Solved

W32.Trojan.Gen. False Positive Fix - April 24


289 replies

We are not able to restore quarantined files now from the agent on the desktop. It's reporting back as controlled by the Webroot Console. But with the Webroot system queue being overwhelmed, it's not restoring from the Console. We can't find in the policy where to enable client use of Quarantine. But even if we change that, the policy will take forever to propagate out, or never. Can you help?
Userlevel 1
Dear @,
 
We've found that if you set the affected computers with an Unmanaged policy, and then have the user "Refresh Configuration" (by right-clicking the green W icon), it will pull the policy from the console. Once that takes effect (usually about ten seconds) you can then enter the UI and restore the items from quarantine.
 
FWIW, we were still having detections happening this morning, and have had to shut down protection completely on various companies in order for them to get their production orders out.
Userlevel 5
Hello again
We have identified an automated approach to removing files from quarantine. But it will take time to reach all endpoints. A more detailed statement is being emailed to GSM Admins within the next few minutes. It will also be posted here. In the meantime you should continue with your own remediation steps (which can be found on Webroot support or at the top of this thread). I will jump back on here shortly.
Mike Malloy
@ and @
 
We're seeing the exact same problem. Since the Web Console is stuck not doing anything, we tried releasing files locally, only to find that Webroot says it is centrally managed and this cannot be done locally.
 
Setting the agent to unmanaged seems to work, but this is not a solution. Why can we not seem to change this anywhere in the global policy?
@ Evidently you don't read all the comments that point out the steps here don't help much when the console shows that the endpoints seem to be sitting with the 'Not Received' message. Doesn't seem like much of a help to give instructions that are taking so many hours to undo this issue.
Even the uninstall command from the web console does not work; it's been 1 hour since I tried to uninstall, and none of the clients are uninstalling.
Page 1 solution still does not work.
 
 
@ Can you confirm that any endpoints not currently affected will remain so?
After following the instructions on the screen for one server, 2 hours later, the files got restored. So there is still a backlog with agent commands now.
Userlevel 5
Endpoints that were not affected will not be affected. The files that were mistakenly marked bad have been re-marked good.
Mike
Userlevel 2
Badge +7
Will Webroot be running the automated fix for quarantine themselves, or will we need to initiate it?
I have had a few client machines where registry settings were quarantined along with files.
 
The web dashboard only showed a few of the files affected, but no registry entries. Most had a long list of files and registry settings that were flagged and quarantined shown on the local workstation interface. I had to manually recover all affected files and registry settings using an unmanaged policy.
 
If you had files quarantined and you have remote access or competent end-users, you might also want to check the local quarantine list for any registry settings that might have been flagged. I know this is late notice, but it might be useful if programs no longer work, even after quarantine recovery.
 
Hopefully Webroot will take the registry settings quarantines into consideration in their "fix".
 
Good luck!!
Userlevel 5
Webroot will run the automated agent command approach. But as I said, it will take time to reach all endpoints. If you have critical business apps that need immediate attention, then using a local approach will be best. To the extent you can, ensure your endpoints are online so commands can be received.
More news shortly. I am working multiple threads so I may not respond instantly.
Mike
 
Boy, there were a lot of failures and weaknesses shown with this event. Authenticode catalogs not honored, C&C overwhelmed, no notification to users and QC inadequacies. I hope Webroot takes this wakeup call VERY seriously and makes these shortcomings their top priority. No more features until this is addressed.
Userlevel 1
https://arstechnica.com/security/2017/04/av-provider-webroot-melts-down-as-update-nukes-hundreds-of-legit-files/
Userlevel 2
@ I had the same thing on some machines. I also had to go to the GUI on the local machine and restore the files and registry settings.
 
@ will the global restore you're doing also be able to restore the registry items? We're talking about hundreds of different applications, we can't easily re-install them.
 
FYI - Quickbooks is one application that has been damaged for a lot of users.
 
Thanks!
 
 
@ wrote:
Dear @,
 
We've found that if you set the affected computers with an Unmanaged policy, and then have the user "Refresh Configuration" (by right-clicking the green W icon), it will pull the policy from the console. Once that takes effect (usually about ten seconds) you can then enter the UI and restore the items from quarantine.
 
FWIW, we were still having detections happening this morning, and have had to shut down protection completely on various companies in order for them to get their production orders out.

Thanks for that reply, ATechGuy. That "Unmanaged" trick fixed my hosed admin laptop.
@ wrote:
Dear @,
 
We've found that if you set the affected computers with an Unmanaged policy, and then have the user "Refresh Configuration" (by right-clicking the green W icon), it will pull the policy from the console. Once that takes effect (usually about ten seconds) you can then enter the UI and restore the items from quarantine.
 
FWIW, we were still having detections happening this morning, and have had to shut down protection completely on various companies in order for them to get their production orders out.
 
Thanks, this worked, although switching them to Unmanaged is not ideal and releasing from quarantine has to be done on a workstation-by-workstation basis. Hopefully Webroot comes up with a better fix. Luckily for us, we JUST started using Webroot and only deployed it to about 70 endpoints. I feel for those with endpoints in the thousands... But not a good first impression.
Unfortunately the agent commands do not work anymore, or are taking forever; the "Unmanaged" group and policy helps, at least for the moment, to perform any manual actions!
Userlevel 7
Badge +35
Please see the most recent update here. We are closing that post to comments so that those who subscribe to it will only receive notifications when an official update is posted. Please continue the discussion in this forum. Thank you!
Userlevel 1
Well, since we cannot reply to the most recent update...
 
"We have rolled back the false positives. Once the fix is deployed, the agent should pick up the re-determinations and perform as normal."
 
What does that mean? Has the fix not been deployed? Are we waiting for a fix to be deployed? Do we need to deploy a manual fix?
Userlevel 2
When is "this fix" to be applied? AND are we sure this is not going to break something else? Are there settings we should have set to make sure we get the fix?
 
 
Userlevel 2
I find it frustrating that you put out a new thread, but don't allow anyone to reply, when there are still issues that partners are facing. This feels like you are trying to silence people and point people to a new thread stating everything is OK.
  
Can you please comment on when the fix is going out and what partners should be doing in the meantime to remediate their situations? Some of us don't have the ability to refresh configuration if we've hidden the tray icon.
  
 
Userlevel 2
Badge +7
Once this is over, you guys have to find a better way for MSPs to do things globally.
 
This has shown a lot of weakness in the platform. We should not have to go into every site and run manual whitelists and restores for things like this.
 
This, along with globally removing machines that have not checked in, has been a constant request for years now.
Userlevel 2
I would agree. Even if it's an MSP private forum or an email list or whatever, this has cost companies lots of money.