Webroot causes massive headaches after falsely flagging Windows files as malicious
Webroot upset many of its customers when one of its signature updates caused its anti-virus solution to flag critical Windows files as malicious.
The endpoint security provider’s anti-virus platform melted down between 13:00 and 15:00 MST on 24 April. In that time span, Webroot began detecting legitimate Windows files, some of which are essential for Microsoft’s operating system to function, as W32.Trojan.Gen, its generic name for a Windows trojan. The anti-virus platform responded by moving all these falsely flagged files into quarantine, rendering an untold number of computers inoperable.
Not too long after the update took effect, customers took to social media to voice their disbelief and share their stories.
And @webroot goes into meltdown. Hoping global restores will work. We have lots of valid exe’s for all types of software being flagged
— Dave Devery (@Davedevery) April 24, 2017
@Webroot everything is breaking, money is flying out the window… where are you? I have been on hold 20+min
— iSupportU (@isupportu) April 24, 2017
Like many IT admins today, I am dealing with a headache caused by @Webroot‘s signature update. I feel for their tier 1 support staff.
— Eric K. ☮ (@ericemoji) April 24, 2017
Information security observer @SwiftonSecurity told Ars Technica that Webroot had falsely flagged “several hundred” files used by Windows Insider Preview at their place of work. Hundreds of “line of business” apps also went down as a result of the issue.
Strangely enough, Webroot even prevented users from accessing Facebook after it flagged the social network as a phishing site.
The flawed update was in place for 13 minutes before Webroot pulled it. Subsequently, the security firm released a workaround that users can implement to recover their files. This solution works for home users who have one or two affected PCs. But it doesn’t do much good for managed services providers (MSPs) that cater to hundreds or thousands of clients. For those clients, Webroot said in an update posted to its forums that it’s “still working to resolve this issue through the night and will keep you updated as soon as more information becomes available.”
That’s a small comfort to those affected by this incident. Still, it’s better than receiving a link to a slideshare about ransomware, something which Webroot sent to some of its users who complained.
All home users affected by Webroot’s snafu can reportedly fix the issue by uninstalling Webroot, restoring the quarantined files from a backup drive, and reinstalling the anti-virus platform. Let’s hope it doesn’t take long for the firm to release a solution for its business clients.
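Whichever recovery route is used, the practical check afterwards is the same: confirm that the Windows binaries the product quarantined are back in place and still carry a valid Microsoft Authenticode signature, rather than assuming the restore succeeded. The PowerShell below is an added example for that triage step; it is not part of the original article and not Webroot’s own tooling. The list of “critical” binaries is an assumption chosen for illustration and should be extended with whatever a given environment depends on.

```powershell
# Added example (not from the article or Webroot): post-incident triage of
# Windows system binaries after an AV product has quarantined legitimate files.
# The list of "critical" binaries below is an assumption chosen for illustration.

$critical = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\explorer.exe"
)

function Test-CriticalBinary {
    param([string]$Path)

    # A quarantined file is simply gone from its original location.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Signature = 'MISSING'; Signer = $null }
    }

    # Get-AuthenticodeSignature resolves catalog-signed Windows binaries on
    # Windows 8 and later; older systems may report NotSigned for them.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return [pscustomobject]@{
        Path      = $Path
        Present   = $true
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$results = $critical | ForEach-Object { Test-CriticalBinary -Path $_ }
$results | Format-Table -AutoSize

# Anything missing or not validly signed needs attention before the host is trusted again.
$bad = @($results | Where-Object { -not $_.Present -or $_.Signature -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) critical binaries are missing or not validly signed; run 'sfc /verifyonly' and restore them from a known-good source."
} else {
    Write-Host "All listed binaries are present and validly signed."
}
```

Run it in an elevated PowerShell session after the restore. A `MISSING` row means the file never came back from quarantine; a `NotSigned` or `HashMismatch` row means something other than the original Microsoft binary now sits at that path, which matters because a restore from an arbitrary backup drive can just as easily reintroduce a tampered file as a clean one. `sfc /verifyonly` is the built-in cross-check for the same question across the whole protected file set.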
For more discussion around the issue, be sure to check out this edition of the “Smashing Security” podcast:
Update: Mike Malloy of Webroot has offered the following statement:
Webroot has issued a standalone repair utility that provides a streamlined fix for our business customers. This is in addition to the manual fix issued Monday, April 24.
For access to the repair utility, business customers should open a ticket with Webroot support, or reply to an existing support ticket related to this issue.
The instructions we shared with our consumer customers yesterday are still the best solution for these users.
Our entire Webroot team has been working around-the-clock on this repair and is implementing additional safeguards to prevent this from happening in the future. We apologize to our customers affected and appreciate their patience during this challenging issue.