Webroot causes massive headaches after falsely flagging Windows files as malicious

Let’s just say customers are *not* pleased.

David Bisson
@DMBisson


Webroot upset many of its customers when one of its signature updates caused its anti-virus solution to flag critical Windows files as malicious.

The endpoint security provider’s anti-virus platform melted down between 13:00 and 15:00 MST on 24 April. In that time span, Webroot began detecting legitimate Windows files, some of which are essential for Microsoft’s operating system to function, as W32.Trojan.Gen, its generic name for a Windows trojan. The anti-virus platform responded by moving all these falsely flagged files into quarantine, rendering an untold number of computers inoperable.

Not too long after the update took effect, customers took to social media to voice their disbelief and share their stories.


https://twitter.com/ericemoji/status/856621654537109504

Information security observer @SwiftonSecurity told Ars Technica that Webroot had falsely flagged “several hundred” files used by Windows Insider Preview at their place of work. Hundreds of “line of business” apps also went down as a result of the issue.

Strangely enough, Webroot even prevented users from accessing Facebook after it flagged the social network as a phishing site.

[Image: Webroot blocking Facebook as a phishing site]

The flawed update was live for only 13 minutes before Webroot pulled it, but the damage was already done on machines that had received it. Subsequently, the security firm released a workaround that users can follow to recover their quarantined files. This solution works for home users who have one or two affected PCs. But it doesn’t do much good for managed service providers (MSPs) that cater to hundreds or thousands of clients. For those customers, Webroot said in an update posted to its forums that it’s “still working to resolve this issue through the night and will keep you updated as soon as more information becomes available.”

That’s a small comfort to those affected by this incident. Still, it’s better than receiving a link to a slideshare about ransomware, something which Webroot sent to some of its users who complained.


All home users affected by Webroot’s snafu can reportedly fix the issue by uninstalling Webroot, restoring the quarantined files from a backup drive, and reinstalling the anti-virus platform. Let’s hope it doesn’t take long for the firm to release a solution for its business clients.


For more discussion around the issue, be sure to check out this edition of the “Smashing Security” podcast:

Smashing Security #018: 'Windows is a virus. True or False?'



Update: Mike Malloy of Webroot has offered the following statement:

Webroot has issued a standalone repair utility that provides a streamlined fix for our business customers. This is in addition to the manual fix issued Monday, April 24.

For access to the repair utility, business customers should open a ticket with Webroot support, or reply to an existing support ticket related to this issue.

The instructions we shared with our consumer customers yesterday are still the best solution for these users.

Our entire Webroot team has been working around-the-clock on this repair and is implementing additional safeguards to prevent this from happening in the future. We apologize to our customers affected and appreciate their patience during this challenging issue.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

7 comments on “Webroot causes massive headaches after falsely flagging Windows files as malicious”

  1. danR2

    Strangely enough, Webroot even prevented users from accessing Facebook after it flagged the social network as a phishing site.

    What's so strange?

  2. danR2

    I've been using Macs for >2 decades. Been running Sophos for years and years, but it never finds anything.
    Given how often Windows throws an 'Unknown Publisher' modal alert for Windows' own code, I'm surprised this sort of behavior isn't a daily way of life for PCs.

  3. ben

    For IT, it looks like a nightmare at its best!… at least Webroot didn't flag itself as a threat… :)

  4. Alistair

    Mental note: check antivirus test result reports (AV-comparatives dot org): does Webroot AV feature in the very good, okay, or mediocre category?
    [Why do all these business users and MSPs choose Webroot? It has never featured on my business AV option list, never mind shortlist..]

    Webroot will surely lose a lot of customers over this.. And I don't mean the blocking of Facebook, which would appear advantageous to most businesses outside of some with a sole web presence there..
    Almost all antivirus products do something bad from time to time, but this is so big.. (far bigger than McAfee hiding all a client's user files under Windows 8.1 Pro in 2016. That was resolved by uninstalling McAfee and installing a reliable product instead.)

  5. Stu Clayton

    I am fighting right now with a similar problem in Windows 7 Prof due to Kaspersky Internet Security, which I have had only 2 weeks. It suddenly started flagging Eclipse JARs as "corrupt" (they weren't). Now, instead of that, it flags the 64-bit Java (8u131, the latest Oracle version) that I use to start Eclipse as an "incompatible 16-bit version".

    A month ago I paid for a 3-machine Bitdefender product that I finally deinstalled, because it was preventing my machine from shutting down, and then strangely started fiddling around with my task bar (icons and size became different). Now I have these Kaspersky problems.

    In between giving all these guys a chance to clean up their act, I deinstall their software and reinstall Microsoft Security Essentials, which I've been using to my satisfaction for years.

    This story about Webroot has really made me sweat. Looks like I'll have to spend a lot of money short-term on a fast backup system that I should use daily – I have a lot of changing development data. Gotta go into AAV (anti-antivirus) mode.

  6. Mark Jacobs

    What I cannot understand is why Webroot failed to test their own signatures on Windows PCs BEFORE distributing them! I have been using Webroot for 3 years now and even have it in our business because I personally recommended it. The only problem I have ever had with it is with an esoteric MIDI sequencer called Seq303. I reported the false positive to them, and they still have done nothing about it. I run Windows 10 Defender instead on that particular PC running Seq303.

    That said, Webroot is the least intrusive, lightest resource usage, and easily most effective AV product I have ever used. It spotted viruses Kaspersky failed to spot. And it has heuristic analysis built in for zero-days. It is still excellent IMO, despite this wobble!

    1. Trevor Money · in reply to Mark Jacobs

      And I have installed Kaspersky products on client computers that were infected when Webroot failed to detect an infection on their computers.
