False report on Mac OS Sierra?


Hi,
 
We are receiving reports from Webroot of a detection that I am not sure is true... How do I know if it is a false positive?
 
The report log is below:-
 
Automated Cleanup Engine
Starting Cleanup at 2016-Oct-26 11:40:30
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
Automated Cleanup Engine
Starting Cleanup at 2016-Oct-26 14:52:31
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
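A triage sketch for log lines like the ones above, added here as an example (it is not part of the original post and is not Webroot tooling). It extracts each detection and records context that is worth attaching to a support ticket when asking for false-positive validation; the flag names and regular expressions are assumptions based only on the log format shown in the post.

```python
import re

# Two detection lines and one quarantine line, copied from the log in the post.
SAMPLE_LOG = """\
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/.PKInstallSandboxManager-SystemSoftware/3F5A27F6-09A2-4D3F-8049-A2ABB8F44C32.sandbox/Root/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
Quarantining File> Removing /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
Starting Routine> Detected /Volumes/Time Machine Backups/Backups.backupdb/User/2016-10-26-053418/Macintosh HD/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation [Name: "PUA.OSX.TuneUpMyMac.1.r", MD5: 00000000000000000000000000000000]
"""

# Detection line: path, then [Name: "<signature>", MD5: <32 hex digits>]
DETECTION = re.compile(
    r'^Starting Routine> Detected (?P<path>.+?) '
    r'\[Name: "(?P<name>[^"]+)", MD5: (?P<md5>[0-9A-Fa-f]{32})\]$'
)
# Time Machine layout: /Volumes/<disk>/Backups.backupdb/<machine>/<snapshot>/<volume>/<live path>
BACKUP = re.compile(
    r'^/Volumes/[^/]+/Backups\.backupdb/[^/]+/(?P<snapshot>[^/]+)/[^/]+(?P<live>/.*)$'
)

def triage(log_text):
    """Return one record per detection line, with context flags (hypothetical names)."""
    findings = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # quarantine and banner lines carry no signature name
        path, flags = m["path"], []
        b = BACKUP.match(path)
        live = b["live"] if b else path
        if b:
            flags.append("backup-copy")        # file sits in a backup snapshot, not on the live disk
        if "/.PKInstallSandboxManager" in live:
            flags.append("installer-sandbox")  # staged by an installer, not an installed file
        if "/System/Library/Frameworks/" in live:
            flags.append("os-framework-path")  # path of an OS framework binary
        if set(m["md5"]) == {"0"}:
            flags.append("placeholder-md5")    # log carries no real hash to look up or submit
        findings.append({"name": m["name"], "snapshot": b["snapshot"] if b else None,
                         "live_path": live, "flags": flags})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], f["snapshot"], f["live_path"], ",".join(f["flags"]))
```

The flags describe where the detected file lives and what the log does and does not record; they do not decide whether the detection is valid.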

coscooper
  • Manager, Channel Sales
  • 219 replies
  • October 26, 2016
I would suggest opening a support ticket and having them escalate your request to our AMR team for validation. They can provide details as to whether this is valid or not. PUAs are a common issue on the Mac, more common than you'd think. (I run a Mac daily and WR finds PUAs a few times a month.)
 
The one thing I noticed was that WR is looking at your Time Machine volume. I would suggest under Scan Settings, turn off "Scan archived files". This will tell WR to not scan Time Machine backups and ZIP files, which could impact performance.

  • Author
  • New Voice
  • 13 replies
  • October 27, 2016
Thank you for your response, much appreciated, and I will turn off archived file scanning ASAP :)

Cheers,
Beckey.

  • Author
  • New Voice
  • 13 replies
  • October 27, 2016
Just one more question...
 
To turn off archive scanning, would it be the 4th tickbox down in the screen shot below, as it doesn't have anything next to it, and I don't want to disable something important...!

RetiredTripleHelix
Gold VIP
Hello,
 
I will ping one of our Mac experts and she will let you know the best settings: ?
 
Thanks,
 
Daniel 😉

Ssherjj
Moderator
  • Moderator
  • 21898 replies
  • October 27, 2016
Hello BeckeyB,
 
This is how I have my Mac set up with Webroot. No, do not turn off archive scanning; I have had this checked for years without any issues.

RetiredTripleHelix
Gold VIP
? would your suggestions impact system performance in a Business environment you think? Just wondering as you know I'm not a Mac user. Also your and the OP's pictures don't match? Could it be the version? GUI issue in the Business version?
 
Thanks,
 
Daniel 😉

Ssherjj
Moderator
  • Moderator
  • 21898 replies
  • October 27, 2016
Hello again Becky,
 
I am not familiar with the Business version but here is some information concerning the Time Machine.
 
Please go into the Mac scan settings and uncheck Scan Mounted drives. Otherwise it will take forever to complete.
 
Here is the Mac User Guide for more information. The Mac Business Guide
 
Have a look at this THREAD
 
And here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/How-long-does-it-take-to-scan-350-G...
 
 
In some cases, Webroot will detect a threat that is located on your backup, such as Time Machine. If the files are in the backup, then they cannot hurt your system. You would have to restore the files from the backup to get them on the system, and at that point the Real Time Shield in Webroot would find and remove them. Even though Webroot cannot remove these files, as space for newer backups is needed the older backups will be deleted. This will delete the threats from the backup as well.

We recommend if Webroot continues to detect these files that you uncheck the box next to them on the removal page. This will tell Webroot to ignore the files in their current location.

If you would like to remove these files manually from the backup in Time Machine, you can use the following steps:

Note: This action is permanent, and will impact all past backups on the given Time Machine drive, even backups from the distant archives on that drive. For this reason, be absolutely certain you want to remove an item before deleting it, otherwise you may end up missing data you would have wanted to keep.

1. Open the backup manager by pulling down Time Machine menu item and selecting, “Enter into Time Machine.”
2. Navigate to the directory location of the files/folders you want to remove.
3. Right-click on the folder or file you want to remove and select “Delete all backups of [File Name].”
4. Confirm the removal.

As the process is the same whether you are deleting the backup of a file or an entire folder, please be careful to only select the items you wish to delete. You cannot recover these files.

Another option available to Time Machine users is to exclude the files and folders from being backed up by the Time Machine. You can add them to the exclusion list which will permanently block the files/folders from being backed up in the future. By doing this, the infected file will eventually be deleted from the backup over time and prevent it from ever getting re-introduced to the drive should it be installed on the computer again.
 
Hope this helps.

RetiredTripleHelix
Gold VIP
Sherry can you look at my edit and see my questions.

Ssherjj
Moderator
  • Moderator
  • 21898 replies
  • October 27, 2016
@ wrote:
@ would your suggestions impact system performance in a Business environment you think? Just wondering as you know I'm not a Mac user.
 
Thanks,
 
Daniel ;)
Sorry Daniel, I am not sure about the Business side of Webroot. It is possible that scanning the archives could slow down performance. It would be best to ask Support IMO. It doesn't hurt to uncheck scanning of archived files and see how it works.
Edit: This is what I see in the Business version of Webroot. http://live.webrootanywhere.com/content/553/Changing-Scan-Settings

RetiredTripleHelix
Gold VIP
Look at both pictures posted!

Ssherjj
Moderator
  • Moderator
  • 21898 replies
  • October 27, 2016
Yes the Business is different:
This is what the GUI looks like here and I would have my setting set like this below.
http://d3hj48gy07tbjf.cloudfront.net/LIVEIMGS/00-F-consumer/macagent/scansettingspanelfeb.png

RetiredTripleHelix
Gold VIP
This is not right in the OP's picture compared to yours. GUI Issue? Version issue? Maybe ? can tell us!

Ssherjj
Moderator
  • Moderator
  • 21898 replies
  • October 27, 2016
@ wrote:
This is not right in the OP's picture compared to yours. GUI Issue? Version issue? Maybe @ can tell us!
I see that and this is very strange to me. Seems like something is missing, doesn't it? Maybe a reinstall would fix this? Not sure.

Ssherjj
Moderator
  • Moderator
  • 21898 replies
  • October 27, 2016
Another thing that should be looked at and that's this article here:
https://www5.nohold.net/Webroot/ukp.aspx?pid=12&app=vw&vw=1&login=1&json=1&solutionid=2587&
 

  • Author
  • New Voice
  • 13 replies
  • October 27, 2016
I have the same version installed on 8 macs and they all have that bit missing... Just a check box with no writing...

  • Author
  • New Voice
  • 13 replies
  • October 27, 2016
Also, I think I'd keep the archived files checked as I like zip files to be scanned... just in case!

  • Author
  • New Voice
  • 13 replies
  • October 27, 2016
I've just looked at the mac instructions from the link posted earlier and run the update as we have an earlier version than suggested. So I ran the update as per the instructions but it says we have the latest version?!? I think I may uninstall and reinstall from a new download...

Ssherjj
Moderator
  • Moderator
  • 21898 replies
  • October 27, 2016
Hi Beckey.

Please submit a support ticket just to be safe. You could try reinstalling if you want to try that first.

Thanks

Ssherjj
Moderator
  • Moderator
  • 21898 replies
  • October 27, 2016
Hi again Beckey,
 
May I ask that you let us know how things are going? I am curious to know what the outcome is when you have a chance.
 
Thank you so much!

coscooper
  • Manager, Channel Sales
  • 219 replies
  • October 27, 2016
All - something doesn't look right with a few of the screens I've seen and I'd definitely update or reinstall if menu fields are NOT presenting properly. Definitely open a support ticket so they can track this metric for getting it fixed if there's an issue.
 
Turning off scanning archives was a suggestion for Time Machine and I personally do not scan ZIP files because I don't want WSAB to spend a lot of time dealing with the high number of zip files on my machine and to be frank, I do have/store known bad PUAs and other files on my personal system. (Hey... I work for Webroot and we all have bad stuff we keep around for testing. 8-)
 
A lot of business users (This was posted in the Business forum) want performance and scanning archives on a Mac can take a performance hit. WSAB will dynamically grab bad files as they're unzipped (Mac or Windows), so scanning zip files isn't always necessary. Exclusions can fix that, but the original question was around a PUA and I simply noticed a TimeMachine reference with the PUA.
 
Here's my Business Endpoint menu/screen, so it's definitely different. (This is from a site within a GSM.) However, the original question wasn't around scanning, it was related to a real/false PUA file, so my suggestion was and is to ignore these archives on a business machine.
 
My test environment (and daily Mac):
MacOS: Sierra 10.12
WSAB (Webroot SecureAnywhere Business) - 9.0.4.23
Menu doesn't have preferences - to get to details, use Advance Settings.

  • Author
  • New Voice
  • 13 replies
  • October 28, 2016
Hi Everyone,
 
Thank you for all your help and insights. I have downloaded the latest version from my account, and reinstalled it, and it's STILL saying that it's the same version as before (9.0.4.23), and the check box still has nothing next to it. I think I need to raise a support ticket to solve this issue, as some machines on my network are now running Sierra and the article says we NEED to be running the later version, not the one we have available to download... (It downloads from http://anywhere.webrootcloudav.com/zerol/wsamac.dmg so I presume that would automatically be the latest version?)
 
I'll let you know how I get on.
 
Thanks,
Beckey | IT Manager, Helen Moore

coscooper
  • Manager, Channel Sales
  • 219 replies
  • October 28, 2016
? - that download link should be the latest version. If it's not working, then reach out to support for sure.
 
One option you might try: uninstall WSAB and check to see if this folder is left behind. Main computer hard drive, not user account - GOTO "/Library/Application Support/Webroot" - kill this folder after uninstall if it's still there and then try a reinstall. It has a number of configurations and logs that may be accidentally left behind.
 
Hope that helps.

RetiredTripleHelix
Gold VIP
? here is the latest information on all WSA current releases: https://www.webroot.com/us/en/support/support-consumer-release-notes
 
Thanks,
 
Daniel 😉

RetiredTripleHelix
Gold VIP
Sorry here is the Business versions release notes: https://www.webroot.com/us/en/business/support/release-notes

  • Author
  • New Voice
  • 13 replies
  • October 31, 2016
Hmm, very confused here now. I have contacted support who tell me that 9.0.4.23 is the latest version even though the article on the link below states...
https://www5.nohold.net/Webroot/ukp.aspx?pid=12&app=vw&vw=1&login=1&json=1&solutionid=2587&
 
"Software agent versions below 9.0.2.45 will not update or operate correctly on macOS Sierra. Once you have update Webroot SecureAnywhere Business Endpoint Protection accordingly, you may upgrade to macOS Sierra as normal."
 
This is what support said...
 
Hello,

Thank you for contacting Webroot Support.

Your machines are currently on the latest version for the Mac. The latest version is 9.0.4.23. When we release an update it takes up to 72 hours to apply to all machines globally.

Any new releases will update automatically when they are available and the Release Notes will be added to our website: https://www.webroot.com/us/en/business/support/release-notes

Thank you,

Kelly
Webroot Support
 
I have asked them to clarify. Will update further when I get a response.
 
In the meantime, I uninstalled Webroot and deleted the folder under Application Support as suggested, downloaded a fresh copy of Webroot, reinstalled, and the check box still has nothing written beside it (which support neglected to comment on...)