Solved

W32.Trojan.Gen. False Positive Fix - April 24


Userlevel 7
Badge +48
Update April 28, 11:45 a.m. MDT: 
 
Please click here to see the most recent update.
 
 
UPDATE 4/28/17 11:45 a.m. MNT: We have 0 calls in queue on our phone line, and are working through about 80 tickets related to the False Positive repair utility. A good portion of those are simply awaiting customer verification.
 
Please note, the utility was built to address only this specific false positive issue. It will be deactivated in the future. 
 
If applications are operating normally on your systems, you do not need to implement the utility. 
 
If you haven’t yet submitted a support ticket and you need the repair utility, please do so here. Include your phone number as well with the support ticket.
 
Thank you.
 
icon

Best answer by freydrew 26 April 2017, 18:25

View original

289 replies

Userlevel 2
Good Morning
 
Can we have an update this morning as to how the tool is doing with the beta testers? If and When this might be a reliable solution or not.  Machines we fixed yesterday seem to exhibit same issues today all over again.
 
Also I did not recieve the email for MSP's to use for clients. can we post that here or please make sure I recieve a copy via email.
 
From what I can tell clients are still not recieving commands from cloud console is that still locked for a reason or is there a way to unlock that?
 
Thanks
Userlevel 1
The letter is available here:

http://images.saas.webroot.com/Web/Webroot/%7B70bbf60f-4ea4-40d7-a427-38593a613e93%7D_WebrootIncidentResponseLetter.pdf
Userlevel 7
Badge +48
@ I will PM you and try to troublehsoot with support. 
@ we had one in-house machine experience that exactly - we were able to resolve by removing/reinstalling the endpoint software. I sincerely hope we don't start seeing the same at customer sites.
Userlevel 7
Badge +48
@ @ @ Just for your reference. I'll be placing additional communications here for reference. 
Userlevel 1
Thanks Drew, I'm watching that post as well. Appreciate the information!
Userlevel 1
I'm still very confused. Everything Webroot is saying is that the problem only occurred for 13 minutes, but it seems the problem is still ongoing.
 
We deactivated every endpoint yesterday morning. We just reactivated them today, based on the comments from Webroot that the problem was fixed. On the server where we first encountered the problem though, Webroot tried to quarantine the same files! (It was in silent auidt mode, so nothing happened.)
 
Update: We then uninstalled Webroot from the server, and reinstalled. A subsequent scan did not result in false-positives.
 
Can someone please provide a detailed technical report of what happend, what has been done so far, and what we should expect to occur in various scenarios?
Userlevel 7
Badge +48
@ Appreciate it. Thank you. 
Userlevel 2
@
 
Thanks for the update, but do you know if the beta utility is working? How long are they going to test it? any idea of MSP release time?
 
For MSP guys:
 
Has anyone been able to get commands to work via console yet? If so what did you do? 
Are you white listing programs as they get Quarintined?
We have went in and even excluded directories from scans and realtime scanning and seems if client restarts computer they get re-quarantined.
 
TIA
Userlevel 1
I am not able to get commands processed from the console yet. I still have commands from yesterday in a "Not received yet" status.

We are whitelisting, but may of these applications already had some form of exclusion in place (MD5 or folder/file path) but they appear to have been ignored.
    So a lesson that could come out of this is that Webroot needs to add the abilty to override the web console locally for instances just like this where the commands are so backed up, or not working at all frorm the cloud. Many other AV packages have a local Admin override whereas you can login to the local agent as the admin and make changes locally. 
Userlevel 1
I actually made that recommendation to the engineer I spoke with yesterday regarding the use of registry flags under the Actions key to attempt to force agents to local run things like Reverify all files and processes.
Some of the ability is already there like requesting a checkin with the console. They just need to expand on it and maybe add a CMD interface.
Is there any official update for us MSP's?  Removing and reinstaling does not  always work.  Luckily most of my clients are ok, however one of our biggest and noisiest lost about 7 hours of business due to not being able to run transactions yesterday.  It was a fun day! 
Userlevel 5
Hi 
Stand by for news about the automated restoration tool. We have been working with some customers overnight to gauge its effectiveness. Its looking good. Drew will post more in a few minutes.
Mike
Userlevel 2
Will you post here or on other thread or both?

Thanks for the updates! Still having command issues from Console, We have also found that if machine is left on and programs open they don't get RE-Quarantined.

However as soon as a restart comes through it rescans and re-quarantines
Userlevel 7
Badge +48
UPDATE: April 26, 2017
 
In addition to the manual fix issued Monday, April 24, we have now issued a standalone repair utility that provides a streamlined fix for business customers. It will release and restore quarantined applications to working order on the impacted endpoints. 
 
For access to the repair utility, customers should open a support ticket, or reply to your existing support ticket related to this issue.  Please include your phone number within the support ticket.
 
Our sincerest thanks to the MSP beta customers who worked with us to test and validate this repair. We appreciate the support of our customers and thank you for your patience.
Userlevel 2
Ticket created 85277
Userlevel 5
Badge +24
@ wrote:
Can anyone offer suggestions for a computer that has been almost completely disabled by these false positives? I cannot boot to safe mode or safe mode with networking to performing any of the gui-based fixes. sfc /scannow via windows 10 startup troubleshooting is unsuccessful. I was able to capture the dlb.db file from the broken laptop's hard drive (per tech support's instructions) and load it on an unmanaged webroot endpoint to view all of the files that were quarantined. The list has got to be 200-300 items long and is 95% registry entries. How can I get this broken laptop working again? Support has suggested various fixes (none of which have worked) but has also stated that these fixes don't apply to the registry files that were incorrectly quarantined. Help!
Have you tried booting from recovery media or into Recovery mode and using System Restore to go back to an earlier time?
 
That's about the only option I can think of that you have.
Userlevel 5
Badge +24
@ wrote:
Some of the ability is already there like requesting a checkin with the console. They just need to expand on it and maybe add a CMD interface.
I agree.  If Webroot had a documented commandline set of switches and options, it would make life much easier for MSPs; we could issue scripted commands immediately to machines.
Userlevel 2
I would third that, many of us MSP's use a management and monitoring program and could easily use scripts to better service our clients.
Userlevel 2
Are you serious webroot? As if we didn't wait for hours monday trying to get in on your support phone line and getting a ticket submitted via the completely non funcitonal GSM portal before finally giving up. Now that you finally have a fix you make us come and grovel for it?
 
I'm sure you will have some excuse like you need to track the number of people that need it or something, just put a **bleep** download counter on it and post it publicly. The world already knows about your screw-up, being shady about it now is not helping your case to keep your existing clients, and that is what I'm sure this is really about is making sure that we contact you so that you can send us to the retention department because you know about every MSP out there is scrambling to test other options right now.
 
Want to mitigate the customer loss? Own your screw up, don't minimize it with this "13 minutes" BS that you are trying to spread as if that makes it better, it's been an ongoing issue for us and our clients for days now.
 
Tell us what you are going to do to be better in the future. This is at least the 3rd major screw up from webroot in the past year, and some of them like the terminal server issues are still ongoing but webroot lost interest in fixing them. No updates have been released for the agents in the past 6 months, oh except that one that broke everything and had to be rereleased with rolled back code.
 
We want to know what the heck is going on at webroot and be convinced why we shouldn't change vendors, because we are losing clients because of you, and no I don't want to call you and ask for the privilege of lip service, it needs to be public and it needs to include an actual apology from the people in charge and a plan for turning the ship around.
Any update on an official letter for businesses that can be shared with executives?  
 
Thanks!
Userlevel 2
@
 
I believe you can use this one
http://images.saas.webroot.com/Web/Webroot/%7B70bbf60f-4ea4-40d7-a427-38593a613e93%7D_WebrootIncidentResponseLetter.pdf
 
Userlevel 1
@ A letter was posted here:

http://images.saas.webroot.com/Web/Webroot/%7B70bbf60f-4ea4-40d7-a427-38593a613e93%7D_WebrootIncidentResponseLetter.pdf

Reply