Solved

Manually choosing block in System Control

  • 21 October 2014
  • 34 replies
  • 153 views



Userlevel 7
@ wrote:
@ 
Manually setting a file to Monitor would cause the file to be monitored and journaled from the point that the file was set to monitor. Only changes made by that file after it was set to monitor would be journaled and be able to be rolled back. 
 
Monitoring will limit program access. There are several different levels of monitoring that are based on the behavior of the file, so in the case of a file manually set to monitor this would be limited to the behavior of the file after being set to monitor. 
 
-Dan
 
 
@  In the event that the user changes the status from Monitor to Block, what would happen at that point?
 
Thanks 🙂
Userlevel 7
@ wrote:
As soon as you set a file to block and close the window, a scan window will pop up and the file will be removed. Another scan will then start to verify that it's been removed. We only recommend that advanced users use this screen, as you can cause all sorts of trouble if you start adding Windows files to block.
 
I have seen it many a time where a user has googled "SVCHost" and seen somebody has said it's a virus and to remove it. Yes, it's a common spoofed filename, but it's a legitimate Windows file! 
@ 
 
Oh, I fully agree with that.... Untold damage can, and does, happen.
 
What I was curious about was simply, for the information of advanced users, whether the rollback function would be automatically triggered to undo any changes made while the file was in the Monitor status once the file was placed into Block status.
 
I too have seen WAY too many times when people start removing things that they don't know what they are, or what they do.  The number one rule is "If you do not know what it is or what it does, DO NOT TOUCH IT."
Userlevel 7
Would it be possible for Dan or Roy to advise/clarify for us as to what happens if a user has manually set a file to 'Monitor', and so limitation of activity/journalling commences...OK...but what happens if the user decides that the file is 'bad' and so sets it subsequently to 'Block'?  It is my understanding that, unlike when WSA determines a file should be blocked, does so, and the rollback takes place, in the case of the user's 'determination' of maliciousness the rollback process does not start!  Is that correct?  
 
And if it is, then could the user contact Support and have them use the journalled information (held in the dbxxxx.dat files) to initiate a rollback?  If neither of the above occurs, then there is a question as to what use there is in manually setting a file to 'Monitor'...yes, that will limit activity, but in the end that is all if the journalled information cannot be used, etc.
 
Many thanks in anticipation.
 
Regards, Baldrick
Userlevel 7
From what DanP said here, it looks like if the user manually changes it from Monitor to Block, on that particular PC, and only that PC, WSA will now recognize the file as "bad", remove the file, and trigger the rollback for any changes made while the file was in Monitor status.  
 
This would trigger a "bad" determination, and rollback, only on the specific machine that has had the file manually marked as "Block".
 
 
Userlevel 7
@ wrote:
David & Solly, if you look at this video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202  Monitoring only starts when the file is executed and is able to roll back to the point of execution, which allows the EXE file there, right? Now the same: you set a process to monitored, then it starts watching what the process is doing, then when you set it to block it rolls back to the time the monitoring started, so in most cases, like Dan & Roy said, there are many levels of monitoring! I'm going to quote Roy from a post he posted at Wilders!
 
Daniel
That is what I was trying to say, but you phrased it much better :)
 
 
Userlevel 7
Hi Daniel...I am with you on that.  I do the same...;)
 
But more specifically, if I, a user, mark a file as 'Monitor', it journals, etc., and then I switch it to 'Block' (the OP asked..."couldn't I theoretically choose 'block' to revert the changes")...I believe that no rollback will or can occur.  That is what I would like to confirm, and also...if I have manually generated journals, as per the above method...if they remain on disk...in the appropriate directory, then could Support use them as part of a manually initiated rollback action...if such a thing is even possible?
 
C'est tout, mon ami...:D
 
Le Baldricque
Userlevel 7
@ wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and then Block in order to use the rollback feature in order to uninstall the software.
 
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back. 
 
-Dan
Quite so, quite so.
 
While I was entirely wrong in my expectations of how the rollback worked, I was still correct in that in the case of the OP it would still not do what he wanted.
@ wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and then Block in order to use the rollback feature in order to uninstall the software.
 
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back. 
 
-Dan
 
Well, I was referring to the fact that WSA might mark a PUA on install as 'monitor' (the user not doing it). Or any file really...I would like to have the ability to utilize the rollback feature to the best of my ability, if of course I know what I am doing.
 
If a piece of malware, PUA, ...whatever installs and I know for a fact that this file is bad...I check the System Control menu and see that it was classified as 'monitored' by WSA. Instead of scanning with Malwarebytes, calling WSA support, etc., I could theoretically just block the file, and roll back any actions it may have performed (which would be hard to determine if it did any at all...better safe than sorry), and then scan with a third party program to make sure the remnants are clear. This method doesn't seem detrimental as long as you are blocking the right programs.
@ wrote:
Hi mar122999
 
I understand what you are asking, which is essentially what I paraphrased in my last post above.  I still believe that a manually initiated change from 'Monitor' to 'Block' will not initiate the rollback function, even if the 'Monitor' was set automatically.  I believe that it is WSA itself that has to make that change for the rollback to be initiated...but we have no official answer, so let's try to get it from someone else who may be able to advise... @  would you be able to advise on this point, please...it would be extremely useful either way to know what occurs in these circumstances/how the feature works or does not work in relation to the above scenario.
 
Regards, Baldrick
 
 
Setting to block does initiate a rollback. In a previous reply, I tested the rollback with a not well known application called Focus Writer (a simple word-processor type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.
 
I guess my question is now: 
 
When does the journaling start?
 
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
 
If it is before, then the above test I did didn't work, because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program made after installation.
 
Thanks!