Archive location

Discussion in 'FirstDefense-ISR Forum' started by janger, Apr 11, 2007.

Thread Status:
Not open for further replies.
  1. janger

    janger Registered Member

    Joined:
    Apr 2, 2007
    Posts:
    38
    Just a quick question.
    I'm new to FD-ISR. While checking it out I created an archive of a snapshot. But I forgot to set the location in options. It seemed to make the archive, but I can't find it. Does it exist and if so where? A search of my system partition doesn't find anything. But I don't really know what to search for :(
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Search with "*.ARX" (without the quotes). All archived snapshots have the extension .ARX, including the Freeze Storage.

    In addition, go to Tools / Options / Archives and provide an archive folder of your choice.
    Any archived snapshot you create in this folder will be visible in the main screen of FDISR.

    The archive folder can be anywhere: another partition, another internal hard disk, external hard disk, DVD, CD.
    The best way is an external hard disk, which is the safest place if you keep it off-line.
     
    Last edited: Apr 11, 2007
  3. janger

    janger Registered Member

    Joined:
    Apr 2, 2007
    Posts:
    38
    Yes, I know about the archive options like I said. After posting I realised about the .arx extension. A search including hidden and system files gives no result. Space was taken up when I made the archive, so it must exist. Just can't find the file though. Any ideas? It's not important really because a location should've been set first. But just trying to make sure it isn't a bug.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Check this out:
    1. Open Windows Explorer.
    2. Click on Tools / Folder Options.
    3. Click on the "View" tab.
    4. Look for the option "Show encrypted or compressed NTFS files in color"; it should be marked.

    ARX-files have a blue color.
     
  5. janger

    janger Registered Member

    Joined:
    Apr 2, 2007
    Posts:
    38
    Thanks for reminding me archives are compressed, but I have that option checked. Still nothing. Could it be they are stored like normal snapshots if you don't set a location for archives? Not that I know much about FD-ISR yet but it's strange I can't find it.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    After the installation FDISR has a DEFAULT folder for archives, I just don't remember the name, because I change it.
    If you did a search with *.ARX on all your hard disks and you didn't find any file with the extension ARX, there is no archived snapshot. Very weird, man. Did you do the search right o_O

    EDIT:
    I just did a search and I found all my archived snapshots. Did you change the "Look in:" box, where you specify the hard disk as well?
     
    Last edited: Apr 11, 2007
  7. janger

    janger Registered Member

    Joined:
    Apr 2, 2007
    Posts:
    38
    Hope so. I'm a search junkie.:) Well, I've installed FD-ISR twice now, and both times the archive location in the options was blank. I sort of did this as a test, i.e., not defining a location, to see what would happen. This is XP Pro, fresh install, updated by Autopatcher.

    BTW, I had a light globe appear above my head earlier and thought it could be because I was searching from within a limited account. Light bulb blew though. Trying from admin account gave no results still. Is this just some quirk with FirstDefense? Like you should set a location before creating archives? Because the options have a check box to allow setting a different location, I thought it would put them in My Documents or the admin's "Documents and Settings" folder if the box wasn't checked. But no.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    janger,
    Straight from the Help function:
    I can't believe the archive folder is blank after installing FDISR; there must be a default folder, which most probably starts with "C:\".
    Creating an archive and not finding it? Come on, man, that is absurd. :)
     
  9. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,092
    Location:
    UK
    You didn't by any chance have an external drive plugged in when you did the archive did you?

    Also, what does it say in your FD logs? Tools - View Log Activity, open the big blue plus sign for when your archive was created.
     
  10. janger

    janger Registered Member

    Joined:
    Apr 2, 2007
    Posts:
    38
    Yes it is absurd. But I don't understand First Defense's methods well yet. I read through the help but can't see any reference to a default folder. The checkbox on the Archives tab in options was not checked after installing, and the folder location was blank. It was the same on two different fresh installs of XP. First time was with FD-ISR installed after necessary software/drivers, the second I installed FirstDefense straight after XP's first boot. Can't find anything in registry to help either. And no usb drives or anything was/has been connected.

    Won't post the whole log unless you want a look, but start and end:
    Code:
    04/11/2007 14:19:12 Copying snapshot "Secondary Snapshot" to "Archive of Secondary Snapshot"
    04/11/2007 14:19:12 Preparing to copy
    04/11/2007 14:19:12 Copying
    04/11/2007 14:19:12 Adding "AUTOEXEC.BAT" to "Archive of Secondary Snapshot"
    04/11/2007 14:19:12 Adding "boot.ini" to "Archive of Secondary Snapshot"
    04/11/2007 14:19:12 Adding "CONFIG.SYS" to "Archive of Secondary Snapshot"
    
    .....
    
    04/11/2007 14:22:10 Finalizing folder "WINDOWS\WinSxS" in "Archive of Secondary Snapshot"
    04/11/2007 14:22:10 Adding "WINDOWS\wmsetup.log" to "Archive of Secondary Snapshot"
    04/11/2007 14:22:10 Adding "WINDOWS\WMSysPr9.prx" to "Archive of Secondary Snapshot"
    04/11/2007 14:22:10 Adding "WINDOWS\Zapotec.bmp" to "Archive of Secondary Snapshot"
    04/11/2007 14:22:11 Finalizing folder "WINDOWS" in "Archive of Secondary Snapshot"
    04/11/2007 14:22:11 Finalizing
    04/11/2007 14:22:11 Copied 1.24 Gb (9761 files, 625 dirs); 00:02:58.640
    
    
    And there are no errors showing.

    Here's the main log entries. First the archive created without setting an archive location:
    Code:
    11/04/07 14:19 1000 CMD> ARCHIVE "Secondary Snapshot" "Archive of Secondary Snapshot" "The secondary system image created by Getting Started." EXCLUDE *.tmp
    11/04/07 14:19 1032 Copying snapshot "Secondary Snapshot" to "Archive of Secondary Snapshot"
    11/04/07 14:22 1034 Copied 1.24 Gb (9761 files, 625 dirs); 2 minutes 58 seconds
    And now an archive made from same snapshot, after setting a location:
    Code:
    11/04/07 17:14 1000 CMD> ARCHIVE "Secondary Snapshot" "Archive of Secondary Snapshot" "The secondary system image created by Getting Started." EXCLUDE *.tmp
    11/04/07 17:14 1032 Copying snapshot "Secondary Snapshot" to "Archive of Secondary Snapshot"
    11/04/07 17:34 1034 Copied 1.24 Gb (9761 files, 625 dirs); 19 minutes
    
    Note the 19 minutes in the last operation was due to me changing the priority while searching for *.arx files. And yes, the latter archive is found where I expect. Remember, I said that hard drive space was taken up after the archive so it seems to have been made.

    So if it's absurd the location setting was blank, then I take it you've seen what the default folder setting is? It would make it much easier :)
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You can be right, but it isn't logical. As far as I remember, there was a folder, but I don't remember its name and I changed it immediately, because my archived snapshots are stored on an external hard disk.
    If you are right, you have my excuses, but it's hard for me to believe that FDISR would create archives without having a default folder. Maybe I'm confusing this with the Freeze folder.
    The default folder is not a good one, that's why most users change it.
    Maybe your archived snapshot is stored in the root "C:\".

    However, creating an archive and not finding it anywhere is as good as impossible.
    Do you see your archived snapshot under "Archived Snapshots" in the main screen of FDISR o_O
     
    Last edited: Apr 11, 2007
  12. janger

    janger Registered Member

    Joined:
    Apr 2, 2007
    Posts:
    38
    Well what do you know? I found it.

    After doing a successful restore from the so-called "lost" archive, it proved it had been made successfully. So this morning I did another search and somehow found it. They are stored in the "\$ISR\$ARCHIVE" folder.

    The problem was there are special permissions for non-admins in the $ISR folder hierarchy. I never discovered this until turning off Simple File Sharing. It's interesting that despite not being given permissions to traverse or list these folders, a normal user can still get into it by entering the path directly into Explorer or doing a search.

    Anyway, thanks for everyone's help. Much appreciated.
     
  13. EASTER.2010

    EASTER.2010 Guest

    The same also applies to the System Volume Information folder. Sorry I got in on this thread late, but glad you finally discovered it. $M done a lot of peculiar setting of permissions for XP, that's for sure.
     
  14. janger

    janger Registered Member

    Joined:
    Apr 2, 2007
    Posts:
    38
    You can say that again. I still can't figure out why the archive wouldn't show up in a search yesterday. But at least I know where to look now.

    Why doesn't FDISR set permissions to restrict who can access the $ISR folder?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It does, but you can change them if you chose to.
     
  16. janger

    janger Registered Member

    Joined:
    Apr 2, 2007
    Posts:
    38
    Hmmm. I haven't changed any permissions and from a limited user account I can access the whole folder hierarchy as well as copy the archives from it. Deletion or modification are denied however.
     
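    An added example (not from this thread and not part of FD-ISR) of how to check the two things discussed above from an administrator prompt: locate every .ARX archive on the fixed drives, including hidden and system folders that Explorer's search skips, and list which non-administrator identities the $ISR folder grants access to. It assumes the archive root is C:\$ISR as reported in the thread; the exact folder name and ACL layout are assumptions to adjust for your install.

```powershell
# Enumerate fixed drive roots (C:\, D:\, ...) exposed by the FileSystem provider
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }

foreach ($drive in $drives) {
    # -Force includes hidden and system items; folders we cannot open are skipped silently.
    # PSIsContainer filtering keeps this usable on PowerShell 2 (no -File switch there).
    $archives = Get-ChildItem -Path $drive.Root -Filter '*.arx' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    foreach ($arx in $archives) {
        Write-Output ('{0}  ({1:N0} MB)' -f $arx.FullName, ($arx.Length / 1MB))
    }
}

# Audit the ACL on the ISR root; single quotes keep the literal '$' in the path
$isrRoot = 'C:\$ISR'   # assumed default location (from the thread); change if you moved it
if (Test-Path -LiteralPath $isrRoot) {
    $acl = Get-Acl -LiteralPath $isrRoot
    foreach ($ace in $acl.Access) {
        # Allow entries for broad groups are what let a limited user read or copy archives
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -match 'Users|Everyone|Authenticated Users') {
            Write-Warning ('{0} grants {1} -> {2} (inherited: {3})' -f
                $isrRoot, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
        }
    }
}
```

    A warning line for BUILTIN\Users with ReadAndExecute or ReadData matches the behaviour described above (limited users can list and copy archives); tightening it is a matter of editing that ACE, not of FD-ISR settings.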
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't even have this folder "\$ISR\$ARCHIVE" on my hard disk [C:], I only have these subfolders under C:\$ISR:
    $APP, $LOGS, $MBR, 0, 1, A + two files: $ISR and $OPT.

    My "freeze storage.arx" is on my data partition [D:].
    My archived snapshots are all stored on [E:], which is an external hard disk.

    Maybe there is something wrong with me. :eek:
     
    Last edited: Apr 12, 2007
  18. EASTER.2010

    EASTER.2010 Guest

    Well, my understanding is that FD-ISR only snaps the single C:\ drive alone, which is plenty OK with me, but it does also recognize OTHER partitions/drives too, right? I speak of the other storage locations for your .ARX's if you change paths in the Options.

    I already got some archives spread around to various partitions on the same drive as well as other drives and am really getting a treat from this feature. IMPRESSIVE!

    Side Note: Not until I fully get a handle on the FD freeze mode will I use that feature, and since I'm a tried & true advocate for POWER SHADOW, it will have to continue to serve that purpose. I feel more confident when malware-hunting to let PS shadow my snapshot than taking the risk of some clever code creator compromising FD. I don't have it in my plans just yet, if ever, to take an FD (FREEZE) snapshot on a journey to the hornets' nests on the web.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    PowerShadow could be interesting for me, because PS is virtual, while FDISR is real.
    PowerShadow seems to have something else, that had my attention, but I need to test this first.
    Unfortunately PS's origin is Chinese and it's hard to communicate with these people, their websites and their support if you don't understand their language. So I'm not very enthusiastic to use PS.
     
  20. EASTER.2010

    EASTER.2010 Guest

    Yeah, I gave FD's freeze feature plenty of thought and came to a very good conclusion, I think. I don't take anything away from it at all, but instead just felt it might be even more beneficial and prudent (for my research anyway) to place my chosen snapshot under the protective cover of PS, which leads directly to yet another thought. Why couldn't one FREEZE a snapshot, and then shadow that same FROZEN one with PS for a dual-mode type of coverage from potential compromise? Not that it would happen anytime soon, but why not double up protective shielding when it's available right there in front of you to use.
    Mind you, most will never need to make such pursuits, but in my field of study I can't think of anything else more useful than this combination for that purpose.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The beauty of Archives is you can put them on other drives. I keep my archives on my 2nd internal drive, and on my external drive. You change the drive location in the tools>options>archive menu. Only difference is you can't boot from them. I love them.
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The problem with FDISR is that everything is REAL.
    A frozen snapshot is cleaned by a copy/update. Suppose this copy/update doesn't work properly, which means that your snapshot is still infected after reboot and that's what's bothering me the most.
    I have no scientific proof that a frozen snapshot removes ANY possible infection.

    If I was a security expert, I would do everything to prove that a frozen snapshot does NOT remove all infections, but I can't do this myself, because I'm not an expert. You have to control such a test and that requires expertise.
    The test bed doesn't need to be as big as the test bed of av-comparatives.
    You only need a test bed of each kind of malware type from a simple one to the most sophisticated one. One example of each type is enough.

    The principle is that infections cause CHANGES in your snapshot; a frozen snapshot removes CHANGES by adding, deleting and replacing objects, and that's why it will remove infections also.
    If a frozen snapshot fails to remove all infections, it also means that a normal copy/update will fail too.

    Peter's latest test has increased my confidence in the copy/update, but the test was not about infections.
     
    Last edited: Apr 14, 2007
  23. EASTER.2010

    EASTER.2010 Guest

    You're so right, Peter2150. I can hardly believe just how useful this has become and certainly why I didn't give it the attention it deserved before now. Guess it just took reading more and more of all those glowing results users have been raving about, plus your & ErikAlbert's exchanges on taking this program to task with creating/updating snaps/archives/freeze etc., and so plenty of good information (And Exciting Reads!) finally made me turn my attention this way, and I could not be any more pleased that I did.

    I might be only catching on to FD now, but for me anyway, I realize there's simply no substitute for the confidence that you can take in your own machine once you try this program and experience first-hand for yourself all its benefits. This is a great journey to embark on, kinda like reinventing the wheel, only instead, restoring the wheel to its former glory as many times as you choose. LoL

    I now enjoy several different configurations in several (7) snapshots, 2 additionally I copy/pasted manually (dunno if that works though yet) to alternate partitions, and some archives to various locations too. I even took your advice and "stripped" one to almost bare-bones and saved it as an archive, then updated to snapshot and so on. Simply Incredible! I don't know quite any other way to put all this. It's consuming my attention and is actually enjoyable, like stockpiling separate O/S's for different purposes without going into so much intensive imaging/cloning (although I understand that too is important).
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You can boot from any archived snapshot, I proved it, but it wasn't practical enough. So we ditched the idea.
     
  25. EASTER.2010

    EASTER.2010 Guest

    Without drumming up too much detail, which you seem to hint at as not particularly useful, would you mind explaining the part "wasn't practical enough"? I know that by default they're not supposedly designed to boot from, but the very fact that you did makes for some interest even if it proved not very practical. LoL
     