Solved

W32.Trojan.Gen. False Positive Fix - April 24



Show first post

289 replies

What is the new UPDATE to the initial post?
@ wrote:
Thanks. I eventually figured that out, but oddly enough the files wouldn't actually restore this way either. It let me restore the files but they never appeared on the system. Couldn't wait any longer so ended up reinstalling the application.
I think if it got to the "CLEAN" step , you are SOL and need to complely reinstall the app unless it has some type of repair function. My first step is to create an overide file/path for the drive
 
I have seen my apps that use a folder directly on system root and some "temp" folders get hit 
Userlevel 1
This is a major flaw that I cannot restore the files myself...

Looking at my threat logs...it even deleted any files open in the exe or perhaps associated.

For example:
Deleting File> c:program files (x86)goverlan v8goverrmc.exe
Deleting File> C:UsersjpriceAppDataRoamingGoverlanGoverlanV8_DB.db3
Deleting File> C:UsersjpriceAppDataRoamingGoverlanGoverlanV8_DB.db3
Deleting File> C:UsersjpriceAppDataRoamingGoverlanGoverlanV8_DB.db3

Will the restore get those files back as well???
Userlevel 1
The initial post in this forum from Webroot has been updated (new content added/changed).
 
This was just supposed to be a reply to station2646's question... forums that don't properly visually thread are annoying.
Thank you LowellP. I'm guessing the new content included the message that MSP's are still waiting for the Universal solution?
Userlevel 1
Webroot:  When allow policies finally apply to an endpoint, will that restore previously-quarantined items if they're now on an allow/exception policy?
Userlevel 1
If files end up in the c:quarantine folder, it's because the files are in use, or samba is keeping a placeholder file in place and preventing an overwrite. I was able to solve the issue on one server by closing the samba connections to the folder in question and then overwriting the file.
and now facebook.com is showing as a "High Risk Site" , did webroot get hacked?
Silly question coming from an IT-outsider just trying to restore our critical software for a doctor's office. When I log in to webroot console, I have no tab for "Group Management" - any suggestions?
Userlevel 1
CEO just called me. It's over webroot. You goofed for the last time.
Userlevel 2
I'd love to know the answer to question @  posted.
Only a few months ago we had all the virual servers blue screen from a Webroot update and now this....i feel some restitution is in order.  Hundreds of hours of labor has been involved in these 2 incidents alone and i know everyone else is in the same boat.  What other A/V products are others using as MSP's?  I'm ready to move on.....
@ wrote:
Silly question coming from an IT-outsider just trying to restore our critical software for a doctor's office. When I log in to webroot console, I have no tab for "Group Management" - any suggestions?
what do you see? some of us have partner portals that may differ
Userlevel 1
The thing is too, we've been submitting suggestions and recommendations, and complaints, and questions about all sorts of parts of the Webroot management portal, which doesn't seem properly built for MSPs.  Lack of proper filtering in the "Reports" views, inability to do things that you really need to do in a central portal.  And really, over the years none of this has improved.  They're also lacking in license management/integration with major PSAs.  So Windows 10 Anniversary Update goes out... almost every computer now shows up twice.  And now the same thing for Creator's update.  And other random changes on a system, can't figure out what.  And an inability to enable a password-locked override (have to move entirely to Unmanaged profile, which does what else, loses all overrides?  Not sure) policy to be able to manually override something as needed on an endpoint.
 
Oh, and then many computers and some servers, if they shutdown improperly (at least that's the only reason we could figure out) sometimes when starting up they blue screen and won't recover due to a failed/corrupted Webroot system file.  It can't be remotely fixed on workstations unless you have vPro working.  Never saw this get fixed either and we've still seen some recent cases of this.
 
So it's not just this singular mess-up, it's a pile-up of a bunch of things in our eyes that make it a lot less usable than it should be... this just finalized it for us.  And yes, we have to apologize to customers too.  It's time to go elsewhere.
The updated page 1 solution does not work. No policy updates get to the client computers from the webroot servers.
Useless Admins giving kudos to useless OP.

These fixes don't work.
Ok so i got a few of my clients to restore but now the software that im restoring the exe of is shutting down every 1 to 2 min? any recommendations?
Userlevel 7
Badge +48
@ It will not. 
@ When the commands actually start going through, are we going to be able to see the data on which files were removed? At the moment a bunch of the machines have no data....
Hi, is there an ETA on the resolution? When I call into support, we get a message that says the issue has been resolved but is that really the case? Next, if it is, what is the solution to restore all these files?
 
Userlevel 7
Badge +48
For those that reported that agent commands were not working or were very delayed,
that backlog of requests has processed and we are told that it has caught up.
 
For anyone that had failures, please try again.
This entire event is unacceptable and we have already had several long internal conversations about what is obviously a serious flaw in cloud console based antivirus software. The solution to our current dilema "could" be easy to impliment if it wasn't for the fact that every single webroot customer is trying to fix their computers at the same time. Since all customers have no direct or local method of managing their webroot deployment we must rely on the cloud console to do anything and all of our workarounds have been queued up pending deployment all afternoon. 
 
I do feel that I must point out that this problem exists with all cloud managed software and as a result we will be carefully weighing the pros and cons as a result of this. In the mean time everyone needs to realize that Webroot has been a great product with very few problems in contrast to many other platforms. With that said, how they react and manage communications will define our response and the net loss in revenue they experience overall. There is no way any company could manage direct communication during a disaster that affects 100% of their customers but this forum thread appears to still be the only direct communication and it is very lacking and the updates are too infrequent. 
 
This Facebook blocking symptom that only started shortly ago has yet to be acknowledged and if it does turn out that there has been a security breach at Webroot and PR has taken control of official responses we will be departing immediately trust with customers is a requirement with any vendor in security related markets. 
 
Webroot Staff: Please make communcations a priority, even if you don't have something new to share as we are all pressing refresh on this forum over and over while listening to your hold music........ Thankfully its pleasant.
Userlevel 1
So if setting allow policies on files we know are good that have been trashed in this issue, then forcing the clients to poll for the updated policies, does not then subsequently restore those good files from Quarantine this is yet another feature that should be available within the console.  We should be able to say that caseware.exe or whatever needs to be "un-quarantined" at all sites. Then it should show all endpoints that have this quarantine and we could even manually check/uncheck if we wanted to, and apply.
Userlevel 7
Badge +48
@ Operations only caught up the agent command queue. Other databases are still processing and catching up. 
Userlevel 7
Badge +48
@ We hear you and are working on this as fast as we can. We will update you as soon as we have more information. 
 
Happy to hear you like our hold music. We don't want to put you to sleep. 

Reply