Using reports to add file overrides for Webroot Business Endpoint Protection

You can use reports to add file overrides for Webroot Business Endpoint Protection. Reports are available in the Webroot Management console and the Endpoint Protection console. Each console is used for different functions.

Webroot Management console
This is the primary console and is where most settings are managed.

Manages global file level overrides.
The site configuration setting Include Global Overrides is configured here. This setting determines if the site uses global file overrides or not.
File overrides are either Good and allow a file to execute or Bad and block a file from executing.

Below is a list of the override types and the reports used to create them. Click a report name to see instructions for running the report and creating an override.

Good
+All Threats Seen

Log in to the Webroot Management console.
In the left nav bar, click Reports.
In the Create Report section, use the drop-down menus to select:
- Site - Select All sites or a specific site
- Report - Under File Threat Reports, select All Threats Seen
- Period (will appear once the All Threats Seen report is selected) - choose a period that contains when the files that you want to override were detected by Webroot.
Click Submit.
The All Threats Seen report displays the following information:
- Filename - name of the file detected as a threat
- Pathname - file path of where the file was detected
- Malware Group - type of malware detected
- Last Seen - when the file was last detected
- Hostname - the name of the device where the file was detected
- Site - site that the device belongs to
- Actions column - provides the ability to add a good override and restore the file from quarantine
Under the Actions column, click the icon on the left (shaped like a document with a check mark on it). This opens the New Allow List Entry window.
In the New Allow List Entry window, enter or make selections for:
- Name / Description - text to name and describe the override
- Override Type - choose MD5 or Folder / File
  - MD5 - When creating an MD5 based override using reports, the MD5 of the file is supplied by Webroot and there is nothing more to configure.
  - Folder / File -
    - File Mask (optional) - you can enter a specific file name or use a wildcard to apply the override to all files of a certain type (e.g. *.exe to target all executable files). If left blank, will apply to all files in the path/folder.
    - Path / Folder Mask: The folder to target for the override. You can specify an absolute path or use a system variable. To see a list of supported system variables, enter a % into the Path / Folder Mask box.
      
      Note: System environment variables may differ from system to system and should be confirmed before being used.
    - Include Sub-folders check box:
      - Checked - applies the override to the current folder and any sub-folders.
      - Unchecked - only applies to the directory specified and not to sub-directories.
    - Detect if Malicious check box:
      - Checked - monitoring and journaling is disabled, but the agent will continue to monitor the location for malicious file activity. If malicious files are detected, they are remediated according to the policy settings.
      - Unchecked - files in this location are allowed to execute without Webroot protection.
Click Create to finish the process.

Good and Bad
+All Undetermined Software Seen

Log in to the Webroot Management console.
In the left nav bar, click Reports.
In the Create Report section, use the drop-down menus to select:
- Site - Select All sites or a specific site
- Report - Under File Threat Reports, select All Undetermined Software Seen
- Period (will appear once the All Undetermined Software Seen report is selected) - choose a period that contains when the files that you want to override were detected by Webroot.
Click Submit.
The All Threats Seen report displays the following information:
- Filename - name of the file detected as a threat
- Pathname - file path of where the file was detected
- Last Seen - when the file was last detected
- Hostname - the name of the device where the file was detected
- Site - site that the device belongs to
- Actions column - provides the ability to add a good or bad override
You can create a good override to allow the file to execute or a bad override to block the file.
- To create a Good override:
1. Under the Actions column, click the icon on the left (shaped like a document with a check mark on it). This opens the New Allow List Entry window.
2. In the New Allow List Entry window, enter or make selections for:
  - Name / Description - text to name and describe the override
  - Override Type - choose MD5 or Folder / File
    - MD5 - When creating an MD5 based override using reports, the MD5 of the file is supplied by Webroot and there is nothing more to configure.
    - Folder / File -
      - File Mask (optional) - you can enter a specific file name or use a wildcard to apply the override to all files of a certain type (e.g. *.exe to target all executable files). If left blank, will apply to all files in the path/folder.
      - Path / Folder Mask: The folder to target for the override. You can specify an absolute path or use a system variable. To see a list of supported system variables, enter a % into the Path / Folder Mask box.
        
        Note: System environment variables may differ from system to system and should be confirmed before being used.
      - Include Sub-folders check box:
        
        Checked - applies the override to the current folder and any sub-folders.
        
        Unchecked - only applies to the directory specified and not to sub-directories.
      - Detect if Malicious check box:
        
        Checked - monitoring and journaling is disabled, but the agent will continue to monitor the location for malicious file activity. If malicious files are detected, they are remediated according to the policy settings.
        
        Unchecked - files in this location are allowed to execute without Webroot protection.
- To create a Bad override:
  
  Note: You can only create bad file overrides based on MD5 and not file / path.
1. Under the Actions column, click the icon on the right (shaped like a document with an X on it). This opens the New Allow List Entry window.
2. In the New Allow List Entry window, enter or make selections for:
  - Name / Description - text to name and describe the override
Click Create to finish the process.

+Devices with Undetermined Software on Last Scan

Log in to the Webroot Management console.
In the left nav bar, click Reports.
In the Create Report section, use the drop-down menus to select:
- Site - Select All sites or a specific site
- Report - Under File Threat Reports, select Devices with Undetermined Software on Last Scan
- Period (will appear once the All Undetermined Software Seen report is selected) - choose a period that contains when the files that you want to override were detected by Webroot.
Click Submit.
The Devices with Undetermined Software on Last Scan report displays the following information:
- Device Name - the name of the device where the file was detected
- Site - site that the device belongs to
Click a Device Name to see:
- Filename - name of the file detected as a threat
- Pathname - file path of where the file was detected
- Last Seen - when the file was last detected
- Actions column - provides the ability to add a good or bad override
You can create a good override to allow the file to execute or a bad override to block the file.
- To create a Good override:
1. Under the Actions column, click the icon on the left (shaped like a document with a check mark on it). This opens the New Allow List Entry window.
2. In the New Allow List Entry window, enter or make selections for:
  - Name / Description - text to name and describe the override
  - Override Type - choose MD5 or Folder / File
    - MD5 - When creating an MD5 based override using reports, the MD5 of the file is supplied by Webroot and there is nothing more to configure.
    - Folder / File -
      - File Mask (optional) - you can enter a specific file name or use a wildcard to apply the override to all files of a certain type (e.g. *.exe to target all executable files). If left blank, will apply to all files in the path/folder.
      - Path / Folder Mask: The folder to target for the override. You can specify an absolute path or use a system variable. To see a list of supported system variables, enter a % into the Path / Folder Mask box.
        
        Note: System environment variables may differ from system to system and should be confirmed before being used.
      - Include Sub-folders check box:
        
        Checked - applies the override to the current folder and any sub-folders.
        
        Unchecked - only applies to the directory specified and not to sub-directories.
      - Detect if Malicious check box:
        
        Checked - monitoring and journaling is disabled, but the agent will continue to monitor the location for malicious file activity. If malicious files are detected, they are remediated according to the policy settings.
        
        Unchecked - files in this location are allowed to execute without Webroot protection.
- To create a Bad override:
  
  Note: You can only create bad file overrides based on MD5 and not file / path.
1. Under the Actions column, click the icon on the right (shaped like a document with an X on it). This opens the New Allow List Entry window.
2. In the New Allow List Entry window, enter or make selections for:
  - Name / Description - text to name and describe the override
Click Create to finish the process.

Endpoint Protection console
This is the legacy console, used for specific functions.

Manages site-level overrides.
Allows site-level overrides to be assigned to policies, providing more granular control.
Site-level overrides take precedence over global overrides
Policy assigned overrides take precedence over site-level overrides.
File overrides are either Good and allow a file to execute or Bad and block a file from executing.

Here is a list of the override types and the reports used to create them:

Good:
+Webroot Endpoint Protection console Report: All Threats Seen

Log in to the Webroot Management console.
In the left nav bar, select Sites List and find the Site you want to create an override for. You can also use the box at the top of the page to search for a Site by name.
On the right side of the screen under the Subscriptions column, hover your mouse over E and click the rectangular icon with the arrow pointing to the upper right. This opens the Endpoint Protection console.
In the top nav bar, click the Reports tab.
In the Select your report panel, from the Report Type drop-down menu, select All Threats Seen.
Leave the other options deselected, click the Submit button to generate the report.
Select the files you want to add an override for, click the Create override button.
- To create whitelist or blacklist overrides for multiple files, you can select all the files that require the same type of override to make the process easier.
In the Create override window, populate the following fields:
- From the Determination drop-down menu, select Good or Bad.
- In the Description field, enter a description for the override.
- For the Assign to a policy field, check the box to display a Policy drop-down menu and select a policy.
- For the Create this as a global (GSM) override field, selecting the box will result in the override being created as a global override, which removes the option to assign it to a policy. This is optional and should only be used when you want to assign this override to a specific policy.
- Click the Save button to save the override.

+Webroot Endpoint Protection console Report: Endpoints with threats on last scan

Log in to the Webroot Management console.
In the left nav bar, select Sites List and find the Site you want to create an override for. You can also use the box at the top of the page to search for a Site by name.
On the right side of the screen under the Subscriptions column, hover your mouse over E and click the rectangular icon with the arrow pointing to the upper right. This opens the Endpoint Protection console.
In the top nav bar, click the Reports tab.
In the Select your report panel, from the Report Type drop-down menu, select Endpoints with threats on last scan.
Leave the other options deselected, click the Submit button to generate the report.
The top section will display devices with threats. Select the device you are interested in, the bottom section will show all the files that were detected as threats.
Select the files you want to add an override for, click the Create override button.
- To create whitelist or blacklist overrides for multiple files, you can select all the files that require the same type of override to make the process easier.
In the Create override window, populate the following fields:
- From the Determination drop-down menu, select Good or Bad.
- In the Description field, enter a description for the override.
- For the Assign to a policy field, check the box to display a Policy drop-down menu and select a policy.
- For the Create this as a global (GSM) override field, selecting the box will result in the override being created as a global override, which removes the option to assign it to a policy. This is optional and should only be used when you want to assign this override to a specific policy.
- Click the Save button to save the override.

+Webroot Endpoint Protection console Report: Endpoints with undetermined software

Log in to the Webroot Management console.
In the left nav bar, select Sites List and find the Site you want to create an override for. You can also use the box at the top of the page to search for a Site by name.
On the right side of the screen under the Subscriptions column, hover your mouse over E and click the rectangular icon with the arrow pointing to the upper right. This opens the Endpoint Protection console.
In the top nav bar, click the Reports tab.
In the Select your report panel, from the Report Type drop-down menu, select Endpoints with undetermined software.
Leave the other options deselected, click the Submit button to generate the report.
The top section will display devices with threats. Select the device you are interested in and the bottom section will show all the files that were detected as threats.
Select the files you want to add an override for, click the Create override button.
- To create whitelist or blacklist overrides for multiple files, you can select all the files that require the same type of override to make the process easier.
In the Create override window, populate the following fields:
- From the Determination drop-down menu, select Good or Bad.
- In the Description field, enter a description for the override.
- For the Assign to a policy field, check the box to display a Policy drop-down menu and select a policy.
- For the Create this as a global (GSM) override field, selecting the box will result in the override being created as a global override, which removes the option to assign it to a policy. This is optional and should only be used when you want to assign this override to a specific policy.
- Click the Save button to save the override.

+Webroot Endpoint Protection console Report: Threat History (Daily)

Log in to the Webroot Management console.
In the left nav bar, select Sites List and find the Site you want to create an override for. You can also use the box at the top of the page to search for a Site by name.
On the right side of the screen under the Subscriptions column, hover your mouse over E and click the rectangular icon with the arrow pointing to the upper right. This opens the Endpoint Protection console.
In the top nav bar, click the Reports tab.
In the Select your report panel, from the Report Type drop-down menu, select Threat History (Daily).
Select a date range by clicking the calendar icon (under Between) to set the starting date and clicking the calendar icon (under And) to set an end date. Note: This report goes back a maximum of 90 days.
Click the Submit button to generate the report.
The top section displays the selected date range and shows the number of devices infected each day. Select the device you are interested in to display more details about that endpoint in the bottom section.
In the Blocked Programs column in the bottom section, click View.
In the Programs blocked on this endpoint window, select the files you want to add an override for and click the Create override button.
- To create whitelist or blacklist overrides for multiple files, you can select all the files that require the same type of override to make the process easier.
In the Create override window, populate the following fields:
- From the Determination drop-down menu, select Good or Bad.
- In the Description field, enter a description for the override.
- For the Assign to a policy field, check the box to display a Policy drop-down menu and select a policy. This is optional and should only be used when you want to assign this override to a specific policy.

+Webroot Endpoint Protection console Report: Threat History (Collated)

Log in to the Webroot Management console.
In the left nav bar, select Sites List and find the Site you want to create an override for. You can also use the box at the top of the page to search for a Site by name.
On the right side of the screen under the Subscriptions column, hover your mouse over E and click the rectangular icon with the arrow pointing to the upper right. This opens the Endpoint Protection console.
In the top nav bar, click the Reports tab.
In the Select your report panel, from the Report Type drop-down menu, select Threat History (Collated).
Select a date range by clicking the calendar icon (under Between) to set the starting date and clicking the calendar icon (under And) to set an end date. Note: This Report goes back a maximum of 90 days.
Click the Submit button to generate the report.
The top section displays the total number of devices that have encountered threats and the number of programs blocked.
Click the Endpoints with threats column to display all the devices that have encountered threats in the bottom panel. To add an override using this information skip to step 11.
Click the Blocked Program column to display files detected as threats in the bottom panel.
Click the file to open another window with more information about the file. Click the Create override button in the top right part of this window to open the Create override window and skip to step 13.
In the Blocked Programs column in the bottom section, click View.
In the Programs blocked on this endpoint window, select the files you want to add an override for and click the Create override button.
- To create whitelist or blacklist overrides for multiple files, you can select all the files that require the same type of override to make the process easier.
In the Create override window, populate the following fields:
- From the Determination drop-down menu, select Good or Bad.
- In the Description field, enter a description for the override.
- For the Assign to a policy field, check the box to display a Policy drop-down menu and select a policy. This is optional and should only be used when you want to assign this override to a specific policy.

Good and Bad:
+Webroot Endpoint Protection console Report: All Undetermined Software Seen

Log in to the Webroot Management console.
In the left nav bar, select Sites List and find the Site you want to create an override for. You can also use the box at the top of the page to search for a Site by name.
On the right side of the screen under the Subscriptions column, hover your mouse over E and click the rectangular icon with the arrow pointing to the upper right. This opens the Endpoint Protection console.
In the top nav bar, click the Reports tab.
In the Select your report panel, from the Report Type drop-down menu, select All Undetermined Software Seen.
Leave the other options deselected, click the Submit button to generate the report.
Select the files you want to add an override for, click the Create override button.
- To create whitelist or blacklist overrides for multiple files, you can select all the files that require the same type of override to make the process easier.
In the Create override window, populate the following fields:
- From the Determination drop-down menu, select Good or Bad.
- In the Description field, enter a description for the override.
- For the Assign to a policy field, checking the box will display a Policy drop-down menu allowing a policy to be selected.
- For the Create this as a global (GSM) override field, checking the box will create a global override, which removes the option to assign it to a policy. This is optional and should only be used when you want to assign this override to a specific policy.
- Click the Save button to save the override.

+Webroot Endpoint Protection console Report: Endpoints with undetermined software

Log in to the Webroot Management console.
In the left nav bar, select Sites List and find the Site you want to create an override for. You can also use the box at the top of the page to search for a Site by name.
On the right side of the screen under the Subscriptions column, hover your mouse over E and click the rectangular icon with the arrow pointing to the upper right. This opens the Endpoint Protection console.
In the top nav bar, click the Reports tab.
In the Select your report panel, from the Report Type drop-down menu, select Endpoints with undetermined software.
Leave the other options deselected, click the Submit button to generate the report.
The top section will display devices with threats. Select the device you are interested in and the bottom section will show all the files that were detected as threats.
Select the files you want to add an override for, click the Create override button.
- To create whitelist or blacklist overrides for multiple files, you can select all the files that require the same type of override to make the process easier.
In the Create override window, populate the following fields:
- From the Determination drop-down menu, select Good or Bad.
- In the Description field, enter a description for the override.
- For the Assign to a policy field, checking the box will display a Policy drop-down menu allowing a policy to be selected.
- For the Create this as a global (GSM) override field, checking the box will create a global override, which removes the option to assign it to a policy. This is optional and should only be used when you want to assign this override to a specific policy.
- Click the Save button to save the override.

For more information on file overrides, see:

Thanks for your feedback!