Solved

W32.Trojan.Gen. False Positive Fix - April 24




289 replies

Had one this morning but it was a machine we were in the process of deploying Webroot on and removing AVG CloudCare. AVG had not been removed yet so we manually removed AVG and then all was fine. File causing the BSOD error was netio.sys.
I'd really like to know if anyone has any idea on machines bluescreening after they get to the login screen in Windows 7/10 after this. Just bootlooping over and over. 
 
Has anyone found an effective fix other than wiping the machines? Removing the WRkrn.sys file (which works for a botched Webroot install) does not work in this instance due to the mangled files from this issue.
 
Any help would be awesome!
Userlevel 1
Any word on a mass-scale fix? This is painful.
Userlevel 7
Badge +48
UPDATE: We've got an update on the initial post in this thread. This update includes further messaging around addressing the issue manually. We are conducting a thorough technical review to ensure we have a complete understanding of the root cause. I wanted to make sure that all of our subscribers got the message. Please continue the discussion in this forum. Thanks.
"We have rolled back the false positives. Once the fix is deployed, the agent should pick up the re-determinations and perform as normal."
 
Has the fix been deployed yet? It is not clear. What about files still in quarantine? Do we have to restore from Quarantine (again)? Since we already did, yesterday, and it clearly does not work.
 
Will our files automatically be restored?
 
Please provide us with more details on this fix and how and when we will get it.
 
Thanks
 
@ I almost appreciate the "all hands on deck" statement BUT in as much as this is making the national news, affecting business for so many companies, detrimentally affecting client relationships with MSPs all over, not to mention the huge financial impact to both clients and MSPs, I would have expected Webroot to be much more transparent and responsive. As it is the response from Webroot appears to me to be extraordinarily apathetic.

Where is our official statement? Where is our comprehensive solution? Are we going to have to deal with the effects of this tomorrow as well?
 
Regards,
Mark G
All,
 
I've been paying very close attention to this failure and been up most of the night trying to monitor and see if we were affected in any way. We have seemingly dodged a bullet here but that's not to say we are out of the woods by any means. We can't seem to pinpoint how we avoided the failure but only point to the fact that our scan times are set to 11pm-3am every day as opposed to the daytime defaults that Webroot uses. I can't say for certain that this helped us avoid the disaster, but we can't find any other reason as to why we got lucky here. Our guess is that because the update went out yesterday morning, and deep scans occurred after that for endpoints, perhaps that's when it flagged .exe's as false positives and quarantined them. And since we didn't scan during that period, and Webroot released the first fix during the afternoon, we missed that window.
 
Not sure if you guys will find this helpful, but if Webroot is issuing these updates during the day, perhaps think about changing your deep scans to after hours to avoid that window of updating, to see if there are any issues and allow Webroot time to fix the problems. (Not that this should have happened in the first place.)
Userlevel 7
Badge +35
@ we are fully focused on resolving this issue and do not want to spend time defending false rumors. Please continue posting your questions, but kindly refrain from adding rumors and false information. Your post has been edited to remove the offending comments. You may also review the Community Guidelines here.
Userlevel 2
@
 
Thanks for that we will try that now. On the third pot this morning but got no sleep last night.  Thanks for the insight I am willing to try just about anything at this point...
 
Can a Webroot Employee or support please let us know an ETA, lie to me I don't care but at least give us some hope of sleep today.
 
Is it possible to restore the latest working state: applications, files, system images; and fallback to the most previous working Webroot version?
A few notes for people who are working to resolve the issue on a local level.
 
We are still noting that attempts at restoring quarantined files from the cloud are not working.  We are using the 'Unmanaged' profile to access local Quarantined files.
 
When applying the 'Unmanaged' profile, you may use WRSA.exe -poll to immediately enforce the change from the local machine. For our cloud instance, that is working quickly. I suspect that the cloud instances for some of the larger MSPs here are under greater load (at the risk of understating the issue).
 
If for some reason you cannot access Quarantined files, sometimes they will be in C:\Quarantine, as the restore command you issued sometime earlier this week was unable to restore to the prior location. You MAY have the option to use 'previous versions' of a folder (i.e. Windows Shadow Storage) to pull your files out of the nether.
 
I thought we were all caught up last night and found that a fair number of customers were affected and not flagged, and that I did not receive email alerting for all endpoints with issues. I would recommend anyone with multiple organizations run a report showing all detections in the last 24 hours in order to make sure your bases are covered.
 
I hope everyone has enough coffee to get through the day.
 
 
@
 
[edited by community moderator] Regardless, all those unanswered questions are quite valid and for Webroot to not have an answer after 24hrs is quite disheartening. [edited by community moderator]
Anyway, this issue has created great damage at our clients and your fix (automatic or manual) has still left some applications in an inoperable state (forcing us to either repair or reinstall the software).
As MSPs, we ask Webroot to be more up front and communicate with your partners.
 
Lastly, Webroot's update about not deleting files from quarantine is quite exasperating. Do you believe having to wait for over 24hrs for a resolution is an acceptable path? We had to do whatever we could to get our clients back in business. [edited by community moderator]
 
Userlevel 7
Badge +35
@ - please know that all hands are on deck with this issue and they are working through responses to your questions. I do not have the answers to your other questions yet but they will be addressed as soon as possible.
Userlevel 2
Thank you for responding to point 1.
 
Can you comment on point 2 for me and all of the users/partners that are affected?
 
Has the fix been pushed out? If not, when will the global fix be pushed out?
 
I would ask other important questions but at the risk of questions being selectively answered I'll limit it to one at a time.
Userlevel 7
Badge +35
Apologies for the frustration @ - we do want to continue the discussion here, we just want to have a place where only official updates can be posted for those who do not want to see all comments. Please continue posting your comments/questions here as our team is continuing to monitor this thread. Thanks!
Userlevel 2
I would agree. Even if it's an MSP private forum or an email list or whatever, this has cost companies lots of money.
Userlevel 2
Badge +7
Once this is over you guys have to find a better way for MSPs to do things globally.
 
This has shown a lot of weakness in the platform. We should not have to go into every site and run manual whitelists and restores for things like this. 
 
This, along with globally removing machines that have not checked in, has been a constant request for years now.
Userlevel 2
I find it frustrating that you put out a new thread, but don't allow anyone to reply, when there are still issues that partners are facing. This feels like you are trying to silence people and point people to a new thread stating everything is OK.
  
Can you please comment on when the fix is going out and what partners should be doing in the meantime to remediate their situations. Some of us don't have the ability to refresh configuration if we've hidden the tray icon.
  
 
Userlevel 2
When is "this fix" to be applied? AND are we sure this is not going to break something else? Are there settings we should have set to make sure we get the fix?
 
 
Well, since we cannot reply to the most recent update . . .
 
"We have rolled back the false positives. Once the fix is deployed, the agent should pick up the re-determinations and perform as normal."
 
What does that mean? Has the fix not been deployed? Are we waiting for a fix to be deployed? Do we need to deploy a manual fix?
Userlevel 7
Badge +35
Please see the most recent update here. We are closing that post to comments so that those who subscribe to it will only receive notifications when an official update is posted. Please continue the discussion in this forum. Thank you!
Unfortunately the agent commands do not work anymore, or are taking forever; the "Unmanaged" group and policy helps, at least for the moment, to perform any manual actions!
@ wrote:
Dear @,
 
We've found that if you set the affected computers with an Unmanaged policy, and then have the user "Refresh Configuration" (by right-clicking the green W icon) it will pull the policy from the console. Once that takes effect (usually about ten seconds) you can then enter the UI and restore the items from quarantine.
 
FWIW, we still were having detections happening this morning, and have had to shut down protection completely on various companies in order for them to get their production orders out.
 
Thanks, this worked, although switching them to Unmanaged is not ideal and releasing from quarantine has to be done on a workstation-by-workstation basis. Hopefully Webroot comes up with a better fix. Luckily for us, we JUST started using Webroot and only deployed it to about 70 endpoints. I feel for those with endpoints in the thousands... But not a good first impression.
@ wrote:
Dear @,
 
We've found that if you set the affected computers with an Unmanaged policy, and then have the user "Refresh Configuration" (by right-clicking the green W icon) it will pull the policy from the console. Once that takes effect (usually about ten seconds) you can then enter the UI and restore the items from quarantine.
 
FWIW, we still were having detections happening this morning, and have had to shut down protection completely on various companies in order for them to get their production orders out.

Thanks for that reply ATechGuy. That "Unmanaged" trick fixed my hosed admin laptop.
Userlevel 2
@ I had the same thing on some machines. I also had to go to the GUI on the local machine and restore the files and registry settings.
 
@ will the global restore you're doing also be able to restore the registry items? We're talking about hundreds of different applications, we can't easily re-install them.
 
FYI - QuickBooks is one application that has been damaged for a lot of users.
 
Thanks!
 
 