I have just been testing Geswall against 22 unknown malware threats. I ran each one in isolated mode, then terminated the process. What I am left with are several newly created files in c:\, c:\windows\system32\, c:\program files\ and 5 new registry entries into \CurrentVersion\Run\. Also, one of the executed malware apps managed to remove itself after executing. I was under the impression that Geswall should stop applications writing to \Run\? Secondly, is the a rollback feature like in DW?