Solved

W32.Trojan.Gen. False Positive Fix - April 24


Userlevel 7
Badge +48
  • Community and Advocacy Manager
  • 1663 replies
Update April 28, 11:45 a.m. MDT: 
 
Please click here to see the most recent update.
 
 
UPDATE 4/28/17 11:45 a.m. MNT: We have 0 calls in queue on our phone line, and are working through about 80 tickets related to the False Positive repair utility. A good portion of those are simply awaiting customer verification.
 
Please note, the utility was built to address only this specific false positive issue. It will be deactivated in the future. 
 
If applications are operating normally on your systems, you do not need to implement the utility. 
 
If you haven’t yet submitted a support ticket and you need the repair utility, please do so here. Include your phone number as well with the support ticket.
 
Thank you.
 
Best answer by freydrew 26 April 2017, 18:25

UPDATE: April 26, 2017

 

In addition to the manual fix issued Monday, April 24, we have now issued a standalone repair utility that provides a streamlined fix for business customers. It will release and restore quarantined applications to working order on the impacted endpoints. 

 

For access to the repair utility, customers should open a support ticket, or reply to your existing support ticket related to this issue.  Please include your phone number within the support ticket.

 

Our sincerest thanks to the MSP beta customers who worked with us to test and validate this repair. We appreciate the support of our customers and thank you for your patience.
289 replies

That is the one focused for MSPs... I'm not an MSP.
Userlevel 7
Badge +35
@ we will get a letter for our SMBs shortly and post a link to it here.
Userlevel 2
@
 
Do we know how long it will take them to respond to support tickets for the utility?
Userlevel 7
Badge +48
It is not our intention to be deceptive. We want to work with customers still being affected by this issue on an individual level to make sure that the issue is completely resolved.
 
If those customers and partners can notify us via a support ticket, that is the fastest way for us to identify and assist them. We are happy to submit a ticket on your behalf if that would be helpful. 
Userlevel 2
@
 
Can you tell us as MSPs officially what is the plan for this utility? Do we need to run it on every client? Or just infected clients? What about clients we seem to have fixed and stabilized?
 
Just trying to make a plan of attack for our team. Thanks for any input you can give. Also how long before support ticket gets answered?
 
Appreciate all that you guys are doing.
Userlevel 7
Badge +48
@ Just talked with support and we're seeing an average response time of one hour. 
Userlevel 2
But I am over an hour already... Can you respond on other questions? I also posted those to the ticket as well. Just wanting some clarification.
Userlevel 5
Hi, when you get the tool from support, plan to push it out to your endpoints and it will execute automatically. It will restore files from this incident to their original locations. So you should plan to use a script or your RMM tool to push it to endpoints.
Mike
Userlevel 2
@
 
All endpoints or just the affected ones? We lucked out on some clients and have not had the issue, others we have manually fixed and some still struggling.
 
Thanks
Userlevel 5
Just the affected ones will benefit from the tool because it's specifically designed to move the affected files back into the right folders.
Mike
@ Would it be OK if we run it on all machines though? We aren't certain which are affected or not, so it would be a hassle to sort through thousands to figure out which are affected if we could just run it everywhere without any issues.
Userlevel 1
Is there a full explanation as to what this "Fix" does?

It moves the quarantined files back into their proper folders, what about systems which we've manually restored quarantined files already but the agent is unresponsive to the cloud?

What else does this fix do?
Userlevel 5
I hear you. There is not a problem deploying across both affected and unaffected machines.
Mike
@
 
If this tool is an .exe file and hosted at a url, wouldn't it be easy enough to actually use the webroot console to "download and run a file" from the 'Agent Commands option - Advanced' in the endpoints list rather than using a separate interface? Seems like Webroot employees would recommend that over using a script or RMM tool to push it to endpoints. One to one contact in the interface that is affected would be much easier for the person fixing the problem.

I have used the "Download and run a file" with great success with shared google drive files (with direct download link conversion). However, it doesn't work if you select a full page of hosts and check the 'send to all pages' option. It also doesn't work with an .msi file. I use msi2exe to convert the file.
Userlevel 5
Yes you can deploy the tool using the Download and Run a File agent command from the WSA console or by using any other deployment method that you may use.
Mike
I requested the "fix" through the already-open ticket.  The response can be summarized by "We would like to schedule an appointment to call you, during which a member of the Webroot Advanced Malware Removal Team will provide remote assistance on the affected computer."  It appears that Webroot wants me to be on the phone with their support engineers for several days deploying this to all of our machines.
Userlevel 5
Hi, no, we don't want to hang on the phone with your team while you use it. They want to understand (quickly) if the person requesting the tool is confident in his ability to just run with it. You know some people ask for tools like this who don't actually know what they're doing. So you will be given access to download it very quickly once you connect with support.
Mike
Is anyone else having issues with files upwards of 20GB being created from this, filling up hard drive space?
Userlevel 2
MSP Update:
 
So far I am seeing good success with this utility. Have only run into 3 workstations so far that are not working.
 
I am not getting console commands to run at this time still... hoping that gets resolved as well?
Userlevel 5
@ Here's the document that customers can share with their management team. 
Userlevel 1
Badge +4
Hello. I ran the tool on one of the infected machines, it disabled my Webroot. How do we know when the fix is done? After 10 minutes I enabled Webroot again and it ran a scan and the file that was falsely identified was once again found as a threat, I allowed it ... but I feel like I'm still not back to normal. I even had support (and myself), whitelist that file and folder in my console. 
 
I have around 350 endpoints, it took out 3 security cameras and quoting software, and then some facebook pages. This has caused a lot of headaches and I've only had a few issues. Can't imagine if it would have taken out servers and all my workstations. I'm still not feeling very confident with Webroot now, and to make matters worse my Account Rep never replies to my e-mails. 
Userlevel 5
Please contact support. They can address your issues with you. 
Mike
Userlevel 7
Badge +48
@ One possible reason why you're experiencing this would be if the system were low on drive space when the issue happened. I'd recommend talking with support and submitting a ticket so that they can further assist you. https://www.webroot.com/us/en/about/contact-us 
 
Thanks!
Userlevel 7
Badge +35
@, I spoke with our support team and asked our SEs to reach out to you. Can you please let us know if your case was resolved?
Userlevel 1
Badge +4
Shane C. and Sarah M. reached out and were both great and answered lots of my questions. Thank you!!!