Easily bypassed

Discussion in 'FirstDefense-ISR Forum' started by Huupi, Jun 1, 2007.

Thread Status:
Not open for further replies.
  1. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    There's some reason behind why you can easily write/read the other SS with XYplorer and other explorers. If the developer had wanted the other SS to be completely locked (in every instance completely "access denied"), he would have done so. I guess the stuff was meant to be only an instant system recovery, and not with security in mind, so it's obvious that you can access the other SS.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Sorry but that doesn't convince me. The fact that FDISR isn't a security software doesn't mean you can fool around in these $ISR-folders with XYplorer.
     
  3. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I never said that, it's a possibility! At your own risk!
     
  4. EASTER.2010

    EASTER.2010 Guest

    Couldn't have said it better myself. It maybe chiefly designed for immediate recovery courtesy snapshots/archives but that in and of itself lends to some pretty solid security on that front anyway, right? :thumb:
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The fact that your work snapshot has been cleaned by a rollback snapshot/archive gives you the reassurance that you got rid of any infection, and that makes you feel much safer than security software does, which fails sometimes.
    Although it makes you feel safer, it remains recovery, just like you would restore a clean image.

    A sandbox is nothing but a container of good and bad objects, caused by a sandboxed application (e.g. browser). Once you clean the sandbox, all good and bad objects are gone and that is also recovery.

    Security software recognizes bad objects by signatures (blacklists), by whitelists, by heuristics, by behavior, ... and that's why it can detect/stop/remove bad objects without touching the good objects. That is called security.
    If security software recognizes a good object as a bad object, then you have a false positive. :)
     
  6. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    With all this talk about terms, they are just different (or maybe not that different?) means to get the same result. Be it recovery or security, you always want to have the opportunity to get back to a clean slate. The ultimate goal for me is preserving my precious data, and I make means to get that right: I can buy me a new rig, but if personal data is lost, it's lost forever. In FDISR I anchor "My Documents" with all the personal stuff in there, so I make me a 3-way backup: I back up My Documents to 2 external disks, and one backup of My Documents is embedded in a weekly disk image. Personal data on the external disks is frequently updated; in case my internal disk crashed or whatever, I restore the image and bring "My Documents" current with the backup on the external drive. It's all about "My Documents", everything else I think is secondary to me.
     
  7. EASTER.2010

    EASTER.2010 Guest

    Very well put Erik.

    Security in this sense then can be considered as THE Front-Line for shielding/blocking, whereas recovery falls anywhere after the fact since it's NOT in any way a form of shielding; but by its very nature of restoring, it also provides what some might consider a very different type of Security as it can secure/restore your system again to a relatively former "clean" state.

    Recovery also appears subdivided into groups such as you mentioned sandboxing for one, or it could be virtualization (PS), or the more what i like to think is a more complete recovery with the likes of FD-ISR copy/updates or others may prefer Rollback Rx for example along with some others. (?)

    Of course the final act of returning the system again to a fully restored condition rests with our Imaging Programs beit images or cloned alternative media & such as these. All this is usually enough to give us that sense of security with the confidence that our work/data/system is PROTECTED.

    Very enlightening facts indeed!
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Easter,
    Well I still have a problem with understanding the difference between frozen snapshot (real environment) versus PowerShadow (virtual environment) regarding bad objects (= all kinds of infections).

    Is a bad object less harmful in a virtual environment than in a real environment, and if so why, or does it make any difference?
    I'm only talking about a frozen snapshot versus PS without any other security softwares involved.
     
    Last edited: Jun 3, 2007
  9. EASTER.2010

    EASTER.2010 Guest

    ATM, i'll pass that question over to some others who might better fill you in on exact facts rather than my theory or what i perceive to be theory derived from concepts of the two.

    The reason for that being, and generally speaking from experience with only PS, I could only touch on the virtual side of the matter. I still haven't got around to using the full capacity of FD-ISR with the FrozenSnapshot feature just yet and for the time being, and also because it's proven for me so very reliable & fast, Power Shadow you might say freezes or covers my unfrozen snapshot at the point in time of entering shadow-mode.

    From that end though I can only speculate Erik, :) that virtual on the surface might appear to hold something of an advantage over a real environment where concerns "bad objects"? But isn't the end result the same? A restore from either returns, let's hope, your system state back again to a more desired state.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The end result is the same, that's not the problem, and I can ask the question also this way without naming softwares: "Is a bad object less harmful in a virtual environment than in a real environment?"

    If a bad object can do less harm in a virtual environment, a frozen snapshot might be the wrong solution and I think it has been proven twice:
    1. The killdisk virus was stopped in two virtual environments: PowerShadow and Sandboxie, but wasn't stopped by a frozen snapshot, which is a real environment.

    2. PowerShadow and FDISR survived also this test according member "flinchlock" :
    DEL /F /S /Q c:\*.* in the CMD-window in post #202 of this thread :
    https://www.wilderssecurity.com/showthread.php?t=174380&page=9&highlight=powershadow
    while a frozen snapshot failed in this test, done by myself.

    So "normal snapshot + virtual environment" seems to be more powerful than "normal snapshot + freeze storage", which means I have to go back to the drawing board. :eek:

    Sandboxie is not an interesting candidate, because it doesn't protect the whole snapshot, just sandboxed applications.
    Possible candidates are PowerShadow, ShadowUser, ... is Returnil = virtual environment ?
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes Returnil is indeed a virtual environment. Also might consider Rollback in conjunction with FDISR. I may re test Rollback against these two tests. Might not be for a couple of days though.
     
  12. EASTER.2010

    EASTER.2010 Guest

    Just as I initially assumed. Virtualization does hold the advantage and those results of course prove that out very clearly. That's a chief reason from the start of dealings with FD-ISR I chose to cover the snapshots with PS rather than chance having to reinstall the program again if someway corrupted.

    You do have to remember though that the KillDisk virus was a test and as far as I know is not (yet) if ever would reach some epidemic proportion, but the tests clearly expose that greater weakness than in virtualization programs. Besides, any destructive disk/partition virus would have quite a task scaling my HIPS in the first place. :D I put a lot of stock in HIPS because they work, even though they always require time to learn your way through at the start.
    I still occasionally, and even today thanks to HIPS, was alerted to a download dropper from casually surfing the net for custom XP skins. It was of course DENIED, navigated to the Local Settings\TEMP folder and easily dispatched it off the system. Those are common occurrences I've gotten used to dealing with from some of those sites that use rotating advertisers that still are living in the 98 days of trying to hijack wmplayer or add to the start up. :D
    HIPS knock them back but it also takes user interaction to make an informed choice, and it's not so hard a choice when you haven't even clicked a link but simply landed on a web page. The age old remote execution exploits that still plague IE, but I learn to live with it.

    On another note, more On-Topic, I never could get any version of Sandboxie to run stable on my units so I would have to select a different choice if I was searching sandboxes, so in the meantime Power Shadow Master fills the bill quite nicely thank you.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, Returnil = virtual environment, I should have known, I even participated in the thread of Returnil. :oops:
    I don't think Rollback is a good candidate, because RB = real environment as far as I know.
    Returnil and PowerShadow are better candidates, because they protect the whole snapshot and do replace the freeze storage.
     
  14. EASTER.2010

    EASTER.2010 Guest

    Same here. I have an issue with how Rollback Rx functions. I prefer a recovery/rollback program to afford creation of the full complement of files and not just rely on reference to a single snapshot like in its current form. I already experienced some anxiety moments when playing around with a partition manager disk on a Rollback drive, then got BlueScreened at bootup. The best I could muster was Uninstall it (via prescreen) to the last bootable snapshot and lost whatever was forwarded after that point. Disconcerting for me with any program that leaves me no other alternative than that. FD-ISR on the other hand affords Nice :) archives to turn to in event ANY snapshot (Or All Of Them) become hindered in some way, including the program itself. A simple reinstall and Copy/Update to New Snapshot and total + immediate recovery is assured.

    Returnil on the surface and from early indications appears a safe enough alternative to even PS due to its MEMORY virtualization concept, which needs some runs from members to fully determine the extent of its ability.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay. I ran the two tests mentioned(killdisk and the del c:\*.*) and Rollback passed both with flying colors.

    PV I share your concerns, but I created a rollback snapshot which clearly wasn't a complete fileset, and then did the Del test. Rollback handled it neatly, in no time at all.

    What is cool and it fits here, is that at least for me Rollback is playing nicely with FDISR, and Shadowprotect. Kind of the best of all worlds.

    Pete
     
  16. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Welcome to the club Pete (Rollback Rx + FD-ISR + Shadowprotect)!
    :D

    Atomas31
     
  17. EASTER.2010

    EASTER.2010 Guest

    This statement will probably go OT but only briefly and is chiefly directed to ErikAlbert since he expresses the most apprehensions where concerns potential threats to his overall security.

    This is an age old trick from Windows 98 days but it is just as relevant today with XP and also Vista.

    I used to get hammered with sudden unexpected launchings of programs when i wasn't even at the table with my PC so i decided to use some audio aid to help alert me to something going on that shouldn't.

    Specifically directed toward your concerns ErikAlbert. :) It's not much, but it definitely can be beneficial for those who hold a very high suspicion of any possibility of an executable launching when you don't know why on earth something is activating on your PC.

    NOTE: You'll be pleased to know THIS ALSO APPLIES TO SCRIPTS!

    Simply enter your CONTROL PANEL and go to SOUNDS. Scroll the list. $M by default leaves this empty :thumbd: Apply a sound wav to Open Program. DONE!

    Now anytime that ANYTHING executable including scripts is activated no matter what, an immediate Audio tone of your choice (i use a small Vista beep) will sound off.

    This little, very unused practice has saved my bacon countless times in the past. Just another layer of protection to keep everything honest and prevent being blind sided.

    EASTER
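
    An added example, written by the editor and not part of EASTER's post: the same kind of audible cue, produced from a script rather than the Control Panel Sounds applet. It subscribes to the WMI Win32_ProcessStartTrace event class and beeps (and prints the process name, PID and parent PID) for each new process, whatever launched it. Assumptions: a Windows host, an elevated (administrator) PowerShell session, since that event class is not delivered to unprivileged sessions, and a console beep as the alert; the source identifier "ProcStartAlert" and the beep frequency/duration are arbitrary choices.

```powershell
# Added example (not from the forum post): audible alert on every process launch.
# Assumes Windows, an elevated PowerShell session, and that a console beep is the
# desired alert. The identifier "ProcStartAlert" is an arbitrary name for the subscription.

$query = "SELECT * FROM Win32_ProcessStartTrace"

# Subscribe to process-creation events; the -Action block runs once per event.
Register-WmiEvent -Query $query -SourceIdentifier "ProcStartAlert" -Action {
    $e = $Event.SourceEventArgs.NewEvent
    # Win32_ProcessStartTrace exposes ProcessID, ParentProcessID and ProcessName.
    $line = "{0:HH:mm:ss}  PID {1,-6} parent {2,-6} {3}" -f (Get-Date), $e.ProcessID, $e.ParentProcessID, $e.ProcessName
    Write-Host $line
    # Short tone: the script equivalent of assigning a .wav to "Open Program".
    [Console]::Beep(800, 150)
} | Out-Null

Write-Host "Watching for process launches. Press Ctrl+C to stop."
try {
    # Keep the session alive; the subscription only fires while the session exists.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Remove the subscription on exit so it does not keep firing in a reused session.
    Unregister-Event -SourceIdentifier "ProcStartAlert"
}
```

    Run it in an administrator PowerShell window and leave it in the background; the printed parent PID is the part worth looking at when an unexpected beep goes off, because it tells you which process started the new one.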
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    ShadowProtect restores all RBRx-snapshots ?
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I re-configured Anti-Executable and repeated the test DEL /F /S /Q c:\*.*
    This time I had everything back except the FDISR-options, which were back to default.

    My both snapshots were there and working, which I don't understand because my boot-to-restore doesn't cover my off-line-snapshot and the default options disabled my boot-to-restore for the on-line snapshot. So my boot-to-restore didn't save anything.
    I guess the folders C:\$ISR\0,1,A weren't deleted by the DEL-command and were still there to recover my snapshots.
    The different configuration of Anti-Executable prevented the deletion of some important FDISR-files and that was the reason why FDISR was able to recover both snapshots.

    Regarding the killdisk-virus :
    Although I couldn't test it like Peter, this virus is an unauthorized executable and doesn't have a chance in theory with Anti-Executable.

    The bottom line is that Anti-Executable will save me in both cases, not my boot-to-restore.
    So I stick to my boot-to-restore solution, because it saves me in other situations.
     
    Last edited: Jun 5, 2007
  20. EASTER.2010

    EASTER.2010 Guest

    Looks like your AE is the ticket you've been in search of all along. Forget sandboxes, IMO they only cover a "limited" area at best, IF THEY WORK; I know, I know, that doesn't help if you need to reboot to install some program if using virtualization, but then that shouldn't be of concern either. Save the installer alternatively, then disengage your virtual coverage to install, of course OFF-LINE :cool:

    The Boot-To-Restore solution is Ideal! (PS: But i prefer SSM to AE :D )
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I agree that sandboxes are local and limited to applications and that doesn't cover everything. Besides I have DefenseWall, which is also limited to applications, but it's more userfriendly than Sandboxie. IMO DefenseWall will prevent the execution of malware better than Sandboxie, but that is just a feeling.

    I prefer AE, because I understand it better than SSM.

    My boot-to-restore however covers most problems and does the same job as your PowerShadow in single shadowmode. This is something I never had in the past and I don't like to lose it. :)
     
  22. EASTER.2010

    EASTER.2010 Guest

    HIPS as in System Safety Monitor is also something we never had before, and for me anyway, even EQSecure.

    HIPS are 100% responsible for greatly increasing confidence & security for me against forced intrusions of any sort (virus/trojans), and have proven to finally steer me completely away from any AVs, which also were a huge PITA, not to mention unreliable when it came to new creations unleashed, usually in droves at a time so as to not have all of them readily available for inclusion in AV database signatures.

    Virtualization such as Power Shadow was the icing on the cake, then completing the iron wall came FD-ISR and its greatly inspiring ability to archive its snapshots. Complement all of this with a solid imaging program and you're pretty well COMPLETE!

    It would never be the same without them. :)
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Remember my object is to get the machine back to current status, in case of disaster, not some previous condition.

    The answer to your question is no. I don't even image with Rollback installed. To recap: I've imaged, then installed Rollback in my primary snapshot. As I work with Rollback, at critical points, I refresh my primary archive from the primary snapshot (the one with Rollback installed). This also happens to be the current active system from Rollback's perspective. Also note I haven't been able to swap snapshots with Rollback installed.

    So now something happens which trashes Rollback by chance. I restore my SP image which replaces everything including MBR and track 0. My system is now back to when I took the image, with no rollback. I boot to secondary, and update primary from archive. System is now current with Rollback there, but it will show up as uninstalled(not in mbr). An uninstall and reinstall of rollback solves that problem.

    System is now current, all older Rollback snapshots are gone. For me not a big deal, but might be to some.

    Pete
     
  24. EASTER.2010

    EASTER.2010 Guest

    Thanks Pete.

    Your findings about Rollback confirm solidly my suspicions with it. While it is a fairly decent rollback app, I found it caused me some difficulties, and those type difficulties do not happen with just FD-ISR installed & running.

    All I did was try to access my disk with a PARAGON recovery CD w/ Rollback installed and it bluescreened me right off the bat. I don't keep but 3 or 4 Rollback snaps, but my main one that had ALL the updated material was rendered useless and unreachable, forcing me to revert back to a previous Rollback snap, which also deletes everything made AFTER the one you select.

    Needless to say, at least from my personal perspective from actual experience (or problem encountered), Rollback is not an app I can depend on for secure recovery. FD-ISR is!!!
     
  25. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    994
    No BSOD with ATI when using Rollback with FD-ISR. I use the same setup as Pete does and have had no problems with recovering using the Linux CD. I plan to test ShadowProtect v3 when it is released.
     