NOD32 and OA are being replaced with Norton 360 Premier. What is the proper method to install Norton on a Win7x64 system? (Added: Norton is not being placed on my system, I regretted doing so over a decade ago and additional research showed I would regret it again. Currently, only Webroot Secureanywhere Antivirus is installed.)
Webroot can be initially disabled but a reboot caused an upgrade of ESET to go really, really, bad. I would like to avoid this problem on the Win7 system.
The community is being asked because support's final answer was: "the Webroot software you own from us is a full antivirus suite meaning that is all you need, so you do not need to antivirus applications."
(edited to indicate change of mind)
To my knowledge it's best to uninstall WSA and install Norton and reboot and then install WSA again and make sure you have a copy of your keycode as you will need it on install and ignore any pop-ups from Norton that says to remove WSA as in this https:///t5/Introduce-yourself-to-the/New-To-This-Site/m-p/14014#M668 and it's the user's personal preference to use another AV with WSA but it's true that you don't need to.
HTH,
TH
EDIT: And Welcome to the Webroot Community Forums. ;)
Hey ExpertNovice,
The last response you received from the support system was:
"In this situation our software does not conflict with other antivirus, so there is no reason to shut down or remove the Webroot software. Our software is a lot different than other antivirus programs out there, we are cloud security and we do not conflict with any other antivirus or firewall programs out there.
Can you send us a message from the computer in question so we can get its logs?"
The technician was trying to collect logs to continue the investigation. I am wondering if perhaps you had contacted someone who had claimed to be Webroot? You can reply to your support ticket and I would be happy to take over and send instructions for gathering logs.
Thanks TripleHelix for your suggestions! Please try these instructions and reply to your support ticket if you need further assistance and I will be happy to help.
Very recently, I installed Norton 360 Premier and shortly thereafter I installed WSA. I did receive one error message from Norton, advising me to uninstall WSA, which I ignored. The error message has since vanished and I have seen no other evidence of conflict between the two programs.
I installed both programs so that I could compare and contrast them, and as long as there is no conflict between the two, the simultaneous installation of both would not appear to be harmful or disruptive. In the short time I have had to compare the two programs, I have found that the scan time using WSA is much faster than the scan time using Norton.* I have also found that the backup of my C drive with WSA took less backup space than the backup of my C drive with Norton.
I also like the linkage of the web community directly with the WSA console. Merely open the WSA console and you can click on the web community link. I don't believe Norton offers this feature.
I also found dealing with WSA tech people easier than dealing with Norton tech people, and the wait time generally is not as long with WSA as it is with Norton.
Let us know if you discover other differences once you install both programs.
* A full system scan with Norton takes me more than two hours; a scan with WSA takes me about two minutes.
RMW,
The method Webroot uses to scan and what it scans will, of course, make for a faster scan. I used to not be worried about such things as I went from 1981 until 2007 without a virus (started with BBS, Source, & Compuserve). At that time I was researching the real cause of the housing crash (have since learned that even the NY Times warned of this issue in 1999!) and a virus/whatever caused me to reformat and reinstall my system. Now, I run with the best protection I can get.
Thanks for your response!
TripleHelix,
Kudos. That is exactly what I asked Support in my initial question.
Thank you!
If you wish to use Norton, that is of course your choice. You might want to make exceptions in Norton for WSA just to be safe. I have had nothing but headaches with Norton in years past with dreadful false positives. Removing WSA first and then reinstalling WSA was the right advice from Triple Helix. Like I said, you will want to be sure to make exceptions within Norton for WSA to minimize any possible problems. I wish you better luck than I had with it.
MikeR,
The first and last response from support stated I didn't need another antivirus program or a firewall. Based on the first response from support, logs had been sent. Later they got logs from my wife's computer (not sure how). Her computer has no issue.
The only question asked in the request to support was; "So, should I uninstall Webroot, install ESET, and reinstall Webroot or what?" Their third response failed to get an answer and logs had apparently been submitted so I simply gave up. Until now.
Thanks for responding.
superssjdan,
I agree about Norton, once Symantec took over, and swore never to put another Norton or McAfee product on my computer due to their invasiveness. However, I am very concerned about having any downtime from such issues. They could cost us dearly at this time. I was running Webroot (antispyware) ESET NOD32 (antivirus) and OnlineArmor (firewall). The latter two have gotten weaker. Bitdefender was going to be installed but it appears to be weaker than Norton so I will, reluctantly, install Norton.
As you say, I hope my decision is not bad. Webroot as a second line of defense will give me a bit more comfort as perusing community discussions shows that Webroot handles some issues that Norton does not and vice versa.
ExpertNovice, you may want to take a look at a product called East-Tec Eraser 2012 as a further means of securitizing your system. E-Tec is a slow scan but it offers some interesting security features. Since I am aware of no apparent conflict between them, I see no problem employing a suite of security programs (i.e., WSA, Norton 360, and East-Tec) to give you peace of mind.
RMW,
Thanks for the suggestion. It doesn't seem to handle any of the problems I'm trying to avoid such as a virus, worm, trojan, malware, spyware, etc. Am I missing something?
I would just make absolutely certain that you want to go the Norton route before you actually do it as it really really gunks up the machine as it doesn't uninstall very clean even with the removal tool. I found tons of crap left behind on my wife's PC. The combo I use to great effect is WSA complete along with admuncher and Privatefirewall. Not that I have ever been big on most testing, but Privatefirewall performed extremely well on the matousec proactive security challenge. Marrying a firewall like that with WSA is all you would ever need honestly. Another good combo is the WSA, Windows firewall, and MBAM Pro (really good with zero day threats). The choice is yours. Wish you the best of luck in whatever you choose. My advice would be to do an image based backup to an external drive before making any changes, that way you can always go back if you do not like the results. Don't pay for a thing until you've trialed things first.
No, I don't think you are. I think you are adequately covered with WSA and Norton 360 (and I am still not certain whether Norton 360 is necessary). However, I ran East-Tec before I installed Norton and WSA. East-Tec cleared out a lot of garbage on my computer that had been there for years, that had survived all sorts of scans from different kinds of software I've employed over time. After the first East-Tec scan (which took more than four hours) my machine's performance improved measurably. I then installed Norton 360, then WSA. My machine is running superbly now, and all of the many glitches I've experienced over the years are gone. You may want to give it a try. Cnet rates it highly and I believe there is a 15 day trial period, which I took exhaustive use of before purchasing.
RMW,
Thanks for the info. Cleaning up sounds like a good idea so East-Tec will be tried. Another piece of software you might consider is Sandboxie. While no amount of protection is perfect, given the range of massive offshore government attacks to kiddie attacks, it seems we must strive to become more secure or be prepared to rebuild.
PS. After following a couple of other threads it appears I will stick with OnlineArmor Premium; meaning Norton won't be installed. I guess more research to see if Bitdefender should be used in place of ESET. (The plan is to take advantage of Webroot's cloud-based-scan-at-execution along with a local-based-scan-everything package.)
Final comment concerning decisions,
I have read about Webroot's off-line protection. It still seems to me that if the laptop is not connected to the internet some protection is lost. Webroot Secureanywhere purports to clean up damage once reconnected but I'm unclear as to how it restores deleted or modified files or corrects a computer that can no longer connect or even boot. My one infection (2007 pre-protection) kept trying to connect so I installed the air-wall (removed the ethernet cable).
Like with anything new I prefer to wait for longer-term, out-of-the-lab, real-life evidence. Please note that I am sticking with Webroot. 😃
ExpertNovice, please let us have your feedback after trying East-Tec Eraser 2012. I tested it exhaustively for 15 days before making the purchase. The tech support is very good. I believe it is only one person who responds, but she is quite helpful and tech savvy. I'm aware that East-Tec is used by a number of government agencies, like the Justice Department, for securitization applications. I really don't need it for that. I like its "wipe" feature, which stripped a lot of gunk from my computer and eliminated some glitches. It is a slow process, but worth it, imho. If you do a full scan and "wipe," be prepared for it to take 4-6 hours. Good luck.
Insofar as removing Norton, I may well follow your lead. However, at present, I have experienced no conflicts, so I'll stick with Norton for the time being. As I detect other differences between Norton and WSA, I'll post to this site. I still consider Norton good software, but I'm inclined, at the moment, to think WSA is better. It sure is faster! :D
Kudos to WSA for its tolerance permitting discussion of other products on this site.
I will reply to you directly as we have already wandered too far off topic! Despite that, thanks for all the info.
After another review I will replace ESET with BitDefender, keep OnlineArmor, and (of course) keep Webroot Secureanywhere.
As for the Kudos to WSA, I heartily concur. If we have trampled their policies I will not take offense if they remove the offending posts. The basic post would, hopefully, remain.
Have a look at this Video and I hope it answers some of your concerns! ;)
TH
Interesting video. Which, unfortunately, leads to one comment and one question.
The video shows added files and registry entries being deleted but doesn't show deleted or modified files being restored. The summary states; "Webroot's unique journaling and rollback functionality will perfectly clean up any infections" but doesn't state that deleted or modified files will be restored.
However, at 4:33 into the video the woman states; "every single change the virus makes to my PC is recorded. So if at a later date the file is classified by Webroot as bad all the changes will be perfectly reversed." This means replaced and deleted files will be perfectly restored. Perfect means 100% of the time. For this to be accurate Webroot archives any file, including binaries, if they are to be deleted, killed, replaced, modified, or in any way impacted by a monitored file and every single change will be rolled back once the file is set to "Block." Changes a safe program or that we manually make in the interim will be retained. That is quite a feat!
How does Webroot handle the following?
** a virus is "missed"
** it sets itself to auto-execute at startup. (it is set to be Monitored)
** Initially it does nothing if an internet connection is detected
** Once unconnected it disables Webroot and deploys the payload
** Webroot won't execute at the next restart even if connected to the internet
The woman is Webroot Secureanywhere version 8.1.229. My version is only 8.0.2.27 with no update available. Not an issue. I'm only reporting the difference. Perhaps she 8.0.1.229 or is running an alpha or beta version.
Remember that from 1980/1981 until 2007 I had never been infected by anything until searching for the true culprits of the bank collapse due to the housing markets. (They are planning to do it again!) Since then there have been a few attempts across several machines, all while investigating or researching. Between "safe" browsing and very low odds of being targeted I still want extra protection.
Thanks.
Great question. Let's assume for a moment that some piece of malware is not yet classified as Bad and is allowed to write to the drive. It is immediately flagged as Unknown, and all actions it takes are journaled. When the threat is eventually categorized as Bad, the journaling is used to roll back the actions of the malware.
The next thing you'd like to propose is the auto-execution at startup. That would likely be with a different package it dropped on the system, which is also being journaled. Ok, let's grant that it's set to run at startup.
I think you're suggesting in the next step that the malware breaks the internet connection. A malicious action like that would most likely be picked up heuristically. This, in fact, would be part of the "payload" you're talking about in the next step, which is also a reversed-order scenario. An attempt to disable Webroot entails that code to accomplish this would already be running, and that code would already be subject to review and potential sandboxing actions by Webroot before it's allowed to proceed. It would be stopped before it could do what it's trying to do. The threat would run into WSA's self-protection shield, which would prohibit the threat from shutting it down.
If it had somehow managed to break your internet connection (this is a big "if"), the malware trying to shut down Webroot would have presented another heuristic opportunity to detect and remediate the threat, which will trigger a rollback and a repair of your LSP chain, WinSock entries, and whatever else the malware disrupted to kick you offline.
In addition to that, just because a threat breaks your ability to get online via a browser, it does not mean it has shut down all other avenues for WSA to connect to the internet to receive updates. A redirector is a prime example. You're still connected to the internet. It's just sending you somewhere you don't want to go. There is very little incentive for malware to break your connection entirely. These days, it's usually trying to force you to buy something or send you places you don't want to go. That requires at least a base level of access.
Let's assume it broke something more important though. There are methods built into the program that will attempt to circumvent this malware tactic. A browser is "dumb" code that doesn't anticipate for malware closing the door on how it normally gets online. So if it fails to get online, the browser doesn't do anything about it. WSA, on the other hand, is "smart" code that knows malware wants it offline, and it takes measures to stop this from happening and to get around it even if standard methods are disrupted. With this circumvention, even if heuristics somehow missed the threat (another big if), WSA will could still ultimately receive a cloud classification of "Bad" for the malware and act accordingly.
Great post Jim thanks for the very informative answers! 😉 I think we need to add to the Tribal Knowledge Base.
Daniel
JimM,
"I think you're suggesting in the next step that the malware breaks the internet connection"
Incorrect. If the incorrect assumption leads to a different scenario please revise. BTW, it should be obvious that I am, er, uh, stupid, about malware. :D
I am suggesting that the malware is installed while connected or from a USB while not connected. (The latter is even better.) The malware is designed to initially CHECK for an internet connection and, if found, to do nothing else.
Later, the laptop is started without connectivity. (Very common when we travel.) At this point the malware detects the lack of connectivity (no cloud), installs the actual payload, and disables WSA.
Later, when the laptop is started with connectivity, WSA does not execute and is unable to log the actions or clean the malware.
"So if it fails to get online, the browser doesn't do anything about it. WSA, on the other hand, is "smart" code that knows malware wants it offline, and it takes measures to stop this from happening and to get around it even if standard methods are disrupted."
This suggests that WSA does not require a connection for scanning and detection. I was under the impression that, being cloud based, that was a requirement.
There was no mention of how a deleted or replaced file would be restored.
BTW, I'm not being antagonistic or accusatory. I'm just trying to understand and, as stated, I'm really stupid when it comes to malware (which is a term I'm using to mean everything bad, from tracking cookies to trojans, including stuxnet.)
Thanks for being patient with me and for the excellent responses from so many!
"If the incorrect assumption leads to a different scenario please revise."
The entry point being a USB device wouldn't change the scenario negatively, but it does add an additional point at which WSA could potentially locate and deal with the threat. WSA has a USB shield, specifically designed to deal with that type of threat, offline and behavioral shields to deal with threats without a cloud connection, and the self-protection shield I mentioned earlier to stop a malicious unknown from tampering with WSA itself. So again, the example cannot actually occur when the hypothetical threat cannot actually disable WSA.
"This suggests that WSA does not require a connection for scanning and detection. I was under the impression that, being cloud based, that was a requirement."
No, that's not a requirement. "Cloud-based," does not necessarily entail that the cloud is a requirement for it to function. The optimal state is of course that the device is connected to the internet so that the cloud database can tell WSA "We classified this one already. Deal with it as either Good or Bad." However, WSA is capable of making determinations heuristically without consulting the cloud if necessary.
"There was no mention of how a deleted or replaced file would be restored."
Any action the Unknown program is making is logged. That would include actions taken on existing files. Those edits are reversed because the actions themselves are journaled and can basically be rewound. As a change is being made (file is changed or deleted), the existing data is encrypted and stored by WSA. If the Unknown that did the change gets marked as Good, the stored data copy is deleted after a while since it wouldn't be needed. If the Unknown is discovered to be Bad, the stored data is used to roll back the changes.
Or to use a fun analogy, it's kind of like how transporter buffers work in Star Trek. Transporter A reads the data from the object to be transported, and Transporter B writes that information to the world. Transporter B might transport the object (copy it), beam it out into space (delete it), or beam a pile of goo onto the transporter room floor (edit it). WSA is like the buffer in the middle, which can save the pattern. If Transporter B ends up malfunctioning, the pattern can still be pulled out of the buffer to rematerialize the proper object. Luckily, since we're talking about computer files and not people, we don't have to deal with things like the metaphysical problems of being a copy either! 😃
Thanks for the information! Quite informative.
As for the file deletion or replacement.
For changes made to a file a delta file would be a good method. (I managed a change control product called ChangeMan that used delta files).
For deletions a delta file is essentially a copy of the file.
For overlaying with a different file a delta file would contain both additions and deletions which most likely means both files are maintained in the delta file. That would be interesting to see in action! (No, I don't want to test on my system, especially with any malware. :D)
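The journal-and-rollback behaviour JimM describes, together with the modify, delete and overwrite cases raised in the last post, as a minimal model. This is an added illustration and not Webroot's code: the `ChangeJournal` class, its method names and the sample files are hypothetical, it keeps whole-file pre-images rather than deltas, and it stores them unencrypted (the thread says WSA encrypts them).

```python
import os
import shutil
import tempfile


class ChangeJournal:
    """Hypothetical model: keep the pre-image of every file an Unknown program changes."""

    def __init__(self, vault_dir):
        self.vault_dir = vault_dir
        self.entries = []  # (target path, saved pre-image path or None), oldest first
        os.makedirs(vault_dir, exist_ok=True)

    def _snapshot(self, path):
        # Save the file as it exists *before* the change. None records that the
        # file did not exist, so rollback knows to remove it again.
        saved = None
        if os.path.exists(path):
            saved = os.path.join(self.vault_dir, f"{len(self.entries):06d}.pre")
            shutil.copy2(path, saved)
        self.entries.append((path, saved))

    def write(self, path, data):
        """The Unknown program creates, modifies or overwrites a file."""
        self._snapshot(path)
        with open(path, "wb") as fh:
            fh.write(data)

    def delete(self, path):
        """The Unknown program deletes a file."""
        self._snapshot(path)
        os.remove(path)

    def verdict_bad(self):
        """Unknown reclassified as Bad: rewind every change, newest first."""
        for path, saved in reversed(self.entries):
            if saved is None:
                if os.path.exists(path):
                    os.remove(path)        # file was dropped by the Unknown
            else:
                shutil.copy2(saved, path)  # restore modified or deleted file
        self._purge()

    def verdict_good(self):
        """Unknown reclassified as Good: changes stay, pre-images are discarded."""
        self._purge()

    def _purge(self):
        for _, saved in self.entries:
            if saved and os.path.exists(saved):
                os.remove(saved)
        self.entries.clear()


def run_demo():
    """Constructed scenario: modify twice, delete, drop a new file, then roll back."""
    root = tempfile.mkdtemp(prefix="journal_demo_")
    try:
        report = os.path.join(root, "report.txt")
        photo = os.path.join(root, "photo.bin")
        dropped = os.path.join(root, "dropped.exe")
        note = os.path.join(root, "user_note.txt")
        vault = os.path.join(root, "vault")
        with open(report, "wb") as fh:
            fh.write(b"quarterly numbers")
        with open(photo, "wb") as fh:
            fh.write(b"constructed image bytes")

        journal = ChangeJournal(vault)
        journal.write(report, b"scrambled once")      # modification
        journal.write(report, b"scrambled twice")     # second modification
        journal.delete(photo)                         # deletion
        journal.write(dropped, b"constructed payload")  # newly dropped file
        with open(note, "wb") as fh:                  # user's own change, not journaled
            fh.write(b"made by the user")

        journal.verdict_bad()

        with open(report, "rb") as fh:
            report_now = fh.read()
        with open(photo, "rb") as fh:
            photo_now = fh.read()
        return {
            "report": report_now,
            "photo": photo_now,
            "dropped_exists": os.path.exists(dropped),
            "user_note_exists": os.path.exists(note),
            "vault_files": os.listdir(vault),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Rolling back newest-first is what makes a file changed twice land on its original content. In this model a file the user edits after the Unknown touched it would also be overwritten by the restore, so it only preserves interim changes to files the Unknown never touched.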