Solved

W32.Trojan.Gen. False Positive Fix - April 24




289 replies

Userlevel 7
Badge +48
@ It will not. 
@ When the commands actually start going through, are we going to be able to see the data on which files were removed? At the moment a bunch of the machines have no data....
Hi, is there an ETA on the resolution? When I call into support, we get a message that says the issue has been resolved but is that really the case? Next, if it is, what is the solution to restore all these files?
 
Userlevel 7
Badge +48
For those that reported that agent commands were not working or were very delayed,
that backlog of requests has processed and we are told that it has caught up.
 
For anyone that had failures, please try again.
Userlevel 1
So if setting allow policies on files we know are good that have been trashed in this issue, then forcing the clients to poll for the updated policies, does not subsequently restore those good files from Quarantine, then this is yet another feature that should be available within the console. We should be able to say that caseware.exe or whatever needs to be "un-quarantined" at all sites. Then it should show all endpoints that have this quarantine, and we could even manually check/uncheck if we wanted to, and apply.
Userlevel 7
Badge +48
@ Operations only caught up the agent command queue. Other databases are still processing and catching up. 
Userlevel 7
Badge +48
@ We hear you and are working on this as fast as we can. We will update you as soon as we have more information. 
 
Happy to hear you like our hold music. We don't want to put you to sleep. 
@ Agreed - not even close.
 Gotcha. I just see tabs for PC Security, Mobile Security, and Passwords.
Same here...no agent commands going through.
Userlevel 7
Badge +48
@ Webroot has not been breached. Legitimate malicious files are being identified and blocked as normal.  We continue to work on a comprehensive resolution, but a live fix has been released for the Facebook issue and is propagating through to customers now.
 
Userlevel 7
Badge +48
@ We hear you and are working on it. We will have an update for you as soon as possible. 
Should us MSPs be trying to restore files via the steps posted or hang tight for a better solution?

I would take the minute risk of 1 of the files being quarantined being bad at this rate to have a mass restore on the hundreds that have been flagged.
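The post above weighs the risk of a mass restore of hundreds of flagged files. As an added example (not part of the thread, and not Webroot's tooling), the script below shows one way to shrink that risk before blanket-allowing anything: hash each quarantined file with SHA-256 and compare it against a manifest taken from a trusted copy (a clean backup image or the vendor's installer). Files that match can be restored in bulk; files with the same name but different content, or with no trusted copy at all, are held back for review. The manifest, the file names and the file contents used here are constructed for the demonstration.

```python
"""Check quarantined files against a known-good hash manifest before a mass restore.

Added example for this thread; not Webroot's code and not code from any poster.
It assumes you can obtain SHA-256 hashes of the same executables from a trusted
source (a clean backup image or the vendor's installer); that manifest and the
sample files below are constructed here for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(paths, manifest):
    """Compare each file against the manifest, keyed by file name.

    known_good - hash matches the trusted copy: safe to allow and restore in bulk
    mismatch   - same name, different content: do NOT blanket-allow, inspect first
    unknown    - no trusted copy to compare with: needs manual review
    """
    results = {}
    for path in paths:
        name = os.path.basename(path)
        actual = sha256_file(path)
        if name not in manifest:
            results[name] = "unknown"
        elif actual == manifest[name]:
            results[name] = "known_good"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Build constructed sample files and a manifest, then classify them."""
    with tempfile.TemporaryDirectory() as quarantine:
        # Constructed "trusted" contents standing in for a clean backup copy.
        trusted = {
            "caseware.exe": b"MZ constructed known-good content",
            "scanservice.exe": b"MZ clean scan service",
        }
        manifest = {n: hashlib.sha256(b).hexdigest() for n, b in trusted.items()}

        # Constructed files "from quarantine" (not real binaries).
        samples = {
            "caseware.exe": trusted["caseware.exe"],          # identical to trusted copy
            "scanservice.exe": b"MZ something else entirely",  # differs from trusted copy
            "helper.exe": b"MZ no trusted copy available",     # not in manifest at all
        }
        paths = []
        for name, content in samples.items():
            path = os.path.join(quarantine, name)
            with open(path, "wb") as fh:
                fh.write(content)
            paths.append(path)
        return classify(paths, manifest)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only the "known_good" set goes into the bulk allow/restore list; the other two buckets are exactly the "1 of the files being bad" case the post accepts as a risk, made visible instead of assumed away.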
Userlevel 2
We ended up grabbing the list of clients that were affected and manually going through the steps to whitelist the files and "restore" them from quarantine.
 
We prioritized servers and then did the workstations.
 
Problem being now, that the "restore from quarantine" is still hung on most systems.  Mission critical application executables were recovered from backup.
Userlevel 1
I managed to get one system moved into the unmanaged policy and restore one file from quarantine.
Which is good.
The file was a scan service which ran our LAN management console and won't stay running.
Which is bad.
The rest of the systems which were hit haven't been able to poll so I have no idea how deep this goes.
 
I don't get paid by the hour and this will be the rest of my week.
 
I tried to find a dumpster fire avatar but it wouldn't let me upload one.
GG Webroot.
Our commands are still not going through the GSM. I've sent them again since being informed that they were caught up, but they are still not being processed. We have a 15-minute check-in time, so that isn't the issue.
Userlevel 7
Badge +48
@ We are in the process of creating a complete fix, but in the meantime, small business customers can follow instructions posted at the top of the thread to address the issue. 
 
 
Userlevel 7
Badge +48
We are still diligently working to resolve this issue. More updates to come when we have them. 
We have 2 sites that use Webroot and neither site is updating the clients for restore. I have hundreds of requests in the Command Log to restore files and they are just sitting at Not Yet Received since 5:30pm EST. Pushing a new policy, forcing a refresh configuration and also forcing a refresh via the command line mentioned in the original post does nothing.
Ditto
@
 
Our backlog of agent commands is definitely not caught up. I still have thousands of "reverify" and "restore" commands that are "not yet received" and have been for 5 hours. 
 
When can we expect a fix FROM Webroot?
Userlevel 7
Badge +33
Yes @.
 
I would simply issue a restore command followed by a reverify all files and processes and a scan command. 
Userlevel 1
Have seen 2-3 systems with commands that were pushed around 3pm today starting to Execute.
Still unable to poll and have the policy to unmanaged swap over yet.
 
Userlevel 7
Badge +48
@ Please follow the steps that we provided at the top of the thread, specifically step 2 "Reverify All Files and Processes." That will flush the local cache and reverify and receive the correct determination. 
 
 
6 hours and still no MSP solution. I have police departments who are being affected. When is there going to be an update for MSPs? This is completely unacceptable, and I have customers already looking at litigation for lost time/revenue.
