Slashdot Mirror


Antivirus Webroot Deletes Windows Files, Causes Serious Problems For Users (pcworld.com)

Users of Webroot's endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious. From a report: The reports quickly popped up on Twitter and continued on the Webroot community forum -- 14 pages and counting. The company came up with a manual fix to address the issue, but many users still had problems recovering their affected systems. The problem is what's known in the antivirus industry as a "false positive" -- a case where a clean file is flagged as malicious and is blocked or deleted. False positive incidents can range in impact from merely annoying -- for example, when a program cannot run anymore -- to crippling, where the OS itself is affected and no longer boots. The Webroot incident falls somewhere in the middle because it affected legitimate Windows files and sent them to quarantine. This is somewhat unusual because antivirus firms typically build whitelists of OS files specifically to prevent false positive detections.

67 comments

  1. Not exactly big news. by richy+freeway · · Score: 4, Funny

    I'm sure all three users were massively upset though.

    1. Re:Not exactly big news. by Anonymous Coward · · Score: 1

      And Webroot isn't exactly wrong either. ;)

      I'd spin this as "BrickerBot for Windows" and bask in the praises of Slashdot.

    2. Re:Not exactly big news. by Anonymous Coward · · Score: 0

      It's one of the better corporate products and integrates well with management systems like labtech that is big amongst MSP's.

    3. Re:Not exactly big news. by Anonymous Coward · · Score: 0

      lol. I still have an unopened copy of Webroot here in my office that came free with a laptop or something from Best Buy a few years ago.

    4. Re:Not exactly big news. by LinuxIsGarbage · · Score: 1

      McAfee has done something like this before. As I recall it impacted Intel.

  2. Is there a problem? by Anonymous Coward · · Score: 5, Funny

    > the program started flagging Windows files as malicious

    I don't see the problem. Works well.

    1. Re:Is there a problem? by kurkosdr · · Score: 5, Insightful

      Translation: GOT THE JOKE??? I am an FSF neckbeard and consider Windows malicious for not conforming with my personal definition of non-malicious, and for that reason I think Webroot flagging Windows files as malicious is funny!!111 Joking aside, this incident proves WebRoot doesn't run automated tests before farting out a definition update, which every AV vendor should do.

    2. Re:Is there a problem? by Bearhouse · · Score: 1

      You beat me to it; now if only it went the whole hog and forcibly installed an upgrade to Linux or BSD

    3. Re:Is there a problem? by Anonymous Coward · · Score: 0

      > Translation: GOT THE JOKE??? I am an FSF neckbeard and consider Windows malicious for not conforming with my personal definition of non-malicious, and for that reason I think Webroot flagging Windows files as malicious is funny!!111 Joking aside, this incident proves WebRoot doesn't run automated tests before farting out a definition update, which every AV vendor should do.

      You seem pretty upset about all this gay computer shit as well, FYI.

  3. Flags Windows as malicious by rmdingler · · Score: 3, Funny

    Something /. users have been doing for years.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re: Flags Windows as malicious by Anonymous Coward · · Score: 0

      Not all of us. I've been replacing Linux distros with Windows for years. My customers are happy, security holes are fixed, and programs just work.

  4. Gahh by Anonymous Coward · · Score: 0

    A stunning example of why signature-based AV should be history.

    1. Re:Gahh by Anonymous Coward · · Score: 0

      Webroot uses heuristics.

    2. Re: Gahh by kurkosdr · · Score: 1

      Which means the solution lies in whitelisting (aka signed exes with the signature given out to identified devs, much like Windows does) coupled with tight sandboxing and an ask-permissions-for-anything policy for the non-whitelisted stuff (Windows doesn't do that unfortunately) plus the usual warnings.

    3. Re: Gahh by godefroi · · Score: 1

      Windows *does* do that; it asks permission for anything you don't have rights to do. I don't use MacOS a lot, but it seemed to be very similar to how OSX did/does it.

      Now, if you meant "ask permission to execute any .exe not on the whitelist", then yeah, I don't know of any OS that does *that*.

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    4. Re: Gahh by EndlessNameless · · Score: 1

      > tight sandboxing and an ask-permissions-for-anything policy for the non-whitelisted stuff

      This is the correct answer only if you are a competent IT admin.

      But Webroot doesn't sell to enterprises. Or if they do, no one I know has ever bought them. Webroot sells to home users who know jack.

      Home users will never have a viable means of addressing malware unless the device, OS, and applications are all managed for them. Expert users despise walled gardens, but they are the only real hope for most of the population.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  5. False positive or truly negative? by Anonymous Coward · · Score: 1

    Are they sure those Windows files weren't malicious? Just because they belong to the OS doesn't mean they should automatically be trusted, especially in Windows.

  6. Every Antivirus has done this. by freeze128 · · Score: 4, Insightful

    This has happened to every Antivirus. This is why Microsoft made their own - Microsoft Security Essentials, and also Windows Defender. In the era of Microsoft's own AV, there is no need for a third-party AV installed on Windows.

    1. Re:Every Antivirus has done this. by Anonymous Coward · · Score: 2, Insightful

      including microsoft's.

      and, btw, microsoft did not "make their own".

      they bought rav from gecad in '03, and giant antispyware in '04. those turned into onecare (later mse) and defender, respectively.

      this is what they do: buy other companies or other companies technologies; and failing that, copy someone else's idea or product or poach their employees to recreate them.

    2. Re:Every Antivirus has done this. by Anonymous Coward · · Score: 0

      There is, just not for small deployments or home users.

      The reasons to buy an AV suite:

      Central management and reporting- The ability to push settings and pull reports automatically from managed workstations for threat monitoring. Gives good insight if you think a spearphishing campaign is hitting your org. Also gives you a record of compliance in the event of a shit-fan-interface event. (The report from our AV suite says these workstations had up to date virus definitions and the systems were otherwise in compliance according to policy. The report also says that special-goldenboy-Bob has a history of alerts from browsing activity and flash drives. Maybe you should take a look there.)

      To tick that checkbox on the audit sheet- Yeah, it's a bullshit reason but it's bullshit you can't ignore. Fortunately it's a manageable level of bullshit you can take care of with a known level of time and money investment. (You see how the AV industry makes its money now, huh?) If you see the above you can also see how you can make the bullshit work for you.

    3. Re:Every Antivirus has done this. by Anonymous Coward · · Score: 0

      But Microsoft's anti-virus does not flag Windows 10 as the virus it is, and does not totally delete it, therefore it is not effective. It sounds like Webroot is better, but still not really effective, as it didn't totally delete the Windows 10 virus either!

      I can understand Microsoft's anti-virus not detecting and removing Windows 10: Why would M$ design a virus that could remove itself? What I don't understand is why other anti-virus programs do not detect and remove the Windows 10 virus from infected systems?! After all, the Windows 10 virus has been in the wild for more than a year in various forms. Just goes to show how worthless most anti-virus software really is. Keep working on it Webroot, you are moving in the right direction, but you are not there yet!

    4. Re:Every Antivirus has done this. by Anonymous Coward · · Score: 0

      Do you ever get tired of pushing this agenda?

    5. Re:Every Antivirus has done this. by Anonymous Coward · · Score: 0

      Replace Microsoft with Apple and you are still right. Heck, replace Linux minus the buying and just copying and still right. Everyone buys. Everyone copies. Stop being a toad.

    6. Re:Every Antivirus has done this. by Anonymous Coward · · Score: 0

      *Yawn*. You must be a ton of fun at the few parties you're actually invited to.

    7. Re:Every Antivirus has done this. by Anonymous Coward · · Score: 0

      Yeah -- and Microsoft do the prudent step of scanning every known Windows file with the new AV definitions before releasing them in order to pick up brain-dead obvious false positives like this!

      (The also accept submissions of new files, both false positives and false negatives. And, yes, I've submitted both, and within 48 hrs, updated definitions have been out reflecting my submissions.)

    8. Re:Every Antivirus has done this. by UnknownSoldier · · Score: 1

      Denial is not just a river in Egypt.

      * List of mergers and acquisitions by Microsoft

      * Microsoft's "Innovations"

    9. Re:Every Antivirus has done this. by UnknownSoldier · · Score: 1

      > they bought rav from gecad in '03, and giant antispyware in '04. those turned into onecare (later mse) and defender, respectively.

      Yup, those were Microsoft Acquisitions #72 and #77, respectively.

      Number  Date               Company                 Business              Country        Value (USD)  References
      72      June 10, 2003      GeCAD Software          Antivirus technology  Romania        $???,???     [93]
      77      December 16, 2004  GIANT Company Software  Anti-spyware          United States  $???,???     [98]

    10. Re:Every Antivirus has done this. by BronsCon · · Score: 1

      Well, he's not wrong. That said, it's good business; and they're BUYING the companies, nobody's holding a gun to anyone's head, the companies sell willingly. Some of what they buy is actually good and they certainly have a wide reach, so I'm not sure it's all bad.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    11. Re:Every Antivirus has done this. by dcooper_db9 · · Score: 2

      > In the era of Microsoft's own AV, there is no need for a third-party AV installed on Windows.

      Not according to Microsoft. They say that Defender is intended as a fallback to provide some level of protection when no other antivirus is installed. It is not intended to provide full anti-malware protection.

      --
      I do not block ads. I do block third party scripts.
    12. Re:Every Antivirus has done this. by godefroi · · Score: 1

      So, pretty much like any company ever, then?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
  7. Serves them right... by Anonymous Coward · · Score: 0

    ... for running Micro$oft Windoze.

  8. APK? by Anonymous Coward · · Score: 0

    Time is ticking...where is APK? This has some vague relevance to APK

    1. Re:APK? by Anonymous Coward · · Score: 0

      The real question is.. Who is apk?

      A deranged troll from the 90s who overdosed on hot grits?

      An advanced shitposting AI that escaped the control of its creators?

      A wandering Djin or other demi-entity that exists to give bad computing advice?

      We'll never really know..

  9. Norton? by Anonymous Coward · · Score: 0

    Did norton buy them?

  10. Well On The Bright Side by Greyfox · · Score: 4, Funny

    After it can't boot anymore, Windows is WAY more secure than it was. Really, you could say they're doing a GREAT job of keeping your system free of viruses!

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  11. Not False Positive by Anonymous Coward · · Score: 1

    It found NSA malware hidden code in .dll files

    1. Re:Not False Positive by Anonymous Coward · · Score: 0

      And in .exe .jpg .mp3 .log and *.* files.

  12. Signature hashes are not enough by Anonymous Coward · · Score: 0

    Here is a virus sample which is unique on every computer it infects. It's recompiling itself as it worms from machine to machine.

    https://virustotal.com/en/file/5aa2f40e7090eba0fdd1ca3e75a73cffd165d330f06ff42d35793e044dcd3cca/analysis/1493090456/

  13. Checksum and recheck by DigiShaman · · Score: 1

    This is a solved problem. For performance, scan all system files with an MD5 checksum and flag all suspects (but don't do anything yet). Scan multiple files at once, multithreaded, for extra performance. Now, go back and rescan all suspect files with SHA-1 or SHA-256 to validate any potential false positives that may have been flagged by the previous MD5.

    --
    Life is not for the lazy.
    1. Re:Checksum and recheck by Anonymous Coward · · Score: 0

      I can't help thinking that sounds like a massive oversimplification.

      If something's been false-positively flagged by MD5 checksum, what's to stop it being false-positively flagged by SHA-1 or SHA-256?

    2. Re:Checksum and recheck by bill_mcgonigle · · Score: 1

      Sounds like he's talking about md5 collisions. But that's not the cause of AV false flags.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Checksum and recheck by Anonymous Coward · · Score: 0

      Just try that. Run the md5sum of the tens of gigabytes of your C:\windows and C:\progra~1\ directories. If you eat the I/O bandwidth of a system you are effectively killing the machine, especially if it is using a hard drive. Problem here is not a hash algorithm collision, but failure in marking the file as malicious and bigger failure to do proper design as the system deletes files.

    4. Re:Checksum and recheck by Anonymous Coward · · Score: 0

      I *think* you mean that when file is flagged, check the checksum of the file against a list of known-good files to see if that file is, in reality, whitelisted.

      Honestly, a simpler approach (given how rare it truly is for a file to be marked as positive by the scanning engine) is to have a known-good CA key that system core files are signed with. The whitelist then becomes 'validate signature on file signed by Microsoft's key'; which means updates to Windows will still be whitelisted.

      (Never mind, I'd rather Windows had a file (e.g., WINDOWS.WIM) which was the read-only system image that carried as much as possible of what's currently in C:\WINDOWS. This whole file can be cryptographically verified at boot or something (or some kind of cascading signing structure where each block is individually signed to avoid scanning the whole file at boot). It would reduce the chances of malware (this file is read-only for everything); and updates become a very specialised rsync-like process to build the new WINDOWS.WIM file and then reboot. Doesn't matter how many updates are going on, they will be consistently applied.)
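
The block-signed, read-only system image sketched in the parenthetical above, as an added example that is not part of the original comment and does not describe any shipped Microsoft design: a hash tree over fixed-size blocks whose root is signed once, so a loader can verify any single block on demand instead of hashing the whole image at boot. BLOCK_SIZE, IMAGE and VENDOR_KEY are constructed for the demonstration, and an HMAC with a shared key stands in for the vendor's asymmetric signature over the root (a real boot chain would carry the vendor's public key and use RSA or ECDSA).

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # constructed: tiny blocks keep the example readable; real images use 4 KiB pages

# Constructed stand-in for a read-only system image: 100 bytes, so 7 blocks (the last one short).
IMAGE = bytes(range(100))

# HMAC with a constructed key stands in for the vendor's asymmetric signature over the root
# (assumption; a real design signs with an RSA/ECDSA key whose public half is in the boot chain).
VENDOR_KEY = b"constructed-vendor-signing-key"


def get_block(image: bytes, index: int) -> bytes:
    return image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]


def block_hashes(image: bytes) -> list:
    """Leaf level of the hash tree: SHA-256 of every block."""
    count = (len(image) + BLOCK_SIZE - 1) // BLOCK_SIZE
    return [hashlib.sha256(get_block(image, i)).digest() for i in range(count)]


def _parent_level(level: list) -> list:
    if len(level) % 2:
        level = level + [level[-1]]  # duplicate an odd tail so every node has a sibling
    return [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]


def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _parent_level(level)
    return level[0]


def merkle_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to the root, as (hash, sibling_is_left) pairs."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = i ^ 1
        proof.append((level[sibling], sibling < i))
        level, i = _parent_level(level), i // 2
    return proof


def sign_root(root: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, root, hashlib.sha256).digest()


def verify_root(root: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_root(root), signature)


def verify_block(block: bytes, index: int, proof: list, root: bytes) -> bool:
    """Recompute the path from one block to the root; no other block needs to be read."""
    h = hashlib.sha256(block).digest()
    for sibling, sibling_is_left in proof:
        h = hashlib.sha256((sibling + h) if sibling_is_left else (h + sibling)).digest()
    return hmac.compare_digest(h, root)


def read_verified(image: bytes, index: int, leaves: list, root: bytes, signature: bytes):
    """What a loader does on demand: trust the root only if its signature checks,
    then verify the single requested block before handing it out. None on any failure."""
    if not verify_root(root, signature):
        return None
    block = get_block(image, index)
    if not verify_block(block, index, merkle_proof(leaves, index), root):
        return None
    return block


if __name__ == "__main__":
    leaves = block_hashes(IMAGE)
    root = merkle_root(leaves)
    sig = sign_root(root)
    tampered = bytearray(IMAGE)
    tampered[50] ^= 0x01  # flip one bit inside block 3
    tampered = bytes(tampered)
    print("clean block 3 verifies:", read_verified(IMAGE, 3, leaves, root, sig) is not None)
    print("tampered block 3 verifies:", read_verified(tampered, 3, leaves, root, sig) is not None)
    print("untouched block 0 still verifies:", read_verified(tampered, 0, leaves, root, sig) is not None)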

    5. Re:Checksum and recheck by godefroi · · Score: 1

      Yes, multithread that file scan! That way, both your disk *and* your CPU can be pegged full-time, and any potential viruses won't have any CPU time or IO available to do anything nefarious!

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    6. Re: Checksum and recheck by Anonymous Coward · · Score: 0

      Windows system files have been signed for 15 years already.

  14. Another day in the Windows world by OneHundredAndTen · · Score: 4, Insightful

    Windows users are probably used to this kind of nonsense by now.

    1. Re:Another day in the Windows world by Anonymous Coward · · Score: 0

      As an MSP we've had this happen twice in 20 years. Once with Trend Micro (when it brought down the Japanese weather-simulating supercomputer with the same bad update) and this.

      I think there's more than a little bit of idiot snobbery going on here...

  15. In other news by mandark1967 · · Score: 0

    Microsoft announced today the acquisition of the Webroot Antivirus program in order to incorporate its detection technology into Microsoft Defender. Steve Ballmer is quoted as saying, "No one fucks with our users, well...except for us, and this provides an excellent means by which to do so."

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    1. Re:In other news by Anonymous Coward · · Score: 0

      You...you do know that Steve Ballmer doesn't work at Microsoft anymore, right? Or are you really THAT out of touch with reality?

  16. Not the first time this has happened. by harperska · · Score: 1

    The company I was working at in 2010 was effectively shut down for a day when McAfee flagged and quarantined svchost.exe.

    http://www.theregister.co.uk/2...

  17. It has to be said... by hyades1 · · Score: 1

    "Users of Webroot's endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious."

    If the files in question are from Win 10, then it's pretty much a case of Webroot just doing its job.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re: It has to be said... by Anonymous Coward · · Score: 0

      if I was Nadella I'd be heartbroken at this comment

    2. Re: It has to be said... by Anonymous Coward · · Score: 0

      Instead, you're really Nutella and you love that comment!

  18. Answer: by Anonymous Coward · · Score: 0

    No.

    Are you saying Microsoft employees could have designed something that works? Microsoft Is Filled With Abusive Managers And Overworked Employees, Says Tell-All Book

    Next time Satan gives a philosophy conference in Hell, attend so that you will understand the ideas about management. (I know there are people who consider that extreme. Others consider it under-stated.)

  19. Reasons for not Microsoft by DrYak · · Score: 3, Informative

    > In the era of Microsoft's own AV, there is no need for a third-party AV installed on Windows.

    Nope, quite the contrary : There IS need for third-parties too.

    The more diverse the antivirus landscape is, the more AVs a virus writer needs to test their creations against.
    Avoid monoculture !
    It's harder when a Virus needs to go unnoticed by all of Microsoft AV, Kaspersky AV, Avira, F-Prot, Clam, etc. rather than only the first one on the list.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Reasons for not Microsoft by michaelwigle · · Score: 4, Funny

      Yup, that's why I install all of them at once! No virus is gonna get me (because my system won't boot)... :P

      P.S. I agree. Diverse 3rd party products do help make the bad guys job harder.

  20. Never thought of users as virii by Anonymous Coward · · Score: 0

    Users are the PC's greatest risk. My manual fix is that when a user deletes a file or files that break their rig or slow production, I pick them up and toss them out on the sidewalk.

  21. Oops! Upgrade to 10? by Anonymous Coward · · Score: 0

    Wouldn't surprise me if Microsoft got the help of an AV company to do this specifically to Windows 7 machines. They really seem to be targeting Windows 7 users lately to upgrade. Wouldn't surprise me in the least if this was found to be mostly 7 users.

  22. Only antivirus that makes you faster by Anonymous Coward · · Score: 0

    See subject: Less complexity & doesn't wreck your system APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script & malware rob speed/security/privacy

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

    * Via what u NATIVELY have in the IP stack in FASTER kernelmode!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

  23. Not mine & why I made MY own... apk by Anonymous Coward · · Score: 0

    It makes you faster minus resource bloat + moving parts complexity + room for exploit Tavis Ormandy's exposed in their shoddy inefficient construction.

    All done by using what you already have natively (since 1973 iirc as part of the IP stack itself) & a 33++ yrs. proven system via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Simply by blocking access to threats BEFORE they can even get to you - you can't be hurt by what you can't touch (& hosts block the most used avenue to get to you via host-domain names which hosts block).

    10 reputable reliable sources in the security community provide the data to do so (for protective data ADDITIONALLY adding speed up + security data vs. DNS & router security shortcomings via hardcoded favorites where you spend most time online).

    APK

  24. Software designed to keep PCs healthy malfunctions by Anonymous Coward · · Score: 0

    Your PC has an auto-e-mmune disease, where the computer system's defenses attack itself.

    Could be Amy Lloyd's "O.sys," robotoid AI-tis, SD-Card-IO my.o-PATH-y, or GNU/Lupus.

  25. MINOR correction (not that it matters) by Anonymous Coward · · Score: 0

    A 44++ yrs. proven system (typo & on the numberkey line I'm far from the best 'touch-typist')

    (Had to get that in before the ineffectual nitpicker trolls have the chance for their typical asshattery on /.)

    APK

    P.S.=> "Mea culpa" but see subject - it doesn't matter - it works doing MORE for FAR less (on many levels) vs. ANY single other "so-called 'competitor'" does... apk

  26. Brutal Honesty by Anonymous Coward · · Score: 0

    at its finest

  27. Misleading Article, ALL executables were trojans by Anonymous Coward · · Score: 0

    My experience with this Webroot SecureAnywhere disaster was that it was quarantining any and all signed executable (.exe) files over a certain trivial size, as well as any data files that the executable was operating with!

    I did not observe any instances tinkering with the windows directory or microsoft office at all. But any 3rd party software and even drivers were flagged and quarantined if they had the .exe file extension. Executables were quarantined even if they were running, causing blue-screens and data loss.

    There was no local way to fix the stations, as the permissions get pushed down from a management console in "the cloud". The way SecureAnywhere is typically set up is to disallow stopping of the executable, so people just had to sit and watch their legitimate programs going into quarantine. I kid you not, I saw one post where a disk backup imager was running, and SecureAnywhere quarantined the executable AND the disk image files, leaving no way to recover. Because again the operations came from commands from "the cloud".

  28. China using hosts = most relevant by Anonymous Coward · · Score: 0

    Boffins supercharge the 'hosts' file to save users plagued by DNS outages - Chinese Academy of Sciences thinks it has a way to give DNS a backup http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/

    * IMITATION = SINCEREST FORM OF FLATTERY

    APK

    P.S.=> APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ ... apk