back to article Webroot antivirus goes bananas, starts trashing Windows system files

Webroot's security tools went berserk today, mislabeling key Microsoft Windows system files as malicious and temporarily removing them – knackering countless PCs in the process. Not only were people's individual copies of the antivirus suite going haywire, but also business editions and installations run by managed service …

  1. Tommy Pock
    1. Anonymous Coward
      Anonymous Coward

      Kaspersky No Better

      Nobody measures the downtime due to Kaspersky foul ups vs the protection it gives from viruses that do similar damage.

      Kaspersky encryption has left my laptop unusable SO many times, and it's virus "protection" is laughable.

      1. Sir Runcible Spoon
        Trollface

        Re: Kaspersky No Better

        I'm in two minds on this story.

        On the one hand you have a company borking thousands of Windows machines (do they test their signature packs before delivery?!) - and on the other you have the possibility that the software is actually doing it's job :P

        1. Fred Flintstone Gold badge

          Re: Kaspersky No Better

          Yup, that was my immediate reaction too.

          Webroot's security tools went berserk today, mislabeling key Microsoft Windows system files as malicious and temporarily removing them

          AFAIK that makes it the only anti malware tool actually doing its job :).

          1. handleoclast
            Trollface

            Re: AFAIK that makes it the only anti malware tool actually doing its job

            Ummm, look again at what you quoted from the article:

            Webroot's security tools went berserk today, mislabeling key Microsoft Windows system files as malicious and temporarily removing them

            See that word "temporarily"? It might have been doing a better job than other AV s/w but then it screwed up by not removing the files permanently.

            1. Sir Runcible Spoon

              Re: AFAIK that makes it the only anti malware tool actually doing its job

              " it screwed up by not removing the files permanently."

              You know that putting files into Quarantine doesn't actually delete them, and is normal behavior for AV software?

              1. Anonymous Coward
                Anonymous Coward

                Re: AFAIK that makes it the only anti malware tool actually doing its job

                You know that putting files into Quarantine doesn't actually delete them, and is normal behavior for AV software?

                Yes, quite a shame in this instance, isn't it?

                :)

        2. Anonymous Coward
          Anonymous Coward

          Re: Kaspersky No Better

          The problem is, you need a balanced approach, risk by doing something vs risk by not doing something. This is something my people don't get.

          We had a AV signature update silently delete some of our compiled support EXEs from our build server during the build process (as the guys in charge of AV don't understand what heuristic means). It wasn't spotted by the testers (as it was tested as an upgrade), only when it hit the field, did customers spot that our latest software release wasn't complete, making the company look like idiots. Of course the team in charge of AV, it wasn't THEIR fault, it never is...

      2. TheVogon

        Re: Kaspersky No Better

        "and it's virus "protection" is laughable."

        Could you explain why? I don't use Kaspersky, but it's one of the best at detecting the many zero day nasties I upload to Virus Total.

        1. Anonymous Coward
          Anonymous Coward

          Re: Kaspersky No Better

          A good virus detection program has good positive detection and LOW false positives ratios. Kaspersky fails badly on the later metric, it's also regularly screwing up systems here, deleting important files, and refusing to boot the system. It's extremely invasive, unreliable trash.

          1. TheVogon

            Re: Kaspersky No Better

            "A good virus detection program has good positive detection and LOW false positives ratios. Kaspersky fails badly on the later metric, it's also regularly screwing up systems here, deleting important files, and refusing to boot the system. It's extremely invasive, unreliable trash."

            Thanks for the info. I have experience of Symantec, Sophos, McAfee, and Microsoft amongst others but not that one...

    2. TheVogon

      "meaning companies and organizations relying on the software were hit"

      People use webroot in companies?!

    3. JCitizen
      FAIL

      Never

      I learned a LONG time ago to never use anything made by Webroot again. My new clients keep proving this to me for years now.

  2. Your alien overlord - fear me

    Best type of security - kill the PC on your terms before letting miscreants do it :-0

  3. bombastic bob Silver badge
    Happy

    a crowning moment of AWESOME!

    this made my day! (Shadenfreude)

    Anti-virus is SO overrated.

    "Safe Surfing" works better, In My Bombastic Opinion. That is no MS browsers, aggressively use the 'NoScript' plugin, don't view HTML e-mail as HTML, don't auto-view e-mail attachments, no MS Outlook (aka 'virus outbreak'), and NEVER access the internet or e-mail while logged in with ADMIN privs [unless you're doing a software update with a legitimate source, and then be vewy vewy caweful...]

    It would've been even funnier if MS's anti-virus had caused this

    1. Anonymous Coward
      Anonymous Coward

      Re: a crowning moment of AWESOME!

      That may be a better solution for people with a clue, but even "don't use a Microsoft browser" will confuse some of the masses and "use the 'NoScript' plugin" will confuse almost all of the rest.

      1. Mr.Bill

        Re: a crowning moment of AWESOME!

        The masses should by now no longer be using PCs as a personal connected device - only used in professional/business environments properly locked down and maintained by IT. (not that that would have changed the outcome of this particular situation)

        Thankfully the masses seem to have moved on as shown by the drop in PC sales over the years and prevalence of safer devices like tablets, smartphones and chromebooks.

        1. Infernoz Bronze badge
          Facepalm

          Re: a crowning moment of AWESOME!

          Other devices can be even less safe, especially when the manufacturers or providers fail to provide OS updates, or the OS is provided by spy driven businesses like Google!

          I have Android devices but I seriously restrict what personal content is on them because I expect it to be vulnerable.

    2. Anonymous Coward
      Anonymous Coward

      Re: a crowning moment of AWESOME!

      In many company environments, you CAN'T install whatever you like on a machine assigned to you. And that's a sensible security practice as well.

      1. tiggity Silver badge

        Re: a crowning moment of AWESOME!

        .. and in many company environments (company specified /controlled / deployed) anti virus is mandatory.

        1. Mk4

          Re: a crowning moment of AWESOME!

          And none of the above objections to Bob notes that companies can choose to implement a safe surfing approach. No-one is asking users to be IT experts. I think the suggestion is that IT experts should be the IT experts.

          1. Potemkine Silver badge

            Re: a crowning moment of AWESOME!

            I think the suggestion is that IT experts should be the IT experts.

            Like the ones at Webroot? ^^

            (yeah, easy shot... sorry for pouring water on a drowning person)

          2. Anonymous Coward
            Anonymous Coward

            Re: a crowning moment of AWESOME!

            companies can choose to implement a safe surfing approach

            Only against the obvious NSFW sites. Unfortunately safer-surfing and white-listing won't protect a company from watering hole attacks, and I'd suspect that the main corporate threat is from well organised crims who won't be relying on some dumbo looking at that sort of content.

        2. Infernoz Bronze badge

          Re: a crowning moment of AWESOME!

          Often that horrible resource hog McAfee too for businesses!

      2. Anonymous Coward
        Anonymous Coward

        Re: a crowning moment of AWESOME!

        Not if you are a Software Engineer it is not. It's a pain in the butt.

    3. Infernoz Bronze badge
      Holmes

      Re: a crowning moment of AWESOME!

      I barely tolerate spyware behaviour in Win. 10, because it can be disabled/blocked, but I won't tolerate malware like behaviour in application software, so SRWare Iron instead of the spyware Chrome, LibreOffice instead of Microsoft Office, Firefox instead of Edge, Avast (several false positive plugins disabled) instead of conflict of interest (Chocolatey false positives) Avira etc.!

      I use NoScript, but uMatrix is also useful for protecting multiple browsers, because by default it blocks frames and other sites, and allow selective enabling/disabling of cookies, css, images, plugins, scripts, XHR (XML requests), etc. for each domain and sub-domain, in a drop-down table pane.

      With some sites I even disable images, because they are not essential for the content and mostly used for annoying adverts.

      I will rarely trust/use Microsoft anti-malware because it will allow their OS spyware and may add other malware like behaviour.

    4. Fatman
      Linux

      Re: a crowning moment of AWESOME!

      You forgot the most important recommendation:

      Don't use Windows, PERIOD!!!!!!!

    5. Anonymous Coward
      Anonymous Coward

      Re: a crowning moment of AWESOME!

      "Safe Surfing" works better, In My Bombastic Opinion.

      Yeah, but you look weird in a full body condom, trust me.

  4. a_yank_lurker

    Finally the truth

    So they finally told the truth about 'Bloat that it is the biggest pile of malware, spyware, etc. known.

  5. inmypjs Silver badge

    Second thing to make be laugh today

    1st was on the beeb about lawyers seeking stays of execution for two death row inmates on the grounds of poor health.

    1. Trilkhai

      That actually made sense

      I saw the same BBC headline and was thrown by it until I read the article. Turns out that the request actually makes sense: their health problems (cardiovascular issues, diabetes, extreme obesity, etc.) mean that the sedative to knock them unconscious might not work properly, leaving them to suffer horribly during execution. Witness accounts on whether each did or not are conflicting.

  6. allthecoolshortnamesweretaken

    "The timing of the file classification blunder couldn't be worse for at least one employee. Gary Hayslip was hired earlier this month as Webroot's chief information security officer, and this can't be a fun first few weeks on the job."

    Ooh, I geddit - haze the new guy! Really funny, guys.

    1. Anonymous Coward
      Anonymous Coward

      Not sure the new CISO will G-a-F. If he's doing his job properly then he'll be a million miles from the technical activities that buggered up his company's customers. His job is to protect the information assets of Webroot (intellectual property, employee and customer data) though arguably he'll have less to protect as the existing customers go elsewhere.

  7. Winkypop Silver badge
    Devil

    Webrooted

    Seems they haven't changed much since I last used their software.

  8. noddybollock

    Sounds like the anti-virus prog was working fine, getting rid of the spyware (MS windoze)

  9. anthonyhegedus Silver badge

    Don't use MS browsers? I have a customer who says "but I like it" when referring to Internet Explorer on their windows 10 machine.

    What can I do?

    They're running Norton Antivirus too...

    1. Baldrickk

      Get firefox to show the IE logo and point the shortcut at it?

    2. Anonymous Coward
      Anonymous Coward

      They're running Norton Antivirus too...

      Serious question from a habitual Norton Antivirus user who's sick of it -

      What do folks recommend as a superior and safe alternative?

      / Still on Win 7 (fight the power, etc.)

      // No, Linux is not the superior alternative I'm looking for

      1. K

        Re: They're running Norton Antivirus too...

        For home use?

        I recommend Sophos, they offer the full product (AV, Web Protection etc) for free to home users, including Cloud-based managed.

        As the "family's PC repair man", I have the whole family on this, so I can manage everything from 1 console, including the kids and grand parents!

        1. CrazyOldCatMan Silver badge

          Re: They're running Norton Antivirus too...

          I recommend Sophos, they offer the full product (AV, Web Protection etc) for free to home users, including Cloud-based managed.

          I wondered about using them (but then, I only have one Windows desktop and it only gets used for Word/Excel type stuff) especially as I'm using what used to be called Astao Linux (now Sophos UTM - and even more amazingly, they don't appear to have broken it).

          Sopfos UTM comes with built-in management for the Windows & Mac Sophos AV.

          Mind you, if I think need AV on my Mac, I'd be using clamav..

          1. Anonymous Coward
            Anonymous Coward

            Re: They're running Norton Antivirus too...

            Thank you all - time to change!

        2. Anonymous Coward
          Anonymous Coward

          Re: They're running Norton Antivirus too...

          My advice would be to steer well away from Sophos.

          They have been particularly bad with false positives causing big issues with key software. They managed to take out many of the key apps on all PCs, including their own software updater (which meant that you couldn't easily fix it as you couldn't download an updated definition file).

          It had gone through 5 layers of testing which should have picked up the issue but none managed to spot the problem (let me reiterate, it borked their own software!).

          After that I left them and since then they have had more issues, even towards the end of last year they killed winlogon.exe and disabled PCs. Luckily we had moved on since then.

      2. Rimpel

        Re: They're running Norton Antivirus too...

        Take a look at the current av tests here. I was using Avast but I got fed up of it's nagware, currently I'm using bitdefender (free)

        https://www.av-test.org/en/antivirus/home-windows/windows-7/

        https://www.av-comparatives.org/

        1. Infernoz Bronze badge

          Re: They're running Norton Antivirus too...

          I identified the offending plugins and settings in Avast and disabled them because they really aren't necessary.

      3. Colin Critch

        Re: They're running Norton Antivirus too...

        GData seems good on Windoz 7 and has 2 scanning engines. Also F secure seems to have it's a good set of software.

        Avoid the others

        AVG

        Symantec

        1. Anonymous Coward
          Anonymous Coward

          Re: They're running Norton Antivirus too...

          F Secure have been around a long time, as has been Kaspersky, both with a rather low error count on signatures that nuke your computer's OS. That said, Kaspersky on macOS* is thoroughly disappointing so I can't really recommend it.

          In addition, I recommend a rebuild every year if possible, especially Windows machines appear to accumulate the electronic equivalent of kettle fur and a rebuild speeds them up - just make sure you have all the license codes and passwords and a damn good (tested!) backup before you do it.

          I'm about to do the same on macOS, but that's because it's gone weird after making installing Office 365 (client request, but that project is finished). I won't make that mistake again.

          * Yes, macOS and anti-virus, I believe in facts rather than marketing.

      4. Kiwi
        Boffin

        Re: They're running Norton Antivirus too...

        Serious question from a habitual Norton Antivirus user who's sick of it -

        What do folks recommend as a superior and safe alternative?

        Well. Nothing.

        Seriously. Running nothing would protect you more than Norton!

        If you're looking for paid, and what IME is best overall (as of a couple of years back when I last looked), I would recommend Eset.

        Free.. MS's own program wasn't too bad IME, but I found Avira and Avast better. But one of the two did a lot of advertising. Bit Defender is currently one I like as well (paid or free), largely because of how good their rescue disk was and how not-crap the rest of their system was.

        I've heard good things about Trend Micro and Comodo but have never tried them. I did set up Comodo's firewall at one workplace, and the place never had a problem despite the best efforts of the retard who did most of their filing (I do not have the language to describe how bad this guy was). It was a whitelisting firewall comparable at least to Zone Alarm back then.

        Overall though I recommend Eset, however it has been a while so my information may be out-dated. Part of that is based on the customer service I got from them, which was pretty good.

  10. WibbleMe

    Check Check and Check again!

    1. Anonymous Coward
      Anonymous Coward

      Check Check and Check again!

      That sounds like Microsoft. No, wait,, that's cheque, cheque and cheque again, my bad.

      :)

  11. Ken Hagan Gold badge

    Quarantined *signed* files?

    If WebRoot are aware of a way of faking a signature, perhaps they'd be willing to share this major breakthrough in cryptography that undermines the security of all e-commerce everywhere.

    If not ... it is surely criminally negligent not to whitelist files that are signed by Microsoft.

    1. Richard 26

      Re: Quarantined *signed* files?

      You have a good point but it's not as if compromised certificates and signed malware doesn't happen.

      1. Ken Hagan Gold badge

        Re: Quarantined *signed* files?

        There's a system for compromised certificates and whilst I've heard stories that CAs have been tricked into issuing certificates that say "Microsoft" on the front, I haven't heard stories of rogue certificates that have been counter-signed by Microsoft's own root certs. And unless you (or an AV vendor) can find an instance where this happened, I maintain that the presence of such a signature proves beyond reasonable doubt that the file in question is not malware. Quarantining it is just reckless and proves that the AV vendor doesn't care about trashing your system.

  12. Milton

    But what if we invented the internet all over again

    I've decided that I'll bite: let's ask, What if we invented all this shit now, instead of letting it grow like cancer for the last 30 years?

    A reasonable person might agree that for any device you own:

    1. You'd complete a preferences questionnaire about which private data about yourself you are willing to share, with whom and under what circumstances. So "Share my family photos with everyone" would be a NO, whereas a YES might be "Allow retailer to keep my credit card on file if I click YES for their certified site". "Send loads of usage data including contents of my documents to an OS vendor" would probably be a NO.

    2. A modern anti-malware system would take those preferences into account, and if it were a *true* learning system, would observe that some software tried to appropriate and export data that you don't want it to. It would determine that some software providers were untrustworthy and block access to data, and then disable functionality if necessary. It would be acting according to your express wishes.

    3. In that respect, a product like Webroot is doing exactly what we would want it to: identifying data theft and stopping it.

    If anti-malware software gets clever enough—moves from blind signature-based recognition to a more learning-of-intentions based approach—my guess is that Windows would have to be excluded as an entire unit from any checking, else it would constantly be blocked as malware.

    1. Doctor Syntax Silver badge

      Re: But what if we invented the internet all over again

      "You'd complete a preferences questionnaire about which private data about yourself you are willing to share"

      That's nothing to do with the internet per se, it's to do with all the wide boys setting up businesses and taking advantage of the stupidity of the numpties who use it. The only way of preventing that by re-inventing the internet is to make it too difficult for the numpties to use.

    2. aberglas

      Re: But what if we invented the internet all over again

      There would be no peer to peer networking.

      There would be no such thing as universal email. There would be lots of walled gardens.

      The Telcos would control which sites you could use/visit. Only they would be able to produce servers.

      There would be no anonymous sites or browsing.

      But fortunately, all those things got out of the bag before the MBAs took control.

  13. Doctor Syntax Silver badge

    Nominative determinism?

    Thie name makes Webroot sound like the sort of malware Lenovo might plant on your PC before they sell it to you.

  14. chivo243 Silver badge

    Funnier still...

    Would have been that it only took these actions against Win10...

  15. TRT Silver badge

    Funny, I've always thought...

    it was pronounced "We Brew Tea".

  16. adam payne
    Joke

    "Between 1200 and 1500 MST (1800 and 2100 UTC) today, Webroot's gear labeled Windows operating system data as W32.Trojan.Gen – generic-Trojan-infected files, in other words – and moved them into quarantine, rendering affected computers unstable. Files digitally signed by Microsoft were whisked away – but, luckily, not all of them, leaving enough of the OS behind to reboot and restore the quarantined resources."

    If your going to flag Windows system files you could at least do it correctly and completely brick it. I don't know these companies and their half measures. /sarcasm

  17. JJKing
    Facepalm

    Fanbois rejoyce.

    Don't use Windows, PERIOD!!!!!!!

    So what happens when Linux has the 80% market share of the operating systems. Would that then not make it the largest attack surface for hackers, viruses and malware? What is the war cry then:

    Don't use Linux, PERIOD!!!!!!!

  18. Howard Hanek
    Happy

    Change Their Logo

    ....to a circular firing squad.

  19. Kiwi
    Trollface

    At last!

    Webroot's security tools went berserk today, mislabeling key Microsoft Windows system files as malicious and temporarily removing them

    [..]

    Its software also.. misidentified Facebook .. as phishing .., blocking access to them.

    About time we got some decent, accurate AV and anti-phishing software out there for those poor windows victims!

  20. Boris Winkle

    Gotta love how HSBC are STILL offering webroot when you log into their system (hsbcnet.com) :-

    --

    Webroot SecureAnywhere

    WebRoot Secure Anywhere promotion

    Maximise your security with Webroot SecureAnywhere online protection.

    Webroots

    HSBC has teamed up with Webroot to provide HSBCnet online banking customers exclusive access to download the award-winning SecureAnywhere security software at no charge.

    In addition to advanced anti-virus protection, Webroot SecureAnywhere software uses a number of innovative features and methods to protect your device against sophisticated malware attacks that may go undetected by your standard anti-virus software. This enhanced security helps protect against the threats most prevalent in today’s online environment: phishing e-mails and users visiting websites which automatically download malicious software (or malware). Webroot SecureAnywhere offers:

    protection against highly adaptive and ever-evolving threats using superior malware detection and advanced anti-virus protection;

    a cloud-based delivery that is compatible with existing security applications and ensures you always have the latest protection;

    protection that keeps working even when users are offline.

    To get your complimentary extra protection right away select "Download now". Or, select "Tell me more", for more information about Webroot SecureAnywhere software.

  21. zen1

    goes bananas?

    or really a public service?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like