Slashdot Mirror


Antivirus Webroot Deletes Windows Files, Causes Serious Problems For Users (pcworld.com)

Users of Webroot's endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious. From a report: The reports quickly popped up on Twitter and continued on the Webroot community forum -- 14 pages and counting. The company came up with a manual fix to address the issue, but many users still had problems recovering their affected systems. The problem is what's known in the antivirus industry as a "false positive" -- a case where a clean file is flagged as malicious and is blocked or deleted. False positive incidents can range in impact from merely annoying -- for example, when a program cannot run anymore -- to crippling, where the OS itself is affected and no longer boots. The Webroot incident falls somewhere in the middle because it affected legitimate Windows files and sent them to quarantine. This is somewhat unusual because antivirus firms typically build whitelists of OS files specifically to prevent false positive detections.

28 of 67 comments

  1. Not exactly big news. by richy+freeway · · Score: 4, Funny

    I'm sure all three users were massively upset though.

    1. Re:Not exactly big news. by Anonymous Coward · · Score: 1

      And Webroot isn't exactly wrong either. ;)

      I'd spin this as "BrickerBot for Windows" and bask in the praises of Slashdot.

    2. Re:Not exactly big news. by LinuxIsGarbage · · Score: 1

      McAfee has done something like this before. As I recall it impacted Intel.

  2. Is there a problem? by Anonymous Coward · · Score: 5, Funny

    > the program started flagging Windows files as malicious

    I don't see the problem. Works well.

    1. Re:Is there a problem? by kurkosdr · · Score: 5, Insightful

      Translation: GOT THE JOKE??? I am an FSF neckbeard and consider Windows malicious for not conforming with my personal definition of non-malicious, and for that reason I think Webroot flagging Windows files as malicious is funny!!111 Joking aside, this incident proves WebRoot doesn't run automated tests before farting out a definition update, which every AV vendor should do.

    2. Re:Is there a problem? by Bearhouse · · Score: 1

      You beat me to it; now if only it went the whole hog and forcibly installed an upgrade to Linux or BSD

  3. Flags Windows as malicious by rmdingler · · Score: 3, Funny

    Something /. users have been doing for years.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  4. False positive or truly negative? by Anonymous Coward · · Score: 1

    Are they sure those Windows files weren't malicious? Just because they belong to the OS doesn't mean they should automatically be trusted, especially in Windows.

  5. Every Antivirus has done this. by freeze128 · · Score: 4, Insightful

    This has happened to every Antivirus. This is why Microsoft made their own - Microsoft Security Essentials, and also Windows Defender. In the era of Microsoft's own AV, there is no need for a third-party AV installed on Windows.

    1. Re:Every Antivirus has done this. by Anonymous Coward · · Score: 2, Insightful

      including microsoft's.

      and, btw, microsoft did not "make their own".

      they bought rav from gecad in '03, and giant antispyware in '04. those turned into onecare (later mse) and defender, respectively.

      this is what they do: buy other companies or other companies technologies; and failing that, copy someone else's idea or product or poach their employees to recreate them.

    2. Re:Every Antivirus has done this. by UnknownSoldier · · Score: 1

      Denial is not just a river in Egypt.

      * List of mergers and acquisitions by Microsoft

      * Microsoft's "Innovations"

    3. Re:Every Antivirus has done this. by UnknownSoldier · · Score: 1

      > they bought rav from gecad in '03, and giant antispyware in '04. those turned into onecare (later mse) and defender, respectively.

      Yup, those were Microsoft Acquisitions #72 and #77, respectively.

      Number  Date               Company                 Business              Country        Value (USD)  References
      72      June 10, 2003      GeCAD Software          Antivirus technology  Romania        $???,???     [93]
      77      December 16, 2004  GIANT Company Software  Anti-spyware          United States  $???,???     [98]

    4. Re:Every Antivirus has done this. by BronsCon · · Score: 1

      Well, he's not wrong. That said, it's good business; and they're BUYING the companies, nobody's holding a gun to anyone's head, the companies sell willingly. Some of what they buy is actually good and they certainly have a wide reach, so I'm not sure it's all bad.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:Every Antivirus has done this. by dcooper_db9 · · Score: 2

      In the era of Microsoft's own AV, there is no need for a third-party AV installed on Windows.

      Not according to Microsoft. They say that Defender is intended as a fallback to provide some level of protection when no other antivirus is installed. It is not intended to provide full anti-malware protection.

      --
      I do not block ads. I do block third party scripts.
    6. Re:Every Antivirus has done this. by godefroi · · Score: 1

      So, pretty much like any company ever, then?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
  6. Well On The Bright Side by Greyfox · · Score: 4, Funny

    After it can't boot anymore, Windows is WAY more secure than it was. Really, you could say they're doing a GREAT job of keeping your system free of viruses!

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  7. Not False Positive by Anonymous Coward · · Score: 1

    It found NSA malware hidden code in .dll files

  8. Checksum and recheck by DigiShaman · · Score: 1

    This is a solved problem. For performance, scan all system files with an MD5 checksum and flag all suspects (but don't do anything yet). Scan multiple files at once, multithreaded, for extra performance. Now, go back and rescan all suspect files with SHA-1 or SHA-256 to validate any potential false positives that may have been flagged from the previous MD5.

    --
    Life is not for the lazy.
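
The summary above notes that vendors keep allowlists of OS files to avoid exactly this kind of false positive, and the comment above sketches a two-stage scan (cheap MD5 pass, SHA-256 confirmation of suspects). The following is an added example that puts both together; it is not Webroot's code, nor any vendor's. The file contents, the signature database and the allowlist are all constructed stand-ins, and the `scan` function, the verdict names and the paths are this example's own assumptions.

```python
"""Two-stage hash scan with an OS-file allowlist (added example; constructed data)."""
import hashlib
from concurrent.futures import ThreadPoolExecutor

# Constructed sample "files" (path -> contents); a real scanner reads them from disk.
SAMPLE_FILES = {
    r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00 constructed svchost stand-in",
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00 constructed kernel32 stand-in",
    r"C:\Users\alice\Downloads\invoice.exe": b"MZ\x90\x00 constructed dropper stand-in",
    r"C:\Users\alice\Downloads\notes.txt": b"plain text, nothing to see here",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: cheap MD5 key -> confirming SHA-256 value.
# Entry 1 correctly fingerprints the dropper.
# Entry 2 carries svchost's MD5 but a SHA-256 that matches nothing: a stale or
# mistaken definition that the confirmation stage should clear.
# Entry 3 fingerprints kernel32.dll exactly: a definition that is simply wrong
# about a legitimate OS file, which only the allowlist can catch.
MALWARE_SIGS = {
    md5_hex(SAMPLE_FILES[r"C:\Users\alice\Downloads\invoice.exe"]):
        sha256_hex(SAMPLE_FILES[r"C:\Users\alice\Downloads\invoice.exe"]),
    md5_hex(SAMPLE_FILES[r"C:\Windows\System32\svchost.exe"]): "0" * 64,
    md5_hex(SAMPLE_FILES[r"C:\Windows\System32\kernel32.dll"]):
        sha256_hex(SAMPLE_FILES[r"C:\Windows\System32\kernel32.dll"]),
}

# Constructed allowlist of known-good OS files, keyed by SHA-256.
OS_ALLOWLIST = {
    sha256_hex(SAMPLE_FILES[r"C:\Windows\System32\svchost.exe"]),
    sha256_hex(SAMPLE_FILES[r"C:\Windows\System32\kernel32.dll"]),
}

CLEAN, CLEARED, REVIEW, QUARANTINE = "clean", "cleared", "review", "quarantine"


def scan(files, sigs=MALWARE_SIGS, allowlist=OS_ALLOWLIST, workers=4):
    """Return {path: verdict}. Nothing is quarantined on the MD5 pass alone."""
    paths = list(files)
    # Stage 1: cheap MD5 over every file, hashed in parallel; only collect suspects.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        fast = dict(zip(paths, pool.map(lambda p: md5_hex(files[p]), paths)))
    verdicts = {p: CLEAN for p in paths}
    suspects = [p for p in paths if fast[p] in sigs]
    # Stage 2: SHA-256 only on suspects, then consult the OS allowlist before acting.
    for p in suspects:
        strong = sha256_hex(files[p])
        if strong != sigs[fast[p]]:
            verdicts[p] = CLEARED      # MD5 hit, strong hash disagrees: drop it
        elif strong in allowlist:
            verdicts[p] = REVIEW       # definition fingerprints a known OS file: escalate, never auto-quarantine
        else:
            verdicts[p] = QUARANTINE   # confirmed, not allowlisted
    return verdicts


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_FILES).items():
        print(f"{verdict:10} {path}")
```

The second stage only helps when the cheap hash and the confirming hash disagree; a definition that exactly fingerprints a legitimate file passes both, so the allowlist check is the piece that actually prevents an OS file from being quarantined, and it should route such hits to a human rather than silently ignoring them.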
    1. Re:Checksum and recheck by bill_mcgonigle · · Score: 1

      Sounds like he's talking about md5 collisions. But that's not the cause of AV false flags.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Checksum and recheck by godefroi · · Score: 1

      Yes, multithread that file scan! That way, both your disk *and* your CPU can be pegged full-time, and any potential viruses won't have any CPU time or IO available to do anything nefarious!

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
  9. Another day in the Windows world by OneHundredAndTen · · Score: 4, Insightful

    Windows users are probably used to this kind of nonsense by now.

  10. Not the first time this has happened. by harperska · · Score: 1

    The company I was working at in 2010 was effectively shut down for a day when McAfee flagged and quarantined svchost.exe.

    http://www.theregister.co.uk/2...

  11. It has to be said... by hyades1 · · Score: 1

    "Users of Webroot's endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious."

    If the files in question are from Win 10, then it's pretty much a case of Webroot just doing its job.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  12. Reasons for not Microsoft by DrYak · · Score: 3, Informative

    In the era of Microsoft's own AV, there is no need for a third-party AV installed on Windows.

    Nope, quite the contrary: there IS need for third parties too.

    The more diverse the antivirus landscape is, the more AVs a virus writer needs to test their creations against.
    Avoid monoculture!
    It's harder when a virus needs to go unnoticed by all of Microsoft AV, Kaspersky AV, Avira, F-Prot, Clam, etc. rather than only the first one on the list.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Reasons for not Microsoft by michaelwigle · · Score: 4, Funny

      Yup, that's why I install all of them at once! No virus is gonna get me (because my system won't boot)... :P

      P.S. I agree. Diverse 3rd party products do help make the bad guys job harder.

  13. Re: Gahh by kurkosdr · · Score: 1

    Which means the solution lies in whitelisting (aka signed exes with the signature given out to identified devs, much like Windows does) coupled with tight sandboxing and an ask-permissions-for-anything policy for the non-whitelisted stuff (Windows doesn't do that unfortunately) plus the usual warnings.

  14. Re: Gahh by godefroi · · Score: 1

    Windows *does* do that; it asks permission for anything you don't have rights to do. I don't use MacOS a lot, but it seemed to be very similar to how OSX did/does it.

    Now, if you meant "ask permission to execute any .exe not on the whitelist", then yeah, I don't know of any OS that does *that*.

    --
    Karma: Poor (Mostly affected by lame karma-joke sigs)
  15. Re: Gahh by EndlessNameless · · Score: 1

    tight sandboxing and an ask-permissions-for-anything policy for the non-whitelisted stuff

    This is the correct answer only if you are a competent IT admin.

    But Webroot doesn't sell to enterprises. Or if they do, no one I know has ever bought them. Webroot sells to home users who know jack.

    Home users will never have a viable means of addressing malware unless the device, OS, and applications are all managed for them. Expert users despise walled gardens, but they are the only real hope for most of the population.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.