Remediating a false positive

If a file was incorrectly detected as bad and quarantined by Webroot Endpoint Protection, there are multiple options available to the Business admin to reverse the false positive detection and restore it.

Webroot does all it can to avoid creating false positives, there is higher chance of them occurring with custom applications. When a false positive occurs, a good file override should be created to prevent the file from being quarantined again.

Below are the options available for remediating a false positive:

Option 1 contains steps to create a good global file override and restore the file using the Webroot Management console.
Options 2 and 3 focus on using the Webroot agent GUI to restore the file. When the Webroot agent GUI is used to restore a file from quarantine, it creates a local good override as part of the restore process.
Option 4 references using a Windows restore point. A good file override will need to be created for this option to be effective.

+Option 1: Agent Commands via the Webroot Management console

You can use the Webroot Management console to create a good file override and restore the file from quarantine.

Log in to the Webroot Management console.
On the Entities page, click the device to see its details, then click the Scan History tab.
Find the most recent scan with Threats Detected and click the caret next to the scan to display a list of the detected files.
Under Actions, click the 3 dots. Choose Add File to Allow List, provide a Name / Description, leave MD5 as the type (Webroot provides the MD5 value), then click Create. This creates the good global file override.
Under Actions, click the 3 dots. Choose Restore from Quarantine, then click Restore File.
Use the Entities page to find the device and send the Agent Command - Re-Verify Data. Then immediately send the Agent Command - Run Scan.

The good global file override will prevent this file from being quarantined in the future. However, any devices that had this file quarantined will need the Restore File Agent Command issued to them to restore the quarantined file.

+Option 2: Access to agent - Unmanaged policy must be applied

If you can access the affected devices and launch the Webroot agent GUI, you can use the agent GUI to restore the files from quarantine (click the PC Security gear icon > Quarantine). The Webroot agent needs to have the Unmanaged endpoint policy applied for this to be possible.

+Option 3: Access to agent - reboot to safe mode w/ networking

If the devices are having difficulty booting normally, try booting in Safe Mode with networking. Once the system boots, open the Webroot GUI and restore the files from quarantine. This should restore the machine to a state prior to the issue.

+Option 4: Restore Point

If you are running in an Active Directory environment and have recent restore points for the affected machines, it is recommended to create a script to roll these machines back to a time prior to the issue.

Important information for Option 4: A good file override needs to be created for the file or the false positive reversed, otherwise the file will be quarantined again.

If you need additional assistance, please contact Webroot Support.

Thanks for your feedback!