Webroot causes massive headaches after falsely flagging Windows files as malicious

Let’s just say customers are *not* pleased.


Webroot upset many of its customers when one of its signature updates caused its anti-virus solution to flag critical Windows files as malicious.

The endpoint security provider's anti-virus platform melted down between 13:00 and 15:00 MST on 24 April. During that window, Webroot began detecting legitimate Windows files, some of them essential for Microsoft's operating system to function, as W32.Trojan.Gen, its generic detection name for a Windows trojan. The platform responded by moving all of these falsely flagged files into quarantine, rendering an untold number of computers inoperable.

Not too long after the update took effect, customers took to social media to voice their disbelief and share their stories.

Information security observer @SwiftonSecurity told Ars Technica that Webroot had falsely flagged "several hundred" files used by Windows Insider Preview at their place of work. Hundreds of "line of business" apps also went down as a result of the issue.

Strangely enough, Webroot even prevented users from accessing Facebook after it flagged the social network as a phishing site.


The flawed update was in place for 13 minutes before Webroot pulled it. Subsequently, the security firm released a workaround that users can follow to recover their files. That solution is workable for home users with one or two affected PCs, but it doesn't do much good for managed service providers (MSPs) that look after hundreds or thousands of clients. For those customers, Webroot said in an update posted to its forums that it's "still working to resolve this issue through the night and will keep you updated as soon as more information becomes available."

That's a small comfort to those affected by this incident. Still, it's better than receiving a link to a slideshare about ransomware, something which Webroot sent to some of its users who complained.


All home users affected by Webroot's snafu can reportedly fix the issue by uninstalling Webroot, restoring the quarantined files from a backup drive, and reinstalling the anti-virus platform. Let's hope it doesn't take long for the firm to release a solution for its business clients.
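When an anti-virus product suddenly starts flagging operating-system files, the first thing an administrator wants to know is which of the flagged files are unmodified, Microsoft-signed binaries, since that is strong evidence of a false positive rather than an infection. The PowerShell below is an added example written for this page; it is not Webroot's repair utility, nor any code from the original post. It takes a list of flagged paths (the list here is constructed as a placeholder; in practice you would feed it the product's detection or quarantine report) and checks each file's Authenticode signature with the standard Get-AuthenticodeSignature cmdlet.

```powershell
# Triage files an AV product has flagged as malicious. Added example, not Webroot's tooling.
# Assumption: the paths below are constructed placeholders; replace them with the real detection list.
$flagged = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\kernel32.dll",
    "$env:SystemRoot\explorer.exe",
    "$env:TEMP\suspicious.exe"          # constructed: most likely does not exist on your machine
)

function Test-FlaggedFile {
    param([Parameter(Mandatory)][string]$Path)

    # A file that is already gone has probably been quarantined; it must be restored before it can be checked.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = $null; Signer = $null; Verdict = 'missing (already quarantined?)' }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($signer -match 'O=Microsoft Corporation') { 'likely false positive: valid Microsoft signature' }
            else { 'valid signature from a non-Microsoft publisher: review' }
        }
        'HashMismatch' { 'signature does not match file contents: treat as tampered' }
        'NotSigned'    { 'unsigned: cannot be cleared on signature alone' }
        default        { "signature check returned $($sig.Status): review" }
    }

    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $signer; Verdict = $verdict }
}

$results = $flagged | ForEach-Object { Test-FlaggedFile -Path $_ }
$results | Format-Table -AutoSize Path, Status, Verdict

# Keep the evidence for the vendor support ticket or the change record.
$results | Export-Csv -NoTypeInformation -Path "$env:TEMP\av-false-positive-triage.csv"
```

Two caveats apply. A valid Microsoft signature shows the file is an unmodified Microsoft binary, not that every detection on it is wrong, because signed system binaries are also abused by attackers; it is evidence for the triage, not a verdict on its own. And on older Windows builds, files that are signed only through a system catalog rather than an embedded signature can come back as NotSigned from Get-AuthenticodeSignature, so a NotSigned result on a file under System32 deserves a second look before it is written off.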

For more discussion around the issue, be sure to check out this edition of the "Smashing Security" podcast:


Update: Mike Malloy of Webroot has offered the following statement:

Webroot has issued a standalone repair utility that provides a streamlined fix for our business customers. This is in addition to the manual fix issued Monday, April 24.

For access to the repair utility, business customers should open a ticket with Webroot support, or reply to an existing support ticket related to this issue.

The instructions we shared with our consumer customers yesterday are still the best solution for these users.

Our entire Webroot team has been working around the clock on this repair and is implementing additional safeguards to prevent this from happening in the future. We apologize to our customers affected and appreciate their patience during this challenging issue.


7 Responses

  1. danR2

    April 25, 2017 at 6:32 pm #

    Strangely enough, Webroot even prevented users from accessing Facebook after it flagged the social network as a phishing site.

    What's so strange?

  2. danR2

    April 25, 2017 at 6:36 pm #

    I've been using Macs for >2 decades. Been running Sophos for years and years, but it never finds anything.
    Given how often Windows throws an 'Unknown Publisher' modal alert for Windows' own code, I'm surprised this sort of behavior isn't a daily way of life for PCs.

  3. ben

    April 25, 2017 at 8:17 pm #

    For IT, it looks like a nightmare at its best!… At least Webroot didn't flag itself as a threat… :)

  4. Alistair

    April 26, 2017 at 12:03 pm #

    Mental note: check antivirus test result reports (AV-comparatives dot org): does Webroot AV feature in the very good, okay, or mediocre category?
    [Why do all these business users and MSPs choose Webroot? It has never featured on my business AV option list, never mind shortlist..]

    Webroot will surely lose a lot of customers over this.. And I don't mean the blocking of Facebook, which would appear advantageous to most businesses outside of some with their sole web presence there..
    Almost all antivirus products do something bad from time to time, but this one is so big.. (far bigger than McAfee hiding all a client's user files under Windows 8.1 Pro in 2016. That was resolved by uninstalling McAfee and installing a reliable product instead.)

  5. Stu Clayton

    April 26, 2017 at 1:38 pm #

    I am fighting right now with a similar problem in Windows 7 Prof due to Kaspersky Internet Security, which I have had only 2 weeks. It suddenly started flagging Eclipse JARs as "corrupt" (they weren't). Now, instead of that, it flags the 64-bit Java (8u131, the latest Oracle version) that I use to start Eclipse as an "incompatible 16-bit version".

    A month ago I paid for a 3-machine Bitdefender product that I finally deinstalled, because it was preventing my machine from shutting down, and then strangely started fiddling around with my task bar (icons and size became different). Now I have these Kaspersky problems.

    In between giving all these guys a chance to clean up their act, I deinstall their software and reinstall Microsoft Security Essentials, which I've been using to my satisfaction for years.

    This story about Webroot has really made me sweat. Looks like I'll have to spend a lot of money short-term on a fast backup system that I should use daily – I have a lot of changing development data. Gotta go into AAV (anti-antivirus) mode.

  6. Mark Jacobs

    April 26, 2017 at 5:18 pm #

    What I cannot understand is why Webroot failed to test their own signatures on Windows PCs BEFORE distributing them! I have been using Webroot for 3 years now and even have it in our business because I personally recommended it. The only problem I have ever had with it is with an esoteric MIDI sequencer called Seq303. I reported the false positive to them, and they still have done nothing about it. I run Windows 10 Defender instead on that particular PC running Seq303.

    That said, Webroot is the least intrusive, lightest resource usage, and easily most effective AV product I have ever used. It spotted viruses Kaspersky failed to spot. And it has heuristic analysis built in for zero-days. It is still excellent IMO, despite this wobble!

    • Trevor Money in reply to Mark Jacobs.

      April 26, 2017 at 7:34 pm #

      And I have installed Kaspersky products on client computers that were infected when Webroot failed to detect an infection on their computers.
