How does journaling work on removable storage? Let's say:

1. PC is infected with a "not classified yet" virus
2. The virus is changing files on my external HDD
3. After 1 day I disconnect my HDD
4. After 2 days the virus is classified as "Virus" and deleted
5. On the 3rd day I connected back my HDD, with modified files

In this scenario, the virus is gone; how will the journaling repair my external HDD?
Great news! In the scenario you describe, you're either perfectly fine regardless, or screwed no matter what you use.

Possible cases:

1: File infector.
Besides being disgustingly rare anyway (you'd have to work really hard to get one), journalling doesn't come into play on cleaning up file infectors so it would act like a normal AV.

2: Dropping malware portions
Everything it drops is either going to be 100% inert when the drive is plugged back in because everything pointing to it was reversed, or it will be discovered as a descendant of the original infection when the drive is plugged back in.

3: Damaging legitimate files
You're out of luck. It wouldn't be repaired. BUT... It would never be repaired with any other AV program out there either. AND... The average response time to determine something is minutes to 1-2 hours, not "two days". However the damage to legitimate files would also trigger behavioral detection and cause it to be detected long before you disconnected the drive or it could do substantial damage.

The concept of repair by journalling is actually unique to the Webroot platform, since "repair" anywhere else actually means "Undo changes it made to executables (based on rules that may not be accurate for the specific infection so you might need to reinstall those things anyway) and delete extra stuff it dropped places".

It can't be perfect. Nothing can. But it has the chance to repair your MP3s that a piece of malware has messed up, which no other AV has even the capability of. -AND- it knows to remove the registry entry that would auto-run the malware written to your external and now disconnected drive despite the fact that the file is not there, while other AV would not be able to tell the registry entry itself is bad without looking at the file it's pointing to.

So like I said, either you're perfectly fine with Webroot or Anything Else in that case, or you're screwed regardless of what you're using. ^.^
Well said, Techfox1976! And yea, the nasty file infector, the little buggers, had me one of those many years ago.

TH