SOLVED: Issue for Mac users


Userlevel 7
Badge +47
  • Community and Advocacy Manager
  • 1328 replies
The Issue:
On April 5, 2018, Webroot experienced an issue affecting some business and consumer customers using Webroot SecureAnywhere in Mac environments. Webroot incorrectly identified some Adobe and other software files as malware. Actual malicious files were identified and blocked as normal. 
 
The Solution:
The Webroot team is aware of this issue and has released a fix:  definition build 822.  Customers should confirm they are running this definition build, and can update Webroot on devices by right clicking on the Systems Tray. Do not quarantine any files until you’ve updated to definition build 822.
 
If you have already quarantined files, please do not restart the system or the Webroot agent. Restore the items from quarantine first, and then rescan after you have updated the definition build.
 
If you have just scanned your computer and have not yet quarantined any files, close the scan results screen. Then update and verify you are on definition build 822, and rescan.
 
We appreciate your patience and working with us in resolving this issue. For more information, please see our Knowledge Base article here
 
 

27 replies

Userlevel 6
Badge +28
So what happens if the user already has rebooted not knowing and the agent updates ?
 
Tell me this isn't another issue like the false positive one a while back. 
Userlevel 4
Badge +16
This is ....... less than helpful.
 
  1. No mention of which Apps / files are incorrectly detected.
  2. Where do you find the build version? (turns out it is : Open the full app, WRSA > About .. > attached to the version number : Version 9.0.6.72: 821 ; nowhere labeled as such)
  3. Updating: On a Mac there is no 'System Tray' - it's called the Dock. There is no Webroot icon there unless you pinned it or it is running. Finally, right-clicking doesn't give you any options to update.
  4. Check for updates in the app reports it is up-to-date and doesn't increase the build number (guess: it is only checking for app updates).
  5. (on a side note: A (legit) app update on a Mac almost always triggers WR - the approval speed for mainstrean Apple apps updates needs to be faster.
How can I push out webroot to all 300 macs from the panel?  And this is a nightmare it's shut down 3 marketing companies who suddenly had to stop working yesterday while Webroot was ripping out their day-to-day software.
 
This is now the second time in a year that Webroot's false positives have totally wrecked whole sections of my customer base.  The worst part is that I have no way to stop it...so I'm forced to sit there while 6 dozen tickets come in first the alerts from webroot then clients saying that their Adobe products have stopped working.
 
As of this morning I've had at least 30 requests for dispatch already to re-install adobe, none of it I can bill.
 
Userlevel 7
Badge +35
@ wrote:
The Issue:
On April 5, 2018, Webroot experienced an issue affecting some business and consumer customers using Webroot SecureAnywhere in Mac environments. Webroot incorrectly identified some Adobe and other software files as malware. Actual malicious files were identified and blocked as normal. 
 
The Solution:
The Webroot team is aware of this issue and has released a fix:  definition build 822.  Customers should confirm they are running this definition build, and can update Webroot on devices by right clicking on the Systems Tray. Do not quarantine any files until you’ve updated to definition build 822.
 
If you have already quarantined files, please do not restart the system or the Webroot agent. Restore the items from quarantine first, and then rescan after you have updated the definition build.
 
If you have just scanned your computer and have not yet quarantined any files, close the scan results screen. Then update and verify you are on definition build 822, and rescan.
 
We appreciate your patience and working with us in resolving this issue. For more information, please see our Knowledge Base article here
 
 
To add to this, if you are able to locally manage the affected system, refer to this link on how to remove the files from quarantine, assuming you are on build 822. If you are unsure about which build you are on, refer to the image below.
 
https://docs.webroot.com/us/en/home/wsa_mac_userguide/wsa_mac_userguide.htm#ManagingQuarantine/ManagingQuarantinedItems.htm%3FTocPath%3DManaging%2520Quarantine%7C_____1 
 


 
For anyone that is only able to manage through the GSM console (or only remotely), we are currently looking into a resolution and should have something here shortly.
 
If any users have Time Machine available on their Mac (local or remote), do note that it can reverse the quarantined files and restore them.
Userlevel 7
Badge +55
@ look for a PM from me!
 
Thanks,
 
Daniel
Userlevel 6
Badge +28
How do you update the build?  Shouldn't this be done automatically when the agent polls? 
 
If not, how do we force the update or direct users to update?
Userlevel 7
Badge +35
@ wrote:
How do you update the build?  Shouldn't this be done automatically when the agent polls? 
 
If not, how do we force the update or direct users to update?
Run one or two scans locally on the machine to update the build.
 
To check the Def version:
 
It's available either via Taskbar > "About SecureAnywhere", or local GUI > My Account > "About SecureAnywhere". It should show it in the following manner: "Agent version: threat definition version"
Userlevel 4
Badge +16
@ wrote:
@ wrote:
How do you update the build?  Shouldn't this be done automatically when the agent polls? 
 
If not, how do we force the update or direct users to update?
Run one or two scans locally on the machine to update the build.
 
Unless there are good reasons to not include the build in an "Check for Updates' please add that to the process. Making a user run two scans to get a build update does not make sense.
 
Userlevel 1
@simply no sense...
 
I suggest an immediate to do:
  1. put the definition in the "Agent Version" column in GSM (you don't manage 300 Mac like @...)
  2. find an easy and immediate way to force the definition update for Mac agents from GSM
  3. put a button or a menu item to force the definition update in client GUI (2 scans for about 30 mins each in my Mac)
 
If you don't choose a correct path to solve this issue you declare that Webroot is a mediocre product with a mediocre developer team and a mediocre support service...
 
"We are determined to learn from this service issue experience, and build an even better Webroot." - Mike Malloy in Letter to Customers - May 19, 2017
 
:-/
 
I'd like to add that the instructions:
 
It's available either via Taskbar > "About SecureAnywhere", or local GUI > My Account > "About SecureAnywhere". It should show it in the following manner: "Agent version: threat definition version"
 
Don't mean anything if you don't let the users access the GUI (which I might add is disabled in the Reccomended Default) and even if it wasn't I certainly cannot get out an email fast enough to 300+ users to wander through trying to stop their AV from trashing their system.  90% don't even know what a webroot is, which is why they pay me to manage it for them.
 
 
Userlevel 1
For us RMM people with shell access: 
 
/usr/libexec/PlistBuddy -c "print :???PRODUCTSTATUS:Version" "/Library/Application Support/Webroot/WRAgentData.plist"
Hey guys,
 
It's Saturday now and my mac units are still killing adobe.  I've not yet made the drastic step of ripping all the webroots off but we are really close to doing that.
 
My agents are still sitting at 9.0.6.72 and I have no way to mass update them when they come online from the portal.
 
Whats the status on the update push out feature?  Also scheduling a reinstall via script just nets the same exact version.
 
 
 
Userlevel 6
Badge +28
Need to get this fixed ASAP guy/gals. I'm still getting thousands of alerts. I've essentially had to tell clients to leave the computers alone. 
 
I'm hoping somebody loses their job over this as we are losing lots of $$$ with support calls etc and clients with systems down. 
 
 
Userlevel 1
I'm an individual user of WebRoot. I followed your directions (run the scan one or two times) and I still cannot tell what my version of WebRoot is. It also tells me following the scan that there are still threats in my system and asks if I wish to remove those detected threats (which, based on my read of this thread, I do not want to do otherwise I may lose some Adobe functionality).
I'd really like to a) get WebRoot updated (still not sure how I can do that - why can't there be a simple download or update button to click?) and b) not lose those quarantned Adobe files. Would you mind providing some guidance, in laymen terms, as to how I do both of these things? Thank you.
Userlevel 7
Badge +55
Hello,
 
All I can suggest is to Submit a Support Ticket as they are staffed 24/7/365. It's sad this issue is not fixed for some users still since Thursday.
 
Apologizes,
 
Daniel
Since it's now Sunday and I'm still getting Mac's reporting in with false Adobe alerts I'm assuming it's still not fixed and there is no fix in sight.
 
I want to share the steps here to repair Adobe that have worked for us....as far as I know this is the only way to repair the Adobe install so that it doesn't give weird errors.  Just doing a reinstall doesn't fix it.
 
Remove Webroot and leave it off
 
Click on Finder and then hold Command + Shift + G keys on your keypad

It will open Go to folder window, type  exactly ~/Library and click on Go

Then open Application Support > Adobe folders

Trash AAMUpdater and OOBE folders.

Now click on finder and hold Command + Shift + G keys on your keypad.

This time type /Library and click on Go.

Make sure to remove ~ symbol.

Then open Application Support > Adobe folders.

Trash AAMUpdater, Adobe Application manager, OOBE folders.

Now Click on Finder and then hold Command + Shift + U keys on your keypad.

It will open utilities folder.

Trash Adobe Application Manager folders

Download and install Adobe Application Manager
Userlevel 7
Badge +47
I am sorry to hear that you are still having issues around this. I have sent in the information that I could gather from this thread to our support team and will respond back with an update. 
 
Thank you. 
 
 
Userlevel 7
Badge +47
I was able to talk with support and it's best that if you haven't, to contact them directly as they will need to look at your issue 1:1. 
 
You can call them or open up a support ticket here.
 
Thank you 
Yea I opened a ticket and support told me the exact same thing you guys have said here...however that doesn't apply or doesn't work if you are an MSP with 3 dozen macs spread across dozens of clients.
 
We still have no way to see the definition level in the panel nor for an update. 
 
I appreciate you trying and I sympathize that you are in an unwinnable situation but I've got a hot mess on my hands and it's getting worse every day as agents come online after spring break. 
 
Surely you guys can push something out from the panel to stop this....
Userlevel 1
Follow up on this item. I just spoke with Rob C. in Support. Sounds like WebRoot was caught unaware by an Adobe update last week.
 
Rob promptly helped me solve the problem and get me on my way. Appreciate the quick, friendly, helpful service. Hope others find they receive the same help I got from Rob.
Userlevel 6
Badge +28
@
 
Can you share what you needed to do? At the moment I'm NOT touching anything other than making sure the files aren't quarantined or that they're taken out. 
Looks like we got another one as well....when I applied 823 now i'm getting this on several machines
 
, ApplicationsMicrosoft Office 2011OfficeShared ApplicationsProofing ToolsSwedishGrammar.proofingtoolContentsMacOS, 00000000000000000000000000000000
 
 
Userlevel 1
@
Actually, I did very little. As an individual user Rob in support handled it remotely (via LogMeInRescue).
 
What was happening in my case was the system was continuing to show the previously identified threats as "unaddressed" (not sure of the precise lingo), so they kept popping back up even when I did a scan with the updated version of WebRoot (I'm now up to version 823). Rob went into the settings and basically adjusted the settings so WebRoot would ignore these past "threats" (all false positives). When we ran the scan again everything was clean as a whistle.
 
Not a very technical explanation, but that's the gist of it. Don't know if it will help all those providing IT support to multiple clients/customers, but it's all I got. I wish you all good luck!
Ted
 
Userlevel 1
P.S. For me, it was best to get on the phone and speak directly with the support team. It worked for me; maybe it will work for others.
Userlevel 7
Badge +47
@ wrote:
P.S. For me, it was best to get on the phone and speak directly with the support team. It worked for me; maybe it will work for others.
Great to hear. I would highly recommend if anyone else is experiencing an issue to call into support here
 
 

Reply