Solved

Manually choosing block in System Control


Userlevel 3
If I install a piece of PUA that is undetected by WSA and set to monitor, couldn't I theoretically choose 'block' to revert the changes of this PUA? If so, this would seem to be a much easier and more thorough way of uninstalling unwanted software (if done right of course).
 
That was just an example above for future reference.

Best answer by DanP 27 October 2014, 16:18

@mar122999 wrote:

Setting to block does initiate a roll back. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.

I guess my question is now: 
When does the journaling start?
Ex: I install a PUA app. Its gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program did after installation.
Thanks!

Journalling should start when an Unknown process enters memory and is Monitored. 
 
Only the changes made by the monitored process will be journalled, so only those changes would be rolled back.
 
Using what you saw  with Focus Writer as an example, journalling and rollback worked as would be expected. The Monitored file was the Focus Writer application file, which created the document, so the change of the created document was rolled back. Since that process did not create the installation files, those files would not be deleted.
 
If you wanted to remove the installation files, you would need to go to Manual Threat Removal, and select the installation file for Focus Writer. If the installer was monitored and journalled, the changes made by the installer would be rolled back.
 
-Dan
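To make the distinction in this answer concrete (journalling records only what a monitored process does after monitoring starts, so rolling back the app does not remove what the installer wrote), here is a small in-memory model. It is an added illustration written for this thread, not Webroot's code, and the paths and process ids in it are constructed.

```python
"""Toy model of per-process change journalling and rollback.

Added illustration, not Webroot's code: it models the behaviour described
in the thread (only writes made by a monitored process, after monitoring
started, are journalled and rolled back) on an in-memory file map.
All paths and process ids below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple


class JournalingFS:
    """In-memory filesystem that journals the writes of monitored processes."""

    def __init__(self) -> None:
        self.files: Dict[str, str] = {}
        self.monitored: Set[int] = set()
        # journal entry: (pid, path, contents before the write; None = file did not exist)
        self.journal: List[Tuple[int, str, Optional[str]]] = []

    def set_monitor(self, pid: int) -> None:
        """Start journalling this process; anything it did earlier is not recorded."""
        self.monitored.add(pid)

    def write(self, pid: int, path: str, data: str) -> None:
        if pid in self.monitored:
            self.journal.append((pid, path, self.files.get(path)))
        self.files[path] = data

    def delete(self, pid: int, path: str) -> None:
        if path in self.files:
            if pid in self.monitored:
                self.journal.append((pid, path, self.files[path]))
            del self.files[path]

    def block(self, pid: int) -> int:
        """Treat the process as bad: undo its journalled changes, newest first.

        Returns the number of journal entries that were rolled back.
        """
        own = [e for e in self.journal if e[0] == pid]
        for _, path, prior in reversed(own):
            if prior is None:
                self.files.pop(path, None)   # file was created by the process: remove it
            else:
                self.files[path] = prior     # file existed before: restore old contents
        self.journal = [e for e in self.journal if e[0] != pid]
        self.monitored.discard(pid)
        return len(own)


INSTALLER, APP = 100, 200  # constructed process ids


def focus_writer_scenario(monitor_installer: bool) -> Dict[str, str]:
    """Replay the Focus Writer test from the thread and return the files left behind.

    With monitor_installer=False only the app is monitored, so blocking it
    removes the document it created but leaves the installed program files.
    With monitor_installer=True the installer is monitored too, so blocking
    it as well (Manual Threat Removal in the thread) removes those files.
    """
    fs = JournalingFS()
    fs.write(0, r"C:\Users\me\Desktop\old.txt", "existing")   # pre-existing user file
    if monitor_installer:
        fs.set_monitor(INSTALLER)
    fs.write(INSTALLER, r"C:\Program Files\FocusWriter\focuswriter.exe", "binary")
    fs.write(INSTALLER, r"C:\Program Files\FocusWriter\unins000.exe", "binary")
    # The app is unknown, so it is set to Monitor when it first runs.
    fs.set_monitor(APP)
    fs.write(APP, r"C:\Users\me\Desktop\notes.txt", "draft")
    fs.write(APP, r"C:\Users\me\Desktop\old.txt", "overwritten")
    fs.block(APP)
    if monitor_installer:
        fs.block(INSTALLER)
    return dict(fs.files)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"installer monitored={flag}:")
        for path, data in sorted(focus_writer_scenario(flag).items()):
            print("   ", path, "=", data)
```

Running it shows the two outcomes side by side: with only the app monitored, notes.txt disappears and old.txt is restored to its earlier contents, while the program files remain; with the installer monitored as well, the program files are rolled back too.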
 


34 replies

Userlevel 7
Hello there, 
 
Changing the setting to Block will not cause the PUA to be removed, quarantined, nor will it trigger a rollback to restore any changes made by the PUA.  The Rollback really can only be done, as far as I know, under supervision of Webroot Support.
 
It WILL keep the PUA from running or doing anything further, but it is not a 'good' replacement for proper PUA management (Uninstalling the garbage or stopping it from installing in the first place.)
Userlevel 7
Hi David
 
If I may on this one, based on my understanding...what you say is essentially correct.
 
But the rollback feature is only available for files set to 'Monitor', but even then a file can either be set to 'Monitor' automatically by WSA based on it being unknown or manually by the user.  In either case the 'Monitor' status will cause its activities to be journalled...however, in terms of rollback based on the journalling, only when a file that has been set to 'Monitor' is deemed to be malicious will WSA rollback its activities.
 
In the case of the user set 'Monitor' status even if the file is deemed to be malicious by WSA (unlikely to happen as WSA would most probably have spotted that before the user intervention) or the user changes the status from 'Monitor' to 'Block' no rollback will occur. Whether or not the Support Team can use the manually initiated journalling by the user is a moot point...and I suggest that it is worth asking someone like Roy or Dan to comment/advise on this point for us all. @DanP @Rakanisheu 
 
Regards, Baldrick 
Userlevel 7
Excellent additional info Baldrick.. Thank You!
Userlevel 7
Hi David, my pleasure but I will feel better as and when either Roy and/or Dan come back to confirm or precise further, as my post is based on some recollections of conversations that occurred a while back...and I am no spring chicken so the memory may be playing tricks on me.
 
Regards, Baldrick
Userlevel 3
Maybe this might be a good idea for 'ideas exchange': Allow users to rollback programs. 
 
Sometimes contacting support can take time. I like having the ability to fix issues on my PC and clients without having to contact support. I understand there can be risks if a necessary program is rolled back, but I'm sure WSA can come up with something to alleviate that issue (rules, ...etc).
Userlevel 7
Badge +55
Another thing about this if the PUA came as a Bundle the Rollback might remove to the point of the installation of the program. And can go along the lines of this short video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 but it would be nice to hear from some Webroot Threat Researchers on this or even the Developer of that feature? @dmyers will know who!
 
Thanks,
 
Daniel ;)
Userlevel 7
Personally, as rare as it is needed to do a Rollback, and as technical as I believe it might be, I think it best to leave it to Support.  It is not so simple as simply clicking a button and letting it go.
Userlevel 7
Badge +55

@shorTcircuiT wrote:
Personally, as rare as it is needed to do a Rollback, and as technical as I believe it might be, I think it best to leave it to Support.  It is not so simple as simply clicking a button and letting it go.

Agreed!
 
Daniel ;)
Userlevel 3
Another question. Does 'monitor' limit program access?
Userlevel 3

@TripleHelix wrote:
Another thing about this if the PUA came as a Bundle the Rollback might remove to the point of the installation of the program. And can go along the lines of this short video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 but it would be nice to hear from some Webroot Threat Researchers on this or even the Developer of that feature? @dmyers will know who!
 
Thanks,
 
Daniel ;)

That video shows that manually marking it blocked, then scan/delete rolls the software back.
 
EDIT: see below
Userlevel 3
I just did a short test with a piece of odd software that I have in my collection (DVR program). WSA marked it for monitor. I then chose "block", scan/delete the file...but no rollback of the installation. I am guessing that Webroot will not rollback the program/folders/files/registry ...etc, but only the files created/changed AFTER installation of the program. I'm confused now lol.
 
 
UPDATE: I did another short test using a program called Focus Writer:
 
http://gottcode.org/focuswriter/
 
WSA marked as monitor, I open the program...create a doc and saved to desktop, blocked program...scan/delete and during cleanup phase the file that I created disappeared. So WSA doesn't delete the installed files of the program, only what it CREATES after installation. I guess ;P
 
So if you come across a computer with PUA/riskware/scareware ...etc., I'm glad that I can block, scan/delete, then uninstall the program to know that any changes done to the system (wallpaper change, homepage change, default search changed ...etc) would be rolled back (if the changes were done after installation...I'm not sure if changes during installation are rolled back). I guess a dev would have to answer when the journaling process starts.
Userlevel 7
Badge +32
@mar122999 
Manually setting a file to Monitor would cause the file to be monitored and journaled from the point that the file was set to monitor. Only changes made by that file after it was set to monitor would be journaled and be able to be rolled back. 
 
Monitoring will limit program access. There are several different levels of monitoring that are based on the behavior of the file, so in the case of a file manually set to monitor this would be limited to the behavior of the file after being set to monitor. 
 
-Dan
 
 
Userlevel 7

@DanP wrote:
@mar122999 
Manually setting a file to Monitor would cause the file to be monitored and journaled from the point that the file was set to monitor. Only changes made by that file after it was set to monitor would be journaled and be able to be rolled back. 
 
Monitoring will limit program access. There are several different levels of monitoring that are based on the behavior of the file, so in the case of a file manually set to monitor this would be limited to the behavior of the file after being set to monitor. 
 
-Dan
 
 

@DanP  In the event that the user changes the status from Monitor to Block, what would happen at that point?
 
Thanks :)
Userlevel 7
As soon as you set a file to block and close the window a scan Window will pop-up and the file will be removed. Another scan will then start to verify that it's been removed. We only recommend that advanced users use this screen as you can cause all sorts of trouble if you start adding windows files to block.
 
I have seen it many a times where a user has googled "SVCHost" and seen somebody has said it's a virus and to remove it. Yes it's a common spoofed filename but it's a legitimate windows file! 
Userlevel 7

@Rakanisheu wrote:
As soon as you set a file to block and close the window a scan Window will pop-up and the file will be removed. Another scan will then start to verify that it's been removed. We only recommend that advanced users use this screen as you can cause all sorts of trouble if you start adding windows files to block.
 
I have seen it many a times where a user has googled "SVCHost" and seen somebody has said it's a virus and to remove it. Yes it's a common spoofed filename but it's a legitimate windows file! 

@Rakanisheu 
 
Oh I fully agree with that.... .Untold damage can, and does, happen.
 
What I was curious about was simply for the information of advanced users, if the rollback function would be automatically triggered to undo any changes made while the file was in the Monitor status once the file was placed into Block status.
 
I too have seen WAY too many times when people start removing things that they don't know what it is, or what it does.  The number one rule is "If you do not know what it is or what it does, DO NOT TOUCH IT."
Userlevel 7
Badge +32

@shorTcircuiT wrote:

@DanP  In the event that the user changes the status from Monitor to Block, what would happen at that point?
Thanks :)

At that point the file would be determined Bad on the local machine, and the active process would be terminated. On a scan the cleanup/rollback process would start and any changes made by that file after it was set to monitor would be rolled back along with the generic cleanup routine.
 
-Dan
Userlevel 7

@DanP wrote:

@shorTcircuiT wrote:

@DanP  In the event that the user changes the status from Monitor to Block, what would happen at that point?
Thanks :)

At that point the file would be determined Bad on the local machine, and the active process would be terminated. On a scan the cleanup/rollback process would start and any changes made by that file after it was set to monitor would be rolled back along with the generic cleanup routine.
 
-Dan

Perfect.. thanks!
 
I was in grave error above on my first reply then... I did not think the rollback would be automatically triggered.  Thank you VERY much for the clarifications @DanP  and @Rakanisheu   I do appreciate it!  
 
I know very well to NOT advise a general user to blindly go about blocking files... it is very dangerous if they happen to tag a Windows file... but at the same time I think it important that the more advanced users and members here have a GOOD understanding of it.  I did not..... 
 
I am not sure if I have a good understanding now, but at least it is a lot better than where I was yesterday at this time :)
Userlevel 7
Would it be possible for Dan or Roy to advise/clarify for us as to what happens if a user has manually set a file to 'Monitor', and so limitation of activity/journalling commences...OK...but what happens if the user decides that the file is 'bad' and so sets it subsequently to 'Block'?  It is my understanding that, unlike when WSA determines a file should be blocked, does so and the rollback takes place, that in the case of the user 'determination' of maliciousness the rollback process does not start!  Is that correct?  
 
And if it is then could the user contact Support and they use the journalled information (held in the dbxxxx.dat files) to initiate a rollback.  As if neither of the above occur then there is a question as to what use there is to manually setting a file to 'Monitor'...yes, that will limit activity but in the end that is all if the journalled information cannot be used, etc.
 
Many thanks in anticipation.
 
Regards, Baldrick
Userlevel 7
From what DanP said here, it looks like if the user manually changes it from Monitor to Block, on that particular PC, and only that PC, WSA will now recognize the file as "bad", remove the file, and trigger the rollback for any changes made while the file was in Monitor status.  
 
This would trigger a "bad" determination, and rollback, only on the specific machine that has had the file manually marked as "Block".
 
 
Userlevel 7
Badge +55
David & Solly if you look at this video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202  Monitoring only starts when the file is Executed and able to rollback at the point of Execution which allows the EXE file there right? Now the same you set a process to monitored then it starts watching what the process is doing then when you set it to block it rolls back to the time the Monitoring started so in most cases like Dan & Roy said there are many levels of monitoring! I'm going to quote Roy from a post he posted at Wilders!
 

"No you can add process to the Identity Shield if you so wish. I don't have the list of native apps that automatically handy at the moment. Any executed process that is unknown in our database will be journalled. If it's determined that it's bad its changes will be rolled back. This as I said earlier is only one component of our program.

For instance on my PC here, a new version of this application was released recently and it's a new .EXE

Monitoring process E:\games\Steam\steamapps\common\War Thunder\aces.exe [B2771208D7A3ABD19ADF7F1A7E797AB7]

The client is keeping an eye on what it's doing. If it starts doing things that the client determines is bad (behaviour based) it can locally block it too in which case you may see:

Blocked process from accessing protected data C:\roy\malwarevault\webinstaller\jd1.exe [Type: 11]"

Now from my scan log:

Fri 17-10-2014 21:38:23.0834 Monitoring process C:\Program Files\VoodooShield\VoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 3 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:\Program Files\VoodooShield\VoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 4 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:\Program Files\VoodooShield\VoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 6 (3479)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:\Program Files\VoodooShield\VoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 3 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:\Program Files\VoodooShield\VoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 4 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:\Program Files\VoodooShield\VoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 6 (3478)

See the different levels and even Roy showed Level 11 so it would depend on like they said already the Behaviour is taken into account from the Cloud. I don't think they are willing to explain the many levels in public as we don't want to give the malware writers any inside info!

I hope you can understand what I'm trying to say without saying more?

Daniel
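For anyone who wants to pull the monitoring levels out of a scan log like the one quoted above rather than read them by eye, here is a small parser. It is an added example written for this thread, not a Webroot tool; the sample lines are constructed from the format shown in the post (backslashes restored), the blocked line uses a placeholder path, and the exact meaning of each Type level is not documented here, so the script only collects them per process and flags which executables were blocked.

```python
"""Group WSA-style "Monitoring process" scan-log lines per executable.

Added example for the thread, not a Webroot tool. The log format is taken
from the lines quoted in the post; SAMPLE_LOG is constructed from them and
the blocked line uses a placeholder path.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample modelled on the quoted scan log (hashes as quoted there).
SAMPLE_LOG = r"""
Fri 17-10-2014 21:38:23.0834 Monitoring process C:\Program Files\VoodooShield\VoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 3 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:\Program Files\VoodooShield\VoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 4 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:\Program Files\VoodooShield\VoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 6 (3479)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:\Program Files\VoodooShield\VoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 3 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:\Program Files\VoodooShield\VoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 4 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:\Program Files\VoodooShield\VoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 6 (3478)
Blocked process from accessing protected data C:\Users\example\Downloads\sample.exe [Type: 11]
""".strip()

# "<day> <dd-mm-yyyy> <hh:mm:ss.ffff> Monitoring process <path> [<MD5>]. Type: <n> (<pid>)"
MONITOR_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{4}) "
    r"Monitoring process (?P<path>.+?) \[(?P<md5>[0-9A-Fa-f]{32})\]\. "
    r"Type: (?P<type>\d+) \((?P<pid>\d+)\)$"
)
# "Blocked process from accessing protected data <path> [Type: <n>]"
BLOCKED_RE = re.compile(
    r"^Blocked process from accessing protected data (?P<path>.+?) \[Type: (?P<type>\d+)\]$"
)


def parse_scan_log(text: str) -> Dict[str, dict]:
    """Return one record per executable path with the MD5, pids and Type levels seen."""
    procs: Dict[str, dict] = defaultdict(
        lambda: {"md5": None, "pids": set(), "types": set(), "blocked": False}
    )
    for raw in text.splitlines():
        line = raw.strip()
        m = MONITOR_RE.match(line)
        if m:
            rec = procs[m["path"]]
            rec["md5"] = m["md5"].upper()
            rec["pids"].add(int(m["pid"]))
            rec["types"].add(int(m["type"]))
            continue
        b = BLOCKED_RE.match(line)
        if b:
            rec = procs[b["path"]]
            rec["types"].add(int(b["type"]))
            rec["blocked"] = True
    return dict(procs)


def review_list(procs: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(path, md5-or-'?') for every monitored executable, blocked ones first.

    The hash is what you would hand to support or look up when deciding
    whether an unknown process is safe to move from Monitor to Allow.
    """
    ordered = sorted(procs.items(), key=lambda kv: (not kv[1]["blocked"], kv[0].lower()))
    return [(path, rec["md5"] or "?") for path, rec in ordered]


if __name__ == "__main__":
    parsed = parse_scan_log(SAMPLE_LOG)
    for path, rec in parsed.items():
        levels = ",".join(str(t) for t in sorted(rec["types"]))
        flag = " BLOCKED" if rec["blocked"] else ""
        print(f"{path}  md5={rec['md5']}  pids={sorted(rec['pids'])}  types={levels}{flag}")
    print("to review:", review_list(parsed))
```

Point it at the contents of a saved scan log instead of SAMPLE_LOG and you get one line per executable with every monitoring level it was seen at, which is an easier starting point for a "should this stay on Monitor?" decision than scrolling the raw log.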

Userlevel 7

@TripleHelix wrote:
David & Solly if you look at this video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202  Monitoring only starts when the file is Executed and able to rollback at the point of Execution which allows the EXE file there right? Now the same you set a process to monitored then it starts watching what the process is doing then when you set it to block it rolls back to the time the Monitoring started so in most cases like Dan & Roy said there are many levels of monitoring! I'm going to quote Roy from a post he posted at Wilders!
 

Daniel

That is what I was trying to say, but you phrased it quite better :)
 
 
Userlevel 7
Hi Daniel, thanks...but this I know other than the last part and I am sure that I have seen a thread in which it was stated that WSA setting something to Monitor and a user doing that does not have the same end result in terms of the rollback...hence why Webroot do not recommend (at least as I understand it, but perhaps incorrectly) that users set files to Monitor.
 
@Rakanisheu Roy...I think that it was in one of your post in a thread a good few months ago where I thought this was said...can you by any chance recall this and advise as to whether what I am saying is a delusion or not?
 
Many thanks
 
 
 
Baldrick
Userlevel 7
Badge +55
Yes and I Agreed I don't even play with it, but only to set to Allow from Monitored when I know it's a safe Program and processes from an updated program and most times I contact support to get them Whitelisted and of course if it's not good they are not going to Whitelist it they will mark it Bad and WSA will remove it. LOL
 
Daniel ;)
Userlevel 7
Badge +32
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and then Block in order to use the rollback feature in order to uninstall the software.
 
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back. 
 
-Dan
Userlevel 7
Hi Daniel...I am with you on that.  I do the same...;)
 
But more specifically if I, a user, mark a file as 'Monitor', it journals, etc., and then I switch it to 'Block' (the OP asked..."couldn't I theoretically choose 'block' to revert the changes")...I believe that no rollback will or can occur.  That is what I would like to confirm, and also...if I have manually generated journals, as per the above method...if they remain on disk...in the appropriate directory, then could Support use them as part of a manually initiated rollback action...if such a thing is even possible?
 
C'est tout, mon ami...:D
 
Le Baldricque
