Virus Attack!
alloucho
May 1st, 2008, 10:29 AM
If a snapshot is infected by a virus or trojan, will other snapshots be infected too? Because I have one snapshot without any antivirus installed, which seems to be infected by a trojan that starts automatically with Windows. I booted to the other snapshot, in which Kaspersky is installed, and I see the same autostart item in the startup control panel :ouch:
Peter2150
May 1st, 2008, 11:13 AM
{QUOTE-> If a snapshot is infected by a virus or trojan, will other snapshots be infected too? Because I have one snapshot without any antivirus installed, which seems to be infected by a trojan that starts automatically with Windows. I booted to the other snapshot, in which Kaspersky is installed, and I see the same autostart item in the startup control panel :ouch: <-QUOTE}
They possibly can be infected. Depends on what the trojan is. If you have the original FDISR, keeping an archive on another disk is much better. But even then it would be good if you have an image you could restore and then use the archive.
Pete
ErikAlbert
May 1st, 2008, 07:12 PM
{QUOTE-> If a snapshot is infected by a virus or trojan, will other snapshots be infected too? Because I have one snapshot without any antivirus installed, which seems to be infected by a trojan that starts automatically with Windows. I booted to the other snapshot, in which Kaspersky is installed, and I see the same autostart item in the startup control panel :ouch: <-QUOTE}
I knew in advance that this could happen, it's just a matter of time and it has been discussed in the past at this forum. It happened to you, it will happen to me also.
That's why this kind of event is included in my security/recovery setup and will be fixed when it happens.
chrome_sturmen
May 1st, 2008, 09:04 PM
It happened to me last year - I caught a virus on one snapshot that hooked in to my other snapshots, and no matter which I booted to, the virus activity was present. Not all can/will do that, but some surely can.
Thanks,
Chrome
Leapfrog Software
May 2nd, 2008, 11:34 AM
Greetings All,
The ISR technology shares the same NTFS partition for all snapshots. This means that the NTFS file structure and the MFT is open for file lookup and attack. We try to "hide" the non-active snapshots, but a crafty virus may get through. I recommend keeping archives of your important snapshots. I use ISR for my first line of defense, then a BMR or archives for hardware or corruption issues.
Acadia
May 2nd, 2008, 11:58 AM
I believe also, SOMEONE CORRECT ME IF I AM WRONG, if you were using the Freeze feature with the "Archive half" of the Freeze moved to another hard drive, that you would have removed the virus and recovered "cleanly" upon reboot.
Acadia
ErikAlbert
May 2nd, 2008, 02:35 PM
Restoring an IMAGE is indeed the best solution to recover from a malware attack, BUT images can be infected also, if you discover the malware too late.
That's why I have two sets of images:
A. A clean set of images, that contains a freshly installed Windows + Applications, that has hardly been on-line or "used". I have a clean image of each needed snapshot.
I keep that clean set up-to-date with the latest versions and converted each image to an ARCHIVE, and that is the base for the actual system partition.
So my clean setup has this:
1. One clean off-line image (.spf) + clean off-line archive (.arx)
2. One clean on-line image (.spf) + clean on-line archive (.arx)
This also means that ShadowProtect is #1 in my clean setup and that I can re-create my clean archives at any time and as many times as I want.
B. A daily set of images and archives, which is created with my clean set of images and archives.
1. One daily image (.spf) of both snapshots, created via my clean archives.
2. One daily off-line archive (.arx)
3. One daily on-line archive (.arx) + Freeze Storage (.arx)
This set isn't important to me, because I can re-create it over and over again via my clean set.
I only use this set to work and play and I consider this set as possibly infected, because it is constantly on-line.
Of course I try to avoid infections by using a frozen snapshot and security software that kills the execution of malware immediately.
Don't think that this is hard labor or difficult, it's nothing more than mouse-clicks and WAIT until it is finished.
My clean archives also contain an "UNUSED" system partition and that cleans my computer completely during each reboot, without using registry/history/junk cleaners and without the danger and incompleteness of all this cleaning software.
This was only possible with FDISR and no other ISR-software can reach that level with the same convenience, otherwise I would have replaced the dead FDISR with a live ISR-software already, because I don't like software with no future on my computer.
So my feelings for FDISR are very MIXED. I can't even recommend it anymore to other users, because I'm talking about a dead cow and that makes me feel ... ridiculous.
Leapfrog Software
May 2nd, 2008, 02:53 PM
You are correct, since freeze restores from an archive, the virus would be removed. This is the case as long as the NTFS/MFT was not damaged from the virus.
Acadia
May 2nd, 2008, 02:53 PM
{QUOTE-> ... because I don't like software with no future on my computer. <-QUOTE}
Why not? Older automobiles can be the most enjoyable automobiles to drive even though no one is selling them any more and parts can be hard to find.
Acadia
ErikAlbert
May 2nd, 2008, 03:02 PM
{QUOTE-> Why not? Older automobiles can be the most enjoyable automobiles to drive even though no one is selling them any more and parts can be hard to find.
Acadia <-QUOTE}
I don't and can't agree; a number of things could be improved in FDISR to make it even better and that will never happen.
As I said before, I'm not a fan of FDISR, but I can't replace it with RollbackRx either, and software like Returnil, etc. is not even an option I want to consider.
Acadia
May 2nd, 2008, 03:52 PM
Hmmmm, then maybe Returnil is a better product, at least for the protection part of it anyway, since Returnil also protects the MBR.
Acadia
ErikAlbert
May 2nd, 2008, 04:16 PM
{QUOTE-> Hmmmm, then maybe Returnil is a better product, at least for the protection part of it anyway, since Returnil also protects the MBR.
Acadia <-QUOTE}
True, so what? Destructive malware, like Killdisk, Robodog, Robotdog, ... is killed by Anti-Executable immediately as an unauthorized executable.
Keep in mind that all this malware was tested without AE, otherwise they couldn't even run the tests.
Regarding possibilities, Returnil is nothing but an optional feature "Freeze" in FDISR and that's all. Even that optional feature is stronger in FDISR than in Returnil, because FDISR has "Freeze Previous", which doesn't exist in Returnil, DeepFreeze, ShadowDefender, PowerShadow, etc.
That is the reason why Returnil and the rest can't handle software that requires a reboot during the installation.
Acadia
May 2nd, 2008, 04:18 PM
{QUOTE-> Even that optional feature is stronger in FDISR than in Returnil... <-QUOTE}
How can that be if Returnil protects the MBR but FDISR does not?
Acadia
ErikAlbert
May 2nd, 2008, 04:23 PM
{QUOTE-> How can that be if Returnil protects the MBR but FDISR does not?
Acadia <-QUOTE}
Good question. Maybe Leapfrog forgot it or it wasn't technically possible. I can't be the judge of that, I'm not a programmer.
Acadia
May 2nd, 2008, 04:25 PM
But the MBR question is the only way that I see Returnil as being superior to FDISR, in all other aspects, in my opinion, the edge goes to FDISR (the original, of course). 8)
Acadia
ErikAlbert
May 2nd, 2008, 04:44 PM
{QUOTE-> But the MBR question is the only way that I see Returnil as being superior to FDISR, in all other aspects, in my opinion, the edge goes to FDISR (the original, of course). 8)
Acadia <-QUOTE}
Here I agree and I'm not going to replace FDISR with Returnil, just because of the MBR. FDISR is still the king of possibilities and no ISR-software is able to beat FDISR, not even the latest ones.
Everything what is better in the other ISR-software, can be added in FDISR also, but that never happened and will never happen.
Until now my MBR was never destroyed and even when it happens, it's not a disaster, because I know what to do.
EASTER
May 3rd, 2008, 12:25 PM
As someone who has personally experienced this virus attack, where ALL my snapshots/archives were rendered disabled except only two I could boot into from a total of 9, I would have been in a deep muddy pool of doo doo had I not FIRST saved those same snapshot archives to another internal disk JUST FOR THIS PURPOSE!
I accidentally let a file infector slip past without my HIPS on and it did a great deal of disruption, to say the least. I was able to salvage enough good programs from other snapshots, only to remember I had already archived those snapshots to a SAFE PLACE and unplugged the internal.
I eventually was forced to wipe the entire 200GB drive, one partition at a time, reformatted and reinstalled FD-ISR and then just connected to this saved archive HD, and FD-ISR returned EVERYTHING! right back again as it was before the virus.
I'd venture to say that my net program loss was less than 2%, since those I had not done a Copy/Update to the SAVE ARCHIVES disk yet, so FD-ISR turned a most destructive situation into one that wasn't so critical after all.
The most IMPORTANT! chore for any FD-ISR (Genuine) user is to FIRST! archive to an alternative media for emergency purposes just like this.
beethoven
May 3rd, 2008, 08:14 PM
{QUOTE-> Greetings All,
I recommend keeping archives of your important snapshots. I use ISR for my first line of defense, then a BMR or archives for hardware or corruption issues. <-QUOTE}
What is BMR?
Peter2150
May 3rd, 2008, 08:28 PM
{QUOTE-> What is BMR? <-QUOTE}
I would assume a bare metal restore.
Leapfrog Software
May 3rd, 2008, 08:45 PM
Yes, BMR is Bare Metal Restore
http://en.wikipedia.org/wiki/Bare-metal_restore
Thanks for asking. I am sure that others are wondering as well. I should have spelled that one out.
Acadia
May 3rd, 2008, 09:18 PM
{QUOTE-> ... then a BMR or archives ... <-QUOTE}
... "or archives", I like that. Almost four years of using FDISR and I have never had to use any of my three disk imaging programs because FDISR was always there. 8) (Yes, Erik, I know, I know, I depend too much on FDISR, but sometimes life preservers really do float better than anything else to be found in the water!)
Acadia
EASTER
May 3rd, 2008, 10:24 PM
{QUOTE-> ... "or archives", I like that. Almost four years of using FDISR and I have never had to use any of my three disk imaging programs because FDISR was always there. 8) (Yes, Erik, I know, I know, I depend too much on FDISR, but sometimes life preservers really do float better than anything else to be found in the water!)
Acadia <-QUOTE}
Uh Hem
I resemble those remarks ;D
saved archives equal saved from depending solely on my backup images :thumb:
In fact, when I got popped, that's why I was so concerned, since I didn't make a backup image for that drive which was bit. ENTER.......FD-ISR Archives!! to the rescue!!
Longboard
May 4th, 2008, 02:39 AM
@Todd:
{QUOTE-> Yes, BMR is Bare Metal Restore
http://en.wikipedia.org/wiki/Bare-metal_restore
Thanks for asking. I am sure that others are wondering as well. I should have spelled that one out. <-QUOTE}
Good, you're still watching.
Any chance of an FDISR boot disc to pop those external archives back on a wiped disc?
I'm just so lazy...;)
(or, if not in the Leapfrog pipeline, can/could you give suggestions as to how to get FDISR in a PE disc)
just goes back to the lazy thingy again..
chrome_sturmen
May 4th, 2008, 03:03 AM
Fact is, after I got hit with that virus that hooked in to all my snapshots, it got me thinking that sometimes it's good to have that true partition with a light install of an operating system. So, I created a small partition and installed Windows into it basically with just a virus scanner; that way, if I ever got hit with a similar virus again, I could just boot to that partition, do a virus scan through my ISRs, and kill it. If I'd done that before, instead of losing my snapshots and having to restore from archives, everything would've been good to go from that point.
Moral: it's always good to have an operating system on its own partition, regardless...
Thanks,
Chrome
Huupi
May 4th, 2008, 04:07 AM
{QUOTE-> Fact is, after I got hit with that virus that hooked in to all my snapshots, it got me thinking that sometimes it's good to have that true partition with a light install of an operating system. So, I created a small partition and installed Windows into it basically with just a virus scanner; that way, if I ever got hit with a similar virus again, I could just boot to that partition, do a virus scan through my ISRs, and kill it. If I'd done that before, instead of losing my snapshots and having to restore from archives, everything would've been good to go from that point.
Moral: it's always good to have an operating system on its own partition, regardless...
Thanks,
Chrome <-QUOTE}
Maybe I'm missing something, but I'd guess that an all-invasive virus can also hit your special partition. ???
ErikAlbert
May 4th, 2008, 04:57 AM
{QUOTE-> Maybe I'm missing something, but I'd guess that an all-invasive virus can also hit your special partition. ??? <-QUOTE}
I agree with you. A separate partition = Windows + AV doesn't make any difference. Just as malware can infect all snapshots, there is also malware that can infect all partitions.
You have to work with clean images and clean archives, stored on an off-line external HDD.
Anything what is constantly on-line is vulnerable and that's why you need something clean off-line to get back in business.
chrome_sturmen
May 4th, 2008, 05:10 AM
Well actually Albert, you silly goose, I keep that partition hidden. In the event that a virus infects my snapshots, I will boot to my Acronis Disk Director CD, unhide the partition, boot to it, and hence use the virus scanner to kill the malevolent offender attacking my ISRs. What say ye? :thumb: :thumb:
ErikAlbert
May 4th, 2008, 05:38 AM
{QUOTE-> Well actually Albert, you silly goose, I keep that partition hidden. In the event that a virus infects my snapshots, I will boot to my Acronis Disk Director CD, unhide the partition, boot to it, and hence use the virus scanner to kill the malevolent offender attacking my ISRs. What say ye? :thumb: :thumb: <-QUOTE}
Still not good enough, because the cleaning of all your other partitions and snapshots is based on an AV. You depend too much on scanners, and when they tell you "0 threats found", you believe it.
The AV you use might not even find the malware, because it isn't discovered yet, and what then? Wait for a signature?
chrome_sturmen
May 4th, 2008, 06:02 AM
{QUOTE-> Still not good enough, because the cleaning of all your other partitions and snapshots is based on an AV. You depend too much on scanners, and when they tell you "0 threats found", you believe it.
The AV you use might not even find the malware, because it isn't discovered yet, and what then? Wait for a signature? <-QUOTE}
Well, in all good honesty, scanning plays only a granular role in my security schema. I use Avast Server, which doesn't employ heuristics, so I augment its very good signature-based approach with an IDS, Mamutu. Online Armor serves the role of classical H.I.P.S., along with the complementing and sometimes overlapping H.I.P.S. of the anti-leak control module of the AGNITUM firewall, the true best...
I also have a portable, fully updatable version of the Kaspersky scanning engine, with due respects, just to double check behind Avast...
SuperAntiSpyware full, no resident, but one scheduled weekly scan, just for the hell of it...
Opera 9 via Proxomitron, sandboxed...
All unnecessary services turned off, all unrequired autostarts disabled, has my machine running like a hungry lean Serengeti lion...
Several BMR images via Acronis Image Server, as well as many FDISR snaps of varying configs, with the failsafe OS installed on a hidden partition, for virus killing in the event my FDISR gets infected.
How'd that do, Albert? You've any other questions? I'll gladly indulge you.
Thanks,
Chrome
19monty64
May 4th, 2008, 06:21 AM
{QUOTE-> Well, in all good honesty, scanning plays only a granular role in my security schema ~snip~ as well as many FDISR snaps of varying configs, with the failsafe OS installed on a hidden partition, for virus killing in the event my FDISR gets infected. <-QUOTE}
Wouldn't clean images and clean archives, stored on an off-line external HDD have been easier to set-up...and cheaper...and less over-kill...and left nothing to chance??? It's like 1/2 the police force protecting your house and the other 1/2 protecting the first half. It's just an observation, not a judgement...
Huupi
May 4th, 2008, 07:35 AM
{QUOTE-> Wouldn't clean images and clean archives, stored on an off-line external HDD have been easier to set-up...and cheaper...and less over-kill...and left nothing to chance??? It's like 1/2 the police force protecting your house and the other 1/2 protecting the first half. It's just an observation, not a judgement... <-QUOTE}
Good observation!! The simpler the better. :thumb:
ErikAlbert
May 4th, 2008, 08:22 AM
{QUOTE-> Good observation!! The simpler the better. :thumb: <-QUOTE}
My favourite motto: "Simplicity is always brilliant."
alloucho
May 4th, 2008, 08:57 AM
Is it possible to create a snapshot on another partition or external hard drive??
ErikAlbert
May 4th, 2008, 09:06 AM
{QUOTE-> Is it possible to create a snapshot on another partition or external hard drive?? <-QUOTE}
No, that is not possible, but you can store archives anywhere.
osip
May 4th, 2008, 09:27 AM
If you have an FDISR archive on another internal drive and in addition to that want to have a stored copy of a certain snapshot on an external USB drive, use "Export"; if the USB happens to be FAT32, use "split if needed". The copying is the same as to the "archive" in speed, with only a minor size difference in compression...
EASTER
May 4th, 2008, 03:22 PM
{QUOTE-> If you have an FDISR archive on another internal drive and in addition to that want to have a stored copy of a certain snapshot on an external USB drive, use "Export"; if the USB happens to be FAT32, use "split if needed". The copying is the same as to the "archive" in speed, with only a minor size difference in compression... <-QUOTE}
That's how I practice matters myself anymore with FD-ISR archives. They keep 100% safe with a fully unplugged internal after archiving to that disk, which really saves me from even having to turn to my image backup, so with BOTH images & archives saved, there's double the rescue preserver in the event of any serious trouble with main system operations.
I'm not sure how reliable they still are, but I have even archived to DVD, since I haven't accessed them in many months.
Copyright ©2002 - 2009, Wilders Security Forums