I deleted by mistake all log files in WRData folder including its sub-folders (Pkg, Sync, wrUrl). :S
From the nature of log files I don't think it should cause troubles but you never know and hence I rather ask. BTW, WSA including Backup&Sync and Password manager works fine.
How it could happen, easily ... I created a custom rule in CCleaner and forgot to exclude WRData folder. :@
Thanks for your thoughts.
Already have an account? Login
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
So If I correctly understand in other words it does mean that WSA will behave like after the clean installation, i.e. it will be journaling all executable actions to create a new baseline.
Will WSA re-create all logs again?
It seems that these log files re-created itself in WRData folder:
However Sync folder is still empty even if I have run backup & sync. No log files. Strange.
Tue 2013-11-26 12:24:59.0408 Scan Results: Files Scanned: 1, Duration: 1s, Malicious Files: 0
Tue 2013-11-26 12:24:59.0689 Scan Finished: [ID: 28 - Seq: 28]
Tue 2013-11-26 12:25:41.0345 Saved the product log to C:Documents and SettingsAdministratorDesktops.log
Tue 2013-11-26 12:27:03.0877 Scan Results: Files Scanned: 20060, Duration: 2m 11s, Malicious Files: 0
Tue 2013-11-26 12:27:04.0205 Scan Finished: [ID: 27 - Seq: 2147000000]
Wed 2013-11-27 03:00:18.0383 Begin passive write scan (26 file(s))
Wed 2013-11-27 03:00:20.0071 End passive write scan (26 file(s))
Wed 2013-11-27 03:00:28.0602 Begin passive write scan (26 file(s))
Wed 2013-11-27 03:00:29.0289 End passive write scan (26 file(s))
Wed 2013-11-27 03:00:35.0477 Begin passive write scan (26 file(s))
Wed 2013-11-27 03:00:42.0774 End passive write scan (26 file(s))
Wed 2013-11-27 13:25:03.0866 Scan Started: [ID: 29 - Flags: 1575/0]
Wed 2013-11-27 13:26:58.0417 Scan Results: Files Scanned: 16283, Duration: 1m 54s, Malicious Files: 0
Wed 2013-11-27 13:26:58.0605 Scan Finished: [ID: 29 - Seq: 2147000000]
Thu 2013-11-28 14:17:14.0148 Saved the product log to C:Documents and SettingsAdministratorDesktopslb4.log
I then shutdown the client and deleted everything from the Wrdata folder:
Thu 2013-11-28 14:18:47.0554 Begin Installation
Thu 2013-11-28 14:18:47.0616 Installation successfully completed (WSAINSTALL.EXE/0)
Thu 2013-11-28 14:18:47.0663 >>> Service started [v18.104.22.168]
Thu 2013-11-28 14:18:48.0757 User process connected successfully from PID 4016, Session 0
Thu 2013-11-28 14:18:49.0069 Protection enabled
Thu 2013-11-28 14:18:51.0116 Connecting to 45 - 45
Thu 2013-11-28 14:18:58.0476 Saved updated configuration
Thu 2013-11-28 14:19:01.0054 Saved updated configuration
Thu 2013-11-28 14:19:07.0351 Loading package: 4/16777230
Thu 2013-11-28 14:19:08.0710 Saved updated configuration
Thu 2013-11-28 14:19:16.0319 Saved updated configuration
Thu 2013-11-28 14:19:18.0038 Saved updated configuration
Thu 2013-11-28 14:19:19.0163 Saved updated configuration
Thu 2013-11-28 14:19:19.0601 Protection disabled by the user
Thu 2013-11-28 14:19:19.0601 Saved updated configuration
Thu 2013-11-28 14:19:20.0929 Protection enabled
Thu 2013-11-28 14:19:20.0929 Saved updated configuration
Thu 2013-11-28 14:19:27.0382 Scan Started: [ID: 1 - Flags: 551/48]
Client did its first scan and created a new set of logs. Its pretty much clean installation so I would advise not cleaning the folder 🙂 I dont use the backup feature so I cant comment on it, support would know more about it than I would.
So you mentioned that it is not a total loss due to the data on the Webroot side regarding detections: so that leads me to ask to what extent will recovery from a threat detected following the loss of the log in which the changes were first journaled be affected?
Awesome thread here guys... I am learning a lot sitting back reading!
OK now it is clear what I originally asked ... is it safe to clear *.log files from WRData folder and whether they will be automatically re-created? My so far findings is that all *.log files will re-occure except log files in Sync sub-folder.
Maybe someone of Webroot more accustomed to Backup & Sync features can shed more light.
As for if the journaling information being removed we can use the database (as a reference) to see what that infection has done in the past so we can manually repair system damage (i.e if an infecton or indeed a legimiate program has disabled a windows service etc) or point the client in the direction of dropped threats. If its a brand new threat that we havent seen before (its rare to run into this situation as we normally see threats in the wild before our customers) we may have to connect to have a look.
Very interesting. Thanks!
By this it is confirmed that ALL LOG FILES (*.LOG) in WRData folder including its sub-folders will resume itself. So if you mistakenly or purposely (but I don't recommend it) delete log files the WSA function and your protection isn't compromised and these log files will recreate on their own.
HOWEVER, to keep a sense of log files, i.e. to store history of actions what is necessary to troubleshoot many issues, IT IS HIGHLY RECOMMENDED TO KEEP ALL LOG FILES THAT WSA CREATES.