FirstDefense-ISR and Rootkit Recovery
G1111
December 22nd, 2005, 12:33 PM
Anyone have any thoughts? Can FirstDefense restore a system after a rootkit infection?
Peter2150
December 22nd, 2005, 02:44 PM
If you have a clean secondary snapshot, and you get a rootkit in your primary, why wouldn't FDISR recover? The rootkit is nothing more than files that have been installed (drivers maybe) and files modified (the registry).
When you boot into the secondary, you are using only the files in the secondary, so you would be clean. Doing a copy would replace all the infected files, and remove all the files that were added. Rootkit gone.
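Added example, not part of the original thread and not FDISR's own code: a Python comparison that takes the file-level view described in the post above, hashing a clean snapshot tree and the primary tree and listing which files were added, modified or went missing in the primary. The directory layout and file names are constructed, and it assumes both trees are read while booted from the clean snapshot rather than from the running primary.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                # Read in 1 MiB chunks so large files do not load into memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(clean_root, suspect_root):
    """Classify files in the suspect tree against the clean reference tree."""
    clean, suspect = manifest(clean_root), manifest(suspect_root)
    common = clean.keys() & suspect.keys()
    return {
        # Present only in the suspect tree: a refresh would remove these.
        "added": sorted(suspect.keys() - clean.keys()),
        # Present only in the clean tree: a refresh would put these back.
        "missing": sorted(clean.keys() - suspect.keys()),
        # Same path, different content: a refresh would overwrite these.
        "modified": sorted(p for p in common if clean[p] != suspect[p]),
    }


def _write(root, rel, data):
    """Create a file (and its parent directories) under root."""
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Build two small constructed trees and return their diff."""
    with tempfile.TemporaryDirectory() as base:
        clean = Path(base) / "secondary"
        primary = Path(base) / "primary"
        # Constructed sample layout, identical in both trees to begin with.
        for root in (clean, primary):
            _write(root, "WINDOWS/system32/drivers/disk.sys", b"driver v1")
            _write(root, "WINDOWS/system32/config/SYSTEM", b"hive v1")
            _write(root, "Program Files/firewall/fw.exe", b"firewall")
        # Constructed changes to the primary: one new driver file,
        # one changed registry hive, one removed program file.
        _write(primary, "WINDOWS/system32/drivers/example_added.sys", b"new")
        _write(primary, "WINDOWS/system32/config/SYSTEM", b"hive v1 + new key")
        (primary / "Program Files/firewall/fw.exe").unlink()
        return diff_trees(clean, primary)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9}{p}")
```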
G1111
December 22nd, 2005, 04:09 PM
{QUOTE-> If you have a clean secondary snapshot, and you get a rootkit in your primary, why wouldn't FDISR recover? The rootkit is nothing more than files that have been installed (drivers maybe) and files modified (the registry).
When you boot into the secondary, you are using only the files in the secondary, so you would be clean. Doing a copy would replace all the infected files, and remove all the files that were added. Rootkit gone. <-QUOTE}
Thanks for the response. That is the whole purpose of a program like FDISR, but I wanted to see what happens in reality. If anyone has used it after getting a nasty infection like a rootkit. I am thinking of getting a program like this or Rollback Rx for my pc.
Peter2150
December 22nd, 2005, 07:43 PM
Hi G1111
Let me give you an example. I wanted to test a big name security suite for a couple of things. The big name has a reputation about being hard to uninstall. I uninstalled my firewall, and my av, and installed the security suite.
Note that before doing this I refreshed my other snapshot so it was current. After playing around I just booted to my other snapshot, did a refresh of my primary and booted back to my primary. My original firewall and av were there operational, and all traces of the security suite gone. Nothing left period.
Far as recovery, I had a system freeze occur while running a registry cleaner. I had to power reset to reboot. My system was about as messed up as one could be. I just rebooted into my secondary snapshot, and refreshed and the problem was gone, like it had never happened.
I can't say the other programs aren't good, I don't know. I do know FDISR has never let me down.
Now admittedly a FDISR snapshot is as big as the original, which is why you can boot to it and have your complete system. Are the other programs as good? I don't know.
G1111
December 22nd, 2005, 08:42 PM
Thanks for the response. Can you make the snapshot on an external hard drive with FD or does it have to be on the same HD?
crofttk
December 22nd, 2005, 08:47 PM
You can copy any FDISR snapshot to an "Archive" (compressed) on an external drive, or any other that it'll fit on. You can't boot directly into that. You would have to import it back to your system drive snapshots to boot from it. So, I keep my older snapshots archived on an external USB but always keep one or two copies of the primary snapshot on the system drive in case I need to "roll back" to one of them, and, indeed, I have had to do so.
G1111
December 22nd, 2005, 11:20 PM
{QUOTE-> You can copy any FDISR snapshot to an "Archive" (compressed) on an external drive, or any other that it'll fit on. You can't boot directly into that. You would have to import it back to your system drive snapshots to boot from it. So, I keep my older snapshots archived on an external USB but always keep one or two copies of the primary snapshot on the system drive in case I need to "roll back" to one of them, and, indeed, I have had to do so. <-QUOTE}
Thanks for the info.
WilliamP
December 23rd, 2005, 12:54 PM
Ok FDISR experts, I have a question. What can you do with an archived snapshot on another drive? Let's say you have one on another drive and your system drive 'C' dies. Is that archived snapshot going to be any help? I have been wondering about this and I sure would like to know. I have a Dell 8400 with a 160GB SATA as my C drive. I bought an enclosure and a duplicate drive to put in it. Then I bought a SATA PCI controller. The enclosure is hooked to the PCI card. I can hot boot the enclosure. I have planned to Ghost an image to it, but I was wondering about FDISR. I do have FD and maintain 2 snapshots on my C drive. Love it.
Acadia
December 23rd, 2005, 01:03 PM
WilliamP, I do both, Ghost (actually Powerquest version 7.xx, and TrueImage version 6) and FirstDefense. Because of FirstDefense and, formerly, GoBack, I have never had to restore ANY of my images, but then again, I have never had a hard drive fail. In theory, if I am understanding things correctly (that's a big "if"), the new version of FD should help you to recover from a hard drive failure, but you would have to reinstall WindowsXP (any service pack), then reinstall FD, then simply restore your Archived Snapshot: your old system should be back good as new, BUT, I have never had to test this. I would be very interested in hearing what the other FirstDefense users have to say about this kind of recovery, that is, a total hard drive failure.
Acadia
Reggie
December 23rd, 2005, 01:23 PM
Somewhat off topic perhaps, but I'm ready to give GoBack4 the boot (a trusted and well-behaved utility under Roxio's watch, that Symantec has really screwed up)! I've been considering FDISR or ShadowUser as a replacement, so I was wondering if any of you considered the latter and if so, why you chose FDISR?
Thanks!
Acadia
December 23rd, 2005, 01:27 PM
Sorry, Reggie, can't answer your question as I am not familiar with ShadowUser; perhaps some of the others can. :-\
Acadia
pvsurfer
December 23rd, 2005, 04:59 PM
It seems to me that the use of any 3rd party 'roll back' program (FDISR, ShadowUser, etc.) serves little purpose if you diligently use an imaging program (such as Acronis TrueImage or Norton Ghost).
I may be missing something here, but why incur the performance-hit (there's got to be some) and the dedicated space required by those 'roll back' programs (on your system drive) if you can simply restore a recent image or individual files, as the situation warrants? ???
~pv
G1111
December 23rd, 2005, 05:12 PM
{QUOTE-> It seems to me that the use of any 3rd party 'roll back' program (FDISR, ShadowUser, etc.) serves little purpose if you diligently use an imaging program (such as Acronis TrueImage or Norton Ghost).
I may be missing something here, but why incur the performance-hit (there's got to be some) and the dedicated space required by those 'roll back' programs (on your system drive) if you can simply restore a recent image or individual files, as the situation warrants? ???
~pv <-QUOTE}
I have been following the threads on the latest version of Acronis True Image and it looks like there are significant problems with the new version. I was looking for a roll back program in case of being hit with a rootkit. It looks like folks here like FDISR.
Acadia
December 23rd, 2005, 05:50 PM
ONLY Goback has a performance hit. The "Instant Recovery" programs not only appear to be more reliable than the imaging programs (which I still very much believe in), but they literally only take about 5 minutes to recover your entire system from the worst of anything.
Now, as for the disk space taken up by Firstdefense ... ::)
Acadia
Peter2150
December 23rd, 2005, 06:02 PM
{QUOTE-> It seems to me that the use of any 3rd party 'roll back' program (FDISR, ShadowUser, etc.) serves little purpose if you diligently use an imaging program (such as Acronis TrueImage or Norton Ghost).
I may be missing something here, but why incur the performance-hit (there's got to be some) and the dedicated space required by those 'roll back' programs (on your system drive) if you can simply restore a recent image or individual files, as the situation warrants? ???
~pv <-QUOTE}
Hi pvsurfer
I would say wrong. Serves a lot of purpose. First with FDISR, there is no performance hit. Yes there is a disk space hit.
But on using an imaging program, several differences. First, there is a risk factor. When you restore an image there is always a degree of risk. The first step of an image restore wipes out the disk. With FDISR at least, it's just a reboot into another snapshot. There is also a big time difference. The FDISR process never takes much more than 5 minutes.
I disk image to protect against hardware failure, but most of the things that mess me up are software related and I like FDISR for that.
Pete
Acadia
December 23rd, 2005, 06:22 PM
{QUOTE-> I disk image to protect against hardware failure, but most of the things that mess me up are software related and I like FDISR for that.
Pete <-QUOTE}
I used GoBack for five years, and now FD for 1 1/2 years. I have ALWAYS had other backup software, including imaging software. Please believe me, this is no exaggeration or lie, I have NEVER had to restore any backup or image in 6 1/2 years because of these "instant recovery" programs. Of course, I have never had a hard drive fail either (I'm only on my second one), and for that reason I still use two imaging programs.
With Instant Recovery programs like RestoreIt (which I have never used) and the latest version of FD, the area between the traditional recovery programs and instant recovery programs is starting to gray ... in theory, RestoreIt and FD can also save you from total hard drive failure, although I must admit I have never had to test it (and pray I never have to do so).
But these instant recovery programs, at least the two that I have tried, have NEVER let me down, and recover your system so quickly. Plus FirstDefense is almost like having a partitioning program and virtual drive program, without actually having to take the risks that those programs take.
Acadia
pvsurfer
December 23rd, 2005, 07:51 PM
{QUOTE-> ONLY Goback has a performance hit. The "Instant Recovery" programs not only appear to be more reliable than the imaging programs (which I still very much believe in), but they literally only take about 5 minutes to recover your entire system from the worst of anything.
Now, as for the disk space taken up by Firstdefense ... ::)
Acadia <-QUOTE}
I'm in no position to contradict your comment about 'no performance-hit', but I simply don't understand how that can be.
Btw, can you give me an idea of the typical disk space consumed by FDISR?
Acadia
December 23rd, 2005, 08:10 PM
{QUOTE-> I'm in no position to contradict your comment about 'no performance-hit', but I simply don't understand how that can be. <-QUOTE}
Only GoBack is constantly "running", constantly keeping track of every single file change. FirstDefense just sits there doing nothing until you make or update a Snapshot. TrueImage and Ghost also have no performance hit until you actually use them, why should FD be any different?
{QUOTE->
Btw, can you give me an idea of the typical disk space consumed by FDISR? <-QUOTE}
Every Snapshot is as big as your c:drive. If your c:drive is 5gig, and you make one Snapshot, you now have 10gig of your hard drive used. If you use the maximum allowable of ten Snapshots (like I have) you now have 50gig of your hard drive used.
Acadia
pvsurfer
December 23rd, 2005, 08:23 PM
Ok, what I didn't get was that FDISR doesn't create any kind of restore point unless you request it. ...is that correct?
And if every snapshot is as large as the C-drives used space, then I'd need a bigger drive!
Acadia
December 23rd, 2005, 08:33 PM
{QUOTE-> Ok, what I didn't get was that FDISR doesn't create any kind of restore point unless you request it. ...is that correct? <-QUOTE}
Yes, correct, it does absolutely nothing until you tell it to. I suggest that you go to the Raxco site and study the faq and couple of pdf files that you can download, makes for interesting reading.
{QUOTE-> And if every snapshot is as large as the C-drives used space, then I'd need a bigger drive! <-QUOTE}
No software program is perfect and this is indeed the one glaring problem with FD, it needs gobs of disk space to be able to perform its magic.
Acadia
pvsurfer
December 23rd, 2005, 08:36 PM
Will do - but just one more question; does it require Microsoft .NET Framework (as does ShadowUser)?
crofttk
December 23rd, 2005, 08:38 PM
{QUOTE-> ... I would be very interested in hearing what the other FirstDefense users have to say about this kind of recovery, that is, a total hard drive failure. <-QUOTE}
I have NOT had a hard drive physically die on me but I certainly have had to import an archived snapshot from my external USB (3-days is the youngest on there) to restore my system once it and the one other snapshot on my system drive went south on me. Fortunately, FDISR was still operational despite the screwup.
More importantly, though, some of you may be aware of the Acronis True Image Version 9 fiasco; I was caught in the middle of that. At the time this happened I actually went for a short period without an actual backup program and damned if this didn't happen then. "Belts and Suspenders", sure, but I'm glad I still had the belt (FDISR) on at the time. So, even if my hard drive had died, I would have MUCH rather gotten the bare replacement, put on the bare XP install (what, 45 minutes ?), install FDISR and THEN recover my whole system with all programs and customizations from the archived snapshot.
Granted, if I'd had an intact backup or image besides the archived snapshot, I could have recovered with less effort with one of those.
Eventually I bagged Acronis and got Retrospect, which I'm quite happy with as a file based backup. Then I went and got a BootIt NG/Image for Windows bundle to use for imaging. Yes, believe it or not, I use 3 forms of backup.:P
Acadia
December 23rd, 2005, 08:38 PM
{QUOTE-> Will do - but just one more question; does it require Microsoft .NET Framework (as does ShadowUser)? <-QUOTE}
No, definitely not.
Acadia
crofttk
December 23rd, 2005, 08:39 PM
{QUOTE-> Will do - but just one more question; does it require Microsoft .NET Framework (as does ShadowUser)? <-QUOTE}
NOPE !
ETA: Heh, OK, I see I just echoed Acadia....oh well.
G1111
January 2nd, 2006, 10:35 PM
Just downloaded the evaluation version. Is the purchase fee one time or is there a yearly update fee?
It took about 45 minutes to create my first snapshot. After I was finished FDISR indicated there were 6 errors. The log file though does not indicate what the errors were. Do I need to reimage? I wouldn't want to use a backup with errors.
Peter2150
January 2nd, 2006, 11:10 PM
{QUOTE-> Just downloaded the evaluation version. Is the purchase fee one time or is there a yearly update fee?
It took about 45 minutes to create my first snapshot. After I was finished FDISR indicated there were 6 errors. The log file though does not indicate what the errors were. Do I need to reimage? I wouldn't want to use a backup with errors. <-QUOTE}
Open the log file and click on the plus and you will see a record of every action. From that you can identify the errors. If you run Process Guard, and don't disable it, there are two of your errors.
Pete
Acadia
January 3rd, 2006, 08:33 AM
No, there is no yearly subscription fee. I would contact Raxco tech support about the errors, it is unusual for there to be errors, at least for me.
Acadia
G1111
January 3rd, 2006, 10:28 AM
{QUOTE-> No, there is no yearly subscription fee. I would contact Raxco tech support about the errors, it is unusual for there to be errors, at least for me.
Acadia <-QUOTE}
Thanks - I may try another image and see if the errors persist and then contact tech. support. Thanks for the response.
Acadia
January 3rd, 2006, 10:59 AM
Do you have the very latest build of FD, released just a couple of weeks ago? It fixed one bug that did indeed produce errors, although FD still was able to function OK without fouling up your system. If all of your errors are from that particular bug, then FD is still OK to use but you definitely need to double check with tech support if you continue to receive errors with the latest build, because build number 166 should produce no errors.
http://www.raxco.com/support/windows/updates.cfm#FDISR
Acadia
crofttk
January 3rd, 2006, 01:15 PM
{QUOTE-> Thanks - I may try another image and see if the errors persist and then contact tech. support. Thanks for the response. <-QUOTE}
It wouldn't hurt to run a boot-time CHKDSK /F on your system drive before you try again.
JW Clements
January 3rd, 2006, 07:43 PM
{QUOTE-> It wouldn't hurt to run a boot-time CHKDSK /F on your system drive before you try again. <-QUOTE}
I get a lot of errors that are due to timing issues related to copying image files such as jpg, gif, png, etc. The files get copied but FD tries to verify too soon, doesn't get a response and counts that as an error. I've reported this to Raxco (about 3 months ago) but haven't seen a 'fix' yet.
It is tedious to scan for 'error' and read the messages, I almost go blind.
One way to reduce the lines to review is to perform the copy, then wipe the logs then perform the copy again (then check the logs which are smaller because not much has changed since the first copy).
Valid errors occur if, for example, you haven't disabled Process Guard Protection, which prevents FD from copying the pghash.dat and pguard.dat files, so you should check the log. However, if I haven't installed anything new, I get the same # of errors on the image files and if that stays constant, then I don't bother checking.
Jim
G1111
January 3rd, 2006, 08:00 PM
Thanks for the responses but after playing with it today (and the cost after the evaluation period is over) I decided to unload it. Scan times were long (about 45 minutes). There was no manual available in the evaluation copy (that I could open). There were also errors in each of the scans. ProcessGuard would not initialize after I rebooted from an imaged copy (but I did not disable it before the scans). Anyhow, thanks for the responses.
JW Clements
January 4th, 2006, 05:13 AM
{QUOTE-> Thanks for the responses but after playing with it today (and the cost after the evaluation period is over) I decided to unload it. Scan times were long (about 45 minutes). There was no manual available in the evaluation copy (that I could open). There were also errors in each of the scans. ProcessGuard would not initialize after I rebooted from an imaged copy (but I did not disable it before the scans). Anyhow, thanks for the responses. <-QUOTE}
How big is your c: drive? Mine is about 2.4GB and it takes about 7 minutes to create a new snapshot. To refresh a snapshot takes a few seconds because only changed and new objects are copied to the target and deleted objects are removed from the target. You should probably 'anchor' objects like your outlook.pst so it's not copied, since this is data, not a program, and can be available in every snapshot. Other data objects should be in a different (d:?) partition so that the snapshots are just for your OS and application programs.
As I said, PG needs to be disabled to have its critical files copied and PG won't work if you didn't. This isn't difficult. The image errors are annoying, but so is putting on seatbelts in the car, but, like seatbelts, FDISR provides important protection that far outweighs the 'inconvenience'.
G1111
January 4th, 2006, 12:55 PM
{QUOTE-> How big is your c: drive? Mine is about 2.4GB and it takes about 7 minutes to create a new snapshot. To refresh a snapshot takes a few seconds because only changed and new objects are copied to the target and deleted objects are removed from the target. You should probably 'anchor' objects like your outlook.pst so it's not copied, since this is data, not a program, and can be available in every snapshot. Other data objects should be in a different (d:?) partition so that the snapshots are just for your OS and application programs.
As I said, PG needs to be disabled to have its critical files copied and PG won't work if you didn't. This isn't difficult. The image errors are annoying, but so is putting on seatbelts in the car, but, like seatbelts, FDISR provides important protection that far outweighs the 'inconvenience'. <-QUOTE}
JW - It is around 8 GB worth of data. I am sure I did not follow the needed procedures to make the program work properly. I wish I could get a hold of the manual to read what steps I need to take, etc. beforehand. Obviously I missed exiting PG first, probably should have done the same to UnhackMe and maybe a few other resident programs. May try this one again (FDISR) someday. I like the idea. Right now I back up all my data and things I can't lose to an external HD. I don't back up the entire HD though. One question is when you boot into a snapshot, do you have to keep rebooting into the same snapshot. That is how would you dump the original HD contents if the original was corrupted or infected or on the next reboot does it take you to the snapshot you selected (I am sure there is a way to do this I just am unaware of the procedure)? Also are AV scans 2X, 3X as long based on the number of snapshots you keep? Did do a CHKDSK /F and corrected 2 errors. Thanks for the responses.
Acadia
January 4th, 2006, 01:37 PM
{QUOTE-> One question is when you boot into a snapshot, do you have to keep rebooting into the same snapshot. <-QUOTE}
When FD is working properly you can boot into any Snapshot at any time. If you want to recover from a mistake of some kind that you made on a particular Snapshot, you would boot into a pristine Snapshot and use it to update the muffed up Snapshot. Then you can reboot back into the original Snapshot and it will be as good as new. Whenever you use one Snapshot to update another, both Snapshots are then identical. So if you use a good Snapshot to update a bad Snapshot, both Snapshots would now be good.
Acadia
G1111
January 4th, 2006, 02:01 PM
{QUOTE-> When FD is working properly you can boot into any Snapshot at any time. If you want to recover from a mistake of some kind that you made on a particular Snapshot, you would boot into a pristine Snapshot and use it to update the muffed up Snapshot. Then you can reboot back into the original Snapshot and it will be as good as new. Whenever you use one Snapshot to update another, both Snapshots are then identical. So if you use a good Snapshot to update a bad Snapshot, both Snapshots would now be good.
Acadia <-QUOTE}
Acadia - How would you make your default (boot) snapshot your main one so that on reboot you don't have to <Enter> F1 again to enter the same or other snapshot. That is if I reboot (F1) to a snapshot I know is good and want to make that one my default or permanent so I don't have to keep rebooting using FD (and entering F1)?
Acadia
January 4th, 2006, 02:09 PM
{QUOTE-> Acadia - How would you make your default (boot) snapshot your main one so that on reboot you don't have to <Enter> F1 again to enter the same or other snapshot. That is if I reboot (F1) to a snapshot I know is good and want to make that one my default or permanent so I don't have to keep rebooting using FD (and entering F1)? <-QUOTE}
Whatever Snapshot you are in when you shut your system down, you will be in that Snapshot the next time that you turn your system on. Whenever you enter into a Snapshot it is as if the other Snapshots cease to exist; that Snapshot becomes your one and only c:drive. All Snapshots have equal weight and importance, you can choose any Snapshot that you want to use as your normal booting Snapshot; if you are in that Snapshot when you shut down, you will be in that Snapshot when you reboot. You can enter another Snapshot either by the F1 reboot method, or using the option to do so in the FD-ISR program itself.
Acadia
Acadia
January 4th, 2006, 02:24 PM
G1111, there is a pdf manual that you can look at or download here, look for the FirstDefense-ISR User Guide:
http://www.raxco.com/support/windows/SupportOptions.cfm?product=fdisr&ProductVersion=fd
This is for the older version of FD but the older version of FD is identical to the newer version in the way that those particular features work. Downloading the pdf at the above link will give you a good heads up on many of the features of the new version; the way those old features work has not changed.
Acadia
G1111
January 4th, 2006, 02:29 PM
Thanks Acadia - That clears it up. I will also download the manual.
Are AV scan times longer (depending on how many snapshots you have saved)?
From FD website:
"There are interoperability issues with Kaspersky Anti-Virus 5.0 and FirstDefense. If you have KAV 5.0 installed, then FirstDefense is not supported on your system."
I am currently using KAV 5.0 personal. May have to wait for this to be resolved until I try FD-ISR again or switch to NOD32 when my KAV subscription expires.
Acadia
January 4th, 2006, 02:48 PM
{QUOTE-> Thanks Acadia - That clears it up. I will also download the manual.
Are AV scan times longer (depending on how many snapshots you have saved)?
From FD website:
"There are interoperability issues with Kaspersky Anti-Virus 5.0 and FirstDefense. If you have KAV 5.0 installed, then FirstDefense is not supported on your system."
I am currently using KAV 5.0 personal. May have to wait for this to be resolved until I try FD-ISR again or switch to NOD32 when my KAV subscription expires. <-QUOTE}
Ok, be EXTREMELY careful if you have both KAV 5.0 and FD on your system. In version 5.0, KAV uses the Alternate Data Streams when you do a full system on-demand scan. The ADS hoses the Master Boot Record setup for the FD program -- I KNOW FROM PERSONAL EXPERIENCE.
As I understand it, you can still use KAV on your system if you turn off the ADS feature somewhere in the options, or something like that. There are a couple of folks here who use KAV and FD with the ADS turned off. I personally made the switch to NOD, but that is just my personal preference, plus I got pissed at KAV tech support for ignoring my pleas for help when their product hosed my MBR.
Scan times may be longer depending upon which AV that you are using. Yes, my scan times are unfortunately much longer with NOD as it scans all 10 of my Snapshots; picture scanning your c:drive 10 times consecutively. Norton and I believe McAfee did not scan all snapshots. Also, TrojanHunter and Spy Sweeper will scan all Snapshots. I use Spy Sweeper's Smart Sweep option to avoid that. AdAware and Spybot do not scan all 10 Snapshots. Good luck.
Acadia
G1111
January 4th, 2006, 03:07 PM
{QUOTE-> Ok, be EXTREMELY careful if you have both KAV 5.0 and FD on your system. In version 5.0, KAV uses the Alternate Data Streams when you do a full system on-demand scan. The ADS hoses the Master Boot Record setup for the FD program -- I KNOW FROM PERSONAL EXPERIENCE.
As I understand it, you can still use KAV on your system if you turn off the ADS feature somewhere in the options, or something like that. There are a couple of folks here who use KAV and FD with the ADS turned off. I personally made the switch to NOD, but that is just my personal preference, plus I got pissed at KAV tech support for ignoring my pleas for help when their product hosed my MBR.
Scan times may be longer depending upon which AV that you are using. Yes, my scan times are unfortunately much longer with NOD as it scans all 10 of my Snapshots; picture scanning your c:drive 10 times consecutively. Norton and I believe McAfee did not scan all snapshots. Also, TrojanHunter and Spy Sweeper will scan all Snapshots. I use Spy Sweeper's Smart Sweep option to avoid that. AdAware and Spybot do not scan all 10 Snapshots. Good luck.
Acadia <-QUOTE}
Thanks Acadia - You need to turn ADS (Kavichs) off when you install KAV. I believe to disable it you need to uninstall and you can get rid of them during the uninstall process. There is also a KAVICHS cleaner tool at Kaspersky's website. I still have a few of them on my machine (they show up in a RootkitRevealer scan). I wasn't concerned about them, but would have to clear those out if I reinstalled FDISR. That may explain some of the errors in the snapshots I created.
Acadia
January 4th, 2006, 03:44 PM
{QUOTE-> There is also a KAVICHS cleaner tool at Kaspersky's website. <-QUOTE}
The ADS remover at Kaspersky did not work for me, I had to use another, the program that RejZor created.
Acadia
G1111
January 4th, 2006, 04:01 PM
{QUOTE-> The ADS remover at Kaspersky did not work for me, I had to use another, the program that RejZor created.
Acadia <-QUOTE}
I'll have to check that one out. Do you have a link?
Acadia
January 4th, 2006, 04:26 PM
{QUOTE-> I'll have to check that one out. Do you have a link? <-QUOTE}
No, sorry, I don't. As you are probably aware, he's a very regular member here, just send him a PM.
Acadia
Peter2150
January 4th, 2006, 05:49 PM
Hi Guys
I am running KAV 5.0 on one machine with FDISR. Yes you do need to install it with the Istream turned off. I used KLStream.exe from the kav website to clean the machine. Works best if in the C:\ root directory.
The new KAV 6.0 which is currently in beta uses a different database technology which works great with FDISR. I like it cause a full scan on my machine takes about 1:15 minutes, but then scans after that take about 4 minutes.
Also I've watched and KAV scans the root $isr directory, program and logs directory, but doesn't scan the other snapshots.
@G1111 Aside from disabling process guard, I would also disable your AV when you use FDISR. It will run much faster. Also I would recommend if you are going to consider one snapshot as a "default" I would make the primary one built by FDISR when you installed it. This is your original C:\ drive.
Pete
G1111
January 4th, 2006, 08:47 PM
{QUOTE-> Hi Guys
@G1111 Aside from disabling process guard, I would also disable your AV when you use FDISR. It will run much faster. Also I would recommend if you are going to consider one snapshot as a "default" I would make the primary one built by FDISR when you installed it. This is your original C:\ drive.
Pete <-QUOTE}
Thanks for the comments and answers everyone. I put this back on my list to try again. I see the need for a recovery program even though I have a lot of security running.
TonyW
January 5th, 2006, 10:06 PM
{QUOTE-> Only GoBack is constantly "running", constantly keeping track of every single file change. FirstDefense just sits there doing nothing until you make or update a Snapshot. <-QUOTE}
Although it should be mentioned there are two FD files running in Task Manager, namely ISRMonitor.exe and ISRService.exe. However, they are very small in size, around 450k and 590k respectively.