Wilders Security Forums  

Wilders Security Forums > Official Leapfrog Software Forum > FirstDefense-ISR Forum
#1
September 27th, 2006, 04:07 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Frozen Snapshot vs. Scanners.

Dear brains,
I know you all love your scanners and don't want to ditch them, but forget all that for a brief moment, when you read this thread. After that you may keep your scanners.
I also know that frozen snapshots aren't very popular, but I like to squeeze FDISR until no possibilities are left to use by me.
Any thoughts would be welcome. I'm not really interested in good comments, I prefer negative comments to prove the idea is total nonsense or partial nonsense, severe disadvantages, whatever.

Installation of malware
AS/AV/AT/AK-Scanners WITHOUT a real-time shield allow any installation of any malware and it doesn't matter, if you work with a normal snapshot or a frozen snapshot or a system partition without FDISR.
Only scanners WITH a real-time shield protect you against installations of malwares.
To avoid any conflicts, you can only use ONE scanner WITH a real-time shield and that is of course a disadvantage, because only ONE scanner prevents the installation of malwares.
So this scanner better be an advanced+ scanner or you will be even more vulnerable.

Execution of malwares
If the installation was not prevented, we have 2 possibilities:
1. The malware is activated and starts its evil job.
2. The malware is sleeping and waiting for a trigger.
Neither scanners, nor a frozen snapshot will stop this execution.

Detection of malwares
Once the scanner runs and detects malwares using blacklists/heuristics, we have 3 possibilities:
1. The malware was NOT detected.
2. The malware was detected and reported as a false positive.
3. The malware was detected and reported as a real malware.
A frozen snapshot doesn't detect malwares, it only detects "changes".
A frozen snapshot doesn't have false positives.

Removal of malwares
After detection, the scanner will remove the malwares, usually with user assistance, and we have 3 possibilities:
1. The malware is NOT removed, because it wasn't detected.
2. The malware is removed partially, and that has been proven.
3. The malware is removed completely.
A frozen snapshot however will remove everything, even malwares that bypassed the real-time shield.

CONCLUSION
1. A frozen snapshot removes ALL malwares, because it considers them as "changes" and
changes are not allowed in a frozen snapshot and removed during the next reboot.
So we are talking about a 100% REMOVAL OF MALWARES and scanners don't guarantee that.
In other words you don't need scanners anymore to remove malwares.

You still need scanners to remove malwares in download objects from an unknown source,
but this has nothing to do with this thread. That's another problem.


2. Since the installation of malwares in itself is not dangerous, we have only ONE BIG problem left:
EXECUTION of malwares, that needs to be stopped.
So a frozen snapshot only needs one or more security softwares that stop the execution of malwares.
Keep also in mind:
- that sleeping malwares aren't dangerous YET and they will be removed anyway by the frozen snapshot.
- that stopping the execution doesn't need to be 100%, because all malwares will be removed anyway by the frozen snapshot.

Having the less-knowledgeable user in mind, I have already 2 possible security softwares to stop the execution of malwares :
1. Anti-Executable.
2. Prevx1.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.

Last edited by ErikAlbert : September 27th, 2006 at 05:05 PM.
#2
September 27th, 2006, 09:54 PM
dallen
Frequent Poster
Join Date: May 2003
Location: United States
Posts: 820
Re: Frozen Snapshot vs. Scanners.

ErikAlbert,
I agree with you and also utilize the frozen snapshot technology found within FDISR. Your proposed use of FDISR is right on. I just wanted to tweak it a bit. All executables need to be prohibited because a malicious software that is allowed to execute on your system, even for a moment, can begin arbitrarily deleting data. This deletion could even affect data from other snapshots.
#3
September 28th, 2006, 01:00 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,847
Re: Frozen Snapshot vs. Scanners.

Hi gang

Only difference I see is I'd swap out Faronics and Prevx1 for Online Armor and System Safety Monitor.

The reason, Erik, is that you are already totally over the head of the "less knowledgeable user", so it doesn't matter. OA gives you the anti-executable and really reins in Internet Explorer should you need it. SSM gives you excellent parent-child relationships, meaning it not only controls what can run but who can run it.

Pete
#4
September 28th, 2006, 05:18 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

I certainly agree with Dallen and I'm sure that Peter has the same in mind, that ALL executions need to be stopped.
Although I'm quite certain of the complete removal of malware, I'm not convinced yet that I can stop ALL executions, but I will do everything to make that also possible.
So in theory I fully agree on that, we just have to make it possible in PRACTICE.

I'm also planning to study "Online Armor" and "System Safety Monitor" more seriously as Peter suggested. I know already that they don't have any problems with FDISR, because I had both on my computer in the past.
Maybe I ditched both too quickly. Everybody makes mistakes, and certainly me regarding the internet and malwares, two subjects about which I'm not sure of anything.
I'm already very happy that I can ditch my scanners. I've been dreaming about this since I was a member of SWI 2 or 3 years back. I just didn't know how to do it.

I admit that booting into a frozen snapshot takes more time, but that boot-time is NOTHING compared with the total run-time of all your scanners, not even when you use only one scanner.
Another big advantage is the reassurance that your computer is clean, I never had that feeling after running all my scanners, not even after getting the messages "Congrats. No threats found."
These messages give you a fake feeling of being safe, that's a psychological trick of scanners, you feel safe in your head, but that doesn't mean your computer is safe.

I'm planning to re-install my computer anyway, not because I'm in trouble, but because I recently discovered the freeware "nLite", which looks very promising.
I didn't test it completely yet to confirm my expectations, but I was stupefied by the pre-tests.
IF nLite really works, I have another dream that comes true: moving the complete folder "Documents and Settings" to my data partition [D:].

My actual separation works only for myself and not for all users, if I would have more than one user on my computer at home in a network and that was bothering me constantly. nLite is supposed to solve that problem.
Once I have re-installed my computer with my new "nLite WinXPproSP2 Installation CD" + all my other applications, I will know a lot more about this.

Thanks a lot for the remarks and tips.

P.S.: I wonder if you can do this with RollbackRx/Eaz-fix also.
One thing that always bothered me was the baseline snapshot of RollbackRx, while FDISR doesn't have a baseline snapshot.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#5
September 28th, 2006, 08:36 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,847
Re: Frozen Snapshot vs. Scanners.

Hi Erik

I'd agree with everything except maybe some about the scanners. I do run Superantispyware real-time (rarely do an on-demand scan) and I also run KAV 6.0 (latest betas) and the slowdown is not noticed. KAV has fired up when on dodgy websites, as does Online Armor if it has ActiveX stuff. One of the reasons I like KAV is I can do a full system scan with it in about 1.5 minutes. Is it 100%? No. But KAV updates signatures very frequently, so it's not bad. One more protection.

Pete
#6
September 28th, 2006, 08:57 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by Peter2150
Hi Erik

I'd agree with everything except maybe some about the scanners. I do run Superantispyware real-time (rarely do an on-demand scan) and I also run KAV 6.0 (latest betas) and the slowdown is not noticed. KAV has fired up when on dodgy websites, as does Online Armor if it has ActiveX stuff. One of the reasons I like KAV is I can do a full system scan with it in about 1.5 minutes. Is it 100%? No. But KAV updates signatures very frequently, so it's not bad. One more protection.

Pete
Well that will be the difference between you and me. I will try it without scanners, but we agree on stopping the execution.
The basic idea is there, but that doesn't mean I won't check this in practice. I only have to find ways to keep this "experiment" under control.
But I have time enough, malwares are still there tomorrow.

If we did exactly the same thing, we couldn't learn anything from each other either.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#7
September 28th, 2006, 09:11 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,847
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by ErikAlbert
Well that will be the difference between you and me. I will try it without scanners, but we agree on stopping the execution.
The basic idea is there, but that doesn't mean I won't check this in practice. I only have to find ways to keep this "experiment" under control.
But I have time enough, malwares are still there tomorrow.

If we did exactly the same thing, we couldn't learn anything from each other either.

Erik, we aren't far from being on the same side. If it weren't for KAV's ability to scan the way it does (and the paranoids say that isn't safe) then I would probably be on the same path as you.

Pete
#8
September 28th, 2006, 10:08 AM
dallen
Frequent Poster
Join Date: May 2003
Location: United States
Posts: 820
Re: Frozen Snapshot vs. Scanners.

I'm already doing what ErikAlbert is doing with my "Surfing" snapshot. However, within this snapshot I am still running an AV and one AS (real-time). This is probably due entirely to paranoia.

ErikAlbert,
In my opinion, you are on the right track. Personally, I think that finding a method of stopping all executable files is overkill. Furthermore, with ActiveX and other similar methods I'm not sure that you'd still be entirely theoretically safe. The real goal is to be practicably safe. In actuality, I think that ditching your scanners and using the frozen snapshot technology from FDISR is virtually safe.
#9
September 28th, 2006, 12:27 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

Dallen,
Yes, stopping ALL executions won't be that easy.
Don't forget that scanners were most probably the first protection of computers, so most users grew up with these scanners.
I can understand their mixed feelings, if you suddenly tell them they can ditch them in a frozen snapshot. LOL.

Keep also in mind that scanners detect and remove grosso modo the same malwares; only the differences make them special.
So if you buy an extra scanner of the same type, you pay a lot of money for only the differences, because the rest is the same.

Another big disadvantage is that you have a lot of redundancy, because one scanner doesn't know what the other scanner already scanned. So each scanner starts all over again and this is a huge waste of time.
The more scanners you have, the bigger the redundancy will be, the more time the user will need to run them.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.

Last edited by ErikAlbert : September 28th, 2006 at 12:48 PM.
#10
September 28th, 2006, 06:23 PM
aigle
Incredibly Massive Poster
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,432
Re: Frozen Snapshot vs. Scanners.

Why not use ShadowSurfer free in a simple snapshot without any other thing (except firewall) and you will be more secure.
It will even stop the KillDisk virus.
Not tested all this setup though. But I think it to be more secure and no need for any anti-executable, Prevx etc.
__________________

Ubuntu 13.04
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#11
September 28th, 2006, 06:46 PM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by aigle
But I think it to be more secure and no need for any anti-executable, Prevx etc.
Instead of "I think" can't you say "I know" ? That would be more reassuring for me.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#12
September 28th, 2006, 07:47 PM
SUPERAntiSpy
Developer
Join Date: Mar 2006
Posts: 1,087
Re: Frozen Snapshot vs. Scanners.

@ErikAlbert - where do you propose users store their data? Data certainly can't be rolled back via a snapshot or all work would be lost. What if the data becomes partially infected, i.e. Word Macro Virus, etc.? What if the infection lies dormant for a year and thousands of "good changes" have happened to the snapshot during daily work - if the user rolls back to the original snapshot then they lose their actual data, settings, installed programs, etc.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com
#13
September 28th, 2006, 08:09 PM
Reve_Etrange
Regular Poster
Join Date: Nov 2005
Posts: 108
Re: Frozen Snapshot vs. Scanners.

It depends on what you do with your computer I guess. If I had to use a frozen snapshot, I would have thousands of entries in my anchored data list.
And I would probably keep losing changes, because I didn't mark the file/folder as anchored yet.
But maybe I misunderstood what you meant.

RE
#14
September 28th, 2006, 10:53 PM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,847
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by Reve_Etrange
It depends on what you do with your computer I guess. If I had to use a frozen snapshot, I would have thousands of entries in my anchored data list.
And I would probably keep losing changes, because I didn't mark the file/folder as anchored yet.
But maybe I misunderstood what you meant.

RE

No, for what Erik is doing you don't do any anchoring. You create a separate snapshot for the surfing, and you want to put back to some standard configuration on every reboot.
#15
September 29th, 2006, 03:59 AM
Mrkvonic
Linux Systems Expert
Join Date: May 2005
Posts: 7,467
Re: Frozen Snapshot vs. Scanners.

Hello,
One question, Erik: why would you get infected with malware in the first place?
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#16
September 29th, 2006, 04:14 AM
aigle
Incredibly Massive Poster
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,432
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by ErikAlbert
Instead of "I think" can't you say "I know" ? That would be more reassuring for me.
Ya, I wish I could!
BTW, as Nick said, I believe an AV is a must in any way.
__________________

Ubuntu 13.04
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#17
September 29th, 2006, 05:20 AM
nexstar
Frequent Poster
Join Date: Jun 2004
Location: Southampton, UK
Posts: 371
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by ErikAlbert
P.S.: I wonder if you can do this with RollbackRx/Eaz-fix also.
One thing that always bothered me was the baseline snapshot of RollbackRx, while FDISR doesn't have a baseline snapshot.

It has been a while since I used FDISR but isn't the Rollback 'baseline' the equivalent of the 'primary snapshot' in FDISR, or is there more to it?
#18
September 29th, 2006, 05:32 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by SUPERAntiSpy
@ErikAlbert - where do you propose users store their data? Data certainly can't be rolled back via a snapshot or all work would be lost. What if the data becomes partially infected, i.e. Word Macro Virus, etc.? What if the infection lies dormant for a year and thousands of "good changes" have happened to the snapshot during daily work - if the user rolls back to the original snapshot then they lose their actual data, settings, installed programs, etc.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com
Straight from the FirstDefense-ISR Help:
Quote:
Anchored Data is not frozen. Make sure any files you don't want reverted are in an anchored folder.
This means that any anchored folder in the frozen snapshot will keep its changes after reboot.
I don't have any experience with anchoring, because I store my data on another harddisk. So I don't need anchoring.
If a user wishes to keep his data on the system partition, then he has to anchor the folder(s) where his personal data is stored. For instance the folder "C:\Documents and Settings".

Peter is familiar with anchoring and he probably knows better than me which folder(s) have to be anchored.

Peter's idea, and I quote:
Quote:
Originally Posted by Peter2150
No, for what Erik is doing you don't do any anchoring. You create a separate snapshot for the surfing, and you want to put back to some standard configuration on every reboot.
is also very good and even better, because the more you anchor folders in a frozen snapshot, the more vulnerable it becomes for infections.
I use Peter's idea, because my data is somewhere else. If I want to keep something in my frozen snapshot, I only have to store it in my data partition [D:]. FDISR works only on the system partition [C:].

It depends on what the user wants. FDISR only offers possibilities and it's up to the user HOW to use them or how to combine them.

I certainly proved that a COMPLETE REMOVAL of threats is possible in a frozen snapshot and scanners try to do the same thing, but not so complete and fast as a frozen snapshot. I clean my frozen snapshot in 90-120 seconds, not even ONE scanner works so fast if it does a FULL scan.

Only the EXECUTION is a problem and needs to be stopped, but scanners don't stop the execution either.
So you need one or more security softwares to stop the execution of malwares between two reboots, once the reboot is done all threats are gone anyway.
Since Wilders is full of experts, I'm waiting for good proposals to stop the execution of malwares.
I got already 5 proposals:
1. Online Armor
2. System Safety Monitor
3. Prevx1
4. Anti-Executable
5. ShadowSurfer
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.

Last edited by ErikAlbert : September 29th, 2006 at 05:55 AM.
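To make the anchoring semantics in the post above concrete, here is a small Python model (added here; not Leapfrog's code, and FDISR itself works at the disk level, this only imitates its file-level outcome on a constructed in-memory volume) of a reboot into a frozen snapshot with one anchored folder. Non-anchored changes are reverted whether or not anything ever classified them as malware, while an edit inside the anchored folder survives the reboot, which is exactly Nick's macro-virus caveat. The path matching is a simplified case-sensitive prefix check and the file names are placeholders, both assumptions of the example.

```python
import hashlib
from typing import Dict, Set, Tuple

# A "volume" is modelled as a constructed dict: full path -> file contents.
Volume = Dict[str, bytes]
Manifest = Dict[str, str]


def fingerprint(volume: Volume) -> Manifest:
    """SHA-256 of every file. The snapshot knows hashes, not 'good' or 'bad':
    this is why a frozen snapshot detects changes but never malware as such."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in volume.items()}


def is_anchored(path: str, anchored: Set[str]) -> bool:
    """True if path lies inside an anchored folder (anchored data is not frozen).
    Simplified: case-sensitive prefix match on backslash-separated paths."""
    return any(path == folder or path.startswith(folder.rstrip("\\") + "\\")
               for folder in anchored)


def detect_changes(frozen: Manifest, current: Volume, anchored: Set[str]) -> Dict[str, Set[str]]:
    """Classify every non-anchored path as added, modified or removed
    relative to the frozen manifest. Anchored paths are never reported."""
    now = fingerprint(current)

    def live(p: str) -> bool:
        return not is_anchored(p, anchored)

    return {
        "added": {p for p in now if p not in frozen and live(p)},
        "modified": {p for p in now if p in frozen and now[p] != frozen[p] and live(p)},
        "removed": {p for p in frozen if p not in now and live(p)},
    }


def reboot_revert(frozen_volume: Volume, current: Volume,
                  anchored: Set[str]) -> Tuple[Volume, Dict[str, Set[str]]]:
    """Simulate the reboot into a frozen snapshot: every non-anchored change is
    discarded (added files vanish, modified files are restored, deleted files
    come back); anchored folders keep whatever the session wrote into them."""
    report = detect_changes(fingerprint(frozen_volume), current, anchored)
    restored = {p: d for p, d in frozen_volume.items() if not is_anchored(p, anchored)}
    restored.update({p: d for p, d in current.items() if is_anchored(p, anchored)})
    return restored, report


# Constructed sample volume; paths and contents are placeholders.
ANCHORED = {r"C:\Documents and Settings"}
FROZEN: Volume = {
    r"C:\Windows\notepad.exe": b"notepad",
    r"C:\Program Files\app\app.exe": b"app-v1",
    r"C:\Documents and Settings\erik\report.doc": b"report-v1",
}


def surfing_session(volume: Volume) -> Volume:
    """Constructed session: an unknown file appears, a binary is modified,
    a system file is deleted, and a document in the anchored folder is edited."""
    after = dict(volume)
    after[r"C:\Windows\system32\unknown.dll"] = b"placeholder-dropped-file"
    after[r"C:\Program Files\app\app.exe"] = b"app-v1-patched"
    del after[r"C:\Windows\notepad.exe"]
    # The user's own edit; if this edit carried a macro it would survive too.
    after[r"C:\Documents and Settings\erik\report.doc"] = b"report-v2-with-macro"
    return after


def demo() -> Tuple[Volume, Dict[str, Set[str]]]:
    """Run the constructed session and the simulated reboot."""
    return reboot_revert(FROZEN, surfing_session(FROZEN), ANCHORED)


if __name__ == "__main__":
    restored_volume, change_report = demo()
    for kind, paths in change_report.items():
        print(f"{kind:9s} {sorted(paths)}")
    print("after reboot:", sorted(restored_volume))
```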
#19
September 29th, 2006, 06:00 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by Mrkvonic
Hello,
One question, Erik: why would you get infected with malware in the first place?
Mrk
Mrkvonic, visit the forum SWI and you will see how many users are infected and begging for help to solve their HijackThis log.
I don't work for knowledgeable users, I work for less-knowledgeable users or indifferent users.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#20
September 29th, 2006, 06:07 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by nexstar
It has been a while since I used FDISR but isn't the Rollback 'baseline' the equivalent of the 'primary snapshot' in FDISR, or is there more to it?
If my memory is good, you can NOT DELETE a baseline snapshot, because all other snapshots depend on that baseline snapshot.
All snapshots in FDISR are independent units and the Primary Snapshot is just a snapshot like any other snapshot.
You can delete a Primary Snapshot, rename it, etc. it doesn't matter and it's true, because I did enough tests to prove it.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#21
September 29th, 2006, 06:16 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by aigle
Ya, I wish I could!
BTW, as Nick said, I believe an AV is a must in any way.
In that case Nick has to prove that a frozen snapshot is not good enough to remove ANY threat. I only need some proof and Nick is better qualified than me to prove it. I'm a newbie+++ compared with Nick.
A frozen snapshot doesn't accept any change and no change means NO CHANGE.
Even the smallest change in the settings of a software isn't accepted by a frozen snapshot.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#22
September 29th, 2006, 06:40 AM
ErikAlbert
Incredibly Massive Poster
Join Date: Jun 2005
Posts: 9,456
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by Reve_Etrange
It depends on what you do with your computer I guess. If I had to use a frozen snapshot, I would have thousands of entries in my anchored data list.
And I would probably keep losing changes, because I didn't mark the file/folder as anchored yet.
But maybe I misunderstood what you meant.

RE
You probably don't understand it, because you have still your OLD configuration in mind.
I don't need any anchoring and I still can store my personal data.
You have to think logically and theoretically, start all over again, and forget the past and your old ways of doing it.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#23
September 29th, 2006, 07:07 AM
aigle
Incredibly Massive Poster
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,432
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by ErikAlbert
In that case Nick has to prove that a frozen snapshot is not good enough to remove ANY threat. I only need some proof and Nick is better qualified than me to prove it. I'm a newbie+++ compared with Nick.
A frozen snapshot doesn't accept any change and no change means NO CHANGE.
Even the smallest change in the settings of a software isn't accepted by a frozen snapshot.

Ya, I know. But if you save anything while surfing, then?
__________________

Ubuntu 13.04
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#24
September 29th, 2006, 07:14 AM
aigle
Incredibly Massive Poster
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,432
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by ErikAlbert
Since Wilders is full of experts, I'm waiting for good proposals to stop the execution of malwares.
I got already 5 proposals :

5. ShadowSurfer

It will not stop executables. However it will stop them from doing any harm to the system.
I suggested it as a replacement for both anti-executable and frozen snapshot (2 in 1 and free).
__________________

Ubuntu 13.04
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#25
September 29th, 2006, 07:41 AM
BlueZannetti
Administrator
Join Date: Oct 2003
Posts: 6,589
Re: Frozen Snapshot vs. Scanners.

Quote:
Originally Posted by ErikAlbert
Any thoughts would be welcome. I'm not really interested in good comments, I prefer negative comments to prove the idea is total nonsense or partial nonsense, severe disadvantages, whatever.
ErikAlbert,

On the face of it, I don't see huge issues in principle. You have a restorable snapshot as an immediate rollback/cleanup protocol and a mechanism to prevent the start of various types of non-whitelisted executables. If one tries hard, there are subtle gaps that can, in principle, be identified (e.g. potential malware scripting under an application whitelisted by AE and things along this path), but pragmatically speaking, that eventuality is so inconsequential that it is worth ignoring altogether.

As I previously mentioned some time ago in other threads (for example You do NOT need any other security software... or A perfect security system?), this style of approach requires maintaining very strict discipline. That is where the problem lies for most users, they will become complacent over time, start taking shortcuts, and eventually regret it. You can maintain it won't happen, but I see it happen all too frequently in situations that lead to much more severe outcomes (namely industrial manufacturing plant accidents). These poor folks understood the risks as well, but were trying to save a couple of minutes here and there. It's no different than not booting to the "surf only" snapshot because, well, I needed to finish up quickly...

It's not that the approach is total nonsense, it's that in some scenarios that "shouldn't" happen, you may be left wide open. Personally, given the choice between say "surf only snapshot + Prevx or AE" and "KAV or NOD32 + Prevx or AE", I would still choose the latter although I recognize that both approaches will work, in principle.

Blue
 
