How secure are the snapshots?

With all the trojans on the loose, I was wondering if anybody knew if the snapshots in the $ISR folder were readable. Thanks for any and all responses to such a stupid question .
SourMilk out

 

A snapshot has the same vulnerability as a system partition without FDISR and without any security software you will be infected for sure. Even a frozen snapshot doesn't protect you, it only removes all changes during reboot.

I don't know, if ONE malware is able to infect ALL snapshots or at least more than one snapshot. As long malwares infect only the current snapshot and remain there, I don't see a problem. Infected snapshots can be removed, refreshed and recreated with clean archived snapshots.
It's difficult to prove this, when FDISR-users secure their snapshots with several security softwares. Most malwares will be removed this way without infecting anything.

I have an off-line snapshot on my system partition. If that snapshot ever gets infected, I have the proof that malwares can infect more than one snapshot, because my off-line snapshot can only be infected via my on-line snapshot and I consider this as impossible until the opposite is proven.
I have only one weak moment in creating my CLEAN archived snapshots and images, I have to be on-line very shortly to activate winXPproSP2 and I hate M$ for that. The MVP's of M$ still don't know that internet is full of threats.

 

Hi,folks: This is a concern. Snapshots including normal, frozon or even achieve are designed to work independently, like a cell. If one fails, the others come to rescue. In theory, it is ideal. Has the perimeter permeability been look at? If there are tiny holes existing w/ these border. How secure are malwares to be contained within frozon snapshot? What if with a very slight chance these evils sneak thru, the entire system will be in big limbo. Just few thoughts

 

Theoretical everything is possible, but I like to see some proof instead of words and horror stories.
When this ever happens we can report it to Raxco.
Raxco will probably tell us that FDISR isn't designed for that and that FDISR is not a security software.
So it's up to us to protect our snapshots as good as possible.

 

thats not a stupid question at all.

i dont think users know how "secure" one snapshot is from other snapshots, would be best to wait/ask developers.

i would like to know as well.

 

I certainly don't depend on FDISR and Raxco already admitted that FDISR isn't foolproof, which is logical, because there always will be a brilliant malware-writer somewhere in the world that is able to compromise snapshots.
I depend on my 100% clean archived snapshots and clean images, because they have been created off-line and are only used for restoration.
Once my clean computer is back on-line, I consider it as possible infected.

 

Hi folks: Hi Erik, I assume you have archieve snapshot stored at a different partition, not at the same partition where primary, frozen snapshots are. In this case, should malwares compromise frozen snapshot and subsequently permeate into other ones, all the damages will be containted within that partition. This is logical. And FD-ISR is still somewaht foolproofed.

 

who here depends on fdisr anyway. again, the question is, "how secure" is the lock on the inactive snapshots

 

Nobody is able to tell that for certain and I already explained this in my previous post.

 

there is a good answer.thnx

 

Wow! Thanks people for all the great answers. I just got back from grocery shopping and checked the forum. I never thought I would so many responses.

Maybe Leapfrog could introduce encryption to the snapshots or their storage. One could probably encrypt an ARX folder on another partition/drive as a safety device.

Thanks to all again.

SourMilk out

 

Well I'm still trying all kinds of things with FDISR after 6 months, this is quite an interesting software, while ATI is such a bore.

 

Well I took care of that 6 months ago. I have :
1. Special clean backup files for restoration only.
2. Special clean archived snapshots for restoration only.
3. Daily system partition backup files for backup and restoration = harddisk 1
4. Daily data partition backup files for backup and restoration = harddisk 2
5. Daily archived snapshots for each snapshot.
All stored on an off-line external harddisk and not on CD/DVD's. = harddisk 3

I might be a newbie in internet/malware stuff, but I'm not stupid.
I don't even care anymore when something happens to my system/data partition.

 

Tested indeed and it works. I've spent enough time on restoring any possible disaster scenario. I'm prepared, more than most users ever will.
Now I have to continue with finding the right softwares to protect my computer in order to reduce the possible disaster scenarios to the absolute minimum.

 

Just something to think about...

As discussed in another thread, there is a shareware file manager called xyplorer that can access inactive snapshots without making any changes to permissions. Please be aware that doing any of the actions I am about to describe may damage your snapshots.

I was able to do the following:

1) Access an inactive frozen snapshot and copy data out of it into the active snapshot. This data that I copied was data that would have been lost if I booted into the frozen snapshot since had been created recently and was not in an anchored location.

2) Copy files into an inactive snapshot and have them be present when I booted into that snapshot

3) Copy the software registry hive out of an inactive snapshot into an active snapshot. Once the hive was in the active snapshot, I was able to load it, modify it, then copy it back into the inactive snapshot. To test, I disabled a few autoruns and added a few. When booting back into that inactive snapshot, my changes took effect.

4) It seems like it would be easy to copy any of the hives from the active snapshot into an inactive snapshot, though I have not tried it.

I did run into a few instances of Windows wanting to do a chkdsk when rebooting, and actually had ISR get confused about which snapshot was frozen. Usually I have a snapshot called "Alpha" frozen. While testing, I was making changes to my snapshot called "Beta." I booted back into Alpha after testing #3 above and noticed that it didn't revert to my frozen state. I checked, and somehow Beta was listed as frozen and Alpha was not.

So how likely is it that a given malware will be aware of isr and cause damage to other snapshots? I would guess that it is not very likely.
How hard would it be for a given malware to cause damage or spread to inactive snapshots? Looks like it wouldn't be too much trouble. Just use the same methods that xyplorer uses to access the snapshots.

 

I agree with Peter. You are raping FDISR by using xyplorer to change the contents of snapshots and this could cause problems sooner or later.
That it can be done, doesn't mean you can do it without risks.
You are not supposed to be there, otherwise FDISR would have offered functions to do this.

 

I'm innocent. I never recommended tools like xyplorer and fsutil, I didn't even know these tools.
My advice : stick to the functions of FDISR to do the job.

 

Just want to add it has a free version as well.

 

I performed the tests I mentioned as tests. I do not utilize xyplorer or any other method to access inactive snapshots. It was merely a test to see what could be done and to address the question of how secure the snapshots are.

I do disagree, however, with the idea that you shouldn't do something just because the software doesn't provide the functionality on its own. If we followed that logic, then we wouldn't be using ISR in the first place, as obviously Windows itself wasn't designed to have multiple snapshots. On the other hand, using tools such as fsutil or another program to create hard links is merely using the built in functionality of the operating system. Is it for everyone? Of course not. Neither are many of the utilities discussed at Wilders. If understood and used correctly, however, these functions can extend the power of ISR.

C

 

Thank you for testing this cthorpe.
I always thought this type of access was possible and it is nice to have it confirmed.
It is unlikely that malware would include this specific type of cross snapshot file infection, but as you have shown, it is not difficult either.

 

Hi Pete,

Where did Raxco acknowledge that cross snapshot file infection/modification is possible?

The why is to prove whether FIDSR has some magical barrier that would prevent malware from spreading from one snapshot to another.
The why is also to prove whether FDISR could be used as a primary line of protection from malware instead of its normally associated place as a secondary or tertiary line of protection (system recovery when primary lines fail).
I knew in theory there was no substantive barrier between snapshots and that it is not meant as a primary line of defense, but it is important to prove it and now it has been.