Crypto unlocking etc ?

Discussion in 'Prevx Releases' started by CloneRanger, Feb 19, 2014.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re for eg, this thread https://www.wilderssecurity.com/showthread.php?t=360267

    If WSA is able to undo the nasty deeds, of this & other malware, it must be storing copies of Everything we do :eek: or @ least the constant changes !

    1 - Where is it storing ALL this ?

    2 - Is it encrypted ?
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It is not storing copies of everything on the system, only changes made from untrusted, suspicious applications. This is what is stored in the WRData folder (which is why it can grow to be quite large if an application isn't whitelisted).

    Yes.
     
  3. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Could this be a trigger for WSA (cloud) that it is time for someone to take a look at the specific computer (application) to deem it good or bad?
    If the MB of the WRData folder reaches a certain point?

    /E
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Currently the size of journaled data isn't reported up but I think that would definitely be worth doing.

    Thanks!
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ PrevxHelp

    Thanx for the explanations, & good to know :thumb:
     
  6. mwb1100

    mwb1100 Registered Member

    Joined:
    Sep 28, 2005
    Posts:
    25
    The impression I get from Webroot's website is that the Journaling and Rollback feature is included only in the Business endpoint version of Webroot.

    Is that correct?

    If it's also included in the Home version of WSA, is there something in the UI that controls or monitors the journaling activity?
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    No, not correct. It's also there in the home version. :)
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    As fax said, it is in all versions of WSA, including Consumer. The Active Processes dialog under Utilities > System Control shows what processes are being Monitored (and therefore journaled).
     
  9. mwb1100

    mwb1100 Registered Member

    Joined:
    Sep 28, 2005
    Posts:
    25
    Nice - I'm liking what I find out about Webroot more and more every day.

    Now I need to figure out a way to test it. Maybe if I write a small program that XOR's a doc file with some random string and download that program in a .zip file from the internet? Will that cause it to be untrusted and have the journaling/rollback functionality kick in?

    If that won't work for whatever reason, is there a good way to test this? For my own curiosity, I'd like to see this in action. It'll also help me be less worried about CryptoLocker-style malware.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, that will work - then just add the application under Utilities > Manual Threat Removal and it will revert the changes during cleanup. Let me know if you have any questions!
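
    The test mwb1100 describes above, sketched as an added example that is not part of the original thread and is not Webroot code: it touches only constructed files in a scratch folder, records SHA-256 baselines, applies the XOR change, and can later report which files were not restored. The function names, key and file names are assumptions; whether WSA treats the process running it as untrusted is outside what the script controls.

```python
import hashlib
import json
import tempfile
from pathlib import Path

KEY = b"rollback-test-key"  # constructed key (assumption); any non-zero bytes work

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_scratch_docs(root, count=3):
    """Create constructed sample files; never point this at real documents."""
    root.mkdir(parents=True, exist_ok=True)
    docs = []
    for i in range(count):
        p = root / f"sample_{i}.doc"
        p.write_bytes(f"constructed test document {i}\n".encode() * 64)
        docs.append(p)
    return docs

def baseline(docs):
    """Map each scratch file to its hash before anything is changed."""
    return {str(p): sha256(p) for p in docs}

def xor_in_place(path, key=KEY):
    """Overwrite the file with its XOR against a repeating key (self-inverse)."""
    data = path.read_bytes()
    path.write_bytes(bytes(b ^ key[i % len(key)] for i, b in enumerate(data)))

def not_restored(manifest):
    """Return the files that are missing or still differ from the baseline."""
    return sorted(
        name for name, digest in manifest.items()
        if not Path(name).exists() or sha256(Path(name)) != digest
    )

if __name__ == "__main__":
    scratch = Path(tempfile.mkdtemp(prefix="rollback_test_"))
    docs = make_scratch_docs(scratch)
    manifest = baseline(docs)
    # Keep the baseline on disk so it can be reloaded after cleanup has run.
    (scratch / "manifest.json").write_text(json.dumps(manifest, indent=2))
    for d in docs:
        xor_in_place(d)
    print("changed files:", not_restored(manifest))
```

    After cleanup has run, reload `manifest.json` and call `not_restored()` again; an empty list means every scratch file matches its baseline hash.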
     
  11. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Do you have to go this way about it, Joe?
    What happens if you just block the monitored file (app) under "Control Active Processes"?
    Or will that only block the file, not clean it up?

    /E
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That will only block the file, but if you run a scan, it will be detected and will be removed as expected. The "Manual Threat Removal" route is easier if your application doesn't remain resident (as it would only be shown in the Active Processes list if it is indeed an active process).
     
  13. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Ahh! Good to know.
    A scan will clean up whatever you block if I understand you correctly?

    /E
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, exactly (and any other copies of that file across the system as well).
     