Rollback vs remediation

  • 24 October 2013
  • 2 replies

Userlevel 3
I wonder what is the actual difference between these two. I don't have an in-depth knowledge about how they work so I'm not sure if my thinking is correct. I understand that remediation is removing malicious code from a file. Rollback on the other hand doesn't remove the code but instead restores the whole file to its previous state. In some context both of them may seem to be doing pretty much the same thing. What's the real difference between them? Which one is better?

2 replies

Badge +7
Rollback is the term we use to describe the agent's ability to "uninstall" and restore what malware did to the PC. This happens based on a journal that WSA-EP keeps on any unknown process. When an unknown process is monitored, a journal or uninstall script is built by the agent. This captures changes to data files, new files, registry entries, startup tasks, OS changes, etc. When the unknown file is found to be bad, then all of these changes are rolled back.
Remediation is when the agent blocks and quarantines a file. 
Userlevel 7
Rollback as a concept is far superior. Rather than trying to repair a file after the fact, which can leave damage and is only possible in some situations, rollback restores the original and any other changes made to the machine in their entirety.
However, rollback only works if WSA was installed before the infection happened. Webroot licenses tools that will remediate infections against files, but I think you need to contact support in order to leverage them. We've never needed to.
I'll let Webroot provide any additional thoughts.
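To make the distinction concrete, here is a toy change journal with rollback, written as an added illustration for this thread; it is not Webroot's code and says nothing about how WSA-EP actually implements its journal. It assumes a monitored "unknown process" whose file writes and startup-entry changes pass through the journal's hooks (hypothetical `write_file`/`set_startup` names), a Python dict standing in for a registry Run key, and a `quarantine` function for the block-and-quarantine meaning of remediation in the first reply. The `run_scenario(False)` case models the second reply's caveat: malware that ran before the agent was installed left no journal, so rollback has nothing to undo and only the quarantine part takes effect.

```python
import hashlib
import os
import tempfile


class ChangeJournal:
    """Before-images of everything a monitored (unknown) process touches.

    A before-image of None means the object did not exist before the change,
    so rollback deletes it; otherwise rollback restores the saved bytes/value.
    Only changes made through the hooks are captured: anything the process
    did before monitoring started is invisible to the journal.
    """

    def __init__(self):
        self.files = {}    # path -> bytes before first change, or None
        self.startup = {}  # startup entry name -> previous value, or None

    def _snapshot_file(self, path):
        if path in self.files:          # keep the earliest before-image only
            return
        if os.path.exists(path):
            with open(path, "rb") as f:
                self.files[path] = f.read()
        else:
            self.files[path] = None

    # Hooks the monitor invokes on behalf of the unknown process (hypothetical API).
    def write_file(self, path, data):
        self._snapshot_file(path)
        with open(path, "wb") as f:
            f.write(data)

    def set_startup(self, table, name, value):
        if name not in self.startup:
            self.startup[name] = table.get(name)
        table[name] = value

    def rollback(self, table):
        """Unknown file judged bad: undo every journaled change."""
        for path, before in reversed(list(self.files.items())):
            if before is None:
                if os.path.exists(path):
                    os.remove(path)
            else:
                with open(path, "wb") as f:
                    f.write(before)
        for name, before in self.startup.items():
            if before is None:
                table.pop(name, None)
            else:
                table[name] = before
        self.files.clear()
        self.startup.clear()

    def commit(self):
        """Unknown file judged good: keep the changes and drop the journal."""
        self.files.clear()
        self.startup.clear()


def quarantine(path, quarantine_dir):
    """Remediation in the first reply's sense: move the bad file aside, named by hash."""
    os.makedirs(quarantine_dir, exist_ok=True)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    dest = os.path.join(quarantine_dir, digest)
    os.replace(path, dest)
    return dest


def run_scenario(journal_installed_first):
    """Let a fake unknown process damage a host, then quarantine and roll back.

    journal_installed_first=False models malware that ran before the agent
    existed: its changes were never journaled, so rollback cannot undo them.
    """
    work = tempfile.mkdtemp()
    doc = os.path.join(work, "report.docx")
    dropper = os.path.join(work, "evil.exe")
    with open(doc, "wb") as f:
        f.write(b"original report")            # constructed user data
    startup = {"OneDrive": "onedrive.exe"}     # stand-in for a Run key

    j = ChangeJournal()
    if journal_installed_first:
        j.write_file(doc, b"ENCRYPTED")        # "ransom" the document
        j.write_file(dropper, b"MZ...")        # drop a binary
        j.set_startup(startup, "Updater", dropper)  # persistence
    else:  # same actions, applied directly before any journal existed
        with open(doc, "wb") as f:
            f.write(b"ENCRYPTED")
        with open(dropper, "wb") as f:
            f.write(b"MZ...")
        startup["Updater"] = dropper

    # Verdict arrives: bad. Quarantine the dropper, then undo what the journal saw.
    q = quarantine(dropper, os.path.join(work, "quarantine"))
    j.rollback(startup)
    with open(doc, "rb") as f:
        doc_after = f.read()
    return {
        "doc": doc_after,
        "dropper_present": os.path.exists(dropper),
        "quarantined": os.path.exists(q),
        "startup": dict(startup),
    }
```

With the journal in place, `run_scenario(True)` ends with the document back to its original bytes, the dropper quarantined and the persistence entry gone. Without it, `run_scenario(False)` still quarantines the dropper but leaves the encrypted document and the startup entry behind, which is the situation the second reply describes as needing separate remediation tooling.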