+6Hi there,
We’ve been exploring some of the newer features with Webroot and I am curious if the Isolate function can be triggered automatically by the endpoint agent.
The documentation seems to indicate that it is only a manual process, but that seems ineffective. By the time we have someone in the portal clicking the isolate button, it’s probably too late to do much good.
Thanks for your help!
Matt
Best answer by jhartnerd123
Hi,
Currently the Host Isolate commands are NOT automated. This is something that is definitely in the works though as part of the console and agent development.
It would work like, say, upon a detection threshold of a malware type etc it could auto isolate the host. Say, for a Trojan/Ransomware/Miner/Credential stealer it would isolate, but for a PUP/PUA it won’t. Stuff like that. I’ve had discussions with the product development team regarding this. There’s A LOT of data they have on threats, just we don’t see it yet and they’re also trying to find ways to show this and act upon it in various ways. Very promising, but of course I’ve no idea of any timeline for this. If you didn’t know, they’re building in YARA detections as well so that threats and detections of new TTP’s can be detected faster by pushing very small YARA updates to agents. Super Cool Stuff. Makes the product very flexible
You are referencing the Controlling of System Processes, which is something different than what we are talking about. I wish THAT what you showed was available in the console.
The Host Isolation feature is for Business/MSP/MSSP use and currently not in the consumer product.
I don’t think that OpenText/Webroot have backed off the EDR claims. I think the article may have been either removed for updating or something. Again
Hope This helps
John H
+63Hello
Yes but be very careful!! From the Agent/Client itself.
Hope that’s what your looking for?
I haven’t tried this way below.
Maybe others might have other suggestions.
+6Thanks!
I was more looking for something like a ransomware detection function.
Like if a canary file is deleted or modified on the endpoint, the computer is automatically isolated and we generate an alert on our end to check it out.
+6There was a blog post, Announcing new EDR capabilities for Webroot Endpoint Protection that seems to be scrubbed from the site. I shared it with some of my colleagues at the time so still have the link.
I see the isolate option is available in the portal, but maybe Webroot backed off EDR claims? If so, that’s a bit disappointing.
+63There was a blog post, Announcing new EDR capabilities for Webroot Endpoint Protection that seems to be scrubbed from the site. I shared it with some of my colleagues at the time so still have the link.
I see the isolate option is available in the portal, but maybe Webroot backed off EDR claims? If so, that’s a bit disappointing.
Strange the link doesn’t work for me?
Maybe you should contact Webroot Business Support: https://www.webroot.com/us/en/business/support
The link doesn’t work for me either????
+63There was a blog post, Announcing new EDR capabilities for Webroot Endpoint Protection that seems to be scrubbed from the site. I shared it with some of my colleagues at the time so still have the link.
I see the isolate option is available in the portal, but maybe Webroot backed off EDR claims? If so, that’s a bit disappointing.
Strange the link doesn’t work for me?
Maybe you should contact Webroot Business Support: https://www.webroot.com/us/en/business/support
I understand now the article was on the blog but now it’s not maybe
+63There was a blog post, Announcing new EDR capabilities for Webroot Endpoint Protection that seems to be scrubbed from the site. I shared it with some of my colleagues at the time so still have the link.
I see the isolate option is available in the portal, but maybe Webroot backed off EDR claims? If so, that’s a bit disappointing.
Strange the link doesn’t work for me?
Maybe you should contact Webroot Business Support: https://www.webroot.com/us/en/business/support
I understand now the article was on the blog but now it’s not maybe
This one does: https://www.xcitium.com/webroot-edr/
+25There was a blog post, Announcing new EDR capabilities for Webroot Endpoint Protection that seems to be scrubbed from the site. I shared it with some of my colleagues at the time so still have the link.
I see the isolate option is available in the portal, but maybe Webroot backed off EDR claims? If so, that’s a bit disappointing.
This link also doesn’t work for me. Let me ask around
Hi,
Currently the Host Isolate commands are NOT automated. This is something that is definitely in the works though as part of the console and agent development.
It would work like, say, upon a detection threshold of a malware type etc it could auto isolate the host. Say, for a Trojan/Ransomware/Miner/Credential stealer it would isolate, but for a PUP/PUA it won’t. Stuff like that. I’ve had discussions with the product development team regarding this. There’s A LOT of data they have on threats, just we don’t see it yet and they’re also trying to find ways to show this and act upon it in various ways. Very promising, but of course I’ve no idea of any timeline for this. If you didn’t know, they’re building in YARA detections as well so that threats and detections of new TTP’s can be detected faster by pushing very small YARA updates to agents. Super Cool Stuff. Makes the product very flexible
You are referencing the Controlling of System Processes, which is something different than what we are talking about. I wish THAT what you showed was available in the console.
The Host Isolation feature is for Business/MSP/MSSP use and currently not in the consumer product.
I don’t think that OpenText/Webroot have backed off the EDR claims. I think the article may have been either removed for updating or something. Again
Hope This helps
John H
One way to to push the Auto Isolate is to start a Feature Request here in the Community. I’ll DEFINITELY upvote it and encourage others here to upvote it as well. That way, we show OpenText that this is something we want.
+63
+6Yeah, the blog link doesn’t work anymore. I’m not sure when that post was pulled. It definitely worked at some point because it came across the RSS feed.
Thanks for that info. Good to know that feature is in the works.
I just created a feature request. Feel free to upvote it.
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
