W32.Trojan.Gen. False Positive Fix - April 24


289 replies

We are an MSP and this is causing us serious issues.  We have files that appear to be deleted, not quarantined as a result of this issue.  GSM does not show our missing files as quarantined and logs show nothing either.  I think it's quite a coincidence that files mysteriously are deleted. 

We are facing having to restore to previous day and lose entire day's work for multiple clients.  Anyone else seeing a better way to address this problem on a global scale to recover/restore files.
This is costing us lots of time and resources to deal with.  Could use some positive fixes.
UPDATE 4/27/17 2:46 p.m. MNT: We have 0 calls in queue on our phone line, and are working through about 130 tickets related to the False Positive repair utility. A good portion of those are simply awaiting customer verification.
If you haven’t yet submitted a support ticket and you need the repair utility, please do so here. Include your phone number as well with the support ticket.
Our sincerest thanks to the MSP beta customers who worked with us to further test and validate this repair. We truly appreciate the support of our customers and thank you for your patience.
For those that have not seen this email yet from Mike Malloy, Executive VP Product & Strategy, I wanted to share this with you. We sent this out earlier today.

We want to remind you that we have created a repair utility to address a false positive issue that arose on Monday.  
On April 24 at 11:52 am MT, some good applications were mistakenly categorized by Webroot as malware. This created false positives across the affected systems and resulted in those applications being quarantined and unable to function. 
Our repair utility will release and restore quarantined applications to working order on the affected endpoints.  
To obtain the repair utility, please open a support ticket, or reply to your existing support ticket related to this issue. Please include your phone number in the ticket.  
We appreciate the support of our customers and partners, and thank you for your patience.
Yours sincerely,
Mike Malloy
Executive VP of Product & Strategy
UPDATE 4/28/17 11:44 a.m. MNT: We have 0 calls in queue on our phone line, and are working through about 80 tickets related to the False Positive repair utility. A good portion of those are simply awaiting customer verification.
Please note, the utility was built to address only this specific false positive issue. It will be deactivated in the future. 
If applications are operating normally on your systems, you do not need to implement the utility. 
If you haven’t yet submitted a support ticket and you need the repair utility, please do so here. Include your phone number as well with the support ticket.
Thank you.
How are you guys restoring the files from quarantine manually?  I don't have that option it says that it's "SecureAnywhere is currently managed by the Web Console...." when I try manually restore a file from the quarantine on a system
@ There is no real documented command-line interface for Webroot, unfortunately.
Tell your agents to pick up the phone. 1 hour 11 minutes on hold so far.
edit1: 1 hour 1:53 minutes.
edit2: 2 hours 19 minutes
And how do you recommend that we put the clients into an unmanaged policy if the commands from the console are not being processed?
Our agent is set to a 15 minute polling time but commands from the console are not being executed for well over 2 hours now.
This entire event is unacceptable and we have already had several long internal conversations about what is obviously a serious flaw in cloud console based antivirus software. The solution to our current dilemma "could" be easy to implement if it wasn't for the fact that every single Webroot customer is trying to fix their computers at the same time. Since all customers have no direct or local method of managing their Webroot deployment we must rely on the cloud console to do anything, and all of our workarounds have been queued up pending deployment all afternoon. 
I do feel that I must point out that this problem exists with all cloud managed software and as a result we will be carefully weighing the pros and cons. In the meantime everyone needs to realize that Webroot has been a great product with very few problems in contrast to many other platforms. With that said, how they react and manage communications will define our response and the net loss in revenue they experience overall. There is no way any company could manage direct communication during a disaster that affects 100% of their customers, but this forum thread appears to still be the only direct communication and it is very lacking and the updates are too infrequent. 
This Facebook blocking symptom that only started a short while ago has yet to be acknowledged, and if it does turn out that there has been a security breach at Webroot and PR has taken control of official responses, we will be departing immediately. Trust with customers is a requirement with any vendor in security related markets. 
Webroot Staff: Please make communications a priority, even if you don't have something new to share, as we are all pressing refresh on this forum over and over while listening to your hold music........ Thankfully it's pleasant.
Sadly enough the music you play on hold is the same that McAfee Support plays on hold.
And the really sad thing is that I had to know that...:-(
I can report that agent commands are most definitely not "caught up".
Still waiting on ANY news for us MSPs with hundreds of systems we would need to restore files on.
I would also like to second that communication to resellers should have been a top priority, and the fact that I haven't seen an official word on this yet is giving me flashbacks to the last major issue that took DAYS to confirm.
Sounds like Webroot uses the same PR department as United Airlines....
Why don't you just let the resellers and MSPs handle the bad press and instead, just TELL us when something has gone terribly wrong. I can't speak for everyone, but my clients and my company REALLY like Webroot. It's a great product. And we're the first line of contact when something goes wrong. We just don't like being the LAST to know.
So, make up for the lack of communications by sending us an email tonight, with ALL the details of what happened (Yes, that means CONFESSING TO THE PROBLEM!) and then tell us that you've written that global script and any of the falsely identified programs that were quarantined have now been restored to their original locations.
I agree with ATechGuy. I look forward to an e-mail from my MSP Account Manager informing me of the issues and how Webroot plans on resolving this in the future. I like Webroot's product a great deal but I dislike having my clients angry and furious at me for something I had no control over. Also, I would like to know how Webroot is willing to address this in the future for their MSPs. I was in the blind for much of what was going on. I understand the stress of everything coming on at once, but I would have appreciated an e-mail from someone at Webroot so I could pass the information along to my clients. I dislike having to stalk social media sites when I feel it should be the responsibility of Webroot to notify me of an issue. If I hadn't rung my POC's phone off the hook, I imagine that I would have been left blind. :(
I still have several client computers that aren't fixed. I spent the greater part of my evening trying to at least prioritize workstations and decide which to fix manually. As an MSP, I have so many endpoints that it's not feasible to remote into all of them to resolve the issue. I look forward to how Webroot plans on resolving this issue for us MSPs.
I am seeing expired sites as well after suspending and then enabling.
@ @ @ @ Please contact customer support at 1-866-254-8400 so that they can troubleshoot this further.  
All this time I thought these instructions were for MSPs. Is there another forum just for MSP customers?
@ is it necessary to create new overrides for files that previously did not have one that were blocked by today's problem?

If the files worked fine before are we safe to only issue a restore command?
If we could all get an email for MSPs when a real fix is available that would be great...  This is very damaging, and to find out via Twitter is disheartening.  In all honesty, as soon as you found out, honesty would have been the best thing you could do.  We all make mistakes.  When I make a mistake I admit it!!  That is the fastest way for us all to let OUR customers know that we know what is going on.
I sent hundreds of restore file commands to our agents at 4PM PST. It's now over 6 hours later!! Why are the commands not being executed? The agents have been checking in. I have been forcing them to check in with the "poll" command locally as well. I sent the reverify command and surprise! It hasn't executed either. Any advice Webroot? 
Still not working... created override and restore from quarantine still not working as of 11pm PST
Any update from webroot?
Webroot any update on this, I have about 30 minutes before a bunch of pissed off customers start in on my support staff.
Hi, we will go through all the progress the team made overnight and assess whether all files have been cleared. If your files have been restored from quarantine then you're set. See if the apps perform as intended. If so you're done. More news in a bit.
Dear @,
I think it's time to put away the "Web Threat Shield Update" link and put up "HOW WE SCREWED UP Update" link instead. Over time, perhaps it could be renamed to "False Positive 4/24 issue update"
Sadly, your posting added no value, as there are no actionable comments you made. 
I'm not sure if I feel any better that not only did your company fail to alert the MSPs, it also failed to alert the distributors, so they didn't have a chance to communicate the problem to us.
I have to assume that Webroot has a MAJOR Q/C problem.  If after 13 min an update like this can cause the kind of damage it has across my 5600 seats it COULD NOT HAVE BEEN properly Q/Ced.   Webroot, please, before you release another update on your "partners", release it on your internal systems.  Also your communication has been horrible.