Webroot’s antivirus service accidentally misidentified core parts of Microsoft Windows as threats to the rest of the computer, shutting down thousands of customers’ systems on Monday evening.
Twitter user @SwiftOnSecurity was one of the first to spot the error:
So it seems the fault allowed signed Microsoft files to be removed, but it nonetheless preserved enough of a shell for boot and net AV C&C
— SwiftOnSecurity (@SwiftOnSecurity) April 24, 2017
Webroot confirmed on a support forum that an updated detection rule had wrongly flagged crucial Windows operating system files as malicious, a “false positive.” The software then “quarantined” those files, cutting the rest of the OS off from them and stopping the computers from functioning properly.
While the faulty update was only available for 13 minutes, this was more than enough time to affect tens of thousands of users. Webroot’s help service was then “overloaded” with people demanding that its cloud system restore the inaccessible files.
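The incident described above is a classic quarantine failure mode: a freshly pushed rule fires on validly signed operating-system files and the engine acts on every hit. The following is an added example, not Webroot’s code or anything from the original article, showing the kind of guard a defender would want in front of the quarantine step: hits on vendor-signed files under protected system directories are held rather than quarantined, and a rule that produces several such hits is automatically suspended. The file paths, signer names, rule ids and thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy values (assumptions for this example, not from any real product).
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}
CIRCUIT_BREAKER = 3  # protected-file hits one rule may produce before it is suspended


@dataclass
class Detection:
    path: str
    signer: Optional[str]  # publisher on a valid code signature; None if unsigned/invalid
    rule_id: str           # id of the detection rule that produced the hit


@dataclass
class Outcome:
    quarantined: list = field(default_factory=list)   # paths actually quarantined
    held: list = field(default_factory=list)          # paths held for human review
    suspended_rules: set = field(default_factory=set)  # rules stopped by the breaker


def is_protected(det: Detection) -> bool:
    """A hit is 'protected' if it is a vendor-signed file under a system directory.

    Removing such files is far more likely to be a bad rule than real malware,
    so the gate refuses to act on them automatically.
    """
    return det.path.lower().startswith(PROTECTED_PREFIXES) and det.signer in TRUSTED_SIGNERS


def gate_quarantine(detections: list) -> Outcome:
    """Apply the quarantine gate to a batch of detections, in order."""
    out = Outcome()
    protected_hits = {}  # rule_id -> number of protected files it tried to quarantine
    for det in detections:
        if det.rule_id in out.suspended_rules:
            # Rule already tripped the breaker: hold everything else it produces.
            out.held.append(det.path)
            continue
        if is_protected(det):
            out.held.append(det.path)
            protected_hits[det.rule_id] = protected_hits.get(det.rule_id, 0) + 1
            if protected_hits[det.rule_id] >= CIRCUIT_BREAKER:
                out.suspended_rules.add(det.rule_id)
            continue
        out.quarantined.append(det.path)
    return out


# Constructed sample batch: a new rule that matches core Windows binaries, plus
# an unrelated hit from an older rule that should still be quarantined.
SAMPLE_DETECTIONS = [
    Detection(r"C:\Windows\System32\ntdll.dll", "Microsoft Windows", "rule-new"),
    Detection(r"C:\Windows\System32\kernel32.dll", "Microsoft Windows", "rule-new"),
    Detection(r"C:\Windows\System32\user32.dll", "Microsoft Windows", "rule-new"),
    Detection(r"C:\Users\alice\Downloads\invoice.exe", None, "rule-new"),
    Detection(r"C:\Users\alice\AppData\Local\Temp\dropper.exe", None, "rule-old"),
]

if __name__ == "__main__":
    result = gate_quarantine(SAMPLE_DETECTIONS)
    print("quarantined:", result.quarantined)
    print("held:", result.held)
    print("suspended rules:", result.suspended_rules)
```

With the sample batch, the three signed system files are held, the third hit trips the breaker for `rule-new`, the fourth hit from that rule is held even though it is an unsigned download, and only the hit from `rule-old` is quarantined. A real engine would also stage a new rule to a small canary population before a global push, which is the other control the 13-minute window above argues for.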
Some users first noticed the glitch when Facebook was mistakenly flagged as a “high-risk site,” a warning usually displayed for websites that attempt to steal visitors’ identities.
— Billy Rountree (@TreeBilliam) April 24, 2017
Users took to Twitter to complain about the glitch, including many managed service providers (MSPs), who were using Webroot to help manage the security of their own clients’ computers.
@Webroot Any update on a fix for MSPs? I've got well over 1,000 devices affected by this.
— Pat Moore (@DueMarauder) April 24, 2017
“How am I supposed to do this across 3 GSM’s with over 3 thousand client sites????? NOT GOOD ENOUGH,” user jhartnerd123 said on Webroot’s own forums regarding the solution that they had proposed.
Webroot has said that it does not believe it was hacked.