A bad rule in a temporarily issued Webroot update flagged crucial Windows system files as malware and caused chaos for Webroot customers

Credit: Thinkstock

A Webroot antivirus signature update, which was supposedly live for only 13 minutes yesterday afternoon, flagged crucial Windows system files as malicious, causing chaos and 15 pages of customer complaints so far.

The havoc began after Webroot flagged some Windows system files as the malware Win32.Trojan.Gen and moved key system files to quarantine. As legit files were shuffled around, thousands upon thousands of Webroot customers experienced OS errors or crashed Windows systems.

Individuals with home editions, as well as managed service providers (MSP) running business editions, took to Twitter and Webroot forums to express their displeasure. Tier one customer support personnel probably wanted to tear their hair out.

At the same time that Windows was flagged as malicious, Webroot started blocking access to valid websites such as Facebook and Bloomberg.

Proper respect to @Webroot for calling it like it is. pic.twitter.com/kQJrQBDzKW
— ﷺ HavenLabs ﷺ (@HavenLabs) April 25, 2017

After the bad detection rule was live for 13 minutes, anonymous security tweeter SwiftOnSecurity said a Webroot system kill switch kicked in to stop the anomalous detections. Even though files signed by Microsoft had been moved, there were enough Windows files left to allow systems to boot and to restore quarantined files.

Webroot, which has previously claimed that it has about 3 million customers, proposed a false positive fix for small business customers, but many MSPs left unhappy replies.
For example, one MSP commenter asked, “How am I supposed to do this across 3 GSM’s with over 3 thousand client sites?” Another claimed, “As a MSP with over 5600 active licenses, your proposed resolution of manually releasing files from quarantine is a no go.”

At one point yesterday, Webroot started replying to Twitter users with the promise of an upcoming fix, as well as a link to a ransomware presentation. Whether or not that inspired Twitter user Bob Ripley, he tweeted:

@Webroot I seem to have installed a nasty Ransomware app. It’s called Webroot. They already have my money, should I contact the FBI?
— Bob Ripley (@M5_Driver) April 24, 2017

This morning, Webroot issued the following statement:

On April 24, Webroot experienced a technical issue affecting some business and consumer customers. A folder that is a known target for malware was incorrectly classified as bad, and Facebook was classified as a phishing site. The Facebook issue was corrected, and the Webroot team is in the process of creating a comprehensive fix for the false positive issue. In the meantime, small business customers and consumers can follow instructions posted in the Webroot Community to address the issue.

Webroot was not breached, and customers are not at risk. Legitimate malicious files are being identified and blocked as normal. We are dedicated to resolving the issue and will provide updates as they are available in the Community.

For some, a “we’re sorry” won’t cut it. One commenter in the Webroot thread claimed, “My technicians, project managers, and developers have been up all night on this and they still have not slept.”

This is not the first time this year that a Webroot update caused systems to crash. In February, a faulty update caused the dreaded Blue Screen of Death for some customers. After the latest fiasco that is currently still not fully resolved for all MSPs, some customers are claiming on Twitter that they’ve had enough and are kicking Webroot to the curb.
Depending upon how much money they have wrapped up in Webroot as a “smarter cybersecurity” solution, and how many are actual customers instead of trolls, the growls may just be a result of frustration and aggravation.

.@WebrootSupport @Webroot If ya don’t fix deez issues you’ve created for MSPs, I’ma use my 3000 monitored workstations to DDOS your shit.
— Subtle Steve (@subtlesteve1) April 24, 2017

If you know anyone adversely affected by Webroot’s temporarily-issued bad rule, then it might be a good time to steer clear of them or to buy them a drink after their present nightmare ends.