Solved

wrdata folder




88 replies

Userlevel 7
Badge +34
I will be careful - the eight I've just deleted all related to software that I had already removed from my PC!
 
As you say this thread is a great example of how we can all learn from the more senior members of the community and I really appreciate all the time and effort that they put in.
Userlevel 7
Badge +55
I'm sorry everyone in reality no one should be in the WRData Folder that's why it's in a hidden area so I always tell users to: https://community.webroot.com/t5/Webroot-SecureAnywhere-Internet/wrdata-folder/m-p/124026#M2962 to be safe as it would be very upsetting to see someone make a mistake and trash their system in case WSA is monitoring any Malware IMO go through support!
 
Daniel 😉
Userlevel 7
Badge +7
You are very welcome Nemo.  It was trial and error for me but it helped me to read posts from other senior members like TripleHelix and Baldrick.  Just play it safe and only delete what you are sure of, knowing that it is always a gamble to some extent.
 
Dave  
Userlevel 7
Badge +34
Thank you Dave - the fog has finally lifted for me regarding the db files and I have now been able to delete eight old ones, leaving just one. I know that one is safe but I will just see how long WSA keeps monitoring before it deletes it automatically. 😃
Userlevel 7
Badge +7
?, ?,
 
I keep tabs on WRData directory several times a week.  It doesn't take long and you can put a shortcut on your desktop to go right to it.  Sometimes I go days and days without any new db files being added.  By checking frequently it never grows to more than two or three .db files at most.  I can almost tell you when I am going to have them and what they are without even looking at the WRLog or Scan log.  For me, it is pretty much a one to one relationship to new or updated apps that I have had an active role in causing.  I do a quick check to verify I am on the right track, run the process of verifying the files as I mention in my other post, and if they are ok, I delete the .db files and don't look back.  If I can't tell for sure I leave the files for a while to see what WSA determines.  So far it has worked for me.
 
Dave
Userlevel 7
Hi BradKilmer
 
That sounds about right but as has been said earlier in this thread you need to be very careful as in amongst the files being monitored there could be ones that genuinely need to be because they are 'undetermined' as to whether good or bad.
 
If you delete the journalling file for one of these and then WSA determines that the file is bad, if you have deleted the associated 'dbnnnn.db' file then WSA will be unable to roll back any nefarious actions that the file/app may have been able to take in your system whilst being monitored, and so you will have lost a very useful facility.
 
Personally I would also add in a check for a list of files/apps, i.e., a control list if you will, that you know are good, i.e., the ones you are creating and only delete 'dbnnnn.db' files if the app in the EXE path matches one of the ones in your control list.
 
Just a thought.
 
Regards, Baldrick
Userlevel 2
I think I see what I need to do; I'm going to write a clean-up app to automate this process.
 
Let me know if you think the following steps sound OK:
 
  1. Load the WRLog.log file
  2. Scan for all of the 'Monitoring process' lines
  3. Extract the EXE path and (NNNN) information into a data table
  4. Compare EXE path info to Off-Limits-Folder list (to build list of NNNNs to delete)
  5. Delete all dbNNNN.db files in deletion list.
 
Userlevel 7
I am afraid that currently there is not. I believe that there is however a Feature Request for that specific functionality and that it may be with us soon...but presently there are no indications on timescales.  All that we know is that "This one is in the works and is waiting on QA testing currently."
 
Please see here for more details on this.
 
Regards, Baldrick
Userlevel 2
I had a look in the WRLog.log and saw that the bulk of the activity is centered around the repeatedly changing EXE files in my working folders (every time I compile a new EXE, more activity). 
 
The perfect solution to this problem would be to allow me to specify my working folder tree to be off-limits to WSA scans; I never install 3rd party software into my working folder tree and some days I recompile my apps dozens of times.
 
Is there a way to specify an off-limits folder?
 
Thanks
Userlevel 7
Badge +7
Thanks ?,  I'm all for faster and better. :D
 
Dave
Userlevel 7
Hi D_J
 
But of course...I forgot about that way of doing things. :@
 
I am still looking for the Registry entries approach as that gives an even faster way of determining what is what and when I refind it I will advise back.
 
Regards, Baldrick
Userlevel 7
Badge +7
Good Morning ?, this is good info about the registry.  
 
I also check my wrdata folder from time to time, especially after installing new apps.  I have had good luck saving a scan log and searching for the xxxx in the dbxxxx.db to see what is lurking about.  
 
I know you are already aware but for BradKilmer's interest, it will look like this:  Thu 2015-09-10 07:39:12.0568 Monitoring process C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe [40AE8622D89D27C4F704A324CA82AA70]. Type: 3 (XXXX)
 
From that, I can check the file against VirusTotal and or other means of verifying authenticity and determine if it is safe to delete the .db file, uninstall the app, or wait and see what WSA will ultimately do.  
 
Just one more way.
 
Thanks,
Dave 
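
A dry-run sketch of the clean-up steps BradKilmer lists, combined with Baldrick's control-list check and the 'Monitoring process' line format Dave quotes. This is an added example, not code from any poster or from Webroot; it only reports candidates and deletes nothing. The `C:\Work` root, the sample log, and reading the value in the trailing parentheses as the NNNN of dbNNNN.db are assumptions, and the path normalisation goes slightly beyond the steps in the thread.

```python
import ntpath
import re

# Line shape taken from the sample quoted in this thread. Assumption: the value
# in the trailing parentheses is the NNNN of the matching dbNNNN.db journal.
MONITOR_RE = re.compile(
    r"Monitoring process (?P<exe>.+?) \[(?P<md5>[0-9A-Fa-f]{32})\]\. "
    r"Type: (?P<type>\d+) \((?P<id>\w+)\)"
)

def parse_monitored(log_text):
    """Return (exe_path, md5, journal_id) for every 'Monitoring process' line."""
    return [(m["exe"], m["md5"].upper(), m["id"])
            for m in MONITOR_RE.finditer(log_text)]

def under_root(exe, root):
    """True only if exe really sits below root (case-insensitive, '..' resolved)."""
    exe_n = ntpath.normcase(ntpath.normpath(exe))
    root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return exe_n.startswith(root_n + "\\")

def plan_cleanup(log_text, control_roots):
    """Dry run: split journal files into (candidates, keep). Nothing is deleted."""
    exes_by_id = {}
    for exe, _md5, jid in parse_monitored(log_text):
        exes_by_id.setdefault(jid, set()).add(exe)
    candidates, keep = [], []
    for jid, exes in sorted(exes_by_id.items()):
        # One path outside the control list is enough to keep the journal,
        # so WSA can still roll that process back if it is later judged bad.
        ok = all(any(under_root(e, r) for r in control_roots) for e in exes)
        (candidates if ok else keep).append(f"db{jid}.db")
    return candidates, keep

# Constructed sample log: paths, hashes and ids are made up for illustration.
SAMPLE_LOG = r"""
Thu 2015-09-10 07:39:12.0568 Monitoring process C:\Work\MyApp\bin\MyApp.exe [0123456789ABCDEF0123456789ABCDEF]. Type: 3 (1201)
Thu 2015-09-10 07:41:02.0113 Monitoring process C:\Users\Brad\Downloads\setup.exe [FEDCBA9876543210FEDCBA9876543210]. Type: 3 (1202)
Thu 2015-09-10 07:45:30.0771 Monitoring process C:\Work\..\Temp\helper.exe [00112233445566778899AABBCCDDEEFF]. Type: 3 (1203)
Thu 2015-09-10 07:50:09.0420 Monitoring process C:\WorkOld\tool.exe [FFEEDDCCBBAA99887766554433221100]. Type: 3 (1204)
Thu 2015-09-10 08:02:44.0007 Scan started
"""

if __name__ == "__main__":
    to_delete, to_keep = plan_cleanup(SAMPLE_LOG, [r"C:\Work"])
    print("candidates:", to_delete)
    print("keep:", to_keep)
```

Only the first sample entry is a candidate: the `..` path resolves outside `C:\Work`, and `C:\WorkOld` merely shares a name prefix with the control root.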
Userlevel 7
Hi BradKilmer
 
Welcome to the Community Forums.
 
As you are technical there is another way that avoids the uninstall/reinstall, which involves the review of the 'dbnnnn.db' files in the C:\Programdata\WRDATA folder, and then the deletion of selected ones of this file type.
 
This is not ideal but it does avoid the uninstall/reinstall and also preserves to some extent the rationale for those files; as you may have surmised from the thread these files are the journal files produced when WSA sets a file/app to 'Monitor' and so are important in case WSA has detected a suspicious or an as yet undetermined (in terms of goodness/badness) file/app and then determines it is bad and then needs to roll back its activities, etc., in which case the relevant 'dbnnnn.db' file is required.
 
The problem is that we cannot easily tell which 'dbnnnn.db' relates to which file/app in the system (there is a way by looking in the Registry but I have lost my notes on that...must try to find them) so the best thing to do is to (i) check all places in WSA where files could be set to 'Monitor', decide whether they are OK or not (and if in doubt leave them as such), (ii) try to work out roughly when a file/app that is set to 'Monitor' was so set & (iii) then go to the C:\Programdata\WRDATA folder and carefully delete all 'dbnnnn.db' files that are either prior to a certain period, i.e., say more than 2 weeks old, on the basis that WSA should have been in a position to sort out if the journal is required or not, or delete everything except for the 'dbnnnn.db' files that are circa the dates that you believe that you 'Monitored' files/apps may have started to be monitored, etc.
 
The above may seem more convoluted than an uninstall/reinstall, but I have found that it seems to work well, and does give you a better chance of keeping 'dbnnnn.db' files that may be needed; after all an uninstall/reinstall should clear all the files in that folder regardless of whether they are needed or not.
 
I hope that something in the rambling response above is of assistance?
 
Regards, Baldrick
Userlevel 2
I think the observation about new apps causing the extreme growth of the WRData folder is correct... I'm a (really busy) programmer, and my WRData folder contains 189 GB... Oddly, the Size On Disk is 177 GB (I guess that's the compression).
 


 
I'm going to try that uninstall/reinstall suggestion, but it sure would be nice to be able to clear this in a more civilized manner.
Userlevel 7
Badge +55
Hello it's best if you Submit a Support Ticket as that tells me you have lots of unknown files that need to be whitelisted! Also they will let you know how to clean up the WRData folder afterwards.
 
Thanks,
 
Daniel 😉
Badge +1
Hello there,
I'm on Windows 8.1 and my wrdata folder is above 6GB. This issue isn't solved yet? Any help appreciated...
 
Userlevel 2
Badge +3
Hi,,
It's been a while since I posted, but I have learned not to reinstall or install over the top of a beta program,,,simply check for updates and let the program update itself. This will not increase the size of the wrdata folder contents.
snake
Userlevel 2
Badge +3
Baldrick,,
I agree!
 
snake
Userlevel 7
Hi Snake

You could be on to something here as I am/have been a beta tester for some apps I use (including WSA :D)...so there is communality. And if you add this to what Kit has said about jumping "...on the update before it was common enough to be known-good,..." which fits the beta testing profile, then that would explain the size 'issue' experienced by some. ;)

I also suspect that a new version of a known-good app will have a different hash key, not yet flagged as good...hence the detection of 'suspicious' files, etc.
 
Regards
 
 
Balders
Userlevel 2
Badge +3
Baldrick,,
I have figured out the deal about data being retained in my wrdata folder. I am a tester for beta programs. When I install a new beta release like Firefox, Opera, Chrome or any program that is still in beta, a large data file is retained until I delete it. I don't know if this helps, but it is what is happening with my system.
Snake
 
 
 
Userlevel 7
Hi Kit
 
Thanks for the comprehensive response.  I suspect that I am indeed one of those who jumps on a latest update or release (I run RB Rx which means that if I find an issue I can very quickly roll back to pre the install)...so I suppose I am at the cutting edge...as you say...:D.
 
Will take a look as you have suggested but suspect that I will most probably uninstall/reinstall to 'clean' the folder.
 
Regards
 
 
Balders
Userlevel 7
No, seriously, I do not think that I run "...a lot of things that are highly uncommon and so are not known-good in the system" but then again...I might but do not know it.
 
Ah, yes, I suppose I should clarify.  If you install an update so quickly that it hasn't had a chance to become known-good, that counts.  If you use specialized utilities that are uncommon for "Average People" (Mom, Dad, Grandma) to use, that also counts.  The db#### files are per process or PE, so for example, installing a new version of Cygwin packages the moment they come out can result in a few dozen of them. 
 
If you are concerned about the files, then you can look at your scan logs to see what is marked as [u], and the section after the scan logs for mentions of things being monitored, since any of them that execute will create or add to a db#### file.  If they are things that were not transient (for example, if you see the installer for Flash being monitored, you probably just jumped on the update before it was common enough to be known-good, which means you were at the cutting edge of technology 🙂 ), simply opening a support ticket and mentioning that you have a lot of unknown items being monitored can get the data to the Threat Research team to look at.
 
Unfortunately, I'm not completely certain myself what the dst files are, so I'll have to check on that when I get back to the office.  The dba through dbp files are the normal configuration databases, and also include cleanup actions taken and the quarantine contents.
Userlevel 7
Hi Kit
 
Have 42 db#### & 6 ace files...so where do I get my 'cool dude' badge? ;)
 
No, seriously, I do not think that I run "...a lot of things that are highly uncommon and so are not known-good in the system" but then again...I might but do not know it.
 
Any suggestions as what I should upload to Support, etc., so that they can check on it?  Or is there no point?
 
Incidentally, I also have a number of db# (where # is between 'a' and 'p') and some dst## files (but not many).  Is the presence of these also significant?
 
Regards
 
 
Balders
Userlevel 7
Any db#### files are journalling information.  If you are able to delete these while the agent is running, that's actually bad.  I'll see if we can get more information about the handling of this data over time, but in general when you see a lot of these, it usually means that you're running a lot of things that are highly uncommon and so are not known-good in the system.
 
If you see a lot of ace files, that means a lot of stuff has been cleaned up.  Either there is a lot of infection stuff going on, which is bad, or you're scanning a lot of real malware to "test things".  In any case, the "Average" user does not get a large quantity of files in WRData.  Only people who are either testing against Malware or who are advanced enough to be running a lot of lesser-known or frequently-updated software that is not quickly tagged as Known-Good in the cloud system will get a large WRData folder. 
 
Hmmm... Does that mean that the size of that folder is like a badge of honor indicating how much cool obscure stuff you run?  XD
Userlevel 7
Nice one Snake, will certainly look at that angle.

BTW...have not found that because I use RB Rx; so I try software and if I decide not to keep it I rollback to a prior install snapshot, which effectively negates any change in the WRDATA folder.

But good tip.

Cheers

Balders
