Solved

Manually choosing block in System Control




34 replies

Userlevel 7

@DanP wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and then Block in order to use the rollback feature in order to uninstall the software.
 
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back. 
 
-Dan

Quite so, quite so.
 
While I was entirely wrong in my expectations of how the rollback worked, I was still correct in that in the case of the OP it would still not do what he wanted.
Userlevel 7
Yeppers, I agree: in the case of the OP it would not roll back because it's after the fact! @DanP, can we get some info on the SafeStart Sandbox? Could a user run a program inside the sandbox to test programs and use it to remove all traces of the program, like in the case of testing a program to see if you want to keep it or not? http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C10_SystemControl/CH10c_UsingSafeStart.htm
 
Daniel ;)
 


Userlevel 7
Good question Daniel!
 
Again, I know some of the material we are discussing here is beyond the average user, but we do get questions on it and it would REALLY help the more advanced users here to be able to really fully understand it for our own use, but also in trying to answer questions on the Forum. We can answer much more accurately if we understand more fully.
 
Thank you Dan for all the info so far!
Userlevel 3

@DanP wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and then Block in order to use the rollback feature in order to uninstall the software.
 
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back. 
 
-Dan

 
Well, I was referring to the fact that if WSA marks a PUA on install as 'monitor' (user not doing it). Or any file really...I would like to have the ability to utilize the rollback feature to the best of my ability if of course I know what I am doing.
 
If a piece of malware, PUA, ...whatever installs and I know for a fact that this file is bad...I check the System Control menu and see that it was classified as 'monitored' by WSA. Instead of scanning with Malwarebytes, calling WSA support, etc. I could theoretically just block the file, and roll back any actions it may have performed (which would be hard to determine if it did any at all...better safe than sorry), and then scan with a third party program to make sure the remnants are clear. This method doesn't seem detrimental as long as you are blocking the right programs.
Userlevel 7
Hi mar122999
 
I understand what you are asking, which is essentially what I paraphrased in my last post above. I still believe that a manually initiated change from 'Monitor' to 'Block' will not initiate the rollback function even if the 'Monitor' was set automatically. I believe that it is WSA itself that has to make that change for the rollback to be initiated...but we have no official answer so let's try to get it from someone else who may be able to advise... @Shawn would you be able to advise on this point, please...it would be extremely useful either way to know what occurs in these circumstances/how the feature works or does not work in relation to the above scenario.
 
Regards, Baldrick
 
 
Userlevel 3

@Baldrick wrote:
Hi mar122999
 
I understand what you are asking, which is essentially what I paraphrased in my last post above. I still believe that a manually initiated change from 'Monitor' to 'Block' will not initiate the rollback function even if the 'Monitor' was set automatically. I believe that it is WSA itself that has to make that change for the rollback to be initiated...but we have no official answer so let's try to get it from someone else who may be able to advise... @Shawn would you be able to advise on this point, please...it would be extremely useful either way to know what occurs in these circumstances/how the feature works or does not work in relation to the above scenario.
 
Regards, Baldrick
 
 

Setting to block does initiate a rollback. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.
 
I guess my question is now: 
 
When does the journaling start?
 
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
 
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program did after installation.
 
Thanks!
Userlevel 7

@mar122999 wrote:

Setting to block does initiate a rollback. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.

I guess my question is now: 
When does the journaling start?
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program did after installation.
Thanks!

Journalling should start when an Unknown process enters memory and is Monitored. 
 
Only the changes made by the monitored process will be journalled, so only those changes would be rolled back.
 
Using what you saw with Focus Writer as an example, journalling and rollback worked as would be expected. The Monitored file was the Focus Writer application file, which created the document, so the change of the created document was rolled back. Since that process did not create the installation files, those files would not be deleted.
 
If you wanted to remove the installation files, you would need to go to Manual Threat Removal, and select the installation file for Focus Writer. If the installer was monitored and journalled, the changes made by the installer would be rolled back. 
 
-Dan
 
Userlevel 7
Thanks DanP!  I THINK I am starting to understand it a lot better....  :)
Userlevel 3

@DanP wrote:

@mar122999 wrote:

Setting to block does initiate a rollback. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.

I guess my question is now: 
When does the journaling start?
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program did after installation.
Thanks!

Journalling should start when an Unknown process enters memory and is Monitored. 
 
Only the changes made by the monitored process will be journalled, so only those changes would be rolled back.
 
Using what you saw with Focus Writer as an example, journalling and rollback worked as would be expected. The Monitored file was the Focus Writer application file, which created the document, so the change of the created document was rolled back. Since that process did not create the installation files, those files would not be deleted.
 
If you wanted to remove the installation files, you would need to go to Manual Threat Removal, and select the installation file for Focus Writer. If the installer was monitored and journalled, the changes made by the installer would be rolled back. 
 
-Dan
 

Yes, thank you. That clears it up. I didn't know about Manual Threat Removal also.
