Frozen Snapshot vs. Scanners.

Discussion in 'FirstDefense-ISR Forum' started by ErikAlbert, Sep 27, 2006.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I ditched Anti-Executable already and replaced it with Prevx1.
    Anti-Executable works with FDISR to a certain security level. If I use the maximum security level of AE, then I can't copy/update snapshots without errors.
    For instance AE won't allow any delete, while FDISR deletes sometimes during refreshing of the frozen snapshot, if AE is on maximum security level.
    It is a normal conflict between FDISR and AE.

Prevx1 works differently and has no conflicts with FDISR, and I like the philosophy behind Prevx1, except the blacklist part.
    I wonder how good Prevx1 really is; the theory and the way it works sound good, but is it all true in practice ... ? That's why I installed Prevx1 in a frozen snapshot for daily use. If it fails, my frozen snapshot will remove the rest.
    If I want to torture Prevx1, I have to create another snapshot without freezing to see how strong Prevx1 really is. The problem for me is, how will I know for sure that I'm infected or not AFTER the torture tests? I can run scanners to verify this, but I don't trust them either.
     
    Last edited: Oct 6, 2006
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    ErikAlbert,

    It should be possible to remove this issue via appropriate configuration.

    What's more important, the goal or the means to achieve that goal? While one can develop conceptual arguments that blacklisting will, in principle, become operationally unwieldy at some stage (we're somewhat removed from that currently), I really don't see any issues with a combined white/black list approach.
    At some point, you have to trust someone in some regard, unless you're willing to:
    • rewrite the OS and all the applications you use from scratch,
    • or manually inspect/integrity check your system on a very frequent basis and know what to look for,
    • or relinquish a web presence altogether.
    You already place a lot of trust in a lot of people in everyday life (I sure hope that airline mechanic didn't end up with any spare bolts after that latest job...), computing is no different and there is nothing wrong with that. If the trust is misplaced, that will become apparent eventually and an alternate solution can be pursued. Trying to plan for and guard against every conceivable permutation of all possible scenarios simply yields paralysis, which is a bad outcome.

    Blue
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
No, you can't if you want AE on maximum security.
    You can't tell FDISR not to delete objects during refreshing snapshots; that's the way it works.
    I was able to set AE on security level HIGH, but I couldn't mark the additional settings to make it stronger.
    So an appropriate configuration is possible, if you don't mark these additional settings. If you are satisfied with this, then AE isn't a problem anymore for FDISR.

    I already use Prevx1 in practice, which means I accepted the blacklist part, but that doesn't mean I have to like blacklists. I can live with this, because I like the rest of Prevx1.
    I like FDISR too, but that doesn't mean I like everything about it.

I don't think you understand me completely on this subject.
    After the torture tests with Prevx1, I have two possibilities :
    1. I'm not infected and in that case Prevx1 did a good job.
    2. I'm infected and in that case Prevx1 failed in one or more cases.
    I would like to know which bad objects bypassed Prevx1 and send an email to Prevx1 about that in order to improve Prevx1.

The trouble is that I don't have any foolproof method to see if I'm infected or not.
    If I have software that gives me the differences between BEFORE and AFTER the torture tests, I'm already satisfied. It doesn't need to be a scanner.
    I might use the "FDISR Activity Logs" for this, but I don't really know if they are useful for this purpose.
     
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I came a bit late onto this thread, but I have to say it's been a very interesting and informative read on the use of Frozen snapshots.

I agree that it's probably wise to have a completely separate frozen snapshot when surfing dodgy sites. However, I would probably use it for another purpose due to the current limitation of ONE frozen snapshot. I would want to use it for my main snapshot which allows me to carry out my day-to-day tasks:

    - browse the web (although dodgy sites would be prohibited in this snapshot)
    - send/receive e-mails
    - software development

    Potential areas for Data anchoring are:

    - e-mail mailboxes (although these can be moved to different partition)
    - AV database (storage folder would probably need to be data anchored)
    - data, documents, source code etc. (this is all stored on separate partition)

    Primary Security Software

    - AV (I use KAV 6)
    - Network firewall (I use Look 'n' Stop)
    - App firewall (I use SSM due to fine-grained process execution control. It also has protection against KillDisk)
- Sandboxie (for use when browsing with Firefox)

    I would install KAV 6 mainly for the e-mail scanning, although I would probably leave the real-time scanner enabled as a backup for when surfing. It would also be used occasionally for on-demand scans where needed. Look 'n' Stop would obviously be used for network protection (coupled with a router). SSM would be used for process control to stop any unwanted processes executing.
     
  5. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
I was wondering this as well after I started using Rollback Rx in a similar frozen type state. What if I allowed something through that shouldn't have gotten through? Would it just keep infecting me since it would be anchored? How would I know it was infected unless I did an on-demand scan, which then kinda defeats the purpose of freezing the snapshot?

    Thanks,

    Chris
     
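Post 3 asks for something that reports the differences between BEFORE and AFTER a torture test without relying on a scanner, and post 5 asks the same question about an anchored folder: how do you notice an infection that the freeze does not roll back? A baseline-and-compare file integrity check is the minimal answer. The following Python is an added example written for this page; it is not code from FDISR, Prevx1 or any poster. It hashes every regular file under a directory, stores the result as a baseline, hashes again later and lists what was added, removed or modified. The `demo()` function constructs a small throwaway tree that stands in for a snapshot or anchored folder; the file names in it are made up for illustration.

```python
"""Baseline-and-compare file integrity check: hash a tree before a test
run, hash it again afterwards, and report what was added, removed or
modified.  Added example, not part of the forum thread or of FDISR."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, POSIX
    separators) to (size, sha256).  Symlinks are skipped so a link cannot
    steer the hasher outside the tree being measured."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            baseline[rel] = (full.stat().st_size, hash_file(full))
    return baseline


def compare(before, after):
    """Diff two baselines.  Returns sorted lists of added, removed and
    modified relative paths.  A file counts as modified when its hash
    changed, even if its size and name did not."""
    before_keys, after_keys = set(before), set(after)
    return {
        "added": sorted(after_keys - before_keys),
        "removed": sorted(before_keys - after_keys),
        "modified": sorted(p for p in before_keys & after_keys
                           if before[p][1] != after[p][1]),
    }


def demo():
    """Constructed scenario (not real system files): take a baseline of a
    small tree, then drop one file, alter one in place keeping its size,
    and delete one, and return what compare() reports."""
    root = Path(tempfile.mkdtemp(prefix="snapshot-demo-"))
    try:
        (root / "Windows" / "system32").mkdir(parents=True)
        (root / "Windows" / "system32" / "kernel32.dll").write_bytes(b"A" * 64)
        (root / "Windows" / "notepad.exe").write_bytes(b"B" * 32)
        (root / "Windows" / "win.ini").write_text("[fonts]\n")
        before = build_baseline(root)

        # Side effects of the "torture test", constructed for the example.
        (root / "Windows" / "system32" / "dropper.exe").write_bytes(b"C" * 16)
        (root / "Windows" / "notepad.exe").write_bytes(b"b" * 32)  # same size
        (root / "Windows" / "win.ini").unlink()
        after = build_baseline(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add. The baseline must be stored somewhere the test cannot touch (the data partition mentioned later in this thread, or removable media), otherwise malware that runs during the test can rewrite the "before" record. And a user-mode hasher only sees what the file system shows it: it catches dropped, replaced and deleted files, including inside an anchored folder, but not registry changes or files hidden by a kernel-level rootkit, so it complements a clean reboot rather than replacing it.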
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
The more you anchor, the more vulnerable your frozen snapshot becomes, because the changes are kept in the anchored folders/files.
    That's why I moved all my personal data to another partition [D:].

    For updating security software, you download the updates right after reboot (= clean snapshot) and re-freeze the snapshot.
    So there is a short weak period between reboot (= clean snapshot) and re-freeze in which you can be infected.
    This is the very best way. Keep in mind that re-freezing is pretty fast.

    If you anchor the folder of the security software, you are constantly vulnerable to infections, at least in the folder of the security software.
     
  7. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
Yes, but like in the beginning you said you were using Anti-Executable and Prevx. I assumed you had them on the system partition? If so, if you surfed the web, let's say, and then installed an app and AE popped up, it wouldn't save your answer, correct? For me Outpost answers wouldn't be saved if something popped up later in my session.

    Thanks,

    Chris
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
Right, you have to anchor your security software if you want to keep the answers, because re-freezing a long period after reboot isn't safe. Keeping the good changes in a frozen snapshot is a problem.
     
  9. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
That's what I was wondering. Thanks for your answer and I'll try it again now :)

    Thanks,

    Chris
     