An antivirus service used by tens of thousands of businesses and millions of home users shut down an untold number of computers around the world Monday after it mistakenly identified core parts of Microsoft Windows as threats, the company confirmed.
Webroot Inc. of Broomfield, Colorado, didn’t immediately respond to a request for comment. But it confirmed on its support forum for customers that it issued an updated detection rule that “identified false positives” for critical Windows operating files Monday afternoon, resulting in those files’ being “quarantined” and inaccessible to Windows.
@SwiftOnSecurity, an anonymous but well-respected tech security Twitter account, reported that it appeared that the rule somehow allowed genuine “signed Microsoft files to be removed.”
The rule was distributed and applied by Webroot systems around the globe for about 13 minutes, the company said — long enough for businesses, users and administrators to find their files unavailable. Webroot reported serving about 30 million customers last year.
“The rule was removed and we are in the process of rolling back all of the false positives that reside in the Webroot Threat Intelligence platform,” the company said.
To make matters worse, Webroot’s own systems became “overloaded” by a mammoth backlog of customers’ requests to restore affected files from its cloud servers, it said.
The glitch first manifested itself as customers complained that Webroot was mistakenly flagging Facebook.com as a dangerous identity-phishing site.
The company said Monday night that it had resolved that problem. But at 10:40 p.m. ET, Webroot said it was still working to resolve the larger issue “and will keep you updated as soon as more information becomes available.”
The company said it had ruled out the possibility that it had been the target of hackers.
Webroot’s customers — including numerous so-called managed service providers, or MSPs, which use Webroot to manage security for multiple clients of their own — flooded social media to complain.