Emsisoft Rollback Feature

Overview

The Rollback feature in Emsisoft Enterprise Security constitutes a robust functionality designed to safeguard the security and data integrity of your systems. It provides a dependable mechanism for reverting damage to previous states, thus mitigating potential damage from malicious activities such as from ransomware.
In simpler words, if a malware ever modifies a file, you can revert that file to one of its previous, unaffected versions.

How to enable the Rollback feature

Activating the Rollback feature is an effortless task within the Emsisoft Management Console in my.emsisoft.com. Just turn ON the EDR and Rollback at “Protection Policy”. Upon activation, the functionality empowers users to effortlessly restore files to their prior states.

Backup

The heart of the Rollback feature revolves around the Emsisoft-Backup folder. This repository serves as a secure vault for housing backup copies of your files. Whenever an incident is identified, the Emsisoft Protection captures this event and generates a backup copy of the affected file. It is important to note that only modifications from untrusted processes are backed up for their reversal. 

Rollback Disk Quota

The optimal functioning of the Rollback feature hinges on effective disk quota management. Rollback disk quota defines the maximum disk space allocated for housing backup copies, ensuring that these copies do not consume your system’s storage unnecessarily. You can allocate between 5% and 50% of your disk space and it is set at 30% by default.

Retention Time

A crucial user-defined parameter, retention time dictates the duration for which backup files remain stored in the Emsisoft-Backup folder. Upon exceeding the specified retention period, backup files that outlast this timeframe are automatically deleted. This feature serves to maintain a streamlined and uncluttered backup repository. You can choose between 12 and 72 hours of retention time and it is set to 48 hours by default.

Incident Trigger and Remediation

When an incident is generated and a backup file corresponding to this incident is present (not removed by disk quota or retention time constraints), the rollback option becomes available.

Upon selecting “Remediate Threat” in the incident section, a retention menu emerges, allowing users to specify which files should be restored, akin to retrieving data from a backup. This process is then initiated, with its subsequent status accessible in the Remediation History.

Requirements

The Rollback feature in Emsisoft Protection is a powerful tool for safeguarding your system’s integrity, it’s important to be aware of the technical requirements that influence its operation. Here a summary of what you have to take in consideration:

Backup File Location and Drive Association

If a program initiates changes on a specific drive, such as altering files on Local Disk “D:” while being located on Local Disk “C:”, the generated backup will be stored in the Emsisoft-Backup folder on the drive from which the program originated – in this case, Local Disk “C:”. This mechanism ensures that the backup file’s location aligns with the drive containing the program responsible for the process.

Minimum Disk Space Requirement

To accommodate the storage of backup files, a minimum of 6GB of free space on the relevant drive is required. This ensures that ample space is available for retaining backup copies without impinging on system performance or operation.
The backups will not be created if the available space in the disk is less than the minimum required, no matter what disk allocation you have set.

Supported Drive Format and external Drives

The Rollback functionality is streamlined to the internal structure of your system, ensuring optimal reliability and performance. It is designed to operate within the confines of your system’s internal NFTS drives and is not supported on external drives. This includes external storage devices such as flash drives.

Frequently Asked Questions (FAQs)

1. How should I balance the parameters available regarding disk allocation? By default, the Rollback feature is set to 30% of the disk space and a time retention of 48 hours, which is ideal for the majority of users. We recommend adjusting these parameters only if you’re an advanced user with specific scenarios requiring extended retention time or larger disk quotas for storing backups.
2. Is there specific malware for which rollback would kick in? Rollback is designed to address a broad spectrum of malware attacks causing system changes. It activates based on threat behaviors, not specific malware types.
3. Is there a limit to the number of rollback backups that can be stored on a drive? There’s no fixed limit. The number of stored backups is determined by disk quota settings and available space.
4. Can the Rollback feature revert changes made to system settings and configurations? Yes, Rollback can revert various changes in system settings and configurations caused by malware attacks.
5. Is it possible to manually trigger a rollback for a specific incident? Yes, incident-specific rollback can be initiated via the “Remediate Threat” process for each mapped incident. The creation of backups instead is automatic and cannot be manually executed for specific files, folders, or processes.
6. Can rollback backups be accessed or restored individually? Rollback restores all changes associated with a specific incident, rather than offering individual file restoration.
7. Does the Rollback feature affects the system’s boot-up time or the computer’s overall performance? The Rollback feature doesn’t significantly impact the system’s boot-up time or overall performance.
8. What happens if the disk quota is filled up due to excessive backup files? When the disk quota is exceeded, older backups are automatically deleted to create space for new ones.
9. Can I exclude specific files or folders from being backed up by the Rollback feature The Rollback feature is designed to capture system-wide changes. For this reason there are no file or folder exclusions.
10. How does the Rollback feature interact with different types of file encryption and compression methods? Rollback focuses on reversing changes, regardless of the encryption or compression methods employed.