That was just an example above for future reference.
Best answer by DanP
Agreed!
@ wrote:
Personally, as rare as it is needed to do a Rollback, and as technical as I believe it might be, I think it best to leave it to Support. It is not so simple as simply clicking a button and letting it go.
That video shows that manually marking it blocked, then scan/delete rolls the software back.
@ wrote:
Another thing about this: if the PUA came as a Bundle, the Rollback might remove to the point of the installation of the program. And can go along the lines of this short video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 but it would be nice to hear from some Webroot Threat Researchers on this, or even the Developer of that feature? @ will know who!
Thanks,
Daniel ;)
@ wrote:
@
Manually setting a file to Monitor would cause the file to be monitored and journaled from the point that the file was set to monitor. Only changes made by that file after it was set to monitor would be journaled and be able to be rolled back.
Monitoring will limit program access. There are several different levels of monitoring that are based on the behavior of the file, so in the case of a file manually set to monitor this would be limited to the behavior of the file after being set to monitor.
-Dan
@ wrote:
As soon as you set a file to block and close the window, a scan window will pop up and the file will be removed. Another scan will then start to verify that it's been removed. We only recommend that advanced users use this screen, as you can cause all sorts of trouble if you start adding Windows files to block.
I have seen it many a time where a user has googled "SVCHost" and seen somebody has said it's a virus and to remove it. Yes, it's a common spoofed filename, but it's a legitimate Windows file!
@ wrote:
At that point the file would be determined Bad on the local machine, and the active process would be terminated. On a scan the cleanup/rollback process would start and any changes made by that file after it was set to monitor would be rolled back along with the generic cleanup routine.
@ In the event that the user changes the status from Monitor to Block, what would happen at that point?
Thanks :)
Perfect.. thanks!
@ wrote:
@ wrote:
At that point the file would be determined Bad on the local machine, and the active process would be terminated. On a scan the cleanup/rollback process would start and any changes made by that file after it was set to monitor would be rolled back along with the generic cleanup routine.
@ In the event that the user changes the status from Monitor to Block, what would happen at that point?
Thanks :)
-Dan
"No, you can add a process to the Identity Shield if you so wish. I don't have the list of native apps that automatically handy at the moment. Any executed process that is unknown in our database will be journalled. If it's determined that it's bad, its changes will be rolled back. This, as I said earlier, is only one component of our program.
For instance, on my PC here, a new version of this application was released recently and it's a new .EXE
Monitoring process E:gamesSteamsteamappscommonWar Thunderaces.exe [B2771208D7A3ABD19ADF7F1A7E797AB7]
The client is keeping an eye on what it's doing. If it starts doing things that the client determines are bad (behaviour based), it can locally block it too, in which case you may see:
Blocked process from accessing protected data C:
oymalwarevaultwebinstallerjd1.exe [Type: 11]"
Now from my scan log:
Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 3 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 4 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 6 (3479)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 3 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 4 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 6 (3478)
See the different levels, and even Roy showed Level 11, so it would depend on, like they said already, the Behaviour is taken into account from the Cloud. I don't think they are willing to explain the many levels in public, as we don't want to give the malware writers any inside info!
I hope you can understand what I'm trying to say without saying more?
Daniel
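For readers who want to see which files their own scan log shows as monitored or blocked, here is an added example (not part of the original posts and not Webroot code) that parses lines in the format quoted above and groups the Type values per file hash. The sample log, its paths and its hashes are constructed, the timestamp is treated as optional, and the meaning of each Type value and of the number in parentheses is not documented in this thread.

```python
import re

# Optional timestamp prefix, e.g. "Fri 17-10-2014 21:38:23.0834 "
TS = r"(?:(?P<ts>\w{3} \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) )?"
MONITOR_RE = re.compile(
    TS + r"Monitoring process (?P<path>.+) \[(?P<md5>[0-9A-Fa-f]{32})\]\. "
    r"Type: (?P<type>\d+) \((?P<ref>\d+)\)$")
BLOCKED_RE = re.compile(
    TS + r"Blocked process from accessing protected data (?P<path>.+) "
    r"\[Type: (?P<type>\d+)\]$")

# Constructed sample in the line format quoted in the thread (made-up paths/hashes).
SAMPLE_LOG = r"""
Fri 17-10-2014 21:38:23.0834 Monitoring process C:\Example\AppService.exe [0123456789ABCDEF0123456789ABCDEF]. Type: 3 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:\Example\AppService.exe [0123456789ABCDEF0123456789ABCDEF]. Type: 4 (3479)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:\Example\My App\App.exe [FEDCBA9876543210FEDCBA9876543210]. Type: 3 (3478)
Blocked process from accessing protected data C:\Example\installer.exe [Type: 11]
Fri 17-10-2014 21:40:02.0000 Some unrelated log line
"""

def parse_scan_log(text):
    """Return (monitored, blocked).

    monitored: {MD5: {"path", "first_seen", "types": set of int}}
    blocked:   [(path, type)] in log order
    """
    monitored, blocked = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = MONITOR_RE.match(line)
        if m:
            entry = monitored.setdefault(
                m["md5"].upper(),
                {"path": m["path"], "first_seen": m["ts"], "types": set()})
            entry["types"].add(int(m["type"]))
            continue
        b = BLOCKED_RE.match(line)
        if b:
            blocked.append((b["path"], int(b["type"])))
    return monitored, blocked

if __name__ == "__main__":
    monitored, blocked = parse_scan_log(SAMPLE_LOG)
    for md5, e in monitored.items():
        print(f"monitored since {e['first_seen']}: {e['path']} [{md5}] "
              f"types={sorted(e['types'])}")
    for path, level in blocked:
        print(f"blocked: {path} (Type {level})")
```

The `first_seen` value is the earliest logged monitoring entry for that hash, which per the replies above is the point from which changes are journaled and can be rolled back.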
That is what I was trying to say, but you phrased it quite better :)
@ wrote:
David & Solly, if you look at this video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 Monitoring only starts when the file is Executed and able to rollback at the point of Execution which allows the EXE file there, right? Now the same: you set a process to monitored, then it starts watching what the process is doing, then when you set it to block it rolls back to the time the Monitoring started, so in most cases, like Dan & Roy said, there are many levels of monitoring! I'm going to quote Roy from a post he posted at Wilders!
Daniel