create an override for _all_ unknown files?

  • 1 October 2013
  • 2 replies

Userlevel 2
We have several files on our systems which are unknown to WSA - Unknown processes are monitored so changes can be reversed.
 
Main question:
a) Is it advised to have really _all_ unknown files marked either as bad or good?
 
Additional questions:
b) Is the monitoring based on login session and will initial start on every reboot?
c) The list with unknown files in the webconsole is showing only the first "arriving" on the unknown file.
What happens when Webroot trusts that file - will this file then be also trusted in the reports?
d) How can I aggregate the list of unknown files so I see how many times an unknown file is stored on our WSA protected systems?
 
Maybe some of the experts can give me some explanations.
newmy

2 replies

Userlevel 5
a) Ideally, you'd want to have all your files as either bad or good; however, with new files there is no harm in having them as unknown, as that will trigger WSA to keep track of it to see if no bad behaviour is coming off it.
 
b) Monitoring should be for all login sessions as WSA is running as a service, rather than being started by the session.
 
c) If a file is marked as either good or bad it no longer is unknown and should therefore not appear as unknown in any of the reports.
 
d) Unfortunately none of the reports list how many times an unknown file has been seen on your systems. It's a good idea, so I suggest you create a feature request (https:///t5/ideas/v2/ideaexchangepage/blog-id/ent4/) out of it.
 
Please let us know what other questions you might have, we're always happy to answer them.
Userlevel 7
@ wrote:

d) Unfortunately none of the reports list how many times an unknown file has been seen on your systems. It's a good idea, so I suggest you create a feature request out of it.
 
I think this feature request is asking for the same thing. If you support it, please add your kudos. 🙂
