Skip to main content
I'm interested to know if anyone else is experiencing issues with Webroot Endpoint Protection on AWS WIndows servers. I've had endpoints show up multiple times in the admin console (using multiple licenses) and was told this may be associated with a recent update intended to better handle registering VMs. Now I have AWS Windows servers (2008 and 2012) that had the endpoint client stop reporting in (last seen date 2/8). When I checked the servers I found the Webroot client was not installed. No Webroot folder in the Program Files (x86) folder. But there are remnents of webroot in the registry based on a search for webroot  or wsasme.

To Summarize:

Webroot client installed on AWS Servers (VM) with the -clone option

Endpoints register with the console and regular scans logged on a daily basis for several days

Endpoints register a second time with the console and new entries start logging daily scans, initial entries stop logging activity (last seen date on initial entries is the same as first scan date on new, duplicate entries)

Endpopints stop logging daily scans (last seen date 2/8)

Check of the servers reveals Webroot EWndpoint protection is not installed and no Webroot program folder

Remnents of Webroot found with a regedit search for webroot or wsasme in the registry
Greetings @ and welcome to our Community.



I've checked with our Team and they've told me that duplicates are expected. We released a fix in a recent build but had to rollback the update as it caused other issues.



Please stay tuned til our next build release.
Hi JP, thanks for the response. It was already my understanding Webroot was working to address the duplicate entries in the console and I'm hopeful the fix works. But I'm more concerned about the fact the Webroot endpoint protection client was uninstalled from the servers. Is this also an expected behavior? I don't know if this was part of a failed Webroot update/upgrade or if the servers have malware that was able to remove the Webroot software. Is this something Webroot has seen before?

 

I'm also interested to know if what I'm experiencing now on three AWS servers is isolated to my servers or if other users are experiencing similar issues. Thanks, BHC01
You should do some manual checks yourself if support isn't helping you with a post incident review.

 

Learning how to use GMER is a valuable skill:

http://www.gmer.net/

 

You can also use HijackThis!

http://www.majorgeeks.com/files/details/trend_micro_hijackthis.html

 

Both of these require looking at items manually, one by one, and making a judgment call for each. The items that are shown to you by these programs are not all bad. Misuse of these applications can render your system inoperable.

Reply