i seen recently this PcMag review ( http://www.pcmag.com/article2/0,2817,2470312,00.asp )
and part of that review is :
This program was the ultimate unknown—never seen by anyone before until I compiled it. Webroot naturally started monitoring its behavior. I verified that the files had indeed been encrypted. Then I used Webroot's process list to manually block the program. Webroot terminated it immediately, and a scan restored the encrypted files. What fun!
Wow ! really Webroot is perfect ! Webroot is Security ! but i dont underestand exactly how Webroot restore encrypted files? for example i am going to be infected with a Ransomware or Cryptolocker.. ok ? so what happen? what should i do for that rollback? is that Automatic? or should i do something ?:D
Best answer by Baldrick
This all relates to WSA putting a file or app into a 'Monitored' state.
If WSA put them into 'Monitored' status (as it could not determine if they are good or bad) then later it will move them from that status to either 'Blocked' (as bad), and will initiate reversal of any actions performed whilst monitored or 'Allow' (as good) as soon as its determination in the Cloud has been completed.
So in the case of encryption it will monitor what is encrypted and when the ransomware is finally identified as such then WSA will look to roll back its activity.
This previous post may help understand what 'monitoring' is, in more detail.
The user can also move an automatically monitored file/app at any time if they believe that the file is good or bad in which case the journal files associated with the monitoring are not removed (I believe) or a user can set a file/app to monitor if they are suspicious of its intentions (same outcome re. the journal files produced, as previous stated).
Finally, please see this KB Article on what happens if WSA 'misses' a virus or malware. That should further help explain the feature.
Hope that helps?