That was just an example above for future reference.
Best answer by DanP
View originalBest answer by DanP
View originalYes, thank you. That clears it up. I didn't know about Manual Threat Removal also.@ wrote:
@ wrote:Setting to block does initiate a roll back. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file dissappeared due to the rollback procedure.I guess my question is now:Journalling should start when an Unknown process enters memory and is Monitored.
When does the journaling start?
Ex: I install a PUA app. Its gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Foucs Writer, only the changes the program did after installation.
Thanks!
Only the changes made by the monitored process will be journalled, so only those changes would be rolled back.
Using what you saw with Focus Writer as an example, journalling and rollback worked as would be expected. The Monitored file was the Focus Writer application file, which created the document, so the change of the created document was rolled back. Since that process did not create the installation files, those files would not be deleted.
If you wanted to remove the installation files, you would need to go to Manual Threat Removal, and select the installation file for Focus Writer. If the installer was monitored and journalled, the changes made by the installer would rolled back.
-Dan
@ wrote:
Setting to block does initiate a roll back. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file dissappeared due to the rollback procedure.
I guess my question is now:Journalling should start when an Unknown process enters memory and is Monitored.
When does the journaling start?
Ex: I install a PUA app. Its gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Foucs Writer, only the changes the program did after installation.
Thanks!
Setting to block does initiate a roll back. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file dissappeared due to the rollback procedure.@ wrote:
Hi mar122999
I understand what you are asking which is essentailly what I paraphrased in my last post above. I still believe that a manually initiated change from 'Monitor' to 'Block' will not initiate the rollback function even if the 'Monitor' was set automatically. I believe that it is WSA itself that has to make that change for the rollback to be initiated...but we have no official answer so let's try to get it from someone else who may be able to advise...@ would you be able to advise on this point, please...it would be extremely useful either way to know what occurs in these circumstances/how the feature works or does not work in relation to the above scenario.
Regards, Baldrick
@ wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and the Block in order to use the rollback feature in order to uninstall the software.
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back.
-Dan
Quite so, quite so.@ wrote:
I've been thinking a bit about this one, and going back to the OP in this thread, the question was about setting an undetected PUA to Monitor and the Block in order to use the rollback feature in order to uninstall the software.
With most PUAs - and most programs in general - it is the installer that makes the changes that you would want to roll back. In the case of most PUAs, the Process that would be set to Monitor and then block may not be making changes to the system, so there would not be anything to be rolled back.
-Dan
That is what I was trying to say, but you phrased it quite better :)@ wrote:
David & Solly if you look at this video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 Monitoring only starts when the file is Executed and able to rollback at the point of Execution which allows the EXE file there right? Now the same you set a process to monitored then it starts watching what the process is doing then when you set it to block it rollsback to the time of the Monitoering started so in most cases like Dan & Roy said there are many levels of of monitering! I'm going to quote Roy from a post he posted at Wilders!
Daniel
"No you can add process to the Identity Shield if you so wish. I dont have the list of native apps that automatically handy at the moment. Any executed process that is unknown in our database will be journalled. If its determined that its bad its changes will be rolled back. This as I said earlier is only one component of our program.
For instance on my PC here, a new version of this application was released recently and its a new .EXE
Monitoring process E:gamesSteamsteamappscommonWar Thunderaces.exe [B2771208D7A3ABD19ADF7F1A7E797AB7]
The client is keeping an eye on what its doing. If it starts doing things that the client determines is bad (behaviour based) it can locally block it too in which case you may see:
Blocked process from accessing protected data C:
oymalwarevaultwebinstallerjd1.exe [Type: 11]"
Now from my scan log:
Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 3 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 4 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 6 (3479)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 3 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 4 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 6 (3478)
See the different levels and even Roy showed Level 11 so it would depend on like they said already the Behaviour is taken into account from the Cloud. I don't think they are willing to explain the many levels in public as we don't want to give the malware writers any inside info!
I hope you can understand what I'm trying to say without saying more?
Daniel
Perfect.. thanks!@ wrote:
@ wrote:At that point the file would be determined Bad on the local machine, and the active process would be terminated. On a scan the cleanup/rollback process would start and any changes made by that file after it was set to monitor would be rolled back along with the generic cleanup routine.@ In the event that the user changes the status from Monitor to Block, what would happen at that point?
Thanks :)
-Dan
@ wrote:
At that point the file would be determined Bad on the local machine, and the active process would be terminated. On a scan the cleanup/rollback process would start and any changes made by that file after it was set to monitor would be rolled back along with the generic cleanup routine.@ In the event that the user changes the status from Monitor to Block, what would happen at that point?
Thanks :)
@ wrote:
As soon as you set a file to block and close the window a scan Window will pop-up and the file will be removed. Another scan will then start to verify that its been removed. We only recommend that advanced users use this screen as you can cause all sorts of trouble if you start adding windows files to block.
I have seen it many a times where a user has googled "SVCHost" and seen somebody has said its a virus and to remove it. Yes its a common spoofed filename but its a legimate windows file!
@ wrote:
@
Manually setting a file to Monitor would cause the file to be monitored and journaled from the point that the file was set to monitor. Only changes made by that file after it was set to monitor would be journaled and be able to be rolled back.
Monitoring will limit program access. There are several different levels of monitoring that are based on the behavior of the file, so in the case of a file manually set to monitor this would be limited to the behavior of the file after being set to monitor.
-Dan
That videos shows that manually marking it blocked, then scan/delete rolls the software back.@ wrote:
Another thing about this if the PUA came as a Bundle the Rollback might remove to the point of the installation of the program. And can go along the lines of this short video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 but it would be nice to hear from some Webroot Threat Researchers on this or even the Developer of that feature?@ will know who!
Thanks,
Daniel ;)
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.