Solved

wrdata folder

  • 5 February 2012
  • 88 replies
  • 1433 views



Userlevel 7
Any db#### files are journalling information.  If you are able to delete these while the agent is running, that's actually bad.  I'll see if we can get more information about the handling of this data over time, but in general when you see a lot of these, it usually means that you're running a lot of things that are highly uncommon and so are not known-good in the system.
 
If you see a lot of ace files, that means a lot of stuff has been cleaned up.  Either there is a lot of infection stuff going on, which is bad, or you're scanning a lot of real malware to "test things".  In any case, the "Average" user does not get a large quantity of files in WRData.  Only people who are either testing against Malware or who are advanced enough to be running a lot of lesser-known or frequently-updated software that is not quickly tagged as Known-Good in the cloud system will get a large WRData folder. 
 
Hmmm... Does that mean that the size of that folder is like a badge of honor indicating how much cool obscure stuff you run?  XD
Userlevel 7
Hi Kit
 
Have 42 db#### & 6 ace files...so where do I get my 'cool dude' badge? ;)
 
No, seriously, I do not think that I run "...a lot of things that are highly uncommon and so are not known-good in the system" but then again...I might but do not know it.
 
Any suggestions as what I should upload to Support, etc., so that they can check on it?  Or is there no point?
 
Incidentally, I also have a number of db# (where # is between 'a' and 'p') and some dst## files (but not many).  Is the presence of these also significant?
 
Regards
 
 
Balders
Userlevel 7
No, seriously, I do not think that I run "...a lot of things that are highly uncommon and so are not known-good in the system" but then again...I might but do not know it.
 
Ah, yes, I suppose I should clarify.  If you install an update so quickly that it hasn't had a chance to become known-good, that counts.  If you use specialized utilities that are uncommon for "Average People" (Mom, Dad, Grandma) to use, that also counts.  The db#### files are per process or PE, so for example, installing a new version of Cygwin packages the moment they come out can result in a few dozen of them. 
 
If you are concerned about the files, then you can look at your scan logs to see what is marked as [u], and the section after the scan logs for mentions of things being monitored, since any of them that execute will create or add to a db#### file.  If they are things that were not transient (for example, if you see the installer for Flash being monitored, you probably just jumped on the update before it was common enough to be known-good, which means you were at the cutting edge of technology 🙂 ), simply opening a support ticket and mentioning that you have a lot of unknown items being monitored can get the data to the Threat Research team to look at.
 
Unfortunately, I'm not completely certain myself what the dst files are, so I'll have to check on that when I get back to the office.  The dba through dbp files are the normal configuration databases, and also include cleanup actions taken and the quarantine contents.
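
An added example, not part of any post in this thread and not a Webroot tool: a read-only Python inventory that groups the files in a WRData folder into the categories described above and shows which one takes the space. The folder path is passed in by the user, and the name patterns are an assumed literal reading of the thread's notation (each "#" taken as one letter or digit, "ace" taken as a name prefix or an extension).

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Assumed reading of the thread's notation, applied to the file name without
# its extension: each "#" is one letter or digit; "ace" is a prefix or extension.
PATTERNS = {
    "config (dba-dbp)": re.compile(r"db[a-p]", re.I),
    "journal (db####)": re.compile(r"db[0-9a-z]{4}", re.I),
    "dst##": re.compile(r"dst[0-9a-z]{2}", re.I),
    "cleanup (ace)": re.compile(r"ace.*", re.I),
}
# What the thread says a large share of each category points to.
HINTS = {
    "journal (db####)": "many programs ran before being known-good; "
                        "check the scan log for [u] and monitored items",
    "cleanup (ace)": "a lot has been cleaned up",
}

def classify(name):
    """Map one file name to a category label, or "other"."""
    path = Path(name)
    if path.suffix.lower() == ".ace":
        return "cleanup (ace)"
    for label, pattern in PATTERNS.items():
        if pattern.fullmatch(path.stem):
            return label
    return "other"

def inventory(folder):
    """Read-only: return {category: (file_count, total_bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for entry in Path(folder).iterdir():
        if entry.is_file():
            bucket = totals[classify(entry.name)]
            bucket[0] += 1
            bucket[1] += entry.stat().st_size
    return {label: tuple(pair) for label, pair in totals.items()}

def report(folder):
    """Return rows (category, count, bytes, hint), largest category first."""
    rows = sorted(inventory(folder).items(), key=lambda kv: -kv[1][1])
    return [(label, n, size, HINTS.get(label, "")) for label, (n, size) in rows]

if __name__ == "__main__":
    for label, n, size, hint in report(sys.argv[1]):
        print(f"{label:18} {n:6} files {size / 2**20:10.1f} MiB  {hint}")
```

The script only lists and sums; it changes nothing in the folder.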
Userlevel 7
Hi Kit
 
Thanks for the comprehensive response.  I suspect that I am indeed one of those who jumps on a latest update or release (I run RB Rx which means that if I find an issue I can very quickly roll back to pre the install)...so I suppose I am at the cutting edge...as you say...:D.
 
Will take a look as you have suggested but suspect that I will most probably uninstall/reinstall to 'clean' the folder.
 
Regards
 
 
Balders
Userlevel 2
Badge +3
Baldrick,
I have figured out the deal about data being retained in my wrdata folder. I am a tester for beta programs. When I install a new beta release like Firefox, Opera, Chrome or any program that is still in beta, a large data file is retained until I delete it. I don't know if this helps, but it is what is happening with my system.
Snake
 
 
 
Userlevel 7
Hi Snake

You could be on to something here as I am/have been a beta tester for some apps I use (including WSA :D)...so there is commonality. And if you add this to what Kit has said about jumping "...on the update before it was common enough to be known-good,..." which fits the beta testing profile, then that would explain the size 'issue' experienced by some. ;)

I also suspect that a new version of a known-good app will have a different hash key, not yet flagged as good...hence the detection of 'suspicious' files, etc.
 
Regards
 
 
Balders
Userlevel 2
Badge +3
Baldrick,
I agree!
 
snake
Userlevel 1
Badge +5
Hello there,
I'm on Windows 8.1 and my wrdata folder is above 6GB. This issue isn't solved yet? Any help appreciated...
 
Userlevel 7
Hi Brad
 
I am looking forward to it.
 
Regards, Baldrick
Userlevel 7
Hi Brad
 
A good point well worth pointing out for those who might be confused or unsure. And use of this utility is very much on the basis that the user is warned that it could cause issues with the installation of WSA on their system, requiring a reinstall at the very least.
 
Regards, Baldrick
Userlevel 2
OK, keep me posted on your decision. I did some further work on it this weekend but didn't get it finished to my satisfaction quite yet. I will squeeze in some more time as I am able. If the development team wants to do this themselves, I understand; I'm not trying to step on anyone's toes here, but I had to do something to reclaim that space on my HD (and I wasn't going to pick through 3900 files manually).
 
FYI, Here is an updated shot of the main window; the list is sorted by total size of db files associated with each exe, the blue db items are to be left alone, the red db items are to be recycled, the gray db items are referenced in the log but do not exist on disk.
 


 
There is now also a filter which allows the user to show only excluded exedb files and also db files which are associated with exes which have been deleted (marked with the (FILE NOT FOUND) suffix):
 


 
If something similar could be added to WSA, that would be great; otherwise, I'm going to be using this.
Hello, I'd just like to say that just this morning I had 20GB free of my 250GB SSD and after installing an update to an application of mine, Webroot kept complaining about it and I had to allow access. However, after this my HDD kept decreasing in size to only 700MB left and I discovered my WRData folder to be over 46GB in size. I want to know what can be cleared from this folder.
Thanks for the information. I wish there was a way to tell Webroot where to store these DB files because this took up almost the entirety of my SSD.
