- How do I figure out which journaling db in WRData corresponds to which program being journaled?
- How do I "Allow" journaled applications that are not currently running?
- How do I see what applications I have manually Allowed which are not currently running? Is this data stored in the registry like the ID Shield information appears to be?
- When do the WRData\Journal registry keys get updated? Is this a reliable source of information yet? What happens if I delete these keys?
- In what situations would WSA wait for user input to clean up an infection when all the program settings are set to do everything automatically and not tell the user anything?
- Does removing entries from Application Protection have any enduring effect, or are they immediately repopulated without prejudice?
- What are the pruning settings for WRLog.log, if any?
- What are the exact abilities and functions of the filtering extension, especially as it compares to the local HTTP inspection engines of your competitors? Please be extremely specific.
- What abilities, if any, does WSA or its infrastructure have in reevaluating a Good determination of a file?
Solved
Technical questions about journaling and other
Best answer by Shawn
Hello Explanoit!
Let me take a stab at these very excellent questions...
1. How do I figure out which journaling db in WRData corresponds to which program being journaled?
HKLM\SOFTWARE\Wow6432Node\WRData\Journal shows entries for journaled processes and lists the MD5. These entries line up with dbxxxxx.db files in WRData. Once a file is determined or overridden, journaling stops.
2. How do I "Allow" journaled applications that are not currently running?
We will only journal a file that is unknown. If you do not want a file journaled or monitored, please create an override based on MD5 first.
3. How do I see what applications I have manually Allowed which are not currently running? Is this data stored in the registry like the ID Shield information appears to be?
Monitoring takes place in the background, so there is no visibility into this, but whitelisted or overridden files are not journaled anyway.
HKLM\SOFTWARE\Wow6432Node\WRData\Journal shows entries for journaled processes and lists the MD5. These entries line up with dbxxxxx.db files in WRData and are purged every so often as long as the file has been determined.
4. When do the WRData\Journal registry keys get updated? Is this a reliable source of information yet? What happens if I delete these keys?
These are updated any time an unknown enters the system and monitoring begins. If you delete a key that is currently linked to a db file, you will end the monitoring and lose all previous rollback info. The agent will start journaling it again, but will start from where it got lost.
5. In what situations would WSA wait for user input to clean up an infection when all the program settings are set to do everything automatically and not tell the user anything?
I cannot think of any...Folks???
6. Does removing entries from Application Protection have any enduring effect, or are they immediately repopulated without prejudice?
I am not sure there is an easy way to remove entries from Application Protection. Uninstall/reinstall...???
7. What are the pruning settings for WRLog.log, if any?
Development does have measures in place to try to keep the size of WRData to a minimum. Excessive monitoring of files is a common cause of this, and having support determine these or creating overrides if you are comfortable doing so is best practice.
8. What are the exact abilities and functions of the filtering extension, especially as it compares to the local HTTP inspection engines of your competitors? Please be extremely specific.
Currently the business product is utilizing a legacy PhishCheck feature which is due for EOL very soon. The replacement will be a BrightCloud implementation which is proving to be very effective on the consumer end of things.
More specifics to come on this as development gets closer to release, STAY TUNED!
9. What abilities, if any, does WSA or its infrastructure have in reevaluating a Good determination of a file?
I have seen good determined files get blocked by ID Shield, FW, heuristics, etc...
It all has to do with how high your settings are for heuristics and what the file is attempting to do. The WSA agent compares every PE file on the system against a LARGE set of rules before and during execution, if any part of that behavior matches a rule, it will be handled appropriately.
Whew... Nice work Explanoit! I know you will have some followup questions which we appreciate. You just let me know if anything in the above needs further clarification. More to come on webfiltering as it is changing almost weekly...
Thanks again!
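The answers to questions 1 through 4 describe a manual correlation: entries under HKLM\SOFTWARE\Wow6432Node\WRData\Journal carry the MD5 of each journaled process, they line up with dbxxxxx.db files in WRData, and overrides are created by MD5. The PowerShell below is an added example that automates that read-only correlation; it is not code from this thread or from Webroot. It assumes things the thread does not state: that the WRData folder is %ProgramData%\WRData, that a 32-bit host would use HKLM\SOFTWARE\WRData\Journal instead of the Wow6432Node path, and that each journal entry exposes the MD5 as a 32-character hex string somewhere in its key name, value name, or value data. Nothing is deleted (the answer above warns that deleting a journal key discards the rollback data for that process).

```powershell
# Added example (not from the thread or from Webroot). Read-only: it never
# modifies or deletes journal keys.
#
# Assumptions not confirmed by the thread:
#  - WRData lives at $env:ProgramData\WRData (override with -WrData)
#  - HKLM\SOFTWARE\WRData\Journal is the non-WOW64 fallback path
#  - each journal entry carries the journaled image's MD5 as 32 hex chars
#    in its key name, value name or value data

function Get-WrJournalCorrelation {
    param(
        [string]$JournalKey = 'HKLM:\SOFTWARE\Wow6432Node\WRData\Journal',
        [string]$WrData     = "$env:ProgramData\WRData"
    )

    if (-not (Test-Path -LiteralPath $JournalKey)) {
        $JournalKey = 'HKLM:\SOFTWARE\WRData\Journal'   # assumed fallback
        if (-not (Test-Path -LiteralPath $JournalKey)) {
            throw "No WRData\Journal key found under HKLM"
        }
    }

    # MD5 -> running processes whose image hashes to it, so a journal entry
    # can be tied to something that is executing right now.
    $running = @{}
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        $img = $proc.Path
        if (-not $img -or -not (Test-Path -LiteralPath $img)) { continue }
        try { $h = (Get-FileHash -LiteralPath $img -Algorithm MD5).Hash.ToLower() }
        catch { continue }
        if (-not $running.ContainsKey($h)) { $running[$h] = @() }
        $running[$h] += "$($proc.ProcessName):$($proc.Id)"
    }

    # db files actually present on disk (the answer says they are purged
    # once the file has been determined)
    $dbOnDisk = @{}
    Get-ChildItem -LiteralPath $WrData -Filter 'db*.db' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $dbOnDisk[$_.Name.ToLower()] = $_ }

    $keys = @(Get-Item -LiteralPath $JournalKey) +
            @(Get-ChildItem -LiteralPath $JournalKey -Recurse -ErrorAction SilentlyContinue)

    foreach ($k in $keys) {
        foreach ($valueName in $k.GetValueNames()) {
            $data = [string]$k.GetValue($valueName)
            $blob = "$($k.PSChildName) $valueName $data"
            $md5  = [regex]::Match($blob, '\b[0-9a-fA-F]{32}\b').Value.ToLower()
            $db   = [regex]::Match($blob, 'db\d+\.db', 'IgnoreCase').Value.ToLower()

            $onDisk = $null; $sizeMB = $null
            if ($db) {
                $onDisk = $dbOnDisk.ContainsKey($db)
                if ($onDisk) { $sizeMB = [math]::Round($dbOnDisk[$db].Length / 1MB, 2) }
            }
            $live = ''
            if ($md5 -and $running.ContainsKey($md5)) { $live = $running[$md5] -join ', ' }

            [pscustomobject]@{
                Key       = $k.Name
                ValueName = $valueName
                MD5       = $md5
                DbFile    = $db
                DbOnDisk  = $onDisk
                DbSizeMB  = $sizeMB
                Running   = $live
            }
        }
    }
}

# MD5 of an image in the form needed to create an override before the agent
# starts journaling it (question 2): overrides are keyed by MD5.
function Get-WrOverrideHash {
    param([Parameter(Mandatory)][string]$Path)
    (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
}

# Largest journals first: these are the entries most likely to be bloating
# WRData (question 7) and the first candidates for an override.
Get-WrJournalCorrelation | Sort-Object DbSizeMB -Descending | Format-Table -AutoSize
```

Run it from an elevated console, since HKLM and other users' process images are not readable otherwise. Rows with a DbFile but DbOnDisk of False are entries whose journal has already been purged; rows with an empty Running column are the "not currently running" case from question 3, and their MD5 is what you would feed to the override.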