +56
In this case as I said at Wilders it's best to Contact Webroot Customer Service and they will get you on the right path and please let us know how things go!
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +56
@ wrote:
I will try these things tomorrow but I am finding new issues.

1 - exiting a full screen game the system gets very laggy temporarily, doesn't occur if I play the game in a window.
2 - on the eicar test files if I don't save them to disc and just run them, they are allowed to run or be opened in an app.  eicar.com actually causes windows to say this "windows has detected a critical problem and will restart in one minute"
3 - regarding email you are talking about attachments, I am talking about email malware that can infect just by viewing the email.
4 - my OS is windows seven.
5 - Also a windows system binary is being monitored c:windows/system32/lsm.exe
6 - webroot silently also undid some windows customizations, I had notepad2 replacing notepad which was silently undone and a custom DEP dll which I use to harden DEP protection was also silently disabled.  I would have appreciated prompts allowing me to exempt.

Will post back tomorrow with info from the scan.
I'm pretty sure some of the eicar test files are whitelisted as they are not actual threats but be sure if something comes along that's malicious WSA will jump on it please see this short Video:  https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202
 
Thanks,
 
Daniel 😉
I have so many I would have been counting all day 🙂 so uploaded it to a linux server so I could count with grep.
 
is 33248 [u] files in the scan.log.
 
This is when I discovered my password manager and ssh client (securecrt) also are slow loading.
 
So you want me to submit 32k files for analysis?
ok correction is 122 unknown files, I noticed the log also includes a lot of monitoring lines for programs etc. So I removed those and recounted.
is there a reason I cannot batch send the files for analysis or isn't automated?

I did 3 manually and 2 were listed as good, so why the [U] in log?
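
Added example, not part of any post in this thread: one way to count the distinct [u] files in a saved scan log, as requested above, and compare the result with the 20-file rule of thumb. The sample log is constructed (placeholder paths and hashes, and a made-up "Monitoring process" line); only the [u] line layout follows the example quoted earlier, and it is an assumption that the same file can appear on more than one line.

```shell
#!/bin/sh
# Count distinct [u] (unknown) files in a saved scan log.

# Constructed sample log: placeholder paths and hashes, hypothetical
# "Monitoring process" line. Only the "[u] path [MD5: ...] [Flags: ...]"
# layout is taken from the example quoted in the thread.
sample_log() {
cat <<'EOF'
Monitoring process c:\example\app\tool.exe [MD5: 00000000000000000000000000000001]
[u] c:\example\app\tool.exe [MD5: 00000000000000000000000000000001] [Flags: 00081001.3637]
[u] c:\example\app\helper.exe [MD5: 00000000000000000000000000000002] [Flags: 00081001.3638]
[u] c:\example\app\tool.exe [MD5: 00000000000000000000000000000001] [Flags: 00081001.3637]
EOF
}

# Print one "MD5<TAB>path" row per distinct hash, looking only at lines
# that START with "[u] " so other log lines mentioning a file are ignored.
unknown_files() {
    awk '
        /^\[u\] / && match($0, /\[MD5: [0-9A-Fa-f]+\]/) {
            md5  = substr($0, RSTART + 6, RLENGTH - 7)   # text between "[MD5: " and "]"
            path = substr($0, 5, RSTART - 6)             # text between "[u] " and " [MD5"
            if (!(md5 in seen)) { seen[md5] = 1; print md5 "\t" path }
        }
    ' "$@"
}

# Number of distinct unknown files (reads the named log files, or stdin).
count_unknown() { unknown_files "$@" | wc -l | tr -d ' '; }

# Rule of thumb given in the thread: more than 20 [u] files means
# it is time to submit a support ticket.
needs_ticket() { [ "$(count_unknown "$@")" -gt 20 ]; }

# Demo on the constructed sample; for a real log run: count_unknown scan.log
sample_log | unknown_files
echo "distinct [u] files: $(sample_log | count_unknown)"
if sample_log | needs_ticket; then
    echo "more than 20 unknown files: submit a support ticket"
else
    echo "20 or fewer unknown files"
fi
```
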
Userlevel 7
Badge +56
When you contact support a scan log is automatically uploaded so they can help you so in this case of 122 [u] files they will whitelist them also you can ask them why WSA is affecting your other hardening settings so have you contacted support? If not please do so. Webroot Customer Service Just do as we tell you as you can't whitelist them yourself support has access to do that we only make the suggestions so don't mess around with the programs!
 
Thanks,
 
Daniel 😉
ok a quick update.
 
On this pc I have uninstalled webroot as there were other issues as well, but I will be testing it on another pc to try and see if that has same issue and if I can work around them, the other pc is a clean installation on windows 8.1
 
I did submit half a dozen files or so via the web form, that form showed tho it is on other pc's so webroot should already be analysing these files?
 
A lot of the files with (U) next to name (mostly ones in system32) were already classified when I submitted them so I stopped submitting the ones in the system32 folder.

Also I discovered it wasn't all entirely down to webroot the slowdowns with IE, it seems the EAF+ protection in EMET 5.1 was partially to blame as well (I upgraded EMET from 4 to 5 just before installing webroot).
