W32.Trojan.Gen. False Positive Fix - April 24

289 replies

@ the team is working hard on fixing the issue as fast as possible. 
In the meantime thousands of clients are having issues. Is there an update list for emails that you will send out that MSPs need to sign up for?

This is absolutely crippling, and costing companies a large amount of money in downtime and recovery. I think MSPs need a solution sooner rather than later.

Let us know if there is a place to sign up for update emails or active updates, hourly updates, etc.
We were left with no choice, but we threw our clients into silent audit, shadow copied back what we could, and Veeamed back the rest.
This is a cyber attack, whether intentional or by accident. Can't wait for official fix
I'm curious if any of the Cyber insurance policies help pay for this.
Because the entire thing is broken at this time. I have spent the day trying hard to resolve clients, and still no updates from Webroot besides "It's being worked on". MSPs should have been a priority; they need to make this work. I have already sent messages off to other AV vendors for price quotes on our MSP practice.
Second that, same exact issues here.. I just love working 18 hours on a Monday. 
Hi, what issues exactly have you been experiencing if you don't mind me asking?  The only issue I experienced today was Facebook, but that went away after Webroot stated they fixed it.  Are there more issues?  BSODs?  Windows boot failures?  I've been reviewing this trying to find if we were affected any further than the Facebook problem.  Thanks
@ Count us in. The complete lack of communication has been a disaster that has only compounded the feeling that those of us with hundreds of frustrated clients are being ignored.
Just the cost for our own staff to deal with issues stemming from this is going to quickly exceed 5k today. I hate to think about the per-client cost... 
@Keep me posted on this.  This is the 2nd time this year that WebRoot has screwed the pooch.  Also an MSP here, and I'm spending this morning doing multiple songs and dances for my clients to explain to them how we're on top of it and they'll never see webroot again.
We're still seeing files moved to quarantine as of this morning at 7:34 EDT.
WR just shut down Ben and Jerry's deliveries for New England.
So much for the problem being resolved yesterday.
@ Still no updates or official word for MSPs?
We called support about the sites showing "expired" or "expiring". The guy on the phone said he can usually push through the change to make the site "protected", but it wasn't responding for him. He "sent the request up the chain" and asked them to go into our site and re-enable all 82 of them that are showing expiring. 
That was last night around 9:00PM Central. This morning, they're all still showing expiring. :(
@ wrote:
@ @ @ @ Please contact customer support at 1-866-254-8400 so that they can troubleshoot this further.  
Any further updates on this? We have thousands of endpoints running Webroot across hundreds of client sites. This total lack of transparency and communication is appalling.
After spending a good part of my evening and this morning going through servers and vital PCs, many of our endpoints are reporting that the quarantine released the files. This took over 12 hours to complete and we aren't out of the woods just yet. Now comes the part where we face our clients, who are going to have a lot of questions and, rightfully so, anger. I understand that mistakes happen. I don't believe anyone on this forum can say that they haven't had at least one big-time mess up. It's just the lack of communication that hurts the most. I'm our primary POC for Webroot and I feel bad for our Account Managers because I was ringing their phones off the hook demanding an answer like so many. At least he was very nice about it and kept me in the loop, but if I hadn't, I feel I would have been left to my own devices. 😕
We are also an MSP, and between all of the clients that this has affected it has cost tens of thousands of dollars in downtime.  Yet again, the anti-virus becomes the virus.  Everyone that uses Webroot, or any other AV, is putting an unbelievable amount of faith in your company to keep their company safe from not only viruses, but from instances like this.
We love Webroot, and this should go without saying, but please beef up your testing environment and your testing processes to ensure that this doesn't happen again.
Well, it seems we were luckier than most MSPs: We had two servers and two workstations that were mildly affected before we uninstalled Webroot from every endpoint we manage.
We don't know what to do now, though. Is it safe to reinstall? Is the problem going to resurface, or has it been fully resolved?
Hey @
The rule, upon discovery, has been removed, and they are working on a more permanent fix to repair some of the damage.
So yes, it's safe to put the agent onto the systems.
I also got away pretty lucky with only about 9 systems affected out of the 5000+ endpoints I manage. 
Easy to see how a product that can protect well can just as easily shut us down.  Still fighting endpoints removing our main business software as well as our CAD design software.  Definitely making a small IT department very unpopular for decisions that were made as a protection.
@, are you saying the problem is not fixed? I'm confused.
@ You really need to be posting these updates on the top thread, not 130 pages deep.  You guys have utterly failed at customer communication during this. 
@ Thanks for your reply, however, I need to know what "a little while" means. My day is about to continue from yesterday's nightmare. Since we can't restore from quarantine, we are having to go through each computer and reinstall software.
Two questions: 
1. Is the issue resolved?
2. ETA till we get more details on the process of moving files out of quarantine?
How can we tell if our customer files have been restored?
Hopefully not misleading by my comments, we are not having any new endpoint issues that we are aware of.  Unfortunately the hardest hit areas of our company were our Engineering and Sales Order areas which pretty much have those departments shut down.  The previous instructions for remediation of the problem did not work.  We were able to remove Webroot from a few machines, reinstall the client software and they are working to at least get some things done, but not a good feeling of having machines unprotected.
We are hoping the resolution in the previous message is coming quickly and does work.
We are a small MSP.  Once we heard of this issue we created a policy called "WR Screwup" that disabled realtime protection etc. and forced all endpoints to refresh configuration.  Now it's 9:06 EST, no issues to report; reset policies back to normal, forced a refresh configuration, and re-scanned all endpoints with NO issues.
I don't know if we got lucky or what, but out of 100+ endpoints 1 was affected.  False positives on line-of-business software they've been using for years.  I created an exception for the files, un-quarantined the files from the GSM console, had the client "refresh configuration", and it's back to running like normal.
We are watching our WR-managed systems like a hawk.
I was lucky as well. Out of 150+ computers on 2 sites, it only affected 6 computers and 1 server. It could have been much, much worse. I feel the pain for the guys/gals that have 100's of computers that they have to fix. All my restore requests were processed sometime overnight and this morning, things seem to be ok. 
You put your trust in a cloud based solution and sometimes, it can cripple you. It really amazes me that this happened at all. Might as well be some form of ransomware that takes over your data and locks you out.