Jurnaling and updated applications

Discussion in 'Prevx Releases' started by topor, Jan 10, 2013.

Thread Status:
Not open for further replies.
  1. topor

    topor Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    18
    How does jurnaling work on updated applications?

    Let's say:

    1. PC is infected with an "not clasified yet" virus
    2. The virus is changing 1 registry on an application
    3. After 1 hour the application would update itself and the affected registry is replaced with new good /updated one (for updated application)
    4. After 2 hours the virus is clasified as "Virus" ,deleted, and old registry restored

    In this scenario, the virus is gone, but the jurnaling just made the updated application unusable.

    Now imagine that the application is part of boot sequence for Windows ........
     
    Last edited: Jan 10, 2013
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Is there a problem all you do is hit and disappear and don't reply to the answers for a noobie to the forums? :blink:

    TH
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA repairs the boot sequence of Windows and replaces registry entries with known good values. If malware has modified the values for some application (a third party program, not the OS) WSA will restore it to its previous known good state. There wouldn't really be any reason for malware to just change random application registry values, but in this case, it would be no worse off as you would now have legitimate values rather than malware-modified values.
     
  4. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Also stands again that this kind of damage would not be "fixed" by any other antivirus either. Either the updated valid program broke the malware, or the malware would re-break the updated application. So either the malware is broken or the application is broken with another AV anyway.

    Either way, since the last change is made by a trusted application (the updated application), the journalling wouldn't change it since it was already "repaired" by a trusted application.

    That being said, the case you describe is what is known as a nonsensical theoretical. It describes a case that has never happened in reality and that there is no reasonable likelihood of happening in reality and there is no reasonable manner by which it could legitimately be induced to happen.
     
  5. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    TH:
    After a feeling surfaced, a quick forensic analysis across existing internet presence shows that it's just cladiu's new account, so it's not much to worry about.
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    That was my thought by the hit and run!

    TH
     
  7. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    768
    Location:
    "Here on Wilders"
    LOL, I was thinking the same. I guess he can start all over again bashing Webroot with a different name.
     
  8. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    There's no proof at this time only an assumption.

    TH
     
  9. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    I think it's nice to have another WSA user on the forum, it's been pretty quiet around here recently anyway :argh:
     
  10. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    Looking on the forum there is another thread regarding 'journalling', I think maybe topor might be having a bit of a wind-up & teasing us by deliberately misspelling it 'Jurnaling', on both threads - Still he/she is new to Wilders so no offence intended ~
     
    Last edited: Jan 12, 2013
Thread Status:
Not open for further replies.