Jurnaling and removable storage

Discussion in 'Prevx Releases' started by topor, Jan 9, 2013.

Thread Status:
Not open for further replies.
  1. topor

    topor Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    18
    How does jurnaling work on removable storage?

    Let's say:

    1. PC is infected with an "not clasified yet" virus
    2. The virus is changing files on my external Hdd
    3. After 1 day I disconnect my hdd
    4. After 2 days the virus is clasified as "Virus" and deleted
    5. On the 3-rd day I connected back my hdd, with modified files


    In this scenario, the virus is gone, how the jurnaling will repair my external hdd?
     
    topor, Jan 9, 2013
    #1
  2. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Great news!

    In the scenario you describe, you're either perfectly fine regardless, or screwed no matter what you use.

    Possible cases:
    1: File infector.
    Besides being disgustingly rare anyway (you'd have to work really hard to get one), journalling doesn't come into play on cleaning up file infectors so it would act like a normal AV.

    2: Dropping malware portions
    Everything it drops is either going to be 100% inert when the drive is plugged back in because everything pointing to it was reversed, or it will be discovered as a descendant of the original infection when the drive is plugged back in.

    3: Damaging legitimate files
    You're out of luck. It wouldn't be repaired.
    BUT...
    It would never be repaired with any other AV program out there either.
    AND...
    The average response time to determine something is minutes to 1-2 hours, not "two days". However the damage to legitimate files would also trigger behavioral detection and cause it to be detected long before you disconnected the drive or it could do substantial damage.

    The concept of repair by journalling is actually unique to the Webroot platform, since "repair" anywhere else actually means "Undo changes it made to executables (based on rules that may not be accurate for the specific infection so you might need to reinstall those things anyway) and delete extra stuff it dropped places". It can't be perfect. Nothing can. But it has the chance to repair your MP3s that a piece of malware has messed up, which no other AV has even the capability of. -AND- it knows to remove the registry entry that would auto-run the malware written to your external and now disconnected drive despite the fact that the file is not there, while other AV would not be able to tell the registry entry itself is bad without looking at the file it's pointing to.

    So like I said, either you're perfectly fine with Webroot or Anything Else in that case, or you're screwed regardless of what you're using. ^.^
     
    Techfox1976, Jan 9, 2013
    #2
  3. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Well said Techfox1976! ;) And yea the nasty file infector the little buggers had me one of those many years ago. :ouch:

    TH
     
    Triple Helix, Jan 9, 2013
    #3
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...