Webroot suspicious files supervision

  • 22 April 2014
  • 9 replies
  • 107 views

Userlevel 2
Hi, I am worried. My security combo works very fine: CFW and Webroot are great, and WinPatrol too. I tried EMET but it causes some crashes and conflicts. I want to know something: the virtual kiosk from Comodo only allows me to use 70% of the apps I need for my work at the research center (sorry for apparently being presumptuous). I think maybe some are not too bad, but for me they are suspicious; I am thinking of the files that I cannot run in a virtual environment. What if I add the installers to Webroot? Block or allow files: I can put them under supervision and Webroot tells me if they did a malicious thing when the supervision ends. I don't know how the supervision works; I have two hypotheses: 1. It supervises behavior and possible system damage, and if some harmful action is performed by the software in question, Webroot stops it. 2. Webroot constantly sends the behavior of those files and installers to the cloud, and when it discovers there that they are not harmful it passes them automatically to allow. I don't understand; I am reading the guides, but because of the language limitation it was difficult for me. For example, I add the MAXQDA installer to supervision, and if MAXQDA does something bad to my machine the supervision alerts me to block it, or if it does nothing bad it lets it run and allows it, and if in the future it discovers a bad behavior it alerts me and lets me undo unwanted changes? I want to take that measure because maybe in that way I don't need Comodo Virtual Kiosk and can give Webroot all the work of supervising my security. I hope you help me solve those questions, and always God bless the community and the Webroot product, great.


Userlevel 7
Hi aktiffk
 
Hope that you are well?  I just wonder where all these ideas come from and whether you have time to do anything else in a day but think them up...;)
 
Anyway, I think that I basically understand the lines that you are thinking along.  Essentially, we know that if WSA places a file in 'Monitor' mode and later finds (i) that it is malware, it will automatically reverse everything that the file may have done to the system since it was 'monitored', or (ii) if good, it changes the 'Monitor' to 'Allow' automatically.

But what you want to know is what happens in these cases if it is the user who manually places the file in a 'Monitor' status.  Does the same occur as per the above in each of the two cases, i.e., auto reversal or auto move to 'Allow'?
 
Well, to be honest I think that I know, but just to make sure I will check up on this and get back to you.
 
However, even IF the answer is 'Yes', i.e. manually putting a file to 'Monitor' does in the end work in the same way as when WSA puts a file into 'Monitor' status, the question is how you identify the uninstaller and all the components.  What I think that you are trying to do is what Windows System Restore tries to do, i.e., undo changes.
 
Now, this might work as you are thinking, but as I do not believe that the functionality was designed with that in mind, I think that the only way to know would be to test it and see.  Not an easy task, as you would need to try many combinations of installer/install process, and even if some do, not all may.
 
I still believe that your best option in dispensing with a virtual environment (or the Comodo Kiosk) is to image before you install and then roll back to a previous system configuration (via the image) if you find a need to go back/remove completely what has been installed.  For that I use AX64 Time Machine...as I have said before, and that allows me to do this easily and quickly.
 
Well, I hope that helps...I will be back as soon as I have a definitive answer regarding Auto 'Monitor' and Manual 'Monitor'.
 
Regards
 
 
 
Baldrick 
Userlevel 2
Thank you for your precise and long explanation; I cannot express my gratitude. I saw a software called sus restore which makes a real snapshot of the system, but I don't see a way to contact the developer, and some AV detects it as malware because it needs to restart to undo changes.

Your software looks fantastic, like Rollback Rx, but it is a paid version; I am paying exams for a postgraduate and my available money is _100 USD. If you share x64 with me I will thank you very much.

Comodo Kiosk is cool; it lets me use MAXQDA and ATLAS.ti, but it has problems with quantitative software like SPSS or statistics, or transcription software like nhc (too much adware)....

The installers are simple standalone setups in a single file, so it is feasible to add them manually to WSA.

As you can see, I am looking to use only WSA and Windows FW; I think it's a good combo?

hehe
Maybe if we test it there will be too many users who want to test untrusted installers that they are obliged to use, and not only in the Webroot sandbox, so as not to discard the changes in case they are not malicious.

You understand me: the basic user doesn't see the difference between a good or bad installer; even testers don't know with certainty.

You understand, and I await your answer.

God bless you
Userlevel 7
Hi aktiffk
 
I have finally managed to find out the answer to what you wanted to know as to what happens in the case where it is the user who manually places the file in a 'Monitor' status.  Does the same occur as when WSA places the file in 'Monitor' status, i.e., auto reversal or auto move to 'Allow'?
 
Well, as I thought, the answer is unfortunately 'NO'.  User determinations over-ride the cloud determinations, so the file will stay monitored until the user changes it, even if the cloud determination changes.  And the key is that a user really has to know what they are doing, hence why Support always recommends people use the defaults.
 
So I am afraid that your answer will not work, as there is no way to initiate the reversal of the activities that have been journalled (recorded by WSA) when monitoring is switched on manually.
 
I know that this is probably not the answer that you were looking for, but unfortunately it is.
 
Despite this I hope that my response has been of assistance to you.
 
Regards
 
 
Baldrick
Userlevel 2
Hey, it's a little sad, but if I monitor a file, maxqda11.exe, and it stays monitored, what happens? Does it run with one restriction or not? You say no auto allow; it means the supervision will be by myself, and if something wrong happens I can block it after my evaluation?

Hey, don't you think that if that was possible it would be a wonderful feature?
Userlevel 7
Hi aktiffk
 
In your example I would expect that WSA would react and attempt to block a file that it thinks is nasty...but whether it would start a reversal of everything that the file has been doing since the user set it to 'Monitor', as it would if WSA set it to 'Monitor', that I do not know.
 
I suspect not, otherwise WSA would be known as rollback software, which it definitely is not if you compare it to Rollback Rx and the like, which are dedicated apps for that.
 
The other thing to remember about the 'Monitor' feature is that the journals created are in most cases cleaned out/deleted when set by WSA and then used by it to deal with a piece of malware.  If monitoring is started and stopped manually/by the user then I think that the journals remain, taking up space until they are removed manually...not something that a user should do themselves unless they understand how they work/are recorded/used by WSA.
 
Again, apologies for not being able to give you good news/what you wanted to hear...but I will investigate further and confirm or not the above.
 
Hopefully that answers your original question? :D
 
Regards
 
 
 
Baldrick
Userlevel 2
Happy, happy, joy, joy, good morning. I restarted my sleep cycle and that is too difficult because I have to stay awake a long, long time. Now yes, I understand Webroot is not like Rollback Rx, but I see something.  When I used other AV products I saw they only delete infected files; I saw traces in my registry or folders, very nasty. I see Webroot removes all, because I think if, for example, I supervise the MAXQDA installer and run it, maybe Webroot will detect something if it does something bad. You understand me, I (don't know how to say it in English) make that hypothesis and question and threat because I believe too much in Webroot, and maybe we don't need another software, as you have told me many times. Some time ago, when Avast promoted its product with an advertisement for "Eight protection shields", I discussed (I argued in friendly terms) without fighting with an MVP guy and we concluded that's fake, because the eight protection shields are only eight interface monitors and only one or three areas to protect; you said the new Avast only checks three protection shields which integrate the eight. OK, I don't promote Avast, I hate it; it's an example. I think maybe Webroot has more capabilities than we know in the most simple version. I saw one Comodo fan who didn't do his homework, and it blocked it as an untrusted file (Word untrusted file), and he took his laptop and showed the teacher the file didn't open and said "Blocked as a suspicious malware or virus file". The teacher got very scared and told him "Give me your homework later". Comic but true, and a good example of how one product can do more than we pretend or say it does.
 
 
I want to ask you two things, maybe not related to this topic, or maybe yes. We are talking about restoring, going back, time machines.
 
First, as you know, in many cases manufacturers disable the option to create system images from Windows to oblige the user to use (very nice pleonasm) their own recovery options. We all know a hard drive doesn't take 1 minute to format if you choose deep format in XP, or if you use a third-party tool to format it, it takes longer. But recovery options don't do that, and in my case I have damaged my recovery media; I cannot format the machine (as always, as a paranoid guy) with a bootable media in zero format, low-level format, and then get rid of all partitions and recreate the recovery media. OK, I know that's something to do in case of extreme malware infections, and there are too many areas of the system that are protected where malware can enter only with difficulty, for example the MBR or the Windows 100 MB partition with recovery functions. You understand, as I told you, I work with suspicious software; I can be infected, and because I use it in a virtual environment the combo goes very well, but Rollback Rx snapshot software is good for me, but I don't have it, and making Windows images is a great resource to restore the system to a previous, pre-malware state, including solving too many other things. My manufacturer didn't disable that option, and it works fine to restore my system in 20 minutes. I don't need to update Windows; all goes back to normal in 20 minutes. My questions related to this explanation are these:
 
1. Yesterday Webroot blocked some nasty malware; I deleted it from quarantine. I know that it's malware, don't ask me what malware, but Webroot saved me. That happened after I made the image; in other words, the Windows image doesn't have malware. I restored it a few hours ago to test. But in the hypothetical case I have malware active on my machine and run the image, which doesn't format all drives because that function was blocked, it only rewrites the drive with old data; I see I lost some programs that I installed, for example Angry Birds or UMPlayer (installed after making the image). In other words, the system goes back to normality and a previous state, and I think another software isn't needed apart from Webroot, the Windows embedded image creator tool and my sandbox. But in the hypothetical case I have a virus and the drive doesn't format, only overwrites, what happens with that virus? Does it stay in the MFT or what?
 
2. Is Webroot still working well after image restoration? I suppose yes, but if it doesn't have to be reinstalled, what do I have to do with the blocked files and supervised files; do I have to add them manually?  And if Webroot blocked a file, sent it to quarantine and then I deleted it from quarantine, but in blocked files that file still keeps appearing, is it deleted from my PC or not?
 
3. Finally, I am not a partisan of piracy, but as I told you, I evangelize people to use Webroot; all my family are now using it standalone with Windows Firewall and MBAM. My cousin has emulators and games, some pirated games like Age of Empires, and she has to crack them; she never, never disables Webroot, and he cracks successfully (you know there are many people who do that, and I don't send a PM to ask you, maybe this helps). In the hypothetical case that my cousin's games have a nasty virus, will Webroot block them? I know maybe you will answer "tell your cousin not to install games", but too many people do, and if your security product alerts and blocks malware from that, I think I hope this from my security product, and my cousin too. I made a system image before he installed the games, and I ask you the same as in the previous question: if a game is infected, can she restore with her Windows image and the virus gets removed, or does it stay in the MFT?  (Sorry, I don't remember the letters, but you know what I refer to, that zone written with 1s and considered free space.)
 
I hope you answer, and thank you for your answers and comprehension; I feel you are like my friend. If I can I will give you a software, but I only have security products for hispasoftware. OK mate, good day and see ya.
Userlevel 7
Hi aktiffk
 
Hope that you are well?
 
Your posts seem to get longer and longer.  I am not sure how you manage to keep all the information in your head and then get it into the post. ;)
 
To answer your questions the best that I can I would say the following, based on my own experience:
 
1.  When using an image to recover to a previously used drive that you have not formatted before the recovery, then I would expect any malware on the drive to be overwritten by the image restore...it of course depends on the image restore software that you use, but usually if you are restoring the complete image then the MBR, the MFT, etc., should be included and restored as well.  That is certainly what happens when using Acronis (as I have in the past) and AX64 Time Machine (which I now use).
 
2. Whenever I have restored an image, WSA has worked as well and in the way it did when I took the image.  If I have made changes since I took the image, i.e., have added to the 'Block/Allow' list, etc., then I would expect those changes to disappear and to have to put them back in manually after restoring the image.
 
3. As I said in the response to 1. above, usually if you are restoring the complete image then the MBR, the MFT, etc., should be included and restored as well, and so any virus or malware lurking on the disk should be overwritten too.
 
I hope that helps?
 
Regards
 
 
 
Baldrick
 
 
Userlevel 2
OK, but you talk about advanced software like Acronis. With the Windows embedded one, suppose I take the image before being infected and don't format the HD, but restore the system image (Windows 100 MB partition, Windows PE and C: Windows); I get infected after taking it and I use my image stored on an external hard drive. Will the virus disappear?
Userlevel 7
Hi aktiffk
 
An image is an image, and if it is, then it is a complete copy of the disk that is imaged...if what you are restoring/writing back to the disk is not a complete copy of the disk when the 'image' was made, then it is not an image.  It should not matter who makes the software used, if it claims that it is imaging software.
 
If the image is written back to the disk then it will overwrite the malware if that got onto the disk AFTER the image was taken/made.
 
Regards
 
 
 
Baldrick