WRdata folder

Discussion in 'Prevx Betas' started by ReverseGear, Aug 12, 2011.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It will decrease - there is a maximum of 16 logs stored and they are overwritten each time another scan takes place. We're changing this to a maximum of 3 logs in the next update to prevent concern over disk size :)
     
  2. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Great to know the numbers, Joe! :) You guys (and you in particular) are doing a terrific job!
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Also, here's another interesting find I found while conducting an on-execution test of malware samples today:

    MD5: 022C6C7F0EEAE4A0223602A2BDDCE094

    [Attachment: glitch 2.png]

    Why is it that the malware sample is asking me if it's allowed to connect to the Internet? WSA detects it as malicious with its generics; shouldn't all potentially malicious actions made by the malicious file be aborted if that's the case? If you ask me, WSA shouldn't ask the user whether the malicious file is allowed to connect or not. The file has been found malicious, and for obvious reasons it should not be allowed to connect to the Internet. :)

    EDIT: Forgot! Yes, heuristic is set to always warn when a "new", not trusted, file tries to connect to the Internet. However, the file is found malicious in the first place, so it shouldn't ask anyway. :)
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I would want it to ask as it could be a legit program that wants access and if you know it's malware then you Block it!

    TH
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Actually, just cleaning the malicious file makes the message about connecting to the Internet disappear. :) So that's a very good question you ask, TH!

    But, what if I clicked 'allow' about the malicious file connecting to the Internet...? Would the file still connect to the Internet in the background while waiting for my decision about removing the detected file?

    In my opinion, once a file is detected as malicious, no further pop-ups should appear, since all actions from the malicious file should be stopped without prompt.
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Argh. I'm a bit annoyed right now. I realized I posted in the wrong thread. Excuse me for any inconvenience this may have caused. I'll also post my experience in this thread too.
     
    Last edited: Aug 21, 2011
  7. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    No, it would not until you click on one of the buttons. Let's just say you allow; then it will try to download more malware, and then more for WSA to clean up!

    TH
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Agreed, but still, if the file is indeed found malicious, it shouldn't be allowed to even perform those actions until I decide whether to allow/block the file. But then again, it's just my personal opinion!
     
  9. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I'm just talking about a typical firewall: it gives you a pop-up where you have to either click Allow or Block, such as in this case!

    TH

    EDIT to Add: You can also see a countdown from the WSA firewall; if you let the timer run out it automatically Blocks, or I could be wrong? Maybe some of Joe's wisdom is needed here!
     
    Last edited: Aug 21, 2011
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I get your point now!

    WSA is more of a suite these days (albeit an extremely lightweight suite). If one module detects a file as malicious, the other module shouldn't need to interfere (in this case the firewall asked for permission).

    When further testing samples, this behavior is very common. Nearly all samples (most of them being trojan downloaders) are found malicious but WSA firewall asks me for permission to let them through, even when not having decided what to do with the malicious file in the first place. :)
     
    Last edited: Aug 21, 2011
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Exactly, I couldn't have said it better myself! ;)

    TH
     
  12. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Look at it again TH, it says 'allowing in' - not block! That's bad :(
     
  13. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Yes, after detecting the malicious file, WSA is auto-allowing the malicious file to connect within X amount of seconds if you don't hurry up and remove the threat. At least this is what I found in my tests today.
     
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Yes, I thought I was wrong. Thanks Dark Star 72 & shadek! But all the settings are Warn and we know that there is a bug in the first selection! It would be nice to have an Auto Block or Block All in the selection for advanced users!

    TH

    [Attachment: Capture21-08-2011-4.24.32 PM.jpg]
     
    Last edited: Aug 21, 2011
  15. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    What is a concern in this case is that:

    1) The file I executed was found malicious by WSA _but_ a few seconds later, before removing and blocking the malware, I get a pop-up saying WSA will auto-allow the malicious file to connect to the Internet.

    2) I've set WSA to this policy:
    [Attachment: wsa.png]

    WSA does do what I've set it to do. It warns me when the new, untrusted process tries to access the Internet. The problem is that the file before that was found malicious and remains (active?) in the background. IMO after a file is detected as malicious, ALL actions made by this file should be aborted by WSA and in particular any Internet activities.


    What would be nice is an option which warns me about Internet activities like the option I've marked in the screenshot above, but does not auto-allow after X seconds and instead auto-block after X seconds! And also, if a file is malicious, the user should not be prompted anyway about Internet activities. They should be automatically blocked.

    Has anyone else experienced the behavior from WSA I encountered today? I've tested against several samples and a few of them made WSA behave this way. It'd be interesting if you could share your findings!

    And sorry for posting in the wrong thread to start with. It was never my intention to go this off topic; I was too tired to notice... and when I realized I posted in the wrong thread, someone had already replied and quoted my post.
     
    Last edited: Aug 21, 2011
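    The behaviour described in the post above (a file already flagged by the scanner still gets an outbound-connection prompt, and the prompt auto-allows when its timer expires), modelled as an added example that is not WSA's code or anything from the thread. The timer length, process names and the policy field names are all constructed assumptions; the point is to show the observed fail-open policy beside a fail-closed one where the scanner verdict takes precedence over the firewall prompt.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"   # decision still pending, timer running


@dataclass
class ProcessState:
    name: str
    flagged_malicious: bool = False  # scanner's generic detection fired
    trusted: bool = False            # known-good per reputation lookup


@dataclass
class FirewallPolicy:
    warn_on_untrusted: bool = True             # "warn" setting, as in the thread
    prompt_timeout_s: int = 30                 # assumed timer length (constructed)
    timeout_default: Verdict = Verdict.ALLOW   # fail-open, as observed in the thread
    detection_overrides_prompt: bool = False   # hardened: scanner verdict wins

    def decide(self, proc: ProcessState, waited_s: int,
               user_choice: Optional[Verdict] = None) -> Verdict:
        # Hardened rule: a file already found malicious never gets a prompt.
        if self.detection_overrides_prompt and proc.flagged_malicious:
            return Verdict.BLOCK
        # Trusted processes, or warn mode switched off, pass silently.
        if proc.trusted or not self.warn_on_untrusted:
            return Verdict.ALLOW
        # Prompt path: an explicit user answer always wins.
        if user_choice in (Verdict.ALLOW, Verdict.BLOCK):
            return user_choice
        # No answer yet: keep waiting, or apply the timeout default.
        if waited_s < self.prompt_timeout_s:
            return Verdict.PROMPT
        return self.timeout_default


OBSERVED = FirewallPolicy()  # warn + auto-allow on timeout, detection ignored
HARDENED = FirewallPolicy(timeout_default=Verdict.BLOCK,
                          detection_overrides_prompt=True)


def compare(proc: ProcessState, waited_s: int) -> tuple:
    """Return (observed, hardened) verdicts for the same process and wait time."""
    return OBSERVED.decide(proc, waited_s), HARDENED.decide(proc, waited_s)
```

With the observed policy a flagged sample that the user has not answered is allowed once the timer runs out; the hardened policy blocks it immediately and, for unflagged untrusted processes, blocks rather than allows on timeout.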
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've replied now in the other thread - it would be helpful to keep this discussion over there if possible so that I don't start disagreeing with myself! :)
     