W32.Trojan.Gen. False Positive Fix - April 24

I was lucky as well. Out of 150+ computers on 2 sites, it only effected 6 computers and 1 server. It could have been much much worse. I feel the pain for the guys/gals that have 100's of computers that they have to fix. All my restore requests were processed sometime overnight and this morning, things seem to be ok. 
 
You put your trust in a cloud based solution and sometimes, it can cripple you. It really amazes me that this happened at all. Might as well be some form of ransomware that takes over your data and locks you out.

@ - The largest problem here is that it took 12 hours to get a response from someone other than a forum moderator.  We still have not seen any communication from our Customer Engagement teams or any management.

 

Hopefully not misleading by my comments, we are not having any new endpoint issues that we are aware of.  Unfortunately the hardest hit areas of our company were our Engineering and Sales Order areas which pretty much have those departments shut down.  The previous instructions for remediation of the problem did not work.  We were able to remove Webroot from a few machines, reinstall the client software and they are working to at least get some things done, but not a good feeling of having machines unprotected.
 
We are hoping the resolution in the previous message is coming quickly and does work.

@ Thanks for your reply, however, I need to know what "a little while" means. My day is about to continue from yesterday's nightmare. Since we can't restore for quarantine, we are having to go through each computer and reinstall software.
 
Two questions: 
1. Is the issue resolved?
2. ETA till we get more details on the process of moving files out of quarantine?

@ You really need to be posting these updates on the top thread, not 130 pages deep.  You guys have utterly failed at customer communication during this. 

Hi everyone,
Our team (Webroot development) has been working thru the night on a safe process for moving affected files out of quarantine. We needed to insure it would not create further issues. We will provide a more detailed message with current status in a little while. This will be followed by a report that will be something you can use in your discussions with your users and/ or clients. I speak for Webroot when I say we are very sorry for the aggravation this has caused you. Once things are settled down a bit, I would be happy to speak with each of you. We can set that up with your rep. More info in a bit.
Mike Malloy
EVP Products

Hey @
 
The rule, upon discovery has been removed and they are working on a more permanent fix to repair some of the damage.
 
So yes, it's safe to put the agent onto the systems.
 
I also got away pretty lucky with only about 9 systems affected out of over 5000+ endpoints I manage. 
 
John

We are also an MSP and between all of the clients that this has affected it has cost 10's of thousands of dollars in downtime.  Yet again, the anti-virus becomes the virus.  Everyone that uses Webroot, or any other AV is putting an unbelieveable amount of faith in your company to keep their company safe from not only viruses, but from instances like this.
 
We love Webroot, and this should go without saying, but please beef up your testing environment and your testing processes to ensure that this doesn't happen again.

Any further updates on this? We have thousands of endpoints running Webroot across hundreds of client sites. This total lack of transparency and communication is appalling.

@ Still no updates or official word for MSPs?

@Keep me posted on this.  This is the 2nd time this year that WebRoot has screwed the pooch.  Also an MSP here, and I'm spending this morning doing multiple songs and dances for my clients to explain to them how we're on top of it and they'll never see webroot again.

Class Action Suit?  This is a case for legal action.
 
We have spent most of the night working on fixing the most important systems in our client environments.  We have over 200 sites, spread across 100 miles radius.  This event has damaged our Labtech and ScreenConnect server, we had to get this to work first.  Obviously the solution proposed by WR support is not going to work for us: to manually restore and intervene on each workstation?  Without our RMM and remote tool?  After spending a while on the phone with support we were told to simply re-install our LabTech/ScreenConnect server.  Up to now the cost is very high, all our techs stayed most of the night working overtime, some clients are upset and two of them are talking about compensation for the trouble.  One of our clients is a manufacturing plant and they were stopped for many hours, this client cost per hour is 25,000$  We are not able to use recovery because most of the backup server cores are affected also, some of the servers are not yet up and we look like fools.
 
Our legal advisor is discussing the possibility to do a class action against WebRoot to recover part of the cost we all had during this event, we wonder if any of you would like compensation from WR, or to take action against them for the cost incured.  As far as we are concerned the cost up to now is over 10,000$ and there is no way we can recover any of this money, unless WR would be free for a few years, but then even for free would you like to use a product that can damage all your systems within a few minutes?  Following a human error, where only ONE person can decide about what happens to all our systems? 
 
We are a serious shop and follow ITIL guidelines: what standards of the industry does WebRoot follow? 
 
As MSP we expected faster, better results to resolve this issue, WR was nice and offered support, but not a resolution.  This morning the phones start to ring, and we have nothing to say but we are sorry. 
 
Sorry will not pay back the loss, and definitely not make our clients systems work... those interested in a class action suit should post here, so we know if there is interest.
 

Still not working... created override and restore from quarantine still not working as of 11pm PST
Any update from webroot?