View Full Version : Sandboxie v2.86
ErikAlbert
April 23rd, 2007, 01:34 PM
This thread is about Sandboxie ONLY. So please, stick to the subject.
You don't have to tell me how good or bad Sandboxie is. So no emotional outbursts or comments regarding Sandboxie, because these comments don't make me any wiser.
You don't have to tell me that Sandboxie causes some troubles on certain computers, all softwares have that in common and that doesn't make me any wiser either.
I don't want any comparison with other softwares either, this is about Sandboxie, nothing else.
I only want to know HOW Sandboxie works, in other words the philosophy behind Sandboxie. I'm using Sandboxie for two days, so I'm certainly not an experienced user of Sandboxie, but Sandboxie seems to love my total system so far.
The bottom line is : I want to figure out, if Sandboxie is worth my time to LEARN it in detail and use it in my frozen snapshot as a protection in the period between two reboots.
This thread might also be useful for potential users and for discussions, but first I like to know if I understand the concept of Sandboxie and I would like to have an answer to my questions.
---------------------------------------------------------------------------------------------------
As far as I understand Sandboxie works like this, if I'm wrong please correct me :
1. You can choose which application has to run sandboxed or NOT.
Weird question : what happens when Look'n'Stop (my actual firewall) is sandboxed ?
It seems to me you have to decide carefully which application will be sandboxed or not.
What are the general rules to run an application sandboxed or not ?
2. Once an Application is sandboxed :
a. It can only read objects on the REAL harddisk
b. All write operations are done in a Transient Storage Area, called SANDBOX and NEVER on the REAL harddisk.
3. This means to me that the SANDBOX can contain GOOD and BAD objects.
a. If I download IZARC37.EXE, which is a GOOD object, the file will be written and stored in the SANDBOX under the right folder, that looks like the real folder, but is in fact a folder in the SANDBOX.
If I want to keep IZARC37.EXE, I assume, I have to copy/paste this file FROM the SANDBOX TO the real folder.
When I clean the SANDBOX : the file IZARC37.EXE will be removed, but is still stored in the real folder.
If I don't want to keep IZARC37.EXE, I just clean the SANDBOX and everything is gone.
b. If I download TROJAN.EXE, which is a BAD object, the file will be written and stored in the SANDBOX just like a GOOD object.
If I doubleclick TROJAN.EXE inside the SANDBOX, the TROJAN will be executed, BUT whatever the TROJAN writes, it will be kept inside the SANDBOX and won't affect the real harddisk.
If I clean the SANDBOX, everything what the TROJAN.EXE did, will be GONE forever.
Conclusion : if the user doesn't know the difference between GOOD and BAD objects, he still can infect his own computer by moving the bad objects to his real harddisk.
----------------------------------------------------------------
If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this ?
Thanks in advance for your co-operation. :)
Pedro
April 23rd, 2007, 02:05 PM
1. Yes you choose. It only sandboxes (virtualizes..) what you want, or what you specifically assigned. Your FW is not sandboxed.
General rules? I don't know how to answer, you sandbox what you want to completely isolate from your system. Mostly browser, messenger, like that. Every change, download, etc. goes to the virtual container, the sandbox. Registry changes go to fake registry, files to fake file system...
To retrieve what you want, you define what folders you want monitored, and assign them to the "Quick Recovery". In the GUI, Configuration-Sandbox Settings-Set Automatic Cleanup options. Should be really simple to use. You add folders here, and choose how you want it to run. If you tick "automatically delete contents..", when you close the browser or whatever, if anything is in those folders, you'll be asked if you want to check them, using "Quick Recovery".
I could go on and on, but this is waste.
No post can explain better than SandboxIE's site:
http://www.sandboxie.com/index.php?HelpTopics
Read Getting Started, all the way down to FAQ. You'll read it easy. And understand. Trust me.
2. Yes. But you can set what folders are not to be allowed read.
3.
a. yes. It's you in control of what you keep. When you delete the sandbox, everything you didn't copy to the real file system, and left there, is deleted (or erased, if you want to associate an eraser to SandboxIE).
b. exactly.
Conclusion: yes.
----------
{QUOTE->
If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this ?
<-QUOTE}
Sort of. You sure can look at everything that was written to the sandbox. And only changes made exist, so it can be useful for that.
From what i read in your post, you don't want to miss the FAQ, and this (http://www.sandboxie.com/index.php?DetectingKeyLoggers).
But i really think you can/should read the whole site:) . Skip the functions you don't care, and it won't take you much time. It's a good read.:thumb:
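The review step discussed above (looking at what a sandboxed program wrote before recovering anything to the real disk), as an added example that is not part of the thread and not Sandboxie's own code. It assumes the sandbox keeps redirected files in a subfolder that mirrors the real drive; the `drive/C` name, the function names and the sample files are assumptions made for the illustration, and only files are covered, not the sandboxed registry.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that deserve a scan before they are recovered to the real disk.
RISKY_EXT = {".exe", ".dll", ".sys", ".scr", ".bat", ".cmd", ".vbs", ".js"}


def file_digest(path):
    """SHA-256 of a file, read in blocks so large downloads are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def sandbox_changes(sandbox_root, mirrors):
    """List every file held in the sandbox and compare it with the real disk.

    mirrors maps a subfolder of the sandbox (assumed layout, e.g. "drive/C")
    to the real folder it shadows. Because the sandbox only holds what was
    written, each entry is something a sandboxed program created or changed.
    """
    findings = []
    sandbox_root = Path(sandbox_root)
    for subdir, real_base in mirrors.items():
        mirror = sandbox_root / subdir
        if not mirror.is_dir():
            continue
        for item in sorted(mirror.rglob("*")):
            if not item.is_file():
                continue
            rel = item.relative_to(mirror)
            real = Path(real_base) / rel
            if not real.exists():
                status = "new"          # exists only inside the sandbox
            elif file_digest(real) != file_digest(item):
                status = "modified"     # sandbox copy differs from the real file
            else:
                status = "unchanged"    # copied into the sandbox, same content
            findings.append({
                "status": status,
                "path": rel.as_posix(),
                "would_land_at": str(real),   # where a recovery would put it
                "executable": item.suffix.lower() in RISKY_EXT,
            })
    return findings


def needs_review(findings):
    """New or changed executables: scan these before recovering them."""
    return [f for f in findings
            if f["status"] != "unchanged" and f["executable"]]


def demo():
    """Build a constructed 'real disk' and 'sandbox' in a temp folder."""
    with tempfile.TemporaryDirectory() as tmp:
        real = Path(tmp) / "real_C"
        box = Path(tmp) / "box" / "drive" / "C"
        (real / "Docs").mkdir(parents=True)
        (real / "Docs" / "notes.txt").write_text("original")
        (box / "Docs").mkdir(parents=True)
        (box / "Downloads").mkdir()
        # Constructed sample content, not real program files.
        (box / "Docs" / "notes.txt").write_text("changed inside the sandbox")
        (box / "Downloads" / "IZARC37.EXE").write_bytes(b"constructed placeholder")
        (box / "Downloads" / "readme.txt").write_text("hello")
        return sandbox_changes(Path(tmp) / "box", {"drive/C": real})


if __name__ == "__main__":
    report = demo()
    for f in report:
        flag = "  <-- scan before recovery" if f in needs_review(report) else ""
        print(f'{f["status"]:9} {f["path"]}{flag}')
```
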
lucas1985
April 23rd, 2007, 02:40 PM
Why would you want to run your firewall sandboxed?
lu_chin
April 23rd, 2007, 02:52 PM
I think it also depends on how you define what a bad object is. Does a bad object always have to write to the hard-disk or change registry entries? If you download a password stealer program and run it, it can still do its damage even though it may not have written files to the hard-disk or modified the registry. A firewall program may or may not catch it when it sends out data.
Peter2150
April 23rd, 2007, 03:05 PM
Hi Erik
I am posting in this format as I am a bit lazy.
As far as I understand Sandboxie works like this, if I'm wrong please correct me :
1. You can choose which application has to run sandboxed or NOT.
Weird question : what happens when Look'n'Stop (my actual firewall) is sandboxed ?
It seems to me you have to decide carefully which application will be sandboxed or not.
What are the general rules to run an application sandboxed or not ?
Yes you can choose what is sandboxed. You wouldn't want to run a firewall sandboxed. What you really want to run sandboxed is applications that download from the web, or something like winzip if you have occasion to be suspicious of the contents. I run Opera and IE sandboxed, and chose not to run my email clients sandboxed. If an Email were to have an attachment I am curious about, I would leave it alone in Outlook, and go on the web, and use the web based email to check it out.
2. Once an Application is sandboxed :
a. It can only read objects on the REAL harddisk
It can also read files in the sandbox.
b. All write operations are done in a Transient Storage Area, called SANDBOX and NEVER on the REAL harddisk.
Yes. Although you can specify exceptions.
3. This means to me that the SANDBOX can contain GOOD and BAD objects.
a. If I download IZARC37.EXE, which is a GOOD object, the file will be written and stored in the SANDBOX under the right folder, that looks like the real folder, but is in fact a folder in the SANDBOX.
YES
If I want to keep IZARC37.EXE, I assume, I have to copy/paste this file FROM the SANDBOX TO the real folder.
When I clean the SANDBOX : the file IZARC37.EXE will be removed, but is still stored in the real folder.
If I don't want to keep IZARC37.EXE, I just clean the SANDBOX and everything is gone.
No you normally don't have to copy paste. First there is an automatic clean and recover which I don't use. There is a manual recover which allows you to easily recover files to where you placed them or even choose another location. Should you select the delete sandbox option, if there are recoverable files, you will first be given a recovery option.
If I chose a non standard download area like my D: drive, then I might have to copy and paste.
b. If I download TROJAN.EXE, which is a BAD object, the file will be written and stored in the SANDBOX just like a GOOD object.
Yes it will.
If I doubleclick TROJAN.EXE inside the SANDBOX, the TROJAN will be executed, BUT whatever the TROJAN writes, it will be kept inside the SANDBOX and won't affect the real harddisk.
If I clean the SANDBOX, everything what the TROJAN.EXE did, will be GONE forever.
Correct.
Conclusion : if the user doesn't know the difference between GOOD and BAD objects, he still can infect his own computer by moving the bad objects to his real harddisk.
This is true. No substitute for thinking
----------------------------------------------------------------
If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this ?
It should be.
Erik you are protected to a degree, as Sandboxie won't let you install a service. For instance when I tried installing KAV in the Sandbox when it tried to install a service it couldn't so the install failed and KAV rolled it back. Online Armor let me install, but once I tried to start it, it couldn't start its service so it failed. Deleted the sandbox and everything was gone.
Pete
ErikAlbert
April 23rd, 2007, 03:07 PM
{QUOTE-> Why would you want to run your firewall sandboxed? <-QUOTE}
I didn't ask that question out of stupidity. I would never sandbox my firewall. I just put it extreme, because I like to know what makes Sandboxie-users decide to sandbox an application or not, which doesn't seem to be clear in Sandboxie.
Where is the limit of useful sandboxing ? What is absurd in sandboxing ?
It seems to me, I have to figure it out myself. :)
lucas1985
April 23rd, 2007, 03:24 PM
{QUOTE-> I like to know what makes Sandboxie-users decide to sandbox an application or not, which doesn't seem to be clear in Sandboxie. <-QUOTE}
You should sandbox applications which may be used to install/download/execute malware. For the most part, browsers, mail clients, IM clients are the usual target for sandboxing. IMO, mail clients shouldn't be sandboxed if you read mail as only-text and discard unknown/unrequested mails/attachments. On the other hand, attachments which you trust can be saved to disk and executed inside the sandbox.
You can also run a sandboxed copy of Word/Excel/Powerpoint/PDF viewer if you suspect that some document may have dangerous macros/scripts embedded.
{QUOTE-> What is absurd in sandboxing ? <-QUOTE}
Installing apps which require:
- Kernel drivers.
- Register of service.
- Add autostart entries to registry.
ErikAlbert
April 23rd, 2007, 03:45 PM
Thanks you guys. At first sight, Sandboxie seems to be good for immediately usage and it can be useful in the future, when I want to know, what a malware exactly writes on my computer.
If I execute the malware for real in my frozen snapshot, I can check the Detailed Log, if FDISR removed the same bad objects during a copy/update FROM Freeze Storage.arx TO frozen snapshot. At least that's what I hope. :)
ErikAlbert
April 23rd, 2007, 03:53 PM
Lucas,
OK. I got the picture. Thanks.
Bob D
April 23rd, 2007, 04:00 PM
{QUOTE->
....You can also run a sandboxed copy of Word/Excel/Powerpoint/PDF viewer if you suspect that some document may have dangerous macros/scripts embedded. <-QUOTE}
Part of the beauty of Sandboxie is that you should be able to open sandboxed files with native programs, and the launched app will automatically run the file sandboxed.
i.e.: If I download/open a .pdf file (whilst browsing sandboxed), my pdf reader will automatically launch and open up the file in a sandboxed environment.
The same should apply to most app.s.
Meriadoc
April 23rd, 2007, 04:09 PM
Sandboxie, or a sandbox interrupts the flow of processed information to the hard disk. The concept of a sandboxie is to keep the overall integrity of your machine security while not having to harden the controls and losing useful function.
Some problems found with Sandboxie are that it needs to reduce conflict with third-party software and eliminate malfunctions such as system and program crash/lock-up as soon as it started and when closing. That said versions and fixes come regularly and Sandboxie has an active community.
Things to learn and of interest are SandboxieIni and Portable Sandbox.
When I have some more time I'll come back to this thread.:)
ErikAlbert
April 23rd, 2007, 04:22 PM
What I like about Sandboxie is that it also works on my second harddisk = my data partition [D:], which isn't protected by FDISR.
Pedro
April 23rd, 2007, 04:33 PM
One thing i still didn't figure out: what completes SandboxIE. Right now, despite the whole arsenal installed (:) ), i'm only running active CPF, SandboxIE and Antivir.
With SandboxIE, i have what i want to have. But because i'm hooked, as you guys, i look for what completes it, like - if malware runs inside the sandbox, it can still do something, like recording my Wilders password :) .
What completes what SandboxIE lacks???
Jarmo P
April 23rd, 2007, 04:51 PM
Using Sandboxie reduces the need to have antispyware programs etc. So I am running also it with Comodo and have also Avira AntiVir. Though Avira is not of course much needed with Sandboxie.
I like the fact that CPU usage from my security programs is zero.
ErikAlbert
April 23rd, 2007, 05:00 PM
{QUOTE->
With SandboxIE, i have what i want to have. But because i'm hooked, as you guys, i look for what completes it, like - if malware runs inside the sandbox, it can still do something, like recording my Wilders password :) .
What completes what SandboxIE lacks??? <-QUOTE}
Recording the password doesn't sound dangerous to me, unless it SENDS the password to the thief, that is dangerous.
If the recorded password is still in the sandbox, it will be removed once you clean the sandbox. Recording and sending are different actions.
Pedro
April 23rd, 2007, 05:18 PM
{QUOTE-> Using Sandboxie reduces the need to have antispyware programs etc. So I am running also it with Comodo and have also Avira AntiVir. Though Avira is not of course much needed with Sandboxie.
I like the fact that CPU usage from my security programs is zero. <-QUOTE}
:) Great minds..
{QUOTE-> Recording the password doesn't sound dangerous to me, unless it SENDS the password to the thief, that is dangerous.
If the recorded password is still in the sandbox, it will be removed once you clean the sandbox. Recording and sending are different actions. <-QUOTE}
That's a very good point. Malware won't have privileged access, and easily detected by Comodo. Or is it?
But as i'm thinking of turning off certain features in Comodo, i would still like to know the answer, not involving the firewall. You know, i got to install something;D
Bob D
April 23rd, 2007, 06:34 PM
{QUOTE-> Recording the password doesn't sound dangerous to me, unless it SENDS the password to the thief, that is dangerous.
If the recorded password is still in the sandbox, it will be removed once you clean the sandbox. Recording and sending are different actions. <-QUOTE}
You have to think of Sandboxie as a "one-way" valve,
Stuff cannot be written TO harddrive, but stuff can be READ (accessed) from HD and potentially sent out.
Per Erik's observation above: Any nasties on your system will simply and completely go away upon shutdown.
{QUOTE-> What completes what SandboxIE lacks <-QUOTE}
Merely good outbound protection. Be it good firewall/HIPS, warning if anything should attempt to "phone home".
Bob D
April 23rd, 2007, 06:46 PM
Addendum to prior post.
Although Sandboxie does allow you to surf with virtual impunity, some common sense browsing procedures should keep you quite secure.
For instance: If I do any online banking / security trading, upon completion I DO NOT instantly start browsing various crack / porn sites.
Common sense dictates shut down browser (thus hopefully clearing any sensitive data in memory), re-open browser, THEN browse the dark side.
ErikAlbert
April 23rd, 2007, 07:12 PM
{QUOTE->
For instance: If I do any online banking / security trading, upon completion I DO NOT instantly start browsing various crack / porn sites.
Common sense dictates shut down browser (thus hopefully clearing any sensitive data in memory), re-open browser, THEN browse the dark side. <-QUOTE}
My on-line banking isn't so dangerous anymore since my bank created recently a very complicated login procedure, which is explained in this thread :
http://www.wilderssecurity.com/showthread.php?t=169704
Even a malicious keylogger is worthless with such a login procedure.
Thanks for the other explanations, all bits help. :)
Bob D
April 23rd, 2007, 07:29 PM
{QUOTE-> My on-line banking isn't so dangerous anymore since my bank created recently a very complicated login procedure.... <-QUOTE}
My bank also has all sorts of high technological security stuff as well.
Call me old fashioned / overly paranoid, but it's no big deal after online banking to simply close browser, re-open.
My K-Meleon takes <1.5 seconds to open. :)
Regards
argus tuft
April 23rd, 2007, 08:53 PM
Kind of off topic, but the question is about sandboxie...
Is there any way of viewing the sandboxed 'virtual' registry?
Meriadoc
April 24th, 2007, 03:33 AM
argus tuft :
{QUOTE-> Is there any way of viewing the sandboxed 'virtual' registry? <-QUOTE}
You could dump the sandboxed registry held in registry.dat within the data folder. Sandboxie also creates values in the real registry in memory.
Erik :
{QUOTE-> What I like about Sandboxie is that it also works on my second harddisk = my data partition [D:], which isn't protected by FDISR. <-QUOTE}
You can also create and use a sandbox across machines portable sandbox (http://www.sandboxie.com/index.php?PortableSandbox).
You can tweak SB via SandboxieIni for example block drivers (http://www.sandboxie.com/index.php?BlockDrivers) is a setting in SandboxieIni (http://www.sandboxie.com/index.php?SandboxieIni).
Peter2150
April 24th, 2007, 08:06 AM
Gave Sandboxie a trial by fire last night.
Downloaded DFK - Threat Simulator by Morgud. Ran it on my VM machine.
First pass I disabled all security software, and ran it. Geesh, did it take hold of the machine. I rebooted and it even created its own password protected account. I was able to boot back to my account and ran a KAV scan. It found some 29 different malware.
I reset the machine back to its pretest state, and ran another pass, this time Sandboxing the first exe that starts the whole thing. Also had security software totally disabled. While it was able to seemingly take parts of the machine, Sandboxie by blocking some of the service installs prevented some of the stuff from getting in. I rebooted, and the DFK account wasn't there. Once back in, I deleted the sandbox and did a KAV scan and the machine was clean.
Did a third test same way, only before rebooting, I just terminated all sandbox processes, which made the apparent effects of the take over go away, and then deleted the Sandbox. Again a KAV scan showed clean.
So while there were some visible effects, in fact Sandboxie alone protected me from the threat simulator. Very impressive.
Pete
ErikAlbert
April 24th, 2007, 08:28 AM
{QUOTE->
So while there were some visible effects, in fact Sandboxie alone protected me from the threat simulator. Very impressive. <-QUOTE}
Sounds very encouraging to me Peter. Another step forward in my plans. I'm getting closer and closer every day to what I really want. :)
Peter2150
April 24th, 2007, 09:27 AM
{QUOTE-> Sounds very encouraging to me Peter. Another step forward in my plans. I'm getting closer and closer every day to what I really want. :) <-QUOTE}
What I really like is no complicated worries about where I save files I download, and no reboots to clean up. If I was using a frozen snapshot for just surfing, I think it would be bye bye frozen snapshot.
ErikAlbert
April 24th, 2007, 09:39 AM
{QUOTE-> What I really like is no complicated worries about where I save files I download, and no reboots to clean up. If I was using a frozen snapshot for just surfing, I think it would be bye bye frozen snapshot. <-QUOTE}
I'm not going to ditch my frozen snapshot. I don't trust any of my security applications, not even Sandboxie and I still have other weapons, if my frozen snapshot ever fails, which has to be proven first.
My whole security is partial based on restoration, the ultimate weapon against any infection. I only need more time to polish it. :)
An extreme test for FDISR, would be a honeypot and then try to clean that honeypot with a clean snapshot. ;D
Unfortunately, none of the security people are interested to do such a test, they prefer to test scanners to prove how many infections they MISSED and how many false/positives they reported. That doesn't interest me, because I know this already. ::)
Peter2150
April 24th, 2007, 10:21 AM
{QUOTE->
An extreme test for FDISR, would be a honeypot and then try to clean that honeypot with a clean snapshot. ;D
Unfortunately, none of the security people are interested to do such a test, they prefer to test scanners to prove how many infections they MISSED and how many false/positives they reported. That doesn't interest me, because I know this already. ::) <-QUOTE}
Isn't converting A Vista snapshot, into an XP snapshot using an FDISR archive enough of a test for you.;D
ErikAlbert
April 24th, 2007, 10:25 AM
{QUOTE-> Isn't converting A Vista snapshot, into an XP snapshot using an FDISR archive enough of a test for you.;D <-QUOTE}
That test was also extreme and successful, but that's not the same as removing any kind of infection, from simple infections to the most sophisticated hidden infections.
Peter2150
April 24th, 2007, 11:11 AM
{QUOTE-> That test was also extreme and successful, but that's not the same as removing any kind of infection, from simple infections to the most sophisticated hidden infections. <-QUOTE}
Same principle. Okay I will screw up my system with DFK Threat Simulator, a bit later.
ErikAlbert
April 24th, 2007, 11:23 AM
{QUOTE-> Same principle. Okay I will screw up my system with DFK Threat Simulator, a bit later. <-QUOTE}
Is DFK Threat Simulator such a good collection of infections, that EACH TYPE of infection is included. ?
Peter2150
April 24th, 2007, 11:35 AM
{QUOTE-> Is DFK Threat Simulator such a good collection of infections, that EACH TYPE of infection is included. ? <-QUOTE}
Google it, and read the description. Sure makes a mess of the system, albeit with defanged stuff. Also comes with an uninstaller which I didn't bother with using.
ErikAlbert
April 24th, 2007, 12:18 PM
{QUOTE-> Google it, and read the description. Sure makes a mess of the system, albeit with defanged stuff. Also comes with an uninstaller which I didn't bother with using. <-QUOTE}
I'm sure it will make a mess of your system, but this is nothing but a "good" theoretical test.
Nevertheless, I will try it myself one day, when I'm ready.
I remember the BBC Honeypot and they admitted, that this honeypot couldn't be cleaned with the classical security softwares. The honeypot had to be re-installed from scratch to clean it completely.
If FDISR is able to clean such a honeypot, I would feel more comfortable.
Peter2150
April 24th, 2007, 12:42 PM
{QUOTE-> I'm sure it will make a mess of your system, but this is nothing but a "good" theoretical test.
Nevertheless, I will try it myself one day, when I'm ready.
I remember the BBC Honeypot and they admitted, that this honeypot couldn't be cleaned with the classical security softwares. The honeypot had to be re-installed from scratch to clean it completely.
If FDISR is able to clean such a honeypot, I would feel more comfortable. <-QUOTE}
No matter how bad it is, it is still just files. Do you have a link to the BBC Honeypot.
Pete
ErikAlbert
April 24th, 2007, 12:49 PM
{QUOTE-> No matter how bad it is, it is still just files. Do you have a link to the BBC Honeypot. <-QUOTE}
I was too lazy to look it up, but here it is :
http://news.bbc.co.uk/2/hi/technology/5414502.stm
http://news.bbc.co.uk/1/hi/technology/6035455.stm
These are the threads at Wilders about the BBC Honeypot :
http://www.wilderssecurity.com/showthread.php?t=150254&highlight=Honeypot
http://www.wilderssecurity.com/showthread.php?p=854479#post854479
Peter2150
April 24th, 2007, 02:33 PM
{QUOTE-> I was too lazy to look it up, but here it is :
http://news.bbc.co.uk/2/hi/technology/5414502.stm
http://news.bbc.co.uk/1/hi/technology/6035455.stm
These are the threads at Wilders about the BBC Honeypot :
http://www.wilderssecurity.com/showthread.php?t=150254&highlight=Honeypot
http://www.wilderssecurity.com/showthread.php?p=854479#post854479 <-QUOTE}
I found them, but since I sit behind a router, I can't really do a honeypot test. Too much of a physical cabling mess to get around it. But I may play with some live malware in my VM machine.
ErikAlbert
April 24th, 2007, 02:43 PM
{QUOTE-> I found them, but since I sit behind a router, I can't really do a honeypot test. Too much of a physical cabling mess to get around it. But I may play with some live malware in my VM machine. <-QUOTE}
OK. Peter, it doesn't really matter, I was only trying to tell you that such a honeypot would be a very extreme test too.
Your VISTA--->XP test was also very extreme, that's why I believe it will remove any infection as well, BUT I would feel more comfortable, if it also cleaned a HEAVY INFECTED honeypot without any failure.
IBK (av-comparatives) has also an enormous test bed to test all these Anti-Virus softwares, so his test bed is also a very extreme test for FDISR. (hint) ;D
AJohn
April 24th, 2007, 03:32 PM
A while ago I was listening to a 'Security Now!' episode about sandboxing applications over at GRC.com and I remember Steve Gibson comparing different sandboxing applications and coming to the conclusion that SandboxIE was one of his favorite in the way in which the programs were designed.
Some may find this episode interesting:
http://www.grc.com/SecurityNow.htm#55
aigle
April 24th, 2007, 04:00 PM
Is he using FDISR or u want him to push this way?
AJohn
April 24th, 2007, 04:07 PM
I think he was hinting that FDISR has yet to let down av-comparatives ;D
aigle
April 24th, 2007, 04:10 PM
lol...
ErikAlbert
April 24th, 2007, 04:52 PM
{QUOTE-> Is he using FDISR or u want him to push this way? <-QUOTE}
No why would I do that ? He only has to test FDISR, not keep it.
Maybe he will enjoy it, doing something else for a change.
ErikAlbert
April 24th, 2007, 06:14 PM
Well Sandboxie causes the first error on my computer, never had that before.
Suddenly a popup window appears on my desktop, when I want to open Firefox :
Direct OCR Error (= Popup Window Title)
An error with Direct OCR caused a memory conflict in your open applications. Please restart Windows.
It happened several times today.
Franklin
April 24th, 2007, 07:37 PM
OCR, is that Optical Character Recognition and relating to a document scanner software?
Had a look around SB's forum and couldn't find anything related.
ErikAlbert
April 24th, 2007, 07:49 PM
{QUOTE-> OCR, is that Optical Character Recognition and relating to a document scanner software?
Had a look around SB's forum and couldn't find anything related. <-QUOTE}
I posted the problem at SB's forum. I wait for an answer, if I ever get one. :)
Meriadoc
April 24th, 2007, 08:54 PM
{QUOTE-> ...Security Now!' episode about sandboxing applications over at GRC.com... <-QUOTE}
I think if i remember he said you cannot trust Sandboxie for security only privacy and that you could leave no trace behind on a machine when using it.
True, for one Sandboxie can hold browser related, cache etc, so when you delete the sandbox the byproducts such as history disappears, but Sandboxie is more than that - and files can be undeleted.
Bob D
April 25th, 2007, 09:19 AM
{QUOTE-> :
....Direct OCR Error
An error with Direct OCR caused a memory conflict in your open applications.... <-QUOTE}
Are you running Omnipage?
{QUOTE-> I posted the problem at SB's forum. I wait for an answer, if I ever get one. <-QUOTE}
I don't think you'll have to wait long. Developer Tzuk is very active there.
ErikAlbert
April 25th, 2007, 02:37 PM
Franklin and BobD,
Thanks for the info you gave me, because it did ring a bell.
I posted this problem at SB-forum in my post "Direct OCR Error" and gave them more info concerning my all-in-one printer and the software of this printer installed a bar called "Canon Easy-WebPrint" and this bar could be the problem.
Firefox doesn't have this bar, but I switched often between Firefox and MSIE, while I was running Sandboxie.
I'm waiting for a reply of Tzuk and if necessary, I'm going to uninstall this bar and see if there is an improvement. I'm almost 100% sure that this bar IS the problem.
Sandboxie is a lot more important to me than this bar, which I don't use in practice.
Peter2150
April 26th, 2007, 10:32 AM
I've started testing some real malware to see how well I am protected both against the malware and myself. Programs I commonly run are SSM OA, KAV and sandboxie. Then also as Erik challenged recovery.
I started with Killdisk, and this thing is about as nasty as it gets.
Both OA and SSM block it providing I am smart enough to not let it run. KAV even without PDM flat wouldn't let it run. Even when I said skip to its alert of a virus it wouldn't let it run. I finally had to disable it.
When I ran Killdisk inside the sandbox, it failed. Sandboxie effectively protected me against it. Excellent.
Then I ran it and let it do its evil deed to check on recovery. On reboot all I got was a fatal partition error. FDISR is out of the picture. Then I tried a simple restore with Shadow Protect and it also failed. I had to run DiskPart to delete the messed up partition that Killdisk left behind. Then I was able to restore the Shadow Protect image.
This test also showed just how effective VMware machines are. I took a vm snapshot before the test, and while in the damage state of the disk, revert to the snapshot. Everything was perfect.
Pete
ErikAlbert
April 26th, 2007, 10:47 AM
{QUOTE->
Then I ran it and let it do its evil deed to check on recovery. On reboot all I got was a fatal partition error. FDISR is out of the picture. Then I tried a simple restore with Shadow Protect and it also failed. I had to run DiskPart to delete the messed up partition that Killdisk left behind. Then I was able to restore the Shadow Protect image.
<-QUOTE}
If I zero my harddisk instead of using DiskPart, will ShadowProtect recover my harddisk ?
Peter2150
April 26th, 2007, 01:58 PM
{QUOTE-> If I zero my harddisk instead of using DiskPart, will ShadowProtect recover my harddisk ? <-QUOTE}
If by zero it you mean format it no. I tried that first. I had to go in and use Diskpart to delete the partition.
BTW, neither Acronis True Image or Disk Director could do anything with until DiskPart was run. This is indeed one nasty dude.
But the bright side Sandboxie stopped it cold.
Pedro
April 26th, 2007, 02:07 PM
Always learning something. I thought SP would recover from something like that..
Peter: what is it that stops SP from recovering from that specific situation?
ErikAlbert
April 26th, 2007, 02:10 PM
{QUOTE-> If by zero it you mean format it no. I tried that first. I had to go in and use Diskpart to delete the partition.
BTW, neither Acronis True Image or Disk Director could do anything with until DiskPart was run. This is indeed one nasty dude.
But the bright side Sandboxie stopped it cold. <-QUOTE}
Zero is not the same as format. According to Western Digital, my zero program results in a NEW harddisk.
I always use that program when I reinstall from scratch.
The clean program of PartDisk overwrites EVERYTHING with zeroes. So there is no difference with my program.
ErikAlbert
April 26th, 2007, 02:44 PM
Well, my problem of "Direct OCR Error" seems to be gone, since I removed the bar "Canon Easy-WebPrint" in MSIE.
Tzuk was glad, I could solve it this way.
aigle
April 26th, 2007, 03:04 PM
Hi Peter, I am not sure but long ago when I tried Killdisk I did not need to use DiskPart. I simply formatted and installed XP by booting from XP CD (if I remember well I am not sure), can u check it?
Did u try it against frozen snapshot and ShadowUser/ Surfer/ PowerShadow etc?
Peter2150
April 26th, 2007, 05:01 PM
{QUOTE-> Always learning something. I thought SP would recover from something like that..
Peter: what is it that stops SP from recovering from that specific situation? <-QUOTE}
It leaves a really screwed up partition table out there. SP sees it as a FAT16 partition and it does the restore but can't set the partition active. Afterwards when you look you still don't see anything. Once you delete the bad partition then SP had no problem.
I tell you that is one nasty piece of work. Handy to have either a Windows CD which has the recovery console, or a BartPE disk which also has DiskPart on it.
Clearly prevention is the best way.
Peter2150
April 26th, 2007, 05:04 PM
{QUOTE-> Hi Peter, I am not sure but long ago when I tried Killdisk I did not need to use DiskPart. I simply formatted and installed XP by booting from XP CD (if I remember well I am not sure), can u check it?
Did u try it against frozen snapshot and ShadowUser/ Surfer/ PowerShadow etc? <-QUOTE}
I suspect that using the install of XP would have by default started with a clean slate. I was testing restore from an image, so slightly different.
None of the other programs above would have survived. Anything that required the c drive for recovery was toast. The drive was toast.
ErikAlbert
April 26th, 2007, 05:28 PM
Peter,
Thanks for the testing, I knew how nasty killdisk was, but I was never worried about it. Now we know for sure what to do in such a disaster scenario.
And Sandboxie did a very good job and that is also good to know.
Pedro
April 26th, 2007, 06:02 PM
{QUOTE-> It leaves a really screwed up partition table out there. SP sees it as a FAT16 partition and it does the restore but can't set the partition active. Afterwards when you look you still don't see anything. Once you delete the bad partition then SP had no problem.
<-QUOTE}
One last question: so SP doesn't restore the partition table, only MBR?
Shouldn't a program like this restore everything for a working OS?
I'm sorry if these Q's look really dumb.. ;D but this seems like a disaster for a "disaster recovery program".
aigle
April 26th, 2007, 06:09 PM
{QUOTE-> I suspect that using the install of XP would have by default started with a clean slate. I was testing restore from an image, so slightly different.
None of the other programs above would have survived. Anything that required the c drive for recovery was toast. The drive was toast. <-QUOTE}
I suspect ShadowUser/ Surfer etc might survive( I read here on forums but not sure).
Eaz_fix has survived here too.
ErikAlbert
April 26th, 2007, 07:07 PM
{QUOTE-> One last question: so SP doesn't restore the partition table, only MBR?
Shouldn't a program like this restore everything for a working OS?
I'm sorry if these Q's look really dumb.. ;D but this seems like a disaster for a "disaster recovery program". <-QUOTE}
Your reasoning isn't so bad at all. I would also expect from the Acronis Rescue CD, that it would restore an image from my external harddisk without troubles, no matter what is on my harddisk.
Of course it is standard procedure for me, to zero my harddisk and then restore an image after a malware attack, but this has nothing to do with what happened.
Bob D
April 26th, 2007, 07:12 PM
Digressing a bit here if I may, but one of my primary reasons for liking this software (enough to register), is its convenience, aside from all the security benefits (and they are substantial).
Before SandboxIE, I was constantly turning cookies on/off (depending on site visiting), as well as Java, JavaScripting, etc. Made me crazy.
OK, I'm at Wilders, cookies on. Browsing elsewhere, cookies off. Other trusted sites, damn, they're not rendering correctly, Java/JavaScript on.
Constantly clicking permission stuff depending where on the web I was.
At the end of sessions, I was constantly reviewing, subsequently selecting/deleting cookies, as well as clearing history, etc.
Ahhhh....With SandboxIE, I find the browsing experience much more relaxed.
Cookies, Java, JavaScripting, all ON.
Browsing done, close browser, EVERYTHING gone.
Simplistic approach. I like simple.
Peter2150
April 26th, 2007, 07:16 PM
{QUOTE-> One last question: so SP doesn't restore the partition table, only MBR?
Shouldn't a program like this restore everything for a working OS?
I'm sorry if these Q's look really dumb.. ;D but this seems like a disaster for a "disaster recovery program". <-QUOTE}
Hi Pedro
It does when the disk is totally blank, but Killdisk leaves things screwed up and you first get to a clean disk. By the way it wasn't just shadowprotect, but Acronis couldn't even tell the disk was there, and I couldn't do anything with that either.
Peter2150
April 26th, 2007, 07:17 PM
{QUOTE-> Your reasoning isn't so bad at all. I would also expect from the Acronis Rescue CD, that it would restore an image from my external harddisk without troubles, no matter what is on my harddisk.
Of course it is standard procedure for me, to zero my harddisk and then restore an image after a malware attack, but this has nothing to do with what happened. <-QUOTE}
See comment above. It would have, but I suspect you still would have had to do diskpart first to get to a blank drive.
Peter2150
April 26th, 2007, 07:17 PM
{QUOTE-> I suspect ShadowUser/ Surfer etc might survive( I read here on forums but not sure).
Eaz_fix has survived here too. <-QUOTE}
I may download trials and try.
Pedro
April 26th, 2007, 07:18 PM
{QUOTE-> Digressing a bit here if I may <-QUOTE}
Actually, you're not :) , and i also agree with you. Everything is in one place, where i can get rid of in a click or two.
I also have everything on, except cookies (go figure). With Opera, the few sites i want cookies for, i enable it for them.
Franklin
April 26th, 2007, 07:35 PM
I usually open all my trusted sites outside the sandbox with all my login details saved in FF's cache and password manager.
Then every time I empty the sandbox and start a new FF sandboxed browsing session the login details are resandboxed and retained hence speeding things up.
I have set CCleaner not to clean FF as emptying the sandbox gets rid of all other unwanted cookies and cached sites that are picked up in any browsing session.
Pedro
April 26th, 2007, 07:43 PM
{QUOTE->
It does when the disk is totally blank, but Killdisk leaves things screwed up and you first get to a clean disk. By the way it wasn't just shadowprotect, but Acronis couldn't even tell the disk was there, and I couldn't do anything with that either. <-QUOTE}
Thanks for the info. :thumb:
I realize by your tests/details (thanks btw) that most if not all would fail, but still i suppose SP should restore everything anyway. It holds how the HD was formatted, files, MBR et al, it should restore the information it holds on the HD when the image was taken.
ErikAlbert
April 26th, 2007, 07:52 PM
Peter,
You don't need a blank drive to restore an image, the image just restores over the existing harddisk. I've done this so many times. The contents of harddisk doesn't matter at all during a restoration.
If the CD didn't work after the killdisk, it means that CD isn't good enough.
The question is : if you didn't have DiskPart, would the CD have restored your harddisk or not ?
Peter2150
April 26th, 2007, 08:56 PM
{QUOTE-> Peter,
You don't need a blank drive to restore an image, the image just restores over the existing harddisk. I've done this so many times. The contents of harddisk doesn't matter at all during a restoration.
If the CD didn't work after the killdisk, it means that CD isn't good enough.
The question is : if you didn't have DiskPart, would the CD have restored your harddisk or not ? <-QUOTE}
Okay. For grins I am going to image with ATI in bart and see what happens.
ErikAlbert
April 26th, 2007, 09:36 PM
{QUOTE-> Okay. For grins I am going to image with ATI in bart and see what happens. <-QUOTE}
OK. That's good enough for me, but restore right after killdisk without using DiskPart. This should work properly, otherwise there is something wrong. After all not every user has DiskPart or any other zero program.
After that you can use DiskPart to be sure that everything is gone and restore again.
PS: I thought Acronis CD didn't work on your computer due to mouse problems ?
Peter2150
April 26th, 2007, 10:59 PM
{QUOTE-> OK. That's good enough for me, but restore right after killdisk without using DiskPart. This should work properly, otherwise there is something wrong. After all not every user has DiskPart or any other zero program.
After that you can use DiskPart to be sure that everything is gone and restore again.
PS: I thought Acronis CD didn't work on your computer due to mouse problems ? <-QUOTE}
It doesn't. I have ATI in a Bartpe CD.
Okay, the test results are in. First I did an image with Acronis from the BartPE CD.
@aigle I tried Shadowsurfer, ran killdisk while in shadowmode: Killdisk killed it dead.
Then tried Eazfix. Built several snapshots, and moved around them, and finally from the 3rd one I ran Killdisk. Eazfix fought back but ultimately lost. Killdisk shut the system down, but this time, it started reboot. Eazfix ran thru defragging all the snapshots, then optimized space, and then failed with the bad partition error. So then I moved on to the restore tests.
Booted to BartPE after the eazfix kill, and started to restore with ATI. Everything looked okay, so I stopped short of restoring and fired up Shadowprotect. Everything looked normal so I tried restore, and it worked just as we'd expect. Picture Peter scratching his head ;D
Then it occurred to me that this was the first time I'd tried a restore without the new FDISR which moved its preboot code to the partition table. So I decided to take two more shots at it without eazfix, once with FDISR uninstalled, and once with it installed. First try was with no FDISR.
I killed the disk and then proceeded to try the restore. First I started with ShadowProtect and when I saw the condition I'd seen as bad, I stopped and fired up Acronis. Normally when I'd select the image location I'd see C: primary and D: secondary. What I saw was C: local disk, and D: secondary. I selected the image from the D: drive, and moved on. I was able to select the right disk from the image, but when it came time to select the target the only choice even showing was the D: drive. C: drive was not there, hence no restore possible.
Erik if this puzzles you bear in mind that Killdisk's purpose is to really mess you up, and it trashes the partition table in a way that the imaging software can't get past it to do its thing. You are right that the average user would be in a world of hurt. Puzzlement is the difference with Eazfix.
Pete
ErikAlbert
April 26th, 2007, 11:34 PM
{QUOTE->
Erik if this puzzles you bear in mind that Killdisk's purpose is to really mess you up, and it trashes the partition table in a way that the imaging software can't get past it to do its thing. You are right that the average user would be in a world of hurt. Puzzlement is the difference with Eazfix. <-QUOTE}
Yes it puzzles me indeed, that you couldn't restore an image with an ATI/SP Recovery CD, right after a killdisk attack.
The Acronis Rescue CD is able to restore an image on a ZERO-ED harddisk, which is even worse than killdisk, because there is nothing anymore on a zero-ed harddisk.
BUT it can't restore an image after a killdisk attack, that is SOOO UNLOGICAL.
That makes any Recovery CD of any image backup software WORTHLESS after a killdisk attack. That is almost UNBELIEVABLE for me.
I'm very disappointed in this, I hope that somebody of ShadowProtect is able to explain this to me, because this will be my next Image Backup Software. Pffft.
Peter2150
April 27th, 2007, 12:00 AM
{QUOTE-> Yes it puzzles me indeed, that you couldn't restore an image with an ATI/SP Recovery CD, right after a killdisk attack.
The Acronis Rescue CD is able to restore an image on a ZERO-ED harddisk, which is even worse than killdisk, because there is nothing anymore on a zero-ed harddisk.
BUT it can't restore an image after a killdisk attack, that is SOOO UNLOGICAL.
That makes any Recovery CD of any image backup software WORTHLESS after a killdisk attack. That is almost UNBELIEVABLE for me.
I'm very disappointed in this, I hope that somebody of ShadowProtect is able to explain this to me, because this will be my next Image Backup Software. Pffft. <-QUOTE}
Erik you are missing the point. First of all it's not just Shadowprotect. Also it's not a normal situation, in that the partition has been deliberately damaged in a way that prevents SP, ATI and I suspect all the rest of the imaging programs from figuring out what is going on.
If they see no partition, or a good partition they can deal with it, but this one has been deliberately and purposely damaged. Therefore it has to be deleted. Once deleted both programs can do a restore. Remember you aren't dealing with a failure, but a deliberately malicious piece of work.
Diskpart, and an image restore is still one heck of a lot better than reinstalling windows. At least now we know what's going on and how to deal with it. Far better than to be struck and have no machine to do research with.
aigle
April 27th, 2007, 12:03 AM
{QUOTE-> That makes any Recovery CD of any image backup software WORTHLESS after a killdisk attack. That is almost UNBELIEVABLE for me.
I'm very disappointed in this, I hope that somebody of ShadowProtect is able to explain this to me, because this will be my next Image Backup Software. Pffft. <-QUOTE}
I can't believe this as well.
Peter two Qs for u.
1- Are u doing all this on VM? If yes, then I will suspect the results might be different on real hardware. VMs can't be 100% real many times.
2- When u failed with ATI and SP, did u try to insert an XP CD and see if it allows u to reinstall XP (without running DiskPart, as I think I did like this in the past, but not sure)? If XP CD allows a reinstall of windows then it might be OK for a normal user.
3- What is disk part?
aigle
April 27th, 2007, 12:03 AM
{QUOTE-> I tried Shadowsurfer, ran killdisk while in shadowmode: Killdisk killed it dead <-QUOTE}
Scary. I am still doubtful as I know very well that SS/ SU protects MBR.
{QUOTE->
Then tried Eazfix. Built several snapshots, and moved around them, and finally from the 3rd one I ran Killdisk. Eazfix fought back but ultimately lost. Killdisk shut the system down, but this time, it started reboot. Eazfix ran thru defragging all the snapshots, then optimized space, and then failed with the bad partition error. <-QUOTE}
Here is the flaw. When u reached Eaz-Fix pre-boot screen, did U try to restore just to the last snapshot taken before running KillDisk? I have done it and EAZ-FIX boots into all snapshots OK. U just lose ur current working state, nothing else by KillDisk. I am very much sure.
{QUOTE->
Then it occurred to me that this was the first time I'd tried a restore without the new FDISR which moved its preboot code to the partition table. <-QUOTE}
Preboot code is moved from MBR to PBR. As I know partition table is part of MBR. So preboot code is moved after partition table. It's my understanding. Am I correct?
{QUOTE->
Then it occurred to me that this was the first time I'd tried a restore without the new FDISR which moved its preboot code to the partition table. So I decided to take two more shots at it without eazfix, once with FDISR uninstalled, and once with it installed. First try was with no FDISR.
I killed the disk and then proceeded to try the restore. First I started with ShadowProtect and when I saw the condition I'd seen as bad, I stopped and fired up Acronis. Normally when I'd select the image location I'd see C: primary and D: secondary. What I saw was C: local disk, and D: secondary. I selected the image from the D: drive, and moved on. I was able to select the right disk from the image, but when it came time to select the target the only choice even showing was the D: drive. C: drive was not there, hence no restore possible.
<-QUOTE}
Sorry as I did not understand it at all. Also where is the try with FDISR?
ErikAlbert
April 27th, 2007, 12:16 AM
{QUOTE-> Erik you are missing the point. First of all it's not just Shadowprotect. Also it's not a normal situation, in that the partition has been deliberately damaged in a way that prevents SP, ATI and I suspect all the rest of the imaging programs from figuring out what is going on.
If they see no partition, or a good partition they can deal with it, but this one has been deliberately and purposely damaged. Therefore it has to be deleted. Once deleted both programs can do a restore. Remember you aren't dealing with a failure, but a deliberately malicious piece of work.
Diskpart, and an image restore is still one heck of a lot better than reinstalling windows. At least now we know what's going on and how to deal with it. Far better than to be struck and have no machine to do research with. <-QUOTE}
Maybe this is normal to you. I don't accept this. Period. Hopefully member "grnxnm" can explain this to me how that is possible. This is not normal.
A Recovery CD has to write any image over a harddisk, no matter what happened to that harddisk. That is its job.
Only a physical damage is an acceptable reason and that didn't happen.
aigle
April 27th, 2007, 12:35 AM
{QUOTE->
Of course it is standard procedure for me, to zero my harddisk and then restore an image after a malware attack, but this has nothing to do with what happened. <-QUOTE}
What does it mean? To ZERO the HD?
aigle
April 27th, 2007, 12:37 AM
{QUOTE-> Digressing a bit here if I may, but one of my primary reasons for liking this software (enough to register), is its convenience, aside from all the security benefits (and they are substantial).
Before SandboxIE, I was constantly turning cookies on/off (depending on site visiting), as well as Java, JavaScripting, etc. Made me crazy.
OK, I'm at Wilders, cookies on. Browsing elsewhere, cookies off. Other trusted sites, damn, they're not rendering correctly, Java/JavaScript on.
Constantly clicking permission stuff depending where on the web I was.
At the end of sessions, I was constantly reviewing, subsequently selecting/deleting cookies, as well as clearing history, etc.
Ahhhh....With SandboxIE, I find the browsing experience much more relaxed.
Cookies, Java, JavaScripting, all ON.
Browsing done, close browser, EVERYTHING gone.
Simplistic approach. I like simple. <-QUOTE}
Very well said Bob!:thumb:
Sandboxes keep u trouble free.
ErikAlbert
April 27th, 2007, 12:47 AM
{QUOTE-> What does it mean? To ZERO the HD? <-QUOTE}
For me it means that the whole harddisk is overwritten with "0" from the first possible byte to the very last possible byte of the harddisk. In other words you have a NEW harddisk with nothing than zeroes instead of data.
I zero my harddisk for only one reason : to remove any trace of infections.
This is done by a special program of course, provided by Western Digital. It takes 20 minutes to zero my harddisk of 74gb
I zero my harddisk always when I install manually from scratch or when I restore a CLEAN image, which was created during an off-line installation.
I don't zero my harddisk, when I restore an image that has been on-line. I consider on-line images as possible infected, which doesn't necessarily mean that these images are really infected.
aigle
April 27th, 2007, 01:08 AM
{QUOTE-> For me it means that the whole harddisk is overwritten with "0" from the first possible byte to the very last possible byte of the harddisk. In other words you have a NEW harddisk with nothing than zeroes instead of data. <-QUOTE}
How does it differ from a format?
{QUOTE-> I zero my harddisk for only one reason : to remove any trace of infections.
I zero my harddisk always when I install manually from scratch or when I restore a CLEAN image <-QUOTE}
It's ur choice but i am sure it is useless due to two reasons:
1- No malware will survive image restore/ format. So u might be just torturing ur HD or urself.
2- When u restore an image, u restore every thing, including ur file system etc, so no use of zero/ formatting HD before image restore?
I am not an expert. Correct me if I am wrong.
ErikAlbert
April 27th, 2007, 01:15 AM
{QUOTE-> How does it differ from a format?
I zero my harddisk for only one reason : to remove any trace of infections.
I zero my harddisk always when I install manually from scratch or when I restore a CLEAN image
It's ur choice but i am sure it is useless due to two reasons:
1- No malware will survive image restore/ format. So u might be just torturing ur HD or urself.
2- When u restore an image, u restore every thing, including ur file system etc, so no use of zero/ formatting HD before image restore?
I am not an expert. Correct me if I am wrong. <-QUOTE}
I'm not an expert either, I consider myself as a newbie+.
Did you never read about the erase methods in clean programs, these programs overwrite your free space 7 times or more to be sure it's clean ?
I'm not that crazy, but I like my disk zeroed before I reinstall it.
The popular CCleaner allows you to overwrite a free space 7 times. There must be a reason for this type of erasure.
aigle
April 27th, 2007, 01:41 AM
Eric! that is done for privacy reasons not to delete malware.
I am really surprised when people use such Erasers just to delete the software/ malware etc? Very strange indeed.
ErikAlbert
April 27th, 2007, 01:44 AM
{QUOTE-> Eric! that is done for privacy reasons not to delete malware.
I am really surprised when people use such Erasers just to delete the software/ malware etc? Very strange indeed. <-QUOTE}
Ask the experts, not me, but they are never there when you need them. ;D
Keep in mind that Peter wasn't even able to restore his image after a killdisk attack without having a zero program.
aigle
April 27th, 2007, 02:04 AM
That is still debatable. Let him answer my Qs I posted above for him.
BTW, now u giving a logic that does not fit in ur scenario at all!
aigle
April 27th, 2007, 02:06 AM
{QUOTE-> Ask the experts, not me, but they are never there when you need them. ;D
<-QUOTE}
Never saw any expert etc advising to use Erase methods for uninstalling software/ deleting malware.
For privacy it's OK. But i never mind that too. There is nothing so secret on my PC and I don't think some one spying on me.
ErikAlbert
April 27th, 2007, 02:14 AM
{QUOTE-> Never saw any expert etc advising to use Erase methods for uninstalling software/ deleting malware.
For privacy it's OK. But i never mind that too. There is nothing so secret on my PC and I don't think some one spying on me. <-QUOTE}
This problem doesn't interest me.
I'm more concerned why a recovery cd couldn't restore an image after a killdisk attack.
aigle
April 27th, 2007, 02:18 AM
Let's wait for Peter. What he has more to say!
ErikAlbert
April 27th, 2007, 02:48 AM
{QUOTE-> Let's wait for Peter. What he has more to say! <-QUOTE}
I don't agree with Peter, I'm waiting for an answer of grnxnmn, who is the right person to ask and if he doesn't know, he knows people who can give him an answer.
aigle
April 27th, 2007, 04:07 AM
I was referring to my Qs.
Meriadoc
April 27th, 2007, 05:13 AM
Bob D :
{QUOTE-> ...Before SandboxIE, I was constantly turning cookies on/off (depending on site visiting), as well as Java, JavaScripting, etc...With SandboxIE, I find the browsing experience much more relaxed...Browsing done, close browser, EVERYTHING gone. <-QUOTE}
Exactly Bob D!
A whole better experience in browsing relaxing those permissions and a feeling of calm on the whole. Also no loss in usability, there is no trade-off in usability like in some programs and settings, (look at hardening, Vista and UAC.) Sandboxie is one of those nice programs that does not sacrifice user experience. You have still gotta be careful as to something like phishing scams but SB isn't a cure all.
coolbluewater
April 27th, 2007, 06:18 AM
Sorry for straying from the topic, but since zeroing the HD has been brought up, welcome to the world of forensics.
Keep in mind this link is almost two years old, but please pay particular attention to MattyMoose's and perfectcoding's posts:
http://www.webmasterworld.com/forum105/227.htm
Peter2150
April 27th, 2007, 09:04 AM
{QUOTE-> I can't believe this as well.
Peter two Qs for u.
1- Are u doing all this on VM? If yes, then I will suspect the results might be different on real hardware. VMs can't be 100% real many times.
2- When u failed with ATI and SP, did u try to insert an XP CD and see if it allows u to reinstall XP (without running DiskPart, as I think I did like this in the past, but not sure)? If XP CD allows a reinstall of windows then it might be OK for a normal user.
3- What is disk part? <-QUOTE}
1 Yes on a VMware virtual machine. Pretty doggone real. FDISR,shadowsurfer, Eazfix all run on it. Tell something you think won't be real.
2. Did not try Installing XP. I can give it a try.
3. DISKPART is windows Disk partitioning utility. It was easy to just remove the faulty partition.
Peter2150
April 27th, 2007, 09:07 AM
{QUOTE-> Maybe this is normal to you. I don't accept this. Period. Hopefully member "grnxnm" can explain this to me how that is possible. This is not normal.
A Recovery CD has to write any image over a harddisk, no matter what happened to that harddisk. That is its job.
Only a physical damage is an acceptable reason and that didn't happen. <-QUOTE}
I have asked grnxnm about this, but don't put it all on them. Remember Acronis also was unable to handle the problem. I doubt any of the others would be able to either.
Peter2150
April 27th, 2007, 09:18 AM
{QUOTE-> Scary. I am still doubtful as I know very well that SS/ SU protects MBR.
Here is the flaw. When u reached Eaz-Fix pre-boot screen, did U try to restore just to the last snapshot taken before running KillDisk? I have done it and EAZ-FIX boots into all snapshots OK. U just lose ur current working state, nothing else by KillDisk. I am very much sure.
Sorry as I did not understand it at all. Also where is the try with FDISR? <-QUOTE}
Hi Aigle
1. Apparently from the error I get after running Killdisk it isn't the MBR that is attacked directly, but the partition table.
2. On Eazfix an interesting question. I'll try that again, and see if I can do that.
3. I didn't try the FDISR installed test, as I was trying to see if maybe now that FDISR was installing into the partition table was a factor. I was looking to see a different result without FDISR, and when it failed the same way, the test with FDISR would have been redundant.
Pedro
April 27th, 2007, 09:19 AM
Paragon Disk Manager maybe. It can image/restore and partition. So maybe.
(Yes, i realize Acronis has programs for that too)
Peter2150
April 27th, 2007, 09:37 AM
This is really a bit off topic but relates to the recovery discussion.
I understand and agree with Erik's concern, but I think it relates to how the imaging software works. The SP log gives some insight, that I don't get with Acronis, but I suspect the workings are somewhat similar.
Both softwares give the option of restoring mbr, whether you delete the partition first or not. Typically when I do a restore, the first thing I do is delete the volume. This step is optional. What one does here might well be a function of whether you are restoring the whole disk or one partition out of many. Once I delete the volume, before I can commence the restore a new partition has to be created. SP allows several options, but the one I use takes the partition info from the image. The data is then restored. At the end of the restore, the mbr is restored and the partition set active.
I am guessing that what is happening to both programs is that because the partition table has been specifically damaged in a certain way, neither program can delete it, and thus it messes up the restore process. Again problem for both programs, and I'd bet also for paragon. Just don't have time to test that.
The reason I called on grnxmn is two reasons. First I am working with SP, but mainly I am confident we can get an answer. Erik, care to pose the problem to Acronis?
Pete
grnxnm
April 27th, 2007, 10:16 AM
Wow, interesting issue. If I understand this correctly, killdisk is screwing up the partition table such that it causes problems with imaging tools. Most image tools when they replace the MBR do not touch the partition table portion of the MBR but rather only the code portion. They leave the partition table portion up to partitioning tools.
This issue should be resolvable with the current version of the ShadowProtect Recovery Environment using the following technique:
1) boot the recovery environment on the killdisk-affected system
2) within the recovery environment, run the Tools | Partition Table Editor and zero out ALL of the partition table entries and save this change - WARNING - ONLY DO THIS IF YOU ARE WILLING TO LOSE ALL INFORMATION ON THAT PHYSICAL HARD DISK - I AM ONLY PROVIDING THESE INSTRUCTIONS UNDER THE ASSUMPTION THAT YOU HAVE BACKUP IMAGES OF YOUR VOLUMES
3) back in the recovery environment GUI, refresh
4) restore your backup images - when you restore you'll see that the disk is now blank/empty (has no partitions) and you'll be creating new partitions as you restore volumes to that disk.
If these steps don't work, then it's possible that you may need to reboot (and boot back into the recovery environment) on step 3, and then proceed to step 4.
A note on diskpart.exe - this is Microsoft's text-mode partitioning tool. It can be used to create/delete basic and dynamic volumes on MBR and GPT disks. It is not a disk-zeroing/wiping app. If you use diskpart.exe to delete all partitions on a particular disk then you are zeroing out the partition table portion of the MBR sector, but not zeroing out the disk itself.
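The MBR layout referred to in the post above (boot code and partition table sharing one sector), as an added example that is not part of the original thread or any vendor's code: it parses a 512-byte MBR held in memory, sanity-checks the four partition entries, and shows that clearing the entries leaves the boot code and signature untouched. The helper names, the disk size and both sample sectors are assumptions; the damaged table is constructed for illustration and does not reproduce what killdisk writes.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446                         # bytes 0..445: boot code
ENTRY_LEN = 16                              # four 16-byte entries, bytes 446..509
TABLE_END = BOOT_CODE_LEN + 4 * ENTRY_LEN   # 510
SIGNATURE = b"\x55\xaa"                     # bytes 510..511


def parse_mbr(sector):
    """Split one MBR sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        raw = sector[BOOT_CODE_LEN + i * ENTRY_LEN:BOOT_CODE_LEN + (i + 1) * ENTRY_LEN]
        # status, CHS start, type, CHS end, LBA start, sector count (little endian)
        status, _chs0, ptype, _chs1, start, count = struct.unpack("<B3sB3sII", raw)
        entries.append({"index": i, "status": status, "type": ptype,
                        "start": start, "count": count,
                        "empty": raw == bytes(ENTRY_LEN)})
    return {"boot_code": sector[:BOOT_CODE_LEN], "entries": entries,
            "signature_ok": sector[TABLE_END:] == SIGNATURE}


def check_table(mbr, disk_sectors):
    """Return a list of inconsistencies a partitioning API might choke on."""
    problems = []
    if not mbr["signature_ok"]:
        problems.append("missing 55 AA signature")
    used = [e for e in mbr["entries"] if not e["empty"]]
    for e in used:
        tag = "entry %d" % e["index"]
        if e["status"] not in (0x00, 0x80):
            problems.append(tag + ": invalid status byte 0x%02x" % e["status"])
        if e["type"] == 0x00:
            problems.append(tag + ": type 0 (unused) but fields are set")
        if e["start"] == 0 or e["count"] == 0:
            problems.append(tag + ": zero start or length")
        elif e["start"] + e["count"] > disk_sectors:
            problems.append(tag + ": extends past end of disk")
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    spans = sorted((e["start"], e["start"] + e["count"], e["index"])
                   for e in used if e["count"])
    for (_s0, end0, i0), (s1, _e1, i1) in zip(spans, spans[1:]):
        if s1 < end0:
            problems.append("entries %d and %d overlap" % (i0, i1))
    return problems


def clear_table(sector):
    """Zero only the 64 table bytes; boot code and signature are kept."""
    return sector[:BOOT_CODE_LEN] + bytes(4 * ENTRY_LEN) + sector[TABLE_END:]


def make_entry(status, ptype, start, count):
    """Build one table entry (CHS fields set to the usual 'use LBA' filler)."""
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype,
                       b"\xfe\xff\xff", start, count)


# Constructed sample data (assumptions, not captured from a real disk).
DISK_SECTORS = 16_777_216                   # an 8 GiB disk
BOOT = bytes(range(256)) + bytes(190)       # 446 bytes of filler "boot code"
GOOD = BOOT + make_entry(0x80, 0x07, 63, 16_000_000) + bytes(48) + SIGNATURE
DAMAGED = (BOOT + make_entry(0x80, 0x06, 63, 0xFFFFFFFF)
           + make_entry(0x7F, 0x00, 0, 5) + bytes(32) + SIGNATURE)

if __name__ == "__main__":
    for name, sector in (("good", GOOD), ("damaged", DAMAGED),
                         ("cleared", clear_table(DAMAGED))):
        print(name, check_table(parse_mbr(sector), DISK_SECTORS) or "consistent")
```
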
Peter2150
April 27th, 2007, 01:15 PM
Little further update.
The fix posted by grnxmn indeed works. He explained to me that the problem was that all of the imaging programs use microsoft calls when working with the partition tables. If there is an error in the table, then the MS call returns an error, and hence the vendor software returns an error or fails.
It has been added to the Shadowprotect list of things to do, as something that does need a more user friendly solution. No time table of course.
@aigle. I have to get back to work, but will do those last two test items later.
@erik Do you want to stir the pot at Acronis?
Pete
ErikAlbert
April 27th, 2007, 03:44 PM
{QUOTE->
The fix posted by grnxmn indeed works. He explained to me that the problem was that all of the imaging programs use microsoft calls when working with the partition tables. If there is an error in the table, then the MS call returns an error, and hence the vendor software returns an error or fails.
<-QUOTE}
That I can understand. I didn't expect that this problem was easy to fix.
Nevertheless, it's a challenge to fix it, especially when it has never been done before.
I also have lots of problems at work, that need to be fixed and seem to be impossible at first sight.
Looking at a problem from different angles often solves the problem. I always separate problems from one another, when they have nothing to do with each other. I always split big problems in smaller problems, which are easier to fix. Etc. etc. etc. I do this all the time at work.
Of course at work, I know what I'm talking about. At Wilders I'm not so sure, my knowledge of Windows, Internet, Malware is rather poor, it only gets better every day, but rather slow.
{QUOTE->
It has been added to the Shadowprotect list of things to do, as something that does need a more user friendly solution. No time table of course.
<-QUOTE}
I have no problem with time. I would have a problem, if it was completely ignored by StorageCraft.
As long as it is on the list of things to do, I'm satisfied, even when it takes 10 years to fix it.
I'm not an animal, although I might sound like an animal sometimes. Diplomacy was never my strength and I can't talk in English, like I do in Dutch.
If you can tell people, that ShadowProtect even restores your system after a killdisk attack or any other destructive malware attack, you give them another good reason to buy ShadowProtect.
{QUOTE->
@erik Do you want to stir the pot at Acronis?
<-QUOTE}
LOL. I already ditched ATI in my mind. I still use it, because I'm waiting for ShadowProtect Desktop v3.0.
My experience with ATI is that it doesn't listen to users. So when I talk about this at the Acronis Forums, I'm talking to a wall, they will thank me for choosing Acronis True Image and that's it.
I read the posts at their forums, I read the wish-list, I see the results and I'm not satisfied.
So why would I spend my time on ATI ? I prefer to spend my time on the very best. :)
Peter2150
April 27th, 2007, 04:47 PM
Erik you are priceless, in a great way.
At least as it stands now Shadowprotect does have a solution, although not a clean one. The partition table editor is truly a dangerous tool, but even I can change all the numbers to zero. Once that was done, and a reboot, and then the restore worked.
grnxnm
April 27th, 2007, 05:04 PM
Another option for repairing your MBR after malware has trashed it is to use Microsoft's FixMBR (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/bootcons_fixmbr.mspx?mfr=true) app (available in the Recovery Console).
Peter2150
April 27th, 2007, 09:44 PM
One last thing and then back to malware.
I went back and retried with EazFix, and Aigle is right, it does indeed survive the killdisk attack. I suspect the reason is Eazfix doesn't really use the windows file system. Very interesting.
ErikAlbert
April 27th, 2007, 10:00 PM
{QUOTE->
At least as it stands now Shadowprotect does have a solution, although not a clean one. The partition table editor is truly a dangerous tool, but even I can change all the numbers to zero. Once that was done, and a reboot, and then the restore worked. <-QUOTE}
Indeed NOT a clean one, not really a solution for housewives. These women need a RECOVERY button and nothing more than that.
I only hope that StorageCraft does at least some brainstorming to fix this problem. They must have good programmers to make such a reliable image backup software, so why not a little step further than the usual stuff. :)
Nevertheless nice testing Peter !!!
ErikAlbert
April 27th, 2007, 10:20 PM
{QUOTE-> One last thing and then back to malware.
I went back and retried with EazFix, and Aigle is right, it does indeed survive the killdisk attack. I suspect the reason is Eazfix doesn't really use the windows file system. Very interesting. <-QUOTE}
Yes indeed interesting, but it doesn't change anything for me. A malware like killdisk doesn't infect my hardware components. As long as that doesn't happen I can recover from any disaster. So killdisk is peanuts. Case closed.
I'm trying Sandboxie (finally back OT ;D) now and Sandboxie killed killdisk.
Sandboxie seems to do a good job. It doesn't need to be perfect, my frozen snapshot will kill the rest. :)
ErikAlbert
April 27th, 2007, 10:28 PM
Peter,
Does killdisk attack other harddisks than [C:] ???
Peter2150
April 28th, 2007, 12:37 AM
{QUOTE-> Peter,
Does killdisk attack other harddisks than [C:] ??? <-QUOTE}
Doesn't appear to. I have a second hard drive on my virtual machine, and it didn't bother it at all.
EASTER.2010
April 28th, 2007, 12:41 AM
{QUOTE-> Erik you are priceless, in a great way.
At least as it stands now ShadowProtect does have a solution, although not a clean one. The partition table editor is truly a dangerous tool, but even I can change all the numbers to zero. Once that was done, and a reboot, and then the restore worked. <-QUOTE}
Beneficial study and test Peter2150, thanks for that. More and more from experiences like this and from others who experience completely satisfied results with SP encourages a serious turn to Shadow Protect (V.3) as the top of my shopping list when the time comes.
aigle
April 28th, 2007, 02:49 AM
{QUOTE-> One last thing and then back to malware.
I went back and retried with EazFix, and Aigle is right, it does indeed survive the killdisk attack. I suspect the reason is Eazfix doesn't really use the windows file system. Very interesting. <-QUOTE}
Did you try the XP install CD?
Peter2150
April 28th, 2007, 09:12 AM
{QUOTE-> Did you try the XP install CD? <-QUOTE}
Hi Aigle
No, as I ran out of time. Also I figure anyone with the CD and who has the knowledge to use it, could easily run either Diskpart, or fixmbr to solve the problem. Diskpart from the XP CD was my first solution and it did work.
Pete
Longboard
April 28th, 2007, 10:06 AM
This thread took an interesting turn !!:o
Maybe there could be a new thread:
"How to recover with imaging after HD is Zeroed"
or some such and contributions could be made from users of all the tools.
If I might suggest to Peter and grnxnm: a sticky re methods may not be a bad idea at Storagecraft forums.
I'll be doing a little checking on my own about some other tools ;)
( of course until I thought about it; it would never happen to me :-X )
To get back to Sandboxie: Stops KillDisk as we all know.
Just play in the pizza. :)
Any other sandboxes stop killdisk to anyone's knowledge?
EDIT: thanks to Aigle: http://www.wilderssecurity.com/showthread.php?t=148690
zopzop
April 28th, 2007, 12:57 PM
very eye opening thread! i can't believe that shadow surfer/user failed against killdisk (this is not encouraging). but awesome to see that ezfix wasn't fazed (aside from the current snapshot, confirming aigle's earlier test). did anyone try powershadow vs killdisk? that would be an interesting test.
Peter2150
April 28th, 2007, 01:00 PM
{QUOTE-> very eye opening thread! i can't believe that shadow surfer/user failed against killdisk (this is not encouraging). but awesome to see that ezfix wasn't fazed (aside from the current snapshot, confirming aigle's earlier test). did anyone try powershadow vs killdisk? that would be an interesting test. <-QUOTE}
Let me repeat, just use caution. This isn't a simulation, but a very nasty trojan. My hunch is Powershadow would go down.
aigle
April 28th, 2007, 03:49 PM
{QUOTE-> Let me repeat, just use caution. This isn't a simulation, but a very nasty trojan. My hunch is Powershadow would go down. <-QUOTE}
Ya, as both seem to be very similar.
silver0066
April 28th, 2007, 04:51 PM
{QUOTE-> LOL. I already ditched ATI in my mind. I still use it, because I'm waiting for ShadowProtect Desktop v3.0.
My experience with ATI is that it doesn't listen to users. So when I talk about this at the Acronis Forums, I'm talking to a wall, they will thank me for choosing Acronis True Image and that's it.
I read the posts at their forums, I read the wish-list, I see the results and I'm not satisfied.
So why would I spend my time on ATI ? I prefer to spend my time on the very best. :) <-QUOTE}
You got that right, Erik....I am in the same boat. I am waiting for a ShadowProtect 3 with HIR, then I will switch. The only reason I have not already done so, is that I use the Universal Restore function 4 or 5 times a year.
Franklin
April 29th, 2007, 04:54 AM
{QUOTE-> One last thing and then back to malware.
I went back and retried with EazFix, and Aigle is right, it does indeed survive the killdisk attack. I suspect the reason is Eazfix doesn't really use the windows file system. Very interesting. <-QUOTE}
After I saw EAZFix mentioned I am thinking of trying it out and have been reading up on it. Do you think it is a good program or would FDISR be better?
{QUOTE-> Problem
When installing EAZ-FIX on a system that has an active antivirus program, you are prompted with a warning that a virus is attempting to infect your boot sector or master boot record (MBR). The setup process is interrupted.
Cause
Because EAZ-FIX setup modifies the computer's MBR during setup, some antivirus programs mistake it for a boot sector virus.
Resolution
To avoid this, disable your antivirus software before installing EAZ-FIX, then re-enable it after the installation is completed or some anti virus software provides the option to go ahead modify the MBR. Select YES to continue. <-QUOTE}
http://kb.eazsolutions.com/article.php?id=023
Peter2150
April 29th, 2007, 08:33 AM
{QUOTE-> After I saw EAZFix mentioned I am thinking of trying it out and have been reading up on it. Do you think it is a good program or would FDISR be better?
http://kb.eazsolutions.com/article.php?id=023 <-QUOTE}
It's only a personal opinion, but I am more comfortable with FDISR. A lot of folks are having success with EAZFix, but I am nervous about them using a kernel level driver, and a completely different file system. Stuff can break kernel level drivers far easier, so that just makes me edgy. Also they don't support Raid 0 and I use that. FDISR is fine with Raid.
Pete
silver0066
April 29th, 2007, 12:27 PM
{QUOTE-> After I saw EAZFix mentioned I am thinking of trying it out and have been reading up on it. Do you think it is a good program or would FDISR be better?
http://kb.eazsolutions.com/article.php?id=023 <-QUOTE}
Same program as RollbackRx http://www.horizondatasys.com. I use it in conjunction with FDISR. If I could only have one, it would be First Defense, but the two of them working together are an amazing combination.
Horus37
May 9th, 2007, 04:24 PM
{QUOTE-> Same program as RollbackRx http://www.horizondatasys.com. I use it in conjunction with FDISR. If I could only have one, it would be First Defense, but the two of them working together are an amazing combination. <-QUOTE}
Wow, that's a great combo. I'd agree that FDISR is a bit better because of the flexibility of the product. However using rollback rx inside a snapshot sounds fun. Amazing it works. I'll have to see about adding that. I'm having a good time with powershadow and Fdisr combo that is proving to be just what I need. Adding rollback into that mix seems like an overwhelming amount of possibilities. heheheheh
Horus37
May 9th, 2007, 04:25 PM
{QUOTE-> Ya, as both seem to be very similar. <-QUOTE}
Peter just tested powershadow against killdisk and powershadow won. That's good news for a free product eh?
silver0066
May 9th, 2007, 04:43 PM
{QUOTE-> Wow, that's a great combo. I'd agree that FDISR is a bit better because of the flexibility of the product. However using rollback rx inside a snapshot sounds fun. Amazing it works. I'll have to see about adding that. I'm having a good time with powershadow and Fdisr combo that is proving to be just what I need. Adding rollback into that mix seems like an overwhelming amount of possibilities. heheheheh <-QUOTE}
I really doubt that you can use Rollback with PowerShadow. They both use the MBR, I think.
EASTER.2010
May 10th, 2007, 02:18 AM
{QUOTE-> Peter just tested powershadow against killdisk and powershadow won. That's good news for a free product eh? <-QUOTE}
That's especially good news on this end since i been consistently using Power Shadow to cover my current snapshots when OnLine. That result only shores up confidence another several notches again. LoL
Good Job.:thumb:
zopzop
May 10th, 2007, 02:43 AM
{QUOTE-> Peter just tested powershadow against killdisk and powershadow won. That's good news for a free product eh? <-QUOTE}
dear lord, so easter2010 was right after all concerning the awesomeness of powershadow :D man now i gotta download powershadow.
ps did peter mention what version of powershadow he tested?
Meriadoc
May 10th, 2007, 04:24 AM
{QUOTE-> Peter just tested powershadow against killdisk and powershadow won. That's good news for a free product eh?
<-QUOTE}
Mm, nice one Pete:thumb: Is there a post?
EASTER.2010
May 10th, 2007, 04:30 AM
{QUOTE-> very eye opening thread! i can't believe that shadow surfer/user failed against killdisk (this is not encouraging). but awesome to see that ezfix wasn't phased (aside from the current snapshot, confirming aigle's earlier test). did anyone try powershadow vs killdisk? that would be an interesting test. <-QUOTE}
I can believe it because i was often dependent on ShadowSurfer for some time until i tired of it seizing up in shadow-mode with no remedy. Not long after i dismissed it and gave up Chuck57 appeared on the scene with the introduction of Power Shadow. I jumped all over it in hopes it would rescue my confidence in this type of virtualization app and boy did it ever!
Now we have confirmation that it even shields against KillDisk which effectively raises the bar of confidence even higher if not the highest!
EASTER.2010
May 10th, 2007, 04:34 AM
{QUOTE-> Mm, nice one Pete:thumb: Is there a post? <-QUOTE}
Right here Meriadoc!
http://www.wilderssecurity.com/showpost.php?p=1000288&postcount=16
flinchlock
May 10th, 2007, 08:56 AM
{QUOTE-> I really doubt that you can use Rollback with PowerShadow. They both use the MBR, I think. <-QUOTE}
Correction... PowerShadow does not use/change the MBR.
I am 100% sure that PowerShadow (2.6 & 2.8.2) did not change my MBR... I use BootMagic (8.0) and that menu did not change.
Here is the XP/W2K boot process...
1) BIOS loads MBR
2) MBR starts %SystemDrive%\ntldr
3) ntldr reads %SystemDrive%\boot.ini and puts up the boot menu
4) selecting a XP/W2K choice from menu causes ntldr to run %SystemDrive%\ntdetect.com to get hardware info
5) ntldr then loads %SystemRoot%\system32\ntoskrnl.exe and %SystemRoot%\system32\hal.dll
.
.
.
Of those five critical XP/W2K startup files, only boot.ini changed:
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\windows="microsoft windows xp professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\windows="Single shadow mode for microsoft windows xp professional" /noexecute=optin /fastdetect /SHADOWSYSTEM
PowerShadow added a 2nd boot choice with the "/SHADOWSYSTEM" parameter.
After searching all files on my C: drive, the entire registry, and all of the Internet, I have no idea how that additional parameter is passed to whatever program... I am assuming the ShadowService is probably called. (Update: yes, the word "SHADOWSYSTEM" is in ShadowService.exe)
Side note: FD-ISR v3.20 Build 202, "Pre-boot code moved from the Master Boot Record to the Partition Boot Record. (http://www.leapfrogsoftware.com/support_info/updates)"
Mike
UPDATE: PS version 2.8.2 also does NOT use/change the MBR.
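Added example, not part of any post in this thread: a Python audit that parses the [operating systems] section of a boot.ini, compares it with a saved baseline, and reports new boot entries and switches outside an allowlist, which is how the extra "/SHADOWSYSTEM" entry described above would surface. The [boot loader] header, the baseline file and the allowlist subset are constructed assumptions; the two entry lines are the ones quoted in the post.

```python
import re

# boot.ini switches documented by Microsoft (a subset), used as an allowlist
KNOWN_SWITCHES = {"/fastdetect", "/noexecute", "/execute", "/safeboot", "/sos",
                  "/bootlog", "/basevideo", "/debug", "/3gb", "/pae",
                  "/noguiboot", "/maxmem", "/numproc", "/cmdcons"}

ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<rest>.*)$')


def parse_boot_ini(text):
    """Return the [operating systems] entries as dicts: path, label, switches."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        match = ENTRY_RE.match(line)
        if section == "operating systems" and match:
            switches = re.findall(r"/[A-Za-z0-9]+(?:=\S+)?", match["rest"])
            entries.append({"path": match["path"].strip(),
                            "label": match["label"], "switches": switches})
    return entries


def entry_key(entry):
    """Case-insensitive identity of a boot entry, used for baseline comparison."""
    return (entry["path"].lower(), entry["label"].lower(),
            tuple(s.lower() for s in entry["switches"]))


def audit(baseline_text, current_text):
    """List entries that are new versus the baseline or carry unknown switches."""
    baseline = {entry_key(e) for e in parse_boot_ini(baseline_text)}
    findings = []
    for e in parse_boot_ini(current_text):
        is_new = entry_key(e) not in baseline
        unknown = [s for s in e["switches"]
                   if s.split("=")[0].lower() not in KNOWN_SWITCHES]
        if is_new or unknown:
            findings.append({"label": e["label"], "new_entry": is_new,
                             "unknown_switches": unknown})
    return findings


# Constructed baseline: the file as it would look before the second entry was added
BASELINE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\windows="microsoft windows xp professional" /noexecute=optin /fastdetect
"""
# Current file: baseline plus the shadow-mode entry quoted in the post
CURRENT = BASELINE + (r'multi(0)disk(0)rdisk(0)partition(2)\windows='
                      r'"Single shadow mode for microsoft windows xp professional"'
                      r' /noexecute=optin /fastdetect /SHADOWSYSTEM') + "\n"

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```
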
Peter2150
May 10th, 2007, 09:41 AM
{QUOTE-> Mm, nice one Pete:thumb: Is there a post? <-QUOTE}
It was version 2.6 the trial. I did post about it in the leapfrog forum, as I did the test in context of FDISR.
Franklin
May 10th, 2007, 10:06 AM
How about a bit more praise for Sandboxie.
A 250 kb download, a meg install and it stops killdisk.
Geez, is that genius or what?
besafe
May 10th, 2007, 10:52 AM
{QUOTE-> How about a bit more praise for Sandboxie.
A 250 kb download, a meg install and it stops killdisk.
Geez, is that genius or what? <-QUOTE}
I gotta agree. Other virtualization products seem to have taken the limelight in this forum for whatever reason, but sandboxie is a lean, mean, and inexpensive application. It is certainly deserving of some kudos.
Peter2150
May 10th, 2007, 11:28 AM
{QUOTE-> How about a bit more praise for Sandboxie.
A 250 kb download, a meg install and it stops killdisk.
Geez, is that genius or what? <-QUOTE}
I totally agree. Of all the approaches I like Sandboxie best. I guess some folks have had problems running it, but I love it.
Riverrun
May 10th, 2007, 05:27 PM
Love Sandboxie. It's a great application.
I seem to be the only one here who had problems with PS. It didn't work well for me. I think it was down to a conflict with another program I was running at the time. Tried it twice and had issues both times.
Sandboxie is versatile, light as a feather and has never let me down. It's a real gem; I rarely surf without it and it will be on my box for a long while yet.
:) :) :)
tradetime
May 10th, 2007, 05:46 PM
:thumb: Been using Sandboxie since version 2.64, in fact still using 2.64 as it works great and have read some problems with newer versions. I think it's a great application, has caused me no problems whatsoever.:thumb: :thumb: :thumb:
Longboard
May 10th, 2007, 09:14 PM
Sandboxie here +++ :thumb:
So light
so configurable
Do what YOU want when YOU want to. Still own your own box.
Support good
EASTER.2010
May 11th, 2007, 03:01 AM
{QUOTE->
I really doubt that you can use Rollback with PowerShadow. They both use the MBR, I think. <-QUOTE}
I can also verify that flinchlock is correct since i'm testing Rollback Rx 8 right now with Power Shadow and experiencing no conflicts or otherwise similar issues of concern.
silver0066
May 11th, 2007, 11:28 AM
{QUOTE-> I can also verify that flinchlock is correct since i'm testing Rollback Rx 8 right now with Power Shadow and experiencing no conflicts or otherwise similar issues of concern. <-QUOTE}
That is good to hear.
I just suspected that they were both using the MBR. I have not tested it and I should not have commented as I have not used Power Shadow because it will not support RAID. Sorry if I misled anyone.
Silver
LoneWolf
May 11th, 2007, 05:23 PM
{QUOTE-> I can also verify that flinchlock is correct since i'm testing Rollback Rx 8 right now with Power Shadow and experiencing no conflicts or otherwise similar issues of concern. <-QUOTE}
Something conflicted with PowerShadow when I tried it a little while ago.
Always thought it was Rollback Rx, as that was posted by someone here.
Trying Sandboxie now, so far so good.
EASTER.2010
May 13th, 2007, 11:05 AM
I still keep Sandboxie 2.64 installer handy for use on another different configuration if i choose to use it but due to difficulties i had with Sandboxie i found Power Shadow more than makes up for that.
I used to think it odd but not anymore, what one program works great for some users, others will have nothing but issues. That's just the nature of particular software in combo with others plus the system itself.
Snoopfree for one example. No matter what i always experienced a BSOD because of snoopfree's driver conflicting with one of my programs. It might even be something as little considered as a registry scanner or a windows GUI customizing app. I tried over a stretch of several versions to no avail.
I was going to buy it for keylogging protection since it was so highly popular and regarded but it just would not run right.
After seeing a lot of siggys with snoopfree and their recommending it, again i went to try it. By this time it had gone "freeware" too. Finally, the program (driver) actually worked without any issues at all and i still use it to this very day and haven't experienced a single problem even when i was piling on the HIPS and other security apps & monitors.
Go figure.