W32.Trojan.Gen. False Positive Fix - April 24

I have never loved working with them. From taking 6 months to solve an issue with terminal servers, to this.
We had to uninstall webroot from 4 more servers this morning because whitelists were being ignored and preventing some .exe's from running. NOT FIXED.
I've worked with several. Overall I have had less problems with webroot than others and fewer infections. But this... this is a crippling flaw and has gone unaddressed, it seems, for almost a year after being discovered.
Your steps are probably right, providing things are working as they should.
Of all my client sites, only one was affected severely, but it was (still is) a nightmare.
 
I was sent these instructions several times last night, and followed them to restore about 435 quarantined .exe files. I have a manufacturing facility's entire engineering department shut down today, and these steps aren't helping much. It has worked for some files, but others are still logged as "Not received" in the logs.
Luckily, I have a great contact onsite, and he is working at manually finding copies of the .exe files and pasting them into place and so on. A long and tedious process.
 
Webroot was sold to me as a product that could reverse such issues with a few clicks - nice how I wasn't told that they meant a few clicks per affected machine (or that this might not even work)!
 
 
We are not able to restore Quarantined files now from the Agent on the desktop. It's reporting back as controlled by the Webroot Console. But with the Webroot system queue being overwhelmed it's not restoring from the Console. We can't find in the policy to enable client use of Quarantine. But even if we change that, the policy will take forever to propagate out, or never. Can you help?
Hello again
We have identified an automated approach to removing files from quarantine. But it will take time to reach all endpoints. A more detailed statement is being emailed to GSM Admins within the next few minutes. It will also be posted here. In the meantime you should continue with your own remediation steps (which can be found on Webroot support or at the top of this thread.) I will jump back on here shortly.
Mike Malloy
@and @
 
We're seeing the exact same problem. Since the Web Console is stuck not doing anything, we tried releasing files locally, only to find that Webroot says it is centrally managed and this cannot be done locally.
 
Setting the agent to unmanaged seems to work, but this is not a solution. Why can we not seem to change this anywhere in the global policy?
@ evidently you don't read all the comments that point out the steps here don't help much when the console shows that the endpoints seem to be sitting with the 'Not Received' message. Doesn't seem like much of a help to give instructions that are taking so many hours to undo this issue.
Even the uninstall command from the web console does not work; it's been 1 hour since I tried to uninstall, and none of the clients are uninstalling.
Page 1 solution still does not work.
 
 
@ can you confirm that any endpoints not currently affected will remain so?
After following the instructions on the screen for one server, 2 hours later, the files got restored. So there is still a backlog with agent commands now.
Will webroot be running the automated fix for quarantine themselves, or will we need to initiate it?
I have had a few client machines where registry settings were quarantined along with files.
 
The web dashboard only showed a few of the files affected, but no registry entries. Most had a long list of files and registry settings that were flagged and quarantined shown on the local workstation interface. I had to manually recover all affected files and registry settings using an unmanaged policy.
 
If you had files quarantined and you have remote access or competent end-users, you might also want to check the local quarantine list for any registry settings that might have been flagged. I know this is late notice, but it might be useful if programs no longer worked, even after quarantine recovery.
 
Hopefully Webroot will take the registry settings quarantines into consideration in their "fix".
 
Good luck!!
Boy there were a lot of failures and weaknesses shown with this event. Authenticode catalogs not honored, C&C overwhelmed, no notification to users and QC inadequacies. I hope Webroot takes this wakeup call VERY seriously and makes these shortcomings their top priority. No more features until this is addressed.
https://arstechnica.com/security/2017/04/av-provider-webroot-melts-down-as-update-nukes-hundreds-of-legit-files/
@ I had the same thing on some machines. I also had to go to the GUI on the local machine and restore the files and registry settings.
 
@ will the global restore you're doing also be able to restore the registry items? We're talking about hundreds of different applications, we can't easily re-install them.
 
FYI - Quickbooks is one application that has been damaged for a lot of users.
 
Thanks!
 
 
@ wrote:
Dear @,
 
We've found that if you set the affected computers with an Unmanaged policy, and then have the user "Refresh Configuration" (by right-clicking the green W icon) it will pull the policy from the console. Once that takes effect (usually about ten seconds) you can then enter the UI and restore the items from quarantine.
 
FWIW, we still were having detections happening this morning, and have had to shut down protection completely on various companies in order for them to get their production orders out.
 
Thanks, this worked, although switching them to Unmanaged is not ideal and releasing from quarantine has to be done on a workstation-by-workstation basis. Hopefully Webroot comes up with a better fix. Luckily for us, we JUST started using Webroot and only deployed it to about 70 endpoints. I feel for those with endpoints in the thousands... But not a good first impression.
Unfortunately the agent commands do not work anymore, or are taking forever; the "Unmanaged" group and policy helps at least for the moment to perform any manual actions!
Please see the most recent update here. We are closing that post to comments so that those who subscribe to it will only receive notifications when an official update is posted. Please continue the discussion in this forum. Thank you!
When is "this fix" to be applied? AND are we sure this is not going to break something else? Are there settings we should have set to make sure we get the fix?
 
 
I would agree. Even if it's an MSP private forum or an email list or whatever, this has cost companies lots of money.
Apologies for the frustration @ - we do want to continue the discussion here, we just want to have a place where only official updates can be posted for those who do not want to see all comments. Please continue posting your comments/questions here as our team is continuing to monitor this thread. Thanks!
@ - please know that all hands are on deck with this issue and they are working through responses to your questions. I do not have the answers to your other questions yet but they will be addressed as soon as possible.
@
 
 [edited by community moderator] Regardless, all those unanswered questions are quite valid and for webroot to not have an answer after 24hrs is quite disheartening.  [edited by community moderator]
Anyways, this issue has created great damage at our clients, and your fix (automatic or manual) has still left some applications in an inoperable state (forcing us to either repair or reinstall the software).
As MSPs, we ask Webroot to be more up front and communicate with your partners.
 
Lastly, Webroot's update about not deleting files from quarantine is quite exasperating. Do you believe having to wait for over 24hrs for a resolution is an acceptable path? We had to do whatever we could to get our clients back in business. [edited by community moderator]
 