That was just an example above for future reference.
Best answer by DanP
Changing the setting to Block will not cause the PUA to be removed, quarantined, nor will it trigger a rollback to restore any changes made by the PUA. The Rollback really can only be done, as far as I know, under supervision of Webroot Support.
It WILL keep the PUA from running or doing anything further, but it is not a 'good' replacement for proper PUA management (Uninstalling the garbage or stopping it from installing in the first place.)
If I may on this one, based on my understanding...what you say is essentially correct.
But the rollback feature is only available for files set to 'Monitor', but even then a file can either be set to 'Monitor' automatically by WSA based on it being unknown or manually by the user. In either case the 'Monitor' status will cause its activities to be journalled...however, in terms of rollback based on the journalling, only when a file that has been set to 'Monitor' is deemed to be malicious will WSA roll back its activities.
In the case of the user set 'Monitor' status even if the file is deemed to be malicious by WSA (unlikely to happen as WSA would most probably have spotted that before the user intervention) or the user changes the status from 'Monitor' to 'Block' no rollback will occur. Whether or not the Support Team can use the manually initiated journalling by the user is a moot point...and I suggest that it is worth asking someone like Roy or Dan to comment/advise on this point for us all.
Sometimes contacting support can take time. I like having the ability to fix issues on my PC and clients without having to contact support. I understand there can be risks if a necessary program is rolled back, but I'm sure WSA can come up with something to alleviate that issue (rules, ...etc).
EDIT: see below
UPDATE: I did another short test using a program called Focus Writer:
WSA marked as monitor, I open the program...create a doc and saved to desktop, blocked program...scan/delete and during cleanup phase the file that I created disappeared. So WSA doesn't delete the installed files of the program, only what it CREATES after installation. I guess ;P
So if you come across a computer with PUA/riskware/scareware ...etc., I'm glad that I can block, scan/delete, then uninstall the program to know that any changes done to the system (wallpaper change, homepage change, default search changed ...etc) would be rolled back (if the changes were done after installation...I'm not sure if changes during installation are rolled back). I guess a dev would have to answer when the journaling process starts.
Manually setting a file to Monitor would cause the file to be monitored and journaled from the point that the file was set to monitor. Only changes made by that file after it was set to monitor would be journaled and be able to be rolled back.
Monitoring will limit program access. There are several different levels of monitoring that are based on the behavior of the file, so in the case of a file manually set to monitor this would be limited to the behavior of the file after being set to monitor.
I have seen it many a time where a user has googled "SVCHost" and seen somebody has said it's a virus and to remove it. Yes it's a common spoofed filename but it's a legitimate Windows file!
Oh I fully agree with that... Untold damage can, and does, happen.
What I was curious about was simply for the information of advanced users, if the rollback function would be automatically triggered to undo any changes made while the file was in the Monitor status once the file was placed into Block status.
I too have seen WAY too many times when people start removing things that they don't know what it is, or what it does. The number one rule is "If you do not know what it is or what it does, DO NOT TOUCH IT."
I was in grave error above on my first reply then... I did not think the rollback would be automatically triggered. Thank you VERY much for the clarifications.
I know very well to NOT advise a general user to blindly go about blocking files... it is very dangerous if they happen to tag a Windows file... but at the same time I think it important that the more advanced users and members here have a GOOD understanding of it. I did not.....
I am not sure if I have a good understanding now, but at least it is a lot better than where I was yesterday at this time 🙂
And if it is then could the user contact Support and they use the journalled information (held in the dbxxxx.dat files) to initiate a rollback. As if neither of the above occur then there is a question as to what use there is to manually setting a file to 'Monitor'...yes, that will limit activity but in the end that is all if the journalled information cannot be used, etc.
Many thanks in anticipation.
This would trigger a "bad" determination, and rollback, only on the specific machine that has had the file manually marked as "Block".
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back.
But more specifically if I, a user mark a file as 'Monitor', it journals, etc., and then I switch it to 'Block' (the OP asked..."couldn't I theoretically choose 'block' to revert the changes")...I believe that no rollback will or can occur. That is what I would like to confirm, and also...if I have manually generated journals, as per the above method...if they remain on disk...in the appropriate directory, then could Support use them as part of a manually initiated rollback action...if such a thing is even possible?
That's all, my friend... :D