False positive putsch: Webroot AV cant tell friend from foe

Webroot antivirus recently went off the reservation and started labelling friends as enemies. On 24 April, Webroot security tools were spotted red-flagging Windows files. Webroot antivirus started treating system data as Trojan-infected files and moving it into quarantine, a common step for an antivirus to take when it discovers a file it labels as infected.

The act of taking key data to quarantine would then cause the affected computers to become unstable. Though the mistake supposedly only lasted for 13 minutes, unhappy users quickly took to social media to complain of downed servers, business apps and computers.

One unidentified user told Ars Technica that the false positive had isolated several hundred files from Windows Insider Preview and hundreds of “line of business” apps.

The AV also turned against Facebook and Bloomberg, labelling the popular social media platform and the financial news outlet as phishing sites and blocking them.

A kill switch within Webroot stopped any further harm being done. While it is not known how many were affected, Webroot claims to have 30 million users.

Webroot issued a statement to SC Media UK, confirming that on 24 April, “A folder that is a known target for malware was incorrectly classified as bad, and Facebook was classified as a phishing site.”

Webroot is actively fixing the problems, according to the statement: The Facebook issue has been corrected and “the Webroot team is in the process of creating a comprehensive fix for the false positive issue.” The statement added that Webroot itself was not breached and customers are not at risk.

This is not the first time an antivirus has gone rogue, according to Morey J Haber, vice president of technology at BeyondTrust. He told SC Media UK, “Webroot's antivirus problems follow a long line of antivirus signature and engine problems that have caused issues from McAfee to Symantec and almost every other leading vendor.”

The balance between detection, action and false positives is a fine one: “When the balance shifts to detect a new threat, or a mistake is made providing too broad of detection, then the results can impair availability and runtime,” said Haber.

This Webroot incident will soon be lost amid a sea of other such cases: “Webroot is just another vendor in the list of security solutions gone awry and this blip in their performance will be forgotten quick enough if they can respond and adapt quickly with their solution, quality control, and the threat landscape.”
