Toolwiz Time Freeze

[aladdin]

Quote:

Originally Posted by Scoobs72

Really? So, a sophisticated piece of malware like Zeus - are you claiming that Rollback RX cannot protect from it?

Rollback Rx cannot protect from any malware and/or viruses, whether these malware and/or viruses are sophisticated or non sophisticated.

Best regards,

KOR!

P.S. Rollback Rx has neither an anti-virus nor a malware engine!

[Scoobs72]

Quote:

Originally Posted by King of Rapture

Rollback Rx cannot protect from any malware and/or viruses, whether these malware and/or viruses are sophisticated or non sophisticated.

If you are suggesting that you cannot rollback a system when you get hit by any type of malware, regardless of its sophistication then that is utterly untrue. Where rolling back to a previous snapshot may not work is with malware that modifies the MBR or performs low level disk access.

[aladdin]

Quote:

Originally Posted by Scoobs72

If you are suggesting that you cannot rollback a system when you get hit by any type of malware, regardless of its sophistication then that is utterly untrue. Where rolling back to a previous snapshot may not work is with malware that modifies the MBR or performs low level disk access.

By the time you discover the virus or malware whether it is sophisticated or non sophisticated, you might not have a clean snapshot to rollback to.

Even programs like Acronis True Image or Acronis Disk Director, if they are uninstalled with let say Total Uninstall, can break Rollback Rx.

Has happen to me before!

Best regards,

KOR!

[Scoobs72]

Quote:

Originally Posted by King of Rapture

By the time you discover the virus or malware whether it is sophisticated or non sophisticated, you might not have a clean snapshot to rollback to.

Glad you agree with me then. Rollback RX could recover your system as long as:
1. You still have a clean snapshot
2. The malware was not of the MBR-modifying or direct disk access type

Quote:

Originally Posted by King of Rapture

Even programs like Acronis True Image or Acronis Disk Director, if they are uninstalled with let say Total Uninstall, can break Rollback Rx.

I would never uninstall programs such as those with Total Uninstall - you're just asking for trouble. Don't blame Rollback RX for that.

Bottom-line - Rollback RX is not a solution designed to protect you from malware, but depending on the type of infection you have, you have a reasonable chance of being able to recover a previous snapshot.

[aladdin]

Quote:

Originally Posted by Scoobs72

Glad you agree with me then. Rollback RX could recover your system as long as:
1. You still have a clean snapshot
2. The malware was not of the MBR-modifying or direct disk access type

Rollback Rx is super duper "System Restore", like "System Restore" Rollback and its "Snapshots" are useless if the "Restore Points" contain viruses and/or malware.

Quote:

Originally Posted by Scoobs72

I would never uninstall programs such as those with Total Uninstall - you're just asking for trouble. Don't blame Rollback RX for that.

Why?

Does Rollback Rx advises as such to their regular users about uninstalling programs as I mentioned with Total Uninstall?

Can you provide some kind of links on this from HDS?

Best regards,

KOR!

[CyberMan969]

Guys, when I said "unsophisticated malware" I meant malware that do not modify the MBR and that are not aware of the existence of LV or of RX and its snapshots. There are a lot of crude malware out there which wouldn't have a clue that the system they have infected contains snapshots. Infections by such malware on RX or CTM systems can be easily undone just by restoring an older snapshot, for as long as the malware hasn't modified the MBR. It has happened to me in the past when I was testing CTM and RX with basic malware. All it took to get rid of them was to restore an older snapshot at next reboot, and all 'dumb' malware were history.

Of course CTM and RX cannot protect against malware. Protect is the wrong word to use when we talk about LV and snapshot apps. But such solutions can most definitely undo most 'dumb' infections. This is an absolute fact proven by empirical data, and as such it is non-debatable.

BTW King, the CTM and RX snapshots are hidden in a much better way than the simple Windows restore points. Not even the OS is aware of their existence, so it is highly unlikely that any unsophisticated malware would ever know that there are snapshot data stored on the disk's free space.

[ichito]

Quote:

Originally Posted by CyberMan969

Protect is the wrong word to use when we talk about LV and snapshot apps.

Sorry but I have a little bit another view of this...LV give us unrealistic-artifical system...it's something like fantom in which we can work and which can be of course infected. All unwanted changes exist only inside this "box"...and they can exist only as long as we want to allow this. One move...one push on the button "power off" and we still can be glad of clear healthy system.
Of course is the protection.

[umbrapolaris]

after reading those 12 pages , i can say SD is still better

[rrrh1]

Looks like it has been updated to:

1.8.6.0

Still no info about changes on the main page...

rrrh1 (arch1)

[CyberMan969]

V 1.9.0.0(June 20 2012)

•Enhanced MBR protection
•Start the protection when driver is loaded
•Add protection to the password file
•Fixed the rename bug for File Locker.
•Added one more virtulization engine to the kernel

Still no RAM usage for the virtualization cache... How hard can it be??

OK guys, anyone willing to throw some malware to it, see if it works?

[ichito]

Quote:

Originally Posted by CyberMan969

OK guys, anyone willing to throw some malware to it, see if it works?

The test will be soon...I hope
BTW...it was also v. 1.8.7 beta...quote from forum TTF

Quote:

1) Locked the password file, not allow user to delete it when TTF is in frozen mode.
2) Start the TTF frozen mode in the kernel. the early version is started by Win32 APP.
3) Add extend protection to MBR. (Need your testing for more MBR virus. )
4) Toolwiz Care now can not start/stop the timefreeze mode of TTF. Amri Hidayat reported this as a password bug for TTF, because he can stop the TTF protecion with Toolwiz Care and he did not need any password.

http://forums.toolwiz.com/topic/tool...ta-is-released

[ichito]

OK...test for version 1.9.0.0 is ready. Unfortunately the result is still bad for TTF in protection against TDSS. Toolwiz again should to do something with this.
-http://www.youtube.com/watch?v=OLh9UKmP2YE-

[The Shadow]

Quote:

Originally Posted by ichito

OK...test for version 1.9.0.0 is ready. Unfortunately the result is still bad for TTF in protection against TDSS. Toolwiz again should to do something with this.
-http://www.youtube.com/watch?v=OLh9UKmP2YE-

Interesting (and very sad) ....btw ichito, judging from your Wondershare Time Freeze test it doesn't do any better!

Can any LV program successfully contain the latest TDSS variants within its virtual space (infection-free on reboot)?

[ichito]

In the inner test of SG BufferZone passed anti-TDSS test but it was in February 2011. I don't know some other latest similar test.

[TomAZ]

I'm not familiar with BufferZone. Is it similar in function to Sandboxie? Can you use it to test new software then get rid of it with a reboot, or isn't it that type of virtualization app?

[CyberMan969]

Anyone knows where can I can find a recent sample of TDSS or any similar rootkits? I have an older computer that I want to use as a test machine for LV software.

[ichito]

Quote:

Originally Posted by TomAZ

I'm not familiar with BufferZone. Is it similar in function to Sandboxie? Can you use it to test new software then get rid of it with a reboot, or isn't it that type of virtualization app?

BZ is similar to Sandboxie but has more features...it's more similar to SysWatch (old name - Safe'n'Sec). It's not LV app like Shadow Defender, Returnil, Wondershare Time Freeze or TTF.

[SLE]

Quote:

Originally Posted by The Shadow

Can any LV program successfully contain the latest TDSS variants within its virtual space (infection-free on reboot)?

From the light virtualisation programs Shadow Defender is still the only one that is successfull against TDL type rootkits.

[The Shadow]

Quote:

Originally Posted by SLE

From the light virtualisation programs Shadow Defender is still the only one that is successfull against TDL type rootkits.

Yes, tests conducted during 2010 - 2011 pretty well proved that. I bought SD based on those tests and have been using it on both of our PCs (on-demand). But I don't know if that's still true!


@ ichito, do you know of any tests that disprove or update the LV-rootkit tests that were performed 2 years ago?

TS

[SLE]

Quote:

Originally Posted by The Shadow

But I don't know if that's still true!

I can't speak for the actual Toolwiz (but ichito showed), but for Returnil, Wondershare etc. it is still true, I testet some weeks ago.

Returnil moderator here often claims their product protects, but that is only true if AE blocks the sample (not always in default settings) or AV signatures exist. But from virtualisation part Returnil is not successful against TDL3/4.

@CyberMan969: You can use every TDL3 and TDL4 sample if you wanna test, just allow execution. The behaviour is the same, real new ones aren't there.

[CyberMan969]

Quote:

Originally Posted by SLE

I can't speak for the actual Toolwiz (but ichito showed), but for Returnil, Wondershare etc. it is still true, I testet some weeks ago.

Returnil moderator here often claims their product protects, but that is only true if AE blocks the sample (not always in default settings) or AV signatures exist. But from virtualisation part Returnil is not successful against TDL3/4.

@CyberMan969: You can use every TDL3 and TDL4 sample if you wanna test, just allow execution. The behaviour is the same, real new ones aren't there.

I couldn't find any samples to download at all. Any links? Thanks in advance!

[The Shadow]

Quote:

Originally Posted by CyberMan969

I couldn't find any samples to download at all. Any links? Thanks in advance!

-http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html-

[ichito]

Quote:

Originally Posted by The Shadow

I bought SD based on those tests and have been using it on both of our PCs (on-demand). But I don't know if that's still true!

@ ichito, do you know of any tests that disprove or update the LV-rootkit tests that were performed 2 years ago?

It's still true I've mentioned earlier in other places of forum about those tests but "all together now"
Returnil
-http://www.youtube.com/watch?v=dt3-y39FckA
WTF
-http://www.youtube.com/watch?v=dI-MdSIUtiY&feature=relmfu
SD
-http://www.youtube.com/watch?v=QFYHDMiot6U
Now about WTF

Quote:

Originally Posted by The Shadow

btw ichito, judging from your Wondershare Time Freeze test it doesn't do any better!

I dont know if I understand you correctly...in my opinion WTF passed the test - of course system was crashed but after rebooting it was healthy and clean.

[Night_Raven]

According to the performed tests Toolwiz Time Freeze basically withstands TDSS. Yes, the file system is there but the rootkit itself is not so this is basically a "pass", not "fail", since the file system is harmless without the active rootkit. If I recall correctly the same thing happened during my tests of Returnil System Safe.

[Arcanez]

Quote:

Originally Posted by ichito

It's still true I've mentioned earlier in other places of forum about those tests but "all together now"
Returnil
-http://www.youtube.com/watch?v=dt3-y39FckA
WTF
-http://www.youtube.com/watch?v=dI-MdSIUtiY&feature=relmfu
SD
-http://www.youtube.com/watch?v=QFYHDMiot6U
Now about WTF

I dont know if I understand you correctly...in my opinion WTF passed the test - of course system was crashed but after rebooting it was healthy and clean.

so WTF and SD seem to have to exact same results from malwarebytes. So did WTF withstand those rootkit infections? Would have been nice if they added another hitman pro scan to see if there's any difference.