Manually choosing block in System Control

Personlly, as rare as it is needed to do a Rollback, and as technical as I believe it might be, I think it best to leave it to Support.  It is not so simple as simply clicking a button and letting it go.

David & Solly if you look at this video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202  Monitoring only starts when the file is Executed and able to rollback at the point of  Execution which allows the EXE file there right? Now the same you set a process to monitored then it starts watching what the process is doing then when you set it to block it rollsback to the time of the Monitoering started so in most cases like Dan & Roy said there are many levels of monitering! I'm going to quote Roy from a post he posted at Wilders!
 

"No you can add process to the Identity Shield if you so wish. I dont have the list of native apps that automatically handy at the moment. Any executed process that is unknown in our database will be journalled. If its determined that its bad its changes will be rolled back. This as I said earlier is only one component of our program.

For instance on my PC here, a new version of this application was released recently and its a new .EXE

Monitoring process E:gamesSteamsteamappscommonWar Thunderaces.exe [B2771208D7A3ABD19ADF7F1A7E797AB7]

The client is keeping an eye on what its doing. If it starts doing things that the client determines is bad (behaviour based) it can locally block it too in which case you may see:

Blocked process from accessing protected data C:
oymalwarevaultwebinstallerjd1.exe [Type: 11]"

Now from my scan log:

Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 3 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 4 (3479)
Fri 17-10-2014 21:38:23.0834 Monitoring process C:Program FilesVoodooShieldVoodooShieldService.exe [3504C7F055D5E2359F7888478AC74BB7]. Type: 6 (3479)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 3 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 4 (3478)
Fri 17-10-2014 21:38:23.0850 Monitoring process C:Program FilesVoodooShieldVoodooShield.exe [3F527670FE1BFE85E4F00F7183FFEFBE]. Type: 6 (3478)

See the different levels and even Roy showed Level 11 so it would depend on like they said already the Behaviour is taken into account from the Cloud. I don't think they are willing to explain the many levels in public as we don't want to give the malware writers any inside info!

I hope you can understand what I'm trying to say without saying more?

Daniel

Hi David
 
If I may on this one, based on my understanding...what you say is essentially correct.
 
But the rollback feature is only available for files set to 'Monitor', but even then a file can either be set to 'Monitor' automatically by WSA based on it being unknown or manually by the user.  In either case the 'Monitor' status will cause its activities to be journalled...however, in terms of rollback based on the journalling , only when a file that has been set to 'Monitor' is deemed to be malicious will WSA rollback its activities.
 
In the case of the user set 'Monitor' statis even ifthe file is deemed to be malicious by WSA (unlikely to happen as WSA would most probably have spotted that before the user intervention) or the user  chnages the status for 'Monitor' to 'Block' no rollback will occur. Whether or not the Support Team canuse the manually initiated journalling by the user is a moot point...and I suggest that it is worth asking someone like Roy or Dan to comment/advise on this point for us all. @ @ 
 
Regards, Baldrick 

Another thing about this if the PUA came as a Bundle the Rollback might remove to the point of the installation of the program. And can go along the lines of this short video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 but it would be nice to hear from some Webroot Threat Researchers on this or even the Developer of that feature? @ will know who!
 
Thanks,
 
Daniel 😉

As soon as you set a file to block and close the window a scan Window will pop-up and the file will be removed. Another scan will then start to verify that its been removed. We only recommend that advanced users use this screen as you can cause all sorts of trouble if you start adding windows files to block.
 
I have seen it many a times where a user has googled "SVCHost" and seen somebody has said its a virus and to remove it. Yes its a common spoofed filename but its a legimate windows file! 

Hi Daniel, thanks...but this I know other than the last part and I am sure that I have seen a thread in which it was stated that WSA setting something to Monitor and a user doing that does not have the same end result in terms of the rollback...hence why Webroot do not recommend  (at least as I understand it, but perhaps incorrectly) that users set files to Monitor.
 
@ Roy...I think that it was in one of your post in a thread a good few months ago where I thought this was said...can you by any chance recall this and advise as to whether what I am saying is a delusion or not?
 
Many thanks
 
 
 
Baldrick

Yeppers I agree in the case of the OP it would not rollback because it's after the fact! @ can we get some info on the SafeStart Sandbox could a user run a program inside the sandbox to test programs and use it to remove all traces of the program like in the case of testing a program to see if you want to keep it or not? http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C10_SystemControl/CH10c_UsingSafeStart.htm
 
Daniel ;)
 

@ wrote:

@ wrote:

Setting to block does initiate a roll back. In a previous reply, I tested the rollback with a not well known application called Focus Writer (simple word type program). I made a doc on the desktop from Focus Writer, set the process to block, and my file dissappeared due to the rollback procedure.

I guess my question is now: 
When does the journaling start?
Ex: I install a PUA app. Its gets auto set to Monitor. Does journaling start after the installation or before?
If it is before, then the above test I did didn't work because the rollback procedure did not delete the installation files of Foucs Writer, only the changes the program did after installation.
Thanks!

Journalling should start when an Unknown process enters memory and is Monitored. 
 
Only the changes made by the monitored process will be journalled, so only those changes would be rolled back.
 
Using what you saw  with Focus Writer as an example, journalling and rollback worked as would be expected. The Monitored file was the Focus Writer application file, which created the document, so the change of the created document was rolled back. Since that process did not create the installation files, those files would not be deleted.
 
If you wanted to remove the installation files, you would need to go to Manual Threat Removal, and select the installation file for Focus Writer. If the installer was monitored and journalled, the changes made by the installer would rolled back. 
 
-Dan
 

Yes, thank you. That clears it up. I didn't know about Manual Threat Removal also.

@ wrote:

@ wrote:

@  In the event that the user changes the status from Monitor to Block, what would happen at that point?
Thanks :)

At that point the file would be determined Bad on the local machine, and the active process would be terminated. On a scan the cleanup/rollback process would start and any changes made by that file after it was set to monitor would be rolled back along with the generic cleanup routine.
 
-Dan

Perfect.. thanks!
 
I was in grave error above on my first reply then... I did not think the rollback would be automatically triggered.  Thank you VERY much for the clarifications @  and @   I do appreciate it!  
 
I know very well to NOT advise a general user to blindly go about blocking files... it is very dangerous if they happen to tag a Windows file... but at the same time I think it important that the more advanced users and members here have a GOOD understanding of it.  I did not..... 
 
I am not sure if I have a good understanding now, but at least it is a lot better than where I was yesterday at this time 🙂

Thanks DanP!  I THINK I am starting to understand it a lot better....  :)

Another question. Does 'monitor' limit program access?

I just did a short test with a peice of odd software that I have in my collection (DVR program). WSA marked it for monitor. I then chose "block", scan/delete the file...but no rollback of the installation. I am guessing that Webroot will not rollback the program/folders/files/registry ...etc, but only the files created/changed AFTER installation of the program. I'm confused now lol.
 
 
UPDATE: I did another short test using a program called Focus Writer:
 
http://gottcode.org/focuswriter/
 
WSA marked as monitor, I open the program...create a doc and saved to desktop, blocked progam...scan/delete and during cleanup phase the file that I created dissapeared. So WSA doesn't delete the installed files of the program, only what it CREATES after installation. I guess ;P
 
So if you come across a computer with PUA/riskware/scareware ...etc., I'm glad that I can block, scan/delete, then uninstall the program to know that any changes done to the system (wallpaper change, homepage change, default search changed ...etc) would be rolled back (if the changes were done after installation...i'm not sure if changes during installation are rolled back). I guess a dev would have to answer when the journaling process starts.