Crypto unlocking etc ?

Re for eg, this thread https://www.wilderssecurity.com/showthread.php?t=360267

If WSA is able to undo the nasty deeds, of this & other malware, it must be storing copies of Everything we do or @ least the constant changes !

1 - Where is it storing ALL this ?

2 - Is it encrypted ?

 

It is not storing copies of everything on the system, only changes made from untrusted, suspicious applications. This is what is stored in the WRData folder (which is why it can grow to be quite large if an application isn't whitelisted).

Yes.

 

Could this be a trigger for WSA (cloud) that it is time for someone to take a look at the specific computer (application) to deem it good or bad?
If the MB of the WRData folder reach a certain point?

/E

 

Currently the size of journaled data isn't reported up but I think that would definitely be worth doing.

Thanks!

 

@ PrevxHelp

Thanx for the explanations, & good to know

 

The impression I get from Webroot's website is that the Journaling and Rollback feature is included only in the Business endpoint version of Webroot.

Is that correct?

If it's also included in the Home version of WSA, is there something in the UI that controls or monitors the journaling activity?

 

No, not correct. It's there also in home version.

 

As fax said, it is in all versions of WSA, including Consumer. The Active Processes dialog under Utilities > System Control shows what processes are being Monitored (and therefore journaled).

 

Nice - I'm liking what I find out about Webroot more and more every day.

Now I need to figure out a way to test it. Maybe if I write a small program that XOR's a doc file with some random string and download that program in a .zip file from the internet? Will that cause it to be untrusted and have the journaling/rollback functionality kick in?

If that won't work for whatever reason, is there a good way to test this? For my own curiosity, I'd like to see this in action. It'll also help me be less worried about CryptoLocker-style malware.

 

Yes, that will work - then just add the application under Utilities > Manual Threat Removal and it will revert the changes during cleanup. Let me know if you have any questions!

 

Do you have to go this way about it Joe?
What happens if you just block the monitored file (app) under "Control Active Processes"?
Or will that only block the file, not clean it up?

/E

 

That will only block the file, but if you run a scan, it will be detected and will be removed as expected. The "Manual Threat Removal" route is easier if your application doesn't remain resident (as it would only be shown in the Active Processes list if it is indeed an active process).

 

Ahh! Good to know.
A scan will clean up whatever you block if I understand you correctly?

/E

 

Yes, exactly (and any other copies of that file across the system as well).