The latest Webroot release 188.8.131.52 with its updated wrkrn.sys file seems to have caused some BSOD's with 2008r2 after our systems rebooted last night. I was able to delete the file from a repair command prompt and then reboot into normal operating mode.
I have a ticket in with Webroot support about this issue, but I thought my issue should be shared.
Update: I have talked with an MSP using Webroot who has had the same problem today. They also report that if you reboot your machine again after Webroot has a chance to reinstall the wrkrn.sys file it will start throwing up BSOD messages again.
Already have an account? Login
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
SecureAnywhere Business Release Notes
A validated fix from development will be patched in the upcoming release.
Windows SBS 2008
Webroot: current as of 7/11/17
Page file on C and on another volume
Banged my head for a few hours chasing down BSOD's and swapping out memory modules. I couldn't get to the OS at all and finally used a recovery disk to get at a memory dump. After digging around I remembered news of WR crashing servers and started down that rabbit hole and ended here. Needless to say after renaming the WBkrn.sys file, my server booted fine. Uninstalled WR and things are running fine...however, my server is now unprotected so I still be up all night thinking about that. Yay.
My environment has never had an issue with WR and it's been about 4 years. This is the first, but it hurt...BAD.
Just curious how others nailed down the issue to webroot as my particular experience was that having a 2012R2 VM with paravirtual controllers on VMware 6.0. When it BSOD'd none of the disks were available to write any memory dumps to so I really was flying blind it would just flash up then reboot immediately without writing anything to disk (as it couldn't see them). While we were getting "IRQL NOT LESS OR EQUAL" as opposed to PAGE_FAULT, MS said that they are quite similar.
Issue was only resolved as MS "had many reports of this over the past week" and one of the first questions the tech asked "So.... do you have Webroot installed by any chance?" As soon as the Webroot drivers were set to 4/disabled in the registry accessed by the recovery environment was the issue resolved.
As with others it seems... our swap file was on a different volume and the machine rebooted itself every morning.
While we put every release through rigorous testing, in this case a serious issue was discovered after release that was not seen during testing. Going forward, we are expanding our QA coverage to address an even broader range of customer environments. We will also improve communication to ensure customers are consistently notified of releases in advance, so they are able to control how they roll out updates in their environments. Specific details will be announced in the coming weeks.
There will be other areas where I will raise this concern, but this is all the more reason why Webroot should give its partners the ability to choose whether or not to push a release out selectively or fully. Auto-Update or No Update is not a great method when you are dealing with enterprise and large numbers of agents.
Is there a way to be notified when a new agent version is released so that we may test it?
1 SBS2008 - physical
1 SBS20211 - Virtual on HyperV
1 SBS20211 - Virtual on ESXi
Today I had a Server 2012 on ESXi
When virtual - Boot up the server with only the C Drive.
Windows will create a temp pagefile on C just to work.
Configure the Pagefile to remain on C Drive.
Shutdown and add the additional Disks.
The 184.108.40.206 release made available yesterday replaces the driver component with a known good driver used previously in v220.127.116.11 which had been operating successfully since November 2016. This means that 18.104.22.168 fixes the issue at hand by removing the code changes made in the v22.214.171.124 build, and will allow affected customers to recover with assistance from our support team.
The engineering teams continue to work on determining the root cause of the fault and whilst it was proving difficult to reproduce consistently a new built was determined to be the quickest method of restoring service to impacted customers.
Following reports of difficulties installing the latest Webroot SecureAnywhere Business (WSAB) update v126.96.36.199, a new agent release titled v188.8.131.52 has been deployed automatically to all of our WSAB customers on Thurs 2nd Feb 2017. This version provides relief to those customers experiencing installation problems.
Webroot apologizes for any inconvenience caused by this updated release. Our 24/7 Support team is briefed and available to customers who may have any questions or concerns about this update.
Webroot’s Business Technical Support - call 1-866-254-8400 or open a Support Ticket: http://mysupport.webrootanywhere.com/supportwelcome.aspx?SOURCE=ENTERPRISEWSA
Also wondering if anyone who has had this issue did NOT also have the January Quality update from Microsoft installed? I'm wondering if perhaps it was this version of WR and the Quality update.
We installed the security only update and so far to my knowledge have not had issues.
It did restart last night, but it shows version 9.10.21 in add/remove programs and the portal, so not sure if it tried updating or what.
Edit#1 I logged in in safe mode, added registry key to be able to run msiexec, uninstalled WR and rebooted. Went through finninshing applying updates and then rolled back, but then booted to Windows fine, so maybe not that version of WR, but a Windows update / WR combination.
Edit#2 This is the update that shows failed now fromlast night
January, 2017 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB3212646)
We had a Windows Small Bsuiness Server 2008 machine crash 2 nights ago and are running from our backup device now.
I was able to only recreate the issue in a lab environment on 2012R2 if I set paging file staticly on the 😨 volume.
My account manager thinks this is related to an NVidia driver that has been out for 5 weeks, I don't quite agree with that
Has anyone seen that happening? Can this be confirmed?
Thank you for the great information. Please keep an eye out for the C:WindowsMEMORY.DMP file.
Software Engineer | Webroot Inc.