SolarWinds EDR Rollback | SolarWinds MSP

The key technology behind Rollback is VSS. This is a feature from Microsoft Windows Operating Systems. VSS is capable of maintaining multiple copies of volumes or computer files, even while they’re in use. 

How does this work? It’s roughly akin to taking a digital photo, which has a time and date stamp—VSS is no different. It creates a digital image of the entire system at a specific interval and time, and stores it so it can be used to overwrite a corrupted endpoint. VSS gives the end user a mirror image of their system pre-attack. It’s a powerful technology put to even more powerful use in rollback.

Sounds great, you think, and maybe resource intensive. Good news—it’s not. VSS is highly efficient. When it moves files to the temporary location, it does so in an incremental fashion. It only moves files that have changed since the last snapshot. 

For those who are wondering, VSS was introduced in Microsoft Windows XP/Server 2003, and has been available in every version of Windows since. Rollback is included in agents for Windows Vista/Windows Server 2008 R2 and onward. At this time, it’s not supported on Mac OS and Linux.

Why rollback?

Simple—one click can infect your entire network. Our Ransomware Rescue infographic goes into great detail about this scourge and how to help prevent it, but consider the following statistics found in the document:

  • 16.2 days is the average amount of downtime businesses experienced at the end of 2019 due to ransomware attacks
  • 1 business every 11 seconds is the predicted frequency businesses will fall victim to a ransomware attack by 2021
  • $20 billion is the predicted cost of damages due to ransomware in 2021

Rollback: cost benefit analysis

At this point, you’re probably thinking, “I’m sold. What does this feature cost?” While EDR does cost a bit more than traditional MAV, it’s important to consider what you gain in functionality as opposed to incremental cost. 

We’ve said it before, and it bears repeating: there’s a place in organizations for both MAV and EDR, depending on use cases. But if you fall into the latter camp for the reasons delineated at the beginning of this article, consider what costs more: a bit more per seat for EDR or four to six hours to reimage an infected endpoint. The cost goes up by orders of magnitude if you support a large organization. And don’t forget—downtime is the most critical cost of all. When employees aren’t working, productivity and profits follow a parallel path. EDR can negate all of this.

Rollback in action

A ransomware attack is simple in its intent, but extraordinarily complex in its execution. To that end, we’ve created a demo video that simulates a ransomware attack and shows you how the rollback feature works. It’s a great look at how an attack unfolds and how Rollback wins the day, undoing the damage. 

Some things are too good to be true. The rollback feature isn’t one of them. Being able to provide your customers incredible peace of mind and bolster their security—especially when predatory attacks on businesses are on the rise—is huge. Learn more about SolarWinds EDR here, or contact your account representative. You’ll be glad you did.


Michael Tschirret, Sr. Product Marketing Manager, EDR