It is a good thing when an antivirus is effective. But it can be bad when it becomes so aggressive that it flags even harmless files.
This is what is happening with the Webroot antivirus on Windows. The program reportedly started flagging several Windows system files as malicious, causing problems ranging from minor annoyance to serious system breakage.
It's another security incident involving Windows. Earlier this month, security experts warned about hackers using MS Word to spread malware.
Webroot Flags Windows Files As Malicious
Incident reports started to flood Webroot's community forum. After a signature update, Webroot began flagging several Windows system files as malicious. The program identified the files as W32.Trojan.Gen.
The name denotes a generic detection for a Trojan, a form of malicious program disguised as legitimate software. A Trojan can do several harmful things to a computer, from installing pop-up advertisements to deleting or stealing files. Because Win32 Trojan Gen behaves as both spyware and a virus, the best way to remove it is to use antivirus and anti-malware software.
Which is what Webroot is. Unfortunately for Windows, even its harmless files were targeted.
This case is called a "false positive." It happens when a "benign" file is tagged as malicious by the antivirus program's broad detection. The usual response is to block or delete the file, which for a system file can cause serious problems. To prevent this, antivirus software typically keeps a "whitelist" of files that are deemed important and/or safe.
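The whitelist mechanism described above, as an added example that is not part of the original article and not Webroot's or any vendor's code: a toy scanner in Python with a deliberately broad signature, plus an allowlist keyed on file content hashes that suppresses the match for known-good system files. The signature pattern, file bodies, paths and hashes are all constructed for the example. It also goes one step beyond the article by showing why the allowlist is keyed on hash rather than path: a modified system file, or malware dropped under a system-looking path, still gets quarantined.

```python
"""Toy model of generic signature detection with a hash-keyed allowlist.

Every signature, file body, path and hash here is constructed for this
example; none of it is Webroot's or Microsoft's own data.
"""
import hashlib
from typing import Dict

# A deliberately broad byte pattern standing in for a generic "W32.Trojan.Gen"
# style rule. Constructed for the example; it is not a real detection rule.
GENERIC_PATTERN = b"CreateRemoteThread"

# Constructed sample files, keyed by made-up paths. The system DLL and the
# dropper both contain the broad pattern, so the signature alone cannot tell
# them apart; the third entry is the dropper's bytes under a system-looking path.
SYSTEM_DLL = r"C:\Windows\System32\example_system.dll"
DROPPER = r"C:\Users\user\Downloads\dropper.exe"
DROPPER_RENAMED = r"C:\Windows\System32\example_helper.dll"

SAMPLE_FILES: Dict[str, bytes] = {
    SYSTEM_DLL: b"MZ\x90\x00 legitimate loader stub ... CreateRemoteThread ... end",
    DROPPER: b"MZ\x90\x00 CreateRemoteThread ... decode payload ... connect out",
}
SAMPLE_FILES[DROPPER_RENAMED] = SAMPLE_FILES[DROPPER]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist is keyed on content hash, never on path: a tampered system
# file, or malware dropped under a trusted-looking path, will not match it.
ALLOWLIST = {sha256(SAMPLE_FILES[SYSTEM_DLL])}


def matches_generic_signature(data: bytes) -> bool:
    return GENERIC_PATTERN in data


def classify(data: bytes) -> str:
    """Return 'clean', 'allowlisted' or 'quarantine' for one file body."""
    if not matches_generic_signature(data):
        return "clean"
    if sha256(data) in ALLOWLIST:
        # Known-good file: suppress the false positive instead of quarantining.
        return "allowlisted"
    return "quarantine"


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every file; the path is reported but plays no part in the verdict."""
    return {path: classify(data) for path, data in files.items()}


def tamper(data: bytes) -> bytes:
    """Flip the last byte, leaving the generic pattern intact (a modified system file)."""
    return data[:-1] + bytes([data[-1] ^ 0xFF])


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_FILES).items():
        print(f"{verdict:12} {path}")
    print(f"{classify(tamper(SAMPLE_FILES[SYSTEM_DLL])):12} {SYSTEM_DLL} (tampered)")
```

Running the block prints one verdict per constructed file: the genuine system DLL is reported as allowlisted even though it matches the broad pattern, while the dropper is quarantined under both its original and its system-looking path, and the tampered copy of the system DLL is quarantined because its hash no longer appears in the allowlist. In a real product the allowlist would be populated from vendor-signed catalogs rather than a hard-coded set, but the decision logic is the same.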
Webroot Addresses The False Flags
In the forum, Webroot offered several fixes:
Restore Point. Users running in an Active Directory environment can check the recent restore points on the affected machines, then create a script to roll them back to a time before the issue.
Access to Client (agents MUST be in an unmanaged policy). If users can access the affected client machines and launch the Webroot GUI, they can restore the files from quarantine, which rolls the machine back to before the issue.
Access to Client and reboot into Safe Mode with Networking. Webroot recommends booting into Safe Mode with Networking if access to the affected client is impossible, then opening the Webroot GUI and restoring the files from quarantine, which rolls the machine back to before the issue.
These solutions were not well received by users, who called them merely a "roll back." Business owners who run managed service providers (MSPs) were likewise not pleased.
"How am I supposed to do this across 3 GSMs with over 3 thousand client sites? Not good enough," wrote one poster.
As of this writing, Webroot is still looking for a universal solution for MSPs.
"Webroot has not been breached and customers are not at risk. Legitimate malicious files are being identified and blocked as normal. We continue to work on a comprehensive resolution, but a live fix has been released for the Facebook issue and is propagating through to customers now," wrote Webroot.