W32.Trojan.Gen. False Positive Fix - April 24


289 replies

Userlevel 5
Stand by for news about the automated restoration tool. We have been working with some customers overnight to gauge its effectiveness. It's looking good. Drew will post more in a few minutes.
Is there any official update for us MSPs? Removing and reinstalling does not always work. Luckily most of my clients are OK; however, one of our biggest and noisiest lost about 7 hours of business due to not being able to run transactions yesterday. It was a fun day!
Some of the ability is already there like requesting a checkin with the console. They just need to expand on it and maybe add a CMD interface.
Userlevel 1
I actually made that recommendation to the engineer I spoke with yesterday regarding the use of registry flags under the Actions key to attempt to force agents to locally run things like "Reverify all files and processes".
So a lesson that could come out of this is that Webroot needs to add the ability to override the web console locally for instances just like this, where the commands are so backed up or not working at all from the cloud. Many other AV packages have a local admin override where you can log in to the local agent as the admin and make changes locally.
Userlevel 1
I am not able to get commands processed from the console yet. I still have commands from yesterday in a "Not received yet" status.

We are whitelisting, but many of these applications already had some form of exclusion in place (MD5 or folder/file path) and they appear to have been ignored.
Userlevel 2
Thanks for the update, but do you know if the beta utility is working? How long are they going to test it? Any idea of the MSP release time?
For MSP guys:
Has anyone been able to get commands to work via the console yet? If so, what did you do?
Are you whitelisting programs as they get quarantined?
We have gone in and even excluded directories from scans and real-time scanning, and it seems that if the client restarts the computer they get re-quarantined.
Userlevel 7
Badge +48
@ Appreciate it. Thank you. 
I'm still very confused. Everything Webroot is saying is that the problem only occurred for 13 minutes, but it seems the problem is still ongoing.
We deactivated every endpoint yesterday morning. We just reactivated them today, based on the comments from Webroot that the problem was fixed. On the server where we first encountered the problem, though, Webroot tried to quarantine the same files! (It was in silent audit mode, so nothing happened.)
Update: We then uninstalled Webroot from the server, and reinstalled. A subsequent scan did not result in false-positives.
Can someone please provide a detailed technical report of what happened, what has been done so far, and what we should expect to occur in various scenarios?
Userlevel 1
Thanks Drew, I'm watching that post as well. Appreciate the information!
Userlevel 7
Badge +48
@ @ @ Just for your reference. I'll be placing additional communications here for reference. 
@ we had one in-house machine experience that exactly - we were able to resolve by removing/reinstalling the endpoint software. I sincerely hope we don't start seeing the same at customer sites.
Userlevel 7
Badge +48
@ I will PM you and try to troubleshoot with support.
Userlevel 1
The letter is available here:
Userlevel 2
Good Morning
Can we have an update this morning as to how the tool is doing with the beta testers, and if and when this might be a reliable solution or not? Machines we fixed yesterday seem to exhibit the same issues today all over again.
Also, I did not receive the email for MSPs to use for clients. Can we post that here, or please make sure I receive a copy via email.
From what I can tell, clients are still not receiving commands from the cloud console. Is that still locked for a reason, or is there a way to unlock it?
Userlevel 5
Good idea to have a doc users can use to show to their management (vs an MSP doc). We will post such a doc later this morning.
Userlevel 1
Good morning.
I arrived today to find some PCs that had been repaired yesterday exhibiting the same behavior today. Key notes:
  1. We have followed previous recommendations for MSPs.
  2. Files were added to the exclusion list both with MD5 hashes as well as by folder path.
  3. Application files were flagged again but this time with a different infection.
  4. The malware group reported is win32.autoblock.1
  5. I was again able to restore from quarantine as we are now running almost every client as "Unmanaged"
  6. I ran the wsalogs.exe utility to grab full diagnostic logs as well as scan logs from a single workstation before performing the manual repair.
  7. I still see agent commands in the GSM from yesterday as "Not yet received".
  8. I provided an update to my ticket already logged with Webroot Support, as well as sent direct emails to my Channel Account Manager and the Sales Engineer I worked with in beta testing yesterday afternoon.
At this point, I'm unable to tell how widespread the issue is. So far, it's not as broad as what we saw originally but I have multiple clients running the same EHR application that is getting quarantined.
Are there any additional updates or is anyone else out there experiencing the same issue?
@ I would snag a Windows 10 repair disk/USB image and try to repair from boot. What a mess, I'm sorry you have to deal with that.
@ I was doing some beta testing last night and yes, you can run from CMD. It is an executable that does run silently by default so you can push it out via your RMM tool.
I saw the letter MSPs can use, but what about regular small businesses? I would like an official letter too that I can share with executives that are beating down my door.
Userlevel 1
@ @ will this utility be able to run from the command line silently with no user input from the SYSTEM user context? That is what MSPs will require so we can easily script it in our RMM systems like Kaseya and Labtech.
Userlevel 1
@ you might be boned dude. Good luck.
Can anyone offer suggestions for a computer that has been almost completely disabled by these false positives? I cannot boot to safe mode or safe mode with networking to perform any of the GUI-based fixes. sfc /scannow via Windows 10 startup troubleshooting is unsuccessful. I was able to capture the dlb.db file from the broken laptop's hard drive (per tech support's instructions) and load it on an unmanaged Webroot endpoint to view all of the files that were quarantined. The list has got to be 200-300 items long and is 95% registry entries. How can I get this broken laptop working again? Support has suggested various fixes (none of which have worked) but has also stated that these fixes don't apply to the registry files that were incorrectly quarantined. Help!
Userlevel 7
Badge +48
UPDATE: We continue to make progress on a resolution to our false positive issue. 
We created a comprehensive repair utility, and have successfully completed QA. We are currently rolling out the utility to a group of beta customers to ensure it works for our broader customer base. We expect to complete that work soon, and then will make it available incrementally to the entire customer base to ensure a successful deployment.
Stay here for ongoing updates.
Our Support team remains available to those of you who need urgent assistance, and we thank you for working with us through this challenging issue.
Userlevel 7
Badge +48
@ Thank you! I've notified Shawn about this issue and he'll reach out.