Webroot AV leaves Enterprise Customer's PC's Unable to Boot

Zarathustra[H]

As we reported over the weekend, some people are starting to suggest ditching your antivirus software. I'm not sure I agree, but with stories like these on The Register, it's not difficult to understand where they are coming from.

Apparently a bad update from Webroot AV has resulted in client machines BSOD:ing and unable to boot. Webroot has issued a fix that prevents the issue from happening, but there is still no word on how to repair affected machines.

If this happened to me I'd likely be pissed enough to start looking at alternate AV providers.

Webroot released a routine update on Tuesday 31 January, containing general fixes and minor feature enhancements. For most of our millions of customers, the service has run as normal. However, some customers have experienced a problem with the update, so Webroot's 24-hour support team has been working with them directly to remedy this quickly. If you are one of those customers, we sincerely apologize.
 
Ditch it.

There are very few viruses or even malware these days. It's all social engineering, get the target on the phone. Why program something to get around an antivirus when attacking the user directly is so much more effective? The only bad viruses out there these days are crypto and the A/V rarely catches those. Anyway, a backup is the best protection against that.

My other problem with antivirus is the false sense of security it gives. I can't tell you how many times someone has said "but I have Norton/McAfee/Webroot I thought I was protected". You are, but only against the things that those A/Vs know about. Even then, sometimes not.

Want to see my antivirus? *wiggles his click finger*
 
I still prefer Webroot over any other AV, and gladly pay the $5 a year for a three machine license when it's on sale. Webroot uses far less resources than even MSE/Windows Defender. Norton and McAfee have crippled millions more PCs than Webroot ever has, though the new Norton isn't too shabby.
 
Windows Updates has released updates that have caused systems not to boot.
Norton, McAfee and other av programs have also had bad updates. Tis the world we live in. THE SKY IS NOT FALLING, and don't uninstall your av.
Or on second thought please do, I need the work.
 
I stopped using AV nearly a year ago. Waste of resources and time as far as I'm concerned. However, I do still recommend that my mother uses it as she's not as web-savvy as she could be. I still think it has a place for people like her who do their best but just don't have the knowledge and understanding.

Edit: If I do get infected by something, I have the knowledge and experience (and backups) to fix it myself. If my mother got infected she could not do so. That would be the yard stick I would use when recommending use of AV or not.
 
I stopped using AV nearly a year ago. Waste of resources and time as far as I'm concerned. However, I do still recommend that my mother uses it as she's not as web-savvy as she could be. I still think it has a place for people like her who do their best but just don't have the knowledge and understanding.

Edit: If I do get infected by something, I have the knowledge and experience (and backups) to fix it myself. If my mother got infected she could not do so. That would be the yard stick I would use when recommending use of AV or not.
I remove trojans, adware, malware etc from "moms" and "dads" computers all day long. The majority of the world definitely needs av.
 
No AV crowd reminds me of anti-vaxxer crowd.
In the past 11 years I've had exactly zero instances of malware of any sort on my computer. I've run AV for 10 of those years. I don't see the point in paying for something (or getting it free) on my system that uses resources unnecessarily. If at some stage in the future I get infected then, as Ultima99 says, that's on me. However, I've worked in IT for the past 26 years and almost exclusively when I've come across an infected system it has antivirus on it that didn't detect or stop the malware. I would estimate less than 5% of the time has the infected computer had no antivirus on it. The biggest single factor when it comes to infected systems, imo, is end-users who do stupid things.
 
In the past 11 years I've had exactly zero instances of malware of any sort on my computer. I've run AV for 10 of those years. I don't see the point in paying for something (or getting it free) on my system that uses resources unnecessarily. If at some stage in the future I get infected then, as Ultima99 says, that's on me. However, I've worked in IT for the past 26 years and almost exclusively when I've come across an infected system it has antivirus on it that didn't detect or stop the malware. I would estimate less than 5% of the time has the infected computer had no antivirus on it. The biggest single factor when it comes to infected systems, imo, is end-users who do stupid things.

And we can't fix stupid so most end users should definitely have AV. I still even use it myself and you're right, it's quite rare when it is needed, but I still think it's a good idea.
 
And we can't fix stupid so most end users should definitely have AV. I still even use it myself and you're right, it's quite rare when it is needed, but I still think it's a good idea.
Absolutely. I'm just talking about my preferences on my system.
 
I've always run AV since I never know if I'll get tagged for accidentally downloading a hijacked file that's supposed to be legit. Even some emulators can have crap masquerading & showing up on Google before the actual "true" item. I've learned some lessons about being even more thorough with my search & downloading methodology.
 
Windows Defender for the past few years and never had a single issue. And I go to lots of dark scary places online.
 
My old friend Mr. Bucket who knew so much more than me about computers told me years ago matter of factly "I don't use an antivirus."

At the time it blew my mind. But since then I haven't been either. All viruses now come from websites or opening shady files.

Modern antivirus in my mind is uBlock Origin along with other privacy plugins that stop them on the front line, your web browser.

I haven't had a virus that I've known of for years now.

Most AV programs now cause more trouble than good. Endless updates and notifications, taking space in the task bar, stopping good files that you actually want and not catching bad ones.
 
As of right now we've got 3074 clients on WebRoot (well, like 8 short, the Macs don't show up in the report on their own for some reason) and while I can say it's caused a handful of issues, especially on RDP or TS servers, I can't say I've seen WR actually blue screen something. I'm not a fan of the system but it is heads and tails better than Vipre was lol. It won't catch everything but our rate of crypto problems has gone down over the last year, we used to get a good handful (maybe 5-10 a month) but now we get maybe one a month, sometimes zero. I'm still glad we've got it in place for most users tho.

It is funny tho because we also have a few single residential customers, and there is this one old lady that calls in like every 2 weeks because WR is fucking up their PC, but they browse a ton of old websites and old flash and stuff can make WR lock the foreground or block pages or disable things.

I'd say my biggest issue with the platform tho, besides compatibility issues, is that there is no way to remotely delete a quarantined file. Whether a scan nabs a file or a cleaning nabs it, you cannot delete that file unless you do it from the client side. For a system that is so heavily "cloud" based that's just the dumbest thing. And you can't remove old agents from your agent list, it just goes to a deactivated list, which can get large fast if you are cycling a bunch of agents. WebRoot really does not like deleting anything lol
 
I stopped using AV nearly a year ago. Waste of resources and time as far as I'm concerned. However, I do still recommend that my mother uses it as she's not as web-savvy as she could be. I still think it has a place for people like her who do their best but just don't have the knowledge and understanding.

Edit: If I do get infected by something, I have the knowledge and experience (and backups) to fix it myself. If my mother got infected she could not do so. That would be the yard stick I would use when recommending use of AV or not.

That is unless the infection is smart and stays hidden, only logging your internet banking etc. activities without you knowing. Best bet is to ditch using Windows altogether for anything risky.

Having said that, running an antivirus is like having a leaky boat as a rescue boat on your yacht. It may help if the shore is close but most of the time it's just baggage.
 
But using the baggage analogy, especially on most people here at [H], how much baggage does an AV program really take up? Even on some old ass machines we service they don't see av taking up more than a hair of their resources. If you have room for 100 boats already built in, what's the harm in keeping one leaky boat for a just in case situation, it's not like it's running handbrake encodes in the background
 
Apostrophe hell in the title. Should be "Webroot AV leaves Enterprise Customers' PCs Unable to Boot."
 
The problem with people suggesting others not run AV is not taking into account stupid users who NEED SOMETHING. Not perfect, but something is better than nothing.

Myself however, I have not had an AV on my computers in, gosh, going on 6 or more years? Having proper updates and settings, not going to iffy sites and downloading random shit etc and knowing what to look for is really all it takes, since I have dropped AV's, I have never had a single infection. Most users however, even with the best AV in the world, still manage to get something, because no AV can protect from a stupid (and determined) user.
 
That is unless the infection is smart and stays hidden, only logging your internet banking etc. activities without you knowing. Best bet is to ditch using Windows altogether for anything risky.

Stop it. Best bet is to sandbox, VM, an OS when doing things risky. No OS is impervious. I haven't run any virus or malware software in years on my main Windows drive. Haven't been hacked, haven't had ID theft, haven't had passwords hijacked. I keep the risky web limited to a sandbox.
 
But using the baggage analogy, especially on most people here at [H], how much baggage does an AV program really take up? Even on some old ass machines we service they don't see av taking up more than a hair of their resources. If you have room for 100 boats already built in, what's the harm in keeping one leaky boat for a just in case situation, it's not like it's running handbrake encodes in the background
Your old-ass machines must be pretty nice. AV takes a lot of resources on a 2GB machine and makes machines with less ram unusable.
 
I think every AV company has done this at least once. It was McAfee, which we used, when it happened back when I was Helpdesk.
 
If you are one of those customers, we sincerely apologize.
Ah, the good ole BP apology...

 
Anti virus programs won't stop that mom from running that "flash update" that keeps popping up and eventually encrypting her whole pc and demanding money to decrypt.

No, but a good disk image is all you need to repair it and a good AV will save you several other special trips or hours out of your vacation home.

There are many threats to computers and data, users, malware, hackers, refrigerator magnets ...
No one thing protects them from everything and there is no perfect protection but a few basic defenses and a plan for how to recover and return things to an acceptable state is the most you can plan for.



Now, back to the actual article, they are talking about Enterprise systems: you have your infrastructure, maybe a lab which few will worry too much about, and then the production systems. My infrastructure would have some serious backup going on so I wouldn't have any great fear of this hurting me there. Simply restore from backup, apply your fix, and you are back in business. And my production floor is a mix of thin clients (so a virtual machine deployment, too easy to update the base image and push it back out), and the desktops that are affected are the same basic deal, we have a base image and we have backups, take the route that looks fastest/easiest. Enterprise ain't like home systems so you usually have options most home users don't set up for themselves. Hell, a snapshot from storage in many cases can put everything right back into working order and is faster than you can believe.

Then again, a business with a large number of desktops in their Enterprise could be in for a terrible day if their IT guys are weak and didn't plan, or the company ignored recommendations and best practices and won't spend money where they should.
 
The problem with people suggesting others not run AV is not taking into account stupid users who NEED SOMETHING. Not perfect, but something is better than nothing.

Myself however, I have not had an AV on my computers in, gosh, going on 6 or more years? Having proper updates and settings, not going to iffy sites and downloading random shit etc and knowing what to look for is really all it takes, since I have dropped AV's, I have never had a single infection. Most users however, even with the best AV in the world, still manage to get something, because no AV can protect from a stupid (and determined) user.

I don't run AV on my personal machine either, haven't for years.

I have an older laptop that I don't use except for AV work. If someone brings me a machine with a virus or I pick one up because I got stupid for a moment, I just dust off that old laptop, update the OS, update the AV, yank the infected drive and scan and clean that bitch from my laptop. Much easier to clean a virus with an uncompromised OS.
 
I don't run AV on my personal machine either, haven't for years.

I have an older laptop that I don't use except for AV work. If someone brings me a machine with a virus or I pick one up because I got stupid for a moment, I just dust off that old laptop, update the OS, update the AV, yank the infected drive and scan and clean that bitch from my laptop. Much easier to clean a virus with an uncompromised OS.

I have a USB with a bootable AV OS on it for work like that, I also have an extra box with a HDD dock for scanning drives. Never had to use for my own however, always friends/family.
 
Your old-ass machines must be pretty nice. AV takes a lot of resources on a 2GB machine and makes machines with less ram unusable.

We've got one customer, a hospital none the less lol, that has a few dozen terminal machines with some P4's or Athlon era CPU's, 512MB RAM (440 only to the OS), and what I'm sure are cold war era HDD's and they don't notice any slow downs compared to the machines that didn't have WebRoot yet. Honestly, unless you have either multiple AV programs fighting on your system or have processes that are actively monitored and logged I've not seen WebRoot cause slow downs. I hate to say that because I don't like WebRoot and hate defending it but it does its job as good as any other large scale option and is the easiest one to manage, with one glaring quirk. I can't tell you how many times we've removed the software on a few machines for a blind test and all the wrong people complain the AV is slowing their machines down. On modern hardware, short of active monitoring, no AV program should really cause slow downs or tie up a ton of resources. Almost every single time it's a slow down from something else.

Now I have seen it randomly break connections to RD servers but that's not in the scope of this scenario, and we've got a guy that's been able to come up with policies that remedy that so it's simply a matter of 3 mouse clicks to change a policy. And if you have multiple AV programs it can slow things down but having multiples of anything of that nature would. That's like trying to run ShadowProtect Acronis and MR all at the same time, it's just going to make things slow because what it's trying to do
 
By all means, everyone, keep running AV- rely on it. Trust it. Hold it dear. There is no way we can possibly compromise your machines when you've got AV going. No sir. None whatsoever. Packer? What's that? Cat-and-mouse sig-update-definitions-merry-go-round? No such thing. Moving to heuristic based detection? Let me know how it goes.

This post is in no way a joke, nor has anything to do with my experiences behind the curtain at Intel (especially when they acquired McAfee), as an organizer of Defcon, or from any of the other lines of work I've been in.

You're safe.

Everything's fine.
 
Fire extinguisher can't put out an oil refinery catching on fire, guess there's not a single use or practical application for a fire extinguisher, I guess the entire country should just get rid of all fire extinguishers, trust me, I have a huge cyber cock and am also the leading expert on the only way a fire extinguisher could ever be used

See, other people can make stupid arguments too
 
Stop it. Best bet is to sandbox, VM, an OS when doing things risky. No OS is impervious. I haven't run any virus or malware software in years on my main Windows drive. Haven't been hacked, haven't had ID theft, haven't had passwords hijacked. I keep the risky web limited to a sandbox.

Read-only Linux live image is pretty impervious. It would have to be infected from the source.
 