Webroot SecureAnywhere Discussion & Update Thread

Discussion in 'other anti-virus software' started by Triple Helix, Jun 6, 2014.

  1. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    You and everyone that are having problems could consider making a bug report to Webroot.

    Because of the way Webroot works, I view identity shield as a fundamental feature of Webroot, so making sure it works properly is highly important in my opinion.
     
  2. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    I think I figured it out. If the Webroot icon isn't displayed in the bottom right, and you click the tiny little arrow to display those running processes and services like sound, network icons etc., the browser window is no longer the active window so the lock doesn't show. But if you drag the webroot icon out of the drop down menu so you can see it when you're browsing, the lock is shown.

    To my original question, I was wondering if Identity Shield is still as effective even with Chrome now being more specific as to what hooks into it.
     
  3. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Everything is working as expected here
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Triple Helix -- reference your post #4398 above, whereat you provide a screenshot of WSA's Application Protection settings.

    There are 3 possible settings: Protect, Allow, Deny. The set-up mandates that there must always be TWO selections for each application. There are 3 possible pairings: Allow + Deny, Protect + Allow, Protect + Deny.

    Is there a knowledge base somewhere that explains these mysterious (to me) pairings of settings?
     
  5. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Maybe this will help: https://docs.webroot.com/us/en/home...cPath=Managing%20Identity%20Protection|_____2
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    For the ID Shield to Protect the Browser the focus must be in the foreground.

    Try this test: Open the browser full screen, then click anywhere within the browser window; it gets focus and the padlock shows. Click anywhere in the system tray and focus is lost and the padlock disappears, so it is not protected. Click back in the browser window and it gets focus again and is protected, with the padlock showing.
     
  7. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  8. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    It works exactly like you said. But now I'm curious if you have some malware on your system and your browser is closed or not in focus and it tries to grab a session cookie or something is Webroot blocking that? Or only when the browser window is open?
     
  9. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I'm not sure. But that brings up another question: with active malware (unknown to the Webroot Cloud Database), the other shields would kick in, like the Realtime Shield and the monitoring level, as there are many levels that would stop such things and still protect you. See this question I asked a Webroot Threat Expert about Emotet: https://community.webroot.com/tech-talk-7/live-blog-emotet-botnet-342164#post353620
     
  10. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    I guess if it can't connect out it wouldn't be able to transmit the data. The reason I asked that question was that there was an infected browser extension that was stealing Coinbase session cookies a month or so ago and I always wondered if Webroot would block something like that.
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Yes it would stop and block as I asked that question many years ago!

     
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It helped. Thanks!

    It seems that the white dots under Protect, Allow, Deny columns are "turn this off" indicators. Ergo, if an application is denoted by white dots in Allow & Deny, that means that the remaining, unselected radio button (Protect) is active. Correct?
     
    Last edited: Feb 21, 2020
  14. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    415
    Location:
    Belgium
    They're simple radio buttons. When you click a radio button, it becomes shaded and Active, i.e. turned on. If it is not shaded, it is Inactive, i.e. turned off.
     
  15. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    415
    Location:
    Belgium
    Here is a useful article I've found on Webroot's Identity Shield which, though old, still has lots of useful information about this powerful feature.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    When running my back-up computer, I re-activated my Webroot (WSA) subscription. My back-up computer is an older laptop with less RAM & a slower cpu than my new one. On that older laptop, I found that running WSA with all its shields activated makes my browser (it's Chrome) run slow & heavy. When I close WSA, the browser zips along just fine.

    Also, I run EXE Radar Pro (ERP), a stand-alone anti-exe program. Among other things, ERP is configured to alert the user any time an app tries to use rundll32.exe (a system dll often used by malware). Evidently WSA uses this dll MUCH more often than any of my other apps because ERP pops-up an alert every 20 seconds or so when I'm on the internet. Whitelisting WSA's action on ERP doesn't help because WSA uses a different PID every time it uses that dll. VERY annoying.

    Are there any settings I could change to reduce or eliminate these 2 issues?
     
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Last edited: Feb 24, 2020
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I also used Voodoo Shield (VS) for a while, w/o issues. VS is basically an anti-exe, as is EXE Radar Pro (ERP). However, ERP enables easy-to-do user designation of vulnerable exe's where the user wants to make the go/no-go decisions -- VS makes those decisions on its own. I like a little more control, which is 1 reason I prefer ERP to VS. Also, my primary anti-malware app is SecureAPlus (SAP). SAP has much less overlap with ERP than it does with VS.

    I do not have WSA monitoring anything under the tab you showed. All listed are "Allow."

    WSA doesn't add any discernible RAM load when I use Firefox (FF). Further, when I run FF, WSA doesn't cause ERP to repeatedly pop-up alerts about use of Rundll.exe. The RAM load & repeated alerts about Rundll.exe only occur when I run Chrome or 1 of its clones. This issue ceases when I disable WSA's Identity Protection shields. I think the probable reason for this situation is rather evident.
     
  19. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    415
    Location:
    Belgium
    Interesting.

    When you say "this issue ceases when I disable WSA's Identity Protection shields", are you referring to the Identity and Phishing Shields only, i.e. those listed in the Identity Protection tab of the Webroot GUI, or are you also referring to the Shields listed in the PC Security tab?

    Also, out of curiosity, what OS are you using on this older laptop?
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, just those 2 shields. I'm on Win7. Here is an example of WSA's commands that generate alerts by ERP:

    "C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc 3692
     
  21. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    415
    Location:
    Belgium
    Thanks! I asked out of curiosity. For any help on this matter, I would defer to TripleHelix or, better still, to Webroot Support.

    However, I personally would advise you to avoid Chrome and Chrome-based browsers on that machine with that particular setup as (and I'm sure you know this) the Identity Shields are an essential component of Webroot's malware protection strategy and therefore should not be disabled.
     
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    C:\Windows\System32\WRusr.dll

    or C:\Windows\SysWow64\WRusr.dll

    - This loads for user mode analysis. It's responsible for WRSA running as a user mode service. WRSA will be loaded equally proportionately to the number of user profiles that are loaded because of this file.
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    There is only 1 user on my back-up/Win7 computer -- that's me & I am always admin. WSA executes this command line each time there's a new tab and at other times as well. It's a real PITA to whitelist because it changes PID every time. I'm going to whitelist the command line with a wild card after "WRusr.dll," & see if that works.

    I wonder if this has something to do with Google fixing Chrome so a DLL cannot be injected. If so, MBAE evidently solved that problem with less impact than WSA's solution.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Addendum: So far the wild card *seems* to be working. So far.
     
    Last edited: Feb 26, 2020
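
Added example, not part of any post above and not EXE Radar Pro's rule syntax: a Python sketch comparing the trailing-wildcard rule described in post 23 with a stricter check that pins the rundll32 path, the WRusr.dll location, the SynProc export and a numeric-only PID. The paths come from posts 20 and 22; the function names and the last two sample lines are constructed for illustration.

```python
import ntpath
import re

# Values taken from the thread (post 20 for rundll32, post 22 for the DLL paths).
RUNDLL32_PATHS = {r"c:\windows\sysnative\rundll32.exe"}
WRUSR_PATHS = {r"c:\windows\system32\wrusr.dll", r"c:\windows\syswow64\wrusr.dll"}
EXPORT = "SynProc"

# Expected shape: "<host>" "<dll>",<export> <decimal pid> and nothing else.
SHAPE = re.compile(r'\s*"([^"]+)"\s+"([^"]+)",(\w+)\s+(\d{1,10})\s*')

def _norm(path):
    """Collapse '..' segments and compare case-insensitively, as Windows does."""
    return ntpath.normpath(path).lower()

def trailing_wildcard_rule(cmdline):
    """Loose rule from post 23: fixed text up to 'WRusr.dll",' then anything."""
    prefix = r'"c:\windows\sysnative\rundll32.exe" "c:\windows\system32\wrusr.dll",'
    return cmdline.lower().startswith(prefix)

def strict_rule(cmdline):
    """Only the PID may vary; host, DLL path and export must all match."""
    m = SHAPE.fullmatch(cmdline)
    if not m:
        return False
    host, dll, export, _pid = m.groups()
    return (_norm(host) in RUNDLL32_PATHS
            and _norm(dll) in WRUSR_PATHS
            and export == EXPORT)

BASE = r'"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",'
SAMPLES = {
    "post20": BASE + "SynProc 3692",        # command line quoted in post 20
    "new_pid": BASE + "SynProc 1044",       # constructed: same call, new PID
    "other_export": BASE + "Other 3692",    # constructed: different export name
    "extra_text": BASE + "SynProc 3692 x",  # constructed: trailing text after PID
}

def compare():
    """Return {sample name: (loose verdict, strict verdict)}."""
    return {k: (trailing_wildcard_rule(v), strict_rule(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:13} loose={verdicts[0]!s:5} strict={verdicts[1]}")
```

Both rules accept the changing PID, but only the strict one rejects lines that differ in anything other than the PID.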
  24. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    619
    I am experiencing a peculiar WSA problem that I have reported to Webroot Support (along with requested log files). Unfortunately, Webroot Support has not offered any solution to the problem.

    As detailed in my signature, I 'manage' 2 PC's (one running Win10, the other Win7), both running WSA 9.0.27.64 along with Shadow Defender 1.4.0.680. WSA continues to alert me to malware on my daughter's Win7 desktop, where it finds and quarantines atapi.sys (located in Windows\System32\Drivers). Since WSA does not report this issue on my Win10 laptop I submitted the suspected Win7's atapi.sys to VirusTotal, where it received a 'clean bill of health'. Based on VirusTotal's analysis, I assumed this WSA malware alert to be a false positive, so I restored atapi.sys from WSA's Quarantine, thereby allowing it in WSA's Block/Allow Files. However, even after my action to restore & allow atapi.sys (it is now listed as 'Allow' in WSA's Block/Allow Files) WSA continues to report Win7's atapi.sys as malware! o_O :confused:
     
    Last edited: Feb 27, 2020
  25. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Could be because of being in Shadow Mode? https://www.file.net/process/atapi.sys.html Just wait for a reply from Webroot support and keep up the dialogue. Also, can you post the MD5 hash of your Win7's atapi.sys file? You can check it here: http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx#md5
     