Solved

W32.Trojan.Gen. False Positive Fix - April 24


Update April 28, 11:45 a.m. MDT: 
 
UPDATE 4/28/17 11:45 a.m. MDT: We have 0 calls in queue on our phone line, and are working through about 80 tickets related to the False Positive repair utility. A good portion of those are simply awaiting customer verification.
 
Please note, the utility was built to address only this specific false positive issue. It will be deactivated in the future. 
 
If applications are operating normally on your systems, you do not need to implement the utility. 
 
If you haven’t yet submitted a support ticket and you need the repair utility, please do so here. Include your phone number as well with the support ticket.
 
Thank you.
 

Best answer by freydrew 26 April 2017, 18:25

UPDATE: April 26, 2017

 

In addition to the manual fix issued Monday, April 24, we have now issued a standalone repair utility that provides a streamlined fix for business customers. It will release and restore quarantined applications to working order on the impacted endpoints. 

 

For access to the repair utility, customers should open a support ticket, or reply to your existing support ticket related to this issue.  Please include your phone number within the support ticket.

 

Our sincerest thanks to the MSP beta customers who worked with us to test and validate this repair. We appreciate the support of our customers and thank you for your patience.

289 replies

All this time I thought these instructions were for MSPs. Is there another forum just for MSP customers?
@ Is it necessary to create new overrides for files that previously did not have one and that were blocked by today's problem?

If the files worked fine before are we safe to only issue a restore command?
Yes @.
 
I would simply issue a restore command followed by a reverify all files and processes and a scan command. 
Have seen 2-3 systems with commands that were pushed around 3pm today starting to Execute.
Still unable to poll and have the policy to unmanaged swap over yet.
 
@ Please follow the steps that we provided at the top of the thread, specifically step 2 "Reverify All Files and Processes." That will flush the local cache and reverify and receive the correct determination. 
 
 
6 hours and still no MSP solution. I have police departments who are being affected. When is there going to be an update for MSPs? This is completely unacceptable, and I have customers already looking at litigation for lost time/revenue.
Like all the other MSPs I see listed here, you have absolutely crippled us and many of our clients. Backup restores are simply not the right "Solution" or "Workaround"; this needs to be resolved, and MSPs need a solution ASAP. Many critical systems are affected here, and more come each hour as they update.
 
What is the status for a solution for MSPs?!?!
@ The team is working hard on fixing the issue as fast as possible. 
In the meantime 1000s of clients are having issues. Is there an update list for emails that you will send out that MSPs need to sign up on?

This is absolutely crippling, and costing companies a large amount of money in downtime and recovery. I think MSPs need a solution more sooner than later.

Let us know if there is a place to sign up for update emails or active updates, hourly updates, etc.
We were left with no choice, but threw our clients into silent audit, shadow copied back what we could, and Veeamed back the rest
This is a cyber attack, whether intentional or by accident. Can't wait for official fix
I'm curious if any of the Cyber insurance policies help pay for this.
If we could all get an email for MSP's when a real fix is available that would be great...  This is very damaging, and to find out via twitter is disheartening.  In all honesty, as soon as you found out honesty would have been the best thing you can do.  We all make mistakes.  When I make a mistake I admit it!!  That is the fastest way for us all to let OUR customers know that we know what is going on.
I sent hundreds of restore file commands to our agents at 4PM PST. It's now over 6 hours later!! Why are the commands not being executed? The agents have been checking in. I have been forcing them to check in with the "poll" command locally as well. I sent the reverify command and surprise! It hasn't executed either. Any advice Webroot? 
Because the entire thing is broken at this time. I have spent the day trying hard to resolve clients, and still no updates from Webroot besides "It's being worked on". MSPs should have been a priority; they need to make this work. I have already sent messages off to other AV vendors for price quotes on our MSP practice.
Second that, same exact issues here.. I just love working 18 hours on a Monday. 
Hi, what issues exactly have you been experiencing if you don't mind me asking?  The only issue I experienced today was Facebook, but that went away after Webroot stated they fixed it.  Are there more issues?  BSODs?  Windows boot failures?  I've been reviewing this trying to find out if we were affected any further than the Facebook problem.  Thanks
 
Ben 
Still not working... created override and restore from quarantine, still not working as of 11pm PST
Any update from webroot?
Webroot any update on this, I have about 30 minutes before a bunch of pissed off customers start in on my support staff.
Class Action Suit?  This is a case for legal action.
 
We have spent most of the night working on fixing the most important systems in our client environments.  We have over 200 sites, spread across a 100-mile radius.  This event has damaged our Labtech and ScreenConnect server; we had to get this to work first.  Obviously the solution proposed by WR support is not going to work for us: to manually restore and intervene on each workstation?  Without our RMM and remote tool?  After spending a while on the phone with support we were told to simply re-install our LabTech/ScreenConnect server.  Up to now the cost is very high: all our techs stayed most of the night working overtime, some clients are upset and two of them are talking about compensation for the trouble.  One of our clients is a manufacturing plant and they were stopped for many hours; this client's cost per hour is $25,000.  We are not able to use recovery because most of the backup server cores are affected also, some of the servers are not yet up and we look like fools.
 
Our legal advisor is discussing the possibility of a class action against WebRoot to recover part of the cost we all had during this event; we wonder if any of you would like compensation from WR, or to take action against them for the cost incurred.  As far as we are concerned the cost up to now is over $10,000 and there is no way we can recover any of this money, unless WR would be free for a few years, but then even for free would you like to use a product that can damage all your systems within a few minutes?  Following a human error, where only ONE person can decide about what happens to all our systems? 
 
We are a serious shop and follow ITIL guidelines: what standards of the industry does WebRoot follow? 
 
As an MSP we expected faster, better results to resolve this issue. WR was nice and offered support, but not a resolution.  This morning the phones start to ring, and we have nothing to say but we are sorry. 
 
Sorry will not pay back the loss, and definitely will not make our clients' systems work... those interested in a class action suit should post here, so we know if there is interest.
 
@ Count us in. The complete lack of communication has been a disaster that has only compounded the feeling that those of us with hundreds of frustrated clients are being ignored.
 
Just the cost for our own staff to deal with issues stemming from this is going to quickly exceed 5k today. I hate to think about the per client cost... 
@ Keep me posted on this.  This is the 2nd time this year that WebRoot has screwed the pooch.  Also an MSP here, and I'm spending this morning doing multiple songs and dances for my clients to explain to them how we're on top of it and they'll never see Webroot again.
We're still seeing files moved to quarantine as of this morning at 7:34 EDT.
 
WR just shut down Ben and Jerry's deliveries for New England.
 
So much for the problem being resolved yesterday.
@ Still no updates or official word for MSPs?
We called support about the sites showing "expired" or "expiring". The guy on the phone said he can usually push through the change to make the site "protected", but it wasn't responding for him. He "sent the request up the chain" and asked them to go into our site and re-enable all 82 of them that are showing expiring. 
 
That was last night around 9:00PM Central. This morning, they're all still showing expiring. :(
@ wrote:
@ @ @ @ Please contact customer support at 1-866-254-8400 so that they can troubleshoot this further.  
 
Any further updates on this? We have thousands of endpoints running Webroot across hundreds of client sites. This total lack of transparency and communication is appalling.
After spending a good part of my evening and this morning going through servers and vital PCs, many of our endpoints are reporting that the quarantine released the files. This took over 12 hours to complete and we aren't out of the woods just yet. Now comes the part where we face our clients, who are going to have a lot of questions and, rightfully so, anger. I understand that mistakes happen. I don't believe anyone on this forum can say that they haven't had at least 1 big-time mess up. It's just the lack of communication that hurts the most. I'm our primary POC for Webroot and I feel bad for our Account Managers because I was ringing their phones off the hook demanding an answer like so many. At least he was very nice about it and kept me in the loop, but if I hadn't, I feel I would have been left to my own devices. 😕
