Even automated security tool thinks Redmond's snooping operating system is 'malicious'

Webroot's security tools went berserk today, mislabeling key Microsoft Windows system files as malicious and temporarily removing them – knackering PCs in the process.

Not only were people's individual copies of the antivirus suite going haywire, but also business editions and installations run by managed service providers (MSPs), meaning companies and organizations relying on the software were hit by the cockup.

Between 1200 and 1500 MST (1800 and 2100 UTC) today, Webroot's gear labeled Windows operating system data as W32.Trojan.Gen – generic-Trojan-infected files, in other words – and moved them into quarantine, rendering affected computers unstable. Files digitally signed by Microsoft were whisked away – but, luckily, not all of them, leaving enough of the OS behind to reboot and restore the quarantined resources.

We understand that all versions of Windows were affected by today's gaffe, and that a kill switch within Webroot's systems kicked in to halt the mass quarantining before any major damage was done.

There are official fixes suggested for those using the Home edition and Business edition.

"We understand that this is a consumer and business issue," a Webroot rep confessed on its support forums. "We understand that MSPs will require a different solution. We are currently working on this universal solution now."

Suffice to say, there are a wedge of furious and confused folks on the support boards, with angry IT admins reporting thousands of endpoints going nuts.


Webroot, whose slogan is "smarter cybersecurity," is working on a solution for all. The timing of the file classification blunder couldn't be worse for at least one employee. Gary Hayslip was hired earlier this month as Webroot's chief information security officer, and this can't be a fun first few weeks on the job.

The biz is also looking to hire a senior software engineer for its Windows line. Based on today's kerfuffle, they might want to consider upping the headcount a bit more in this area to ensure that customers don't get hammered in the same way again, in light of February's little snafu that also left Windows users borked.

A Webroot spokesperson told The Reg: "We know how important internet security is to our customers, and the Webroot team is dedicated to resolving the issue. We will provide updates as soon as they are available."


Level 20
Content Creator
Sadly, it is not the first time this has happened. In the past Panda, AVG and Sophos had similar issues flagging Windows files and processes as malware.
Although this is not supposed to happen, we must keep in mind that an AV is not something magical that stops every bad file and lets every safe file run. It is still software made by humans and often enriched with AI to get more automatic detections. Be it an individual human error or an overreacting artificial intelligence detection, it of course should be avoided by testing before releasing, but knowing that there are so many new files and processes that need analysis each minute, each second, it is still something that possibly can go wrong.
It's an annoying mistake, but the fact that this doesn't happen every day proves that AV vendors are doing the best they can to avoid these issues.
It's time for Webroot now to prove how good their customer service is and release a fix as soon as possible, which they already partially did.
I'm not a Webroot user or a fan, but all the ones that are laughing now at Webroot, keep in mind that tomorrow the same thing can also happen with your favorite antivirus. I'm not defending Webroot too much as this error should be avoided at any cost, but no software is 100% bulletproof.