RandomGuy

Feature Request: Rollback


I'm sure you are all very familiar with the rollback feature found in Kaspersky products. I would like this feature also implemented in Emsisoft products because it can be very useful. This feature can be very useful in 2 scenarios.

Scenario 1: A malicious file is executed and starts copying itself to different parts of the drive. It then tries to send data to a malicious host, which triggers an Emsisoft Anti-Malware Network cloud lookup. The parent file is then detected and quarantined, BUT the copies are still there. In this case, if the rollback feature is implemented, then the file would have been detected and quarantined and everything it has done (which in this case is copy itself) prior to detection will have been rolled back (deleted).

Scenario 2: A ransomware file is unknowingly executed by the user. The file is fairly new and was released only about 4 hours ago. It starts encrypting desktop photos and then tries to encrypt the Pictures folder. This is where the behavior blocker kicks in; it stops and quarantines the file, protecting the Pictures folder. BUT, the encrypted files in the desktop folder stay encrypted. With a rollback feature in place, the file would have been detected and quarantined (by the behavior blocker) and the rollback feature would have unencrypted the files encrypted prior to detection.

This is just a suggestion that I would love to have implemented in Emsisoft products.

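To make the two scenarios concrete, here is an added illustration (not Emsisoft's or Kaspersky's code, and not from the original post) of the bookkeeping a rollback feature needs: a journal that records which files a monitored process created and snapshots the original content of files it overwrites, so that when a detection fires everything is undone. The `ActivityJournal` class, the `before_write` hook and the simulated process are all hypothetical; a real product would hook file writes from a kernel driver rather than rely on the process calling the journal.

```python
import shutil
import tempfile
from pathlib import Path


class ActivityJournal:
    """Records a monitored process's file-system side effects so they can be undone.

    Hypothetical sketch: created files are remembered so they can be deleted
    (scenario 1), and files that existed beforehand are copied to a backup
    directory before their first modification so they can be restored (scenario 2).
    """

    def __init__(self, backup_dir):
        self.backup_dir = Path(backup_dir)
        self.created = []     # files that did not exist before the process touched them
        self.modified = {}    # original path -> backup copy of its pre-modification content

    def before_write(self, path):
        """Call before the monitored process writes to `path`."""
        path = Path(path)
        if path in self.created or path in self.modified:
            return                                  # already journaled once is enough
        if path.exists():
            backup = self.backup_dir / f"{len(self.modified)}.bak"
            shutil.copy2(path, backup)              # snapshot the original bytes
            self.modified[path] = backup
        else:
            self.created.append(path)               # brand-new file, e.g. a self-copy

    def rollback(self):
        """Undo everything journaled: delete created files, restore modified ones."""
        for path in self.created:
            if path.exists():
                path.unlink()
        for path, backup in self.modified.items():
            shutil.copy2(backup, path)
        self.created.clear()
        self.modified.clear()


def simulate_and_rollback():
    """Constructed scenario in a temp dir: a process drops copies of itself on the
    desktop and overwrites a photo, detection fires, and the journal rolls back.
    Returns (desktop file names after rollback, photo content after rollback)."""
    root = Path(tempfile.mkdtemp())
    desktop = root / "Desktop"
    desktop.mkdir()
    (root / "backup").mkdir()
    photo = desktop / "holiday.jpg"
    photo.write_bytes(b"ORIGINAL_PHOTO_BYTES")      # constructed sample user data
    journal = ActivityJournal(root / "backup")
    for name in ("copy1.exe", "copy2.exe"):         # scenario 1: self-copies
        target = desktop / name
        journal.before_write(target)
        target.write_bytes(b"MZ-constructed-dropper-copy")
    journal.before_write(photo)                     # scenario 2: user file overwritten
    photo.write_bytes(b"UNREADABLE_BLOB")
    journal.rollback()                              # behaviour blocker fires: undo it all
    return sorted(p.name for p in desktop.iterdir()), photo.read_bytes()
```

Run `simulate_and_rollback()` and only `holiday.jpg` with its original bytes remains; note that the backup directory itself must be protected from the monitored process, or the snapshots can be destroyed along with the originals.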

Well, I know that some legitimate applications do this as well. So if a rule is in place that intercepts this behavior, legitimate applications can also be flagged. This is only a hypothetical scenario, but I see your point. Cheers!


I think if a digitally signed/trusted application does it, there's unlikely to be an alert. But if something unknown starts creating files, I'd hope for an alert. If it's a valid application that one knows is ok, you allow it and never get alerted again.


Towards the end of this video, two pieces of adware designated "Advanced System Protector" and "RegClean Pro" copied themselves everywhere on the desktop. The behavior blocker didn't detect this action as malicious and wasn't monitoring it because it was designated as Safe by the Anti-Malware Network. This video reinforces scenario 1 and also suggests an improvement to the behavior blocker.


That video was made 18 months ago, using EAM version 12. There have been a myriad of improvements in EAM since that video was made. What you are asking for will add a lot of overhead to EAM and goes beyond what an Anti-Malware is supposed to do. We strive to keep EAM bloat free and lightweight.


I understand the mission statement and purpose of your product. I just thought that this feature would assist in making this product an amazing Anti-Malware product. This feature should be lightweight and assist only through late BB detection. Also, Webroot's system is a rollback feature and is among the lightest AV products out there.

