Solved

Webroot Journaling and Remediation/Rollback

  • 27 July 2023
  • 4 replies
  • 100 views

Hello,

 

I have been using Webroot for quite a while, and while going through the notes and news about the product I came across one of Webroot's features, “Pseudo Execution”, and can’t understand the concept clearly.

  1. Pseudo execution is the feature of Webroot that runs when a file/code entering the system is unknown to the Webroot database.
  2. Will the unknown file be executed partially in the system, or in a sandbox?
  3. How is the journaling done, and how are the logs stored?
  4. If the file/code turns out to be a good one, the product will whitelist it and allow full execution.
  5. If the file turns out to be malware/ransomware, or something that would harm the system, will it be quarantined or blocked?
  6. If blocked, will the user be notified? Can the user change it from Block to Allow?
  7. What happens to the file after it is kept in quarantine: is it still able to access the files on the system, or is it restricted?
  8. What happens to the files that were affected by the malicious file/code before it was sent to quarantine: will they be rolled back or remediated?

Please help me out with these. Thanks in advance.

 

Regards,

Deepak


Best answer by jhartnerd123 27 July 2023, 21:01


4 replies


Hey @deepak.chow01 

 

I’ll answer your points here.

 

  1. Pseudo execution is where the agent begins to allow the unknown to run, and it starts to watch very closely what the program is doing.
  2. The file is executed in a semi-sandbox (meaning it’s regularly executed on the system but not allowed to access system files/processes).
  3. Journaling and logging are done by the agent itself in a hidden folder on the system.
  4. Once found good, the agent is updated by the cloud to say it’s good, the journaling stops and full execution is permitted.
  5. If found bad, the file is terminated and quarantined.
  6. Yes, the user or admin will be alerted once it is found bad. This usually happens automatically. The user CAN change from “monitor” to “allow” or “block” if the program is still being “monitored.”
  7. Once a threat is detected, its name is changed, it becomes encrypted and it is moved into a quarantine in a hidden folder on the device. No, once it’s bad, it cannot perform any further actions.
  8. If the agent is able to, after a threat is quarantined it will attempt to use its logs/journals to revert any changes made to the system.

Some of this is slightly different in terms of user access if you are using the home/commercial product, vs a business version. But the agent itself functions the same.

Hope this helps

Cheers

John H
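As an added illustration of the monitor, journal, verdict, quarantine/rollback flow described in the answer above: the following is example code written for this page, not Webroot's code, and nothing about the real agent's on-disk journal layout, quarantine naming or encryption is taken from it. The `ChangeJournal` class, the `quarantine` helper and the `simulated_unknown_process` that plays the part of an unknown binary are all assumptions; the quarantined bytes are scrambled with a random one-time pad purely so the file is inert and unrecognisable by name, not as a model of Webroot's scheme.

```python
"""Toy model of monitor -> journal -> verdict -> quarantine / rollback.
Hypothetical example written for this thread; not Webroot's implementation."""
import hashlib
import secrets
import shutil
import tempfile
from pathlib import Path


class ChangeJournal:
    """Keeps the pre-image of every file a monitored process is about to touch,
    so its changes can be reverted if the process is later judged malicious.
    (Assumed design: a real agent would capture writes at the driver level.)"""

    def __init__(self, journal_dir):
        self.dir = Path(journal_dir)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.entries = []  # ordered: first modification first

    def before_write(self, target):
        target = Path(target)
        entry = {"target": target, "preimage": None}  # None: file did not exist yet
        if target.exists():
            pre = self.dir / f"{len(self.entries):06d}.pre"
            shutil.copy2(target, pre)  # snapshot the original bytes and metadata
            entry["preimage"] = pre
        self.entries.append(entry)

    def rollback(self):
        """Verdict 'bad': undo changes in reverse order; returns entries reverted."""
        reverted = 0
        for e in reversed(self.entries):
            if e["preimage"] is None:
                if e["target"].exists():
                    e["target"].unlink()  # file was created by the process: remove it
            else:
                shutil.copy2(e["preimage"], e["target"])  # file was modified: restore it
            reverted += 1
        self.entries.clear()
        return reverted

    def discard(self):
        """Verdict 'good': stop journaling and drop the stored pre-images."""
        self.entries.clear()
        shutil.rmtree(self.dir, ignore_errors=True)


def quarantine(sample, qdir):
    """Move the sample into qdir under a hashed name and XOR it with a random pad,
    so it can neither execute nor be found by its original name. The pad is kept
    beside it only so a false positive can be restored later (assumed design)."""
    sample, qdir = Path(sample), Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    data = sample.read_bytes()
    pad = secrets.token_bytes(len(data))
    scrambled = bytes(a ^ b for a, b in zip(data, pad))
    name = hashlib.sha256(str(sample).encode()).hexdigest()
    (qdir / name).write_bytes(scrambled)
    (qdir / (name + ".pad")).write_bytes(pad)
    sample.unlink()
    return qdir / name


def simulated_unknown_process(journal, victim_files):
    """Stand-in for an unknown binary under monitoring: overwrites each document
    with junk and drops a ransom note. Every write is journaled first."""
    for f in victim_files:
        journal.before_write(f)
        f.write_bytes(secrets.token_bytes(32))
    note = victim_files[0].parent / "README_RANSOM.txt"
    journal.before_write(note)
    note.write_text("your files are encrypted")
    return note


def run_scenario(verdict):
    """Run the monitored process in a scratch directory, then apply the cloud
    verdict ('good' or 'bad'). Returns what a practitioner would check."""
    root = Path(tempfile.mkdtemp())  # constructed sample environment
    docs = root / "docs"
    docs.mkdir()
    originals = {docs / "a.txt": b"quarterly report", docs / "b.txt": b"customer list"}
    for path, content in originals.items():
        path.write_bytes(content)
    sample = root / "unknown.exe"
    sample.write_bytes(b"MZ fake binary")  # constructed, not a real executable

    journal = ChangeJournal(root / ".journal")
    note = simulated_unknown_process(journal, list(originals))
    tampered = all(p.read_bytes() != c for p, c in originals.items())

    if verdict == "bad":
        quarantine(sample, root / ".quarantine")
        reverted = journal.rollback()
    else:
        journal.discard()
        reverted = 0

    return {
        "tampered_during_monitoring": tampered,
        "reverted": reverted,
        "restored": all(p.read_bytes() == c for p, c in originals.items()),
        "note_removed": not note.exists(),
        "sample_still_present": sample.exists(),
    }


if __name__ == "__main__":
    print("bad verdict:", run_scenario("bad"))
    print("good verdict:", run_scenario("good"))
```

The point the example makes is the one in item 8 above: rollback only works for changes the journal saw, which is why the "semi-sandbox" has to capture every write from the moment the unknown starts, not from the moment the verdict arrives. Here the simulated process calls the journal voluntarily, which is an assumption; the real agent has no such cooperation from malware and must intercept writes itself.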




Great job @jhartnerd123 

 

 


This is a 6-year-old video, and Webroot continues to improve its detection and client protection!

 

 

Good explanation, @jhartnerd123.

May I also add that while any unknown process is being monitored, all sensitive and personal data is also fully protected from its prying eyes. This, I believe, is done by the Privacy Shield, which can be viewed in the GUI page by going to the right hand panel and clicking “Privacy Protection”.

(Please correct me, any moderator, if I got any detail here wrong!)

--------------------------------
