W32.Trojan.Gen. False Positive Fix - April 24

Boy there were a lot of failures and weaknesses shown with this event.  Authenticode catalogs not honored, C&C overwhelmed, no notification to users and QC inadeqacies.  I hope webroot takes this wakeup call VERY seriously and makes these shortcomings their top priority.  No more features until this is addressed.

I have had a few client machines where registry settings were quarantined along with files.
 
The web dashboard only showed a few of the files affected, but no registry entries.  Most had a long list of files and registry settings that were flagged and quarantined shown on the local workstation interface.  I had to manually recover all affected files and registry settings using an unmanaged policy.
 
If you had files quarantined and you have remote access or competent end-users, you might also want to check the local quarantine list for any registry settings that might have been flagged.  I know this is late notice, but it might be useful if programs no longer worked, even after quarantine recovery.
 
Hopefully Webroot will take the registry settings quarantines into consideration in their "fix".
 
Good luck!!

Endpoints that were not affected will not be affected. THe files that were mistakenly marked bad have been re-marked good.
Mike

@ can you confirm that any endpoints not currently effected will remain so?

even uninstall command from web console does not work, its been 1 hours since i tried to uninstall, none of the clients are uninstalling,

@and @
 
We're seeing the exact same problem. Since the Web Console is stuck not doing anything, we tried releasing files locally, only to find that Webroot says it is centrally managed and this cannot be done locally.
 
Setting the agent to unmanaged seems to work, but this is not a solution. Why can we not seem to change this anywhere in the global policy?

Dear @,
 
We've found that if you set the affect computers with an Unmanaged policy, and then have the user "Refresh Configuration" (by right-clicking the green W icon) it will pull the policy from the console. Once that takes effect (usually about ten seconds) you can then enter the UI and restore the items from quarantine.
 
FWIW, We still were having detections happening this morning, and have had to shutdown protection completely on various companies in order for them to get their production orders out.

Your steps are probably right, providing things are working as they should.
Of all my client sites, only one was affected severely, but it was (still is) a nightmare.
 
I was sent these instructions severals times last night, and followed them to restore about 435 quarantined .exe files.   I have a manufacturing facility's entire engineering department shut down today, and these steps aren't helping much.  It has worked for some files, but others are still logged as "Not received" inthe logs.
Luckily, I have a great contact onsite, and he is working at manually finding copies of the .exe files and pasting them into place and so on.    A long and tedious process.
 
Webroot was sold to me as a product that could reverse such issues with a few clicks - nice how I wasn't told that they meant a few clicks per affected machine (or that this might not even work)!
 
 

I think I speak for all MSPs on here wanting more communication from Webroot. I am pretty sure you could easily setup a spam list (mailing list) we can all sign up to for critical issue alerts.
 
 If you don't know how to set one of those up I bet I can find a few IT guys on here that can gladly help with this.
 
We know mistakes happen and most of us although are very pissed off still remain loyal because over all its a good product. But the lack of communication is unbelievable!
 
I hope that you are coming with a solution PDQ.

Dear @,
 
I think it's time to put away the "Web Threat Shield Update" link and put up "HOW WE SCREWED UP Update" link instead. Over time, perhaps it could be renamed to "False Positive 4/24 issue update"
 
Sadly, your posting added no value, as there are no actionable comments you made. 
 
I'm not sure if I feel any better that not only did your company fail to alerts the MSPs, it also failed to alert the distributors, so they didn't have a chance to communicate the problem to us.

This is a PR nightmare, the lack of communication is upsurd. My technicians, project managers, and developers have been up all night on this and they still have not slept. We are an MSP and I am the people side of our company, when I recieved the call from our techs yesterday evening they said we are on it and we will send you an email when we know more. I got an email around midnight tell us what had happened. When I started getting calls from directors and owners this morning asking if something had happened we were very transparent with our clients. The situation was company wide but we have the best techs that were able to resolve the issues overnight for most places. We did replace some hardware however $$$$$. We will be filing for compensation for this. From the business side this is unacceptable, this cannot happen I called our owner this morning. We have been very happy uptil now with WR, but this most likely will affect our bottomline and that cannot be remeded with we are sorry. We are going to need more!  

I have never loved working with them. From taking 6 months to solve an issue with terminal servers, to this.