I get frequent "suspicious activity detected" alerts, where "system folder modified" is the MacOS/System Events folder. The alerts do not identify the program / app that is making the change. How do I get more information on the cause of this so I can determine if there is a problem or if I can hit "ignore"?
Thanks, Steve
Page 1 / 1
Hi srbough,
Welcome to the Community Forum,
The message ‘Suspicious Activity detected’ is a notification that Webroot SecureAnywhere provides when a change is made to the system that may resemble behavior of a malicious process. Generally speaking, these notifications are not malicious as there are a number of automated tasks that can occur within OS-X that could trigger it. Common tasks that could prompt this message are updates to software, or Folder Actions. It’s common that these kinds of tasks change or modify ‘plist’ files that affect the overall preferences for the system.
You may see in the alert mention of a plist (property list) file, which stores all the settings for an application, or LaunchDaemons, which are a scheduled task to run a single or selection of services. If you ever receive these prompts, you can safely click OK. If the alert repeats multiple times you may click Ignore. We are actively working to improve our SecureAnywhere agent for Mac and new design implementations are coming soon for these prompts and alerts.
Please note, the alert will only show up once to notify you that a trusted application or system process has done something a bit different today. If it was genuinely suspicious or malicious activity, it would be blocked by the client.
Regards,
Welcome to the Community Forum,
The message ‘Suspicious Activity detected’ is a notification that Webroot SecureAnywhere provides when a change is made to the system that may resemble behavior of a malicious process. Generally speaking, these notifications are not malicious as there are a number of automated tasks that can occur within OS-X that could trigger it. Common tasks that could prompt this message are updates to software, or Folder Actions. It’s common that these kinds of tasks change or modify ‘plist’ files that affect the overall preferences for the system.
You may see in the alert mention of a plist (property list) file, which stores all the settings for an application, or LaunchDaemons, which are a scheduled task to run a single or selection of services. If you ever receive these prompts, you can safely click OK. If the alert repeats multiple times you may click Ignore. We are actively working to improve our SecureAnywhere agent for Mac and new design implementations are coming soon for these prompts and alerts.
Please note, the alert will only show up once to notify you that a trusted application or system process has done something a bit different today. If it was genuinely suspicious or malicious activity, it would be blocked by the client.
Regards,
Very helpful Sherry, thanks!
Hello srbough,
No problem. Your are welcome! I own a Mac/Yosemite and this happens to my computer once in awhile too!
Kind Regards,:D
No problem. Your are welcome! I own a Mac/Yosemite and this happens to my computer once in awhile too!
Kind Regards,:D
HI Sherry
Is there a way to whitelist particular system activity? (such as descibed above)
and, or
is there a way to not have these alerts appear on the actual endpoint (vs to Admin using webconsole, or admin account on enduser machine)
thanks in advance
Is there a way to whitelist particular system activity? (such as descibed above)
and, or
is there a way to not have these alerts appear on the actual endpoint (vs to Admin using webconsole, or admin account on enduser machine)
thanks in advance
Hello and Welcome to the Community Forum,
Whitelisting a monitored application for all WSA users normally only requires you provide them a copy of your scan log, or even just the lines from the scan log that say "monitoring." I've never come across a situation where I needed to reproduce a problem to get something taken off monitored. Webroot's tech mostly allows them to see what the program does in their systems already.
Please look here
If you want more control over scans and shielding behavior, you can use Detection Configuration to specify one of the following actions:
To manage file detection:
@ can you assist here?
Regards,
Whitelisting a monitored application for all WSA users normally only requires you provide them a copy of your scan log, or even just the lines from the scan log that say "monitoring." I've never come across a situation where I needed to reproduce a problem to get something taken off monitored. Webroot's tech mostly allows them to see what the program does in their systems already.
Please look here
If you want more control over scans and shielding behavior, you can use Detection Configuration to specify one of the following actions:
- Allow. Ignore a file during scans and shielding.
- Block. Stop a file from executing or being written to your Mac.
- Monitor. Watch the program to determine if it is legitimate or related to malware.
To manage file detection:
- Open the SecureAnywhere interface (click the Webroot icon http://sw.nohold.net/Webroot/Images/wsa_icon.png in the menu bar, then select Open Webroot SecureAnywhere from the drop-down menu).
- From the main window, click the gear icon next to Mac Security.
http://sw.nohold.net/Webroot/Images/macmainpanelclickmacsecuritygear.png
- From the Mac Security window, click the Block/Allow Files tab.
http://sw.nohold.net/Webroot/Images/macquarantinetab.png
This list includes files you may have restored (allowed). You can also add files to this list. You can change the configuration for files already listed in this panel, or you can include other files by clicking the Add File button.
- In the right column, select the radio button for either Allow, Block, or Monitor.If you want to clear an item from the list, click either the Remove File or Remove All button.
Regards,
Hello Hypertrout,
There currently isnt a way to whitelist the activity detection method, but by clicking ignore you shouldnt be bothered by that detection anymore. We are currently looking into ways of improving this function and will be pushing these updates as soon as possible.
Thanks,
There currently isnt a way to whitelist the activity detection method, but by clicking ignore you shouldnt be bothered by that detection anymore. We are currently looking into ways of improving this function and will be pushing these updates as soon as possible.
Thanks,
Thanks for the helpful information.
I also just spoke with Business Tech Suppot. They said this could (possibly) be addressed with the next update. Is there a channel to monitor update release? This would be something that would prevent us from using the service as a solution.
I also just spoke with Business Tech Suppot. They said this could (possibly) be addressed with the next update. Is there a channel to monitor update release? This would be something that would prevent us from using the service as a solution.
Hello hypertrout,
The Announcements for business you can find here: https://community.webroot.com/t5/Webroot-Business-Announcements/bd-p/ent2
@ is his correct?
The Announcements for business you can find here: https://community.webroot.com/t5/Webroot-Business-Announcements/bd-p/ent2
Sherry....I need to start calling you Sherry Helix....you have the answers! 😉
Yep, that's the place! We also have all the release notes on this page:@ wrote:
Hello hypertrout,
The Announcements for business you can find here: https://community.webroot.com/t5/Webroot-Business-Announcements/bd-p/ent2
@ is his correct?
http://www.webroot.com/us/en/support/support-business-release-notes
That would be a real honor wouldn't it? Thank you! Too kind! 😃@ wrote:
Sherry....I need to start calling you Sherry Helix....you have the answers! ;)
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.