Endpoint Protection User Guide
Contents
1. [Endpoint Protection Administrator Guide] Implementing policies. When you first configured Endpoint Protection, you selected one of its default policies. A policy defines the SecureAnywhere settings on endpoints, such as the scan schedule and shielding behavior. You can continue to use your selected default policy, or you can define more policies and assign them to endpoints. For example, you might want to give system administrators more control than you would other employees. In that case, you could create a new policy for administrators and keep everyone else on the default policy. To begin implementing policies, follow these steps: 1. Decide if you want to keep using your default policy. All policies appear in the Policy tab. Your default policy is indicated by a gray arrow on the far left (see the highlighted row in the following example). Double-click on your default policy name to open the settings. (You cannot see any settings for the Unmanaged policy, because that policy specifies that endpoint users have control, not the administrator.) You can then review the SecureAnywhere settings and determine if the default policy meets your business requirements. If not, you need to create a new policy; you cannot modify the Webroot defaults.
2. Selecting a default policy during configuration. The Setup Wizard prompts you to select a default policy for new SecureAnywhere installations on endpoints. A policy defines the SecureAnywhere settings, including how the program scans for threats and manages detected items. The Setup Wizard provides the following default policies: • Recommended Defaults: Provides our recommended security, with threats automatically removed and quarantined. • Recommended Server Defaults: Provides our recommended security for servers, with threats automatically removed and quarantined, while also allowing the servers to run with optimal performance. • Silent Audit: Scans for threats without user interaction. Does not block or quarantine detected items. This policy allows you to review SecureAnywhere's threat detections first, so you can review detected items and add overrides for any legitimate application files. Use this policy if you are concerned about a false positive being detected or you are applying SecureAnywhere to a critical server. This policy is help
3. Locate the row for the endpoint that has the blocked program and select the View link in the Blocked Programs column to open the following dialog. From this dialog, you have the following options: • Create override: If you want to bypass Endpoint Protection and designate the file as Good (allow the file to run) or Bad (detect and quarantine the file), click Create override from the command bar. For further instructions, see Applying overrides to files from reports on page 172. • Restore from Quarantine: If the file is safe and you want to restore it to the original location on the endpoint, click Restore from Quarantine from the command bar. You can also select whether you want to apply this override to all policies or selected policies, so you don't need to create this override again on other endpoints. If desired, you can show or hide additional data for the report. Click a column header to open the drop-down menu, then click in the checkboxes to s
4. Self Protection settings. Enable self protection response cloaking: Turns self protection on and off. Self protection level: Sets the detection level to: • Minimum: Protects the integrity of the SecureAnywhere settings and databases. Recommended if the endpoint has several other security products installed. • Medium: Prevents other programs from disabling protection. Provides maximum possible compatibility with other security software. • Maximum: Provides the highest protection of the SecureAnywhere processes. Recommended. Heuristics. With heuristics, you can set the level of threat analysis that SecureAnywhere performs when scanning managed endpoints. SecureAnywhere includes three types of heuristics: advanced, age, and popularity. • Advanced Heuristics: Analyzes new programs for suspicious actions that are typical of malware. • Age Heuristics: Analyzes new programs based on the amount of time the program has been in the community. Legitimate programs are generally used in a community for a long time, but malware often has a short life span. • Popularity Heuristics: Analyzes new programs based on statistics for how often the program is used in the community and how often it changes. Legitimate programs do not change quickly, but malware often mutates at a rapid pace. Malware may install as a unique copy on every computer, making it statistically "unpopular."
5. This user guide describes how administrators can deploy SecureAnywhere and use the Management Portal to view threat alerts, data charts, and other information about endpoint activity. The tasks you can perform depend on your access permissions and what mode of management you select during Endpoint Configuration. This guide is intended for administrators who are using Endpoint Protection with full access permissions. To begin using Endpoint Protection, see the following topics: Preparing for setup (page 7); Overview of configuration steps (page 7); System requirements (page 8); Creating a Webroot account (page 9); Logging in and using the Setup Wizard (page 12); Logging in for the first time (page 12); Selecting a default policy during configuration (page 13); Selecting a deployment method and performing a test install (page 15); Using the Management Portal (page 19); Using the main tabs (page 21); Opening the Endpoint Protection Menu
6. The following dialog opens. 5. Open the Determination drop-down menu by clicking the arrow to the right of the field. Select one of the following: • Good: Always allow the file to run. • Bad: Always send the file to quarantine. 6. You can apply this override globally or to an individual policy, as follows: • To apply the override to all policies, keep the Apply the override globally checkbox selected. • To select an individual policy for the override, deselect the checkbox. When the Policy field appears, click the drop-down arrow to the right of the field and select a policy. [Chapter 3: Managing Endpoints] Deactivating endpoints. You can deactivate an endpoint so that it no longer reports in to Endpoint Protection. You can reactivate an endpoint later, if necessary. By deactivating an endpoint, you can free the license seat so you can install another endpoint in its place. Deactivating an endpoint. Deactivation sends an Uninstall command to the endpoint and removes the endpoint entry from the Management Portal. To deactivate an endpoint: 1. Click the Group Management tab. 2. From the Groups panel on the left, select a group that includes the desired endpoints. 3.
7. [Chapter 2: Managing User Accounts] Access & Permissions. Create & Edit: Define and modify groups of endpoints. Deactivate/Reactivate Endpoints: Deactivate and reactivate endpoints from the Management Portal. See Deactivating endpoints on page 73. Assign Endpoints to Groups: Allows the portal user to move one or more endpoints from one group to another. See Organizing endpoints into groups on page 120. Create & Edit: Define, delete, rename, copy, and export policies. Assign Policies to Endpoints: Associate a policy with an endpoint or group of endpoints. See Implementing policies on page 88. Overrides. MD5: Override how a file is detected by entering the MD5 value of a file. MD5 (Message-Digest algorithm 5) is a cryptographic hash function that acts like a fingerprint to uniquely identify a file. Determination Capability: Specify overrides based on these settings: • Good: Allow files containing the specified MD5 value. • Bad: Block files containing the specified MD5 value. When a scan encounters this file, it flags it and requests action from the SecureAnywhere user. • Good & Bad: Allow either Good or Bad. See Implementing overrides on page 166. Commands. None: Do not allow this user to send commands to endpoints. Simple: Access to the Agent and Clear Data commands, and view commands for selected endpoints. Advanced: Access to Agent, Clear Data, Keycode, Power & User Access, Antimalware T
8. Renaming a console. To rename the console: 1. Click Rename, located below your login name in the upper right. 2. Enter the new name using numbers and spaces, but not special characters, then click Save. Switching consoles. To switch between consoles: 1. Click Change Console, located below your login name in the upper right. 2. Select the console name from the table. Renewing or upgrading your account. From the Management Portal, you can easily renew your Endpoint Protection license or add more seats to your license. When your license is about to expire or has already expired, you will see a warning message on the Status panel, similar to the example below: "To continue using Webroot SecureAnywhere Endpoint Protection, you must upgrade or renew a keycode." You can click Upgrade/Renew from this message, or you can go to the Manage Keycodes panel, as described below. To renew or upgrade your account: 1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Manage Keycodes.
9. SecureAnywhere detected and removed it. 7. From this panel, you have the following options: • Create override: If you want to bypass Endpoint Protection and designate the file as Good (allow the file to run) or Bad (detect and quarantine the file), click Create override from the command bar. For further instructions, see Applying overrides to files from reports on page 172. • Restore from Quarantine: If the file is safe and you want to restore it to the original location on the endpoint, click Restore from Quarantine from the command bar. 8. If desired, you can show or hide additional data for the report. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26. [Chapter 7: Viewing Reports] Generating the All Undetermined Software Seen report. SecureAnywhere may sometimes detect a file that appears legitimate, but also exhibits questionable behavior. In these cases, it classifies the file as "Undetermined." To locat
10. In the Confirm Logon panel, enter the requested characters of your security code and click Login. This personal security code was defined when you created a Webroot account. Every time you log in, Endpoint Protection will require this extra security step. Be aware that it prompts for two random characters of your code. For example, if your code is 123456 and it prompts you for the fourth and sixth characters, you would enter 4 and 6. [Chapter 1: Getting Started] 4. When the SecureAnywhere website opens, click Go to Endpoint Protection. Note: If you also purchased Mobile Protection, you will have access to the portal for Mobile Protection as well; otherwise, you will not see the Mobile Protection panel. The first time you log in, the Setup Wizard opens. Continue with the next section to select a default policy.
11. 8. If desired, you can show or hide additional data for the report. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26. Generating the Endpoints with Threats on Last Scan report. To locate and manage detected threats from the last scan, you can generate the Endpoints with Threats on Last Scan report. This report shows threats by endpoint location. From the report, you can change the endpoint's policy, run a scan, create an override for a file, or restore a file from quarantine. You can modify the report data as follows: • View all detected threats within a selected policy or group, which is helpful if you need to narrow search results to a specific set of endpoints. • Drill down to see the threats detected within a date range, which is helpful if you want to narrow the search results to a specific time period. To generate the Endpoints with Threats on Last Scan report: 1. Click the Reports tab. 2. In the Report Type field, click the drop-down arrow to display a list of reports. 3. Select Endpoints with Threats on Last Scan, then click Submit. The report opens in the right panel, where you h
12. Applying overrides from the Overrides tab on page 167. Re-set all applications previously blocked so they can run on the endpoint. Add extra security to an application running on the endpoint. To identify the application, you must enter its MD5 value. To determine an MD5 value, see Applying overrides from the Overrides tab on page 167. Re-set the application to standard protection, if you previously used the Protect an application command to add extra security. To identify the application, you must enter its MD5 value. To determine an MD5 value, see Applying overrides from the Overrides tab on page 167. Run a clean-up script on the endpoint to remove malware infections. You must specify a network path to the file. Run the WSABLogs utility to gather information about an infected endpoint. The Customer Support Diagnostics dialog shows the location of the utility's executable file and the email address associated with the endpoint account. Clicking Submit runs the utility and sends the results to Webroot Business support. You can specify optional advanced settings to send an additional file, to save the log locally instead of sending it, and gather a memory dump. Specify a file's direct URL to download it to the agent and then run it remotely at the system level. You can also enter command line options; for example, you could specify the s parameter so that the file you download runs silently in the background. Command line opti
13. After you confirm the deletion, you are prompted to move any endpoints from the deleted policy to another. 3. Open the drop-down list in the Move any endpoints dialog and select a new policy for the endpoints. 4. Click Save to remove the policy from the list. Note: Deleted policies are moved to a Deleted Policies list. To view them, select the Show Deleted Policies checkbox on the Policies tab to display them in the list. The Deleted policies are shown in gray. [Chapter 5: Managing Policies] Viewing endpoints assigned to a policy. From the Policies tab, you can quickly view which endpoints are assigned to a policy. To view endpoints assigned to a policy: 1. Click the Policies tab. 2. From the Policy Name column, select the desired policy. The bottom panel shows which groups use this policy. To view endpoints, you can do either of the following: • Click View all endpoints using this policy from the command bar. • Select the View link in the row for the group.
14. 3. In the User Details panel, make the desired changes to your name and phone numbers. Note: The Display Name is the name that appears in the Management Portal. If you need to change the time zone, click the pencil icon at the right, then type the country, region, or city to open a drop-down menu of choices. 4. To check your access permissions, click the Access & Permissions tab. If you are the main Endpoint Protection administrator, we recommend that you keep the default settings, as shown in the following example. For more information about the settings, see Setting permissions for portal users on page 38. 5. Click Save Access & Permissions when you're done. Managing portal users. If you have Admin permission for Endpoint Protection (see Setting permissions for portal users
15. SecureAnywhere settings controlled by policies. Web shield settings: Settings that protect endpoints as users surf the Internet and click links in search results. Identity shield settings: Protection from identity theft and financial loss. It ensures that sensitive data is protected, while safe-guarding users from keyloggers, screen-grabbers, and other information-stealing techniques. Firewall settings: Firewall protection that monitors data traffic traveling out of computer ports. It looks for untrusted processes that try to connect to the Internet and steal personal information. The Webroot firewall works in conjunction with the Windows firewall, which monitors data traffic coming into the endpoints. […] settings: User access to the SecureAnywhere program on the endpoint. System Cleaner: Settings that control the System Cleaner behavior, such as an automatic cleanup schedule and what types of files and traces to remove from the endpoint. To change policy settings: 1. Click the Policies tab. A list of policies opens in the bottom panel. In the Policy Name column, find the policy in the list and double-click anywhere in the row.
16. Select one or more endpoints and click Deactivate from the command bar. A dialog warns you that a deactivated endpoint will no longer be able to report to Endpoint Protection. 4. Click Yes to send an Uninstall command to the endpoint so that it removes SecureAnywhere. Once SecureAnywhere is removed, the endpoint is shown in the Deactivated Endpoints group. After 7 days, the status changes to Not Seen Recently. Reinstalling SecureAnywhere on the endpoint. If you deactivate an endpoint from the Group Management tab, you can reactivate it later, if necessary. To reactivate the endpoint: 1. Reinstall SecureAnywhere on the endpoint. 2. Open the Management Portal and click the Group Management tab. 3. Select the endpoint from the Deactivated Endpoints group. 4. Click Reactivate from the command bar. The endpoint is then moved back
17. Applying a policy to a group (page 124); Applying a policy to a single endpoint (page 125); Moving endpoints to another group (page 127); Deleting groups (page 128); Renaming groups (page 129); Chapter 7: Viewing Reports (page 131); Generating Endpoint Protection reports (page 132); Generating the Agent Version Spread report (page 134); Generating the Agents Installed report (page 137); Generating the All Threats Seen report (page 139); Generating the All Undetermined Software Seen report (page 141); Generating the Endpoints with Threats on Last Scan report (page 143); Generating the Endpoints with Undetermined Software on Last Scan report (page 146); Generating the Threat History Collated report
18. Viewing endpoint status. You can see the status of all endpoints in the Management Portal. Endpoints report their status when SecureAnywhere runs a scan on them or when a polling interval has completed. To view endpoint status: 1. Log in to the SecureAnywhere website: https://my.webrootanywhere.com. 2. Click Go to Endpoint Protection. If any endpoints are infected, you can click a link for those endpoints to go directly to a details panel. When the Management Portal opens, you can see the endpoint status in the left panels for Status (top) and Endpoint activity (bottom). [Chapter 4: Checking Status]
19. 6. If desired, you can show or hide additional data for the report. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26. Generating the Agents Installed report. To see a chart of SecureAnywhere installations, generate the Agents Installed report. (An agent is the SecureAnywhere software running on the endpoint.) This report displays a bar chart, showing the dates when SecureAnywhere was installed on endpoints, as well as the number of endpoints receiving the installations. You can modify the report data as follows: • View all SecureAnywhere installations within a selected policy or group, which is helpful if you need to narrow search results to a specific set of endpoints. • Drill down to see the endpoints with SecureAnywhere installed on the same date, which is helpful if you need to narrow the results to a time period and need to assign policies to a set of endpoints installed on a specific date. To generate the Agents Installed report: 1. Click the Reports tab. 2. In the Report Type field, click the drop-down arrow to display a list of reports. 3. Select Agents Installed. 4. If desired, select a specific policy or group. Otherwise, the report data shows all policies and groups, and may take a lon
20. 3. From the Endpoints panel on the right, select one or more endpoints. Tip: You can select all endpoints within the selected group by clicking the Hostname checkbox at the top of the list (first column). 4. Click Apply policy to endpoints from the command bar. Note: If the group has more than one page of endpoints, the dialog prompts you to apply the policy either to the endpoints on the current page or to all pages of endpoints. [Chapter 6: Managing Groups] 6. Check the Policy column to make sure the new policy is applied to the selected endpoints. Applying a policy to a single endpoint. If you want to apply a policy to only one endpoint, the quickest method is to double-click in the Policy column and change it there. To apply a policy to an individual endpoint: 1. Click the Group Management tab. 2. From the Groups panel on the left, sele
21. Internet Explorer versions 8, 9, and 10; Firefox (the latest 5 versions); Chrome (the latest 5 versions); Safari versions 5.0 and above. Server platforms: Windows Server 2003 Standard, Enterprise, 32 and 64-bit; Windows Server 2008 R2 Foundation, Standard, Enterprise; Windows Small Business Server 2008 and 2011. Virtual server platform: VM Workstation 6.5, 7.0; Citrix XenDesktop 5 and XenServer 5.0, 5.5, 5.6. Endpoint requirements. Operating systems for PCs and laptops: Windows XP 32 and 64-bit SP2, SP3; Windows Vista 32-bit (all editions); Windows Vista SP1, SP2 32 and 64-bit (all editions); Windows 7 32 and 64-bit (all editions); Windows 7 SP1 32 and 64-bit (all editions). Processor: Intel Pentium/Celeron family; AMD K6/Athlon/Duron family; other compatible processor with those listed above. Memory: 128 MB RAM (minimum). Browsers: Internet Explorer versions 8, 9, and 10; Firefox (the latest 5 versions); Chrome (the latest 5 versions); Safari versions 5.0 and above; Opera (the latest 5 versions). Creating a Webroot account. Before you can log in to Endpoint Protection, you must create an account using your license keycode. You should have received the keycode in an email sent from Webroot. To create an account: 1. Go to the SecureAnywhere website: https://my.webrootanywhere.com. 2. In the Login panel, click Sign up now.
22. Off, no alert appears to the endpoint user and the process is allowed. Gives administrative control over the SecureAnywhere interface on the endpoints using this policy. User Interface setting. GUI: Blocks or allows endpoint user access to the main SecureAnywhere interface. If users try to open SecureAnywhere when this option is set to Hide, a message tells them to contact the administrator to access the interface. Note: This option does not also hide the Webroot system tray icon. System Cleaner. The System Cleaner removes traces of the end user's web browsing history, files that show computer use, and unnecessary files that consume valuable disk space, such as files in the Recycle Bin or Windows temporary files. The System Cleaner does not run automatically; you need to schedule cleanups and select the items you want removed. System Cleaner settings. Manage System Cleaner: Enables the administrator to change System Cleaner settings centrally, as follows: • On: The System Cleaner settings are shown in the panel and are available to change. • Off: No settings appear in this panel. Scheduled Cleanup, Monday through Sunday: Sets the days of the week (one or more) to automatically run the System Cleaner. Cleanup at specific time of day, hour: Sets the hour of the day the System Cleaner runs on the endpoints. Cleanup at specific time of Sets the time in 15 minute increme
23. 2. In the Manage Keycodes panel, click either Renew to extend your license or Upgrade to add more seats to your license. Note: Your license is tied to a keycode, so select the appropriate row for the keycode you need to renew or upgrade. The Webroot website opens with further instructions. Chapter 3: Managing Endpoints. To deploy SecureAnywhere to endpoints and to manage endpoints in the portal, see the following topics: Deploying SecureAnywhere to endpoints (page 50); Using the SecureAnywhere installer (page 52); Using MSI for deployment (page 57); Using GPO for deployment (page 58); Changing an endpoint keycode (page 59); Renaming endpoints (page 61); Searching for endpoints (page 62); Issuing commands to endpoints (page 63); Checking scan results and managing threats (page 69); Viewing the scan history (page 69)
24. Data points in tables and reports. Agent Language: The language selected when SecureAnywhere was installed: en (English), ja (Japanese), es (Spanish), fr (French), de (German), it (Italian), nl (Dutch), ko (Korean), zh-cn (Simplified Chinese), pt (Brazilian Portuguese), ru (Russian), tr (Turkish), zh-tw (Traditional Chinese). Agent Version: The version of the SecureAnywhere software installed on the endpoint. All Endpoints: More information about the endpoints where a file was detected and blocked. All Versions: More information about the SecureAnywhere versions where a file was detected and blocked. Approx Scan Time: The duration of a scan, in minutes and seconds. Area: A flag for the country where the endpoint is located. Cloud Determination: The Webroot classification of the file, which can be Good, Bad, or Undetermined. Days Infected: The number of days the endpoint remained infected. Device MID: A Machine ID value that identifies the hardware for an endpoint. Webroot uses an algorithm to determine this value. Endpoints Affected: The number of endpoints with a detected file. File Size: The size of the file, in bytes. Filename: The filename of the detected threat. Identifier. Webroot uses an algorithm to determine this value. The time of the last scan on this endpoint. The date and time this endpoint last checked into the Management Portal. Malware Group: The classification
25. Basic Configuration
The Basic Configuration settings control the behavior of the SecureAnywhere software on managed endpoints.
Basic Configuration settings:
- Show a Webroot shortcut on the desktop: Provides quick access to the main interface by placing the shortcut icon on the endpoint desktop.
- Show a system tray icon: Provides quick access to SecureAnywhere functions by placing the Webroot icon in the endpoint system tray.
- Show a splash screen on bootup: Opens the Webroot splash screen when the endpoint starts.
- Show Webroot in the Start Menu: Lists SecureAnywhere in the Windows Startup menu items.
- Show Webroot in Add/Remove Programs: Lists SecureAnywhere in the Windows Add/Remove Programs panel.
- Show Webroot in Windows Security Action Center: Lists SecureAnywhere in the Windows Security Action Center, under Virus Protection information.
- Hide the Webroot keycode: Hides the keycode on the endp
26. adds only a small amount of time to the scan.
Checks for rootkits and other malicious software hidden on disk or in protected areas. Spyware developers often use rootkits to avoid detection and removal. We recommend that you keep this option selected. It adds only a small amount of time to the scan.
Enables an option for scanning the currently selected file or folder in the Windows Explorer right-click menu. This option is helpful if the user downloads a file and wants to scan it quickly.
Displays a full list of files as SecureAnywhere scans each one. If you want to increase scan performance slightly, deselect this option so that file names only update once per second on the panel. SecureAnywhere will still scan all files, just not take the time to show each one on the screen.
Scan Settings:
- Favor low memory usage over fast scanning: Reduces RAM usage in the background by using less memory during scans, but scans will also run a bit slower. Deselect this option to run faster scans and use more memory.
- Favor low CPU usage over fast scanning: Reduces CPU usage during scans, but scans will also run a bit slower. Deselect this option to run faster scans.
- Save non-executable file details to scan logs: Saves all file data to the scan log, resulting in a much larger log file. Leave this option deselected to save only executable file details to the log.
- Show the Authenticating Opens a small dialog when
27. an override to a file designated as a threat, so it won't be detected and quarantined again in the future.
To apply an override from groups:
1. Click the Group Management tab.
2. From the left panel, select the group for the endpoint where the file was detected.
3. In the right panel, select the endpoint where the file was detected.
4. In the Scan History list at the bottom, you can click View in the Status column for the date when the threat was detected, or you can click View all threats seen on this endpoint.
5. In the dialog, select the desired filename by clicking in its checkbox.
6. Click Create override.
28. at the bottom to learn more about advanced deployment options. See also Deploying SecureAnywhere to endpoints on page 50.
To get started, we recommend that you deploy SecureAnywhere to at least one test endpoint so you can see its status in the Management Portal.
To deploy SecureAnywhere to a test endpoint:
1. Look for your keycode in the How to get started panel. This keycode ident
29. code and click Login. This personal security code was defined when you created a Webroot account. Every time you log in, Endpoint Protection will require this extra security step. Be aware that it prompts for two random characters of your code. For example, if your code is 123456 and it prompts you for the fourth and sixth characters, you would enter 4 and 6.
The SecureAnywhere website opens and shows the total number of endpoints protected in your network, any endpoints that have threats, and any endpoints with threats detected in the last 24 hours.
4. From the Endpoint Protection panel (see the following example), you can click Go to Endpoint Protection to open the Management Portal, or click an Endpoint Infected link (if any) to open the Management Portal and go directly to the threat information panel.
The Management Portal looks similar to the following example. The Status panel includes threat alerts, endpoint activity, and data charts. You can click tabs along the top that allow you to access configuration and other tasks.
30. dialog that opens, select a category of agent commands and then a command to run. For a description of each command, see the tables following these steps.
6. To see the status of commands you sent, you can click View commands for selected endpoints near the bottom of the menu. You can also review the Command Log on the Logs tab.
Endpoint Protection will issue the commands on the next polling interval. If necessary, you can either change the polling interval in Basic Configuration of the group's policy (see the following example), or you can force the changes immediately, as described in Forcing immediate updates (forced polling) on page 76.
31. end user searched for on the computer. This history displays when the end user starts entering a new search that starts with the same characters. The cleanup does not delete the actual files.
Reverts the list of programs and documents in the Start menu back to alphabetical order, which is the default setting. After the cleanup runs, the list reverts back to alphabetical order after a system re-boot.
Windows System:
- Clipboard contents: Clears the contents from the Clipboard, where Windows stores data used in either the Copy or Cut function from any Windows program.
- Windows Temporary folder: Deletes all files and folders in the Windows temporary folder, but not files that are in use by an open program. This folder is usually C:\Windows\Temp.
- System Temporary folder: Deletes all files and folders in the system temporary folder, but not files that are in use by an open program. This folder is usually in C:\Documents and Settings\username\Local Settings\Temp.
- Windows Update Temporary folder: Deletes all files and subfolders in this folder, but not files that are in use by an open program. Windows uses these files when a Windows Update runs. These files are normally in C:\Windows\Software Distribution\Download.
- Windows Registry Streams: Clears the history of recent changes made to the Windows registry. This option does not delete the registry changes themselves.
Syst
32. for easy management. Once endpoints report into the Management Portal after performing the first scan, you can move them to a different group. For example, you might organize endpoints by time zone so that you can schedule the same scan time for all of them.
You can view all groups in the Group Management tab, which looks similar to the example below. Select a group from the Groups panel on the left to see the endpoints and policies associated with that group on the right. Endpoints are shown on the top; policies are shown on the bottom.
33. if you need to narrow search results to a specific set of endpoints.
- Drill down to see the endpoints using a specific version, which is helpful if you want to determine which endpoints should be upgraded.
To generate the Agent Version Spread report:
1. Click the Reports tab.
2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select Agent Version Spread and click Submit.
A list of groups opens, along with the Agent Version Spread report, as shown in the following example.
[Figure: Agent Version Spread bar chart, with a Select a Group panel and an endpoint list showing Hostname, First Seen, and Last Seen.]
To view data for a specific group, click the group name on the left. The bar chart redisplays the data with only the selected group.
To view the endpoints using the version, click a bar to see details. The bottom panel displays data about each endpoint.
34. its activity.
Behavior shield settings (continued):
- Enable advanced behavior interpretation to identify complex threats: Analyzes a program to examine its intent. For example, a malware program might perform suspicious activities like modifying a registry entry, then sending an email.
- Track the behavior of untrusted programs for advanced threat removal: Watches programs that have not yet been classified as legitimate or as malware.
- Automatically perform the recommended action instead of showing warning messages: Does not prompt the user to allow or block a potential threat. SecureAnywhere determines how to manage the item.
- Warn if untrusted programs attempt low-level system modifications when offline: Opens an alert if an unclassified program tries to make changes to your managed endpoints when they are offline. (SecureAnywhere cannot check its online threat database if endpoints are disconnected from the Internet.)
Core System Shield
The Core System shield monitors system structures of your managed endpoints and makes sure malware has not tampered with them. If the shield detects a suspicious file trying to make changes, it opens an alert and prompts the user to block or allow the item. If it detects a known threat, it immediately blocks and quarantines the item before it causes damage or steals information.
Core System shield settings:
- Core System Shield Enabled: Turns the Core System s
35. might want to change the machine name to something more meaningful, such as Gallagher Laptop or LabTest 1.
To rename an endpoint:
1. Click the Group Management tab.
2. From the Groups panel on the left, select the group that contains the desired endpoint.
3. From the Endpoints panel on the right, double-click on the endpoint name in the Hostname column.
4. Enter the new name and press the Enter key. A red flag appears in the upper left of the field to indicate that the change is not yet saved.
5. Click Save Changes from the command row. The new name appears in the Hostname column.
6. If you decide later to revert to the original name, you can click the Revert button on the far right of the row.
Searching for endpoints
You can search for a specific endpoint from the field in the upper right of the Management Portal. This field is accessible from any area of the portal. Enter a full or partial endpoint name (case-insensitive) and click the magnifying glass (search) icon.
The Management Portal displays all endpoints matching the search criteria in the bottom panel.
Issuing commands to endpoints
From the Management Portal, you can issue commands to individual endpoints or to a group of endpoints. For example you might wan
36. modification. This option enables self protection and the CAPTCHA prompts. (CAPTCHA requires you to read distorted text on the screen and enter the text in a field before performing any critical actions.)
- Change Language: To change the language displayed in SecureAnywhere, click the Change Language button and select from the supported languages. (You can only change the displayed language during installation, not after.)
4. Click Agree and Install. During installation, SecureAnywhere runs an immediate scan on the endpoint.
To send an email to end users so they can install SecureAnywhere themselves:
1. Click the Resources tab.
2. Click the Email template link. The email template opens in the panel below.
3. Cut and paste the text into an email message. The link automatically adds the correct keycode for the user. Send the email to the users.
The user clicks the link to begin installation. The program installs silently in the background, with the correct keycode already entered. When it's done, a Webroot icon appears in the endpoint's system tray.
To run a back
37. The following tables describe each of the endpoint commands.
Agent commands:
- Scan: Run a Deep scan in the background as soon as the endpoint receives the command. When the scan completes, the Scan History panel shows the results for a Deep scan. Be aware that any detected threats are not automatically quarantined. You must take action yourself in the portal by running a Clean up or by creating an override.
- Change scan time: Select a new time of day to scan the endpoint. By default, SecureAnywhere runs a scan every day at about the same time it was installed. For example, if you installed SecureAnywhere on the endpoint at noon, a scan will always run around 12 p.m. With this command, you can change it to a different hour.
- Scan a folder: Runs a full, file-by-file scan on a specific folder. Be sure to enter the full path name. For example: C:\Documents and Settings\Administrator\My Documents. When the scan completes, the Scan History panel shows results for the Custom/Right-Click Scan.
- Clean up: Start a scan and automatically quarantine malicious files. When the scan completes, the Scan History panel shows results for the Post Cleanup Scan.
- System Cleaner: Run the System Cleaner on the endpoint, which removes all traces of web brow
38. on an endpoint
- Moving endpoints to a new subnet
- Forcing immediate updates (forced polling)
- Using SecureAnywhere on the endpoint
- Uninstalling SecureAnywhere
Chapter 4: Checking Status
- Viewing endpoint status
- Viewing recent threat status
- Viewing an agent version overview
Chapter 5: Managing Policies
- Implementing policies
- Selecting a new default policy
- Creating policies
- Creating a new policy
- Copying a policy
- Changing policy settings
- B
39. on page 38, you can create new Management Portal users, set access permissions for them, and edit their information. When you create new users, Endpoint Protection sends them an email with further details for creating a password and logging in.
Creating new portal users
You might want to add other administrators so they can access Endpoint Protection reports. You can also add users with limited permissions, so they can view data but not make changes.
To create a new portal user:
1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Manage Users.
2. In the Manage Users panel, click Create New User.
3. In the Create New User panel, enter the user's email address (the address where the user receives the confirmation message). The email address will also serve as the user's login name. If you entered the wrong email address and the user does not receive the message, you will be able to change the email address and re-send it later. See Editing user informatio
40. A dialog opens and shows the endpoint names and status.
4. If desired, you can show or hide additional data about the endpoints. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26.
Moving endpoints to another policy
From the Policy tab, you can move all endpoints assigned to one policy to another policy.
To move endpoints to another policy:
1. Click the Policies tab.
2. From the Policy Name column, select the desired policy. The bottom panel shows which groups use this policy.
3. Click Move all endpoints on this policy to another policy from the command bar.
41. protects sensitive data that might be exposed during online transactions. You can change the behavior of the Identity shield and control what it blocks.
Identity shield settings:
- Identity Shield Enabled: Turns the Identity shield on and off.
- Look for identity threats online: Analyzes websites as users browse the Internet or open links. If the shield detects malicious content, it blocks the site and opens an alert.
- Analyze websites for phishing threats: Analyzes websites for phishing threats as users browse the Internet or open links. If the shield detects a phishing threat, it blocks the site and opens an alert.
- Verify websites when visited to determine legitimacy: Analyzes the IP address of each website to determine if it has been redirected or is on our blacklist. If the shield detects an illegitimate website, it blocks the site and opens an alert.
- Verify the DNS/IP resolution of websites to detect Man-in-the-Middle attacks: Looks for servers that could be redirecting users to a malicious website (man-in-the-middle attack). If the shield detects a man-in-the-middle attack, it blocks the threat and opens an alert.
- Block websites from creating high risk tracking information: Blocks third party cookies from installi
- Prevent programs from accessing protected credentials
- Warn before blocking untrusted programs from accessing protected data
- Allow trusted screen capture programs access to protected screen contents
42. remaining fields, specify your existing account information for the email address, password, security code, and security question and answer.
5. Click Register Now. As shown in the following example, Webroot recognizes your account information and prompts you to either create a new console for the keycode or add the keycode to an existing console.
6. Click Select in the left panel to add a new console. The SecureAnywhere website creates the console and prompts you to log in.
7. Log in with your account information, then choose the new Unnamed Console. (You can rename it, as described in the following section.) Your new console shows any endpoints that use the keycode you entered.
43. spreadsheet
You can export all override information to a spreadsheet, which is convenient if you want to review settings with your colleagues.
To export override settings:
1. Click the Overrides tab.
2. If you want to narrow the results in the right panel, select a specific policy from the left.
3. Click Export to CSV from the command bar.
4. From the prompt, save the overrides to a CSV file. Endpoint Protection saves it to a file named Overrides.csv. If you save additional files, it appends a number to the base name, such as Overrides 2.csv.
Chapter 10: Viewing Logs
To use logs, see the following topics:
- Viewing the Change Log
- Viewing the Command Log
Viewing the Change Log
In the Change Log, you can see when the following types of events have occurred:
- Logon: When the administrator logged into the Management Portal.
- Policy: Any policies created, changed, or deleted.
- Agent Commands: When a command was initiated.
- Override: Any overrides created, changed, or deleted.
- Group: Any groups created, changed, or deleted.
- Endpoint: Any end
44. table to the appropriate value.
- Set the GUILIC property in the Property table to your keycode.
Using GPO for deployment
To install SecureAnywhere using GPO (Group Policy Object), you should have experience with Microsoft's Active Directory and the Group Policy Object editor. You can also watch a video for using GPO at How to Deploy Using Group Policy Webroot SecureAnywhere Business.
To install SecureAnywhere using GPO:
1. Download the SecureAnywhere MSI installer to a network share: http://anywhere.webrootcloudav.com/zerol/wsasme.msi
Downloading the file makes it accessible to all endpoints on which you will deploy SecureAnywhere.
2. Go to the server that is the domain controller for the deployment group.
3. Open the GPO editor on the domain controller and create a policy for the deployment group.
4. Assign SecureAnywhere to all endpoints that belong to the Organizational Unit where the Group Policy is created. SecureAnywhere installs on the endpoints in the group when they restart.
Changing an endpoint keycode
Endpoints must use the Endpoint Protection keycode before they can report into the Management Portal. If there are endpoints in your network that already have SecureAnywhere installed with a different type of keycode (for example, a Consumer version of SecureAnywhere), change the keycode either by issuing a Change Keycode command (see Issuing commands to endpo
45. user if a threat tries to launch.
- Block threats automatically if no user is logged in: Stops threats from executing even when managed endpoints are logged off. Threats are sent to quarantine without notification.
- Show realtime event warnings: Opens an alert when suspicious activity occurs.
- Show realtime block modal alerts: Shows alerts when Heuristics detects malware, and prompts the user to allow or block the action. Note: This setting must be set to on if Heuristics is set to Warn when new programs execute that are not known good. Otherwise, users will not see the alert.
- Show realtime block notifications: Shows a tray notification if the Realtime shield detects malware. If this setting is off, there is no tray notification, but malware is blocked and the home page shows that threats were detected.
Behavior Shield
The Behavior shield analyzes the applications and processes running on your managed endpoints. If it detects a suspicious file, it opens an alert and prompts you to block or allow the item. If it detects a known threat, it immediately blocks and quarantines the item before it causes damage to managed endpoints or steals information.
Behavior shield settings:
- Behavior Shield Enabled: Turns the Behavior shield on and off.
- Assess the intent of new programs before allowing them to execute: Watches the program's activity before allowing it to run. If it appears okay, SecureAnywhere allows it to launch and continues to monitor
46. To create more groups and move endpoints, follow these steps:
1. Add one or more new groups, as described in Adding a new group on page 122.
2. Move endpoints to the newly created groups, as described in Moving endpoints to another group on page 127.
3. Assign a policy to the new group of endpoints, as described in Applying a policy to endpoint groups on page 124.
Adding a new group
When you first deploy SecureAnywhere to endpoints, Endpoint Protection assigns them all to the Default group. If desired, you can add more groups for different management purposes and re-assign endpoints to those new groups.
To create a group:
1. Click the Group Management tab.
2. Click Create from the command bar.
The new group appears in the Groups panel on the left.
To move endpoints into this group, click the group where the endpoints currently reside.
Select one or more endpoints from the Endpoints panel on the right. Tip: You can select all en
47. 20-character license you received when you purchased Endpoint Protection.
Endpoint Protection or another Webroot product you purchased.
Number of endpoints that can use this keycode.
- Days Remaining: Number of days remaining for this keycode to be active and the expiration date.
- Renew: A link for renewing your subscription. See Renewing or upgrading your account on page 47.
- Upgrade: A link for purchasing more endpoint seats for this license. See Renewing or upgrading your account on page 47.
If you need to purchase another keycode, click Buy a Keycode now at the top of the list. The Webroot Business website opens. From here, you can buy another keycode. After you purchase the keycode, you can add it to Endpoint Protection by clicking Add Product Keycode.
In the Add a Keycode dialog, enter the keycode you just purchased and click Add. Your new keycode will appear in the Manage Keycodes panel and in the Resources tab.
Adding consoles to your account
When you first created an account, Endpoint Protection organized your managed devices into a single console. A console is a collection of one or more endpoints running SecureAnywhere or other Webroot products. If you have a large
48. - Deploying SecureAnywhere to endpoints
- Using the SecureAnywhere installer
- Using MSI for deployment
- Using GPO for deployment
- Changing an endpoint keycode
- Renaming endpoints
- Searching for endpoints
- Issuing commands to endpoints
- Checking scan results and managing threats
- Viewing the scan history
- Restoring a file from quarantine
- Setting an override for the file
- Deactivating endpoints
- Deactivating an endpoint
- Reinstalling SecureAnywhere on the endpoint
- Managing endpoint upgrades and other changes
- Migrating to a new operating system
- Changing hardware
49. You can adjust these types of heuristics for several areas: the local drive, USB drives, the Internet, the network, CD/DVDs, and when your computer is offline. For each of these areas, you can set the following options:
• Disable Heuristics: Turns off heuristic analysis for the local drive, USB drives, the Internet, the network, CD/DVDs, or when your computer is offline. Not recommended.
• Apply advanced heuristics before Age/Popularity heuristics: Warns against new programs as well as old programs that exhibit suspicious behavior on the local drive, USB drives, the Internet, the network, CD/DVDs, or when your computer is offline.
• Apply advanced heuristics after Age/Popularity heuristics: Warns against suspicious programs detected with Advanced Heuristics, based on Age/Popularity settings, on the local drive, USB drives, the Internet, the network, CD/DVDs, or when your computer is offline.
• Warn when new programs execute that are not known good: Warns when malicious, suspicious, or unknown programs try to execute on the local drive, USB drives, the Internet, the network, CD/DVDs, or when your computer is offline. This setting may result in false detections.
Heuristics levels
Advanced Heuristics
Age Heuristics
Disabled turns off Advanced Heuristics, leaving it vulnerable to new threats. However, it will still be protected against known threats.
Low detects p
50. 67 subnet moving endpoints to new subnet 75 subscription renewing 47 System Cleaner command for 66 settings for 109 system requirements 8 system tray icon hiding or showing on endpoint 96 T tables sorting columns 26 task manager settings changing on endpoint 67 Technical Support 25 television icon 24 Endpoint Protection Administrator Guide threat blog 25 Threat History Collated report 148 Threat History Daily report 152 threat reports 132 U Undetermined software locating on endpoints 133 Uninstall command 66 Unnamed Console 45 Unprotect an application command 68 updates forcing immediate on endpoint 76 upgrading your account 47 user guides 25 User Interface policy settings 109 user permissions 38 users for portal adding 33 Vv videos icon available in panels 24 link from the Product Information panel 25 View commands for selected endpoints 64 virtual servers supported 8 W wallpaper resetting 67 Web Threat Shield policy settings 106 Webroot account 9 Webroot Support 25 Windows Explorer enabling right click scan 98 Windows systems supported 8 wsasme exe 52 192
51. 5. From the bottom panel, you can perform one of the following actions on a selected threat:
• Create override: If you want to bypass Endpoint Protection and designate the file as Good (allow the file to run) or Bad (detect and quarantine the file), click Create override from the command bar. For further instructions, see Applying overrides to files from reports on page 172.
• Restore from Quarantine: If the file is safe and you want to restore it to the original location on the endpoint, click Restore from Quarantine from the command bar.
6. If desired, you can show or hide additional data for the report. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26.
Generating the Endpoints with Undetermined Software on Last Scan report
SecureAnywhere may sometimes detect a file that appears legitimate but also exhibits questionable behavior. In these cases, it classifies the file as Undetermined. To locate files that SecureAnywhere classified as Undetermined on the last scan, you can generate the Endpoints with Undetermined Software on Last Scan report. You can select an endpoint to drill down for more details about the files. To generate t
52. Cookies, Temporary Internet Files, or URL History. Note: Index.dat functions like an active database. It is only cleaned after you reboot Windows.
Secure File Removal
Control the level of security to apply when removing files: Removes files permanently in a shredding process, which overwrites them with random characters. This shredding feature is a convenient way to make sure no one can ever access the endpoint's files with a recovery tool. By default, file removal is set to Normal, which means items are deleted permanently, bypassing the Recycle Bin. However, with the Normal setting, data recovery utilities could restore the files. If you want to make sure files can never be recovered, select Maximum. Medium overwrites files with three passes, whereas Maximum overwrites files with seven passes and cleans the space around the files. Also be aware that cleanup operations take longer when you select Medium or Maximum.
Renaming a policy
You can rename a policy from the Policies tab. Keep in mind that policy names must be unique.
To rename a policy:
1. Click the Policies tab.
2. From the Policy Name column, select the policy to rename.
3. Click Rename from the command bar.
53. 3. If the data exceeds 50 items, you can use the navigation buttons at the bottom to move between additional pages. You can also use the Refresh button to update the data.
Glossary
A
adware: Software designed to display advertisements on your system or hijack web searches, rerouting searches through its own web page. It may also change your default home page to a specific website. Adware generally propagates itself using dialog boxes and social engineering methods.
agent: The SecureAnywhere software installed on a PC or other type of endpoint.
C
console: A console is a collection of one or more devices running a Webroot product and displays as separate sites in the Management Portal. When you first registered an account, SecureAnywhere organized your managed devices into a single console. You can add more consoles for management purposes, if desired.
cookies: Small strings of text designed to help websites remember your browser and preferences. Cookies cannot steal information off your machine, but some do store persona
54. Restoring a file from quarantine 70
Setting an override for the file 71
Deactivating endpoints 73
Deactivating an endpoint 73
Reinstalling SecureAnywhere on the endpoint 74
Managing endpoint upgrades and other changes 75
Migrating to a new operating system 75
Changing hardware on an endpoint 75
Moving endpoints to a new subnet 75
Forcing immediate updates (forced polling) 76
Using SecureAnywhere on the endpoint 77
Uninstalling SecureAnywhere 79
Deploying SecureAnywhere to endpoints
You can deploy SecureAnywhere to endpoints using a variety of methods, depending on your business requirements and network size. An endpoint can be a Windows PC, laptop, server, or virtual server installed in your network. A list of endpoint system requirement
55. Seen
• All Undetermined Software Seen
• Endpoints with Threats on Last Scan, in the panel for Threats Seen on this Endpoint panel (individual endpoints only)
• Endpoints with Undetermined Software on Last Scan, in the panel for All Undetermined Software Seen on this Endpoint (individual endpoints only)
To create an override from reports:
1. Click the Reports tab and generate one of the reports listed above.
2. Select the desired filename and click Create override from the command bar. The following dialog opens.
[Dialog: Create override, with a Determination field and an Apply this override globally checkbox]
3. Open the Determination drop-down menu by clicking the arrow to the right of the field. Select one of the following:
• Good: Always allow the file to run.
• Bad: Always send the file to quarantine.
4. You can apply this override globally or to an individual policy, as follows:
• To apply the override to all policies, keep the Apply the override globally checkbox selected.
• To select an individual policy for the override, deselect the checkbox. When the Policy field appears, click the drop-down arrow to the right of the field and select a policy.
5. When you're
56. The Webroot firewall is preconfigured to filter traffic on your managed endpoints. It works in the background without disrupting normal activities. If the firewall detects unrecognized traffic, it opens an alert. You can either block the traffic or allow it to proceed.
Firewall settings
Enabled: Turns the Firewall on and off.
Firewall level:
• Default Allow: Allows all processes to connect to the Internet, unless explicitly blocked.
• Warn unknown and infected: Warns if any new, untrusted processes connect to the Internet, if the endpoint is infected.
• Warn unknown: Warns if a new, untrusted process connects to the Internet.
• Default Block: Warns if any process connects to the Internet, unless explicitly blocked.
Show firewall management warnings: Controls the alert shown by SecureAnywhere when the Windows firewall is off.
• On: The user sees an alert when SecureAnywhere detects that the Windows firewall is off.
• Off: No alert appears when the Windows firewall is off.
Show firewall process warnings: Controls the firewall alerts. If this setting is Off, no firewall alerts appear. This option works in conjunction with the Firewall Level settings. For example, if Show firewall process warnings and Default Block options are both set to On, the endpoint user sees an alert if a new process tries to connect. If Show Firewall process warnings is set to
User Interface
57. WEBROOT SecureAnywhere Endpoint Protection Administrator Guide
Copyright: Endpoint Protection Administrator Guide, June 2013. 2012-2013 Webroot Inc. All rights reserved. Webroot is a registered trademark and SecureAnywhere is a trademark of Webroot Inc. All other product and company names mentioned may be trademarks or registered trademarks of their respective owners.
Table of Contents
Chapter 1: Getting Started 5
Preparing for setup 7
Overview of configuration steps 7
System requirements 8
Creating a Webroot account 9
Logging in and using the Setup Wizard 12
Logging in for the first time 12
Selecting a default policy during configuration 13
Selecting a deployment method and performing a test install 15
Using the Management Portal 19
Using the main tabs 21
Opening the Endpoint Protection Menu 22
Opening and collapsing panels 23
Exportin
58. alert. Click Next at the bottom right.
If you select one of the summary alerts, another field appears where you must select the frequency for sending the alerts, either daily, weekly, or monthly.
4. In the next panel, you can select from an existing distribution list or you can create a new one.
If you already created a distribution list, click Use existing list and then click Next.
If you have not yet created a distribution list, click Create new list, enter a list name, then enter the email addresses. When you're done, click Next.
[Dialog: Create Alert, Step 2, with Use existing list and Create new list options; Email Addresses are comma separated, maximum of 10]
5. In the next panel, you can enter the subject and message for the email message. In the Email title field, enter the subject head for the message. In the Email message body field, enter the text for the message.
59. The following dialog opens.
[Dialog: Create override, with a Determination field and an Apply this override globally checkbox]
7. Open the Determination drop-down menu by clicking the arrow to the right of the field. Select one of the following:
• Good: Always allow the file to run.
• Bad: Always send the file to quarantine.
8. You can apply this override globally or to an individual policy, as follows:
• To apply the override to all policies, keep the Apply the override globally checkbox selected.
• To select an individual policy for the override, deselect the checkbox. When the Policy field appears, click the drop-down arrow to the right of the field and select a policy.
9. When you're done, click Save.
10. If you want to test the file's detection, you can send the endpoint a Reverify all files and processes command (see Issuing commands to endpoints on page 63).
Applying overrides to files from reports
From the Reports tab, you can apply an override to a file designated as a threat, so it won't be detected and quarantined again in the future. You can add overrides from these reports:
• All Threats
60. asic Configuration 95
Scan Schedule 97
Scan Settings 98
Self Protection 99
Heuristics 100
Realtime Shield 103
Behavior Shield 104
Core System Shield 105
Web Threat Shield 106
Firewall 108
User Interface 109
System Cleaner 109
Renaming a policy 114
Exporting policy settings to a spreadsheet 115
Deleting policies 116
Viewing endpoints assigned to a policy 117
Moving endpoints to another policy 118
Chapter 6: Managing Groups 119
Organizing endpoints into groups 120
Adding a new group 122
Applying a policy to endpoint groups
61. assword 12 permissions for portal use 38 policies assigning endpoints to another policy 118 assigning permissions for creating 41 changing settings 92 copying policies 91 creating new policies 90 deleting 116 exporting to spreadsheet 115 190 live settings and draft changes 93 overview of implementation 88 promoting changes to live 95 renaming 114 selecting a default during configuration 14 selecting a new default policy 89 viewing endpoints assigned to 117 poll interval changing for endpoint 97 polling forcing an immediate poll 76 Popularity Heuristics 100 portal adding users for 33 alerts in 82 charts in 21 collapsing panels in 23 logging in 19 removing endpoints from 73 setting access permissions 38 Post Cleanup Scan 66 Power amp User Access commands 67 Protect an application command 68 proxy commands using during installation 56 Q quarantine restoring a file using agent commands 67 restoring a file using Scan History panel 70 Question mark icon 24 Quick Scan changing to 98 R Realtime Shield policy settings 103 Reboot in Safe Mode command 67 Refresh configuration on endpoints 76 registering an account 9 registry command sending to endpoint 68 release notes 25 Remove password protection 66 renewing your license 47 reports overview of 132 sorting data in 26 Reset desktop wallpaper command 67 Reset screen saver command 67 Reset system policies command 67 resetting SecureAnywhere settings 66 r
62. Creating a distribution list
From the Alerts tab, you can easily create a distribution list of users who will receive alert messages. For example, you might want to create a list of administrators who need to respond to threat detections at a remote office.
To create a distribution list:
1. Click the Alerts tab.
2. In the Distribution Lists panel on the right, click Create from the command bar.
3. In the dialog, enter a name for the list and the email addresses of the recipients.
[Dialog: Create Distribution List, with List Name and Email Addresses (comma separated, maximum of 10) fields]
4. Click Save. The new list is added to the Distribution Lists panel. If you need to delete the list later, click the name and click Delete from the command bar.
Creating customized alerts
You can customize the alert messages sent to a distribution
63. ave the following options:
• View and change the policy: To open the policy settings for that endpoint and change the settings, you can click the View link. Endpoints assigned to the Unmanaged policy have no View link, because they are controlled at the endpoint level.
• Launch scan: Click the broom icon on the far right to initiate a scan and auto-quarantine threats.
[Screenshots: Endpoints with threats on last scan report, with an upper Endpoints with threats panel (Hostname, Policy, Agent Version columns) and a lower Threats seen on this endpoint panel (Filename, Pathname, Malware Group columns)]
4. To view more details about threats found on an endpoint, click a hostname from the upper panel to see details in the bottom panel.
64. can Schedule
SecureAnywhere runs scans automatically every day, at about the same time you installed the software. You can use the Scan Schedule settings to change the schedules and run scans at different times.
Scan Schedule settings
Enable Scheduled Scans: Allows scheduled scans to run on the endpoint.
Scan Frequency: Determines how often to run the scan. You can set a day of the week or select on bootup (when the computer starts).
Time: Specifies the time to run the scan.
• Scan time options for when computer is idle are before 8:00 a.m., before noon, before 5:00 p.m., or before midnight.
• Scan time options for when resources are available are hourly from 12:00 a.m. to 11:00 p.m.
Scan on bootup if the computer is off at the scheduled time: Launches a scheduled scan within an hour after the user turns on the computer, if the scan did not run at the normally scheduled time. If this option is disabled, SecureAnywhere ignores missed scans.
Hide the scan progress window during scheduled scans: Runs scans silently in the background. If this option is disabled, a window opens and shows the scan progress.
Only notify me if an infection is found during a scheduled scan: Opens an alert only if it finds a threat. If this option is disabled, a small status window opens when the scan completes, whether a threat was found or not.
Do not perform scheduled scans when on battery power: Helps conserve battery power. If you want SecureAnywhere to laun
65. cate the threat in the row and click the View link in the Blocked Programs column.
3. If desired, you can show or hide additional data about the recently infected endpoints in the bottom panel. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26.
4. For more details about threats and further options, you can generate the Endpoints with Threats on Last Scan report. From this report, you can change the endpoint's policy, run a scan, create an override for a file, or restore a file from quarantine. See Generating the Endpoints with Threats on Last Scan report on page 143.
Viewing an agent version overview
The Agent Version Spread pie chart on the Status tab shows a high-level overview of the SecureAnywhere versions installed on endpoints. An agent is the SecureAnywhere software running on the endpoint.
To view the Agent Version Spread pie chart:
1. Make sure the Status tab is selected. The Agent Version Spread chart is located on the right.
2. To see more details, move your cursor over sections of the pie chart.
3. For more details, see Genera
66. 148
Generating the Threat History Daily report 152
Chapter 8: Managing Alerts 155
Implementing alerts 156
Creating a distribution list 157
Creating customized alerts 158
Viewing your defined alert messages 162
Suspending or deleting alerts 164
Chapter 9: Using Overrides 165
Implementing overrides 166
Applying overrides from the Overrides tab 167
Applying overrides to files from groups 170
Applying overrides to files from reports 172
Viewing overrides 174
Deleting overrides 176
Exporting
67. ch scheduled scans when the endpoint is on battery power, deselect this option.
Scan Schedule settings
Do not perform scheduled scans when a full screen application or game is open: Ignores scheduled scans when the user is viewing a full-screen application, such as a movie or a game. Deselect this option if you want scheduled scans to run anyway.
Randomize the time of scheduled scans up to one hour for distributed scanning: Determines the best time for scanning, based on available system resources, and runs the scan within an hour of the scheduled time. If you want to force the scan to run at the scheduled time, deselect this option.
Perform a scheduled Quick Scan instead of a Deep Scan: Runs a quick scan of memory. We recommend that you keep this option deselected, so that deep scans run for all types of malware in all locations.
Scan Settings
Scan settings give advanced control over scanning performance.
Settings listed in this table: Enable Realtime Master Boot Record (MBR) Scanning; Enable Enhanced Rootkit Detection; Enable right-click scanning in Windows Explorer; Update the currently scanned folder immediately as scanned.
Enable Realtime Master Boot Record (MBR) Scanning: Protects the endpoint against master boot record (MBR) infections. An MBR infection can modify core areas of the system so that they load before the operating system and can infect the computer. We recommend that you keep this option selected. It
68. commands the user can issue to the endpoints.
• Alerts: Allow this user to create and edit warning messages.
To set user permissions:
1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Manage Users.
2. Locate the row for the user you want to edit, then click that user's edit icon. The edit icon is at the far right. The User Details panel opens.
3. Click the Access & Permissions tab to see the list of Endpoint Protection functions and their associated access permissions.
[Screenshot: Access & Permissions tab, listing console access for SecureAnywhere Console and Endpoint Protection Console, and permissions for Groups, Policies, and Alerts]
4. Assign access permissions for this user, as described in the following table. When you're done, click Save Access & Permissions.
69. ct a group that includes the desired endpoint.
3. From the Endpoints panel on the right, select the endpoint.
4. In the Policy column of the selected endpoint, double-click the policy name to open a drop-down of available policies.
5. Select the policy and press Enter. You will see the new policy name in the column with a red flag at the upper left corner. This indicates that your changes are in a draft stage and you can still select Undo Changes to revert back to the previous settings. If desired, you can continue making other changes in this panel until you are ready to save the changes.
6. To apply the change, click Save Changes. The red flag is then removed from the row.
Moving endpoints to another group
You can move endpoints into a different group, as described in this section. You can move individual endpoints or an entire group of endpoints.
To move endpoi
70. ction is quarantining a file that you want to allow, you can set an override that ignores the file during scans.
To change how a file is detected and managed, you can apply one of the following overrides:
• Good: Always allow the file to run on the endpoint. Do not detect the file during scans or send it to quarantine.
• Bad: Always send the file to quarantine when detected during scans.
You can add overrides from several locations:
• From the Overrides tab, you can create either a Good or Bad override for any type of file. To do this, you must first scan the endpoint, save its scan log, and locate the MD5 value of the file. MD5 (Message-Digest algorithm 5) is a cryptographic hash function that produces a 128-bit value, which acts like a fingerprint to uniquely identify a file. For more information, see Applying overrides from the Overrides tab on page 167.
• From the Group Management tab, you can search for endpoints where threats were detected and quickly apply overrides. The MD5 value is already identified for the file. For more information, see Applying overrides to files from groups on page 170.
• From the Reports tab, you can search for endpoints where threats were detected in certain reports and quickly apply overrides. The MD5 value is already identified for the file. For more information, see Applying overrides to files from reports on page 172.
An override can have different settings at the global level and at the policy
71. d 12 Instance MID 28 189 Index K keycode adding to your account 42 changing from endpoint 59 changing temporarily 66 entering during deployment 50 hiding from endpoint user 96 using agent command to change 66 Keycode commands 66 L language codes for installation 56 language codes in portal 27 language changing for portal 19 license renewing 47 Live column in policy settings 93 Lock endpoint 67 Log off command 67 login after configuration 19 first time login after account creation 12 logs Change Log 180 Command Log 182 erasing on endpoint 66 M Malware Group 28 malware reports 132 Manage Keycodes 42 Manage Users 33 Management Portal adding users for 33 alerts in 82 charts in 21 collapsing panels in 23 logging in 19 Endpoint Protection Administrator Guide removing endpoints from 73 setting access permissions 38 MDS value locating and saving 167 shown in tables 28 MSI using for installation 57 O operating systems migrating to new 75 supported versions for endpoints 8 overrides applying the Good designation 167 assigning permissions for creating 41 creating from Group Management 170 creating from Reports 172 creating from Scan History panel 71 deleting 176 exporting to spreadsheet 177 implementation overview 166 locating and entering MD5 values 167 testing 67 viewing all overrides 174 P password for account changing 30 33 defined during registration 10 forgotten p
72. d prompts you to block or allow the item. If it detects a known threat, it immediately blocks and quarantines the item before it causes damage to the endpoint or steals its information.
Realtime shield settings
Realtime Shield Enabled: Turns the Realtime shield on and off.
Enable Predictive Offline Protection from the central Webroot database: Downloads a small threat definition file to your managed endpoints, protecting them even when they are offline. We recommend that you leave this setting on.
Remember actions on blocked files: Remembers how the user responded to an alert (allowed a file or blocked it) and will not prompt again when it encounters the same file. If this setting is deselected, SecureAnywhere opens an alert every time it encounters the file in the future.
Automatically quarantine previously blocked files: Opens an alert when it encounters a threat and allows the user to block it and send it to quarantine. If this setting is off, the user must run a scan manually to remove a threat.
Automatically block files when detected on execution: Blocks threats and sends them to quarantine. If this setting is off, the user must respond to alerts about detected threats.
Scan files when written or modified: Scans any new or modified files that are saved to disk. If this setting is off, it ignores new file installations; however, it still alerts the
73. detects all untrusted programs that have been created or modified fairly recently. Use this setting only if your managed endpoints are in a high-risk situation or if you think that they are currently infected.
Popularity Heuristics levels:
• Low: Detects programs that are seen for the first time. This setting is recommended if new or beta programs are frequently installed on your managed endpoints, or if endpoint users are software developers who frequently create new programs.
• Medium: Detects unpopular and mutating programs, preventing zero-day and zero-hour attacks. We recommend using this setting if you do not allow new programs to be installed frequently on your managed endpoints and you want extra security over standard settings.
• High: Detects programs that a significant percentage of the community has seen. This setting is recommended if you do not allow new programs on your managed endpoints and you suspect that they are currently infected.
• Maximum: Detects programs that a large percentage of the community has seen. We recommend this setting if you think your managed endpoints are at very high risk and you accept that you might receive false detections because of the strict heuristic rules.
Realtime Shield
The Realtime shield blocks known threats that are listed in Webroot's threat definitions and community database. If the shield detects a suspicious file, it opens an alert an
74. done, click Save.
6. If you want to test the file's detection, you can send the endpoint a Reverify all files and processes command; see Issuing commands to endpoints on page 63.
Viewing overrides
After you add overrides to Endpoint Protection, you can view them in the Overrides tab. Select a policy from the left panel to narrow the results shown on the right. Your selected overrides appear under the Manual Determination column.
If desired, you can show or hide additional data about the overrides. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove.
The columns provide the following data.
Columns in the Overrides tab:
• MD5: The Message Digest algorithm 5 value, which acts like a fingerprint to uniquely identify a file.
• Command Filename: The name of the Windows file a
75. dpoints within the selected group by clicking the Hostname checkbox at the top of the list (first column).
6. Click Move endpoints to another group from the command bar.
7. When the Move dialog opens, click the drop-down arrow to display the list of groups. Select your new group from the drop-down field and click Save.
8. You can then apply policies to the entire group or to individual endpoints, as described in Applying a policy to endpoint groups on page 124.
Applying a policy to endpoint groups
All endpoints are first assigned to your default policy. If you want to change the policy assignment, you must first define a new policy (see Implementing policies on page 88), then follow the instructions below to apply that policy to a group.
Applying a policy to a group
From the Group Management tab, you can apply a policy to multiple endpoints.
To apply a policy to a group of endpoints:
1. Click the Group Management tab.
2. From the Groups panel on the left, select a group that includes the desired endpoints.
76. e To delete a group:
1. Click the Group Management tab.
2. Select the group from the left panel.
3. Click Delete from the command bar.
4. Click Yes at the prompt. If endpoints are assigned to this group, another dialog asks you to select a group where you want the endpoints moved.
5. Select the target group, then click Save.
Renaming groups
In the Group Management tab, you can easily rename a group in the list. The endpoints remain in that renamed group; you do not need to move them.
To rename a group:
1. Click the Group Management tab.
2. Select the group from the left panel.
3. Click Rename from the command bar. The Rename Group dialog opens.
4. Enter a new name and description, then click Rename Group.
Chapter 7 Viewing Reports
To generate reports, see the following topics:
• Generating Endpoint Protection reports
• Generating the Agent Version Spread report
• Generating the Agents Installed report
• Generating the All Threats Seen report
• Generating the All Undetermined Software Seen re
77. e The following example shows the MD5 value for a file named csrss.exe.
4. Copy the value so you can paste it into the Management Portal.
To add an MD5 override from the Overrides tab:
1. R
78. e Anywhere reports into the Management Portal.
5. After the endpoint finishes a scan, log in to the SecureAnywhere website again and see its status. When you click Go to Endpoint Protection, the Management Portal opens; you won't see the Setup Wizard again. See Using the Management Portal on page 19.
Using the Management Portal
The Management Portal is a central website that administrators can use to view and manage network status. The administrator who first created the Webroot account has access to all functions in the portal (see Creating a Webroot account on page 9). If desired, the administrator can create additional users with full or limited access (see Managing portal users on page 33).
To log in to the Management Portal:
1. Go to the SecureAnywhere website: https://my.webrootanywhere.com
2. In the Log in panel, enter the email address and password you specified when you created an account. Click Log in.
3. In the Confirm Logon panel, enter the requested characters of your security
79. 4. In the Rename Policy dialog, enter a new name and a description for the policy.
5. Click Rename Policy.
Exporting policy settings to a spreadsheet
You can export all policy information to a spreadsheet, which is convenient if you want to review policy settings with IT colleagues.
To export a policy:
1. Click the Policies tab.
2. From the Policy Name column, select the desired policy.
3. Click Export to CSV from the command bar.
4. From the prompt, save the policy to a CSV file. Endpoint Protection saves it to a file with the policy name and a CSV extension. For example, if the policy is named Policy 1, the file is saved to Policy1.csv.
Deleting policies
You can delete all policies except for the original default policies. When you delete a policy, Endpoint Protection removes it from the list of active policies and moves it to a Deleted Policies list, so it is still accessible to the report logs.
To delete a policy:
1. Click the Policies tab.
2. From the Policy Name column, select the desired policy and click Delete from the command bar.
80. e files that SecureAnywhere classified as Undetermined, you can generate the All Undetermined Software Seen report.
The All Undetermined Software Seen report shows all undetermined software, typically executable files, that SecureAnywhere cannot classify as either safe or as malware. This report lists items by filename, along with when and where SecureAnywhere detected them. This report might show duplicate entries if the undetermined software was detected multiple times or in multiple places. You can also use this report to create overrides and tag files as either Good or Bad, so SecureAnywhere knows how you want to classify them in the future.
From the report, you can modify the report data as follows:
• View all undetermined software within a selected policy or group, which is helpful if you need to narrow search results to a specific set of endpoints.
• Drill down to see the files detected within a date range, which is helpful if you want to narrow the search results to a specific time period.
To generate the All Undetermined Software Seen report:
1. Click the Reports tab.
2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select All Undetermined Software Seen.
4. If desired, select a specific policy and group. Otherwise, the report data shows all policies and groups, and may take a long time to generate, depending on your environment.
5. Optionally, you can click the Select time period checkb
81. edge. Spyware may get bundled with freeware, shareware, or email attachments. You can also accidentally install spyware by clicking on dialog boxes in websites. Once installed, spyware can send information about your online activities to a third party for malicious purposes.
Trojan Horse: A program that takes control of your computer files, allowing a hacker to install, execute, open, or close programs. A Trojan is usually disguised as a harmless software program. It may also be distributed as an email attachment. When you open the program or attachment, the Trojan can launch an auto-installation process that downloads third-party programs onto your computer.
Undetermined software: A file that may appear legitimate, but also exhibits questionable behavior. In these cases, SecureAnywhere classifies the file as Undetermined.
virus: A self-replicating program that can infect computer code, documents, or applications. While some viruses are purposefully malignant, others are more of a nuisance, replicating uncontrollably and inhibiting system performance.
VM: Virtual machine.
zero-hour virus: New viruses that do not yet have recorded definitions.
82. elect the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26.
Generating the Threat History Daily report
To view a summary of threats detected on a daily basis, you can generate the Threat History Daily report. This report shows each day where SecureAnywhere found threats on endpoints.
You can modify the report data as follows:
• View daily threats within a selected policy or group, which is helpful if you need to narrow search results to a specific set of endpoints.
• Drill down to see the threats detected within a date range, which is helpful if you want to narrow the search results to a specific time period.
To generate the Threat History Daily report:
1. Click the Reports tab.
2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select Threat History Daily.
4. If desired, select a specific policy or group. Otherwise, the report data shows all policies and groups, and may take a long time to generate, depending on your environment.
5. In the bottom two fields, enter a start and end date for the report data.
6. Click Submit. The report opens in the right panel.
83. em Cleaner settings:
• Default logon user history: Deletes the Windows registry entry that stores the last name used to log on to your computer. When the registry entry is deleted, end users must enter their user names each time they turn on or restart the computer. This cleanup option does not affect computers that use the default Welcome screen.
• Memory dump files: Deletes the memory dump file (memory.dmp) that Windows creates with certain Windows errors. The file contains information about what happened when the error occurred.
• CD burning storage folder: Deletes the Windows project files created when the Windows built-in function is used to copy files to a CD. These project files are typically stored in one of the following directories: C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\CD Burning or C:\Users\username\AppData\Local\Microsoft\Windows\Burn\Burn
• Flash cookies: Deletes bits of data created by Adobe Flash, which can be a privacy concern because they track user preferences. Flash cookies are not actually cookies, and are not controlled through the cookie privacy controls in a browser.
Internet Explorer settings (Address bar history, Temporary Internet Files):
• Address bar history: Removes the list of recently visited websites, which is stored as part of Internet Explorer's AutoComplete feature. You see this list when you click the arrow on the right side of the Address drop-down list at the top of the I
84. ently detected an infection. Hostname: hostname. Group Name: groupname. Policy Name: policyname. Keycode: keycode. Infection List: infectionlist, filename, malwaregroup, pathname.
The wizard also provides data inputs within the text, which are variables you can use for automatically inserting such information as the hostname of the endpoint. Some data inputs are already displayed for you in the sample text. Data inputs are shown in brackets.
6. To add your own data inputs, click inside the text where you want a variable to appear, then click the drop-down arrow for one of the Data Inputs buttons. There is one button for the subject head and one for the body.
7. Select from the data inputs, which are all described below.
Note: Depending on the type of alert message you are defining, only the applicable data inputs appear in the drop-down menu.
• Agent Version: The version number of the SecureAnywhere software installed on the endpoint triggering the alert.
• MAC Address: The Media Access Control address (MAC address) on the network where the endpoint triggering the alert is installed.
• Workgroup: The netw
85. To re-open the panel, click the Collapse button again.
Exporting data to a spreadsheet
When you see a spreadsheet icon, you can click that icon to export the displayed data into a spreadsheet.
Opening video tutorials
When you see a television icon, you can click that icon to view a video that describes a procedure related to the panel.
Opening the Help files
When you see a Question mark icon, you can click that icon to open Help for the current panel. You can also go to http://www.webroot.com/En_US/SecureAnywhere/SME/EndpointProtection.htm
Accessing product information
Webroot's threat blog, guides, video
87. Chapter 1 Getting Started
Preparing for setup
Before you begin, review the configuration steps in this section and make sure your environment meets the system requirements.
Overview of configuration steps:
1. Create an account using your keycode. You should have received the keycode in an email from Webroot. See Creating a Webroot account on page 9.
2. Log in to the Management Portal and open the Setup Wizard. In the wizard, you must select a default policy for SecureAnywhere installations on endpoints. An endpoint can be any Windows corporate workstation, such as a PC, laptop, server, or virtual server. A policy defines the SecureAnywhere settings, including how the program scans for threats and manages detected items. After you select a policy, a Welcome panel opens and provides information about how to deploy SecureAnywhere to endpoints. See Logging in and using the Setup Wizard on page 12.
3. (Optional) Edit your account settings for the Managemen
89. esults page, then displays an image next to each link that signifies whether it's a trusted site (green checkmark) or a potential risk (red X).
Web Threat shield settings:
• Web Threat Shield Enabled: Turns the Web Threat shield on and off.
• Analyze search engine results and identify malicious websites before visitation: Analyzes search engine results. SecureAnywhere analyzes all links displayed on the search results page by running the URLs through its malware-identification engine. It then displays an image next to each link that signifies if the site is safe (green checkmark) or a potential risk (red X).
• Enable deep content analysis: Analyzes all data traffic on your managed endpoints as users visit websites. If threats try to install, it blocks the threat's activity.
• Look for malware on websites before visitation: Analyzes URLs in a browser's address bar and links to sites. If the site is associated with malware, it blocks it from loading in your browser.
• Look for exploits in website content before visitation: Looks for cross-site scripting attacks that might try to redirect users to a different website.
• Suppress the user's ability to make local Web Threat Shield overrides: Prevents the endpoint user from overriding the Web Threat Shield settings. If disabled, endpoint users can create overrides when they are blocked from accessing a website.
Identity Shield
The Identity shield
90. eturn to Endpoint Protection and click the Overrides tab.
2. Click Create from the command bar.
4. Open the Determination drop-down menu by clicking the arrow to the right of the field. Select one of the following:
• Good: Always allow the file to run.
• Bad: Always send the file to quarantine.
5. You can apply this override globally or to an individual policy, as follows:
• To apply the override to all policies, keep the Apply the override globally checkbox selected.
• To select an individual policy for the override, deselect the checkbox. When the Policy field appears, click the drop-down arrow to the right of the field and select a policy.
6. When you're done, click Save.
7. If you want to test how SecureAnywhere will detect the file, you can send the endpoint a Reverify all files and processes command; see Issuing commands to endpoints on page 63.
Applying overrides to files from groups
From a group level, you can apply
91. Files popup when a new file is scanned on execution: ever the user runs a program for the first time. Leave this option deselected if you do not want users to see this dialog.
• Scan archived files: Scans compressed files in zip, rar, cab, and 7-zip archives.
• Automatically reboot during cleanup without prompting: Restarts the computer after running a clean-up, which is the process of removing all traces of a malware file.
• Never reboot during malware cleanup: Prevents the endpoint from restarting during cleanup, which is the process of removing all traces of a malware file.
• Automatically remove threats found during background scans: Removes threats during scans that run in the endpoint's background and sends them to quarantine.
• Automatically remove threats found on the learning scan: Removes threats during the first scan on the endpoint and sends them to quarantine.
• Enable Enhanced Support: Allows logs to be sent to Webroot customer support.
• Show Infected Scan Results: Shows scan results. If not enabled, the endpoint does not show scan results, even if malware is detected.
Self Protection
Self Protection prevents malicious software from modifying the SecureAnywhere program settings and processes. If SecureAnywhere detects that another product is attempting to interfere with its functions, it launches a protective scan to look for threats. It will also update the internal self-protection status to prevent incompatibilities with other software
92. ey can install the software by clicking on the link provided in the email template.
• Rename the executable file using your keycode. This method is useful if you plan to use your own deployment tool and if you prefer not to use MSI commands to run the installation in the background.
• Use additional commands with the executable file to deploy it in the background.
• Use command-line options with the installer to deploy to endpoints that are behind a proxy server.
To use the SecureAnywhere installer:
1. On the endpoint, download the SecureAnywhere installer file. The installer file is available from the Resources tab or by clicking this link: http://anywhere.webrootcloudav.com/zerol/wsasme.exe
2. In the installation panel, enter the keycode. Your keycode is shown in the Resources tab.
3. Optionally, you can click Change installation options at the bottom of the installation panel and set these options:
• Create a shortcut to SecureAnywhere on the desktop. This option places a shortcut icon on the Windows Desktop for SecureAnywhere.
• Randomize the installed filename to bypass certain infections. This option changes the Webroot installation filename to a random name (for example, QrXC251G.exe), which prevents malware from detecting and blocking Webroot's installation file.
• Protect the SecureAnywhere files processes and memory from
93. ful if you want to preconfigure overrides before applying a stricter policy that will automatically remediate detected items. For more information about overrides, see Applying overrides from the Overrides tab on page 167.
• Unmanaged: Provides our recommended security, while also allowing users to change their own SecureAnywhere settings on their endpoints. Unmanaged endpoints still report into the Management Portal and show scan results. Administrators can also send them commands, but cannot change the policy settings.
To select a default policy:
1. Open the drop-down menu and select one of the policies: Recommended Defaults, Recommended Server Defaults, Silent Audit, or Unmanaged.
2. Click Submit. The Endpoint Protection status page opens, showing a Welcome panel on the top, deployment options on the bottom, and Support resources on the right. Continue with the next section to select a deployment method.
Selecting a deployment method and performing a test install
The Welcome panel describes methods of deploying the SecureAnywhere program to endpoints.
• If you have a small network (less than 100 endpoints), you may want to use the quick method described in the How to get started panel. Follow the instructions provided.
• If you have a large network and use Active Directory, we recommend that you click Deploying Webroot SecureAnywhere
94. The columns provide the data described in the following table.
Columns in the Alerts panel:
• Alert Name
• Alert Type
• Distribution List: The email recipients for this alert.
• Date Created: The date the alert message was defined.
• Created By: The administrator who created the alert message.
• Date Edited: The date, if any, that the alert message was modified.
• Edited By: The administrator who modified the alert message, if applicable.
• Status: The alert status, which is either Active or Suspended.
Suspending or deleting alerts
After customizing alert messages for a distribution list, you may decide later that an alert is no longer necessary. You can permanently delete an alert or, if you think it might be useful again sometime in the future, you can temporarily suspend it instead.
To suspend or delete an alert:
1. Click the Alerts tab.
2. Select an alert from the left panel.
3. Click Delete or Suspend from the command row.
If you selected Suspend, the alert is
95. g data to a spreadsheet
Opening video tutorials
Opening the Help files
Accessing product information
Sorting data in tables and reports
Chapter 2 Managing User Accounts
• Editing your own account settings
• Managing portal users
• Creating new portal users
• Editing user information
• Setting permissions for portal users
• Adding keycodes to your account
• Adding consoles to your account
• Adding a console
• Renaming a console
• Switching consoles
• Renewing or upgrading your account
Chapter 3 Managing Endpoints
96. g in the Management Portal prompts you to enter two random characters of this code. For example, if your code is 123456 and it prompts you for the fourth and sixth character, you would enter 4 and 6. Your Personal Security Code is case sensitive.
• Security Question: Choose a question from the drop-down list. If you forget details of your login later, you will need to provide the answer to this question to retrieve the information.
• Security Answer: Type an answer to your security question. The Security Answer is case sensitive.
4. Click Register Now. Endpoint Protection verifies the keycode you entered and then displays a License Agreement at the bottom of the panel.
5. Click the link to read the agreement. When you're done, click the checkbox to accept the agreement and click Register Now again. Webroot sends a confirmation message to the email address you specified.
6. Open your email application and click the link
97. g time to generate, depending on your environment.
   5. In the bottom two fields, enter a start and end date for the report data.
   6. Click Submit.
[Figure: Select your report panel with Report Type set to Agents Installed.]
The report opens in the right panel, as shown in the following example.
[Figure: Agents Installed report.]
   7. To view the endpoints where SecureAnywhere was installed on a specific date, click a bar to see details. The bottom panel displays data about each endpoint.
[Figure: Agents installed on Apr 8th, with columns Hostname, Policy, Group, Status, First Seen, Last Seen and Agent Version.]
   8. If desired, you can show or hide additional data for the report. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26.
Generating the All Threats Seen report
To locate and manage detected threats, you can generate
98. [Figure: policy dialog with the options Move all endpoints on this policy to another policy and View all endpoints using this policy.]
   4. In the dialog, click the drop-down arrow to open a list of policies. Select the policy and click Save.
   5. Check the Policies list to make sure the new endpoints are shown under the new assignment.
Chapter 6 Managing Groups
To manage groups and the endpoints within each group, see the following topics:
Organizing endpoints into groups 120
Adding a new group 122
Applying a policy to endpoint groups 124
Applying a policy to a group 124
Applying a policy to a single endpoint 125
Moving endpoints to another group 127
Deleting groups 128
Renaming groups 129
Organizing endpoints into groups
When you install SecureAnywhere on endpoints, those endpoints are automatically assigned to your default policy and to the Default group. A group is a collection of endpoints, which helps you organize your devices
99. grayed out in the panel, with Suspended in the Status column. Later, you can select the alert again and click Resume. If you selected Delete, click Yes in the prompt. The alert is permanently removed from Endpoint Protection.
Chapter 9 Using Overrides
To use overrides, see the following topics:
Implementing overrides 166
Applying overrides from the Overrides tab 167
Applying overrides to files from groups 170
Applying overrides to files from reports 172
Viewing overrides 174
Deleting overrides 176
Exporting overrides to a spreadsheet 177
Implementing overrides
Overrides provide administrative control of the files and applications in your environment, allowing you to designate files as Good (always run) or Bad (always quarantine). For example:
• You may decide to quarantine legitimate files for certain business purposes. For example, if you don't allow users to make Skype voice calls during business hours, you can set an override that always sends the Skype executable file to quarantine when detected during scans.
• Conversely, if Endpoint Prote
100. ground installation by renaming the executable file
You can deploy SecureAnywhere by renaming the executable file with the keycode. This method is useful if you plan to use your own deployment tool and if you prefer not to use MSI commands to run the installation in the background. You can also use the email template described above, which is preconfigured to include a renamed installer file with your keycode.
   1. On the endpoint, download the SecureAnywhere installer file: http://anywhere.webrootcloudav.com/zerol/wsasme.exe
   2. Rename the installer file by replacing wsasme with your keycode. The resulting file name will have this format: XXXX-XXXX-XXXX-XXXX-XXXX.exe
   3. Install the SecureAnywhere software on your endpoints, using your own deployment tool.
To run a background installation from a command line:
   1. On the endpoint, download the SecureAnywhere installer file: http://anywhere.webrootcloudav.com/zerol/wsasme.exe
   2. Run the installer from a command line, using any of the command options listed in the following table. More options are available; contact Webroot Business Support for more information.
Command line options
/key=keycode: Installs with the provided keycode, with or without hyphens. For example: wsasme.exe /key=xxxx-xxxx-xxxx-xxxx-xxxx
Installs in the background.
Installs without starting SecureAnywhere.
Command line options
/lockautouninstall=password
/autouninstall=password
exeshowaddre
101. [Figure: Policies list showing each policy with its description, including Silent Audit (Security Audit with detection only) and Unmanaged (This policy is for all PCs that are user managed).]
   2. To add a new policy, see Creating policies on page 90. Tip: We suggest you determine policy names and settings first, to make the process easier.
   3. Once you create new policies, you can assign them to endpoints in the Group Management tab. See Applying a policy to endpoint groups on page 124.
Selecting a new default policy
Whenever you install SecureAnywhere on new endpoints, Endpoint Protection assigns them to your default policy. If desired, you can set a different default policy for any endpoints that you install in the future.
To select a new default policy:
   1. Click the Policies tab. A list of policies appears in the bottom panel. A gray arrow indicates the current default policy on the far left, as shown in the following example.
   2. In the Policy Name column, click on the policy you want to use as the new default. Once highlighted, Set as Default activates in the command bar.
[Figure: Policies tab with the Policy Name and Policy Description columns.]
   3. Click Set as Default from the com
102. he Endpoints with Undetermined Software on Last Scan report
   1. Click the Reports tab.
   2. In the Report Type field, click the drop-down arrow to display a list of reports.
   3. Select Endpoint with undetermined software on last scan, then click Submit.
[Figure: Select your report panel with Report Type set to Endpoints with undetermined software on last scan.]
The report opens in the right panel, showing all the endpoints.
[Figure: Endpoints with undetermined software on last scan report, with columns Hostname, Agent Version and OS.]
   4. To view more details about the undetermined software found, click an endpoint's row to see details in the bottom, as shown in the following example.
[Figure: All undetermined software seen on this endpoint panel, with the Create override command.]
   5. From this panel you can select a file and click Create over
103. her the program icon appears in the endpoint's system tray and whether the user can shut down the program.
Scan schedule settings: Settings that allow you to run scans at different times, change the scanning behavior, or turn off automatic scanning. If you do not modify the scan schedule, SecureAnywhere launches scans automatically every day, at about the same time you installed the software.
Scan settings: Settings that provide more control over scans, such as performing a more thorough scan.
Self protection settings: Additional protection that prevents malicious software from modifying the SecureAnywhere program settings and processes on the endpoint. If SecureAnywhere detects another product attempting to interfere with its functions, it launches a protective scan to look for threats.
Realtime shield settings: Settings that block known threats listed in Webroot's threat definitions and in Webroot's community database.
Behavior shield settings: Settings that analyze the applications and processes running on the endpoints.
Core shield settings: Settings that monitor the computer system structures to ensure that malware has not tampered with them.
Heuristics: Threat analysis that SecureAnywhere performs when scanning endpoints. Heuristics can be adjusted for separate areas of the endpoints, including the local drive, USB drives, the Internet, the network, CD/DVDs, and when the endpoint is offline.
104. hield on and off.
Assess system modifications before they are allowed to take place: Intercepts any activity that attempts to make system changes on your managed endpoints, such as a new service installation.
Detect and repair broken system components: Locates corrupted components, such as a broken Layered Service Provider (LSP) chain or a virus-infected file, then restores the component or file to its original state.
Prevent untrusted programs from modifying kernel memory: Stops unclassified programs from changing the kernel memory.
Core System shield settings
Prevent untrusted programs from modifying system processes: Stops unclassified programs from changing system processes.
Verify the integrity of the LSP chain and other system structures: Monitors the Layered Service Provider (LSP) chain and other system structures to make sure malware does not corrupt them.
Prevent any program from modifying the HOSTS file: Stops spyware from attempting to add or change the IP address for a website in the Hosts file, and opens an alert for the user to block or allow the changes.
Web Threat Shield
The Web Threat shield protects your endpoints as users surf the Internet. If it detects a website that might be a threat, it opens an alert for users to block the site or continue despite the warning. When they use a search engine, this shield analyzes all the links on the search r
105. ifies your Endpoint Protection license.
   2. Download the SecureAnywhere installer file by clicking the Download link.
[Figure: How to get started panel, listing your available keycodes and downloads.]
   3. From the endpoint, run the installer file. When the following Installation panel appears, enter your Endpoint Protection keycode and click Agree and Install.
[Figure: SecureAnywhere Installation panel with the keycode field.]
Alternatively, you can send a test email to an end user, who will install SecureAnywhere. To do this, click the Email template link from the Welcome panel or Resources tab, and then cut and paste the text into an email message. The link automatically adds the correct keycode for the user. Next, the user clicks the link to begin installation. The program installs silently in the background, with the correct keycode already entered. When it's done, a Webroot icon appears in the endpoint's system tray.
   4. Wait for SecureAnywhere to finish its first scan. This should only take a few minutes. When it's done, Secur
106. [Figure: scan history table showing the scan start time, status (Clean or Threats detected) and Windows version for each scan.]
   4. If desired, you can show or hide additional data about the endpoint and the scan history. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26.
Restoring a file from quarantine
You can restore a file from quarantine from the Scan History panel, as described below, or from the All Threats Seen report (see Generating the All Threats Seen report on page 139). The file is automatically returned to its original location on the endpoint.
To restore a file:
   1. View the scan history for a particular endpoint, as described previously in this section.
   2. In the Scan History panel, locate the file by either clicking View in the Status column for the date when the threat was detected, or by clicking View all threats seen on this endpoint.
[Figure: Scan history panel with columns Scan Start, Status and Windows Full OS.]
   3. In the dialog that opens, select a file by clicking on its checkbo
107. in the confirmation email message.
   7. When the Confirm Registration page opens, enter the two randomly selected characters of the security code you specified when you created the account. Click Confirm Registration Now.
You can now log in to the Management Portal to begin configuring Endpoint Protection. See Logging in and using the Setup Wizard on page 12.
Logging in and using the Setup Wizard
After you create an account (see Creating a Webroot account on page 9), you can log in to the Management Portal. On your first login, a Setup Wizard opens to help you begin configuration.
Logging in for the first time
   1. Open a browser and go to the SecureAnywhere website: https://my.webrootanywhere.com
Tip: To display a language other than English, click the drop-down arrow in the upper right corner of the page, select a language, then click Go. Be aware that to enable languages that use double-byte character sets, you must have the appropriate language pack installed on your computer.
In the Log in panel, enter the email address and password you specified when you created an account. Click Log in.
Tip: If you forget your password or security code, click the Can't log in link, then click I forgot my password or I forgot my security code. Endpoint Protection prompts you to enter your email address and sends you an email message containing a link for resetting your password or security code.
108. into its former group.
Managing endpoint upgrades and other changes
This section describes some special circumstances you may encounter when you change hardware and operating systems on endpoints.
Migrating to a new operating system
If you install a new operating system on an endpoint, the change will create duplicate endpoint entries in the Management Portal. Before you install a new operating system, you should deactivate the endpoint. See Deactivating endpoints on page 73. If you have already performed the OS installation, you can simply deactivate the oldest entry in the Management Portal. The extra license is then removed and the duplicate endpoint is placed in the Deactivated Endpoints group.
Changing hardware on an endpoint
If you install a new hard drive in an endpoint and reinstall SecureAnywhere on it, it will appear as a new entry in the Management Portal. Before you switch out a hard drive, you should first deactivate the endpoint from the Management Portal so you do not use an extra license. See Deactivating endpoints on page 73. If you change other types of hardware on an endpoint (for example, you install a new motherboard, processor, or network adaptor), that upgraded computer will not appear as a new entry in the Management Portal. You do not need to deactivate the endpoint first.
Moving endpoints to a new subnet
If you move endpoints to a new subnet, make sure the same commu
109. ints on page 63, or by activating a new keycode directly from the endpoint, as described below.
To change a keycode on an endpoint:
   1. From the endpoint, open SecureAnywhere by double-clicking the Webroot icon in the system tray.
   2. Click the My Account tab.
   3. Click Activate a new keycode, as shown in the following example.
[Figure: SecureAnywhere My Account tab showing the subscription status.]
   4. In the dialog, enter your Endpoint Protection keycode and click the Activate button. When you enter a new keycode, SecureAnywhere launches a scan. If it does not launch a scan automatically, go to the PC Security tab, then click Scan My Computer. When the scan completes, SecureAnywhere reports into the Management Portal.
   5. Return to the Management Portal and look for the new endpoint in the Default group. If desired, you can reassign the endpoint to another group. See Moving endpoints to another group on page 127.
Renaming endpoints
When you add an endpoint, SecureAnywhere identifies it in the Management Portal by its machine name. You
110. it. When the specified time for the change elapses, the keycode reverts to the original.
Power & User Access commands
Lock endpoint: Lock this endpoint by activating the Windows Login screen. The user must enter a user name and password to log back in.
Log off: Log the user out of the account.
Restart: Restart this endpoint when it reports in.
Reboot in Safe Mode with Networking: Restart this endpoint in Safe Mode with Networking.
Shutdown: Shut down this endpoint when it reports in.
Antimalware Tools commands
Reset desktop wallpaper: Reset the desktop wallpaper to the default settings, which might be necessary if the endpoint was recently infected with malware that changed it. After sending this command, the user must restart the endpoint.
Reset screen saver: Reset the screen saver to the default settings, which might be necessary if the endpoint was recently infected with malware that changed it.
Reset system policies: Reset the Windows system policies, which might be necessary if the endpoint was recently infected with malware that changed such policies as the Task Manager settings. Note: This command resets Windows policies, not Endpoint Protection policies.
Restore file: Restores a quarantined file to its original location, using its MD5 value. For more information about how to locate a file's MD5 value, see Applying overrides from the Overrides tab on page 167.
File & Processes co
111. The registration page opens.
[Figure: Create an account registration page.]
   3. Complete the following information.
Account registration
Webroot Product Keycode: Enter the license keycode you received when you purchased Endpoint Protection.
Email Address: Enter the email address for the administrator who will manage Endpoint Protection. The account activation confirmation is sent to this email address, which is also the username for logging in to the Management Portal.
Password: Enter a minimum of 9 characters. Your password must contain at least 6 alphabetic characters and 3 numeric characters. Your password can be longer than the required 9 characters. It can include special characters, except for the angle brackets < and >. Your password is case sensitive. As you type, the Strength meter shows how secure your password is. For optimum security, it's a good idea to make your password as strong as possible.
Your Personal Security Code: Enter a word or number, which will be used for an extra security step after you enter the password during login. Choose a code that is easy to remember, using a minimum of 6 characters. Every time you lo
112. l make the desired changes to the name and phone numbers. If the user has an Awaiting Confirmation status, this dialog shows an email field at the top. You might want to change the email address if you entered an incorrect address for the user and need to resend the registration.
[Figure: Account Settings dialog with the User Details and Access & Permissions panels.]
   3. If you want to change the settings under Access & Permissions, see Setting permissions for portal users on page 38 for further instructions.
   4. Click Save Details when you're done.
Setting permissions for portal users
If you have Admin permission for Endpoint Protection, you can edit the following permissions for other Management Portal users:
• Site access. Change the level of access between Basic and Admin levels for the SecureAnywhere website (Home panel of my.secureanywhere.com) and the Management Portal of Endpoint Protection.
• Groups. Specify whether the user can create and modify groups of endpoints, deactivate or reactivate endpoints, or assign endpoints to groups.
• Policies. Specify whether the user can create and modify policies, or assign policies to endpoints.
• Overrides. Specify whether the user can make overrides to files, designating them as good or bad.
• Commands. Specify what types of
113. l information that you may not want outside parties to gather. You can manage cookie settings in your browser's security or privacy preferences. You can also remove cookies using SecureAnywhere's System Cleaner.
CSV file: Comma-Separated Values file. A file format that stores tabular data.
G
GPO: Group Policy Object.
H
Hostname: The name of the endpoint, which is displayed in the Management Portal.
K
keycode: Your keycode is the 20-character license that identifies your Webroot account.
keylogger: A system monitor that records keyboard activity. Keyloggers can be used for legitimate purposes, but can also record sensitive information for malicious purposes.
LDAP: Lightweight Directory Access Protocol. A software protocol for enabling anyone to locate resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
LSP: Layered Service Provider.
malware: Malicious software that is designed to destroy or harm your computer system. Malware includes viruses, spyware, adware, and all types of threats.
Management Portal: The centralized website used for Endpoint Protection, where administrators can view and manage endpoints and network status. The portal can be divided into sub-portals, called consoles.
MD5: Message-Digest algorithm 5 is a cryptographic hash function that acts like a fingerprint to uniquely identify a file.
MID: A
114. level. Be aware that Policy settings take precedence over Group settings.
Applying overrides from the Overrides tab
When you add overrides from the Overrides tab, you must first locate the MD5 values of files by running a scan on the endpoint. When SecureAnywhere scans the device, it creates a scan log where it stores the path name, file name, and MD5 value for executables and other types of files that run a process. You need that MD5 value to create the override.
To locate and save MD5 values:
   1. Run a scan on the endpoint to capture MD5 values. You can run the Scan command either from the endpoint itself or by using the Scan command from the Groups tab (see Issuing commands to endpoints on page 63).
   2. On the endpoint (the PC or other device), open SecureAnywhere. Click the System Tools tab, then Reports. In the Scan Log section of the page, click Save as and specify a name and location for the log.
[Figure: SecureAnywhere System Tools tab, Reports page, with the Scan Log section.]
   3. Open the scan log and locate the MD5 value to the right of the filenam
115. list for the following types of events:
Infection Detected: An immediate message sent when an endpoint reports an infection.
Endpoint Installed: An immediate message sent as soon as SecureAnywhere is installed on an endpoint and it reports into the Management Portal.
Infection Summary: A summary message that provides an overview of threats detected on endpoints. The summary can be scheduled for a daily, weekly, or monthly distribution.
Install Summary: A summary message that provides an overview of SecureAnywhere installations. The summary can be scheduled for a daily, weekly, or monthly distribution.
You can use the Create Alert wizard to define the messages and a distribution list, as described below. You can also define a distribution list separately, as described in Creating a distribution list on page 157.
To create a custom alert:
   1. Click the Alerts tab.
   2. In the Alerts panel on the left, click Create from the command bar.
[Figure: Alerts tab with the Alerts and Distribution Lists panels.]
The following dialog opens.
[Figure: Create Alert dialog, Step 1: Give this alert a name and select the alert type.]
In the Alert Type field, click the drop-down arrow to select an alert type. In the Alert Name field, enter a description for this
116. lpful if you need to narrow search results to a specific set of endpoints.
• Drill down to see the threats detected within a date range, which is helpful if you want to narrow the search results to a specific time period.
To generate the Threat History Collated report:
   1. Click the Reports tab.
   2. In the Report Type field, click the drop-down arrow to display a list of reports.
   3. Select Threat History Collated.
   4. If desired, select a specific policy or group. Otherwise, the report data shows all policies and groups, and may take a long time to generate, depending on your environment.
   5. In the bottom two fields, enter a start and end date for the report data.
   6. Click Submit.
[Figure: Select your report panel with Report Type set to Threat History Collated.]
The report opens in the right panel.
[Figure: Threat History Collated report, charting Endpoints with threats and Blocked Programs.]
From this panel, you can click one of the bars to view more details about Endpoints with threats or Blocked Programs. If you click the Blocked Programs bar chart, the bottom panel show
117. m tray menu, then click Open.
[Figure: system tray menu with Open, Help and Support, About, Refresh configuration and Save a Scan Log.]
• If the system tray icon is hidden, open the Windows Start menu, click All Programs (or Programs), Webroot SecureAnywhere, then Webroot SecureAnywhere again.
The Overview panel opens, similar to the following example.
[Figure: SecureAnywhere Overview panel.]
Along the top of the panel, the main interface includes navigation tabs.
Main Interface tabs
Overview: View the system status and manually scan the computer.
PC Security: Run custom scans, change shield settings, and manage
118. machine ID that Webroot uses to identify the hardware and OS of an endpoint.
MSI: Microsoft Installer.
P
phishing: A fraudulent method criminals use to steal personal information. These criminals design websites or email messages that appear to originate from trustworthy sources, such as eBay, PayPal, or even your own bank. Typical scams can trick you into entering your user names, passwords, and credit card information.
policy: A policy defines the SecureAnywhere settings on endpoints, including how the program scans for threats and manages detected items.
portal: A centralized website used to view and manage endpoints and network status. See Management Portal.
R
registry: A database of hardware and software settings about your computer's configuration, such as the types of programs that are installed. Spyware can create entries in the Windows registry, which can ultimately slow down your computer and cause problems in your system.
rootkit: A collection of tools that enables administrator-level access to a computer or network. By using file-obfuscation techniques, rootkits can hide logins, processes, files, and logs, and may include software to capture information from desktops or a network. Spyware developers often use rootkits to avoid detection and removal.
S
seat: A SecureAnywhere installation on an endpoint.
spyware: A program that may either monitor your online activities or install programs without your knowl
119. mand bar.
   4. When prompted, click Yes. The gray arrow moves to that new policy. From now on, this policy is applied to any new SecureAnywhere installations.
Creating policies
You can add policies in one of two ways: either by creating a new policy or by copying an existing policy as a starting point. Each method is described below. Once you have defined a policy name and given it a description, you can then determine the policy settings, as described in Changing policy settings on page 92.
Creating a new policy
You create a new policy by giving it a name and description. Your new policy will pick up the Recommended Default settings as a starting point, but you can change those settings later.
To create a new policy:
   1. Click the Policies tab.
   2. Click Create from the command bar.
   3. In the Create Policy dialog, enter a policy name and description of up to 50 alphanumeric characters, then click Create Policy.
   4. Locate your new policy in the Policy tab. Double-click the policy you just created and modify the settings. See Changing policy settings on page 92.
You can apply a policy to an individual endpoint or to a group of endpoints. See Applying a policy to endpoint groups on page 124.
Copying a policy
If you have a similar policy already defined, you can copy it and rename it. Your new polic
120. You can drill down for more detail in both of these panels:
• If you see an alert message in the top panel, click the link to see more information about the endpoints.
• If any endpoints have not reported into the portal (Not Seen), click the View link in the Endpoint activity panel.
You can see endpoints in the Status tab (home panel) and the Group Management tab. The Group Management tab provides more detailed information; see Organizing endpoints into groups on page 120.
Viewing recent threat status
From the Status tab, you can quickly view endpoints that reported a threat in the past week.
To view endpoints encountering threats in the past week:
   1. Make sure the Status tab is selected. The bar chart at the top shows a daily summary of threats found on endpoints. The table at the bottom of the panel shows more details about the endpoints.
[Figure: Status tab showing Endpoints encountering threats (last 7 days) and Recently infected endpoints (last 7 days), with columns Hostname, Policy, Group and Last Infected.]
   2. To learn more about a threat lo
121. mmands Reverify all files and processes: Re-verify this file's classification when the next scan runs. This command is useful if you have established some overrides and need them to take effect on an endpoint. Consider all items as good: Consider all detected files on this endpoint as safe to run. This command is useful if you find numerous false positives on an endpoint and need to quickly tag them as Good. Allow processes blocked by firewall: Allow communication for all processes that are blocked by the Firewall setting. Stop untrusted processes: Terminate any untrusted processes, which might be necessary if a regular scan did not remove all traces of a malware program. The processes stop immediately, but are not prevented from running again later. Identity Shield commands: Allow application; Deny application; Allow all denied applications; Protect an application; Unprotect an application. Advanced commands: Run Customer Support script; Customer Support Diagnostics; Download and run a file; Run a DOS command; Run a registry command. Allow application: Allow an application to run on the endpoint. To identify the application, you must enter its MD5 value. To determine an MD5 value, see "Applying overrides from the Overrides tab" on page 167. Deny application: Block an application from running on the endpoint. To identify the application, you must enter its MD5 value. To determine an MD5 value, see
122. move group groupname Allows automatic uninstallation of SecureAnywhere using the password you specify. This option is useful if you need to silently uninstall SecureAnywhere later. To uninstall, use the autouninstall command. When you use lockautouninstall, SecureAnywhere is not included in the Add/Remove Programs list in the Control Panel. Use the exeshowaddremove command to include SecureAnywhere in Add/Remove Programs. Corresponds to lockautouninstall. Example: wsasme.exe autouninstall password. By default, SecureAnywhere does not appear in the Add/Remove Programs list in the Control Panel, which prevents the user from removing the software in unmanaged mode. Includes SecureAnywhere in the Control Panel Add/Remove Programs list. Example: wsasme.exe Key XXXX XXXX XXXX XXXX lockautouninstall password exeshowaddremove. Note: Adding SecureAnywhere to Add/Remove Programs enables the endpoint user to remove the software in unmanaged mode. Deploys endpoints directly into a specified group. For example: wsasme.exe key xxxxxxxxx silent group Sales. Note: Does not support spaces or localized characters in the group name. Certain characters like _ or are supported. Other requirements: • The group must already exist in the console. • You can only use this option for new installs on systems that the console has not previously seen. For MSI installs you m
123. n on page 36 4. Select the time zone where this user is located. Click the pencil icon at the right, then type the country, region, or city to open a drop-down menu of choices. 5. Next to Do you wish to give this user Console access, click in the Yes checkbox. Additional fields appear at the bottom, as shown in the following example. In these two fields, you must specify the level of access to give the user for SecureAnywhere or Endpoint Protection. The two types of consoles are described as follows: • SecureAnywhere: The Home page of my.webrootanywhere.com (see the following example). From here, the user can access other Webroot portals, such as the Mobile Protection portal (if your company purchased Mobile Protection).
124. n the email template. Rename the executable file using your keycode. The email template also provides a renamed executable file with the keycode. Use additional commands with the executable file to deploy it in the background. Use command-line options with the installer to deploy to endpoints that are behind a proxy server. Use MSI deployment options: Deploy the SecureAnywhere installer file using the Microsoft Installer (MSI). Use Windows Group Policy Object (GPO): Deploy the SecureAnywhere installer file using GPO (Group Policy Object). You should have experience with Microsoft's Active Directory and the Group Policy Object editor. 3. Deploy SecureAnywhere to the endpoints as described in one of these sections: • "Using the SecureAnywhere installer" on page 52 • "Using MSI for deployment" on page 57 • "Using GPO for deployment" on page 58. 4. Check the Management Portal to make sure the endpoints have reported their status. See "Viewing endpoint status" on page 82. All endpoints are first assigned to your default policy and a default group. You can change those assignments later, if desired. See "Implementing policies" on page 88 and "Applying a policy to endpoint groups" on page 124. Using the SecureAnywhere installer: You can deploy the SecureAnywhere installer file using one of these methods: Install SecureAnywhere on each endpoint. Send emails to end users so th
125. nel opens for the user to enter login information (see the following example). Editing user information: After the user confirms registration, you can return to the Manage Users panel and edit information for that user. You cannot view or edit other users' passwords, security codes, or security questions; only they have access to that information. If the user has not confirmed registration, you will see the user's status as Awaiting Confirmation. The status changes to Activated when the user receives the email and confirms the registration. If desired, you can resend the confirmation email by clicking the envelope icon next to the Awaiting Confirmation status. To edit portal users: 1. Locate the row for the user you want to edit, then click that user's edit icon. The edit icon is at the far right, as shown in the following example. Note: If your account has multiple consoles, you see only users who are associated with the keycodes for the currently active console. For more information about consoles, see "Adding consoles to your account" on page 44. 2. In the User Details pane
126. network with hundreds of endpoints, you might want to create multiple consoles for simplified views of device groups. For example, you can create separate consoles for endpoints in remote offices or endpoints in separate departments. This section describes how to add a console, rename a console, and switch between consoles. Adding a console: Before you create a console, you must first obtain a new keycode and deploy SecureAnywhere to the endpoints with that keycode. When you create the console, it will automatically discover the endpoints that use the new keycode. If you need to migrate existing endpoints from one console to another, you must contact Webroot Business Support for assistance. To add a console to your account: 1. Go to the SecureAnywhere website: https://my.webrootanywhere.com 2. Instead of logging in to your account, click Sign up now. 3. In the first field, enter the new keycode. 4. In the
127. ng on your managed endpoints if the cookies originate from malicious tracking websites. Blocks programs from accessing login credentials (for example, when you type your name and password or when you request a website to remember them). Opens an alert any time malware attempts to access data, instead of blocking known malware automatically. Allows screen capture programs, no matter what content is displayed on the screen. Identity shield settings: Enable Identity Shield compatibility mode: Allows certain applications to run that the Identity shield might block during normal operations. You can enable this option if you notice problems with an application's functions after SecureAnywhere was installed on the endpoint. With this compatibility mode enabled, the endpoint is still protected by the Identity shield's core functionality. Enable keylogging protection in non-Latin systems: Allows endpoints with non-Latin systems, such as Japanese and Chinese, to be protected from keyloggers. Firewall: The Webroot firewall monitors data traffic traveling out of endpoint ports. It looks for untrusted processes that try to connect to the Internet and steal personal information. It works with the Windows firewall, which monitors data traffic coming into your managed endpoints. With both the Webroot and Windows firewall turned on, network data has complete inbound and outbound protection
128. nication lines are open as on the previous subnet. These domains should be allowed through the firewall: webrootcloudav com webrootcloudav com p4 webrootcloudav com compute amazonaws com webroot com webrootanywhere com prevx com. Forcing immediate updates (forced polling): The polling interval determines how often the endpoint sends its status and receives commands (for example, every 15 minutes or every hour). If necessary, you can change the polling interval in Basic Configuration of the group's policy (see "Changing policy settings" on page 92), or you can force an immediate update as described below. To force an update: 1. Go to the endpoint and look for the Webroot icon in the system tray. 2. Right-click on the Webroot icon. 3. Click Refresh configuration. Using SecureAnywhere on the endpoint: On occasion, you may need to access an endpoint to change settings in the SecureAnywhere interface. This might be necessary if you assign an endpoint to the Unmanaged policy, which is not controlled through the Management Portal. To open the SecureAnywhere main interface, go to the endpoint and do one of the following: • Double-click the Webroot shortcut icon on the desktop. • Right-click on the Webroot icon from the syste
129. The following sections describe the areas of the Management Portal, including its tabs, menus, panels, tables, search functions, and export functions. Using the main tabs: The following table describes the Endpoint Protection tabs. Management Portal tabs: Status: A dashboard that shows: • An alert notification panel if endpoints need attention. Click the notification to see a list of endpoints that encountered threats. • A bar chart showing the number of endpoints that encountered threats in the last 7 days. • A pie chart showing the SecureAnywhere versions installed on your endpoints. • An endpoint activity panel showing the number of endpoints reporting into the Management Portal, based on a timeframe you select. If any endpoints have not reported their status recently, you can click the View link next to Not Seen to determine which endpoints are not reporting status. • A panel showing the endpoints with the most recent threats. You can click on a row to view more information and add an override, if desired. • A panel with links to Webroot's threat blog, guides, vide
130. nt to sort data by policy name, you would click the Policy column header. • Change the ascending or descending order. Click at the end of a column header to display the drop-down arrow, then click the arrow to open the menu. Select either Sort Ascending or Sort Descending to change the order of data points in a column. • Show or hide columns. Click at the end of a column header to display the drop-down arrow, then click the arrow to open the menu. Select a box (check) to show a column. Deselect a box (uncheck) to hide a column. The following table describes subject data that may appear in Endpoint Protection tables and reports. The data that appears depends on the type of table or report displayed.
131. • Endpoint Protection: The Management Portal or Admin Console for Endpoint Protection. When users have access to this portal, they will see the Go to Endpoint Protection button and can click it to enter the Management Portal (see the following example). 6. In the SecureAnywhere field, click the drop-down arrow to select either Basic (limited access to consoles and account settings) or Admin (full access to all keycodes, users, and account settings in Webroot portals). 7. In the Endpoint Protection field, click the drop-down arrow to change No Access to either Basic (read-only access to endpoint scans) or Admin (full access to all settings). You can further modify this user's permissions later, as described in "Setting permissions for portal users" on page 38. 8. When you're done, click Create User to send a confirmation email to the new user. The user's email message includes a temporary password for the first login. When the user clicks the confirmation link in the email, the Confirm Registration pa
132. nternet Explorer browser. Deletes all cookies from the endpoint. Be aware that if you remove all cookie files, the end user must re-enter passwords, shopping cart items, and other entries that these cookies stored. Deletes copies of stored web pages that the end user visited recently. This cache improves performance by helping web pages open faster, but can consume a lot of space on the hard drive. URL history: Deletes the History list of recently visited websites of the Internet Explorer toolbar. Setup Log: Deletes log files created during Internet Explorer updates. System Cleaner settings: Microsoft Download Folder: Deletes the contents in the folder that stores files last downloaded using Internet Explorer. MediaPlayer Bar History: Removes the list of audio and video files recently opened with the media player in Internet Explorer. The cleanup does not delete the files themselves. Autocomplete form information: Deletes data that Internet Explorer stores when the end user entered information into fields on websites. This is part of Internet Explorer's AutoComplete feature. Clean index.dat (cleaned on reboot): Marks files in the index.dat file for deletion, then clears those files after the system reboots. The index.dat file is a growing Windows repository of web addresses, search queries, and recently opened files. This option works when you also select one or more of the following options
133. nts the System Cleaner day minute runs on the endpoints. Run on bootup if the system was off at the scheduled time: Launches a missed scheduled cleanup when the endpoint powers on (applicable only if the endpoint was off during a scheduled cleanup). Otherwise, skips the missed cleanup. Enable Windows Explorer right click secure file erasing: Includes an option for permanently erasing a file or folder in Windows Explorer on the endpoint. A menu item appears when the user right-clicks on a file or folder. Windows Desktop: Recycle Bin: Removes all files from the Recycle Bin in Windows Explorer. System Cleaner settings: Recent document history: Clears the history of recently opened files, which is accessible from the Windows Start menu. The cleanup does not delete the actual files. Start Menu click history: Clears the history of shortcuts to programs that end users recently opened using the Start menu. Search history. Start Menu order history. Clears the history of commands recently entered into the Run dialog, which is accessible from the Start menu. Note: After the cleanup, the end user may need to restart the computer to completely remove items from the Run dialog. Clears the history of files or other information that the
134. nts to another group: 1. Click the Group Management tab. 2. From the Groups panel on the left, select the group that contains the endpoints you want to move. Note: For this procedure, you must select a specific group, not All Endpoints. 3. From the Endpoints panel on the right, select one or more endpoints. Tip: You can select all endpoints within the selected group by clicking the Hostname checkbox at the top of the list (first column). 4. Click Move endpoints to another group from the command bar. Note: If the group has more than one page of endpoints, the dialog prompts you to apply the policy either to the endpoints on the current page or to all pages of endpoints. 5. When the Move dialog opens, click the drop-down arrow to display the list of groups. Select the group from the drop-down field and click Save. 6. Click the group you selected from the left panel. Make sure all the endpoints are shown in the Endpoints panel on the right. Deleting groups: In the Group Management tab, you can easily delete a group from the list and move its endpoints to another group. You cannot retrieve a deleted group; however, you can re-use a deleted group nam
135. 3. From the Endpoints panel on the right, select one of the endpoints, as shown in the following example. The Scan History panel opens, showing scan activity and any threats detected on the endpoint. Note: If the pathname where a threat was identified includes a drive letter, the letter is masked with a question mark. For example, you might see a pathname that looks similar to the following: users userl desktop
136. of the malware (for example, Trojan or System Monitor). The Message Digest algorithm 5 value, which acts like a fingerprint to uniquely identify a file. Product: The name of the product associated with the file (if SecureAnywhere can determine that information). Scan Type: The type of scan: Deep Scan, Post Cleanup Scan, or Custom Right Click Scan. Status: The current status of the endpoint: Protected (no infections), Infected (malware detected), Not Seen Recently (has not reported into the portal), Expired (SecureAnywhere license has lapsed), or Infected & Expired. System Pack: The number of the service pack for the operating system. System Type: Either 32-bit or 64-bit. Vendor: The name of the vendor associated with the file (if SecureAnywhere can determine that information). Version: The version of the product associated with the file (if SecureAnywhere can determine that information). Yes, if the endpoint is installed on a virtual machine. Windows Full OS: The name of the Windows operating system. Chapter 2: Managing User Accounts. To manage your Webroot account, see the following topics: Editing your own account settings 30; Managing portal users 33; Creating new portal users 33; Editing user information 36; Setting permissions for portal users 38; Adding keycodes to your accoun
137. oint's My Account panel on screen. Asterisks replace the code, except for the first four digits. Automatically download and apply updates: Downloads product updates automatically without alerting the endpoint user. Operate background functions using fewer CPU resources: Saves CPU resources by running non-scan-related functions in the background. Favor low disk usage over verbose logging (fewer details stored in logs): Saves disk resources by saving only the last four log items. Lower resource usage when intensive applications or games are detected: Suppresses SecureAnywhere functions while the user is gaming, watching videos, or using other intensive applications. Allow Webroot to be shut down manually: Shows a Shutdown command in the endpoint's system tray menu. Deselecting this option removes the Shutdown command from the menu. Force non-critical notifications into the background: Suppresses information-only messages from appearing in the system tray. Fade out warning messages automatically: Closes warning dialogs in the system tray after a few seconds. If you disable this option, the user must manually click on a message to close it. Basic Configuration settings: Store Execution History details: Stores data for the Execution History logs, available under Reports. Poll interval: Specifies how often the endpoint checks for updates. For example: 15 minutes, 30 minutes, 1 hour, or 2 hours. S
138. ons must be supported by the file you are downloading and executing. Specify the DOS command to run remotely at the system level, which is useful for simple changes or for running a script. Keep in mind that the Management Portal will not display results. Specify the registry command to run remotely at the system level. This command uses the same syntax as reg.exe, but does not call reg.exe. You can only refer directly to local registry hive paths (for example, HKLM\Software). You cannot include the name of the computer in the path. Checking scan results and managing threats: From Group Management, you can view the scan history of endpoints and manage any detected threats. You can restore a file from quarantine if you know it is legitimate (see "Restoring a file from quarantine" on page 70). You can also reclassify a file as Good (allowed to run) or Bad (auto-quarantined), as described in "Setting an override for the file" on page 71. Viewing the scan history: You can view a scan history for endpoints from the Group Management panel, which helps you determine where threats were found. To view the scan history: 1. Click the Group Management tab. 2. From the Groups panel on the left, select a group with the desired endpoints.
139. ools Files & Processes commands and view commands for selected endpoints. Expert: Access all commands, including Expert Advanced options. See "Issuing commands to endpoints" on page 63. Create & Edit: Configure instant or scheduled alerts for endpoint activity. See "Implementing alerts" on page 156. Adding keycodes to your account: You can have one or more keycodes in your Webroot account. A keycode is a 20-character license used to install SecureAnywhere on endpoints, which identifies how many seats you have available for installations. If you purchase more keycodes, you must add them manually, as described in this section. To purchase and add keycodes: 1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Manage Keycodes. The Manage Keycodes panel opens. Note: If your account has multiple consoles, you see only the keycodes that are associated with the currently active console. The Keycode list shows the attributes associated with each Endpoint Protection license. Manage Keycodes panel: Keycode: The
140. oose to filter the data as follows: • Between and And: Enter the time frame in these two fields in MM DD YYYY format or by clicking the calendar icons to choose dates. • Event Type: Select an event from the drop-down list. Events include changes in groups, endpoints, or policies, as well as overrides and user logons. • Involving User: Select a user from the drop-down list. • Involving Group: Select a group from the drop-down list. • Involving Policy: Select a policy from the drop-down list. 3. If the data exceeds 50 items, you can use the navigation buttons at the bottom to move between additional pages. You can also use the Refresh button to update the data. Viewing the Command Log: In the Command Log, you can review information about recent and outstanding commands. The log includes data for: • Hostname: The name of the endpoint that received the command. • Command: The command issued to the endpoint. • Parameters: Additional parameters for executing the command, such as the full path name. • Date Requested: The date the command was sent from the Management Portal. • Status: Either Elapsed or Executed. The Elapsed time is 24 hours. To view the Command Log: 1. Click the Logs tab. 2. Click the Command Log tab. The Command Log opens.
141. ork workgroup where the endpoint is located (if any). Active Directory: The name of the Active Directory. Infection List: A list of infections. Infection Summary: A summary of the infections. Install Summary: A summary of the SecureAnywhere installations. 8. To view the email message, click Preview at the bottom of the wizard. 9. If you are satisfied with the message, click Finish. Viewing your defined alert messages: All your customized alerts will appear in the Alerts tab with a status of Active. From here, you can edit the alert by double-clicking in its row. On the right side of the panel are the distribution lists you defined. If desired, you can show or hide additional data about the alert messages. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove.
142. os, release notes, and other news. Not shown in the example above; see "Accessing product information" on page 25. Policies: Policies define the behavior of SecureAnywhere on the endpoints, such as when it runs a scan and how it blocks potential threats. Group Management: Groups help you organize endpoints for easy management. You can view your groups and each endpoint in the group. You can also select individual endpoints to see their scan histories. Reports: Reports show threats and unidentified software present on your endpoints, as well as the versions of SecureAnywhere they are running. Alerts: Alerts allow you to customize warnings and status messages for a distribution list of administrators. Overrides: Overrides provide administrative control over the files running in your environment. You can override files so they are not blocked or always quarantined. Logs provide a view of changes and a history of command usage. Resources provides information on deployment options for endpoints. Opening the Endpoint Protection Menu: The arrow next to your login ID opens the menu for Endpoint Protection. The options available on the menu vary, depending on your access permissions.
143. overrides to a spreadsheet 177; Chapter 10: Viewing Logs 179; Viewing the Change Log 180; Viewing the Command Log 182; Glossary 183. Chapter 1: Getting Started. Webroot SecureAnywhere Endpoint Protection secures your enterprise from malware and other threats by combining Webroot's behavior recognition technology with cloud computing. Endpoint Protection includes a Management Portal (also called an Admin Console), which is a centralized website used to view and manage your endpoints. An endpoint can be any Windows corporate workstation, such as a PC, laptop, server, or virtual server. You can deploy SecureAnywhere software to these endpoints within seconds, protecting users immediately. Once SecureAnywhere runs a scan on the endpoints, it reports their status into the Management Portal.
144. 6. Continue editing the policy, making sure to click Save Changes before you move to another section. 7. If you're not ready to implement the changes (promote to live), you can return to the Policy tab. Any policy with changes not yet implemented displays Yes in the Draft Changes column. 8. To implement the changes, return to the Policy dialog and click Promote Draft Changes to Live (bottom left). Your changes do not take effect until you promote them.
145. ox to enter a date range for the data. 6. Click Submit. [Screenshot: Reports tab with Report Type set to All Undetermined Software Seen, Policy set to All, and Group set to Default Group] The report opens in the right panel. [Screenshot: All Undetermined Software Seen report with Filename, Pathname, and Last Seen columns] 7. From this panel, you can select a file and click Create override to reclassify it as follows. Good: Always allow the file to run on the endpoint. Do not detect the file during scans or send it to quarantine. After you select Good, the file is listed in the Overrides tab with Good as the Manual Determination, but the Cloud Determination remains Undetermined. Bad: Always send the file to quarantine when detected during scans. After you select Bad, the file is listed in the Overrides tab with Bad as the Manual Determination, but the Cloud Determination remains Undetermined. You can also select whether you want to apply this override to all policies or selected policies, so you don't need to create this override again on other endpoints.
146. points renamed or moved to another group. Reports: Any reports generated. You can filter the Change Log by date range, event type, user, group, and policy. To view the Change Log: 1. Click the Logs tab. The Change Log opens by default. It lists change events and provides filters for narrowing the list. [Screenshot: Change Log listing Logon events dated Apr 23rd 2013, with filters for date, event type, user, group, and policy] 2. You can use the Filter Change Log options in the left panel to narrow the data. When you have selected the filtering criteria, click Submit. You can ch
147. port 141; Generating the Endpoints with Threats on Last Scan report 143; Generating the Endpoints with Undetermined Software on Last Scan report 146; Generating the Threat History Collated report 148; Generating the Threat History Daily report 152. Generating Endpoint Protection reports: With Endpoint Protection, you can view detailed reports about SecureAnywhere versions and threat activity on the endpoints. The following table provides suggestions for the types of reports you might want to generate, depending on your business needs. To locate endpoints with different SecureAnywhere versions installed; to locate endpoints with newly installed SecureAnywhere software; to locate and manage detected threats. Generate the Agent Version Spread report. An agent is the SecureAnywhere software running on the endpoint. You can use this report to locate endpoints that should be upgraded. Note: You can also view the Agent Version Spread pie chart shown on the Status panel, although this chart is less detailed than the Agent Version Spread report. See Generating the Agent Version Spread report on page 134. Generate the Agent Installed report. From here, you can see the dates when SecureAnywhere was installed on an endpoint, as well as the number of endpoints
148. receiving the installations. See Generating the Agents Installed report on page 137. Generate either the All Threats Seen report or the Endpoints with Threats on Last Scan report. The All Threats Seen report lists threats by filename, along with where SecureAnywhere detected them. From here, you can create an override for a file or restore it from quarantine. See Generating the All Threats Seen report on page 139. The Endpoints with Threats on Last Scan report shows threats by endpoint location. From here, you can change the endpoint's policy, run a scan, create an override for a file, or restore a file from quarantine. See Generating the Endpoints with Threats on Last Scan report on page 143. (Chapter 7: Viewing Reports) To locate files classified as Undetermined; to view a summary of detected threats; to view a summary of threats detected on a daily basis. Generate either the All Undetermined Software Seen or the Endpoints with Undetermined Software on Last Scan report. The All Undetermined Software Seen report shows a list of files that are classified as Undetermined (they appear legitimate but also exhibit questionable behavior). This report lists items by filename, along with where SecureAnywhere detected them. You can use this report to create overrides and tag files as either Good or Bad, so SecureAnywhere knows how you want to classify them in the future. See Generating the All Undetermined Sof
149. ride to reclassify the file as follows. Good: Always allow the file to run on the endpoint. Do not detect the file during scans or send it to quarantine. After you select Good, the file is listed in the Overrides tab with Good as the Manual Determination, but the Cloud Determination remains Undetermined. Bad: Always send the file to quarantine when detected during scans. After you select Bad, the file is listed in the Overrides tab with Bad as the Manual Determination, but the Cloud Determination remains Undetermined. You can also select whether you want to apply this override to all policies or selected policies, so you don't need to create this override again on other endpoints. 6. If desired, you can show or hide additional data for the report. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26. Generating the Threat History Collated report: To view a summary of detected threats, you can generate the Threat History Collated report. This report shows a bar chart for endpoints with detected threats and blocked programs. From here, you can create overrides for blocked programs and restore files from quarantine. You can modify the report data as follows: View all threats within a selected policy or group, which is he
150. rmg threats last 7 days Agent Version Spread 5 Download. See the following table for more information about the Endpoint Protection Menu. Account Settings: Edit your account settings, including your password and other information. See Editing your own account settings on page 30. Manage Users: Provide other users with access to the Management Portal. See Managing portal users on page 33. Manage Keycodes: View your current Endpoint Protection license keycodes and add more to the portal if you purchased additional keycodes. See Adding keycodes to your account on page 42. Downloads: Download the SecureAnywhere installer file and read more about deployment options. Open the online instructions for the Management Portal. Open the interactive knowledgebase to find product information. Exit out of the Management Portal. Opening and collapsing panels: For a larger view of the data charts, you can collapse the panels on the far left and the far right. Click the Collapse buttons shown in the following example. The bar charts in the middle panel are static; you cannot collapse them or change the type of charts that display. [Screenshot: Status tab with the Status panel, the Endpoints encountering threats and Agent Version Spread charts, and the Webroot Threat Blog panel]
151. rograms with a high level of malicious activity. This setting ignores some suspicious behavior and allows most programs to run. Medium balances detection versus false alarms by using our tuned heuristics in the centralized community database. High protects against a wide range of new threats. Use this setting if you think your system is infected or at very high risk. This setting may result in false detections. Maximum provides the highest level of protection against new threats. Use this setting if you think that your system is infected or at very high risk. This setting may result in false detections. Disabled turns off Age Heuristics, leaving it vulnerable to new threats. However, it will still be protected against known threats. Low detects programs that have been created or modified very recently. Medium detects programs that are fairly new and not trusted, preventing zero day or zero hour attacks. We recommend using this setting if you do not allow unpopular programs to be installed on your managed endpoints and you want extra security to prevent mutating threats. High detects programs that have been created or modified in a relatively short time and are not trusted. This setting is recommended only if new programs are rarely installed on your managed endpoints and if you feel that your systems are relatively constant. This setting might generate a higher level of false detections on more obscure or unpopular programs. Maximum
152. s release notes and other news are available from the right panel. Click a link to access the resources under Help and Support or News and Updates. [Screenshot: right panel showing the Webroot Threat Blog, the Help and Support links (Administrator Guide, Webroot Education Videos, Support), and the News and Updates links (News from Webroot, Webroot Threat Blog, Release Notes)] If this panel is not open, click on the Collapse button on the far right. [Screenshot: Status tab with the Endpoints encountering threats and Agent Version Spread charts] Sorting data in tables and reports: You can sort, hide, and show data in tables and reports as follows. Quick sort on a column: Click the desired column head to sort by that subject. For example, if you wa
153. s details about the programs. [Screenshot: Threat History Collated report with the Endpoints with threats and Blocked Programs bars, and a Blocked programs during the selected period panel showing Filename, Pathname, File Size, Malware Group, Last Seen, All Endpoints, and All Versions columns] 8. From the bottom panel, you can click the View links in the All Endpoints and All Versions column to view more information. The View link under All Endpoints displays this panel: [Screenshot: Endpoints which have seen this Program, with Hostname and First infected columns] The View link under All Versions displays this panel: [Screenshot: All versions encountered of this program, with Filename, Pathname, Last Seen, and Hostname columns] 9. If you want to set an override for the file or restore it from quarantine, select the Endpoints with threats bar to display more information in the bottom panel. [Screenshot: Blocked Programs and Endpoints with threats bars]
154. s is provided in Preparing for setup on page 7. To deploy SecureAnywhere to endpoints, follow these steps: 1. Find your keycode. If you don't know your keycode, look in the Resources tab of the Management Portal. [Screenshot: Resources tab showing Simple Deployment Options (your available keycodes and downloads) and Advanced Deployment Options (run the installer in the background from a command line)] Note: Devices must use the Endpoint Protection keycode before they can report into the Management Portal. If there are endpoints in your network that already have SecureAnywhere installed with a different keycode, see Changing an endpoint keycode on page 59. 2. Select a method of deployment that best suits your environment. The following table describes methods of deployment. (Chapter 3: Managing Endpoints) Deployment options: Deploy the SecureAnywhere installer file using one of these methods: Manually install the executable file on each endpoint. Send emails to end users so they can install the software by clicking on the link provided i
155. s it would display in a file folder. This column is static; you cannot hide it. The name of the Windows folder structure. Vendor: The name of the vendor associated with the file, if SecureAnywhere can determine that information. Product: The name of the product associated with the file, if SecureAnywhere can determine that information. Version: The version of the product associated with the file, if SecureAnywhere can determine that information. Your designation for the file, which is either Good or Bad. Cloud Determination: Webroot's classification for the file, which is Good, Bad, or Undetermined. The date and time this override was defined. The policy where this override is applied. Deleting overrides: If you want to remove an override that you previously defined, you can delete it from the Overrides tab. To delete an override: 1. Click the Overrides tab. 2. If you want to narrow the results in the right panel, select a specific policy from the left. 3. Click Delete from the command bar. [Screenshot: Overrides tab with the Filter Overrides by Policy panel] After you confirm the deletion, the override is moved to the deleted list. You can view all deleted overrides by selecting All Deleted Overrides from the left panel. Be aware that you cannot restore deleted overrides. (Chapter 9: Using Overrides) Exporting overrides to a
156. sing history files that reveal the user's activity and files that consume valuable disk space (files in the Recycle Bin and Windows temp files). You can change the System Cleaner options in the Policy settings. Uninstall: Uninstall SecureAnywhere from the endpoint. With this command, the endpoint is still shown in the Management Portal. If you want to uninstall SecureAnywhere and free up a seat in your license, deactivate the endpoint instead. See Deactivating endpoints on page 73. Return SecureAnywhere settings on the endpoint to their default values. Remove password protection: Disable password protection from the endpoint user's control, which allows administrators to gain access to the endpoint if they are locked out. Clear Data commands. Clear files: Erase current log files, which frees space on the endpoint. Disable proxy settings: Disable any proxy settings the endpoint user set on the endpoint. Note: Do not use this command if the endpoint's only Internet access is through the proxy server. The endpoint will no longer be able to communicate with the cloud. Keycode commands. Change keycode: Enter a different keycode. Note: The drop-down list shows only keycodes that are assigned to this console. Change keycode temporarily: Switch the keycode used for this endpoint temporarily, which might be necessary for testing purposes. In the dialog box, choose a keycode from the drop-down list, then specify the dates for SecureAnywhere to use
157. stomized alerts 158; Viewing your defined alert messages 162; Suspending or deleting alerts 164. Implementing alerts: You can customize alert messages and send them to a distribution list whenever the following types of events occur: Endpoints reporting an infection. New SecureAnywhere installations on endpoints. For both of these event types, you can customize the alerting method so administrators receive a message as soon as the event occurs or on a schedule (daily, weekly, or monthly). Using a setup wizard in the Alerts tab, you can customize the subject heading and body of the messages. You can also use variables to add information for the endpoints triggering the alerts, affected groups, and other specifics about the event. To create customized alerts: 1. Create a distribution list based on email addresses (list members do not need to be defined in the Manage Users panel of the Management Portal). See Creating a distribution list on page 157. 2. Create alert messages that are sent to the distribution list whenever endpoints report an infection or SecureAnywhere is installed on an endpoint. See Creating customized alerts on page 158. All your customized alerts will appear in the Alerts tab. [Screenshot: Alerts tab]
158. t Brazilian Portuguese, ru Russian, tr Turkish, zh-tw Traditional Chinese. Example: wsasme.exe /key=xxxxxxxxxxxx /silent /lang=ru Using MSI for deployment: The Microsoft Installer (MSI) requires commands during installation, which apply the keycode and options that activate Endpoint Protection installation mode. The MSI installer is interactive by default and requires the msiexec.exe option /qn to run an automated installation in the background. This is an example of an MSI command: msiexec /i wsasme.msi GUILIC=licensekey CMDLINE=SME,quiet /qn /l*v install.log To remove SecureAnywhere later (if desired): If you need to remove the SecureAnywhere software from the endpoint later, use the standard MSI command: msiexec /x wsasme.msi /qn /L*v uninstall.log To use an MSI editor: If you use your own methods to deploy the SecureAnywhere software on endpoints, see the following table for commands you can pass to msiexec.exe during installation. CMDLINE: SME,quiet. GUILIC: The license key, with or without hyphens. Note: If you don't provide a keycode, the installation will continue; however, the endpoint will not have a keycode associated with it and will not be protected. If you install without a keycode, you must uninstall the software and re-install to add it. You can also modify these commands directly using an MSI editor such as ORCA: Set the CMDLINE property in the Property
159. t Portal, including your contact number and a time zone where you are located. See Editing your own account settings on page 30. You can also create logins for other administrators to access the Management Portal. See Managing portal users on page 33. Deploy the SecureAnywhere software to the endpoints. See Deploying SecureAnywhere to endpoints on page 50. Determine if the default policy is sufficient for your business needs. If desired, add new policies with different settings, as described in Implementing policies on page 88. You cannot change the Webroot default policies. You may also need to create overrides for certain files that you consider legitimate applications. See Applying overrides from the Overrides tab on page 167. Determine if you need to create separate groups of endpoints for different management purposes. When you deploy SecureAnywhere to your endpoints, Endpoint Protection places them all in one Default group. If desired, you can create new groups and assign them to new policies. See Organizing endpoints into groups on page 120. (Optional) Customize alert messages that will be sent to a distribution list whenever endpoints report an infection or whenever SecureAnywhere is installed on new endpoints. See Implementing alerts on page 156. System requirements: You can use Endpoint Protection with the following browsers and server platforms. Browsers and platforms Browsers
160. t to scan an endpoint at a remote location. With these commands, you can easily run all the same commands that are available on the endpoint's SecureAnywhere software. Be aware that the endpoint may not receive the command until the next polling interval. If necessary, you can change the polling interval in its associated policy (see Changing policy settings on page 92), or you can force an immediate polling as described in Forcing immediate updates (forced polling) on page 76. To issue commands to endpoints: 1. Click the Group Management tab. 2. From the Groups panel on the left, select the group that contains the desired endpoints. [Screenshot: Group Management tab with the Groups panel and an endpoint list showing Hostname, Policy, Group, Status, and Keycode columns] 3. From the Endpoints panel on the right, select one or more endpoints. Tip: You can select all endpoints within the group by clicking the Hostname checkbox at the top of the list (first column). 4. Click Agent Commands from the command bar. 5. From the
161. t 42; Adding consoles to your account 44; Adding a console 44; Renaming a console 46; Switching consoles 46; Renewing or upgrading your account 47. Editing your own account settings: An account defines your user details (login name, password, etc.) and access permissions. For your own account, you can change any setting except the email address specified for your login name. To edit your account settings: 1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Account Settings. [Screenshot: Endpoint Protection menu with Account Settings, Manage Users, Manage Keycodes, Downloads, and Logout] 2. In the Account Settings panel, click one of the Change links to open another panel where you can edit the information. (Chapter 2: Managing User Accounts) [Screenshot: Account Settings panel with User Details fields: Name, Display Name, Email, Password, Security Code, Security Question, Office Phone, Mobile Phone, and Time Zone]
162. ter 7 Viewing Reports [Screenshot: Threat History Daily report bar chart] 7. To view more details about threats, click on a bar to see details for a specific day. The bottom panel shows details about the endpoints with the detected threats. [Screenshot: Threat History Daily report with the Endpoints with threats during the selected period panel, showing Hostname, Last Scan Time, and Agent Version columns] 8. To view more information about a blocked program, click a View link in the Blocked Programs column. 9. If desired, you can show or hide additional data for the report. Click a column header to open the drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the data in the columns, see Sorting data in tables and reports on page 26. Chapter 8: Managing Alerts. To learn more about alerts, see the following topics: Implementing alerts 156; Creating a distribution list 157; Creating cu
163. the All Threats Seen report. This report lists threats by filename, along with when and where SecureAnywhere detected them. This report might show duplicate entries if the threats were detected multiple times or in multiple places. From here, you can create an override for a file or restore it from quarantine. You can modify the report data as follows: View all detected threats within a selected policy or group, which is helpful if you need to narrow search results to a specific set of endpoints. Drill down to see the threats detected within a date range, which is helpful if you want to narrow the search results to a specific time period. To generate the All Threats Seen report: 1. Click the Reports tab. 2. In the Report Type field, click the drop-down arrow to display a list of reports. 3. Select All Threats Seen. 4. If desired, select a specific policy and group. Otherwise, the report data shows all policies and groups and may take a long time to generate, depending on your environment. 5. Optionally, you can click the Select time period checkbox to enter a date range for the data. 6. Click Submit. [Screenshot: Reports tab with Report Type set to All Threats Seen, Policy set to All, and Group set to All] The report opens in the right panel. Each threat is listed by its filename, along with where and when
164. the quarantine. Identity & Privacy: Protect sensitive data that may be exposed during online transactions. System Tools: Use tools to manage processes and files, view reports, and submit a file to Webroot Support. Also use the System Cleaner to remove Internet browser activity and to remove temp files. My Account: View SecureAnywhere account information and check for updates. Uninstalling SecureAnywhere: You can remove the SecureAnywhere program from an endpoint by using one of the following methods. Deactivate an endpoint so that it no longer reports in to Endpoint Protection. You can reactivate an endpoint later if necessary. By deactivating an endpoint, you can free the license seat so you can install another endpoint in its place. See Deactivating endpoints on page 73. Send an Uninstall command to the endpoint from the Management Portal. See Issuing commands to endpoints on page 63. Be aware that by using this method, the endpoint is still shown in the Management Portal. If you want to uninstall SecureAnywhere and free up a seat in your license, deactivate the endpoint instead. Chapter 4: Checking Status. To learn more about the Status panel, see the following topics: Viewing endpoint status 82; Viewing recent threat status 84; Viewing an agent version overview 85
165. ting from one policy to another 118; migrating to new OS 75; moving to a new group 127; moving to new subnet 75; opening SecureAnywhere interface 77; operating systems allowed 8; reinstalling 75; renaming 61; requirements for 8; restarting from portal 67; sending Uninstall command to 66; using search to locate 62; viewing assignments in Policies tab 117. Endpoints with Threats on Last Scan report 143. Explorer, enabling right click scan 98. exporting data to a spreadsheet 24. F: File & Processes commands 67. firewall: allowing blocked processes 67; stopping untrusted processes 67. Firewall policy settings 108. G: GPO, using for deployment 58. groups: adding new groups 122; applying a policy to 124; assigning permissions for creating 41; deleting 128; directly deploying endpoints to 55; moving endpoints to another group 127; overview of implementation 120; renaming 129. H: Heuristics policy settings 100. I: icons in browser search results 106. Identity Shield commands 68. Identity Shield policy settings 107. Infection Detected alerts 158. Infection Summary alerts 158. Install Summary alerts 158. installation and configuration: deploying SecureAnywhere 50; deploying SecureAnywhere (quick method) 15; installing agent in background (silent) 50; overview of 7; selecting a policy 14; system requirements for 8; using GPO for installation 58; using MSI for deployment 57; using proxy commands during installation 56; using setup wizar
166. ting the Agent Version Spread report on page 134. Chapter 5: Managing Policies. To manage policies, see the following topics: Implementing policies 88; Selecting a new default policy 89; Creating policies 90; Creating a new policy 90; Copying a policy 91; Changing policy settings 92; Basic Configuration 95; Scan Schedule 97; Scan Settings 98; Self Protection 99; Heuristics 100; Realtime Shield 103; Behavior Shield 104; Core System Shield 105; Web Threat Shield 106; Identity Shield 107; Firewall 108; User interface 109; System Cleaner 109; Renaming a policy 114; Exporting policy settings to a spreadsheet 115; Deleting policies 116; Viewing endpoints assigned to a policy 117; Moving endpoints to another policy
167. tings 30 admins adding portal users 33 Advanced commands 68 Advanced Heuristics 100 Age Heuristics 100 agent commands for 65 deploying to endpoints 50 generating Agent Version Spread report 134 generating installation report 137 opening on main interface 77 Agent Commands 63 Agent Version Spread chart Status tab 85 Agent Version Spread report Reports tab 134 Agents Installed report 137 alerts assigning permissions for creating 41 creating a distribution list 157 creating customized messages 158 deleting a distribution list 157 overview of configuration 156 resuming 164 suspending 164 viewing in Status tab 82 All Threats Seen report 139 All Undetermined Software Seen report 141 Allow all denied applications command 68 Allow application command 68 Allow processes blocked by firewall command 67 Antimalware Tools commands 67 B Basic Configuration policy settings 96 Behavior Shield policy settings 104 browsers supported 8 C Change Console 46 Change keycode command 66 Change keycode temporarily command 66 change log generating 180 Change scan time command 65 Clean up command 66 cleaner settings 110 cleanup script 68 Clear Data commands 66 Clear files command 66 Cloud Determination 27 Collapse button in portal 23 columns sorting in tables 26 command log 182 commands assigning permissions for using 41 issuing to endpoints 63 Confirm Logon 12 Consider all items as good command 67 consoles creating separate consol
168. tware Seen report on page 141. The Endpoints with Undetermined Software on Last Scan report shows a list of endpoints reporting Undetermined files during the last scan. You can use this report to create overrides and tag files as either Good or Bad, so SecureAnywhere knows how you want to classify them in the future. See Generating the Endpoints with Undetermined Software on Last Scan report on page 146. Generate the Threat History Collated report. This report shows a bar chart for endpoints with detected threats and blocked programs. From here, you can create overrides for blocked programs and restore files from quarantine. See Generating the Threat History Collated report on page 148. Generate the Threat History Daily report. This report shows each day where SecureAnywhere found threats on endpoints. See Generating the Threat History Daily report on page 152. Generating the Agent Version Spread report: To locate endpoints with different SecureAnywhere versions installed, you can generate the Agent Version Spread report. An agent is the SecureAnywhere software running on the endpoint. You can use this report to locate endpoints that should be upgraded. The report displays a bar chart showing the version numbers in your network and the endpoints using each version. You can modify the report data as follows: View all versions within a selected group, which is helpful
169. ust use command line and not an MSI editor.

Command line options

-proxyhost=X -proxyport=X -proxyuser=X -proxypass=X -proxyauth=n
Specifies proxy settings.

Note about proxy settings: If the endpoint connects through a proxy server, SecureAnywhere will automatically detect the proxy settings. SecureAnywhere checks for changes to the proxy settings every 15 minutes and when the endpoint restarts. We recommend using auto-detection for proxy settings; however, you can use command line options if you prefer.

To enable proxy support, use these command line options:

wsasme.exe -proxyhost=nn.nn.nn.nn -proxyauth=n -proxyuser=proxyuser -proxypass=password -proxyport=port_number

where n can be 0 = Any, 1 = Basic, 2 = Digest, 3 = Negotiate, 4 = NTLM.

We recommend that you use a specific value for proxyauth instead of 0 (any). The any option requires the endpoint to search through all authentication types, which might result in unnecessary errors on proxy servers as well as delayed communications.

If you use this command line option, use all parameters and blank out any value you don't need with double quotes (i.e., -proxypass="").

/lang=LanguageCode
Specifies the language to use for the product, rather than allow default language detection. Codes include: en (English), ja (Japanese), es (Spanish), fr (French), de (German), it (Italian), nl (Dutch), ko (Korean), zh-cn (Simplified Chinese), p
170. ver Defaults: Recommended setup for servers, protection enabled
Silent Audit: Security Audit with detection only
TestPolicy: test
Unmanaged: This policy is for all PCs that are user managed

The Policy dialog opens with the Basic Configuration category selected (see the following example). The Live column shows how the setting is currently implemented on the endpoints. The Draft column is where you can make changes.

3. Under the Section column (left side), choose the category to edit.
4. Under the Draft column (far right side), click in the cell to view the options, then select the desired setting. A complete description of each setting follows these steps.
5. When you're done with a section, click Save Changes at the bottom. For example, when you have finished editing Basic Configuration, save your changes before moving to Scan Schedule.

[Screenshot: Policy dialog]
Section column: Scan Settings, Self Protection, Heuristics, Realtime Shield, Behavior Shield, Core System Shield, Web Threat Shield, Identity Shield, Firewall, User interface, System Cleaner
Setting column: Show a SecureAnywhere shortcut on the desktop; Show a system tray icon; Show a splash screen on bootup; Show SecureAnywhere in the Start Menu; Show SecureAnywhere in Add Remove Programs; Show SecureAnywhere in the Windows Action Center; Hide the SecureAnywhere keycode on screen; Automatically download and apply updates; Operate background functions using fewer CPU res; Favor l
171. x

4. Click Restore from Quarantine.

[Screenshot: "All threats ever seen on this endpoint" dialog with the Create override and Restore from Quarantine buttons and the Filename and Pathname columns]

The file returns to its original location on the endpoint.

Setting an override for the file

You can set an override for a file from the Scan History panel, as described below, or from the Overrides tab (see Applying overrides from the Overrides tab on page 167).

To set an override:

1. View the scan history for a particular endpoint, as described previously in this section.
2. In the Scan History panel, locate the file by either clicking View in the Status column for the date when the threat was detected or by clicking View all threats seen on this endpoint.

[Screenshot: Scan History panel with the Scan Start and Scan Type columns; rows show "Threats detected" with a View link, or "Clean"]

3. In the dialog that opens, select a file in the list.
4. Click Create override.

[Screenshot: "All threats ever seen on this endpoint" dialog listing the detected files]
172. y will use the settings from the policy you copied, but you can change the settings later.

To copy a policy:

1. Click the Policies tab.
2. In the Policy Name column, click the policy you want to use as a starting point, and then click Copy from the command bar.

In the Copy Policy dialog, the policy you selected is displayed in the first field. You can select a different one, if desired.

3. In the next two fields, enter a unique name and a description of up to 50 alphanumeric characters, then click Create Policy.

[Screenshot: Copy Policy dialog with the Policy to Copy, Policy Name, and Policy Description fields]

4. Locate your new policy in the Policy tab. Double-click the policy you just created and modify the settings as desired. See Changing policy settings on page 92.

You can apply a policy to an individual endpoint or to a group of endpoints. See Applying a policy to endpoint groups on page 124.

Changing policy settings

Once you create a policy (see Creating policies on page 90), you can change its settings to suit your business purposes. If desired, you can make temporary changes (create drafts) and then implement them later (promote to live).

Policies control the following SecureAnywhere settings on managed endpoints:

SecureAnywhere settings controlled by policies

Basic settings: General preferences that change the behavior of the SecureAnywhere program, such as whet