Solved

Manually choosing block in System Control

  • 21 October 2014
  • 34 replies
  • 155 views

Userlevel 2
If I install a piece of PUA that is undetected by WSA and set to monitor, couldn't I theoretically choose 'block' to revert the changes of this PUA? If so, this would seem to be a much easier and more thorough way of uninstalling unwanted software (if done right of course).
 
That was just an example above for future reference.

Best answer by DanP 27 October 2014, 16:18



Userlevel 7
@ wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and then Block in order to use the rollback feature to uninstall the software.
 
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back. 
 
-Dan
Quite so, quite so.
 
While I was entirely wrong in my expectations of how the rollback worked, I was still correct in that in the case of the OP it would still not do what he wanted.
Userlevel 7
Badge +56
Yeppers, I agree that in the case of the OP it would not roll back because it's after the fact! @ can we get some info on the SafeStart Sandbox? Could a user run a program inside the sandbox to test programs and use it to remove all traces of the program, like in the case of testing a program to see if you want to keep it or not? http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C10_SystemControl/CH10c_UsingSafeStart.htm
 
Daniel ;)
 

Userlevel 7
Good question Daniel!
 
Again, I know some of the material we are discussing here is beyond the average user, but we do get questions on it and it would REALLY help the more advanced users here to be able to fully understand it for our own use, but also in trying to answer questions on the Forum. We can answer much more accurately if we understand more fully.
 
Thank you Dan for all the info so far!
Userlevel 2
@ wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and then Block in order to use the rollback feature to uninstall the software.
 
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back. 
 
-Dan
 
Well, I was referring to the fact that WSA marks a PUA on install as 'monitor' (the user not doing it). Or any file really...I would like to have the ability to utilize the rollback feature to the best of my ability if of course I know what I am doing.
 
If a piece of malware, PUA, ...whatever installs and I know for a fact that this file is bad...I check the System Control menu and see that it was classified as 'monitored' by WSA. Instead of scanning with Malwarebytes, calling WSA support, etc. I could theoretically just block the file, and roll back any actions it may have performed (which would be hard to determine if it did any at all...better safe than sorry), and then scan with a third party program to make sure the remnants are clear. This method doesn't seem detrimental as long as you are blocking the right programs.
Userlevel 7
Hi mar122999
 
I understand what you are asking, which is essentially what I paraphrased in my last post above. I still believe that a manually initiated change from 'Monitor' to 'Block' will not initiate the rollback function even if the 'Monitor' was set automatically. I believe that it is WSA itself that has to make that change for the rollback to be initiated...but we have no official answer so let's try to get it from someone else who may be able to advise... @ would you be able to advise on this point, please...it would be extremely useful either way to know what occurs in these circumstances/how the feature works or does not work in relation to the above scenario.
 
Regards, Baldrick
 
 
Userlevel 2
@ wrote:
Hi mar122999
 
I understand what you are asking, which is essentially what I paraphrased in my last post above. I still believe that a manually initiated change from 'Monitor' to 'Block' will not initiate the rollback function even if the 'Monitor' was set automatically. I believe that it is WSA itself that has to make that change for the rollback to be initiated...but we have no official answer so let's try to get it from someone else who may be able to advise... @ would you be able to advise on this point, please...it would be extremely useful either way to know what occurs in these circumstances/how the feature works or does not work in relation to the above scenario.
 
Regards, Baldrick
 
 
Setting to block does initiate a rollback. In a previous reply, I tested the rollback with a not well known application called Focus Writer (a simple word-processor type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.
 
I guess my question is now: 
 
When does the journaling start?
 
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
 
If it is before, then the above test I did didn't work, because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program made after installation.
 
Thanks!
Userlevel 7
Badge +35
@ wrote:
Setting to block does initiate a rollback. In a previous reply, I tested the rollback with a not well known application called Focus Writer (a simple word-processor type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.
I guess my question is now: 
When does the journaling start?
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work, because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program made after installation.
Thanks!
Journalling should start when an Unknown process enters memory and is Monitored. 
 
Only the changes made by the monitored process will be journalled, so only those changes would be rolled back.
 
Using what you saw with Focus Writer as an example, journalling and rollback worked as would be expected. The Monitored file was the Focus Writer application file, which created the document, so the change of the created document was rolled back. Since that process did not create the installation files, those files would not be deleted.
 
If you wanted to remove the installation files, you would need to go to Manual Threat Removal, and select the installation file for Focus Writer. If the installer was monitored and journalled, the changes made by the installer would be rolled back.
 
-Dan
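To make the scope of the journal concrete, here is an added toy model (not Webroot's code, and not a description of how WSA is implemented internally) of per-process journalling as Dan describes it: only file changes made by a process that was Monitored at the time are recorded, and blocking that process undoes exactly those changes. The process and file names are constructed for the Focus Writer scenario in this thread.

```python
from dataclasses import dataclass, field

@dataclass
class Journal:
    """Per-process change journal: process name -> paths it created while monitored."""
    entries: dict = field(default_factory=dict)

    def monitor(self, process):
        # Journalling starts only once a process is set to Monitor.
        self.entries.setdefault(process, [])

    def record_create(self, fs, process, path):
        # The file is created on the "disk" regardless; it is journalled
        # only if the creating process is currently monitored.
        fs.add(path)
        if process in self.entries:
            self.entries[process].append(path)

    def block(self, fs, process):
        # Blocking rolls back the journalled changes of that one process,
        # newest first, and nothing created by any other process.
        removed = list(reversed(self.entries.pop(process, [])))
        for path in removed:
            fs.discard(path)
        return removed

def focus_writer_scenario(installer_monitored=False):
    """Constructed replay of the thread: an installer drops the program,
    the program (monitored) writes a document, then the program is blocked.
    Returns (files left on disk, files removed by rollback)."""
    fs = set()
    journal = Journal()
    installer, app = "focuswriter-setup.exe", "FocusWriter.exe"   # constructed names
    program_file = r"C:\Program Files\FocusWriter\FocusWriter.exe"  # constructed path
    document = r"C:\Users\user\Desktop\notes.txt"                   # constructed path
    if installer_monitored:
        journal.monitor(installer)
    journal.record_create(fs, installer, program_file)   # installer's change
    journal.monitor(app)                                  # WSA sets the app to Monitor
    journal.record_create(fs, app, document)              # app's change is journalled
    rolled_back = journal.block(fs, app)                  # user sets the app to Block
    if installer_monitored:
        # Only a separately monitored installer can have its own changes undone.
        rolled_back += journal.block(fs, installer)
    return sorted(fs), rolled_back
```

With the installer unmonitored, blocking FocusWriter.exe removes the desktop document but leaves the program file in place; only when the installer itself was journalled does a block of the installer remove what it dropped.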
 
Userlevel 7
Thanks DanP!  I THINK I am starting to understand it a lot better....  :)
Userlevel 2
@ wrote:
@ wrote:
Setting to block does initiate a rollback. In a previous reply, I tested the rollback with a not well known application called Focus Writer (a simple word-processor type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.
I guess my question is now: 
When does the journaling start?
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work, because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program made after installation.
Thanks!
Journalling should start when an Unknown process enters memory and is Monitored. 
 
Only the changes made by the monitored process will be journalled, so only those changes would be rolled back.
 
Using what you saw with Focus Writer as an example, journalling and rollback worked as would be expected. The Monitored file was the Focus Writer application file, which created the document, so the change of the created document was rolled back. Since that process did not create the installation files, those files would not be deleted.
 
If you wanted to remove the installation files, you would need to go to Manual Threat Removal, and select the installation file for Focus Writer. If the installer was monitored and journalled, the changes made by the installer would be rolled back.
 
-Dan
 
Yes, thank you. That clears it up. I didn't know about Manual Threat Removal either.
