W32.Trojan.Gen. False Positive Fix - April 24

Show first post

289 replies

Userlevel 2
Good Morning
Can we have an update this morning as to how the tool is doing with the beta testers? If and When this might be a reliable solution or not.  Machines we fixed yesterday seem to exhibit same issues today all over again.
Also I did not recieve the email for MSP's to use for clients. can we post that here or please make sure I recieve a copy via email.
From what I can tell clients are still not recieving commands from cloud console is that still locked for a reason or is there a way to unlock that?
Userlevel 7
Badge +48
@ I will PM you and try to troublehsoot with support. 
@ we had one in-house machine experience that exactly - we were able to resolve by removing/reinstalling the endpoint software. I sincerely hope we don't start seeing the same at customer sites.
I'm still very confused. Everything Webroot is saying is that the problem only occurred for 13 minutes, but it seems the problem is still ongoing.
We deactivated every endpoint yesterday morning. We just reactivated them today, based on the comments from Webroot that the problem was fixed. On the server where we first encountered the problem though, Webroot tried to quarantine the same files! (It was in silent auidt mode, so nothing happened.)
Update: We then uninstalled Webroot from the server, and reinstalled. A subsequent scan did not result in false-positives.
Can someone please provide a detailed technical report of what happend, what has been done so far, and what we should expect to occur in various scenarios?
Userlevel 7
Badge +48
@ Appreciate it. Thank you. 
Userlevel 2
Thanks for the update, but do you know if the beta utility is working? How long are they going to test it? any idea of MSP release time?
For MSP guys:
Has anyone been able to get commands to work via console yet? If so what did you do? 
Are you white listing programs as they get Quarintined?
We have went in and even excluded directories from scans and realtime scanning and seems if client restarts computer they get re-quarantined.
Userlevel 1
I actually made that recommendation to the engineer I spoke with yesterday regarding the use of registry flags under the Actions key to attempt to force agents to local run things like Reverify all files and processes.
Is there any official update for us MSP's?  Removing and reinstaling does not  always work.  Luckily most of my clients are ok, however one of our biggest and noisiest lost about 7 hours of business due to not being able to run transactions yesterday.  It was a fun day! 
Userlevel 2
Will you post here or on other thread or both?

Thanks for the updates! Still having command issues from Console, We have also found that if machine is left on and programs open they don't get RE-Quarantined.

However as soon as a restart comes through it rescans and re-quarantines
Userlevel 5
Badge +24
@ wrote:
Can anyone offer suggestions for a computer that has been almost completely disabled by these false positives? I cannot boot to safe mode or safe mode with networking to performing any of the gui-based fixes. sfc /scannow via windows 10 startup troubleshooting is unsuccessful. I was able to capture the dlb.db file from the broken laptop's hard drive (per tech support's instructions) and load it on an unmanaged webroot endpoint to view all of the files that were quarantined. The list has got to be 200-300 items long and is 95% registry entries. How can I get this broken laptop working again? Support has suggested various fixes (none of which have worked) but has also stated that these fixes don't apply to the registry files that were incorrectly quarantined. Help!
Have you tried booting from recovery media or into Recovery mode and using System Restore to go back to an earlier time?
That's about the only option I can think of that you have.
Userlevel 2
I would third that, many of us MSP's use a management and monitoring program and could easily use scripts to better service our clients.
Any update on an official letter for businesses that can be shared with executives?  
Userlevel 2
I believe you can use this one
Userlevel 1
@ A letter was posted here:
That is the one focused for MSPs... I'm not a MSP.