That was just an example above for future reference.
Best answer by DanP
Quite so, quite so.
@ wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and the Block in order to use the rollback feature in order to uninstall the software.
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back.
-Dan
Setting to block does initiate a roll back. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.
@ wrote:
Hi mar122999
I understand what you are asking, which is essentially what I paraphrased in my last post above. I still believe that a manually initiated change from 'Monitor' to 'Block' will not initiate the rollback function even if the 'Monitor' was set automatically. I believe that it is WSA itself that has to make that change for the rollback to be initiated...but we have no official answer, so let's try to get it from someone else who may be able to advise... @ would you be able to advise on this point, please? It would be extremely useful either way to know what occurs in these circumstances/how the feature works or does not work in relation to the above scenario.
Regards, Baldrick
@ wrote:
Setting to block does initiate a roll back. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.
I guess my question is now: Journalling should start when an Unknown process enters memory and is Monitored.
When does the journaling start?
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program did after installation.
Thanks!
Yes, thank you. That clears it up. I didn't know about Manual Threat Removal also.
@ wrote:
@ wrote: Setting to block does initiate a roll back. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file disappeared due to the rollback procedure.
I guess my question is now: Journalling should start when an Unknown process enters memory and is Monitored.
When does the journaling start?
Ex: I install a PUA app. It gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Focus Writer, only the changes the program did after installation.
Thanks!
Only the changes made by the monitored process will be journalled, so only those changes would be rolled back.
Using what you saw with Focus Writer as an example, journalling and rollback worked as would be expected. The Monitored file was the Focus Writer application file, which created the document, so the change of the created document was rolled back. Since that process did not create the installation files, those files would not be deleted.
If you wanted to remove the installation files, you would need to go to Manual Threat Removal, and select the installation file for Focus Writer. If the installer was monitored and journalled, the changes made by the installer would be rolled back.
-Dan
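The behaviour Dan describes (only the changes made by a process that is on Monitor are journalled, so setting that process to Block reverses those changes and nothing else) is easy to misread, so here is a toy model of it as an added example. This is not Webroot's code and says nothing about how WSA implements its journal; it is a small in-memory fake filesystem with a per-process change journal, and the process names and paths (FocusWriter.exe, installer.exe, the desktop document) are made up for the illustration. It replays both halves of the thread: the installer runs unmonitored and the installed program is monitored, then the installer itself is monitored before it runs.

```python
"""Toy per-process change journal with rollback (illustration only, not Webroot's code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed paths for the example; nothing here is a real WSA path.
APP_EXE = r"C:\Program Files\FocusWriter\FocusWriter.exe"
UNINSTALLER = r"C:\Program Files\FocusWriter\uninstall.exe"
NEW_DOC = r"C:\Users\me\Desktop\notes.txt"
OLD_DOC = r"C:\Users\me\Documents\draft.txt"


@dataclass
class JournalEntry:
    process: str
    path: str
    before: Optional[bytes]  # content before the change; None = file did not exist


@dataclass
class FakeHost:
    files: dict = field(default_factory=dict)    # path -> content
    monitored: set = field(default_factory=set)  # processes currently on Monitor
    journal: list = field(default_factory=list)  # JournalEntry, oldest first

    def monitor(self, process):
        """Put `process` on Monitor: its changes are journalled from now on."""
        self.monitored.add(process)

    def write(self, process, path, data):
        """`process` creates or overwrites `path`; journalled only if monitored."""
        if process in self.monitored:
            self.journal.append(JournalEntry(process, path, self.files.get(path)))
        self.files[path] = data

    def delete(self, process, path):
        """`process` removes `path`; journalled only if monitored."""
        if path in self.files:
            if process in self.monitored:
                self.journal.append(JournalEntry(process, path, self.files[path]))
            del self.files[path]

    def block(self, process):
        """Set `process` to Block: undo its journalled changes, newest first.
        Changes by other processes, and anything done before monitoring began,
        are untouched. Returns the paths the rollback touched."""
        touched, kept = [], []
        for entry in reversed(self.journal):
            if entry.process != process:
                kept.append(entry)
                continue
            if entry.before is None:
                self.files.pop(entry.path, None)       # created by it -> remove
            else:
                self.files[entry.path] = entry.before  # changed/deleted -> restore
            touched.append(entry.path)
        self.journal = kept[::-1]
        self.monitored.discard(process)
        return touched


def focus_writer_scenario():
    """The thread's test: installer runs unmonitored, installed app is set to Monitor."""
    host = FakeHost()
    host.files[OLD_DOC] = b"original draft"        # a pre-existing user file
    host.write("installer.exe", APP_EXE, b"app")   # installer is NOT monitored
    host.write("installer.exe", UNINSTALLER, b"uninst")
    host.monitor("FocusWriter.exe")                # only the program gets Monitor
    host.write("FocusWriter.exe", NEW_DOC, b"hello")
    host.write("FocusWriter.exe", OLD_DOC, b"edited draft")
    touched = host.block("FocusWriter.exe")
    return touched, dict(host.files)


def monitored_installer_scenario():
    """Dan's last paragraph: the installer itself is monitored before it runs."""
    host = FakeHost()
    host.monitor("installer.exe")
    host.write("installer.exe", APP_EXE, b"app")
    host.write("installer.exe", UNINSTALLER, b"uninst")
    touched = host.block("installer.exe")
    return touched, dict(host.files)


if __name__ == "__main__":
    for name, fn in (("app monitored", focus_writer_scenario),
                     ("installer monitored", monitored_installer_scenario)):
        touched, files = fn()
        print(f"{name}: rolled back {touched}; remaining {sorted(files)}")
```

In the first scenario the desktop document is removed and the edited draft is restored to its original content, but FocusWriter.exe and uninstall.exe stay, because the installer was never on Monitor and so never journalled. In the second scenario the installer's files are the journalled changes and the rollback removes them, which is the situation Dan describes for Manual Threat Removal.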