Endpoint Protection

Administrator Guide
Copyright
Endpoint Protection Administrator Guide

June, 2013

© 2012 - 2013 Webroot, Inc. All rights reserved. Webroot is a registered trademark and SecureAnywhere is a
trademark of Webroot, Inc. All other product and company names mentioned may be trademarks or registered
trademarks of their respective owners.
Table of Contents
Chapter 1: Getting Started 5
Preparing for setup 7
Overview of configuration steps 7
System requirements 8
Creating a Webroot account 9
Logging in and using the Setup Wizard 12
Logging in for the first time 12
Selecting a default policy during configuration 13
Selecting a deployment method and performing a test install 15
Using the Management Portal 19
Using the main tabs 21
Opening the Endpoint Protection Menu 22
Opening and collapsing panels 23
Exporting data to a spreadsheet 24
Opening video tutorials 24
Opening the Help files 24
Accessing product information 25
Sorting data in tables and reports 26

Chapter 2: Managing User Accounts 29

Editing your own account settings 30
Managing portal users 33
Creating new portal users 33
Editing user information 36
Setting permissions for portal users 38
Adding keycodes to your account 42
Adding consoles to your account 44
Adding a console 44
Renaming a console 46
Switching consoles 46
Renewing or upgrading your account 47

Chapter 3: Managing Endpoints 49

Deploying SecureAnywhere to endpoints 50
 Using the SecureAnywhere installer 52
Using MSI for deployment 57
Using GPO for deployment 58
Changing an endpoint keycode 59
Renaming endpoints 61
Searching for endpoints 62
Issuing commands to endpoints 63
Checking scan results and managing threats 69
Viewing the scan history 69
Restoring a file from quarantine 70
Setting an override for the file 71
Deactivating endpoints 73
Deactivating an endpoint 73
Reinstalling SecureAnywhere on the endpoint 74
Managing endpoint upgrades and other changes 75
Migrating to a new operating system 75
Changing hardware on an endpoint 75
Moving endpoints to a new subnet 75
Forcing immediate updates (forced polling) 76
Using SecureAnywhere on the endpoint 77
Uninstalling SecureAnywhere 79

Chapter 4: Checking Status 81

Viewing endpoint status 82
Viewing recent threat status 84
Viewing an agent version overview 85

Chapter 5: Managing Policies 87

Implementing policies 88
Selecting a new default policy 89
Creating policies 90
Creating a new policy 90
Copying a policy 91
Changing policy settings 92
Basic Configuration 95
Scan Schedule 97
 Scan Settings 98
Self Protection 99
Heuristics 100
Realtime Shield 103
Behavior Shield 104
Core System Shield 105
Web Threat Shield 106
Identity Shield 107
Firewall 108
User Interface 109
System Cleaner 109
Renaming a policy 114
Exporting policy settings to a spreadsheet 115
Deleting policies 116
Viewing endpoints assigned to a policy 117
Moving endpoints to another policy 118

Chapter 6: Managing Groups 119

Organizing endpoints into groups 120
Adding a new group 122
Applying a policy to endpoint groups 124
Applying a policy to a group 124
Applying a policy to a single endpoint 125
Moving endpoints to another group 127
Deleting groups 128
Renaming groups 129

Chapter 7: Viewing Reports 131

Generating Endpoint Protection reports 132
Generating the Agent Version Spread report 134
Generating the Agents Installed report 137
Generating the All Threats Seen report 139
Generating the All Undetermined Software Seen report 141
Generating the Endpoints with Threats on Last Scan report 143
Generating the Endpoints with Undetermined Software on Last Scan report 146
Generating the Threat History (Collated) report 148
 Generating the Threat History (Daily) report 152

Chapter 8: Managing Alerts 155

Implementing alerts 156
Creating a distribution list 157
Creating customized alerts 158
Viewing your defined alert messages 162
Suspending or deleting alerts 164

Chapter 9: Using Overrides 165

Implementing overrides 166
Applying overrides from the Overrides tab 167
Applying overrides to files from groups 170
Applying overrides to files from reports 172
Viewing overrides 174
Deleting overrides 176
Exporting overrides to a spreadsheet 177

Chapter 10: Viewing Logs 179

Viewing the Change Log 180
Viewing the Command Log 182

Glossary 183
Index 187
Chapter 1: Getting Started

Webroot® SecureAnywhere™ Endpoint Protection secures your enterprise from malware and other threats by
combining Webroot’s behavior recognition technology with cloud computing. Endpoint Protection includes a
Management Portal (also called an Admin Console), which is a centralized website used to view and manage
your endpoints. (An endpoint can be any Windows corporate workstation, such as a PC, laptop, server, or
virtual server.) You can deploy SecureAnywhere software to these endpoints within seconds, protecting users
immediately. Once SecureAnywhere runs a scan on the endpoints, it reports their status into the Management
Portal.

This user guide describes how administrators can deploy SecureAnywhere and use the Management Portal to
view threat alerts, data charts, and other information about endpoint activity. The tasks you can perform depend
on your access permissions and what mode of management you select during Endpoint Configuration. This
guide is intended for administrators who are using Endpoint Protection with full access permissions.

-5-
Endpoint Protection Administrator Guide

Note: For an online version of this guide, go to:

http://www.webroot.com/En_US/SecureAnywhere/SME/EndpointProtection.htm.

To begin using Endpoint Protection, see the following topics:

Preparing for setup 7

Overview of configuration steps 7
System requirements 8
Creating a Webroot account 9
Logging in and using the Setup Wizard 12
Logging in for the first time 12
Selecting a default policy during configuration 13
Selecting a deployment method and performing a test install 15
Using the Management Portal 19
Using the main tabs 21
Opening the Endpoint Protection Menu 22
Opening and collapsing panels 23
Exporting data to a spreadsheet 24
Opening video tutorials 24
Opening the Help files 24
Accessing product information 25
Sorting data in tables and reports 26

-6-
 Chapter 1: Getting Started

Preparing for setup

Before you begin, review the configuration steps in this section and make sure your environment meets the
system requirements.

Note: These configuration steps are intended for the Endpoint Protection administrator who has full
access permissions.

Overview of configuration steps

1. Create an account using your keycode. You should have received the keycode in an email from Webroot.
See "Creating a Webroot account" on page 9.
2. Log in to the Management Portal and open the Setup Wizard. In the wizard, you must select a default
policy for SecureAnywhere installations on endpoints. (An endpoint can be any Windows corporate
workstation, such as a PC, laptop, server, or virtual server. A policy defines the SecureAnywhere
settings, including how the program scans for threats and manages detected items.) After you select a
policy, a Welcome panel opens and provides information about how to deploy SecureAnywhere to
endpoints. See "Logging in and using the Setup Wizard" on page 12.
3. Optional. Edit your account settings for the Management Portal, including your contact number and a
time zone where you are located. See "Editing your own account settings" on page 30. You can also
create logins for other administrators to access the Management Portal. See "Managing portal users" on
page 33.
4. Deploy the SecureAnywhere software to the endpoints. See "Deploying SecureAnywhere to endpoints"
on page 50.
5. Determine if the default policy is sufficient for your business needs. If desired, add new policies with
different settings as described in "Implementing policies" on page 88. (You cannot change the Webroot
default policies.) You may also need to create overrides for certain files that you consider legitimate
applications. See "Applying overrides from the Overrides tab" on page 167.
6. Determine if you need to create separate groups of endpoints for different management purposes. When
you deploy SecureAnywhere to your endpoints, Endpoint Protection places them all in one Default group.
If desired, you can create new groups and assign them to new policies. See "Organizing endpoints into
groups" on page 120.
7. Optional. Customize alert messages that will be sent to a distribution list whenever endpoints report an
infection or whenever SecureAnywhere is installed on new endpoints. See "Implementing alerts" on
page 156.

-7-
Endpoint Protection Administrator Guide

System requirements

You can use Endpoint Protection with the following browsers and server platforms.

Browsers and platforms

Browsers Internet Explorer: versions 8, 9, and 10

Firefox: the latest 5 versions
Chrome: the latest 5 versions
Safari: versions 5.0 and above
Server platforms Windows Server 2003 Standard, Enterprise, 32- and 64-bit
Windows Server 2008 R2 Foundation, Standard, Enterprise
Windows Small Business Server 2008 and 2011
Virtual server platform VM Workstation 6.5, 7.0
Citrix XenDesktop 5 and XenServer 5.0, 5.5, 5.6
Endpoint requirements Operating systems:
for PCs and laptops Windows XP 32- and 64-bit SP2, SP3
Windows Vista 32-bit (all editions), Windows Vista SP1, SP2 32-
and 64-bit (all editions)
Windows 7 32- and 64-bit (all editions)
Windows 7 SP1 32- and 64-bit (all editions)
Processor:
Intel Pentium/Celeron family
AMD K6/Athlon/Duron family
Other compatible processor with those listed above
Memory: 128 MB RAM (minimum)

Browsers:
Internet Explorer: versions 8, 9, and 10
Firefox: the latest 5 versions
Chrome: the latest 5 versions
Safari: versions 5.0 and above
Opera: the latest 5 versions

-8-
 Chapter 1: Getting Started

Creating a Webroot account

Before you can log in to Endpoint Protection, you must create an account using your license keycode. You
should have received the keycode in an email sent from Webroot.

To create an account:

1. Go to the SecureAnywhere website: https://my.webrootanywhere.com.

2. In the Log in panel, click Sign up now.

The registration page opens.

-9-
Endpoint Protection Administrator Guide

3. Complete the following information:

Account registration

Webroot Product Enter the license keycode you received when you purchased Endpoint
Keycode Protection.
Email Address Enter the email address for the administrator who will manage Endpoint
Protection. The account activation confirmation is sent to this email
address, which is also the username for logging in to the Management
Portal.
Password Enter a minimum of 9 characters. Your password must contain at least
6 alphabetic characters and 3 numeric characters. Your password can
be longer than the required 9 characters. It can include special
characters, except for the angle brackets: < >. Your password is case
sensitive.
As you type, the Strength meter shows how secure your password is.
For optimum security, it’s a good idea to make your password as strong
as possible.
Your Personal Enter a word or number, which will be used for an extra security step
Security Code after you enter the password during login. Choose a code that is easy to
remember, using a minimum of 6 characters. Every time you log in, the
Management Portal prompts you to enter two random characters of this
code. For example, if your code is 123456 and it prompts you for the
fourth and sixth character, you would enter 4 and 6. Your Personal
Security Code is case sensitive.
Security Question Choose a question from the drop-down list. If you forget details of your
login later, you will need to provide the answer to this question to
retrieve the information.
Security Answer Type an answer to your security question. The Security Answer is
case-sensitive.

4. Click Register Now.

Endpoint Protection verifies the keycode you entered, and then displays a License Agreement at the
bottom of the panel as shown in the following example.

- 10 -
 Chapter 1: Getting Started

5. Click the link to read the agreement. When you're done, click the checkbox to accept the agreement and
click Register Now again.
Webroot sends a confirmation message to the email address you specified.
6. Open your email application and click the link in the confirmation email message.
7. When the Confirm Registration page opens, enter the two randomly selected characters of the security
code you specified when you created the account. Click Confirm Registration Now.
You can now log in to the Management Portal to begin configuring Endpoint Protection. See "Logging in
and using the Setup Wizard" on page 12.

- 11 -
Endpoint Protection Administrator Guide

Logging in and using the Setup Wizard

After you create an account (see "Creating a Webroot account" on page 9), you can log in to the Management
Portal. On your first login, a Setup Wizard opens to help you begin configuration.

Logging in for the first time

1. Open a browser and go to the SecureAnywhere website: https://my.webrootanywhere.com.
Tip: To display a language other than English, click the drop-down arrow in the upper right corner of the
page, select a language, then click Go. Be aware that to enable languages that use double-byte character
sets, you must have the appropriate language pack installed on your computer.
2. In the Log in panel, enter the email address and password you specified when you created an account.
Click Log in.
Tip: If you forget your password or security code, click the Can't log in? link, then click I forgot my
password or I forgot my security code. Endpoint Protection prompts you to enter your email address,
and sends you an email message containing a link for resetting your password or security code.

3. In the Confirm Logon panel, enter the requested characters of your security code and click Login.
This personal security code was defined when you created a Webroot account. Every time you log in,
Endpoint Protection will require this extra security step. Be aware that it prompts for two random
characters of your code. For example, if your code is 123456 and it prompts you for the fourth and sixth
characters, you would enter 4 and 6.

- 12 -
 Chapter 1: Getting Started

4. When the SecureAnywhere website opens, click Go to Endpoint Protection.

Note: If you also purchased Mobile Protection, you will have access to the portal for Mobile Protection
as well; otherwise, you will not see the Mobile Protection panel.

The first time you log in, the Setup Wizard opens. Continue with the next section to select a default
policy.

Selecting a default policy during configuration

The Setup Wizard prompts you to select a default policy for new SecureAnywhere installations on endpoints.
(A policy defines the SecureAnywhere settings, including how the program scans for threats and manages
detected items.)

- 13 -
Endpoint Protection Administrator Guide

The Setup Wizard provides the following default policies:

l Recommended Defaults. Provides our recommended security, with threats automatically

removed and quarantined.
l Recommended Server Defaults. Provides our recommended security for servers, with
threats automatically removed and quarantined, while also allowing the servers to run with
optimal performance.
l Silent Audit. Scans for threats without user interaction. Does not block or quarantine
detected items. This policy allows you to review SecureAnywhere's threat detections first,
so you can review detected items and add overrides for any legitimate application files.
Use this policy if you are concerned about a false positive being detected or you are
applying SecureAnywhere to a critical server. This policy is helpful if you want to
preconfigure overrides before applying a stricter policy that will automatically remediate
detected items. For more information about overrides, see "Applying overrides from the
Overrides tab" on page 167.
l Unmanaged. Provides our recommended security, while also allowing users to change
their own SecureAnywhere settings on their endpoints. Unmanaged endpoints still report
into the Management Portal and show scan results. Administrators can also send them
commands, but cannot change the policy settings.

- 14 -
 Chapter 1: Getting Started

Tip: If you are not sure which policy to select, the Recommended Defaults policy is a
good starting point for protecting endpoints immediately. You can easily change the default
policy later, as described in "Selecting a new default policy" on page 89, or create your
own policies and assign them to groups of endpoints, as described in "Creating policies" on
page 90.

To select a default policy:

1. Open the drop-down menu and select one of policies.

2. Click Submit.
The Endpoint Protection status page opens, showing a Welcome panel on the top, deployment options on
the bottom, and Support resources on the right. Continue with the next section to select a deployment
method.

Selecting a deployment method and performing a test install

The Welcome panel describes methods of deploying the SecureAnywhere program to endpoints.

l If you have a small network (less than 100 endpoints), you may want to use the quick method described
in the How to get started panel. Follow the instructions provided.
l If you have a large network and use Active Directory, we recommend that you click Deploying
Webroot SecureAnywhere at the bottom to learn more about advanced deployment options. See also
"Deploying SecureAnywhere to endpoints" on page 50.

- 15 -
Endpoint Protection Administrator Guide

Note: If you close out of the Welcome panel, you can view the keycode and deployment information
again by clicking the Resources tab.

To get started, we recommend that you deploy SecureAnywhere to at least one test endpoint so you can see its
status in the Management Portal.

To deploy SecureAnywhere to a test endpoint:

1. Look for your keycode in the How to get started panel.

This keycode identifies your Endpoint Protection license.

- 16 -
 Chapter 1: Getting Started

2. Download the SecureAnywhere installer file by clicking the Download link.

3. From the endpoint, run the installer file. When the following Installation panel appears, enter your
Endpoint Protection keycode and click Agree and Install.

Alternatively, you can send a test email to an end user who will install SecureAnywhere. To do this,
click the Email template link from the Welcome panel (or Resources tab), and then cut and paste the
text into an email message. The link automatically adds the correct keycode for the user. Next, the user
clicks the link to begin installation. The program installs silently in the background, with the correct
keycode already entered. When it's done, a Webroot icon appears in the endpoint's system tray.
4. Wait for SecureAnywhere to finish its first scan. This should only take a few minutes.
When it's done, SecureAnywhere reports into the Management Portal.

- 17 -
Endpoint Protection Administrator Guide

5. After the endpoint finishes a scan, log in to the SecureAnywhere website again and see its status. When
you click Go to Endpoint Protection, the Management Portal opens (you won't see the Setup Wizard
again). See "Using the Management Portal" on page 19.

- 18 -
 Chapter 1: Getting Started

Using the Management Portal

The Management Portal is a central website that administrators can use to view and manage network status.
The administrator who first created the Webroot account has access to all functions in the portal (see "Creating
a Webroot account" on page 9). If desired, the administrator can create additional users with full or limited
access (see "Managing portal users" on page 33).

To log in to the Management Portal:

1. Go to the SecureAnywhere website: https://my.webrootanywhere.com.

2. In the Log in panel, enter the email address and password you specified when you created an account.
Click Log in.

3. In the Confirm Logon panel, enter the requested characters of your security code and click Login.

This personal security code was defined when you created a Webroot account. Every time you log in,
Endpoint Protection will require this extra security step. Be aware that it prompts for two random
characters of your code. For example, if your code is 123456 and it prompts you for the fourth and sixth
characters, you would enter 4 and 6.

The SecureAnywhere website opens and shows the total number of endpoints protected in your network,
any endpoints that have threats, and any endpoints with threats detected in the last 24 hours.
4. From the Endpoint Protection panel (see the following example), you can click Go to Endpoint
Protection to open the Management Portal or click an "Endpoint Infected" link (if any) to open the
Management Portal and go directly to the threat information panel.

- 19 -
Endpoint Protection Administrator Guide

The Management Portal looks similar to the following example. The Status panel includes threat alerts,
endpoint activity, and data charts. You can click tabs along the top that allow you to access configuration and
other tasks.

- 20 -
 Chapter 1: Getting Started

The following sections describe the areas of the Management Portal, including its tabs, menus, panels, tables,
search functions, and export functions.

Using the main tabs

The following table describes the Endpoint Protection tabs.

Management Portal tabs

Status A dashboard that shows:

l An alert notification panel, if endpoints need attention. Click the
notification to see a list of endpoints that encountered threats.
l A bar chart showing the number of endpoints that encountered
threats in the last 7 days.
l A pie chart showing the SecureAnywhere versions installed on
your endpoints.
l An endpoint activity panel showing the number of endpoints
reporting into the Management Portal (based on a timeframe you
select). If any endpoints have not reported their status recently, you
can click the View link next to Not Seen to determine which
endpoints are not reporting status.
l A panel showing the endpoints with the most recent threats.You
can click on a row to view more information and add an override,
if desired.
l A panel with links to Webroot's threat blog, guides, videos, release
notes, and other news. (Not shown in the example above; see
"Accessing product information" on page 25.)

Policies Policies define the behavior of SecureAnywhere on the endpoints, such

as when it runs a scan and how it blocks potential threats.
Group Management Groups help you organize endpoints for easy management. You can view
your groups and each endpoint in the group. You can also select
individual endpoints to see their scan histories.
Reports Reports show threats and unidentified software present on your endpoints,
as well as the versions of SecureAnywhere they are running.
Alerts Alerts allow you to customize warnings and status messages for a
distribution list of administrators.

- 21 -
Endpoint Protection Administrator Guide

Management Portal tabs

Overrides Overrides provide administrative control over the files running in your
environment. You can override files so they are not blocked or always
quarantined.
Logs Logs provide a view of changes and a history of command usage.
Resources Resources provides information on deployment options for endpoints.

Opening the Endpoint Protection Menu

The arrow next to your login ID opens the menu for Endpoint Protection. The options available on the menu
vary, depending on your access permissions.

See the following table for more information about the Endpoint Protection Menu.

Endpoint Protection Menu

Account Settings Edit your account settings, including your password and other
information. See "Editing your own account settings" on page 30.
Manage Users Provide other users with access to the Management Portal. See
"Managing portal users" on page 33.

- 22 -
 Chapter 1: Getting Started

Endpoint Protection Menu

Manage Keycodes View your current Endpoint Protection license keycodes and add more to
the portal, if you purchased additional keycodes. See "Adding keycodes to
your account" on page 42.
Downloads Download the SecureAnywhere installer file and read more about
deployment options.
Help Open the online instructions for the Management Portal.
Support Open the interactive knowledgebase to find product information.
Logout Exit out of the Management Portal.

Opening and collapsing panels

For a larger view of the data charts, you can collapse the panels on the far left and the far right. Click the
Collapse buttons (shown in the following example). The bar charts in the middle panel are static; you cannot
collapse them or change the type of charts that display.

To re-open the panel, click the Collapse button again, as shown in the following example.

- 23 -
Endpoint Protection Administrator Guide

Exporting data to a spreadsheet

When you see a spreadsheet icon, you can click that icon to export the displayed data into a spreadsheet.

Opening video tutorials

When you see a television icon (shown in the following example), you can click that icon to view a video that
describes a procedure related to the panel.

Opening the Help files

When you see a Question mark icon, you can click that icon to open Help for the current panel. You can also
go to:
http://www.webroot.com/En_US/SecureAnywhere/SME/EndpointProtection.htm.

- 24 -
 Chapter 1: Getting Started

Accessing product information

Webroot's threat blog, guides, videos, release notes, and other news are available from the right panel. Click a
link to access the resources under Help and Support or News and Updates.

If this panel is not open, click on the Collapse button on the far right:

- 25 -
Endpoint Protection Administrator Guide

Sorting data in tables and reports

You can sort, hide, and show data in tables and reports, as follows:

l Quick sort on a column: Click the desired column head to sort by that subject. For example, if you want
to sort data by policy name, you would click the Policy column header.
l Change the ascending or descending order: Click at the end of a column header to display the drop-
down arrow, then click the arrow to open the menu. Select either Sort Ascending or Sort Descending
to change the order of data points in a column.
l Show or hide columns: Click at the end of a column header to display the drop-down arrow, then click
the arrow to open the menu. Select a box (check) to show a column. Deselect a box (uncheck) to hide a
column.

The following table describes subject data that may appear in Endpoint Protection tables and reports. The data
that appears depends on the type of table or report displayed.

- 26 -
 Chapter 1: Getting Started

Data points in tables and reports

Agent Language The language selected when SecureAnywhere was installed:

en = English
ja = Japanese
es = Spanish
fr = French
de = German
it = Italian
nl = Dutch
ko = Korean
zh-cn = Simplified Chinese
pt = Brazilian Portuguese
ru = Russian
tr = Turkish
zh-tw = Traditional Chinese
Agent Version The version of the SecureAnywhere software installed on the endpoint.
All Endpoints More information about the endpoints where a file was detected and
blocked.
All Versions More information about the SecureAnywhere versions where a file was
detected and blocked.
Approx Scan Time The duration of a scan in minutes and seconds.
Area A flag for the country where the endpoint is located.
Cloud Determination The Webroot classification of the file, which can be Good, Bad, or
Undetermined.
Days Infected The number of days the endpoint remained infected.
Device MID A Machine ID value that identifies the hardware for an endpoint.
Webroot uses an algorithm to determine this value.
Endpoints Affected The number of endpoints with a detected file.
File Size The size of the file in bytes.
Filename The filename of the detected threat.
First Infected The date and time a threat was detected.
First Seen The date and time this endpoint first checked into the Management Portal.
Group The group assigned to the endpoint.
Hostname The machine name of the endpoint.

- 27 -
Endpoint Protection Administrator Guide

Data points in tables and reports

Instance MID A value that identifies the Windows operating system SID (Security
Identifier). Webroot uses an algorithm to determine this value.
IP Address The IP address of the endpoint.
Keycode The license used to install SecureAnywhere on the endpoint.
Last Infected The date and time the endpoint reported an infection.
Last Scan Time The time of the last scan on this endpoint.
Last Seen The date and time this endpoint last checked into the Management Portal.
Malware Group The classification of the malware; for example: Trojan or System
Monitor.
MD5 The Message-Digest algorithm 5 value, which acts like a fingerprint to
uniquely identify a file.
OS The operating system of the endpoint.
Pathname The directory (folder) where the file was detected.
Policy The policy assigned to the endpoint.
Product The name of the product associated with the file, if SecureAnywhere can
determine that information.
Scan Type The type of scan: Deep Scan, Post Cleanup Scan, or Custom/Right-
Click Scan.
Status The current status of the endpoint: Protected (no infections), Infected
(malware detected), Not Seen Recently (has not reported into the portal),
Expired (SecureAnywhere license has lapsed), or Infected & Expired.
System Pack The number of the service pack for the operating system.
System Type Either 32-bit or 64-bit.
Vendor The name of the vendor associated with the file, if SecureAnywhere can
determine that information.
Version The version of the product associated with the file, if SecureAnywhere
can determine that information.
VM Yes, if the endpoint is installed on a virtual machine.
Windows Full OS The name of the Windows operating system.

- 28 -
Chapter 2: Managing User Accounts

To manage your Webroot account, see the following topics:

Editing your own account settings 30

Managing portal users 33
Creating new portal users 33
Editing user information 36
Setting permissions for portal users 38
Adding keycodes to your account 42
Adding consoles to your account 44
Adding a console 44
Renaming a console 46
Switching consoles 46
Renewing or upgrading your account 47

- 29 -
Endpoint Protection Administrator Guide

Editing your own account settings

An account defines your user details (login name, password, etc.) and access permissions. For your own
account, you can change any setting except the email address specified for your login name.

Note: If you want to edit settings for other portal users, see "Managing portal users" on page 33.

To edit your account settings:

1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Account
Settings.

2. In the Account Settings panel, click one of the Change links to open another panel where you can edit
the information.

- 30 -
 Chapter 2: Managing User Accounts

3. In the User Details panel, make the desired changes to your name and phone numbers.
Note: The Display Name is the name that appears in the Management Portal.
If you need to change the time zone, click the pencil icon at the right, then type the country, region, or
city to open a drop-down menu of choices.

4. To check your access permissions, click the Access & Permissions tab. If you are the main Endpoint
Protection administrator, we recommend that you keep the default settings as shown in the following
example. For more information about the settings, see "Setting permissions for portal users" on page 38.

- 31 -
Endpoint Protection Administrator Guide

5. Click Save Access & Permissions when you're done.

- 32 -
 Chapter 2: Managing User Accounts

Managing portal users

If you have Admin permission for Endpoint Protection (see "Setting permissions for portal users" on page 38),
you can create new Management Portal users, set access permissions for them, and edit their information.
When you create new users, Endpoint Protection sends them an email with further details for creating a
password and logging in.

Creating new portal users

You might want to add other administrators so they can access Endpoint Protection reports. You can also add
users with limited permissions so they can view data, but not make changes.

To create a new portal user:

1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Manage
Users.

2. In the Manage Users panel, click Create New User.

- 33 -
Endpoint Protection Administrator Guide

3. In the Create New User panel, enter the user's email address (the address where the user receives the
confirmation message). The email address will also serve as the user's login name.
If you entered the wrong email address and the user does not receive the message, you will be able to
change the email address and re-send it later. See "Editing user information" on page 36.
4. Select the time zone where this user is located. Click the pencil icon at the right, then type the country,
region, or city to open a drop-down menu of choices.

5. Next to Do you wish to give this user Console access?, click in the Yes checkbox.
Additional fields appear at the bottom, as shown in the following example.

In these two fields, you must specify the level of access to give the user for SecureAnywhere or
Endpoint Protection. The two types of consoles are described as follows:

l SecureAnywhere: The Home page of my.webrootanywhere.com (see the following

example). From here, the user can access other Webroot portals, such as the Mobile

- 34 -
 Chapter 2: Managing User Accounts

Protection portal (if your company purchased Mobile Protection).

l Endpoint Protection: The Management Portal (or Admin Console) for Endpoint Protection.
When users have access to this portal, they will see the Go to Endpoint Protection button
and can click it to enter the Management Portal (see the following example).

6. In the SecureAnywhere field, click the drop-down arrow to select either Basic (limited access to
consoles and account settings) or Admin (full access to all keycodes, users, and account settings in
Webroot portals).
7. In the Endpoint Protection field, click the drop-down arrow to change No Access to either Basic (read-
only access to endpoint scans) or Admin (full access to all settings).
You can further modify this user's permissions later, as described in "Setting permissions for portal
users" on page 38.

- 35 -
Endpoint Protection Administrator Guide

8. When you're done, click Create User to send a confirmation email to the new user.
The user's email message includes a temporary password for the first login. When the user clicks the
confirmation link in the email, the Confirm Registration panel opens for the user to enter login
information (see the following example).

Editing user information

After the user confirms registration, you can return to the Manage Users panel and edit information for that
user. (You cannot view or edit other users' passwords, security codes, or security questions; only they have
access to that information.)

If the user has not confirmed registration, you will see the user's status as Awaiting Confirmation. The status
changes to Activated when the user receives the email and confirms the registration. If desired, you can resend
the confirmation email by clicking the envelope icon next to the Awaiting Confirmation status.

- 36 -
 Chapter 2: Managing User Accounts

To edit portal users:

1. Locate the row for the user you want to edit, then click that user's edit icon.
The edit icon is at the far right, as shown in the following example.

Note: If your account has multiple consoles, you see only users who are associated with the keycodes
for the currently active console. For more information about consoles, see "Adding consoles to your
account" on page 44.
2. In the User Details panel, make the desired changes to the name and phone numbers.
If the user has an Awaiting Confirmation status, this dialog shows an email field at the top. You might
want to change the email address if you entered an incorrect address for the user and need to resend the
registration.

3. If you want to change the settings under Access & Permissions, see "Setting permissions for portal
users" on page 38 for further instructions.

4. Click Save Details when you're done.

- 37 -
Endpoint Protection Administrator Guide

Setting permissions for portal users

If you have Admin permission for Endpoint Protection, you can edit the following permissions for other
Management Portal users:

l Site access. Change the level of access between Basic and Admin levels for the SecureAnywhere
website (Home panel of my.secureanywhere.com) and the Management Portal of Endpoint Protection.
l Groups. Specify whether the user can create and modify groups of endpoints, deactivate or reactivate
endpoints, or assign endpoints to groups.
l Policies. Specify whether the user can create and modify policies or assign policies to endpoints.
l Overrides. Specify whether the user can make overrides to files, designating them as "good" or "bad."
l Commands. Specify what types of commands the user can issue to the endpoints.
l Alerts. Allow this user to create and edit warning messages.

To set user permissions:

1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Manage
Users.

2. Locate the row for the user you want to edit, then click that user's edit icon.
The edit icon is at the far right, as shown in the following example.

- 38 -
 Chapter 2: Managing User Accounts

The User Details panel opens.

3. Click the Access & Permissions tab to see the list of Endpoint Protection functions and their associated
access permissions.

- 39 -
Endpoint Protection Administrator Guide

4. Assign access permissions for this user, as described in the following table. When you're done, click
Save Access & Permissions.

- 40 -
 Chapter 2: Managing User Accounts

Access & Permissions

Groups Create & Edit. Define and modify groups of endpoints.

Deactivate/Reactivate Endpoints. Deactivate and reactivate endpoints
from the Management Portal. See "Deactivating endpoints" on page 73.
Assign Endpoints to Groups. Allows the portal user to move one or
more endpoints from one group to another.
See "Organizing endpoints into groups" on page 120.
Policies Create & Edit. Define, delete, rename, copy, and export policies.
Assign Policies to Endpoints. Associate a policy with an endpoint or
group of endpoints.
See "Implementing policies" on page 88.
Overrides MD5. Override how a file is detected by entering the MD5 value of a
file. MD5 (Message-Digest algorithm 5) is a cryptographic hash
function that acts like a fingerprint to uniquely identify a file.
Determination Capability. Specify overrides based on these settings:
l Good — Allow files containing the specified MD5 value.
l Bad — Block files containing the specified MD5 value. When a
scan encounters this file, it flags it and requests action from the
SecureAnywhere user.
l Good & Bad — Allow either Good or Bad.
See "Implementing overrides" on page 166.
Commands None. Do not allow this user to send commands to endpoints.
Simple. Access to the Agent and Clear Data commands, and view
commands for selected endpoints.
Advanced. Access to Agent, Clear Data, Keycode, Power & User
Access, Antimalware Tools, Files & Processes commands, and view
commands for selected endpoints.
Expert. Access all commands, including Expert Advanced options.
See "Issuing commands to endpoints" on page 63.
Alerts Create & Edit. Configure instant or scheduled alerts for endpoint
activity.
See "Implementing alerts" on page 156.

- 41 -
Endpoint Protection Administrator Guide

Adding keycodes to your account

You can have one or more keycodes in your Webroot account. A keycode is a 20-character license used to
install SecureAnywhere on endpoints, which identifies how many seats you have available for installations. If
you purchase more keycodes, you must add them manually as described in this section.

Note: To view existing keycodes and add new ones, you must have Admin permission for Endpoint
Protection (see "Setting permissions for portal users" on page 38).

To purchase and add keycodes:

1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Manage
Keycodes.

The Manage Keycodes panel opens.

Note: If your account has multiple consoles, you see only the keycodes that are associated with the
currently active console.

- 42 -
 Chapter 2: Managing User Accounts

The Keycode list shows the attributes associated with each Endpoint Protection license.

Manage Keycodes panel

Keycode The 20-character license you received when you purchased Endpoint
Protection.
Edition Endpoint Protection, or another Webroot product you purchased.

Devices Number of endpoints that can use this keycode.

Days Remaining Number of days remaining for this keycode to be active, and the
expiration date.

Renew A link for renewing your subscription. See "Renewing or upgrading your
account" on page 47.

Upgrade A link for purchasing more endpoint seats for this license. See
"Renewing or upgrading your account" on page 47.

2. If you need to purchase another keycode, click Buy a Keycode now at the top of the list.
The Webroot Business website opens. From here, you can buy another keycode.
3. After you purchase the keycode, you can add it to Endpoint Protection by clicking Add Product
Keycode.

4. In the Add a Keycode dialog, enter the keycode you just purchased and click Add.
Your new keycode will appear in the Manage Keycodes panel and in the Resources tab.

- 43 -
Endpoint Protection Administrator Guide

Adding consoles to your account

When you first created an account, Endpoint Protection organized your managed devices into a single console.
A console is a collection of one or more endpoints running SecureAnywhere or other Webroot products. If you
have a large network with hundreds of endpoints, you might want to create multiple consoles for simplified
views of device groups. For example, you can create separate consoles for endpoints in remote offices or
endpoints in separate departments.

Note: Adding a console requires that you obtain a new keycode from Webroot. Keep in mind that our
Endpoint Protection billing system is based on the number of seats you have, not on the number of
keycodes. You do not need to purchase a new keycode, unless you have exceeded your maximum
allowance of endpoint seats. Contact your Webroot sales representative for more information.

This section describes how to add a console, rename a console, and switch between consoles.

Adding a console

Before you create a console, you must first obtain a new keycode and deploy SecureAnywhere to the
endpoints with that keycode. When you create the console, it will automatically discover the endpoints that use
the new keycode. (If you need to migrate existing endpoints from one console to another, you must contact
Webroot Business Support for assistance.)

To add a console to your account:

1. Go to the SecureAnywhere website: https://my.webrootanywhere.com.

2. Instead of logging in to your account, click Sign up now.

- 44 -
 Chapter 2: Managing User Accounts

3. In the first field, enter the new keycode.

4. In the remaining fields, specify your existing account information for the email address, password,
security code, and security question and answer.
5. Click Register Now.
As shown in the following example, Webroot recognizes your account information and prompts you to
either create a new console for the keycode or add the keycode to an existing console.

6. Click Select in the left panel to add a new console.

The SecureAnywhere website creates the console and prompts you to log in.
7. Log in with your account information, then choose the new "Unnamed Console." (You can rename it as
described in the following section.)
Your new console shows any endpoints that use the keycode you entered.

- 45 -
Endpoint Protection Administrator Guide

Renaming a console

To rename the console:

1. Click Rename (located below your login name in the upper right).

2. Enter the new name (using numbers and spaces, but not special characters), then click Save.

Switching consoles

To switch between consoles:

1. Click Change Console (located below your login name in the upper right).

2. Select the console name from the table.

- 46 -
 Chapter 2: Managing User Accounts

Renewing or upgrading your account

From the Management Portal, you can easily renew your Endpoint Protection license or add more seats to your
license. When your license is about to expire or has already expired, you will see a warning message on the
Status panel, similar to the example below:

You can click Upgrade/Renew from this message or you can go to the Manage Keycodes panel as described
below.

To renew or upgrade your account:

1. Open the Endpoint Protection menu by clicking the arrow next to your login ID, then click Manage
Keycodes.

- 47 -
Endpoint Protection Administrator Guide

2. In the Manage Keycodes panel, click either Renew to extend your license or Upgrade to add more
seats to your license.
Note: Your license is tied to a keycode, so select the appropriate row for the keycode you need to renew
or upgrade.

The Webroot website opens with further instructions.

- 48 -
Chapter 3: Managing Endpoints

To deploy SecureAnywhere to endpoints and to manage endpoints in the portal, see the following topics:

Deploying SecureAnywhere to endpoints 50

Using the SecureAnywhere installer 52
Using MSI for deployment 57
Using GPO for deployment 58
Changing an endpoint keycode 59
Renaming endpoints 61
Searching for endpoints 62
Issuing commands to endpoints 63
Checking scan results and managing threats 69
Viewing the scan history 69
Restoring a file from quarantine 70
Setting an override for the file 71
Deactivating endpoints 73
Deactivating an endpoint 73
Reinstalling SecureAnywhere on the endpoint 74
Managing endpoint upgrades and other changes 75
Migrating to a new operating system 75
Changing hardware on an endpoint 75
Moving endpoints to a new subnet 75
Forcing immediate updates (forced polling) 76
Using SecureAnywhere on the endpoint 77
Uninstalling SecureAnywhere 79

- 49 -
Endpoint Protection Administrator Guide

Deploying SecureAnywhere to endpoints

You can deploy SecureAnywhere to endpoints using a variety of methods, depending on your business
requirements and network size. An endpoint can be a Windows PC, laptop, server, or virtual server installed in
your network. (A list of endpoint system requirements is provided in "Preparing for setup" on page 7.)

Tip: You can configure alerts so that administrators receive notification whenever new endpoints are
installed. See "Implementing alerts" on page 156.

To deploy SecureAnywhere to endpoints, follow these steps:

1. Find your keycode. If you don't know your keycode, look in the Resources tab of the Management
Portal.

Note: Devices must use the Endpoint Protection keycode before they can report into the Management
Portal. If there are endpoints in your network that already have SecureAnywhere installed with a
different keycode, see "Changing an endpoint keycode" on page 59.
2. Select a method of deployment that best suits your environment.
The following table describes methods of deployment.

- 50 -
 Chapter 3: Managing Endpoints

Deployment options

Deploy the Deploy the SecureAnywhere installer file using one of these
SecureAnywhere methods:
executable file
l Manually install the executable file on each endpoint.
l Send emails to end users, so they can install the software
by clicking on the link provided in the email template.
l Rename the executable file using your keycode. (The
email template also provides a renamed executable file
with the keycode.)
l Use additional commands with the executable file to
deploy it in the background.
l Use command-line options with the installer to deploy to
endpoints that are behind a proxy server.

Use MSI Deploy the SecureAnywhere installer file using the Microsoft
deployment options Installer (MSI).
Use Windows Deploy the SecureAnywhere installer file using GPO (Group
Group Policy Policy Object). You should have experience with Microsoft’s
Object (GPO) Active Directory and the Group Policy Object editor.

Tip: If you have a small network with less than 100 endpoints, we recommend that you use the simple
deployment options described in the Resources tab. If you have a large network and use Active
Directory, you should use the advanced deployment options. For large networks, you may also want to
organize endpoints into separate consoles for simplified views into smaller groups (see "Adding
consoles to your account" on page 44).

3. Deploy SecureAnywhere to the endpoints, as described in one of these sections:

l "Using the SecureAnywhere installer" on page 52.

l "Using MSI for deployment" on page 57.

l "Using GPO for deployment" on page 58.

4. Check the Management Portal to make sure the endpoints have reported their status. See "Viewing
endpoint status" on page 82.
All endpoints are first assigned to your default policy and a default group. You can change those
assignments later, if desired. See "Implementing policies" on page 88 and "Applying a policy to endpoint
groups" on page 124.

- 51 -
Endpoint Protection Administrator Guide

Using the SecureAnywhere installer

You can deploy the SecureAnywhere installer file using one of these methods:

l Install SecureAnywhere on each endpoint.

l Send emails to end users, so they can install the software by clicking on the link provided in the email
template.
l Rename the executable file using your keycode. This method is useful if you plan to use your own
deployment tool and if you prefer not to use MSI commands to run the installation in the background.
l Use additional commands with the executable file to deploy it in the background.
l Use command-line options with the installer to deploy to endpoints that are behind a proxy server.

To use the SecureAnywhere installer:

1. On the endpoint, download the SecureAnywhere installer file.

The installer file is available from the Resources tab or by clicking this link:
http://anywhere.webrootcloudav.com/zerol/wsasme.exe
2. In the installation panel (shown below), enter the keycode.
Your keycode is shown in the Resources tab.

- 52 -
 Chapter 3: Managing Endpoints

3. Optionally, you can click Change installation options at the bottom of the installation panel and set
these options:

l Create a shortcut to SecureAnywhere on the desktop. This option places a shortcut

icon on the Windows Desktop for SecureAnywhere.
l Randomize the installed filename to bypass certain infections. This option changes the
Webroot installation filename to a random name (for example, “QrXC251G.exe”), which
prevents malware from detecting and blocking Webroot’s installation file.
l Protect the SecureAnywhere files, processes, and memory from modification. This
option enables self protection and the CAPTCHA prompts. (CAPTCHA requires you to
read distorted text on the screen and enter the text in a field before performing any critical
actions.)
l Change Language. To change the language displayed in SecureAnywhere, click the
Change Language button and select from the supported languages. (You can only change
the displayed language during installation, not after.)

4. Click Agree and Install.

During installation, SecureAnywhere runs an immediate scan on the endpoint.

To send an email to end users so they can install SecureAnywhere themselves:

1. Click the Resources tab.

2. Click the Email template link.
The email template opens in the panel below.

3. Cut and paste the text into an email message. The link automatically adds the correct keycode for the
user. Send the email to the users.
The user clicks the link to begin installation. The program installs silently in the background, with the
correct keycode already entered. When it's done, a Webroot icon appears in the endpoint's system tray.

- 53 -
Endpoint Protection Administrator Guide

To run a background installation by renaming the executable file:

You can deploy SecureAnywhere by renaming the executable file with the keycode. This method is useful if
you plan to use your own deployment tool and if you prefer not to use MSI commands to run the installation in
the background. You can also use the email template (described above), which is preconfigured to include a
renamed installer file with your keycode.

Note: In User Account Control environments, the account used to run the installer must have local
admin rights. You must run the installer from a process that has elevated privileges in UAC
environments, to prevent the end user from seeing a UAC prompt.

1. On the endpoint, download the SecureAnywhere installer file:

http://anywhere.webrootcloudav.com/zerol/wsasme.exe
2. Rename the installer file by replacing wsasme with your keycode.
The resulting file name will have this format: XXXX-XXXX-XXXX-XXXX-XXXX.exe
3. Install the SecureAnywhere software on your endpoints, using your own deployment tool.

To run a background installation from a command line:

1. On the endpoint, download the SecureAnywhere installer file:

http://anywhere.webrootcloudav.com/zerol/wsasme.exe
2. Run the installer from a command line, using any of the command options listed in the following table.
(More options are available; contact Webroot Business Support for more information.)

Command line options

/key=keycode Installs with the provided keycode, with or without hyphens. For
example: wsasme.exe/key=xxxx-xxxx-xxxx-xxxx-xxxx
/silent Installs in the background.
/nostart Installs without starting SecureAnywhere.

- 54 -
 Chapter 3: Managing Endpoints

Command line options

/lockautouninstall= Allows automatic uninstallation of SecureAnywhere using the

password password you specify. This option is useful if you need to silently
uninstall SecureAnywhere later. To uninstall, use the /autouninstall
command.
When you use /lockautouninstall, SecureAnywhere is not included in
the Add/Remove Programs list in the Control Panel. Use the
/exeshowaddremove command to include SecureAnywhere in
Add/Remove Programs.
/autouninstall= Corresponds to /lockautouninstall. Example:
password wsasme.exe/autouninstall=password
By default, SecureAnywhere does not appear in the Add/Remove
Programs list in the Control Panel, which prevents the user from
removing the software in unmanaged mode.
/exeshowaddremove Includes SecureAnywhere in the Control Panel Add/Remove Programs
list.
Example: wsasme.exe /key=xxxx-xxxx-xxxx-xxxx
/lockautouninstall=password /exeshowaddremove
Note: Adding SecureAnywhere to Add/Remove Programs enables the
endpoint user to remove the software in unmanaged mode.
/group=groupname Deploys endpoints directly into a specified group. For example:
wsasme.exe /key=xxxxxxxxx /silent /group=Sales
Note: Does not support spaces or localized characters in the group
name. Certain characters like “-“, “_”, or “@” are supported.
Other requirements:
l The group must already exist in the console.
l You can only use this option for new installs on systems that the
console has not previously seen.
l For MSI installs you must use command line and not an MSI
editor.

- 55 -
Endpoint Protection Administrator Guide

Command line options

Specifies proxy settings.

-proxyhost=X -
proxyport=X - Note about proxy settings: If the endpoint connects
proxyuser=X - through a proxy server, SecureAnywhere will
proxypass=X - automatically detect the proxy settings. SecureAnywhere
proxyauth=# checks for changes to the proxy settings every 15 minutes
and when the endpoint restarts. We recommend using
auto-detection for proxy settings; however, you can use
command-line options if you prefer.
To enable proxy support, use these command-line options:
wsasme.exe -proxyhost=nn.nn.nn.nn
-proxyauth=n
(where n can be 0=Any, 1=Basic, 2=Digest, 3=Negotiate, 4=NTLM)
-proxyuser=proxyuser
-proxypass=password
-proxyport=port_number

We recommend that you use a specific value for -proxyauth, instead

of 0 (any). The any option requires the endpoint to search through all
authentication types, which might result in unnecessary errors on proxy
servers as well as delayed communications.

If you use this command-line option, use all parameters and blank out
any value you don't need with double quotes (i.e. proxypass="").
/lang=LanguageCode Specifies the language to use for the product, rather than allow default
language detection.
Codes include:
en = English
ja = Japanese
es = Spanish
fr = French
de = German
it = Italian
nl = Dutch
ko = Korean
zh-cn = Simplified Chinese
pt = Brazilian Portuguese
ru = Russian
tr = Turkish
zh-tw = Traditional Chinese

Example: wsasme.exe /key=xxxxxxxxxxxx /silent /lang=ru

- 56 -
 Chapter 3: Managing Endpoints

Using MSI for deployment

The Microsoft Installer (MSI) requires commands during installation, which apply the keycode and options that
activate Endpoint Protection installation mode. The MSI installer is interactive by default, and requires the
msiexec.exe option /qn to run an automated installation in the background. This is an example of an MSI
command: msiexec /i wsasme.msi GUILIC=licensekey CMDLINE=SME,quiet /qn /l*v install.log.

Note: In User Account Control environments, the account used to run the installer must have local
admin rights. You must run the installer from a process that has elevated privileges in UAC
environments, to prevent the endpoint user from seeing a UAC prompt.

To remove SecureAnywhere later (if desired):

If you need to remove the SecureAnywhere software from the endpoint later, use the standard MSI command:

msiexec /x wsasme.msi /qn /L*v uninstall.log

To use an MSI editor:

If you use your own methods to deploy the SecureAnywhere software on endpoints, see the following table for
commands you can pass to msiexec.exe during installation.

CMDLINE SME,quiet
GUILIC The license key, with or without hyphens.
Note: If you don't provide a keycode, the installation will continue;
however, the endpoint will not have a keycode associated with it and
will not be protected. If you install without a keycode, you must
uninstall the software and re-install to add it.

You can also modify these commands directly, using an MSI editor such as ORCA:

l Set the CMDLINE property in the Property table to the appropriate value.
l Set the GUILIC property in the Property table to your keycode.

- 57 -
Endpoint Protection Administrator Guide

Using GPO for deployment

To install SecureAnywhere using GPO (Group Policy Object), you should have experience with Microsoft’s
Active Directory and the Group Policy Object editor.

You can also watch a video for using GPO at:

How to Deploy Using Group Policy - Webroot SecureAnywhere Business

To install SecureAnywhere using GPO:

1. Download the SecureAnywhere MSI installer to a network share:

http://anywhere.webrootcloudav.com/zerol/wsasme.msi
Downloading the file makes it accessible to all endpoints on which you will deploy SecureAnywhere.
2. Go to the server that is the domain controller for the deployment group.
3. Open the GPO editor on the domain controller and create a policy for the deployment group.
4. Assign SecureAnywhere to all endpoints that belong to the Organizational Unit where the Group Policy
is created.
SecureAnywhere installs on the endpoints in the group when they restart.

- 58 -
 Chapter 3: Managing Endpoints

Changing an endpoint keycode

Endpoints must use the Endpoint Protection keycode before they can report into the Management Portal. If there
are endpoints in your network that already have SecureAnywhere installed with a different type of keycode (for
example, a Consumer version of SecureAnywhere), change the keycode either by issuing a Change Keycode
command (see "Issuing commands to endpoints" on page 63) or by activating a new keycode directly from the
endpoint, as described below.

To change a keycode on an endpoint:

1. From the endpoint, open SecureAnywhere by double-clicking the Webroot icon in the system tray.
2. Click the My Account tab.
3. Click Activate a new keycode, as shown in the following example.

4. In the dialog, enter your Endpoint Protection keycode and click the Activate button.
When you enter a new keycode, SecureAnywhere launches a scan. (If it does not launch a scan

- 59 -
Endpoint Protection Administrator Guide

automatically, go to the PC Security tab, then click Scan My Computer.) When the scan completes,
SecureAnywhere reports into the Management Portal.

5. Return to the Management Portal and look for the new endpoint in the Default group.
If desired, you can reassign the endpoint to another group. See "Moving endpoints to another group" on
page 127.

- 60 -
 Chapter 3: Managing Endpoints

Renaming endpoints
When you add an endpoint, SecureAnywhere identifies it in the Management Portal by its machine name. You
might want to change the machine name to something more meaningful, such as "Gallagher-Laptop" or
"LabTest-1."

Note: Do not change the name of an endpoint on a virtual machine. If you do, it will appear as a new
endpoint in the Management Portal and will use an extra seat in your license.

To rename an endpoint:

1. Click the Group Management tab.

2. From the Groups panel on the left, select the group that contains the desired endpoint.
3. From the Endpoints panel on the right, double-click on the endpoint name (in the Hostname column).

4. Enter the new name and press the Enter key.

A red flag appears in the upper left of the field to indicate that the change is not yet saved.
5. Click Save Changes from the command row.
The new name appears in the Hostname column.
6. If you decide later to revert to the original name, you can click the Revert button on the far right of the
row.

- 61 -
Endpoint Protection Administrator Guide

Searching for endpoints

You can search for a specific endpoint from the field in the upper right of the Management Portal. This field is
accessible from any area of the portal. Enter a full or partial endpoint name (case-insensitive) and click the
magnifying glass search icon.

The Management Portal displays all endpoints matching the search criteria in the bottom panel.

- 62 -
 Chapter 3: Managing Endpoints

Issuing commands to endpoints

From the Management Portal, you can issue commands to individual endpoints or to a group of endpoints. For
example, you might want to scan an endpoint at a remote location. With these commands, you can easily run all
the same commands that are available on the endpoint's SecureAnywhere software.

Be aware that the endpoint may not receive the command until the next polling interval. If necessary, you can
change the polling interval in its associated policy (see "Changing policy settings" on page 92) or you can force
an immediate polling, as described in "Forcing immediate updates (forced polling)" on page 76.

Note: Depending on your access permissions for Commands (Simple, Advanced, or Expert), you may
not see all the commands listed in this section. Administrators can change access permissions, as
described in "Setting permissions for portal users" on page 38.

To issue commands to endpoints:

1. Click the Group Management tab.

2. From the Groups panel on the left, select the group that contains the desired endpoints.

3. From the Endpoints panel on the right, select one or more endpoints.
Tip: You can select all endpoints within the group by clicking the Hostname checkbox at the top of the
list (first column).

- 63 -
Endpoint Protection Administrator Guide

4. Click Agent Commands from the command bar.

5. From the dialog that opens, select a category of agent commands and then a command to run.
For a description of each command, see the tables following these steps.
6. To see the status of commands you sent, you can click View commands for selected endpoints near
the bottom of the menu. You can also review the Command Log on the Logs tab.

Endpoint Protection will issue the commands on the next polling interval. If necessary, you can either
change the polling interval in Basic Configuration of the group's policy (see the following example) or
you can force the changes immediately as described in "Forcing immediate updates (forced polling)" on
page 76.

- 64 -
 Chapter 3: Managing Endpoints

The following tables describe each of the endpoint commands:

Agent commands

Scan Run a Deep scan in the background as soon as the endpoint receives the
command. When the scan completes, the Scan History panel shows the results for
a Deep scan. Be aware that any detected threats are not automatically
quarantined. You must take action yourself in the portal by running a Clean-up or
by creating an override.
Change scan time Select a new time of day to scan the endpoint. By default, SecureAnywhere runs
a scan every day at about the same time it was installed. For example, if you
installed SecureAnywhere on the endpoint at noon, a scan will always run around
12 p.m. With this command, you can change it to a different hour.
Scan a folder Runs a full, file-by-file scan on a specific folder. Be sure to enter the full path
name. For example:
C:\Documents and Settings\Administrator\My Documents\
When the scan completes, the Scan History panel shows results for the
Custom/Right Click Scan.

- 65 -
Endpoint Protection Administrator Guide

Agent commands

Clean up Start a scan and automatically quarantine malicious files. When the scan
completes, the Scan History panel shows results for the Post Cleanup Scan.
System Cleaner Run the System Cleaner on the endpoint, which removes all traces of web
browsing history, files that reveal the user's activity, and files that consume
valuable disk space (files in the Recycle Bin and Windows temp files). You can
change the System Cleaner options in the Policy settings.
Uninstall Uninstall SecureAnywhere from the endpoint. With this command, the endpoint is
still shown in the Management Portal. If you want to uninstall SecureAnywhere
and free up a seat in your license, deactivate the endpoint instead. See
"Deactivating endpoints" on page 73.
Reset Return SecureAnywhere settings on the endpoint to their default values.
Remove password Disable password protection from the endpoint user's control, which allows
protection administrators to gain access to the endpoint if they are locked out.

Clear Data commands

Clear files Erase current log files, which frees space on the endpoint.
Disable proxy settings Disable any proxy settings the endpoint user set on the endpoint.
Note: Do not use this command if the endpoint's only Internet access is through
the proxy server. The endpoint will no longer be able to communicate with the
cloud.

Keycode commands

Change keycode Enter a different keycode.

Note: The drop-down list shows only keycodes that are assigned to this console.
Change keycode Switch the keycode used for this endpoint temporarily, which might be necessary
temporarily for testing purposes. In the dialog box, choose a keycode from the drop-down list,
then specify the dates for SecureAnywhere to use it. When the specified time for
the change elapses, the keycode reverts to the original.

- 66 -
 Chapter 3: Managing Endpoints

Power & User Access commands

Lock endpoint Lock this endpoint by activating the Windows Login screen. The user must enter
a user name and password to log back in.
Log off Log the user out of the account.
Restart Restart this endpoint when it reports in.
Reboot in Safe Mode Restart this endpoint in Safe Mode with Networking.
with Networking
Shutdown Shut down this endpoint when it reports in.

Antimalware Tools commands

Reset desktop Reset the desktop wallpaper to the default settings, which might be necessary if
wallpaper the endpoint was recently infected with malware that changed it. After sending
this command, the user must restart the endpoint.
Reset screen saver Reset the screen saver to the default settings, which might be necessary if the
endpoint was recently infected with malware that changed it.
Reset system policies Reset the Windows system policies, which might be necessary if the endpoint
was recently infected with malware that changed such policies as the Task
Manager settings.
Note: This command resets Windows policies, not Endpoint Protection policies.
Restore file Restores a quarantined file to its original location, using its MD5 value. For more
information about how to locate a file's MD5 value, see "Applying overrides from
the Overrides tab" on page 167.

File & Processes commands

Reverify all files and Re-verify this file's classification when the next scan runs. This command is
processes useful if you have established some overrides and need them to take effect on an
endpoint.
Consider all items as Consider all detected files on this endpoint as safe to run. This command is useful
good if you find numerous false positives on an endpoint and need to quickly tag them
as "Good."
Allow processes Allow communication for all processes that are blocked by the Firewall setting.
blocked by firewall
Stop untrusted Terminate any untrusted processes, which might be necessary if a regular scan
processes did not remove all traces of a malware program. The processes stop immediately,
but are not prevented from running again later.

- 67 -
Endpoint Protection Administrator Guide

Identity Shield commands

Allow application Allow an application to run on the endpoint. To identify the application, you must
enter its MD5 value. (To determine an MD5 value, see "Applying overrides from
the Overrides tab" on page 167.)
Deny application Block an application from running on the endpoint. To identify the application,
you must enter its MD5 value. (To determine an MD5 value, see "Applying
overrides from the Overrides tab" on page 167.)
Allow all denied Re-set all applications previously blocked, so they can run on the endpoint.
applications
Protect an application Add extra security to an application running on the endpoint. To identify the
application, you must enter its MD5 value. (To determine an MD5 value, see
"Applying overrides from the Overrides tab" on page 167.)
Unprotect an Re-set the application to standard protection, if you previously used the Protect
application an application command to add extra security. To identify the application, you
must enter its MD5 value. (To determine an MD5 value, see "Applying overrides
from the Overrides tab" on page 167.)

Advanced commands

Run Customer Support Run a clean-up script on the endpoint to remove malware infections. You must
script specify a network path to the file.
Customer Support Run the WSABLogs utility to gather information about an infected endpoint. The
Diagnostics Customer Support Diagnostics dialog shows the location of the utility's executable
file, and the email address associated with the endpoint account. Clicking Submit
runs the utility and sends the results to Webroot Business support. You can
specify optional advanced settings to send an additional file, to save the log
locally instead of sending it, and gather a memory dump.
Download and run a Specify a file's direct URL to download it to the agent, and then run it remotely at
file the system level.
You can also enter command-line options; for example, you could specify the /s
parameter so that the file you download runs silently in the background.
Command-line options must be supported by the file you are downloading and
executing.
Run a DOS command Specify the DOS command to run remotely at the system level, which is useful
for simple changes or for running a script. Keep in mind that the Management
Portal will not display results.
Run a registry Specify the registry command to run remotely at the system level. This command
command uses the same syntax as reg.exe, but does not call reg.exe. You can only refer
directly to local registry hive paths (for example, HKLM\Software\). You cannot
include the name of the computer in the path.

- 68 -
 Chapter 3: Managing Endpoints

Checking scan results and managing threats

From Group Management, you can view the scan history of endpoints and manage any detected threats. You
can restore a file from quarantine if you know it is legitimate (see "Restoring a file from quarantine" on page
70). You can also reclassify a file as "Good" (allowed to run) or "Bad" (auto-quarantined), as described in
"Setting an override for the file" on page 71.

Viewing the scan history

You can view a scan history for endpoints from the Group Management panel, which helps you determine
where threats were found.

To view the scan history:

1. Click the Group Management tab.

2. From the Groups panel on the left, select a group with the desired endpoints.

3. From the Endpoints panel on the right, select one of the endpoints as shown in the following example.
The Scan History panel opens, showing scan activity and any threats detected on the endpoint.

Note: If the pathname where a threat was identified includes a drive letter, the letter is masked with a
question mark. For example, you might see a pathname that looks similar to the following:
?:\users\user1\desktop.

- 69 -
Endpoint Protection Administrator Guide

4. If desired, you can show or hide additional data about the endpoint and the scan history. Click a column
header to open the drop-down menu, then click in the checkboxes to select the columns to add or
remove. For descriptions of the data in the columns, see "Sorting data in tables and reports" on page 26.

Restoring a file from quarantine

You can restore a file from quarantine from the Scan History panel (as described below) or from the All
Threats Seen report (see "Generating the All Threats Seen report" on page 139). The file is automatically
returned to its original location on the endpoint.

To restore a file:

1. View the scan history for a particular endpoint, as described previously in this section.
2. In the Scan History panel, locate the file by either clicking View in the Status column for the date when
the threat was detected or by clicking View all threats seen on this endpoint.

- 70 -
 Chapter 3: Managing Endpoints

3. In the dialog that opens, select a file by clicking on its checkbox.

4. Click Restore from Quarantine.

The file returns to its original location on the endpoint.

Setting an override for the file

You can set an override for a file from the Scan History panel (as described below) or from the Overrides tab
(see "Applying overrides from the Overrides tab" on page 167).

To set an override:

1. View the scan history for a particular endpoint, as described previously in this section.
2. In the Scan History panel, locate the file by either clicking View in the Status column for the date when
the threat was detected or by clicking View all threats seen on this endpoint.

3. In the dialog that opens, select a file in the list.

4. Click Create override.

- 71 -
Endpoint Protection Administrator Guide

The following dialog opens:

5. Open the Determination drop-down menu by clicking the arrow to the right of the field. Select one of
the following:

l Good: Always allow the file to run.

l Bad: Always send the file to quarantine.

6. You can apply this override globally or to an individual policy, as follows:

l To apply the override to all policies, keep the Apply the override globally checkbox
selected.
l To select an individual policy for the override, deselect the checkbox. When the Policy
field appears, click the drop-down arrow to the right of the field and select a policy.

- 72 -
 Chapter 3: Managing Endpoints

Deactivating endpoints
You can deactivate an endpoint so that it no longer reports in to Endpoint Protection. (You can reactivate an
endpoint later, if necessary.) By deactivating an endpoint, you can free the license seat so you can install
another endpoint in its place.

Note: If you don't want to deactivate the endpoint from the Management Portal, you can send an
Uninstall command to the endpoint instead. This action retains the endpoint entry in the Management
Portal (although it displays as "not seen" after 7 days). See "Issuing commands to endpoints" on page 63.

Deactivating an endpoint

Deactivation sends an Uninstall command to the endpoint and removes the endpoint entry from the
Management Portal.

To deactivate an endpoint:

1. Click the Group Management tab.

2. From the Groups panel on the left, select a group that includes the desired endpoints.

3. Select one or more endpoints and click Deactivate from the command bar.

- 73 -
Endpoint Protection Administrator Guide

A dialog warns you that a deactivated endpoint will no longer be able to report to Endpoint Protection.
4. Click Yes to send an Uninstall command to the endpoint, so that it removes SecureAnywhere.
Once SecureAnywhere is removed, the endpoint is shown in the Deactivated Endpoints group. After 7
days, the status changes to "Not Seen Recently."

Note: You cannot permanently remove endpoints from the Deactivated Endpoints group yourself.
Contact Webroot Technical Support if you need to clean up this list and remove old items.

Reinstalling SecureAnywhere on the endpoint

If you deactivate an endpoint from the Group Management tab, you can reactivate it later if necessary.

To reactivate the endpoint:

1. Reinstall SecureAnywhere on the endpoint.

2. Open the Management Portal and click the Group Management tab.
3. Select the endpoint from the Deactivated Endpoints group.
4. Click Reactivate from the command bar.

The endpoint is then moved back into its former group.

- 74 -
 Chapter 3: Managing Endpoints

Managing endpoint upgrades and other changes

This section describes some special circumstances you may encounter when you change hardware and
operating systems on endpoints.

Migrating to a new operating system

If you install a new operating system on an endpoint, the change will create duplicate endpoint entries in the
Management Portal. Before you install a new operating system, you should deactivate the endpoint. See
"Deactivating endpoints" on page 73.

If you have already performed the OS installation, you can simply deactivate the oldest entry in the
Management Portal. The extra license is then removed and the duplicate endpoint is placed in the Deactivated
Endpoints group.

Note: In most cases, a simple upgrade to an operating system will not create duplicate entries.

Changing hardware on an endpoint

If you install a new hard drive in an endpoint and reinstall SecureAnywhere on it, it will appear as a new entry
in the Management Portal. Before you switch out a hard drive, you should first deactivate the endpoint from the
Management Portal so you do not use an extra license. See "Deactivating endpoints" on page 73.

If you change other types of hardware on an endpoint (for example, you install a new motherboard, processor,
or network adaptor), that upgraded computer will not appear as a new entry in the Management Portal. You do
not need to deactivate the endpoint first.

Moving endpoints to a new subnet

If you move endpoints to a new subnet, make sure the same communication lines are open as on the previous
subnet. These domains should be allowed through the firewall:

*.webrootcloudav.com
*.*.webrootcloudav.com
*.p4.webrootcloudav.com
*.compute.amazonaws.com
*.webroot.com
*.webrootanywhere.com
*.prevx.com

- 75 -
Endpoint Protection Administrator Guide

Forcing immediate updates (forced polling)

The polling interval determines how often the endpoint sends its status and receives commands (for example,
every 15 minutes or every hour). If necessary, you can change the polling interval in Basic Configuration of
the group's policy (see "Changing policy settings" on page 92) or you can force an immediate update as
described below.

To force an update:

1. Go to the endpoint and look for the Webroot icon in the system tray.
2. Right-click on the Webroot icon.
3. Click Refresh configuration.

- 76 -
 Chapter 3: Managing Endpoints

Using SecureAnywhere on the endpoint

On occasion, you may need to access an endpoint to change settings in the SecureAnywhere interface. This
might be necessary if you assign an endpoint to the Unmanaged policy, which is not controlled through the
Management Portal.

Note: For complete instructions on using the SecureAnywhere interface on the endpoint, see
SecureAnywhere User Guide for PCs or the Webroot SecureAnywhere for PCs Online Help.

To open the SecureAnywhere main interface, go to the endpoint and do one of the following:

l Double-click the Webroot shortcut icon on the desktop:

l Right-click on the Webroot icon from the system tray menu, then click Open.

l If the system tray icon is hidden, open the Windows Start menu, click All Programs (or Programs),
Webroot SecureAnywhere, then Webroot SecureAnywhere again.

The Overview panel opens, similar to the following example.

- 77 -
Endpoint Protection Administrator Guide

Along the top of the panel, the main interface includes navigation tabs.

Main Interface tabs

Overview View the system status and manually scan the computer.
PC Security Run custom scans, change shield settings, and manage the quarantine.
Identity & Privacy Protect sensitive data that may be exposed during online transactions.
System Tools Use tools to manage processes and files, view reports, and submit a file
to Webroot Support. Also use the System Cleaner to remove Internet
browser activity and to remove temp files.
My Account View SecureAnywhere account information and check for updates.

- 78 -
 Chapter 3: Managing Endpoints

Uninstalling SecureAnywhere
You can remove the SecureAnywhere program from an endpoint by using one of the following methods:

l Deactivate an endpoint so that it no longer reports in to Endpoint Protection. (You can reactivate an
endpoint later, if necessary.) By deactivating an endpoint, you can free the license seat so you can install
another endpoint in its place. See "Deactivating endpoints" on page 73.
l Send an Uninstall command to the endpoint from the Management Portal. See "Issuing commands to
endpoints" on page 63. Be aware that by using this method, the endpoint is still shown in the
Management Portal. If you want to uninstall SecureAnywhere and free up a seat in your license,
deactivate the endpoint instead.

- 79 -
- 80 -
Chapter 4: Checking Status

To learn more about the Status panel, see the following topics:

Viewing endpoint status 82

Viewing recent threat status 84
Viewing an agent version overview 85

- 81 -
Endpoint Protection Administrator Guide

Viewing endpoint status

You can see the status of all endpoints in the Management Portal. Endpoints report their status when
SecureAnywhere runs a scan on them or when a polling interval has completed.

Note: To see more detailed information about an endpoint's scan history, see "Checking scan results and
managing threats" on page 69.

To view endpoint status:

1. Log in to the SecureAnywhere website: https://my.webrootanywhere.com.

2. Click Go to Endpoint Protection.
If any endpoints are infected, you can click a link for those endpoints to go directly to a details panel.

When the Management Portal opens, you can see the endpoint status in the left panels for Status (top)
and Endpoint activity (bottom).

- 82 -
 Chapter 4: Checking Status

You can drill down for more detail in both of these panels:

l If you see an alert message in the top panel, click the link to see more information about
the endpoints.
l If any endpoints have not reported into the portal (Not Seen), click the View link in the
Endpoint activity panel.

You can see endpoints in the Status tab (home panel) and the Group Management tab. The Group Management
tab provides more detailed information (see "Organizing endpoints into groups" on page 120).

- 83 -
Endpoint Protection Administrator Guide

Viewing recent threat status

From the Status tab, you can quickly view endpoints that reported a threat in the past week.

To view endpoints encountering threats in the past week:

1. Make sure the Status tab is selected.

The bar chart at the top shows a daily summary of threats found on endpoints. The table at the bottom of
the panel shows more details about the endpoints.

2. To learn more about a threat, locate the threat in the row and click the View link in the Blocked
Programs column.
3. If desired, you can show or hide additional data about the recently infected endpoints in the bottom
panel. Click a column header to open the drop-down menu, then click in the checkboxes to select the
columns to add or remove. For descriptions of the data in the columns, see "Sorting data in tables and
reports" on page 26.
4. For more details about threats and further options, you can generate the Endpoints with Threats on
Last Scan report. From this report, you can change the endpoint's policy, run a scan, create an override
for a file, or restore a file from quarantine. See "Generating the Endpoints with Threats on Last Scan
report" on page 143.

- 84 -
 Chapter 4: Checking Status

Viewing an agent version overview

The Agent Version Spread pie chart on the Status tab shows a high-level overview of the SecureAnywhere
versions installed on endpoints. (An agent is the SecureAnywhere software running on the endpoint.)

To view the Agent Version Spread pie chart:

1. Make sure the Status tab is selected.

The Agent Version Spread chart is located on the right.
2. To see more details, move your cursor over sections of the pie chart.

3. For more details, see "Generating the Agent Version Spread report" on page 134.

- 85 -
- 86 -
Chapter 5: Managing Policies

To manage policies, see the following topics:

Implementing policies 88
Selecting a new default policy 89
Creating policies 90
Creating a new policy 90
Copying a policy 91
Changing policy settings 92
Basic Configuration 95
Scan Schedule 97
Scan Settings 98
Self Protection 99
Heuristics 100
Realtime Shield 103
Behavior Shield 104
Core System Shield 105
Web Threat Shield 106
Identity Shield 107
Firewall 108
User Interface 109
System Cleaner 109
Renaming a policy 114
Exporting policy settings to a spreadsheet 115
Deleting policies 116
Viewing endpoints assigned to a policy 117
Moving endpoints to another policy 118

- 87 -
Endpoint Protection Administrator Guide

Implementing policies
When you first configured Endpoint Protection, you selected one of its default policies. (A policy defines the
SecureAnywhere settings on endpoints, such as the scan schedule and shielding behavior.) You can continue to
use your selected default policy or you can define more policies and assign them to endpoints. For example, you
might want to give system administrators more control than you would other employees. In that case, you could
create a new policy for administrators and keep everyone else on the default policy.

Note: To fully implement policies, you must have access permissions for Policies: Create & Edit and
Policies: Assign Policies to Endpoints. To change access permissions, see "Setting permissions for
portal users" on page 38.

To begin implementing policies, follow these steps:

1. Decide if you want to keep using your default policy. All policies appear in the Policy tab. Your default
policy is indicated by a gray arrow on the far left (see the highlighted row in the following example).
Double-click on your default policy name to open the settings. (You cannot see any settings for the
Unmanaged policy, because that policy specifies that endpoint users have control, not the administrator.)
You can then review the SecureAnywhere settings and determine if the default policy meets your
business requirements. If not, you need to create a new policy (you cannot modify the Webroot defaults).

2. To add a new policy, see "Creating policies" on page 90.

Tip: We suggest you determine policy names and settings first to make the process easier.
3. Once you create new policies, you can assign them to endpoints in the Group Management tab. See
"Applying a policy to endpoint groups" on page 124.

- 88 -
 Chapter 5: Managing Policies

Selecting a new default policy

Whenever you install SecureAnywhere on new endpoints, Endpoint Protection assigns them to your default
policy. If desired, you can set a different default policy for any endpoints that you install in the future.

To select a new default policy:

1. Click the Policies tab.

A list of policies appears in the bottom panel. A gray arrow indicates the current default policy (on the
far left), as shown in the following example.
2. In the Policy Name column, click on the policy you want to use as the new default.
Once highlighted, Set as Default activates in the command bar.

3. Click Set as Default from the command bar.

4. When prompted, click Yes.
The gray arrow moves to that new policy. From now on, this policy is applied to any new
SecureAnywhere installations.

- 89 -
Endpoint Protection Administrator Guide

Creating policies
You can add policies in one of two ways, either by creating a new policy or by copying an existing policy as a
starting point. Each method is described below. Once you have defined a policy name and given it a
description, you can then determine the policy settings as described in "Changing policy settings" on page 92.

Tip: Policy names must be unique, so plan your policies in advance to avoid conflicts later. Once you
give a policy a name, you cannot re-use that same name even after a policy has been deleted.

Creating a new policy

You create a new policy by giving it a name and description. Your new policy will pick up the Recommended
Default settings as a starting point, but you can change those settings later.

To create a new policy:

1. Click the Policies tab.

2. Click Create from the command bar.

3. In the Create Policy dialog, enter a policy name and description of up to 50 alphanumeric characters,
then click Create Policy.

4. Locate your new policy in the Policy tab. Double-click the policy you just created and modify the
settings. See "Changing policy settings" on page 92.

- 90 -
 Chapter 5: Managing Policies

You can apply a policy to an individual endpoint or to a group of endpoints. See "Applying a policy to
endpoint groups" on page 124.

Copying a policy

If you have a similar policy already defined, you can copy it and rename it. Your new policy will use the
settings from the policy you copied, but you can change the settings later.

To copy a policy:

1. Click the Policies tab.

2. In the Policy Name column, click the policy you want to use as a starting point and then click Copy
from the command bar.

In the Copy Policy dialog, the policy you selected is displayed in the first field. You can select a
different one, if desired.
3. In the next two fields, enter a unique name and a description of up to 50 alphanumeric characters, then
click Create Policy.

4. Locate your new policy in the Policy tab. Double-click the policy you just created and modify the
settings as desired. See "Changing policy settings" on page 92.
You can apply a policy to an individual endpoint or to a group of endpoints. See "Applying a policy to
endpoint groups" on page 124.

- 91 -
Endpoint Protection Administrator Guide

Changing policy settings

Once you create a policy (see "Creating policies" on page 90), you can change its settings to suit your business
purposes. If desired, you can make temporary changes (create drafts) and then implement them later (promote
to live).

Note: You cannot change the settings for Webroot default policies.

Policies control the following SecureAnywhere settings on managed endpoints:

SecureAnywhere settings controlled by policies

Basic settings General preferences that change the behavior of the SecureAnywhere
program, such as whether the program icon appears in the endpoint's
system tray and whether the user can shut down the program.
Scan schedule Settings that allow you to run scans at different times, change the
settings scanning behavior, or turn off automatic scanning. If you do not modify
the scan schedule, SecureAnywhere launches scans automatically
every day, at about the same time you installed the software.
Scan settings Settings that provide more control over scans, such as performing a
more thorough scan.
Self protection Additional protection that prevents malicious software from modifying
settings the SecureAnywhere program settings and processes on the endpoint. If
SecureAnywhere detects another product attempting to interfere with
its functions, it launches a protective scan to look for threats.
Heuristics Threat analysis that SecureAnywhere performs when scanning
endpoints. Heuristics can be adjusted for separate areas of the
endpoints, including the local drive, USB drives, the Internet, the
network, CD/DVDs, and when the endpoint is offline.
Realtime shield Settings that block known threats listed in Webroot's threat definitions
settings and in Webroot's community database.
Behavior shield Settings that analyze the applications and processes running on the
settings endpoints.
Core shield settings Settings that monitor the computer system structures to ensure that
malware has not tampered with them.

- 92 -
 Chapter 5: Managing Policies

SecureAnywhere settings controlled by policies

Web shield settings Settings that protect endpoints as users surf the Internet and click links
in search results.
Identity shield Protection from identity theft and financial loss. It ensures that sensitive
settings data is protected, while safe-guarding users from keyloggers, screen-
grabbers, and other information-stealing techniques.
Firewall settings Firewall protection that monitors data traffic traveling out of computer
ports. It looks for untrusted processes that try to connect to the Internet
and steal personal information. The Webroot firewall works in
conjunction with the Windows firewall, which monitors data traffic
coming into the endpoints.
User interface User access to the SecureAnywhere program on the endpoint.
settings
System Cleaner Settings that control the System Cleaner behavior, such as an automatic
cleanup schedule and what types of files and traces to remove from the
endpoint.

To change policy settings:

1. Click the Policies tab.

A list of policies opens in the bottom panel.
2. In the Policy Name column, find the policy in the list and double-click anywhere in the row.

The Policy dialog opens, with the Basic Configuration category selected (see the following example).

- 93 -
Endpoint Protection Administrator Guide

The Live column shows how the setting is currently implemented on the endpoints. The Draft column is
where you can make changes.
3. Under the Section column (left side), choose the category to edit.

4. Under the Draft column (far right side), click in the cell to view the options, then select the desired
setting.
A complete description of each setting follows these steps.
5. When you're done with a section, click Save Changes at the bottom. (For example, when you have
finished editing Basic Configuration, save your changes before moving to Scan Schedule.)

6. Continue editing the policy, making sure to click Save Changes before you move to another section.
7. If you're not ready to implement the changes (promote to live), you can return to the Policy tab.
Any policy with changes not yet implemented displays Yes in the Draft Changes column.

- 94 -
 Chapter 5: Managing Policies

8. To implement the changes, return to the Policy dialog and click Promote Draft Changes to Live
(bottom left). Your changes do not take effect until you promote them.

Basic Configuration

The Basic Configuration settings control the behavior of the SecureAnywhere software on managed endpoints.

- 95 -
Endpoint Protection Administrator Guide

Basic Configuration settings

Show a Webroot shortcut on Provides quick access to the main interface by placing the
the desktop shortcut icon on the endpoint desktop.
Show a system tray icon Provides quick access to SecureAnywhere functions by placing
the Webroot icon in the endpoint system tray.
Show a splash screen on Opens the Webroot splash screen when the endpoint starts.
bootup
Show Webroot in the Start Lists SecureAnywhere in the Windows Startup menu items.
Menu
Show Webroot in Lists SecureAnywhere in the Windows Add/Remove Programs
Add/Remove Programs panel.
Show Webroot in Windows Lists SecureAnywhere in the Windows Security/Action
Security/Action Center Center, under Virus Protection information.
Hide the Webroot keycode Hides the keycode on the endpoint's My Account panel.
on-screen Asterisks replace the code, except for the first four digits.
Automatically download and Downloads product updates automatically without alerting the
apply updates endpoint user.
Operate background Saves CPU resources by running non-scan related functions in
functions using fewer CPU the background.
resources
Favor low disk usage over Saves disk resources by saving only the last four log items.
verbose logging (fewer
details stored in logs)
Lower resource usage when Suppresses SecureAnywhere functions while the user is
intensive applications or gaming, watching videos, or using other intensive applications.
games are detected
Allow Webroot to be shut Shows a Shutdown command in the endpoint's system tray
down manually menu. Deselecting this option removes the Shutdown command
from the menu.
Force non-critical Suppresses information-only messages from appearing in the
notifications into the system tray.
background
Fade out warning messages Closes warning dialogs in the system tray after a few seconds.
automatically If you disable this option, the user must manually click on a
message to close it.

- 96 -
 Chapter 5: Managing Policies

Basic Configuration settings

Store Execution History Stores data for the Execution History logs, available under
details Reports.
Poll interval Specifies how often the endpoint checks for updates. For
example: 15 minutes, 30 minutes, 1 hour, or 2 hours.

Scan Schedule

SecureAnywhere runs scans automatically every day, at about the same time you installed the software. You
can use the Scan Schedule settings to change the schedules and run scans at different times.

Scan Schedule settings

Enable Scheduled Scans Allows scheduled scans to run on the endpoint.

Scan Frequency Determines how often to run the scan. You can set a day of the
week or select "on bootup" (when the computer starts).
Time Specifies the time to run the scan:
l Scan time options for when computer is idle are before
8:00 a.m., before noon, before 5:00 p.m., or before
midnight.
l Scan time options for when resources are available are
hourly, from 12:00 a.m. to 11:00 p.m.

Scan on bootup if the Launches a scheduled scan within an hour after the user turns
computer is off at the on the computer, if the scan did not run at the normally
scheduled time scheduled time. If this option is disabled, SecureAnywhere
ignores missed scans.
Hide the scan progress Runs scans silently in the background. If this option is disabled,
window during scheduled a window opens and shows the scan progress.
scans
Only notify me if an infection Opens an alert only if it finds a threat. If this option is disabled,
is found during a scheduled a small status window opens when the scan completes,
scan whether a threat was found or not.
Do not perform scheduled Helps conserve battery power. If you want SecureAnywhere to
scans when on battery power launch scheduled scans when the endpoint is on battery power,
deselect this option.

- 97 -
Endpoint Protection Administrator Guide

Scan Schedule settings

Do not perform scheduled Ignores scheduled scans when the user is viewing a full-screen
scans when a full screen application, such as a movie or a game. Deselect this option if
application or game is open you want scheduled scans to run anyway.
Randomize the time of Determines the best time for scanning (based on available
scheduled scans up to one system resources) and runs the scan within an hour of the
hour for distributed scanning scheduled time. If you want to force the scan to run at the
scheduled time, deselect this option.
Perform a scheduled Quick Runs a quick scan of memory. We recommend that you keep
Scan instead of a Deep Scan this option deselected, so that deep scans run for all types of
malware in all locations.

Scan Settings

Scan settings give advanced control over scanning performance.

Scan Settings

Enable Realtime Master Protects the endpoint against master boot record (MBR)
Boot Record (MBR) infections. An MBR infection can modify core areas of the
Scanning system so that they load before the operating system and can
infect the computer. We recommend that you keep this option
selected. It adds only a small amount of time to the scan.
Enable Enhanced Rootkit Checks for rootkits and other malicious software hidden on
Detection disk or in protected areas. Spyware developers often use
rootkits to avoid detection and removal. We recommend that
you keep this option selected. It adds only a small amount of
time to the scan.
Enable "right-click" scanning Enables an option for scanning the currently selected file or
in Windows Explorer folder in the Windows Explorer right-click menu. This option is
helpful if the user downloads a file and wants to scan it
quickly.
Update the currently scanned Displays a full list of files as SecureAnywhere scans each one.
folder immediately as If you want to increase scan performance slightly, deselect this
scanned option so that file names only update once per second on the
panel. SecureAnywhere will still scan all files, just not take the
time to show each one on the screen.

- 98 -
 Chapter 5: Managing Policies

Scan Settings

Favor low memory usage Reduces RAM usage in the background by using less memory
over fast scanning during scans, but scans will also run a bit slower. Deselect this
option to run faster scans and use more memory.
Favor low CPU usage over Reduces CPU usage during scans, but scans will also run a bit
fast scanning slower. Deselect this option to run faster scans.
Save non-executable file Saves all file data to the scan log, resulting in a much larger
details to scan logs log file. Leave this option deselected to save only executable
file details to the log.
Show the "Authenticating Opens a small dialog whenever the user runs a program for the
Files" popup when a new file first time. Leave this option deselected if you do not want users
is scanned on-execution to see this dialog.
Scan archived files Scans compressed files in zip, rar, cab, and 7-zip archives.
Automatically reboot during Restarts the computer after running a clean-up, which is the
cleanup without prompting process of removing all traces of a malware file.
Never reboot during malware Prevents the endpoint from restarting during cleanup, which is
cleanup the process of removing all traces of a malware file.
Automatically remove threats Removes threats during scans that run in the endpoint's
found during background background and sends them to quarantine.
scans
Automatically remove threats Removes threats during the first scan on the endpoint and sends
found on the learning scan them to quarantine.
Enable Enhanced Support Allows logs to be sent to Webroot customer support.
Show Infected Scan Results Shows scan results. If not enabled, the endpoint does not show
scan results even if malware is detected.

Self Protection

Self Protection prevents malicious software from modifying the SecureAnywhere program settings and
processes. If SecureAnywhere detects that another product is attempting to interfere with its functions, it
launches a protective scan to look for threats. It will also update the internal self protection status to prevent
incompatibilities with other software.

- 99 -
Endpoint Protection Administrator Guide

Note: We recommend that you leave Self Protection at the Maximum settings, unless you use other
security software in addition to SecureAnywhere. If you use additional security software, adjust Self
Protection to Medium or Minimum. The Maximum setting might interfere with other security
software.

Self Protection settings

Enable self-protection Turns self-protection on and off.

response cloaking
Self-protection level Sets the detection level to:
l Minimum. Protects the integrity of the
SecureAnywhere settings and databases. Recommended
if the endpoint has several other security products
installed.
l Medium. Prevents other programs from disabling
protection. Provides maximum possible compatibility
with other security software.
l Maximum. Provides the highest protection of the
SecureAnywhere processes. Recommended.

Heuristics

With heuristics, you can set the level of threat analysis that SecureAnywhere performs when scanning
managed endpoints. SecureAnywhere includes three types of heuristics: advanced, age, and popularity.

l Advanced Heuristics. Analyzes new programs for suspicious actions that are typical of malware.
l Age Heuristics. Analyzes new programs based on the amount of time the program has been in the
community. Legitimate programs are generally used in a community for a long time, but malware often
has a short life span.
l Popularity Heuristics. Analyzes new programs based on statistics for how often the program is used in
the community and how often it changes. Legitimate programs do not change quickly, but malware often
mutates at a rapid pace. Malware may install as a unique copy on every computer, making it statistically
unpopular.

- 100 -
 Chapter 5: Managing Policies

You can adjust these types of heuristics for several areas: the local drive, USB drives, the Internet, the
network, CD/DVDs, and when your computer is offline. For each of these areas, you can set the following
options:

l Disable Heuristics. Turns off heuristic analysis for the local drive, USB drives, the Internet, the
network, CD/DVDs, or when your computer is offline. Not recommended.
l Apply advanced heuristics before Age/Popularity heuristics. Warns against new programs as well as
old programs that exhibit suspicious behavior on the local drive, USB drives, the Internet, the network,
CD/DVDs, or when your computer is offline.
l Apply advanced heuristics after Age/Popularity heuristics. Warns against suspicious programs
detected with Advanced Heuristics, based on Age/Popularity settings on the local drive, USB drives, the
Internet, the network, CD/DVDs, or when your computer is offline.
l Warn when new programs execute that are not known good. Warns when malicious, suspicious, or
unknown programs try to execute on the local drive, USB drives, the Internet, the network, CD/DVDs,
or when your computer is offline. (This setting may result in false detections.)

- 101 -
Endpoint Protection Administrator Guide

Heuristics levels

Advanced Heuristics Disabled turns off Advanced Heuristics, leaving it vulnerable

to new threats. (However, it will still be protected against
known threats.)
Low detects programs with a high level of malicious activity.
This setting ignores some suspicious behavior and allows most
programs to run.
Medium balances detection versus false alarms by using our
tuned heuristics in the centralized community database.
High protects against a wide range of new threats. Use this
setting if you think your system is infected or at very high risk.
(This setting may result in false detections.)
Maximum provides the highest level of protection against new
threats. Use this setting if you think that your system is infected
or at very high risk. (This setting may result in false
detections.)
Age Heuristics Disabled turns off Age Heuristics, leaving it vulnerable to new
threats. (However, it will still be protected against known
threats.)
Low detects programs that have been created or modified very
recently.
Medium detects programs that are fairly new and not trusted,
preventing zero-day or zero-hour attacks. We recommend using
this setting if you do not allow unpopular programs to be
installed on your managed endpoints and you want extra
security to prevent mutating threats.
High detects programs that have been created or modified in a
relatively short time and are not trusted. This setting is
recommended only if new programs are rarely installed on your
managed endpoints, and if you feel that your systems are
relatively constant. This setting might generate a higher level
of false detections on more obscure or unpopular programs.
Maximum detects all untrusted programs that have been
created or modified fairly recently. Use this setting only if your
managed endpoints are in a high-risk situation, or if you think
that they are currently infected.

- 102 -
 Chapter 5: Managing Policies

Heuristics levels

Popularity Heuristics Low detects programs that are seen for the first time. This
setting is recommended if new or beta programs are frequently
installed on your managed endpoints, or if endpoint users are
software developers who frequently create new programs.
Medium detects unpopular and mutating programs, preventing
zero-day and zero-hour attacks. We recommend using this
setting if you do not allow new programs to be installed
frequently on your managed endpoints and you want extra
security over standard settings.
High detects programs that a significant percentage of the
community has seen. This setting is recommended if you do not
allow new programs on your managed endpoints and you
suspect that they are currently infected.
Maximum detects programs that a large percentage of the
community has seen. We recommend this setting if you think
your managed endpoints are at very high risk, and you accept
that you might receive false detections because of the strict
heuristic rules.

Realtime Shield

The Realtime shield blocks known threats that are listed in Webroot's threat definitions and community
database. If the shield detects a suspicious file, it opens an alert and prompts you to block or allow the item. If
it detects a known threat, it immediately blocks and quarantines the item before it causes damage to the
endpoint or steals its information.

Realtime shield settings

Realtime Shield Enabled Turns the Realtime shield on and off.

Enable Predictive Offline Downloads a small threat definition file to your managed
Protection from the central endpoints, protecting them even when they are offline. We
Webroot database recommend that you leave this setting on.
Remember actions on Remembers how the user responded to an alert (allowed a file
blocked files or blocked it) and will not prompt again when it encounters the
same file. If this setting is deselected, SecureAnywhere opens
an alert every time it encounters the file in the future.

- 103 -
Endpoint Protection Administrator Guide

Realtime shield settings

Automatically quarantine Opens an alert when it encounters a threat and allows the user
previously blocked files to block it and send it to quarantine. If this setting is off, the
user must run a scan manually to remove a threat.
Automatically block files Blocks threats and sends them to quarantine. If this setting is
when detected on execution off, the user must respond to alerts about detected threats.
Scan files when written or Scans any new or modified files that are saved to disk. If this
modified setting is off, it ignores new file installations (however, it still
alerts the user if a threat tries to launch).
Block threats automatically if Stops threats from executing even when managed endpoints are
no user is logged in logged off. Threats are sent to quarantine without notification.
Show realtime event Opens an alert when suspicious activity occurs.
warnings
Show realtime block modal Shows alerts when Heuristics detects malware, and prompts
alerts the user to allow or block the action.
Note: This setting must be set to "on" if Heuristics is set to
"Warn when new programs execute that are not known good."
Otherwise, users will not see the alert.
Show realtime block Shows a tray notification if the Realtime shield detects
notifications malware. If this setting is off, there is no tray notification, but
malware is blocked and the home page shows that threats were
detected.

Behavior Shield

The Behavior shield analyzes the applications and processes running on your managed endpoints. If it detects a
suspicious file, it opens an alert and prompts you to block or allow the item. If it detects a known threat, it
immediately blocks and quarantines the item before it causes damage to managed endpoints or steals
information.

Behavior shield settings

Behavior Shield Enabled Turns the Behavior shield on and off.

Assess the intent of new Watches the program's activity before allowing it to run. If it
programs before allowing appears okay, SecureAnywhere allows it to launch and
them to execute continues to monitor its activity.

- 104 -
 Chapter 5: Managing Policies

Behavior shield settings

Enable advanced behavior Analyzes a program to examine its intent. For example, a
interpretation to identify malware program might perform suspicious activities like
complex threats modifying a registry entry, then sending an email.
Track the behavior of Watches programs that have not yet been classified as
untrusted programs for legitimate or as malware.
advanced threat removal
Automatically perform the Does not prompt the user to allow or block a potential threat.
recommended action instead SecureAnywhere determines how to manage the item.
of showing warning
messages
Warn if untrusted programs Opens an alert if an unclassified program tries to make
attempt low-level system changes to your managed endpoints when they are offline.
modifications when offline (SecureAnywhere cannot check its online threat database if
endpoints are disconnected from the Internet.)

Core System Shield

The Core System shield monitors system structures of your managed endpoints and makes sure malware has
not tampered with them. If the shield detects a suspicious file trying to make changes, it opens an alert and
prompts the user to block or allow the item. If it detects a known threat, it immediately blocks and quarantines
the item before it causes damage or steals information.

Core System shield settings

Core System Shield Enabled Turns the Core System shield on and off.
Assess system modifications Intercepts any activity that attempts to make system changes
before they are allowed to on your managed endpoints, such as a new service installation.
take place
Detect and repair broken Locates corrupted components, such as a broken Layered
system components Service Provider (LSP) chain or a virus-infected file, then
restores the component or file to its original state.
Prevent untrusted programs Stops unclassified programs from changing the kernel memory.
from modifying kernel
memory

- 105 -
Endpoint Protection Administrator Guide

Core System shield settings

Prevent untrusted programs Stops unclassified programs from changing system processes.
from modifying system
processes
Verify the integrity of the Monitors the Layered Service Provider (LSP) chain and other
LSP chain and other system system structures to make sure malware does not corrupt them.
structures
Prevent any program from Stops spyware from attempting to add or change the IP address
modifying the HOSTS file for a website in the Hosts file, and opens an alert for the user
to block or allow the changes.

Web Threat Shield

The Web Threat shield protects your endpoints as users surf the Internet. If it detects a website that might be a
threat, it opens an alert for users to block the site or continue despite the warning. When they use a search
engine, this shield analyzes all the links on the search results page, then displays an image next to each link
that signifies whether it's a trusted site (green checkmark) or a potential risk (red X).

Web Threat shield settings

Web Threat Shield Enabled Turns the Web Threat shield on and off.
Analyze search engine Analyzes search engine results, SecureAnywhere analyzes all
results and identify malicious links displayed on the search results page by running the URLs
websites before visitation through its malware-identification engine. It then displays an
image next to each link that signifies if the site is safe (green
checkmark) or a potential risk (red X).
Enable deep content analysis Analyzes all data traffic on your managed endpoints as users
visit websites. If threats try to install, it blocks the threat's
activity.
Look for malware on Analyzes URLs in a browser's address bar and links to sites. If
websites before visitation the site is associated with malware, it blocks it from loading in
your browser.
Look for exploits in website Looks for cross-site scripting attacks that might try to redirect
content before visitation users to a different website.
Suppress the user's ability to Prevents the endpoint user from overriding the Web Threat
make local Web Threat Shield settings. If disabled, endpoint users can create overrides
Shield overrides when they are blocked from accessing a website.

- 106 -
 Chapter 5: Managing Policies

Identity Shield

The Identity shield protects sensitive data that might be exposed during online transactions. You can change the
behavior of the Identity shield and control what it blocks.

Identity shield settings

Identity Shield Enabled Turns the Identity shield on and off.

Look for identity threats Analyzes websites as users browse the Internet or open links.
online If the shield detects malicious content, it blocks the site and
opens an alert.
Analyze websites for Analyzes websites for phishing threats as users browse the
phishing threats Internet or open links. If the shield detects a phishing threat, it
blocks the site and opens an alert.
Verify websites when visited Analyzes the IP address of each website to determine if it has
to determine legitimacy been redirected or is on our blacklist. If the shield detects an
illegitimate website, it blocks the site and opens an alert.
Verify the DNS/IP resolution Looks for servers that could be redirecting users to a malicious
of websites to detect Man-in- website (man-in-the-middle attack). If the shield detects a
the-Middle attacks man-in-the-middle attack, it blocks the threat and opens an
alert.
Block websites from creating Blocks third-party cookies from installing on your managed
high risk tracking information endpoints if the cookies originate from malicious tracking
websites.
Prevent programs from Blocks programs from accessing login credentials (for
accessing protected example, when you type your name and password or when you
credentials request a website to remember them).
Warn before blocking Opens an alert any time malware attempts to access data,
untrusted programs from instead of blocking known malware automatically.
accessing protected data
Allow trusted screen capture Allows screen capture programs, no matter what content is
programs access to protected displayed on the screen.
screen contents

- 107 -
Endpoint Protection Administrator Guide

Identity shield settings

Enable Identity Shield Allows certain applications to run that the Identity shield might
compatibility mode block during normal operations. You can enable this option if
you notice problems with an application's functions after
SecureAnywhere was installed on the endpoint. With this
compatibility mode enabled, the endpoint is still protected by
the Identity shield's core functionality.
Enable keylogging protection Allows endpoints with non-Latin systems (such as Japanese
in non-Latin systems and Chinese) to be protected from keyloggers.

Firewall

The Webroot firewall monitors data traffic traveling out of endpoint ports. It looks for untrusted processes that
try to connect to the Internet and steal personal information. It works with the Windows firewall, which
monitors data traffic coming into your managed endpoints. With both the Webroot and Windows firewall turned
on, network data has complete inbound and outbound protection.

The Webroot firewall is preconfigured to filter traffic on your managed endpoints. It works in the background
without disrupting normal activities. If the firewall detects unrecognized traffic, it opens an alert. You can
either block the traffic or allow it to proceed.

Firewall settings

Enabled Turns the Firewall on and off.

Firewall level Default Allow: Allows all processes to connect to the Internet,
unless explicitly blocked.
Warn unknown and infected: Warns if any new, untrusted
processes connect to the Internet, if the endpoint is infected.
Warn unknown: Warns if a new, untrusted process connects
to the Internet.
Default Block: Warns if any process connects to the Internet,
unless explicitly blocked.

- 108 -
 Chapter 5: Managing Policies

Firewall settings

Show firewall management Controls the alert shown by SecureAnywhere when the
warnings Windows firewall is off:
l On. The user sees an alert when SecureAnywhere
detects that the Windows firewall is off.
l Off. No alert appears when the Windows firewall is off.

Show firewall process Controls the firewall alerts. If this is setting is Off, no firewall
warnings alerts appear. This option works in conjunction with the
Firewall Level settings. For example, if Show firewall
process warnings and Default Block options are both set to
On, the endpoint user sees an alert if a new process tries to
connect. If Show Firewall process warnings is set to Off, no
alert appears to the endpoint user and the process is allowed.

User Interface

Gives administrative control over the SecureAnywhere interface on the endpoints using this policy.

User Interface setting

GUI Blocks or allows endpoint user access to the main

SecureAnywhere interface. If users try to open
SecureAnywhere when this option is set to Hide, a message
tells them to contact the administrator to access the interface.
Note: This option does not also hide the Webroot system tray
icon.

System Cleaner

The System Cleaner removes traces of the end user's web browsing history, files that show computer use, and
unnecessary files that consume valuable disk space, such as files in the Recycle Bin or Windows temporary
files. The System Cleaner does not run automatically; you need to schedule cleanups and select the items you
want removed.

- 109 -
Endpoint Protection Administrator Guide

Note: Cleanups remove unnecessary files and traces, not malware threats. Malware (spyware and
viruses) are removed during scans. You can think of the System Cleaner as the housekeeper of a
computer, while the Scanner serves as the security guard.

System Cleaner settings

Manage System Cleaner Enables the administrator to change System Cleaner settings,
centrally as follows:
l On. The System Cleaner settings are shown in the panel
and are available to change.
l Off. No settings appear in this panel.

Scheduled Cleanup (Monday Sets the days of the week (one or more) to automatically run
through Sunday) the System Cleaner.
Cleanup at specific time of Sets the hour of the day the System Cleaner runs on the
day - hour endpoints.
Cleanup at specific time of Sets the time (in 15-minute increments) the System Cleaner
day - minute runs on the endpoints.
Run on bootup if the system Launches a missed scheduled cleanup when the endpoint
was off at the scheduled time powers on (applicable only if the endpoint was off during a
scheduled cleanup). Otherwise, skips the missed cleanup.
Enable Windows Explorer Includes an option for permanently erasing a file or folder in
right click secure file erasing Windows Explorer on the endpoint. A menu item appears when
the user right-clicks on a file or folder:

Windows Desktop:
Recycle Bin Removes all files from the Recycle Bin in Windows Explorer.

- 110 -
 Chapter 5: Managing Policies

System Cleaner settings

Recent document history Clears the history of recently opened files, which is accessible
from the Windows Start menu. (The cleanup does not delete
the actual files.)
Start Menu click history Clears the history of shortcuts to programs that end users
recently opened using the Start menu.
Run history Clears the history of commands recently entered into the Run
dialog, which is accessible from the Start menu.
Note: After the cleanup, the end user may need to restart the
computer to completely remove items from the Run dialog.
Search history Clears the history of files or other information that the end user
searched for on the computer. This history displays when the
end user starts entering a new search that starts with the same
characters. (The cleanup does not delete the actual files.)
Start Menu order history Reverts the list of programs and documents in the Start menu
back to alphabetical order, which is the default setting. After
the cleanup runs, the list reverts back to alphabetical order
after a system re-boot.
Windows System:
Clipboard contents Clears the contents from the Clipboard, where Windows stores
data used in either the Copy or Cut function from any Windows
program.
Windows Temporary folder Deletes all files and folders in the Windows temporary folder,
but not files that are in use by an open program. This folder is
usually: C:\Windows\Temp.
System Temporary folder Deletes all files and folders in the system temporary folder, but
not files that are in use by an open program. This folder is
usually in: C:\Documents and Settings\[username]\Local
Settings\Temp.
Windows Update Temporary Deletes all files and subfolders in this folder, but not files that
folder are in use by an open program. Windows uses these files when
a Windows Update runs. These files are normally in
C:\Windows\Software\Distribution\Download.
Windows Registry Streams Clears the history of recent changes made to the Windows
registry. (This option does not delete the registry changes
themselves.)

- 111 -
Endpoint Protection Administrator Guide

System Cleaner settings

Default logon user history Deletes the Windows registry entry that stores the last name
used to log on to your computer. When the registry entry is
deleted, end users must enter their user names each time they
turn on or restart the computer. This cleanup option does not
affect computers that use the default Welcome screen.
Memory dump files Deletes the memory dump file (memory.dmp) that Windows
creates with certain Windows errors. The file contains
information about what happened when the error occurred.
CD burning storage folder Deletes the Windows project files, created when the Windows
built-in function is used to copy files to a CD. These project
files are typically stored in one of the following directories:
C:\Documents and Settings\[username]\Local
Settings\Application Data\Microsoft\CDBurning
or
C:\Users\[username]
\AppData\Local\Microsoft\Windows\Burn\Burn
Flash cookies Deletes bits of data created by Adobe Flash, which can be a
privacy concern because they track user preferences. (Flash
cookies are not actually “cookies,” and are not controlled
through the cookie privacy controls in a browser.)
Internet Explorer:
Address bar history Removes the list of recently visited websites, which is stored
as part of Internet Explorer’s AutoComplete feature. You see
this list when you click the arrow on the right side of the
Address drop-down list at the top of the Internet Explorer
browser.
Cookies Deletes all cookies from the endpoint. Be aware that if you
remove all cookie files, the end user must re-enter passwords,
shopping cart items, and other entries that these cookies stored.
Temporary Internet Files Deletes copies of stored web pages that the end user visited
recently. This cache improves performance by helping web
pages open faster, but can consume a lot of space on the hard
drive.
URL history Deletes the History list of recently visited websites of the
Internet Explorer toolbar.
Setup Log Deletes log files created during Internet Explorer updates.

- 112 -
 Chapter 5: Managing Policies

System Cleaner settings

Microsoft Download Folder Deletes the contents in the folder that stores files last
downloaded using Internet Explorer.
MediaPlayer Bar History Removes the list of audio and video files recently opened with
the media player in Internet Explorer. (The cleanup does not
delete the files themselves.)
Autocomplete form Deletes data that Internet Explorer stores when the end user
information entered information into fields on websites. This is part of
Internet Explorer’s AutoComplete feature.
Clean index.dat (cleaned on Marks files in the index.dat file for deletion, then clears those
reboot) files after the system reboots. The index.dat file is a growing
Windows repository of web addresses, search queries, and
recently opened files. This option works when you also select
one or more of the following options: Cookies, Temporary
Internet Files, or URL History.
Note: Index.dat functions like an active database. It is only
cleaned after you reboot Windows.
Secure File Removal:
Control the level of security Removes files permanently in a “shredding” process, which
to apply when removing files overwrites them with random characters. This shredding
feature is a convenient way to make sure no one can ever
access the endpoint's files with a recovery tool.
By default, file removal is set to Normal, which means items
are deleted permanently (bypassing the Recycle Bin).
However, with the Normal setting, data recovery utilities could
restore the files. If you want to make sure files can never be
recovered, select Maximum. Medium overwrites files with
three passes, whereas Maximum overwrites files with seven
passes and cleans the space around the files. Also be aware
that cleanup operations take longer when you select Medium or
Maximum.

- 113 -
Endpoint Protection Administrator Guide

Renaming a policy
You can rename a policy from the Policies tab. Keep in mind that policy names must be unique.

To rename a policy:

1. Click the Policies tab.

2. From the Policy Name column, select the policy to rename.
3. Click Rename from the command bar.

4. In the Rename Policy dialog, enter a new name and a description for the policy.
5. Click Rename Policy.

- 114 -
 Chapter 5: Managing Policies

Exporting policy settings to a spreadsheet

You can export all policy information to a spreadsheet, which is convenient if you want to review policy
settings with IT colleagues.

To export a policy:

1. Click the Policies tab.

2. From the Policy Name column, select the desired policy.
3. Click Export to CSV from the command bar.

4. From the prompt, save the policy to a CSV file.

Endpoint Protection saves it to a file with the policy name and a CSV extension. For example, if the
policy is named "Policy 1," the file is saved to Policy1.csv.

- 115 -
Endpoint Protection Administrator Guide

Deleting policies
You can delete all policies except for the original default policies. When you delete a policy, Endpoint
Protection removes it from the list of active policies and moves it to a Deleted Policies list, so it is still
accessible to the report logs.

Note: Be aware that if you delete a policy, you cannot re-use the same policy name again. Also, you
cannot restore a deleted policy, but you can copy and rename it.

To delete a policy:

1. Click the Policies tab.

2. From the Policy Name column, select the desired policy and click Delete from the command bar.

After you confirm the deletion, you are prompted to move any endpoints from the deleted policy to
another.
3. Open the drop-down list in the Move any endpoints dialog and select a new policy for the endpoints.
4. Click Save to remove the policy from the list.
Note: Deleted policies are moved to a Deleted Policies list. To view them, select the Show Deleted
Policies checkbox on the Policies tab to display them in the list. The Deleted policies are shown in gray:

- 116 -
 Chapter 5: Managing Policies

Viewing endpoints assigned to a policy

From the Policies tab, you can quickly view which endpoints are assigned to a policy.

To view endpoints assigned to a policy:

1. Click the Policies tab.

2. From the Policy Name column, select the desired policy.
The bottom panel shows which groups use this policy.
3. To view endpoints, you can do either of the following:

l Click View all endpoints using this policy from the command bar.
l Select the View link in the row for the group.

A dialog opens and shows the endpoint names and status.

4. If desired, you can show or hide additional data about the endpoints. Click a column header to open the
drop-down menu, then click in the checkboxes to select the columns to add or remove. For descriptions
of the data in the columns, see "Sorting data in tables and reports" on page 26.

- 117 -
Endpoint Protection Administrator Guide

Moving endpoints to another policy

From the Policy tab, you can move all endpoints assigned to one policy to another policy.

Note: If you want to move individual endpoints to a policy, see "Applying a policy to endpoint groups"
on page 124.

To move endpoints to another policy:

1. Click the Policies tab.

2. From the Policy Name column, select the desired policy.
The bottom panel shows which groups use this policy.
3. Click Move all endpoints on this policy to another policy from the command bar.

4. In the dialog, click the drop-down arrow to open a list of policies. Select the policy and click Save.

5. Check the Policies list to make sure the new endpoints are shown under the new assignment.

- 118 -
Chapter 6: Managing Groups

To manage groups and the endpoints within each group, see the following topics:

Organizing endpoints into groups 120

Adding a new group 122
Applying a policy to endpoint groups 124
Applying a policy to a group 124
Applying a policy to a single endpoint 125
Moving endpoints to another group 127
Deleting groups 128
Renaming groups 129

- 119 -
Endpoint Protection Administrator Guide

Organizing endpoints into groups

When you install SecureAnywhere on endpoints, those endpoints are automatically assigned to your default
policy and to the Default group. (A group is a collection of endpoints, which helps you organize your devices
for easy management.) Once endpoints report into the Management Portal (after performing the first scan), you
can move them to a different group. For example, you might organize endpoints by time zone so that you can
schedule the same scan time for all of them.

Note: To fully manage groups, you must have access permissions for Groups: Create & Edit, Groups:
Deactivate/Reactivate Endpoints, and Groups: Assign Endpoints to Groups. To change access
permissions, see "Setting permissions for portal users" on page 38.

You can view all groups in the Group Management tab, which looks similar to the example below. Select a
group from the Groups panel on the left to see the endpoints and policies associated with that group on the right.
Endpoints are shown on the top; policies are shown on the bottom.

Note: All endpoints are assigned to the Default group, unless you used the /groupname switch in the
command line during a silent installation. See "Deploying SecureAnywhere to endpoints" on page 50.

- 120 -
 Chapter 6: Managing Groups

To create more groups and move endpoints, follow these steps:

1. Add one or more new groups, as described in "Adding a new group" on page 122.
2. Move endpoints to the newly created groups, as described in "Moving endpoints to another group" on
page 127.
3. Assign a policy to the new group of endpoints, as described in "Applying a policy to endpoint groups" on
page 124.

- 121 -
Endpoint Protection Administrator Guide

Adding a new group

When you first deploy SecureAnywhere to endpoints, Endpoint Protection assigns them all to the Default group.
If desired, you can add more groups for different management purposes and re-assign endpoints to those new
groups.

To create a group:

1. Click the Group Management tab.

2. Click Create from the command bar.

3. In the Create Group dialog, enter a group name and description, then click Create Group.

The new group appears in the Groups panel on the left.

4. To move endpoints into this group, click the group where the endpoints currently reside.
5. Select one or more endpoints from the Endpoints panel on the right.
Tip: You can select all endpoints within the selected group by clicking the Hostname checkbox at the
top of the list (first column).

- 122 -
 Chapter 6: Managing Groups

6. Click Move endpoints to another group from the command bar.

7. When the Move dialog opens, click the drop-down arrow to display the list of groups. Select your new
group from the drop-down field and click Save.

8. You can then apply policies to the entire group or to individual endpoints, as described in "Applying a
policy to endpoint groups" on page 124.

- 123 -
Endpoint Protection Administrator Guide

Applying a policy to endpoint groups

All endpoints are first assigned to your default policy. If you want to change the policy assignment, you must
first define a new policy (see "Implementing policies" on page 88), then follow the instructions below to apply
that policy to a group.

Applying a policy to a group

From the Group Management tab, you can apply a policy to multiple endpoints.

To apply a policy to a group of endpoints:

1. Click the Group Management tab.

2. From the Groups panel on the left, select a group that includes the desired endpoints.

3. From the Endpoints panel on the right, select one or more endpoints.
Tip: You can select all endpoints within the selected group by clicking the Hostname checkbox at the
top of the list (first column).
4. Click Apply policy to endpoints from the command bar.
Note: If the group has more than one page of endpoints, the dialog prompts you to apply the policy either
to the endpoints on the current page or to all pages of endpoints.

- 124 -
 Chapter 6: Managing Groups

5. Select the new policy for the group, and click Apply.

6. Check the Policy column to make sure the new policy is applied to the selected endpoints.

Applying a policy to a single endpoint

If you want to apply a policy to only one endpoint, the quickest method is to double-click in the Policy column
and change it there.

To apply a policy to an individual endpoint:

1. Click the Group Management tab.

2. From the Groups panel on the left, select a group that includes the desired endpoint.

- 125 -
Endpoint Protection Administrator Guide

3. From the Endpoints panel on the right, select the endpoint.

4. In the Policy column of the selected endpoint, double-click the policy name to open a drop-down of
available policies.

5. Select the policy and press Enter.

You will see the new policy name in the column with a red flag at the upper left corner. This indicates
that your changes are in a draft stage and you can still select Undo Changes to revert back to the
previous settings. If desired, you can continue making other changes in this panel until you are ready to
save the changes.
6. To apply the change, click Save Changes.

The red flag is then removed from the row.

- 126 -
 Chapter 6: Managing Groups

Moving endpoints to another group

You can move endpoints into a different group, as described in this section. You can move individual endpoints
or an entire group of endpoints.

To move endpoints to another group:

1. Click the Group Management tab.

2. From the Groups panel on the left, select the group that contains the endpoints you want to move.
Note: For this procedure you must select a specific group, not All Endpoints.
3. From the Endpoints panel on the right, select one or more endpoints.
Tip: You can select all endpoints within the selected group by clicking the Hostname checkbox at the
top of the list (first column).
4. Click Move endpoints to another group from the command bar.
Note: If the group has more than one page of endpoints, the dialog prompts you to apply the policy either
to the endpoints on the current page or to all pages of endpoints.

5. When the Move dialog opens, click the drop-down arrow to display the list of groups. Select the group
from the drop-down field and click Save.

6. Click the group you selected from the left panel. Make sure all the endpoints are shown in the Endpoints
panel on the right.

- 127 -
Endpoint Protection Administrator Guide

Deleting groups
In the Group Management tab, you can easily delete a group from the list and move its endpoints to another
group. (You cannot retrieve a deleted group; however, you can re-use a deleted group name.)

To delete a group:

1. Click the Group Management tab.

2. Select the group from the left panel.
3. Click Delete from the command bar.

4. Click Yes at the prompt.

If endpoints are assigned to this group, another dialog asks you to select a group where you want the
endpoints moved.
5. Select the target group, then click Save.

- 128 -
 Chapter 6: Managing Groups

Renaming groups
In the Group Management tab, you can easily rename a group in the list. The endpoints remain in that renamed
group; you do not need to move them.

To rename a group:

1. Click the Group Management tab.

2. Select the group from the left panel.
3. Click Rename from the command bar.

The Rename Group dialog opens

4. Enter a new name and description, then click Rename Group.

- 129 -
- 130 -
Chapter 7: Viewing Reports

To generate reports, see the following topics:

Generating Endpoint Protection reports 132

Generating the Agent Version Spread report 134
Generating the Agents Installed report 137
Generating the All Threats Seen report 139
Generating the All Undetermined Software Seen report 141
Generating the Endpoints with Threats on Last Scan report 143
Generating the Endpoints with Undetermined Software on Last Scan report 146
Generating the Threat History (Collated) report 148
Generating the Threat History (Daily) report 152

- 131 -
Endpoint Protection Administrator Guide

Generating Endpoint Protection reports

With Endpoint Protection, you can view detailed reports about SecureAnywhere versions and threat activity on
the endpoints. The following table provides suggestions for the types of reports you might want to generate,
depending on your business needs.

Reports

To locate endpoints with Generate the Agent Version Spread report. (An agent is the
different SecureAnywhere SecureAnywhere software running on the endpoint.) You can use
versions installed: this report to locate endpoints that should be upgraded.
Note: You can also view the Agent Version Spread pie chart
shown on the Status panel, although this chart is less detailed
than the Agent Version Spread report.
See "Generating the Agent Version Spread report" on page 134.
To locate endpoints with newly Generate the Agent Installed report. From here, you can see the
installed SecureAnywhere dates when SecureAnywhere was installed on an endpoint, as
software: well as the number of endpoints receiving the installations. See
"Generating the Agents Installed report" on page 137.
To locate and manage detected Generate either the All Threats Seen report or the Endpoints
threats: with Threats on Last Scan report.
l The All Threats Seen report lists threats by filename,
along with where SecureAnywhere detected them. From
here, you can create an override for a file or restore it
from quarantine. See "Generating the All Threats Seen
report" on page 139.
l The Endpoints with Threats on Last Scan report shows
threats by endpoint location. From here, you can change
the endpoint's policy, run a scan, create an override for a
file, or restore a file from quarantine. See "Generating the
Endpoints with Threats on Last Scan report" on page 143.

- 132 -
 Chapter 7: Viewing Reports

Reports

To locate files classified as Generate either the All Undetermined Software Seen or the
Undetermined: Endpoints with Undetermined Software on Last Scan
report.
l The All Undetermined Software Seen report shows a
list of files that are classified as "Undetermined" (they
appear legitimate, but also exhibit questionable
behavior). This report lists items by filename, along with
where SecureAnywhere detected them. You can use this
report to create overrides and tag files as either Good or
Bad, so SecureAnywhere knows how you want to
classify them in the future. See "Generating the All
Undetermined Software Seen report" on page 141.
l The Endpoints with Undetermined Software on Last
Scan report shows a list of endpoints reporting
Undetermined files during the last scan. You can use
this report to create overrides and tag files as either
Good or Bad, so SecureAnywhere knows how you want
to classify them in the future. See "Generating the
Endpoints with Undetermined Software on Last Scan
report" on page 146.

To view a summary of Generate the Threat History (Collated) report. This report
detected threats: shows a bar chart for endpoints with detected threats and
blocked programs. From here, you can create overrides for
blocked programs and restore files from quarantine.
See "Generating the Threat History (Collated) report" on page
148.
To view a summary of threats Generate the Threat History (Daily) report. This report shows
detected on a daily basis: each day where SecureAnywhere found threats on endpoints.
See "Generating the Threat History (Daily) report" on page
152.

- 133 -
Endpoint Protection Administrator Guide

Generating the Agent Version Spread report

To locate endpoints with different SecureAnywhere versions installed, you can generate the Agent Version
Spread report. (An agent is the SecureAnywhere software running on the endpoint.) You can use this report to
locate endpoints that should be upgraded. The report displays a bar chart showing the version numbers in your
network and the endpoints using each version.

You can modify the report data as follows:

l View all versions within a selected group, which is helpful if you need to narrow search results to a
specific set of endpoints.
l Drill down to see the endpoints using a specific version, which is helpful if you want to determine which
endpoints should be upgraded.

Note: You can quickly glance at the Status tab to see a pie chart of the agent version spread. For more
information, see "Viewing an agent version overview" on page 85.

To generate the Agent Version Spread report:

1. Click the Reports tab.

2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select Agent Version Spread and click Submit.

A list of groups opens along with the Agent Version Spread report, as shown in the following example.

- 134 -
 Chapter 7: Viewing Reports

4. To view data for a specific group, click the group name on the left.
The bar chart redisplays the data with only the selected group.
5. To view the endpoints using the version, click a bar to see details.
The bottom panel displays data about each endpoint.

- 135 -
Endpoint Protection Administrator Guide

6. If desired, you can show or hide additional data for the report. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the
data in the columns, see "Sorting data in tables and reports" on page 26.

- 136 -
 Chapter 7: Viewing Reports

Generating the Agents Installed report

To see a chart of SecureAnywhere installations, generate the Agents Installed report. (An agent is the
SecureAnywhere software running on the endpoint.) This report displays a bar chart showing the dates when
SecureAnywhere was installed on endpoints, as well as the number of endpoints receiving the installations.
You can modify the report data as follows:

l View all SecureAnywhere installations within a selected policy or group, which is helpful if you need to
narrow search results to a specific set of endpoints.
l Drill down to see the endpoints with SecureAnywhere installed on the same date, which is helpful if you
need to narrow the results to a time period and need to assign policies to a set of endpoints installed on a
specific date.

To generate the Agents Installed report:

1. Click the Reports tab.

2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select Agents Installed.
4. If desired, select a specific policy or group.
Otherwise, the report data shows all policies and groups, and may take a long time to generate
(depending on your environment).
5. In the bottom two fields, enter a start and end date for the report data.
6. Click Submit.

The report opens in the right panel, as shown in the following example.

- 137 -
Endpoint Protection Administrator Guide

7. To view the endpoints where SecureAnywhere was installed on a specific date, click a bar to see
details.
The bottom panel displays data about each endpoint.

8. If desired, you can show or hide additional data for the report. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the
data in the columns, see "Sorting data in tables and reports" on page 26.

- 138 -
 Chapter 7: Viewing Reports

Generating the All Threats Seen report

To locate and manage detected threats, you can generate the All Threats Seen report. This report lists threats
by filename, along with when and where SecureAnywhere detected them. This report might show duplicate
entries if the threats were detected multiple times or in multiple places. From here, you can create an override
for a file or restore it from quarantine.

You can modify the report data as follows:

l View all detected threats within a selected policy or group, which is helpful if you need to narrow
search results to a specific set of endpoints.
l Drill down to see the threats detected within a date range, which is helpful if you want to narrow the
search results to a specific time period.

To generate the All Threats Seen report:

1. Click the Reports tab.

2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select All Threats Seen.
4. If desired, select a specific policy and group.
Otherwise, the report data shows all policies and groups, and may take a long time to generate
(depending on your environment).
5. Optionally, you can click the Select time period checkbox to enter a date range for the data.
6. Click Submit.

The report opens in the right panel. Each threat is listed by its filename, along with where and when

- 139 -
Endpoint Protection Administrator Guide

SecureAnywhere detected and removed it.

7. From this panel, you have the following options:

l Create override: If you want to bypass Endpoint Protection and designate the file as Good
(allow the file to run) or Bad (detect and quarantine the file), click Create override from
the command bar. For further instructions, see "Applying overrides to files from reports" on
page 172.
l Restore from Quarantine: If the file is safe and you want to restore it to the original
location on the endpoint, click Restore from Quarantine from the command bar.

8. If desired, you can show or hide additional data for the report. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the
data in the columns, see "Sorting data in tables and reports" on page 26.

- 140 -
 Chapter 7: Viewing Reports

Generating the All Undetermined Software Seen

report
SecureAnywhere may sometimes detect a file that appears legitimate, but also exhibits questionable behavior.
In these cases, it classifies the file as "Undetermined." To locate files that SecureAnywhere classified as
"Undetermined," you can generate the All Undetermined Software Seen report. The All Undetermined
Software Seen report shows all undetermined software (typically executable files) that SecureAnywhere
cannot classify as either safe or as malware.

This report lists items by filename, along with when and where SecureAnywhere detected them. This report
might show duplicate entries if the undetermined software was detected multiple times or in multiple places.
You can also use this report to create overrides and tag files as either Good or Bad, so SecureAnywhere knows
how you want to classify them in the future.

Note: To view the most recent endpoints with undetermined software, see "Generating the Endpoints
with Threats on Last Scan report" on page 143.

From the report, you can modify the report data as follows:

l View all undetermined software within a selected policy or group, which is helpful if you need to narrow
search results to a specific set of endpoints.
l Drill down to see the files detected within a date range, which is helpful if you want to narrow the
search results to a specific time period.

To generate the All Undetermined Software Seen report:

1. Click the Reports tab.

2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select All Undetermined Software Seen.
4. If desired, select a specific policy and group.
Otherwise, the report data shows all policies and groups, and may take a long time to generate
(depending on your environment).
5. Optionally, you can click the Select time period checkbox to enter a date range for the data.
6. Click Submit.

- 141 -
Endpoint Protection Administrator Guide

The report opens in the right panel:

7. From this panel, you can select a file and click Create override to reclassify it as follows:

l Good: Always allow the file to run on the endpoint. Do not detect the file during scans or
send it to quarantine. After you select Good, the file is listed in the Overrides tab with
Good as the Manual Determination, but the Cloud Determination remains Undetermined.
l Bad: Always send the file to quarantine when detected during scans. After you select Bad,
the file is listed in the Overrides tab with Bad as the Manual Determination, but the Cloud
Determination remains Undetermined.

You can also select whether you want to apply this override to all policies or selected policies, so
you don't need to create this override again on other endpoints.

8. If desired, you can show or hide additional data for the report. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the
data in the columns, see "Sorting data in tables and reports" on page 26.

- 142 -
 Chapter 7: Viewing Reports

Generating the Endpoints with Threats on Last

Scan report
To locate and manage detected threats from the last scan, you can generate the Endpoints with Threats on Last
Scan report. This report shows threats by endpoint location. From the report, you can change the endpoint's
policy, run a scan, create an override for a file, or restore a file from quarantine.

You can modify the report data as follows:

l View all detected threats within a selected policy or group, which is helpful if you need to narrow
search results to a specific set of endpoints.
l Drill down to see the threats detected within a date range, which is helpful if you want to narrow the
search results to a specific time period.

To generate the Endpoints with Threats on Last Scan report:

1. Click the Reports tab.

2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select Endpoints with Threats on Last Scan, then click Submit.

The report opens in the right panel, where you have the following options:

l View and change the policy: To open the policy settings for that endpoint and change the
settings, you can click the View link. (Endpoints assigned to the Unmanaged policy have
no View link because they are controlled at the endpoint level.)
l Launch scan. Click the broom icon on the far right to initiate a scan and auto-quarantine
threats.

- 143 -
Endpoint Protection Administrator Guide

4. To view more details about threats found on an endpoint, click a hostname from the upper panel to see
details in the bottom panel.

- 144 -
 Chapter 7: Viewing Reports

5. From the bottom panel, you can perform one of the following actions on a selected threat:

l Create override: If you want to bypass Endpoint Protection and designate the file as Good
(allow the file to run) or Bad (detect and quarantine the file), click Create override from
the command bar. For further instructions, see "Applying overrides to files from reports" on
page 172.
l Restore from Quarantine: If the file is safe and you want to restore it to the original
location on the endpoint, click Restore from Quarantine from the command bar.

6. If desired, you can show or hide additional data for the report. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the
data in the columns, see "Sorting data in tables and reports" on page 26.

- 145 -
Endpoint Protection Administrator Guide

Generating the Endpoints with Undetermined

Software on Last Scan report
SecureAnywhere may sometimes detect a file that appears legitimate, but also exhibits questionable behavior.
In these cases, it classifies the file as "Undetermined." To locate files that SecureAnywhere classified as
"Undetermined" on the last scan, you can generate the Endpoints with Undetermined Software on Last Scan
report. You can select an endpoint to drill down for more details about the files.

To generate the Endpoints with Undetermined Software on Last Scan report:

1. Click the Reports tab.

2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select Endpoint with undetermined software on last scan, then click Submit.

The report opens in the right panel, showing all the endpoints.

4. To view more details about the undetermined software found, click an endpoint's row to see details in
the bottom, as shown in the following example.

- 146 -
 Chapter 7: Viewing Reports

5. From this panel, you can select a file and click Create override to reclassify the file as follows:

l Good: Always allow the file to run on the endpoint. Do not detect the file during scans or
send it to quarantine. After you select Good, the file is listed in the Overrides tab with
Good as the Manual Determination, but the Cloud Determination remains Undetermined.
l Bad: Always send the file to quarantine when detected during scans. After you select Bad,
the file is listed in the Overrides tab with Bad as the Manual Determination, but the Cloud
Determination remains Undetermined.

You can also select whether you want to apply this override to all policies or selected policies, so
you don't need to create this override again on other endpoints.

6. If desired, you can show or hide additional data for the report. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the
data in the columns, see "Sorting data in tables and reports" on page 26.

- 147 -
Endpoint Protection Administrator Guide

Generating the Threat History (Collated) report

To view a summary of detected threats, you can generate the Threat History (Collated) report. This report
shows a bar chart for endpoints with detected threats and blocked programs. From here, you can create
overrides for blocked programs and restore files from quarantine.

Note: To view a summary of threats, see "Generating the Threat History (Daily) report" on page 152.
The Threat History (Daily) report is just a summary; you cannot manage threats from that report.

You can modify the report data as follows:

l View all threats within a selected policy or group, which is helpful if you need to narrow search results
to a specific set of endpoints.
l Drill down to see the threats detected within a date range, which is helpful if you want to narrow the
search results to a specific time period.

To generate the Threat History (Collated) report:

1. Click the Reports tab.

2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select Threat History (Collated).
4. If desired, select a specific policy or group.
Otherwise, the report data shows all policies and groups, and may take a long time to generate
(depending on your environment).
5. In the bottom two fields, enter a start and end date for the report data.
6. Click Submit.

- 148 -
 Chapter 7: Viewing Reports

The report opens in the right panel.

7. From this panel, you can click one of the bars to view more details about Endpoints with threats or
Blocked Programs.
If you click the Blocked Programs bar chart, the bottom panel shows details about the programs.

- 149 -
Endpoint Protection Administrator Guide

8. From the bottom panel you can click the View links in the All Endpoints and All Versions column to
view more information.

The View link under All Endpoints displays this panel:

The View link under All Versions displays this panel:

9. If you want to set an override for the file or restore it from quarantine, select the Endpoints with
threats bar to display more information in the bottom panel.

- 150 -
 Chapter 7: Viewing Reports

10. Locate the row for the endpoint that has the blocked program and select the View link in the Blocked
Programs column to open the following dialog:

11. From this dialog, you have the following options:

l Create override: If you want to bypass Endpoint Protection and designate the file as Good
(allow the file to run) or Bad (detect and quarantine the file), click Create override from
the command bar. For further instructions, see "Applying overrides to files from reports" on
page 172.
l Restore from Quarantine: If the file is safe and you want to restore it to the original
location on the endpoint, click Restore from Quarantine from the command bar.

You can also select whether you want to apply this override to all policies or selected policies, so
you don't need to create this override again on other endpoints.

12. If desired, you can show or hide additional data for the report. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the
data in the columns, see "Sorting data in tables and reports" on page 26.

- 151 -
Endpoint Protection Administrator Guide

Generating the Threat History (Daily) report

To view a summary of threats detected on a daily basis, you can generate the Threat History (Daily) report.
This report shows each day where SecureAnywhere found threats on endpoints. You can modify the report data
as follows:

l View daily threats within a selected policy or group, which is helpful if you need to narrow search
results to a specific set of endpoints.
l Drill down to see the threats detected within a date range, which is helpful if you want to narrow the
search results to a specific time period.

To generate the Threat History (Daily) report:

1. Click the Reports tab.

2. In the Report Type field, click the drop-down arrow to display a list of reports.
3. Select Threat History (Daily).
4. If desired, select a specific policy or group.
Otherwise, the report data shows all policies and groups, and may take a long time to generate
(depending on your environment).
5. In the bottom two fields, enter a start and end date for the report data.
6. Click Submit.

The report opens in the right panel.

- 152 -
 Chapter 7: Viewing Reports

7. To view more details about threats, click on a bar to see details for a specific day.
The bottom panel shows details about the endpoints with the detected threats.

8. To view more information about a block program, click a View link in the Blocked Programs column.

- 153 -
Endpoint Protection Administrator Guide

9. If desired, you can show or hide additional data for the report. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove. For descriptions of the
data in the columns, see "Sorting data in tables and reports" on page 26.

- 154 -
Chapter 8: Managing Alerts

To learn more about alerts, see the following topics:

Implementing alerts 156

Creating a distribution list 157
Creating customized alerts 158
Viewing your defined alert messages 162
Suspending or deleting alerts 164

- 155 -
Endpoint Protection Administrator Guide

Implementing alerts
You can customize alert messages and send them to a distribution list whenever the following types of events
occur:

l Endpoints reporting an infection

l New SecureAnywhere installations on endpoints

For both of these event types, you can customize the alerting method so administrators receive a message as
soon as the event occurs or on a schedule (daily, weekly, or monthly). Using a setup wizard in the Alerts tab,
you can customize the subject heading and body of the messages. You can also use variables to add information
for the endpoints triggering the alerts, affected groups, and other specifics about the event.

Note: To customize alerts, you must have access permissions for Alerts: Create & Edit. To change
access permissions, see "Setting permissions for portal users" on page 38.

To create customized alerts:

1. Create a distribution list based on email addresses (list members do not need to be defined in the
Manage Users panel of the Management Portal). See "Creating a distribution list" on page 157.
2. Create alert messages that are sent to the distribution list whenever endpoints report an infection or
SecureAnywhere is installed on an endpoint. See "Creating customized alerts" on page 158.

All your customized alerts will appear in the Alerts tab.

- 156 -
 Chapter 8: Managing Alerts

Creating a distribution list

From the Alerts tab, you can easily create a distribution list of users who will receive alert messages. For
example, you might want to create a list of administrators who need to respond to threat detections at a remote
office.

Note: You can also create a distribution list in the Create Alert wizard, as described in "Creating
customized alerts" on page 158.

To create a distribution list:

1. Click the Alerts tab.

2. In the Distribution Lists panel on the right, click Create from the command bar.

3. In the dialog, enter a name for the list and the email addresses of the recipients.

4. Click Save.
The new list is added to the Distribution Lists panel.

If you need to delete the list later, click the name and click Delete from the command bar.

- 157 -
Endpoint Protection Administrator Guide

Creating customized alerts

You can customize the alert messages sent to a distribution list for the following types of events:

l Infection Detected. An immediate message sent when an endpoint reports an infection.

l Endpoint Installed. An immediate message sent as soon as SecureAnywhere is installed on an endpoint
and it reports into the Management Portal.
l Infection Summary. A summary message that provides an overview of threats detected on endpoints.
The summary can be scheduled for a daily, weekly, or monthly distribution.
l Install Summary. A summary message that provides an overview of SecureAnywhere installations. The
summary can be scheduled for a daily, weekly, or monthly distribution.

You can use the Create Alert wizard to define the messages and a distribution list, as described below. (You
can also define a distribution list separately, as described in "Creating a distribution list" on page 157.)

To create a custom alert:

1. Click the Alerts tab.

2. In the Alerts panel on the left, click Create from the command bar.

The following dialog opens.

3. In the Alert Type field, click the drop-down arrow to select an alert type. In the Alert Name field,
enter a description for this alert. Click Next at the bottom right.

- 158 -
 Chapter 8: Managing Alerts

If you select one of the summary alerts, another field appears where you must select the frequency for
sending the alerts: either daily, weekly, or monthly.

4. In the next panel, you can select from an existing distribution list or you can create a new one.

If you already created a distribution list, click Use existing list and then click Next.

If you have not yet created a distribution list, click Create new list, enter a list
name, then enter the email addresses. When you're done, click Next.

5. In the next panel, you can enter the subject and message for the email message. In the Email title field,
enter the subject head for the message. In the Email message body field, enter the text for the message.

- 159 -
Endpoint Protection Administrator Guide

The wizard also provides "data inputs" within the text, which are variables you can use for automatically
inserting such information as the hostname of the endpoint. Some data inputs are already displayed for
you in the sample text. Data inputs are shown in brackets.
6. To add your own data inputs, click inside the text where you want a variable to appear, then click the
drop-down arrow for one of the Data Inputs buttons. There is one button for the subject head and one
for the body.

7. Select from the data inputs, which are all described below.
Note: Depending on the type of alert message you are defining, only the applicable data inputs appear in
the drop-down menu.

- 160 -
 Chapter 8: Managing Alerts

Data inputs for alert messages

Hostname The name of the endpoint triggering the alert.

Group Name The group assigned to the endpoint triggering the alert.
Policy name The policy assigned to the endpoint triggering the alert.
Keycode The keycode used for the endpoint triggering the alert.
Current User The user of the endpoint triggering the alert.
Console Name The name of the Console where the endpoint is included.
First Seen The date and time when this event was first detected.
Last Seen The date and time when this event was last detected.
Last Infected The date and time the endpoint triggering the alert was last infected.
Operating System The operating system version on the endpoint triggering the alert.
Agent Version The version number of the SecureAnywhere software installed on the
endpoint triggering the alert.
MAC Address The Media Access Control address (MAC address) on the network
where the endpoint triggering the alert is installed.
Workgroup The network workgroup where the endpoint is located (if any).
Active Directory The name of the Active Directory.
Infection List A list of infections.
Infection Summary A summary of the infections.
Install Summary A summary of the SecureAnywhere installations.

8. To view the email message, click Preview at the bottom of the wizard.
9. If you are satisfied with the message, click Finish.

- 161 -
Endpoint Protection Administrator Guide

Viewing your defined alert messages

All your customized alerts will appear in the Alerts tab with a status of Active. From here, you can edit the
alert by double-clicking in its row. On the right side of the panel are the distribution lists you defined.

If desired, you can show or hide additional data about the alert messages. Click a column header to open the
drop-down menu, then click in the checkboxes to select the columns to add or remove.

The columns provide the data described in the following table.

Columns in the Alerts panel

Alert Name The name defined in the Create Alert wizard. This column is static and
cannot be hidden.
Alert Type One of the alert types: Infection Detected, Endpoint Installed, Infection
Summary, Install Summary.

- 162 -
 Chapter 8: Managing Alerts

Columns in the Alerts panel

Distribution List The email recipients for this alert.

Date Created The date the alert message was defined.
Created By The administrator who created the alert message.
Date Edited The date (if any) that the alert message was modified.
Edited By The administrator who modified the alert message (if applicable).
Status The alert status, which is either Active or Suspended.

- 163 -
Endpoint Protection Administrator Guide

Suspending or deleting alerts

After customizing alert messages for a distribution list, you may decide later that an alert is no longer
necessary. You can permanently delete an alert; or if you think it might be useful again sometime in the future,
you can temporarily suspend it instead.

To suspend or delete an alert:

1. Click the Alerts tab.

2. Select an alert from the left panel.
3. Click Delete or Suspend from the command row.

If you selected Suspend, the alert is grayed out in the panel with "Suspended" in the Status column.
Later, you can select the alert again and click Resume.

If you selected Delete, click Yes in the prompt. The alert is permanently removed from Endpoint
Protection.

- 164 -
Chapter 9: Using Overrides

To use overrides, see the following topics:

Implementing overrides 166

Applying overrides from the Overrides tab 167
Applying overrides to files from groups 170
Applying overrides to files from reports 172
Viewing overrides 174
Deleting overrides 176
Exporting overrides to a spreadsheet 177

- 165 -
Endpoint Protection Administrator Guide

Implementing overrides
Overrides provide administrative control of the files and applications in your environment, allowing you to
designate files as Good (always run) or Bad (always quarantine). For example:

l You may decide to quarantine legitimate files for certain business purposes. For example, if you don't
allow users to make Skype voice calls during business hours, you can set an override that always sends
the Skype executable file to quarantine when detected during scans.
l Conversely, if Endpoint Protection is quarantining a file that you want to allow, you can set an override
that ignores the file during scans.

Note: To fully manage overrides, you must have access permissions for Overrides: MD5 and
Overrides: Determination Capability. To change permissions, see "Setting permissions for portal
users" on page 38.

To change how a file is detected and managed, you can apply one of the following overrides:

l Good: Always allow the file to run on the endpoint. Do not detect the file during scans or send it to
quarantine.
l Bad: Always send the file to quarantine when detected during scans.

You can add overrides from several locations:

l From the Overrides tab, you can create either a "Good" or "Bad" override for any type of file. To do
this, you must first scan the endpoint, save its scan log, and locate the MD5 value of the file. MD5
(Message-Digest algorithm 5) is a cryptographic hash function that produces a 128-bit value, which acts
like a fingerprint to uniquely identify a file. For more information, see "Applying overrides from the
Overrides tab" on page 167.
l From the Group Management tab, you can search for endpoints where threats were detected and
quickly apply overrides. The MD5 value is already identified for the file. For more information, see
"Applying overrides to files from groups" on page 170.
l From the Reports tab, you can search for endpoints where threats were detected in certain reports and
quickly apply overrides. The MD5 value is already identified for the file. For more information, see
"Applying overrides to files from reports" on page 172.

An override can have different settings at the global level and at the policy level. Be aware that Policy
settings take precedence over Group settings.

- 166 -
 Chapter 9: Using Overrides

Applying overrides from the Overrides tab

When you add overrides from the Overrides tab, you must first locate the MD5 values of files by running a
scan on the endpoint. When SecureAnywhere scans the device, it creates a scan log where it stores the path
name, file name, and MD5 value for executables and other types of files that run a process. You need that
MD5 value to create the override.

Tip: If you want to override a file designated as "Bad," you should go to the Groups or Reports tabs.
These tabs show detected threats and their associated MD5 values, which saves you time in creating
"Bad" overrides.

To locate and save MD5 values:

1. Run a scan on the endpoint to capture MD5 values.

You can run the Scan command either from the endpoint itself or by using the Scan command from the
Groups tab (see "Issuing commands to endpoints" on page 63).
2. On the endpoint (the PC or other device), open SecureAnywhere. Click the System Tools tab, then
Reports. In the Scan Log section of the page, click Save as and specify a name and location for the log.

3. Open the scan log and locate the MD5 value to the right of the filename.
The following example shows the MD5 value for a file named csrss.exe.

- 167 -
Endpoint Protection Administrator Guide

4. Copy the value, so you can paste it into the Management Portal.

To add an MD5 override from the Overrides tab:

1. Return to Endpoint Protection and click the Overrides tab.

2. Click Create from the command bar.

3. In the Create Override dialog, paste the copied MD5 value into the MD5 field.

- 168 -
 Chapter 9: Using Overrides

4. Open the Determination drop-down menu by clicking the arrow to the right of the field. Select one of
the following:

l Good: Always allow the file to run.

l Bad: Always send the file to quarantine.

5. You can apply this override globally or to an individual policy, as follows:

l To apply the override to all policies, keep the Apply the override globally checkbox
selected.
l To select an individual policy for the override, deselect the checkbox. When the Policy
field appears, click the drop-down arrow to the right of the field and select a policy.

6. When you're done, click Save.

7. If you want to test how SecureAnywhere will detect the file, you can send the endpoint a Reverify all
files and processes command (see "Issuing commands to endpoints" on page 63).

- 169 -
Endpoint Protection Administrator Guide

Applying overrides to files from groups

From a group level, you can apply an override to a file designated as a threat so it won't be detected and
quarantined again in the future.

To apply an override from groups:

1. Click the Group Management tab.

2. From the left panel, select the group for the endpoint where the file was detected.

3. In the right panel, select the endpoint where the file was detected.

4. In the Scan History list at the bottom, you can click View in the Status column for the date when the
threat was detected or you can click View all threats seen on this endpoint.

5. In the dialog, select the desired filename by clicking in its checkbox.

6. Click Create override.

- 170 -
 Chapter 9: Using Overrides

The following dialog opens:

7. Open the Determination drop-down menu by clicking the arrow to the right of the field. Select one of
the following:

l Good: Always allow the file to run.

l Bad: Always send the file to quarantine.

8. You can apply this override globally or to an individual policy, as follows:

l To apply the override to all policies, keep the Apply the override globally checkbox
selected.
l To select an individual policy for the override, deselect the checkbox. When the Policy
field appears, click the drop-down arrow to the right of the field and select a policy.

9. When you're done, click Save.

10. If you want to test the file's detection, you can send the endpoint a Reverify all files and processes
command (see "Issuing commands to endpoints" on page 63).

- 171 -
Endpoint Protection Administrator Guide

Applying overrides to files from reports

From the Reports tab, you can apply an override to a file designated as a threat so it won't be detected and
quarantined again in the future. You can add overrides from these reports:

l All Threats Seen.

l All Undetermined Software Seen.
l Endpoints with Threats on Last Scan, in the panel for Threats Seen on this Endpoint panel (individual
endpoints only).
l Endpoints with Undetermined Software on Last Scan, in the panel for All Undetermined Software Seen
on this Endpoint (individual endpoints only).

To create an override from reports:

1. Click the Reports tab and generate one of the reports listed above.
2. Select the desired filename and click Create override from the command bar.

The following dialog opens:

3. Open the Determination drop-down menu by clicking the arrow to the right of the field. Select one of
the following:

l Good: Always allow the file to run.

l Bad: Always send the file to quarantine.

- 172 -
 Chapter 9: Using Overrides

4. You can apply this override globally or to an individual policy, as follows:

l To apply the override to all policies, keep the Apply the override globally checkbox
selected.
l To select an individual policy for the override, deselect the checkbox. When the Policy
field appears, click the drop-down arrow to the right of the field and select a policy.

5. When you're done, click Save.

6. If you want to test the file's detection, you can send the endpoint a Reverify all files and processes
command (see "Issuing commands to endpoints" on page 63).

- 173 -
Endpoint Protection Administrator Guide

Viewing overrides
After you add overrides to Endpoint Protection, you can view them in the Overrides tab. Select a policy from
the left panel to narrow the results shown on the right. Your selected overrides appear under the Manual
Determination column.

If desired, you can show or hide additional data about the overrides. Click a column header to open the drop-
down menu, then click in the checkboxes to select the columns to add or remove.

- 174 -
 Chapter 9: Using Overrides

The columns provide the following data:

Columns in the Overrides tab

MD5 The Message-Digest algorithm 5 value, which acts like a fingerprint to

uniquely identify a file.
Command Filename The name of the Windows file as it would display in a file folder. This
column is static; you cannot hide it.
Common Pathname The name of the Windows folder structure.
File Size The file size in bytes.
Vendor The name of the vendor associated with the file, if SecureAnywhere can
determine that information.
Product The name of the product associated with the file, if SecureAnywhere can
determine that information.
Version The version of the product associated with the file, if SecureAnywhere
can determine that information.
Manual Determination Your designation for the file, which is either Good or Bad.
Cloud Determination Webroot's classification for the file, which is Good, Bad, or
Undetermined.
Data Created The date and time this override was defined.
Policy The policy where this override is applied.

- 175 -
Endpoint Protection Administrator Guide

Deleting overrides
If you want to remove an override that you previously defined, you can delete it from the Overrides tab.

To delete an override:

1. Click the Overrides tab.

2. If you want to narrow the results in the right panel, select a specific policy from the left.
3. Click Delete from the command bar.

After you confirm the deletion, the override is moved to the "deleted" list. You can view all deleted
overrides by selecting All Deleted Overrides from the left panel. Be aware that you cannot restore
deleted overrides.

- 176 -
 Chapter 9: Using Overrides

Exporting overrides to a spreadsheet

You can export all override information to a spreadsheet, which is convenient if you want to review settings
with your colleagues.

To export override settings:

1. Click the Overrides tab.

2. If you want to narrow the results in the right panel, select a specific policy from the left.
3. Click Export to CSV from the command bar.

4. From the prompt, save the overrides to a CSV file.

Endpoint Protection saves it to a file named Overrides.csv. If you save additional files, it appends a
number to the base name, such as Overrides (2).csv.

- 177 -
- 178 -
Chapter 10: Viewing Logs

To use logs, see the following topics:

Viewing the Change Log 180

Viewing the Command Log 182

- 179 -
Endpoint Protection Administrator Guide

Viewing the Change Log

In the Change Log, you can see when the following types of events have occurred:

l Logon: When the administrator logged into the Management Portal.

l Policy: Any policies created, changed, or deleted.
l Agent Commands: When a command was initiated.
l Override: Any overrides created, changed, or deleted.
l Group: Any groups created, changed, or deleted.
l Endpoint: Any endpoints renamed or moved to another group.
l Reports: Any reports generated.

You can filter the Change Log by date range, event type, user, group, and policy.

To view the Change Log:

1. Click the Logs tab.

The Change Log opens by default. It lists change events, and provides filters for narrowing the list.

- 180 -
 Chapter 10: Viewing Logs

2. You can use the Filter Change Log options in the left panel to narrow the data. When you have selected
the filtering criteria, click Submit.
You can choose to filter the data, as follows:

l Between and And: Enter the time frame in these two fields in MM/DD/YYYY format or
by clicking the calendar icons to choose dates.
l Event Type: Select an event from the drop-down list. Events include changes in groups,
endpoints, or policies, as well as overrides and user logons.
l Involving User: Select a user from the drop-down list.
l Involving Group: Select a group from the drop-down list.
l Involving Policy: Select a policy from the drop-down list.

3. If the data exceeds 50 items, you can use the navigation buttons at the bottom to move between
additional pages.

You can also use the Refresh button to update the data:

- 181 -
Endpoint Protection Administrator Guide

Viewing the Command Log

In the Command Log, you can review information about recent and outstanding commands. The log includes
data for:

l Hostname. The name of the endpoint that received the command.

l Command. The command issued to the endpoint.
l Parameters. Additional parameters for executing the command, such as the full path name.
l Date Requested. The date the command was sent from the Management Portal.
l Status. Either Elapsed or Executed. The Elapsed time is 24 hours.

To view the Command Log:

1. Click the Logs tab.

2. Click the Command Log tab.
The Command Log opens.

3. If the data exceeds 50 items, you can use the navigation buttons at the bottom to move between
additional pages:

You can also use the Refresh button to update the data:

- 182 -
Glossary

adware
Software designed to display advertisements on your system or hijack web searches (rerouting searches
through its own web page). It may also change your default home page to a specific website. Adware
generally propagates itself using dialog boxes and social engineering methods.

agent
The SecureAnywhere software installed on a PC or other type of endpoint.

console
A console is a collection of one or more devices running a Webroot product and displays as separate sites in
the Managment Portal. When you first registered an account, SecureAnywhere organized your managed
devices into a single console. You can add more consoles for management purposes, if desired.

cookies
Small strings of text designed to help websites remember your browser and preferences. Cookies cannot steal
information off your machine, but some do store personal information that you may not want outside parties
to gather. You can manage cookie settings in your browser's security or privacy preferences. You can also
remove cookies using SecureAnywhere's System Cleaner.

CSV file
Comma-Separated Values file. A file format that stores tabular data.

GPO
Group Policy Object.

- 183 -
Endpoint Protection Administrator Guide

Hostname
The name of the endpoint, which is displayed in the Management Portal.

keycode
Your keycode is the 20-character license that identifies your Webroot account.

keylogger
A system monitor that records keyboard activity. Keyloggers can be used for legitimate purposes, but can also
record sensitive information for malicious purposes.

LDAP
Lightweight Directory Access Protocol. A software protocol for enabling anyone to locate resources such as
files and devices in a network, whether on the public Internet or on a corporate intranet.

LSP
Layered Service Provider.

malware
Malicious software that is designed to destroy or harm your computer system. Malware includes viruses,
spyware, adware, and all types of threats.

Management Portal
The centralized website used for Endpoint Protection, where administrators can view and manage endpoints
and network status. The portal can be divided into sub-portals called "consoles."

MD5
Message-Digest algorithm 5 is a cryptographic hash function that acts like a fingerprint to uniquely identify a
file.

MID
A machine ID that Webroot uses to identify the hardware and OS of an endpoint.

- 184 -
 Glossary

MSI
Microsoft Installer.

phishing
A fraudulent method criminals use to steal personal information. These criminals design websites or email
messages that appear to originate from trustworthy sources, such as eBay, PayPal, or even your own bank.
Typical scams can trick you into entering your user names, passwords, and credit card information.

policy
A policy defines the SecureAnywhere settings on endpoints, including how the program scans for threats and
manages detected items.

portal
A centralized website used to view and manage endpoints and network status. See "Management Portal."

registry
A database of hardware and software settings about your computer’s configuration, such as the types of
programs that are installed. Spyware can create entries in the Windows registry, which can ultimately slow
down your computer and cause problems in your system.

rootkit
A collection of tools that enables administrator-level access to a computer or network. By using file-
obfuscation techniques, rootkits can hide logins, processes, files and logs, and may include software to capture
information from desktops or a network. Spyware developers often use rootkits to avoid detection and
removal.

seat
A SecureAnywhere installation on an endpoint.

spyware
A program that may either monitor your online activities or install programs without your knowledge.
Spyware may get bundled with freeware, shareware, or email attachments. You can also accidentally install
spyware by clicking on dialog boxes in websites. Once installed, spyware can send information about your
online activities to a third party for malicious purposes.

- 185 -
Endpoint Protection Administrator Guide

Trojan Horse
A program that takes control of your computer files, allowing a hacker to install, execute, open, or close
programs. A Trojan is usually disguised as a harmless software program. It may also be distributed as an email
attachment. When you open the program or attachment, the Trojan can launch an auto-installation process
that downloads third-party programs onto your computer.

Undetermined software
A file that may appear legitimate, but also exhibits questionable behavior. In these cases, SecureAnywhere
classifies the file as "Undetermined."

virus
A self-replicating program that can infect computer code, documents, or applications. While some viruses are
purposefully malignant, others are more of a nuisance, replicating uncontrollably and inhibiting system
performance.

VM
Virtual machine.

zero-hour virus
New viruses that do not yet have recorded definitions.

- 186 -
 viewing in Status tab 82
All Threats Seen report 139
Index All Undetermined Software Seen report 141
Allow all denied applications command 68
Allow application command 68
Allow processes blocked by firewall
command 67
A Antimalware Tools commands 67

Access & Permissions 39 B

account
Basic Configuration policy settings 96
changing email address with users awaiting
Behavior Shield policy settings 104
status 37
browsers supported 8
creating 9
editing administrative settings 30 C
registering more users 33
renewing or upgrading 47 Change Console 46
Account Settings 30 Change keycode command 66
admins, adding portal users 33 Change keycode temporarily command 66
Advanced commands 68 change log, generating 180
Advanced Heuristics 100 Change scan time command 65
Age Heuristics 100 Clean up command 66
agent cleaner settings 110
commands for 65 cleanup script 68
deploying to endpoints 50 Clear Data commands 66
generating Agent Version Spread report 134 Clear files command 66
generating installation report 137 Cloud Determination 27
opening on main interface 77 Collapse button in portal 23
Agent Commands 63 columns, sorting in tables 26
Agent Version Spread chart (Status tab) 85 command log 182
Agent Version Spread report (Reports tab) 134 commands
Agents Installed report 137 assigning permissions for using 41
alerts issuing to endpoints 63
assigning permissions for creating 41 Confirm Logon 12
creating a distribution list 157 Consider all items as good command 67
creating customized messages 158 consoles
deleting a distribution list 157 creating separate consoles in the portal 44
overview of configuration 156 providing access to 34
resuming 164 renaming 46
suspending 164
Endpoint Protection Administrator Guide

switching between consoles 46 endpoints

cookies, removing 112 adding seats to your license 42
Core System Shield policy settings 105 assigning to a policy 124
Create New User 33 changing a keycode 59
Create Override 71, 145 changing hardware for 75
Custom/Right-Click Scan 65 creating a shortcut for SecureAnywhere 53
Customer Support Diagnostics command 68 deactivating and uninstalling 73
deploying SecureAnywhere to 50
D duplicates created with new OS 75
Endpoint Infected links 82
Data Inputs, entering for alerts 160
issuing commands to 63
Deep Scan command 65
locking from portal 67
Deep Scan, changing to 98
logging off user from portal 67
default policies
migrating from one policy to another 118
overview of 14
migrating to new OS 75
selecting a new default 89
moving to a new group 127
Deny application command 68
moving to new subnet 75
deploying SecureAnywhere 50
opening SecureAnywhere interface 77
Device MID 27
operating systems allowed 8
diagnostics for Customer Support 68
reinstalling 75
Disable proxy settings command 66
renaming 61
distribution lists
requirements for 8
creating for alerts 157
restarting from portal 67
deleting 157
sending Uninstall command to 66
DOS commands, sending to endpoint 68
using search to locate 62
Download and run a file command 68
viewing assignments in Policies tab 117
Draft column in policy settings 93
Endpoints with Threats on Last Scan report 143
E Explorer, enabling right-click scan 98
exporting data to a spreadsheet 24
email address
F
changing when user does not confirm
registration 37
File & Processes commands 67
limitation on changing 30
firewall
email template for deployment 15, 53
allowing blocked processes 67
Endpoint Installed alerts 158
stopping untrusted processes 67
Endpoint Protection access permissions 35
Firewall policy settings 108
Endpoint Protection menu 22
Endpoint with undetermined software on last G
scan report 146
GPO, using for deployment 58

- 188 -
 Index

groups K
adding new groups 122
applying a policy to 124 keycode
assigning permissions for creating 41 adding to your account 42
deleting 128 changing from endpoint 59
directly deploying endpoints to 55 changing temporarily 66
moving endpoints to another group 127 entering during deployment 50
overview of implementation 120 hiding from endpoint user 96
renaming 129 using agent command to change 66
Keycode commands 66
H
L
Heuristics policy settings 100
language codes for installation 56
I language codes in portal 27
language, changing for portal 19
icons in browser search results 106
license, renewing 47
Identity Shield commands 68
Live column in policy settings 93
Identity Shield policy settings 107
Lock endpoint 67
Infection Detected alerts 158
Log off command 67
Infection Summary alerts 158
login
Install Summary alerts 158
after configuration 19
installation and configuration
first-time login after account creation 12
deploying SecureAnywhere 50
logs
deploying SecureAnywhere (quick method)
Change Log 180
15 Command Log 182
installing agent in background (silent) 50 erasing on endpoint 66
overview of 7
selecting a policy 14 M
system requirements for 8
using GPO for installation 58 Malware Group 28
using MSI for deployment 57 malware reports 132
using proxy commands during Manage Keycodes 42
installation 56 Manage Users 33
using setup wizard 12 Management Portal
Instance MID 28 adding users for 33
alerts in 82
charts in 21
collapsing panels in 23
logging in 19

- 189 -
Endpoint Protection Administrator Guide

removing endpoints from 73 live settings and draft changes 93

setting access permissions 38 overview of implementation 88
MD5 value promoting changes to live 95
locating and saving 167 renaming 114
shown in tables 28 selecting a default during configuration 14
MSI, using for installation 57 selecting a new default policy 89
viewing endpoints assigned to 117
O poll interval, changing for endpoint 97
polling, forcing an immediate poll 76
operating systems
Popularity Heuristics 100
migrating to new 75
portal
supported versions for endpoints 8
adding users for 33
overrides
alerts in 82
applying the "Good" designation 167
charts in 21
assigning permissions for creating 41
collapsing panels in 23
creating from Group Management 170
logging in 19
creating from Reports 172
removing endpoints from 73
creating from Scan History panel 71
setting access permissions 38
deleting 176
Post Cleanup Scan 66
exporting to spreadsheet 177
Power & User Access commands 67
implementation overview 166
Protect an application command 68
locating and entering MD5 values 167
proxy commands, using during installation 56
testing 67
viewing all overrides 174 Q

P quarantine
restoring a file using agent commands 67
password for account
restoring a file using Scan History panel 70
changing 30, 33
Question mark icon 24
defined during registration 10
Quick Scan, changing to 98
forgotten password 12
permissions for portal use 38 R
policies
assigning endpoints to another policy 118 Realtime Shield policy settings 103
assigning permissions for creating 41 Reboot in Safe Mode command 67
changing settings 92 Refresh configuration on endpoints 76
copying policies 91 registering an account 9
creating new policies 90 registry command, sending to endpoint 68
deleting 116 release notes 25
exporting to spreadsheet 115 Remove password protection 66

- 190 -
 Index

renewing your license 47 secure file removal 113

reports SecureAnywhere
overview of 132 changing settings by using policies 92
sorting data in 26 deploying to endpoints 50
Reset desktop wallpaper command 67 generating a version report 134
Reset screen saver command 67 generating installation report 137
Reset system policies command 67 hiding from endpoint user 109
resetting SecureAnywhere settings 66 opening main interface 77
resources, conserving for endpoint 95 using installer file 52
Restart command 67 SecureAnywhere website access 34
Restore file command 67 security code
Restore from Quarantine 70, 145 changing 30
Reverify all files and processes command 67 defining during registration 10
Right-click scan in Explorer, enabling 98 entering during login 12
Run a DOS command 68 security question and answer 10
Run a registry command 68 Self Protection policy settings 100
Run Customer Support script command 68 servers supported 8
setup wizard 12
S shortcut, creating for SecureAnywhere on
endpoint 53, 96
Safe Mode reboot 67
Shutdown command 67
Scan a folder command 65
spreadsheet, exporting data to 24
Scan command 65
Status shown in tables 28
Scan History panel 69
Stop untrusted processes command 67
Scan policy settings 98
subnet, moving endpoints to new subnet 75
Scan Schedule policy settings 97
subscription, renewing 47
Scan Type shown in tables 28
System Cleaner
scanning
command for 66
changing command time for 65
settings for 109
changing frequency 97
system requirements 8
changing scan settings 98
system tray icon, hiding or showing on
checking results from Group Management 69
endpoint 96
generating a threat report 132
issuing command to endpoints 65 T
scanning a single folder 65
scanning with cleanup 66 tables, sorting columns 26
screen saver, resetting 67 task manager settings, changing on endpoint 67
scripts for cleanup 68 Technical Support 25
Search for endpoint 62 television icon 24

- 191 -
Endpoint Protection Administrator Guide

threat blog 25
Threat History (Collated) report 148
Threat History (Daily) report 152
threat reports 132

Undetermined software, locating on

endpoints 133
Uninstall command 66
Unnamed Console 45
Unprotect an application command 68
updates, forcing immediate on endpoint 76
upgrading your account 47
user guides 25
User Interface policy settings 109
user permissions 38
users for portal, adding 33

videos
icon available in panels 24
link from the Product Information panel 25
View commands for selected endpoints 64
virtual servers supported 8

wallpaper, resetting 67
Web Threat Shield policy settings 106
Webroot account 9
Webroot Support 25
Windows Explorer, enabling right-click scan 98
Windows systems supported 8
wsasme.exe 52

- 192 -