Hello,
1. Launch an application.
2. System Control immediately indicates "Block."
On my W8.1 AMD system, despite the "Block" some applications remain in the Task Manager list and are able to establish an outbound connect. The CPU and network IO will both eventually drop to 0, but it is unclear if WSA has blocked these activities or the process has simply gone idle.
Does System Control "Block" eventually auto-force-terminate the process and then a scan is auto-run (should the user allow WSA time to accomplish this automatically)?
or
The user should manually "Stop Untrusted Processes" for any "Blocked" process or, alternatively, perform a manual scan?
I only ask as, in some cases, it is not clear whether the application has self-terminated or WSA force-terminated it.
In other cases, the application will remain in both Task Manager and System Control until a manual scan or "Stop Untrusted Processes" is utilized.
After a scan, the application cannot be launched - which is correct.
This leads me to think the correct course of action is to manually stop the process and then perform a scan... but I'd like to confirm to establish correct use.
If WSA's System Control does not auto-terminate - and the user should terminate and then run a scan - then some form of notification would be most helpful.
Best Regards,
HJLBX
Hi HJLBX
I know what you mean and the general point of WSA notifying users when actions have been taken, where it might not be immediately obvious to the user, has come up before...more specifically in terms of when an application cannot be classified as either good or bad and so WSA flags them as Undetermined, and sets them to 'Monitoring' mode until a determination can be made.
I believe that a Feature Request was put in for that but perhaps a further one (from you) may be called for to bring this to the Development Team's notice, etc., although I would add that with any such request there should be, IMHO, inclusion of the provision of an 'Advanced Setting' option to switch such notifications on or off, with a default of 'Off' (to prevent WSA from seeming too 'noisy').
I would personally have the setting set to 'Off' as I am happy with the way that WSA works but inclusion of such a function may offer less experienced users some additional information at the appropriate time.
In terms of your question...I have seen both behaviours so it may in fact depend on what else WSA has determined as part of the analysis that initiated the 'Block'...might be best to refer this to the Support Desk for clarification.
As I have said before, I am happy with the way WSA works by default but can see the value of your question.
Regards, Baldrick
Hello Baldrick,
Yes.
It's one of the nuances of WSA that I really haven't spent the time to "flesh-out" with some advanced utilities and additional observations.
Like you, I'm seeing what appears to be both auto-forced-termination and termination after a scan - whether manual or scheduled.
Just trying to figure it out.
Yeah. Notification regarding "Monitoring" and "Blocking" (if the user should perform a manual scan) would be very beneficial... so the user can take appropriate action relatively quickly instead of discovering a "Monitored" or "Blocked" file hours later - and the needless accumulation of excess journal data.
Thanks mate!
HJLBX
Hi HJLBX
Why not try your hand at a Feature Request on that point...you never know...it may garner some serious support and then the Development Team may consider it.
Regards, Baldrick