Webroot folder in Program Data is ~48GB!!!
-
@Nic said:
Probably a process is getting monitored. It saves a record of all changes when that is happening, in case it needs to roll back. Check the processes being watched to see if any are in monitored status.
Yes you can delete the folder and it will get recreated.
In that case I would be scared that something is doing something bad.
-
have you been hit by crypto something?
for your sake I hope not.. but at the same time.. if yes... then Webroot is currently saving you.
-
@Nic The whole folder? Also, what would be getting monitored that is so huge? I've only been running SW network monitor on that box.
-
in the case of something like cryptoware - webroot would be making a backup copy of all encrypted files before it allows the virus to encrypt them.
-
typically it's something innocuous that we haven't seen before, and it doesn't need to be monitored. If you recognize the process and know it is good then go ahead and whitelist it. If you aren't sure, support would be happy to take a look at it.
-
@Dashrender practically impossible on this machine. It has been off for 3 days, before that no email or browsing, just a headless workstation for testing GIS map stuff.
-
It could be the network monitor itself that we haven't seen before - post a snapshot of the processes within Webroot and we can take a look.
-
@Nic how does he find out what process is being monitored?
-
@Dashrender my ? exactly
-
@RojoLoco said:
@Dashrender practically impossible on this machine. It has been off for 3 days, before that no email or browsing, just a headless workstation for testing GIS map stuff.
In that case, @nic is probably right - webroot just doesn't know the process and it's probably just being cautious.
-
Is this business or consumer version?
-
@Nic Biz endpoint
-
actually it's the same for both, my bad. Click on the gear symbol next to PC Security, then click Block/Allow Files and see what is listed there. Anything with the radio button in the Monitor column is being monitored and needs to be set to either Block or Allow.
-
@Nic where is that on the console? I have the endpoints locked down, no settings available on the local machine.
-
You can do a report for "All Undetermined Software Seen" and that should show you if anything is being monitored. Then you can do an override for it on the Override tab.
-
Actually if you zoom in on an undetermined software from the report it has the override button there to make it easier.
-
@Nic ok that report revealed the issue.... like 6 gazillion instances of our own software, source code, patches, etc. This was a development machine before, and all those database instances are busy clogging up the works. Overrides on the way. Thanks for your help!
-
Ah that makes sense. One thing you can do now is exclude folders, so if you just want to exclude the folders that you put your builds into, that should take care of future versions. Otherwise you'll have to keep whitelisting them as they get created.
-
@Nic I've been trying to stay on top of that stuff, but they can build faster than I can make exclusions.
-
Yeah just exclude the whole folder that they do their dev work in and that should take care of it.