Wilders Security Forums  

#1
December 22nd, 2005, 12:33 PM
G1111 (Frequent Poster, Join Date: May 2005, Posts: 759)
FirstDefense-ISR and Rootkit Recovery

Anyone have any thoughts? Can FirstDefense restore a system after a rootkit infection?
#2
December 22nd, 2005, 02:44 PM
Peter2150 (Global Moderator, Join Date: Sep 2003, Posts: 10,537)
Re: FirstDefense-ISR and Rootkit Recovery

If you have a clean secondary snapshot, and you get a rootkit in your primary, why wouldn't FDISR recover? The rootkit is nothing more than files that have been installed (drivers maybe) and files modified (the registry).

When you boot into the secondary, you are using only the files in the secondary, so you would be clean. Doing a copy would replace all the infected files, and remove all the files that were added. Rootkit gone.
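The recovery mechanism Peter2150 describes (compare the infected primary against a clean secondary snapshot, replace what was modified, delete what was added) can be shown in miniature. The following Python is an added example, not code from the post or from Leapfrog/FDISR: it models each snapshot as a plain directory tree, builds a SHA-256 manifest of the clean copy, diffs the live tree against it, and then "refreshes" the live tree from the clean one. All file names and contents (system32/drivers/hidden.sys, the SYSTEM hive text) are constructed for the demo.

```python
"""Snapshot diff and refresh, modelled on the FDISR rollback described above.

Constructed example: a snapshot is just a directory tree here. The diff
reports files added, modified or removed relative to the clean snapshot;
refresh() puts the live tree back into the clean state.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff(clean: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Compare a live manifest against the clean snapshot's manifest."""
    return {
        "added": sorted(k for k in live if k not in clean),
        "modified": sorted(k for k in live if k in clean and live[k] != clean[k]),
        "removed": sorted(k for k in clean if k not in live),
    }


def refresh(clean_root: Path, live_root: Path) -> dict[str, list[str]]:
    """Restore live_root from clean_root: delete added files, re-copy modified
    and removed ones. Returns the diff that was applied."""
    d = diff(manifest(clean_root), manifest(live_root))
    for rel in d["added"]:
        (live_root / rel).unlink()
    for rel in d["modified"] + d["removed"]:
        dst = live_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(clean_root / rel, dst)
    # Prune directories emptied by the deletions, deepest first.
    for p in sorted(live_root.rglob("*"), key=lambda q: len(q.parts), reverse=True):
        if p.is_dir() and not any(p.iterdir()):
            p.rmdir()
    return d


def demo() -> dict[str, dict[str, list[str]]]:
    """Build a constructed clean/primary pair, plant an unwanted driver and a
    modified registry hive in the primary, then refresh and re-diff."""
    work = Path(tempfile.mkdtemp())
    clean, live = work / "secondary", work / "primary"
    for root in (clean, live):
        (root / "system32/drivers").mkdir(parents=True)
        (root / "system32/config").mkdir(parents=True)
        (root / "system32/ntoskrnl.exe").write_bytes(b"clean kernel image (constructed)")
        (root / "system32/drivers/disk.sys").write_bytes(b"clean disk driver (constructed)")
        (root / "system32/config/SYSTEM").write_bytes(b"Services: disk (constructed hive)")
    # Simulated infection of the primary: one new driver, one modified hive.
    (live / "system32/drivers/hidden.sys").write_bytes(b"unexpected driver (constructed)")
    (live / "system32/config/SYSTEM").write_bytes(b"Services: disk, hidden (constructed hive)")

    before = diff(manifest(clean), manifest(live))
    refresh(clean, live)
    after = diff(manifest(clean), manifest(live))
    shutil.rmtree(work)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, d in demo().items():
        print(phase, d)
```

The point of running the comparison from the clean snapshot rather than from inside the infected one is the same as in the post: a kernel-mode rootkit can hide its files from tools running on the compromised system, so the manifest has to be taken from a copy the rootkit never loaded in. The refresh is also only as good as the snapshot: if the secondary was made after the infection, it restores the rootkit along with everything else.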
#3
December 22nd, 2005, 04:09 PM
G1111 (Frequent Poster, Join Date: May 2005, Posts: 759)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by Peter2150
If you have a clean secondary snapshot, and you get a rootkit in your primary, why wouldn't FDISR recover? The rootkit is nothing more than files that have been installed (drivers maybe) and files modified (the registry).

When you boot into the secondary, you are using only the files in the secondary, so you would be clean. Doing a copy would replace all the infected files, and remove all the files that were added. Rootkit gone.

Thanks for the response. That is the whole purpose of a program like FDISR, but I wanted to see what happens in reality, if anyone has used it after getting a nasty infection like a rootkit. I am thinking of getting a program like this or Rollback Rx for my PC.
#4
December 22nd, 2005, 07:43 PM
Peter2150 (Global Moderator, Join Date: Sep 2003, Posts: 10,537)
Re: FirstDefense-ISR and Rootkit Recovery

Hi G1111

Let me give you an example. I wanted to test a big name security suite for a couple of things. The big name has a reputation about being hard to uninstall. I uninstalled my firewall, and my av, and installed the security suite.

Note that before doing this I refreshed my other snapshot so it was current. After playing around I just booted to my other snapshot, did a refresh of my primary and booted back to my primary. My original firewall and av were there operational, and all traces of the security suite gone. Nothing left period.

Far as recovery, I had a system freeze occur while running a registry cleaner. I had to power reset to reboot. My system was about as messed up as one could be. I just rebooted into my secondary snapshot, and refreshed and the problem was gone, like it had never happened.

I can't say the other programs aren't good, I don't know. I do know FDISR has never let me down.

Now admittedly a FDISR snapshot is as big as the original, which is why you can boot to it and have your complete system. Are the other programs as good? I don't know.
#5
December 22nd, 2005, 08:42 PM
G1111 (Frequent Poster, Join Date: May 2005, Posts: 759)
Re: FirstDefense-ISR and Rootkit Recovery

Thanks for the response. Can you make the snapshot on an external hard drive with FD or does it have to be on the same HD?
#6
December 22nd, 2005, 08:47 PM
crofttk (Very Frequent Poster, Eastern PA, USA, Join Date: May 2004, Posts: 1,693)
Re: FirstDefense-ISR and Rootkit Recovery

You can copy any FDISR snapshot to an "Archive" (compressed) on an external drive, or any other that it'll fit on. You can't boot directly into that. You would have to import it back to your system drive snapshots to boot from it. So, I keep my older snapshots archived on an external USB but always keep one or two copies of the primary snapshot on the system drive in case I need to "roll back" to one of them, and, indeed, I have had to do so.
__________________
"Ignorance more frequently begets confidence than does knowledge..." - Charles Darwin -
#7
December 22nd, 2005, 11:20 PM
G1111 (Frequent Poster, Join Date: May 2005, Posts: 759)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by crofttk
You can copy any FDISR snapshot to an "Archive" (compressed) on an external drive, or any other that it'll fit on. You can't boot directly into that. You would have to import it back to your system drive snapshots to boot from it. So, I keep my older snapshots archived on an external USB but always keep one or two copies of the primary snapshot on the system drive in case I need to "roll back" to one of them, and, indeed, I have had to do so.

Thanks for the info.
#8
December 23rd, 2005, 12:54 PM
WilliamP (Very Frequent Poster, Fayetteville, Ga, Join Date: Jun 2003, Posts: 1,869)
Re: FirstDefense-ISR and Rootkit Recovery

Ok FDISR experts, I have a question. What can you do with an archived snapshot on another drive? Let's say you have one on another drive and your system drive 'C' dies. Is that archived snapshot going to be any help? I have been wondering about this and I sure would like to know. I have a Dell 8400 with a 160GB SATA as my C drive. I bought an enclosure and a duplicate drive to put in it. Then I bought a SATA PCI controller. The enclosure is hooked to the PCI card. I can hot boot the enclosure. I have planned to Ghost an image to it, but I was wondering about FDISR. I do have FD and maintain 2 snapshots on my C drive. Love it.
#9
December 23rd, 2005, 01:03 PM
Acadia (Massive Poster, SouthCentral PA, Join Date: Sep 2002, Posts: 3,354)
Re: FirstDefense-ISR and Rootkit Recovery

WilliamP, I do both, Ghost (actually Powerquest version 7.xx, and TrueImage version 6) and FirstDefense. Because of FirstDefense and, formerly, GoBack, I have never had to restore ANY of my images, but then again, I have never had a hard drive fail. In theory, if I am understanding things correctly (that's a big "if"), the new version of FD should help you to recover from a hard drive failure, but you would have to reinstall WindowsXP (any service pack), then reinstall FD, then simply restore your Archived Snapshot: your old system should be back good as new, BUT, I have never had to test this. I would be very interested in hearing what the other FirstDefense users have to say about this kind of recovery, that is, a total hard drive failure.

Acadia
__________________
The blazing evidence of immortality is our dissatisfaction with any other solution. -- Emerson
#10
December 23rd, 2005, 01:23 PM
Reggie (Posts: n/a)
Re: FirstDefense-ISR and Rootkit Recovery

Somewhat off topic perhaps, but I'm ready to give GoBack4 the boot (a trusted and well-behaved utility under Roxio's watch, that Symantec has really screwed-up)! I've been considering FDISR or ShadowUser as a replacement, so I was wondering if any of you considered the latter and if so, why you chose FDISR?

Thanks!
#11
December 23rd, 2005, 01:27 PM
Acadia (Massive Poster, SouthCentral PA, Join Date: Sep 2002, Posts: 3,354)
Re: FirstDefense-ISR and Rootkit Recovery

Sorry, Reggie, can't answer your question as I am not familiar with ShadowUser; perhaps some of the others can.

Acadia
__________________
The blazing evidence of immortality is our dissatisfaction with any other solution. -- Emerson
#12
December 23rd, 2005, 04:59 PM
pvsurfer (Very Frequent Poster, California - USA, Join Date: Sep 2004, Posts: 1,245)
Re: FirstDefense-ISR and Rootkit Recovery

It seems to me that the use of any 3rd party 'roll back' program (FDISR, ShadowUser, etc.) serves little purpose if you diligently use an imaging program (such as Acronis TrueImage or Norton Ghost).

I may be missing something here, but why incur the performance-hit (there's got to be some) and the dedicated space required by those 'roll back' programs (on your system drive) if you can simply restore a recent image or individual files, as the situation warrants?

~pv
__________________
WinXP Desktop Security: NOD32 AV + SpySweeper + ZAP 7 FW + Rollback Rx 7 + Acronis TI 9.1
WinXP Laptop Security: NOD32 AV + SpySweeper + Comodo FW + Rollback Rx 7 + Acronis TI 9.1
WinServer2K3 Test Sys: ESET SmartSecurity b1a + SpySweeper + Rollback Rx 8 + Acronis TI 9.1
#13
December 23rd, 2005, 05:12 PM
G1111 (Frequent Poster, Join Date: May 2005, Posts: 759)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by pvsurfer
It seems to me that the use of any 3rd party 'roll back' program (FDISR, ShadowUser, etc.) serves little purpose if you diligently use an imaging program (such as Acronis TrueImage or Norton Ghost).

I may be missing something here, but why incur the performance-hit (there's got to be some) and the dedicated space required by those 'roll back' programs (on your system drive) if you can simply restore a recent image or individual files, as the situation warrants?

~pv

I have been following the threads on the latest version of Acronis True Image and it looks like there are significant problems with the new version. I was looking for a roll back program in case of being hit with a rootkit. It looks like folks here like FDISR.
#14
December 23rd, 2005, 05:50 PM
Acadia (Massive Poster, SouthCentral PA, Join Date: Sep 2002, Posts: 3,354)
Re: FirstDefense-ISR and Rootkit Recovery

ONLY Goback has a performance hit. The "Instant Recovery" programs not only appear to be more reliable than the imaging programs (which I still very much believe in), but they literally only take about 5 minutes to recover your entire system from the worst of anything.

Now, as for the disk space taken up by Firstdefense ...

Acadia
__________________
The blazing evidence of immortality is our dissatisfaction with any other solution. -- Emerson
#15
December 23rd, 2005, 06:02 PM
Peter2150 (Global Moderator, Join Date: Sep 2003, Posts: 10,537)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by pvsurfer
It seems to me that the use of any 3rd party 'roll back' program (FDISR, ShadowUser, etc.) serves little purpose if you diligently use an imaging program (such as Acronis TrueImage or Norton Ghost).

I may be missing something here, but why incur the performance-hit (there's got to be some) and the dedicated space required by those 'roll back' programs (on your system drive) if you can simply restore a recent image or individual files, as the situation warrants?

~pv

Hi pvsurfer

I would say wrong. Serves a lot of purpose. First with FDISR, there is no performance hit. Yes there is a disk space hit.

But on using an imaging program there are several differences. First there is a risk factor. When you restore an image there is always a degree of risk. The first step of an image restore wipes out the disk. With FDISR at least, it's just a reboot into another snapshot. There is also a big time difference. The FDISR process never takes much more than 5 minutes.

I disk image to protect against hardware failure, but most of the things that mess me up are software related and I like FDISR for that.

Pete
#16
December 23rd, 2005, 06:22 PM
Acadia (Massive Poster, SouthCentral PA, Join Date: Sep 2002, Posts: 3,354)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by Peter2150
I disk image to protect against hardware failure, but most of the things that mess me up are software related and I like FDISR for that.
Pete
I used GoBack for five years, and now FD for 1 1/2 years. I have ALWAYS had other backup software, including imaging software. Please believe me, this is no exaggeration or lie, I have NEVER had to restore any backup or image in 6 1/2 years because of these "instant recovery" programs. Of course, I have never had a hard drive fail either (I'm only on my second one), and for that reason I still use two imaging programs.

With Instant Recovery programs like RestoreIt (which I have never used) and the latest version of FD, the area between the traditional recovery programs and instant recovery programs is starting to gray ... in theory, RestoreIt and FD can also save you from total hard drive failure, although I must admit I have never had to test it (and pray I never have to do so).

But these instant recovery programs, at least the two that I have tried, have NEVER let me down, and recover your system so quickly. Plus FirstDefense is almost like having a partitioning program and virtual drive program, without actually having to take the risks that those programs take.

Acadia
__________________
The blazing evidence of immortality is our dissatisfaction with any other solution. -- Emerson
#17
December 23rd, 2005, 07:51 PM
pvsurfer (Very Frequent Poster, California - USA, Join Date: Sep 2004, Posts: 1,245)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by Acadia
ONLY Goback has a performance hit. The "Instant Recovery" programs not only appear to be more reliable than the imaging programs (which I still very much believe in), but they literally only take about 5 minutes to recover your entire system from the worst of anything.

Now, as for the disk space taken up by Firstdefense ...

Acadia
I'm in no position to contradict your comment about 'no performance-hit', but I simply don't understand how that can be.

Btw, can you give me an idea of the typical disk space consumed by FDISR?
__________________
WinXP Desktop Security: NOD32 AV + SpySweeper + ZAP 7 FW + Rollback Rx 7 + Acronis TI 9.1
WinXP Laptop Security: NOD32 AV + SpySweeper + Comodo FW + Rollback Rx 7 + Acronis TI 9.1
WinServer2K3 Test Sys: ESET SmartSecurity b1a + SpySweeper + Rollback Rx 8 + Acronis TI 9.1
#18
December 23rd, 2005, 08:10 PM
Acadia (Massive Poster, SouthCentral PA, Join Date: Sep 2002, Posts: 3,354)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by pvsurfer
I'm in no position to contradict your comment about 'no performance-hit', but I simply don't understand how that can be.
Only GoBack is constantly "running", constantly keeping track of every single file change. FirstDefense just sits there doing nothing until you make or update a Snapshot. TrueImage and Ghost also have no performance hit until you actually use them, why should FD be any different?

Quote:
Originally Posted by pvsurfer
Btw, can you give me an idea of the typical disk space consumed by FDISR?
Every Snapshot is as big as your c:drive. If your c:drive is 5gig, and you make one Snapshot, you now have 10gig of your hard drive used. If you use the maximum allowable of ten Snapshots (like I have) you now have 50gig of your hard drive used.

Acadia
__________________
The blazing evidence of immortality is our dissatisfaction with any other solution. -- Emerson
#19
December 23rd, 2005, 08:23 PM
pvsurfer (Very Frequent Poster, California - USA, Join Date: Sep 2004, Posts: 1,245)
Re: FirstDefense-ISR and Rootkit Recovery

Ok, what I didn't get was that FDISR doesn't create any kind of restore point unless you request it. ...is that correct?

And if every snapshot is as large as the C-drive's used space, then I'd need a bigger drive!
__________________
WinXP Desktop Security: NOD32 AV + SpySweeper + ZAP 7 FW + Rollback Rx 7 + Acronis TI 9.1
WinXP Laptop Security: NOD32 AV + SpySweeper + Comodo FW + Rollback Rx 7 + Acronis TI 9.1
WinServer2K3 Test Sys: ESET SmartSecurity b1a + SpySweeper + Rollback Rx 8 + Acronis TI 9.1
#20
December 23rd, 2005, 08:33 PM
Acadia (Massive Poster, SouthCentral PA, Join Date: Sep 2002, Posts: 3,354)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by pvsurfer
Ok, what I didn't get was that FDISR doesn't create any kind of restore point unless you request it. ...is that correct?
Yes, correct, it does absolutely nothing until you tell it to. I suggest that you go to the Raxco site and study the faq and couple of pdf files that you can download, makes for interesting reading.

Quote:
Originally Posted by pvsurfer
And if every snapshot is as large as the C-drive's used space, then I'd need a bigger drive!
No software program is perfect and this is indeed the one glaring problem with FD, it needs gobs of disk space to be able to perform its magic.

Acadia
__________________
The blazing evidence of immortality is our dissatisfaction with any other solution. -- Emerson
#21
December 23rd, 2005, 08:36 PM
pvsurfer (Very Frequent Poster, California - USA, Join Date: Sep 2004, Posts: 1,245)
Re: FirstDefense-ISR and Rootkit Recovery

Will do - but just one more question; does it require Microsoft .NET Framework (as does ShadowUser)?
__________________
WinXP Desktop Security: NOD32 AV + SpySweeper + ZAP 7 FW + Rollback Rx 7 + Acronis TI 9.1
WinXP Laptop Security: NOD32 AV + SpySweeper + Comodo FW + Rollback Rx 7 + Acronis TI 9.1
WinServer2K3 Test Sys: ESET SmartSecurity b1a + SpySweeper + Rollback Rx 8 + Acronis TI 9.1
#22
December 23rd, 2005, 08:38 PM
crofttk (Very Frequent Poster, Eastern PA, USA, Join Date: May 2004, Posts: 1,693)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by Acadia
... I would be very interested in hearing what the other FirstDefense users have to say about this kind of recovery, that is, a total hard drive failure.
I have NOT had a hard drive physically die on me but I certainly have had to import an archived snapshot from my external USB (3 days is the youngest on there) to restore my system once it and the one other snapshot on my system drive went south on me. Fortunately, FDISR was still operational despite the screwup.

More importantly, though, some of you may be aware of the Acronis True Image Version 9 fiasco; I was caught in the middle of that. At the time this happened I actually went for a short period without an actual backup program and damned if this didn't happen then. "Belts and Suspenders", sure, but I'm glad I still had the belt (FDISR) on at the time. So, even if my hard drive had died, I would have MUCH rather gotten the bare replacement, put on the bare XP install (what, 45 minutes?), install FDISR and THEN recover my whole system with all programs and customizations from the archived snapshot.

Granted, if I'd had an intact backup or image besides the archived snapshot, I could have recovered with less effort with one of those.

Eventually I bagged Acronis and got Retrospect, which I'm quite happy with as a file based backup. Then I went and got a BootIt NG/Image for Windows bundle to use for imaging. Yes, believe it or not, I use 3 forms of backup.
__________________
"Ignorance more frequently begets confidence than does knowledge..." - Charles Darwin -
#23
December 23rd, 2005, 08:38 PM
Acadia (Massive Poster, SouthCentral PA, Join Date: Sep 2002, Posts: 3,354)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by pvsurfer
Will do - but just one more question; does it require Microsoft .NET Framework (as does ShadowUser)?
No, definitely not.

Acadia
__________________
The blazing evidence of immortality is our dissatisfaction with any other solution. -- Emerson
#24
December 23rd, 2005, 08:39 PM
crofttk (Very Frequent Poster, Eastern PA, USA, Join Date: May 2004, Posts: 1,693)
Re: FirstDefense-ISR and Rootkit Recovery

Quote:
Originally Posted by pvsurfer
Will do - but just one more question; does it require Microsoft .NET Framework (as does ShadowUser)?
NOPE!

ETA: Heh, OK, I see I just echoed Acadia....oh well.
__________________
"Ignorance more frequently begets confidence than does knowledge..." - Charles Darwin -
#25
January 2nd, 2006, 10:35 PM
G1111 (Frequent Poster, Join Date: May 2005, Posts: 759)
Re: FirstDefense-ISR and Rootkit Recovery

Just downloaded the evaluation version. Is the purchase fee one time or is there a yearly update fee?

It took about 45 minutes to create my first snapshot. After I was finished FDISR indicated there were 6 errors. The log file though does not indicate what the errors were. Do I need to reimage? I wouldn't want to use a backup with errors.