Quarantine > Detection Configuration

Discussion in 'Prevx Betas' started by Tarnak, Sep 18, 2012.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Yesterday, I downloaded a package to my desktop as per post #2 in > Windows XP Pro Critical Updates (after SP3)


    WSA detected the following two files:



    Automated Cleanup Engine
    Starting Cleanup at 17/09/2012 - 19:56:18 GMT

    Starting Routine> Removing c:\documents and settings\<MyName>\desktop\wsusoffline742\wsusoffline\client\updateinstaller.exe...#(PX5:

    3DEC44F4B11CF89AE3F40924FDD9040074440C6D - MD5: 0010E6CBB04DC0215A7A8BE410FF5292)...
    Deleting File> c:\documents and settings\<MyName>\desktop\wsusoffline742\wsusoffline\client\updateinstaller.exe

    Automated Cleanup Engine
    Starting Cleanup at 17/09/2012 - 19:56:45 GMT

    Starting Routine> Removing c:\documents and settings\<MyName>\desktop\wsusoffline742\wsusoffline\updategenerator.exe...#(PX5:

    3DEC44F4D71CF89A28F40A24FDD90400844DF673 - MD5: A86E772A10990CFB63FD09036B6A5F4C)...
    Deleting File> c:\documents and settings\<MyName>\desktop\wsusoffline742\wsusoffline\updategenerator.exe


    I had them scanned at Virus Total and determined that they were safe, so I removed them from quarantine.

    Now, I have noticed that they have been allowed under Quarantine > Detection Configuration, automatically.

    ScreenShot_WSA_8.0.2.6_new look_03.jpg

    I had removed the whole download package from my desktop to another another location as can be seen from the following screenshot.

    ScreenShot_WSA_8.0.2.6_new look_08.jpg







    However, I would not necessarily want WSA to now allow, automatically.

    P.S. If I hadn't gone exploring, I would have been none the wiser.
     
  2. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    If you remove something from quarantine, it sets it to an override of "Allow" otherwise, unless it's whitelisted in the cloud system, it will be re-detected. The allow is by file hash, not by file name/location, it just shows the last-known location of that hash. Or first known, I forget. You can right-Click on the entry to Do Things.

    Also, if you're not sure about something, VT is not always the best place to check if WSA flagged it, unless you are absolutely 100% sure it's safe. I've seen stuff that WSA flagged that VT said was clean and was originally scanned several months ago. Rescan and still clean. But inspect the file more deeply just out of curiosity and sure enough, it was bad juju. So WSA caught something that nothing else on VT caught for over a month. Never found out if anything else on VT ever caught it. Lack of threat evidence is not evidence of lack of threat. I'm giving that as a general statement, mind you, not on those files specifically, which I make no warranty as to the status of.
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Where did they all go? o_O

    ScreenShot_WSA_8.0.2.6_new look_09.jpg
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    @ Techfox1976

    Thanks for chipping in with that info. :)

    I was hoping Joe, would have added something in reply...He has been in and out, in the forum. ;)



     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    I just checked again, and they are back! ;)
     
  6. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    He's probably super-extra-ultra-OMFG busy as all heck since they are probably releasing the new stuff so soon.
     
    Last edited: Sep 19, 2012
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Techfox is correct - it depends on the file, but it will usually be the last seen instance of it which is listed in the detection configuration window. Restoring a file from quarantine adds it as 'Allow', otherwise it would just be removed automatically instantly.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875

    The only files I have restored from quarantine are the two mentioned above, and an old archive rootkit file, apispy9x.dll which I know about but will never use.

    The others on that list such as Vipre, Defensewall, Opera and $isr have never been restored (by me) from quarantine. So, can see no reason for them appearing there.
     
  9. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    As you do allot of Beta testing of many products you must have allowed them at one point because they were not known to the cloud database at the time!

    TH
     
  10. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749

    Aye. I would surmise that going to the Control Active Processes and changing something from Monitor to Allow would also make it show up there. It would be silly for it to be set to "allow" in control and "block" in overrides.
     
Thread Status:
Not open for further replies.