UPDATE 4/28/17 11:45 a.m. MNT: We have 0 calls in queue on our phone line, and are working through about 80 tickets related to the False Positive repair utility. A good portion of those are simply awaiting customer verification.
Please note, the utility was built to address only this specific false positive issue. It will be deactivated in the future.
If applications are operating normally on your systems, you do not need to implement the utility.
If you haven’t yet submitted a support ticket and you need the repair utility, please do so here. Include your phone number as well with the support ticket.
Best answer by freydrew
Has anyone found an effective fix other than wiping the machines? Removing the WRkrn.sys file (which works for a botched Webroot install) does not work in this instance due to the mangled files from this issue.
Any help would be awesome!
Has the fix been deployed yet? It is not clear. What about files still in quarantine? Do we have restore from Quarantine (again)? Since we already did, yesterday, and it clearly does not work.
Will our files automatically be restored?
Please provide us with more details on this fix and how and when we will get it.
Where is our official statement? Where is our comprehensive solution? Are we going to have to deal with the effects of this tomorrow as well?
I've been paying very close attention to this failure and been up most of the night trying to monitor and see if we were affected in any way. We have seemingly dodged a bullet here but that's not to say we are out of the woods by any means. We can't seem to pinpoint how we avoided the failure but only point to the fact that our scan times are set to 11pm-3am every day as opposed to daytime defaults that Webroot uses. I can't say for certain that this helped us avoid the disaster, but we can't find any other reason as to why we got lucky here. Our guess is that because the update went out yesterday morning, and deep scans occurred after that for endpoints, perhaps that's when it flagged .exe's as false positives and quarantined them. And since we didn't scan during that period, and Webroot released the first fix during the afternoon, we missed that window.
Not sure if you guys will find this helpful, but if Webroot is issuing these updates during the day, perhaps think about changing your deep scans for after hours to avoid that window of updating to see if there are any issues and allows Webroot time to fix the problems. (Not that this should have happened in the first place.)
Thanks for that we will try that now. On the third pot this morning but got no sleep last night. Thanks for the insight I am willing to try just about anything at this point...
Can a Webroot Employee or support please let us know an ETA, lie to me I don't care but at least give us some hope of sleep today.
We are still noting that attempts at restoring quarantined files from the cloud are not working. We are using the 'Unmanaged' profile to access local Quarantined files.
When applying the 'Unmanaged' profile, you may use WRSA.exe -poll to immediately enforce the change from the local machine. For our cloud instance, that is working quickly. I suspect that the cloud instances for some of the larger MSPs here are under greater load (at the risk of understating the issue).
If for some reason, you cannot access Quarantined files, sometimes they will be in C:\Quarantine as the restore command you issued sometime earlier this week was unable to restore to the prior location. You MAY have the option to use 'previous versions' of a folder (i.e. Windows Shadow Storage) to pull your files out of the nether.
I thought we were all caught up last night and found that a fair number of customers were affected and not flagged, and that I did not receive email alerting for all endpoints with issues - I would recommend anyone with multiple organizations to run a report showing all detections in the last 24 hours in order to make sure your bases are covered.
I hope everyone has enough coffee to get through the day.
[edited by community moderator] Regardless, all those unanswered questions are quite valid and for webroot to not have an answer after 24hrs is quite disheartening. [edited by community moderator]
Anyways, this issue has created great damage at our clients and your fix (automatic or manual) has still left some applications in an inoperable state (forcing us to either repair or reinstall the software).
As MSPs, we ask Webroot to be more up front and communicate with your partners.
Lastly, Webroot's update about not deleting files from quarantine is quite exasperating. Do you believe having to wait for over 24hrs for a resolution is an acceptable path? We had to do whatever we could to get our clients back in business. [edited by community moderator]
Can you comment on point 2 for me and all of the users/partners that are affected?
Has the fix been pushed out, if not, when will the global fix be pushed out?
I would ask other important questions but at the risk of questions being selectively answered I'll limit it to one at a time.
This has shown a lot of weakness in the platform. We should not have to go into every site and run manual whitelists and restores for things like this.
This, along with globally removing machines that have not checked in, has been a constant request for years now.
Can you please comment when the fix is going out and what partners should be doing in the meantime to remediate their situations. Some of us don't have the ability to refresh configuration if we've hidden the tray icon.
What does that mean? Has the fix not been deployed? Are we waiting for a fix to be deployed? Do we need to deploy a manual fix?
Thanks, this worked, although switching them to Unmanaged is not ideal and releasing from quarantine has to be done on a workstation-by-workstation basis. Hopefully Webroot comes up with a better fix. Luckily for us, we JUST started using Webroot and only deployed it to about 70 endpoints. I feel for those with endpoints in the thousands... But not a good first impression.
Thanks for that reply ATechGuy. That "Unmanaged" trick fixed my hosed admin laptop.
FYI - Quickbooks is one application that has been damaged for a lot of users.