W32.Trojan.Gen. False Positive Fix - April 24



The updated page 1 solution does not work. No policy updates get to the client computers from the webroot servers.
The thing is too, we've been submitting suggestions and recommendations, and complaints, and questions about all sorts of parts of the Webroot management portal, which doesn't seem properly built for MSPs.  Lack of proper filtering in the "Reports" views, inability to do things that you really need to do in a central portal.  And really, over the years none of this has improved.  They're also lacking in license management/integration with major PSAs.  So Windows 10 Anniversary Update goes out... almost every computer now shows up twice.  And now the same thing for Creator's update.  And other random changes on a system, can't figure out what.  And an inability to enable a password-locked override (have to move entirely to Unmanaged profile, which does what else, loses all overrides?  Not sure) policy to be able to manually override something as needed on an endpoint.
 
Oh, and then many computers and some servers, if they shutdown improperly (at least that's the only reason we could figure out) sometimes when starting up they blue screen and won't recover due to a failed/corrupted Webroot system file.  It can't be remotely fixed on workstations unless you have vPro working.  Never saw this get fixed either and we've still seen some recent cases of this.
 
So it's not just this singular mess-up, it's a pile-up of a bunch of things in our eyes that make it a lot less usable than it should be... this just finalized it for us.  And yes, we have to apologize to customers too.  It's time to go elsewhere.
@ wrote:
Silly question coming from an IT-outsider just trying to restore our critical software for a doctor's office. When I log in to webroot console, I have no tab for "Group Management" - any suggestions?
what do you see? some of us have partner portals that may differ
Only a few months ago we had all the virtual servers blue screen from a Webroot update and now this....I feel some restitution is in order.  Hundreds of hours of labor has been involved in these 2 incidents alone and I know everyone else is in the same boat.  What other A/V products are others using as MSPs?  I'm ready to move on.....
I'd love to know the answer to question @  posted.
CEO just called me. It's over webroot. You goofed for the last time.
Silly question coming from an IT-outsider just trying to restore our critical software for a doctor's office. When I log in to webroot console, I have no tab for "Group Management" - any suggestions?
and now facebook.com is showing as a "High Risk Site" , did webroot get hacked?
If files end up in the c:\quarantine folder, it's because the files are in use, or samba is keeping a placeholder file in place and preventing an overwrite. I was able to solve the issue on one server by closing the samba connections to the folder in question and then overwriting the file.
Webroot:  When allow policies finally apply to an endpoint, will that restore previously-quarantined items if they're now on an allow/exception policy?
Thank you LowellP. I'm guessing the new content included the message that MSPs are still waiting for the Universal solution?
The initial post in this forum from Webroot has been updated (new content added/changed).
 
This was just supposed to be a reply to station2646's question... forums that don't properly visually thread are annoying.
This is a major flaw that I cannot restore the files myself...

Looking at my threat logs...it even deleted any files open in the exe or perhaps associated.

For example:
Deleting File> c:\program files (x86)\goverlan v8\goverrmc.exe
Deleting File> C:\Users\jprice\AppData\Roaming\Goverlan\GoverlanV8_DB.db3
Deleting File> C:\Users\jprice\AppData\Roaming\Goverlan\GoverlanV8_DB.db3
Deleting File> C:\Users\jprice\AppData\Roaming\Goverlan\GoverlanV8_DB.db3

Will the restore get those files back as well???
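Added example (not from this thread or from Webroot): a small Python helper that turns the "Deleting File>" lines of a threat log like the one quoted above into a deduplicated restore checklist, splitting program binaries (which later replies say needed a reinstall) from user data (restore from quarantine or backup). The sample log is constructed from the paths quoted above; the classification rules are an assumption, not Webroot's own.

```python
import re
from collections import OrderedDict

# Constructed sample in the "Deleting File> <path>" form quoted in the post;
# the repeated .db3 line mirrors the duplicate entries seen in the real log.
SAMPLE_LOG = """\
Deleting File> c:\\program files (x86)\\goverlan v8\\goverrmc.exe
Deleting File> C:\\Users\\jprice\\AppData\\Roaming\\Goverlan\\GoverlanV8_DB.db3
Deleting File> C:\\Users\\jprice\\AppData\\Roaming\\Goverlan\\GoverlanV8_DB.db3
Deleting File> C:\\Users\\jprice\\AppData\\Roaming\\Goverlan\\GoverlanV8_DB.db3
Some unrelated log line that must be ignored
"""

# Match only the deletion records; other log lines are skipped.
DELETE_RE = re.compile(r"^Deleting File>\s*(?P<path>.+?)\s*$", re.IGNORECASE)


def deleted_paths(log_text):
    """Return unique deleted paths in first-seen order.

    Windows paths are case-insensitive, so the dedup key is lower-cased while
    the original spelling is kept for the checklist.
    """
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = DELETE_RE.match(line)
        if m:
            seen.setdefault(m.group("path").lower(), m.group("path"))
    return list(seen.values())


def classify(path):
    """Assumed rule: user-profile data is 'userdata' (restore from quarantine
    or backup), anything under Program Files is 'program' (reinstall app)."""
    p = path.lower()
    if "\\appdata\\" in p or p.startswith("c:\\users\\"):
        return "userdata"
    if "program files" in p:
        return "program"
    return "other"


def restore_inventory(log_text):
    """Group the unique deleted paths by the recovery action they need."""
    inv = {"program": [], "userdata": [], "other": []}
    for path in deleted_paths(log_text):
        inv[classify(path)].append(path)
    return inv
```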
@ wrote:
Thanks. I eventually figured that out, but oddly enough the files wouldn't actually restore this way either. It let me restore the files but they never appeared on the system. Couldn't wait any longer so ended up reinstalling the application.
I think if it got to the "CLEAN" step, you are SOL and need to completely reinstall the app unless it has some type of repair function. My first step is to create an override file/path for the drive
 
I have seen my apps that use a folder directly on system root and some "temp" folders get hit 
What is the new UPDATE to the initial post?
Thanks. I eventually figured that out, but oddly enough the files wouldn't actually restore this way either. It let me restore the files but they never appeared on the system. Couldn't wait any longer so ended up reinstalling the application.
@ wrote:
How are you guys restoring the files from quarantine manually?  I don't have that option; it says "SecureAnywhere is currently managed by the Web Console...." when I try to manually restore a file from the quarantine on a system
Go to group policy management, select the device and "apply policy to endpoints"
pick unmanaged
then on the client right click the taskbar icon and refresh the config, click ok on the pop up, then open locally
UPDATE: We've got an update on the initial post in this thread. Wanted to make sure that all of our subscribers got the message. 
I attempted to restore files from quarantine 3 hours ago and they're still not restored. Same with MD5.
We spent an hour on hold and spoke to an agent.  Same answer - follow this process.  The console is getting hammered, thus restore commands are not processing.  There is no local restore option if the agent is cloud managed.
 
The agent suggested uninstalling Webroot and then restoring or reinstalling the affected program.  This was a laughable suggestion to be sure - except we didn't find it very humorous.
 
Seems like we found a major flaw in the underlying program.  If the cloud console is having issues - then nothing can be done on the local agent in case of emergency.  This is definitely something that will need to be reviewed and addressed moving forward.
 
We have found that sometimes you can refresh the agent, reboot the endpoint, and it will get the restore done.
And how do you recommend that we put the clients into an unmanaged policy if the commands from the console are not being processed?
 
Our agent is set to a 15 minute polling time but commands from the console are not being executed for well over 2 hours now.
Glad you got through, all I get is busy signals.
Tell your agents to pick up the phone. 1 hour 11 minutes on hold so far.
 
edit1: 1 hour 1:53 minutes.
 
edit2: 2 hours 19 minutes
I'd like to file a complaint.