Solved

W32.Trojan.Gen. False Positive Fix - April 24




Userlevel 7
Badge +35
UPDATE APRIL 25, 2017:  We have a final beta version of the false positive repair utility ready for immediate evaluation. We need five additional customers to participate in our test. If you would like to participate, please call our support team at one of the following numbers:
 
 
Business support phone numbers

US Support (toll free)
1-866-254-8400

Australia Support (toll free)
1 800 848 307

Australia Support (direct line)
+61 (0) 8071 1903

Ireland Support (toll free)
1 800 902 213

UK Support (toll free)
+44 (0) 808 101 7260
Userlevel 1
@ @ Will this utility be able to run from the command line silently, with no user input, from the SYSTEM user context? That is what MSPs will require so we can easily script it in our RMM systems like Kaseya and Labtech.
@ I was doing some beta testing last night and yes, you can run from CMD. It is an executable that does run silently by default so you can push it out via your RMM tool.
Userlevel 1
The letter is available here:

http://images.saas.webroot.com/Web/Webroot/%7B70bbf60f-4ea4-40d7-a427-38593a613e93%7D_WebrootIncidentResponseLetter.pdf
Userlevel 7
Badge +48
@ @ @ Just for your reference. I'll be placing additional communications here for reference. 
Userlevel 5
Hi 
Stand by for news about the automated restoration tool. We have been working with some customers overnight to gauge its effectiveness. It's looking good. Drew will post more in a few minutes.
Mike
Userlevel 2
Ticket created 85277
Userlevel 6
Badge +24
@ wrote:
Some of the ability is already there like requesting a checkin with the console. They just need to expand on it and maybe add a CMD interface.
I agree.  If Webroot had a documented commandline set of switches and options, it would make life much easier for MSPs; we could issue scripted commands immediately to machines.
Userlevel 7
Badge +35
@ we will get a letter for our SMBs shortly and post a link to it here.
Userlevel 5
Hi. When you get the tool from support, plan to push it out to your endpoints and it will execute automatically. It will restore files from this incident to their original locations. So you should plan to use a script or your RMM tool to push it to endpoints.
Mike
This is not a fix, we can only hope that it didn't do too much damage.
What do you do if you manually added an override for specific policies?  How do you undo that?
@ Would it be OK if we run it on all machines, though? We aren't certain which are affected or not, so it would be a hassle to sort through thousands to figure out which are affected if we could just run it everywhere without any issues.
Userlevel 1
Is there a full explanation as to what this "Fix" does?

It moves the quarantined files back into their proper folders, what about systems which we've manually restored quarantined files already but the agent is unresponsive to the cloud?

What else does this fix do?
Userlevel 5
I hear you. There is not a problem deploying across both affected and unaffected machines.
Mike
Userlevel 1
Not working here...can't get any files to restore. I need a drink.
Userlevel 5
Yes you can deploy the tool using the Download and Run a File agent command from the WSA console or by using any other deployment method that you may use.
Mike
Please post an actual fix. This is useless as the scans don't show the MD5 of the quarantined files.
Userlevel 5
Hi. No, we don't want to hang on the phone with your team while you use it. They want to understand (quickly) if the person requesting the tool is confident in his ability to just run with it. You know some people ask for tools like this who don't actually know what they're doing. So you will be given access to download it very quickly once you connect with support.
Mike
Userlevel 2
MSP Update:
 
So far I am seeing good success with this utility. I have only run into 3 workstations so far that are not working.
 
I am still not getting console commands to run at this time... hoping that gets resolved as well?
Userlevel 1
Even small businesses need a better solution....doing this over and over is very time consuming.
Userlevel 5
Please contact support. They can address your issues with you. 
Mike
I get the following error when trying to restore a file via MD5... 
 

Userlevel 7
Badge +48
The rule that caused this issue was live for 13 minutes before it was caught by our in-built safeguards. The result has been to mark files as trojans (false positives). The rule was removed and we are in the process of rolling back all of the false positives that reside in the Webroot Threat Intelligence platform. Once this is achieved, the agent should pick up the re-determinations. Because the rule has stopped, no other endpoints should be affected by this issue.
 
As you can imagine, we are all working hard at finding the best resolution for this issue. 
Userlevel 7
Badge +48
UPDATE 4/27/17 9:21 a.m. MNT: We have 0 calls in queue on our phone line, and are working through about 100 tickets related to the False Positive repair utility. A good portion of those are simply awaiting customer verification.
 
If you haven’t yet submitted a support ticket and you need the repair utility, please do so here. Include your phone number as well with the support ticket.
 
Our sincerest thanks to the MSP beta customers who worked with us to further test and validate this repair. We truly appreciate the support of our customers and thank you for your patience.
 