Webroot flags Windows as malware, creates chaos for customers
A Webroot antivirus signature update, which was supposedly live for only 13 minutes yesterday afternoon, flagged crucial Windows system files as malicious, causing chaos and 15 pages of customer complaints so far.
The havoc began after Webroot flagged some Windows system files as the malware Win32.Trojan.Gen and moved key system files to quarantine. As legit files were shuffled around, thousands upon thousands of Webroot customers experienced OS errors or crashed Windows systems.
Individuals with home editions, as well as managed service providers (MSPs) running business editions, took to Twitter and the Webroot forums to express their displeasure. Tier one customer support personnel probably wanted to tear their hair out.
At the same time that Windows was flagged as malicious, Webroot started blocking access to valid websites such as Facebook and Bloomberg.
After the bad detection rule was live for 13 minutes, anonymous security tweeter SwiftOnSecurity said a Webroot system kill switch kicked in to stop the anomalous detections. Even though files signed by Microsoft had been moved, there were enough Windows files left to allow systems to boot and to restore quarantined files.
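The kill switch described above is the last line of defence; the earlier one is a release gate that replays a candidate rule against a corpus of known-good, publisher-signed OS files before it ships. The following is an added example written for this article, not Webroot's code or any detail of its product: a pre-release gate plus a runtime kill switch that disables a rule once it has quarantined a few protected files. The trusted publisher names, system-directory prefixes, file records and SHA-256 values are constructed placeholders, and the two sample rules (one that condemns a whole system folder, one that matches a single hash) are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class FileRecord:
    """One scanned file. `publisher` is the Authenticode signer name ("" if unsigned)."""
    path: str
    publisher: str
    sha256: str


# A rule returns True when it wants the file quarantined.
Rule = Callable[[FileRecord], bool]

# Assumed policy: OS binaries under the system directories that carry a trusted
# publisher signature must never be quarantined by a signature update.
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Microsoft Corporation"}
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_protected(rec: FileRecord) -> bool:
    return rec.publisher in TRUSTED_PUBLISHERS and rec.path.lower().startswith(PROTECTED_PREFIXES)


@dataclass
class GateResult:
    approved: bool
    protected_hits: List[str] = field(default_factory=list)
    hit_rate: float = 0.0


def gate_rule(rule: Rule, corpus: Iterable[FileRecord], max_rate: float = 0.01) -> GateResult:
    """Replay a candidate rule against a known-good corpus before release.

    Every hit on this corpus is a false positive by construction. Any hit on a
    protected file, or an overall hit rate above `max_rate`, blocks the release.
    """
    records = list(corpus)
    hits = [rec for rec in records if rule(rec)]
    protected = [rec.path for rec in hits if is_protected(rec)]
    rate = len(hits) / len(records) if records else 0.0
    return GateResult(approved=not protected and rate <= max_rate, protected_hits=protected, hit_rate=rate)


class KillSwitch:
    """Runtime guard for a rule already in the field: disable it as soon as it
    has quarantined `limit` protected files, instead of letting it run on."""

    def __init__(self, limit: int = 3):
        self.limit = limit
        self.protected_count = 0
        self.enabled = True

    def on_detection(self, rec: FileRecord) -> bool:
        """Return True if the quarantine may proceed, False once the rule is disabled."""
        if not self.enabled:
            return False
        if is_protected(rec):
            self.protected_count += 1
            if self.protected_count >= self.limit:
                self.enabled = False
                return False
        return True


# Constructed known-good corpus (paths, signers and hashes are placeholders).
KNOWN_GOOD = [
    FileRecord("C:\\Windows\\System32\\kernel32.dll", "Microsoft Windows", "aa" * 32),
    FileRecord("C:\\Windows\\System32\\ntoskrnl.exe", "Microsoft Windows", "bb" * 32),
    FileRecord("C:\\Windows\\SysWOW64\\user32.dll", "Microsoft Windows", "cc" * 32),
    FileRecord("C:\\Program Files\\Editor\\editor.exe", "Example Editor Ltd", "dd" * 32),
    FileRecord("C:\\Users\\alice\\Downloads\\notes.txt", "", "ee" * 32),
]

BAD_HASH = "ff" * 32  # constructed hash of a hypothetical malicious sample


def folder_rule(rec: FileRecord) -> bool:
    """Hypothetical bad rule: condemns everything in a system folder."""
    return rec.path.lower().startswith("c:\\windows\\system32\\")


def hash_rule(rec: FileRecord) -> bool:
    """Hypothetical good rule: matches one specific sample by hash."""
    return rec.sha256 == BAD_HASH


if __name__ == "__main__":
    for name, rule in (("folder_rule", folder_rule), ("hash_rule", hash_rule)):
        result = gate_rule(rule, KNOWN_GOOD)
        print(f"{name}: approved={result.approved} rate={result.hit_rate:.2f} protected={result.protected_hits}")
    switch = KillSwitch(limit=2)
    for rec in KNOWN_GOOD[:3]:
        print(f"{rec.path}: quarantine allowed={switch.on_detection(rec)}")
```

The gate rejects the folder rule because it would quarantine two signed system binaries, while the hash rule passes with no hits. The kill switch trips on the second protected file and refuses every later quarantine from that rule, which is the behaviour that leaves enough of the OS in place to boot and restore what was already moved.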
Webroot, which has previously claimed that it has about 3 million customers, proposed a false positive fix for small business customers, but many MSPs left unhappy replies. For example, one MSP commenter asked, “How am I supposed to do this across 3 GSM’s with over 3 thousand client sites?”
Another claimed, “As an MSP with over 5600 active licenses, your proposed resolution of manually releasing files from quarantine is a no go.”
At one point yesterday, Webroot started replying to Twitter users with the promise of an upcoming fix, as well as a link to a ransomware presentation. Whether or not that inspired Twitter user Bob Ripley, he tweeted:
@Webroot I seem to have installed a nasty Ransomware app. It’s called Webroot. They already have my money, should I contact the FBI?
— Bob Ripley (@M5_Driver) April 24, 2017
This morning, Webroot issued the following statement:
On April 24, Webroot experienced a technical issue affecting some business and consumer customers. A folder that is a known target for malware was incorrectly classified as bad, and Facebook was classified as a phishing site. The Facebook issue was corrected, and the Webroot team is in the process of creating a comprehensive fix for the false positive issue. In the meantime, small business customers and consumers can follow instructions posted in the Webroot Community to address the issue.
Webroot was not breached, and customers are not at risk. Legitimate malicious files are being identified and blocked as normal. We are dedicated to resolving the issue and will provide updates as they are available in the Community.
For some, a “we’re sorry” won’t cut it. One commenter in the Webroot thread claimed, “My technicians, project managers, and developers have been up all night on this and they still have not slept.”
This is not the first time this year that a Webroot update has caused systems to crash. In February, a faulty update caused the dreaded Blue Screen of Death for some customers. After the latest fiasco, which is still not fully resolved for all MSPs, some customers are claiming on Twitter that they’ve had enough and are kicking Webroot to the curb. Depending upon how much money they have tied up in Webroot as a “smarter cybersecurity” solution, and how many of them are actual customers rather than trolls, the growls may be nothing more than frustration and aggravation.
If you know anyone adversely affected by Webroot’s temporarily-issued bad rule, then it might be a good time to steer clear of them or to buy them a drink after their present nightmare ends.