Solved

W32.Trojan.Gen. False Positive Fix - April 24




289 replies

I requested the "fix" through the already-open ticket.  The response can be summarized by "We would like to schedule an appointment to call you, during which a member of the Webroot Advanced Malware Removal Team will provide remote assistance on the affected computer."  It appears that Webroot wants me to be on the phone with their support engineers for several days deploying this to all of our machines.
I can't get all the md5's. How come I can simply restore from the endpoint machine via the quarantine? Any way to grant permission for that at least?
Is anyone else having issues with files upwards of 20GB being created from this, filling up hard drive space?
I've added the override exceptions for the MD5's that got flagged.  It appears that no other endpoints are getting these alerts for these MD5s, cool.
 
Then I attempted to restore the files for the individual endpoints that ran into issues but that has not worked.  Does this typically take a while to restore or am I perhaps doing something incorrectly?  It has been about an hour since I restored.
 
Thank you for your hard work getting this back to normal.
The md5 I'm trying to restore is invalid. We have a TON of alerts popping up. We've suspended real-time protection. Is there a way to restore these all at once?
We need a real fix for this ASAP. I have damaged programs all over the place, at least one of which will require a complete re-install to re-register it. 
Hello. I ran the tool on one of the infected machines, it disabled my Webroot. How do we know when the fix is done? After 10 minutes I enabled Webroot again and it ran a scan and the file that was falsely identified was once again found as a threat, I allowed it ... but I feel like I'm still not back to normal. I even had support (and myself), whitelist that file and folder in my console. 
 
I have around 350 endpoints, it took out 3 security cameras and quoting software, and then some facebook pages. This has caused a lot of headaches and I've only had a few issues. Can't imagine if it would have taken out servers and all my workstations. I'm still not feeling very confident with Webroot now, and to make matters worse my Account Rep never replies to my e-mails. 
@ One possible reason why you're experiencing this would be if the system were low on drive space when the issue happened. I'd recommend talking with support and submitting a ticket so that they can further assist you. https://www.webroot.com/us/en/about/contact-us 
 
Thanks!
@, I spoke with our support team and asked our SEs to reach out to you. Can you please let us know if your case was resolved?
FYI for everyone: A reboot may be required to get the restored files to work properly after they have been restored.  We've been whitelisting as many things as possible, but the list is LONG! 
Thanks freydrew.

However what about restoring files when the listed MD5 method is not working?
I can confirm that it is still happening. Shut down another distributor client of mine. The server is set to ALL DISABLED, but it's possible a workstation did the damage. However, all of them are supposed to be set to "all disabled" as well.
When sending the "restore from quarantine" command, the command log is listing "Not yet received", even though we have refreshed the Webroot configuration multiple times.
I too have had no luck with restores. Even if I refresh the Webroot agent itself. I think I've seen a couple 0KB files show up in place of the ones that were deleted. Maybe the system is just taking a long time to process. 
@ Glad to hear things seem to be calming down for you guys! I know it's been a difficult week and am very appreciative of the help I received from Shane, Brandon, Greg, and the other guys I've corresponded with over phone or email.
 
Still have a few concerns today. I still see agents with commands "Not yet received" in the console going back to 4/24 and 4/25. Any idea when this will clear up or be addressed?
 
I also have 26 of the 138 sites I have in GSM showing that "Need attention", though I'm sure that the majority of that number do not need attention any longer. I'm sure one or two of those may be legitimate but certainly not all.
 
Is this behavior expected at this point or do I need to get back on the line with your Support Team?
 
Thanks,
Jared
Hey, @.
 
These are currently unknown issues from the false positives, so it'd be a good idea for you to reach out to our Support Team directly.
 
Business Technical Support: Call 1-866-254-8400
Open a Support Ticket
I really wish we had more control at the endpoint to manage via passcode or what not. The cloud is great and all until something like this happens. If we had full control locally as well this could be resolved very quickly.
Manual restores are not processing. Is there an ETA for the fix being pushed on your end?
Now the quarantines in the cloud console are empty so I have to restore everything manually. Webroot is now on its way out of all my client machines. Last **bleep**ing straw.
OK, the fixes are not working or not restoring the files quickly enough. Are there any other solutions? Can someone please send the instructions on how to find the MD5 file or how to get it into the restore?
I came across this thread while doing some due diligence before I recommend adopting Webroot as the preferred security product for the MSP that I am Service Delivery Manager of. 
 
You will understand I'm interested to hear more about the improvements made in quality control and incident response to avoid the headaches that other MSPs have discussed in this thread. 
 
Can anyone direct me to a summary of changes implemented in the wake of lessons learned from this incident? 
 
Thanks. 
I work for an MSP. This is greatly hurting all of my users. I've run the reverification but it's reporting as not yet received. Is there a way that I can throw all of these endpoints to a new policy where I can just release the items from the quarantine besides doing it through the console? I can switch the policies without issue but I can't get any of the commands to work. 
Hi @, and welcome to our Community!
 
 
The actions we have taken include:
  • We immediately repaired and strengthened our safeguards related to the false positive on the day it occurred.  In the days and weeks following, we introduced a number of new safeguards – both technical and procedural – to reduce our exposure to similar incidents.
  • We scaled up our infrastructure to ensure our console performs well and supports the high volume of agent commands that are likely during any service issue.
  • We’ve improved our communication around product capabilities, updates and issues.  This includes the introduction of a series of certification programs to scale our information sharing on best practices, as it became clear that customers who had greater familiarity with the best practices in using our products were able to resolve issues in their environments and return to normal operations faster.  (link to partner certification: https://www.webroot.com/us/en/about/press-room/releases/webroot-launches-certification-program)
  • Finally, we are increasing the frequency of early communication across all our channels—email, social media, support, and community—so that when issues arise, the likely impact and status of remediation are shared out as quickly as possible.  
 
If there are specific questions we can answer for you, we would happily jump on a phone call with you.
Is there a solution to manually restore the files locally and how do you do that?
So far, we have found that uninstalling Webroot, then restoring the files from the backup solution and then re-adding Webroot works; they don't seem to have been re-quarantined.
 
Haven't gotten a release from quarantine or restore file via MD5 to work at all.
 
I sure hope the Webroot general restore from quarantine back to clients fixes the multiple other clients we are seeing.
