I typed this out once and got an error, so I'm going to keep it brief and informative.
I was playing Killing Floor 2 through Steam, using TeamSpeak, and streaming to YouTube through OBS. Mid game, I had a threat pop up for the dnsapi.dll. I quarantined and removed it (C:\Windows\System32 and another amd64_windows-dns-client spot). When I restarted, I had no internet, and couldn't open TeamSpeak or anything because of the missing DLL. I went into safe mode, restored it using a cmd prompt and "sfc /scannow". It restored the files, but another virus scan immediately afterwards showed them as threats again. I didn't find anything weird in the registry and no host IPs were found connecting to me in the Drivers/etc/hosts.txt.
Is this a false positive? Or do I have a real intrusion?
We're also affected this morning. As a managed service provider with over 4000 managed Webroot endpoints, we were LUCKY to catch this before it affected everyone.
We have over 200 machines that are effectively DEAD this morning.
Not sure if this is the information you've been given, but for us we've done some investigation and no intrusions occurred - the file was simply quarantined likely due to a recent update on the WR side.
I can't believe only two of us are talking about it if I'm honest! .....
REPLY RECEIVED FROM WEBROOT SUPPORT:
Thank you for bringing this to our attention.
We have examined the file and found that the file was incorrectly blocked due to a false positive.
We have updated our back end database to address this issue. To restore a file from Quarantine, follow these steps:
1. Log in to your Admin Console.
2. Go into Endpoint Protection and select the "Reports" tab.
3. Select "All Threats Seen" as the report type.
4. Locate the files you wish to restore and select them.
5. Along the top row, select "Restore From Quarantine".

Now that this change has been applied, please send the "Scan" agent command from the management console, followed by the "Reverify all files and processes" command to all the affected endpoints. If you would like to expedite the process, go to the machine locally and right-click on the Webroot system tray icon. Select "Refresh Configuration" and click "OK". This will force a polling interval and send the two commands.
If the machines are experiencing network connectivity issues, please perform the following on the machines locally in Safe Mode with Networking:
1. Shut down Webroot from the system tray icon. (If you do not have this option, you can change it from Advanced Settings.)
2. Locate the (hidden) Program Data folder (%ProgramData%).
3. Locate the WRData folder and rename it.
4. In the DOS Command Prompt window type in the following command exactly as it appears and then press Enter:
Run Sfc /scanfile=c:\windows\system32\dnsapi.dll
If that fails try: Sfc /scannow
5. Reboot your machine.
File needs to be run in safe mode.
Have been following this thread with interest, and from the little bit of research I have been doing this seems to be a relatively recent development where malware (in the cases I have read it was Shopperz, a well known browser hijack) alters 'dnsapi.dll'.
What has been posted previously in relation to sorting this out using SFC, etc. would seem to be the consensus approach to resolving the issue, but in case some feel that running the usual and full sfc /scannow procedure takes too long, if one is confident about the focus of the issue then one could just replace the 'dnsapi' DLL only.
Having said that the general recommendations are that one runs the full SFC procedure (in an elevated Command Prompt) since the malware apparently does not limit itself to the more general locations that the 'dnsapi' DLL usually resides.
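The support reply above and the post just before this one both come down to one question: is the live dnsapi.dll a genuine, unmodified Windows file (false positive) or has it been altered (real tampering), and should the repair be the single-file sfc /scanfile or the full sfc /scannow? The following PowerShell script is an added example written for this thread; it is not Webroot's tooling or code from any poster. It checks the Authenticode signature and SHA-256 of the System32 copy, compares it with the copies in the WinSxS component store (the "amd64_windows-dns-client" location the first post mentions), and only runs sfc on the single file when something is off. Assumptions: it is run from an elevated PowerShell prompt on Windows 8.1/10 or later (system DLLs are catalog-signed, and older PowerShell versions report them as NotSigned), and the `*dns-client*` folder-name pattern used to find the component-store copies is an assumption rather than a documented name.

```powershell
# Added example (not Webroot's or any poster's code): triage a quarantined dnsapi.dll
# to decide between a false positive and a tampered file before repairing it.
# Assumptions: elevated PowerShell on Windows 8.1/10+; the WinSxS folder pattern
# '*dns-client*' is assumed, based on the location mentioned in the thread.

$target = Join-Path $env:SystemRoot 'System32\dnsapi.dll'

function Get-DllReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Signed = $false; Signer = $null; SHA256 = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Path    = $Path
        Present = $true
        # Valid signature chain AND a Microsoft signer; either alone is not enough
        Signed  = ($sig.Status -eq 'Valid') -and ($subject -like '*Microsoft*')
        Signer  = $subject
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# 1. The live copy that DNS resolution (and TeamSpeak, Steam, etc.) actually loads
$live = Get-DllReport -Path $target
$live | Format-List

# 2. Component-store copies; these are what sfc restores from
$store = Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Directory -Filter '*dns-client*' -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'dnsapi.dll' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-DllReport -Path $_ }
$store | Format-Table Path, Signed, SHA256 -AutoSize

# 3. Decision: present, Microsoft-signed, and byte-identical to a signed store copy
#    is what a false positive looks like; anything else warrants a repair.
$matchesStore = $live.Present -and $live.Signed -and
    ($store | Where-Object { $_.Signed -and $_.SHA256 -eq $live.SHA256 })

if ($matchesStore) {
    Write-Host 'dnsapi.dll is present, Microsoft-signed and matches the component store: treat the detection as a false positive and restore from quarantine.'
} else {
    Write-Host 'dnsapi.dll is missing, unsigned or differs from the component store: repairing the single file (fall back to a full sfc /scannow if this fails).'
    & (Join-Path $env:SystemRoot 'System32\sfc.exe') "/scanfile=$target"
}
```

Run it before clicking "Restore From Quarantine": if the live file is already back and passes, the quarantine restore and the "Reverify all files and processes" command are all that is needed; if the file is missing or fails the check, the single-file sfc repair is the fast path, and the full sfc /scannow remains the thorough one because, as noted above, a tampered system is not guaranteed to have touched only this one location.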
I think this is the bigger issue: We need to be able to operate on computers without the internet, because as you can clearly see, you cannot restore from quarantine unless the PC has access to the internet.
Webroot? Is there any way to restore a file from quarantine without having the machine online to do it? Any command line prompt or Gui available? If not, there needs to be some way to look at WR activity and restore locally.
It's not clear to me what caused what here between (chronologically):
1. Webroot's false-positive removal of dnsapi.dll yesterday,
2. my run of sfc /scannow yesterday,
3. my modem/ISP outage today, and
4. my Webroot PC's flaky wireless connection since the outage.
The outage was unusual but does happen occasionally; the flaky wifi is unprecedented for that PC.
I also run LogMeIn (remote connection tool) on this PC, which could be a factor somehow. But the wifi is going in and out even when I disable LogMeIn.
Unfortunately the bottom line for me is that the PC is now unusable whereas the laptop, running Norton, has been fine through this, and I've never had a problem like this in several years of running Norton on it.
Welcome to the Webroot Community,
I am sorry to hear about the issues you are experiencing. Would you please Submit a Support Ticket so that they can check this out? This is a free service with an active Webroot subscription.
Support Number: 1-866-612-4227
Support Ticket: https://detail.webrootanywhere.com/servicewelcome.asp
I would advise creating a ticket first so they can gather logs and determine if a callback is necessary to resolve this for you.
I'll write again if the problem does recur. Thanks for checking. (And please I hope someone at Webroot is working on avoiding similar false positives in the future.)
I'm not having any issues after that update today (KB3199209).
Please submit a trouble ticket so that support can look into this for you. Or you can call Support Number: 1-866-612-4227.
Welcome to the Community Forums.
In case you have not noticed yet this has been responded to in the other thread that you posted in HERE.