Antivirus Webroot Deletes Windows Files, Causes Serious Problems For Users (pcworld.com)
Users of Webroot's endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious. From a report: The reports quickly popped up on Twitter and continued on the Webroot community forum -- 14 pages and counting. The company came up with a manual fix to address the issue, but many users still had problems recovering their affected systems. The problem is what's known in the antivirus industry as a "false positive" -- a case where a clean file is flagged as malicious and is blocked or deleted. False positive incidents can range in impact from merely annoying -- for example, when a program cannot run anymore -- to crippling, where the OS itself is affected and no longer boots. The Webroot incident falls somewhere in the middle because it affected legitimate Windows files and sent them to quarantine. This is somewhat unusual because antivirus firms typically build whitelists of OS files specifically to prevent false positive detections.
Not exactly big news. (Score:5, Funny)
I'm sure all three users were massively upset though.
Re: (Score:1)
And Webroot isn't exactly wrong either. ;)
I'd spin this as "BrickerBot for Windows" and bask in the praises of Slashdot.
Re: (Score:2)
McAfee has done something like this before [zdnet.com]. As I recall, it impacted Intel.
Is there a problem? (Score:5, Funny)
> the program started flagging Windows files as malicious
I don't see the problem. Works well.
Re:Is there a problem? (Score:5, Insightful)
Re: (Score:2)
You beat me to it; now if only it went the whole hog and forcibly installed an upgrade to Linux or BSD.
Flags Windows as malicious (Score:4, Funny)
Re: Gahh (Score:2)
Re: (Score:2)
Windows *does* do that; it asks permission for anything you don't have rights to do. I don't use MacOS a lot, but it seemed to be very similar to how OSX did/does it.
Now, if you meant "ask permission to execute any .exe not on the whitelist", then yeah, I don't know of any OS that does *that*.
Re: (Score:2)
> tight sandboxing and an ask-permissions-for-anything policy for the non-whitelisted stuff
This is the correct answer only if you are a competent IT admin.
But Webroot doesn't sell to enterprises. Or if they do, no one I know has ever bought them. Webroot sells to home users who know jack.
Home users will never have a viable means of addressing malware unless the device, OS, and applications are all managed for them. Expert users despise walled gardens, but they are the only real hope for most of the population.
False positive or truly negative? (Score:1)
Are they sure those Windows files weren't malicious? Just because they belong to the OS doesn't mean they should automatically be trusted, especially in Windows.
Every Antivirus has done this. (Score:5, Insightful)
Re: (Score:2, Insightful)
including microsoft's.
and, btw, microsoft did not "make their own".
they bought rav from gecad in '03, and giant antispyware in '04. those turned into onecare (later mse) and defender, respectively.
this is what they do: buy other companies or other companies' technologies; and failing that, copy someone else's idea or product or poach their employees to recreate them.
Re: (Score:2)
Denial is not just a river in Egypt.
* List of mergers and acquisitions by Microsoft [wikipedia.org]
* Microsoft's "Innovations" [dwheeler.com]
Re: (Score:2)
Re: (Score:2)
> they bought rav from gecad in '03, and giant antispyware in '04. those turned into onecare (later mse) and defender, respectively.
Yup, those were Microsoft Acquisitions [wikipedia.org] #72 and #77, respectively.
Re: (Score:2)
So, pretty much like any company ever, then?
Reasons for not Microsoft (Score:4, Informative)
> In the era of Microsoft's own AV, there is no need for a third-party AV installed on Windows.
Nope, quite the contrary: there IS a need for third parties too.
The more diverse the antivirus landscape is, the more AVs a virus writer needs to test their creations against.
Avoid monoculture!
It's harder when a virus needs to go unnoticed by all of Microsoft AV, Kaspersky AV, Avira, F-Prot, Clam, etc. rather than only the first one on the list.
Re:Reasons for not Microsoft (Score:5, Funny)
P.S. I agree. Diverse 3rd party products do help make the bad guys' job harder.
Re: (Score:3)
> In the era of Microsoft's own AV, there is no need for a third-party AV installed on Windows.
Not according to Microsoft. They say that Defender is intended as a fallback to provide some level of protection when no other antivirus is installed. It is not intended to provide full anti-malware protection.
Well On The Bright Side (Score:5, Funny)
Not False Positive (Score:1)
It found NSA malware hidden code in .dll files
Re: (Score:2)
Re: (Score:2)
Sounds like he's talking about md5 collisions. But that's not the cause of AV false flags.
Re: (Score:2)
Yes, multithread that file scan! That way, both your disk *and* your CPU can be pegged full-time, and any potential viruses won't have any CPU time or IO available to do anything nefarious!
Another day in the Windows world (Score:5, Insightful)
In other news (Score:1)
Microsoft announced today the acquisition of the Webroot Antivirus program in order to incorporate its detection technology into Microsoft Defender. Steve Ballmer is quoted as saying, "No one fucks with our users, well...except for us, and this provides an excellent means by which to do so."
Not the first time this has happened. (Score:2)
The company I was working at in 2010 was effectively shut down for a day when McAfee flagged and quarantined svchost.exe.
http://www.theregister.co.uk/2... [theregister.co.uk]
It has to be said... (Score:2)
"Users of Webroot's endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious."
If the files in question are from Win 10, then it's pretty much a case of Webroot just doing its job.