ISR-softwares beat On Demand Scanners

Discussion in 'other software & services' started by ErikAlbert, Sep 29, 2007.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    @ErikAlbert

    I must thank you for all the research you have done with ISR software
    which certainly makes for interesting (and educational) reading.
    Returnil, from what I have read here and elsewhere, seems good but
    for my purposes and setup I don't think it would be of much benefit.

    Trying out new applications would be the primary reason for using
    software like Returnil (or similar), but if a reboot is required after
    installation, the whole exercise would be fruitless. That's where my
    ATI comes in. OK, I must admit that I only image about once every 10
    days on average, but it's not a train smash.

    Just for curiosity's sake, how does Returnil react when protection is on
    and in the ON session I decide to run as a limited user?
    Also, would Windows System Restore, if a restore point is selected for
    restore, be eliminated on reboot?

    Would you prefer/recommend SandboxIE as a better option for me
    (despite my using Opera)?

    PS. I think you should try Opera, it really is more secure. :D
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    When protection is on it is on, no matter whether it is on permanently or just for the session. So any changes like a restore point are gone at reboot.

    I think that Returnil works very well with both FD-ISR and Acronis True Image.
    With FD-ISR, Returnil can be used on a snapshot to replace the FD-ISR freeze option, and using Returnil or FD-ISR an image program such as Acronis is still needed should the system fail. I can see no place nor need for Windows System Restore - just too unstable to be trusted for me.

    Regarding on demand - using FD-ISR and/or Deepfreeze/Returnil in combination with Acronis means that for me there is no need for scanners, either real time or on demand. Machines run much faster without having to run all that security.
     
  3. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    What does Returnil do that FD-ISR doesn't? I thought you only needed one, either FD-ISR or Returnil, as well as an imaging program like ATI.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    For one thing it's a layer of protection. Depends on what I am doing. If I am just doing dodgy surfing, sure I've got FDISR and SP images to fall back on, but I can do it with Returnil and just reboot.

    You could indeed do without it, but for me it's convenience.

    Pete
     
  5. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Returnil is security software, FD-ISR is system recovery software; they are completely different programs, designed to be used for different purposes. The fact that people have started labeling FD-ISR as some sort of security solution is beginning to confuse others. In the event of a malware infection, I believe Returnil protects itself, FD-ISR does not; Returnil protects the MBR, FD-ISR does not. Returnil is designed to combat malware, FD-ISR is designed to clean up afterwards.
     
  6. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    Erik...
    That system is probably NOT clean.
    It really IS that simple...get it through your head...even Microsoft...hell...ESPECIALLY Microsoft will slip something into your back door. Don't waste your time arguing the how and the why, just kinda humble yourself down a little and recognize that when you install software, you're probably going to be vulnerable as a result. That's what scanners do...they save your ass from that vulnerability. Again...ISRs are apples...scanners are midget prostitutes...
    You may THINK your setup is solid and whatnot...but by opening this thread in this manner and defending it in this manner...you're leading others into a fallacious line of reasoning because, as far as ISRs and on demand scanners go...ISRs don't beat scanners...I can't tell you how many times I've downloaded and installed "freeware" from their own sites or some mirrors, and ended up with something else that was also "free". So there you have it. That's the hole in your reasoning.
     
    Last edited: Oct 3, 2007
  7. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    Agree with this post!
     
  8. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I have Windows plus a sandbox program installed on one of my PCs that I use to connect to the internet to do only online banking and shopping. The only things I install on it from time to time are MS security updates. Granted, that PC is old and slow, but I think there is no need for on-demand scanners on it.
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Perhaps it's because I rarely download "freeware", but I have never been able to find any of the nasties. Does this mean I am clean, or that I am contaminated but don't know it? If we assume that my machines are full of spyware, viruses, trojans etc., why do none of the programs that I am able to use show anything?
    I could give you a very long list of programs tried, which would include BitDefender, Avast, AntiVir, SUPERAntiSpyware, a2, AVG, RootkitRevealer, fsbl and on and on. If there is a program that will find anything, I have yet to find that program. I have run HIPS for months at a time and no alarm bells went off. I have been behind a firewall router for the last 4 years and my mail is checked for problems before delivery. For the last 8 months I have worked completely free of any real-time security.

    So it looks like I have to assume that I am clean or assume that I am contaminated, as I have been unable to find a way to determine the "truth".

    Erik and I disagree on a number of issues, but I believe that we would both agree that in the highly unlikely event of a nasty getting on one of my machines it would be gone at reboot, and that's good enough for me.
     
  10. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    It is not the ISR's ability to reset things that is being debated. Rather, it is the fact that a system can be contaminated easily that makes ISRs useless. Why? Because ISRs are not security apps...they CANNOT prevent you from installing a dirty system; what ISRs do is protect a supposedly clean system from being contaminated. Therein lies the problem...you installed Windows and you think you're clean...then you installed MS Word and you're still clean...but then you install Karen's Replicator that you downloaded from her site or some mirror site, and all of a sudden...you have no idea how clean you really are. That's precisely Mrknovic's point: with every patch, update, program you put in...your chances of being clean diminish... Never mind the fact that the more apps you put in, the more holes you have, because those apps themselves are not secure. You might be happy after installing a fresh copy of Windows and MS Word, but then you open some document you got sitting around and some macro gets executed because MS Word is itself full of holes...Now what? And...when that happens...is your ISR gonna save your bacon or trap you in a frozen/infected system every time you boot up? Restore another "clean" snapshot and start all over installing and configuring, or right-click and run a scan?
    This is just for the home computers...what about enterprises? Can ISRs really "beat" scanners there? Tell the admin to restore the whole enterprise to a previous "clean" snapshot? Lose all the data sitting around since the last snapshot?

    There is no comparison...scanners do one job...ISRs do another...apples...midget prostitutes...
     
    Last edited: Oct 3, 2007
  11. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Agreed - but then I personally have never suggested this. My point has more to do with "why do people assume that either a machine is contaminated or it's only a matter of time before it becomes so?"

    You seem to be suggesting that it is very easy to get contaminated?
    My experience has been the opposite. Unless you do something really dumb or go looking for trouble, the chances of getting contaminated are low, certainly lower than would justify the level of paranoia so often exhibited.

    If I have never seen a virus nor suffered from malware over a number of years, and if I have been unable to find any scanner which can find any malware, why should I not see my images as clean? How many years would I have to be clean, or how many programs would have to find nothing, for my images to be accepted as clean?

    If there is a scanner that I should be using, I will give it a go.
     
  12. Ragzarok

    Ragzarok Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    85
    Hello,
    I have to agree here. It is rare that something we, the cautious users, do would cause us to be contaminated, but that's not to say that it doesn't happen. For example, I have replaced some of my PC games' executable files with their No-CD/DVD cracks found on popular and "seemingly reputable" sites like GameCopyWorld.com. The games worked as expected for years, not a problem. But a recent Wireshark analysis showed that the executable of Unreal Tournament was connecting to both the game server and another obscure IP address. For all intents and purposes, my identity, credit score, etc. have not changed since 2004 when the game came out, but it just really makes me wonder. Which is the reason I am here looking for a port monitoring tool.
    Also, regarding how easy it is to be infected through exploits in software and OS flaws, I believe that's a legitimate point; that's why I try to only execute what I need to execute to upgrade the system, then refreeze it immediately.
     
  13. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    One more thing about why FDISR is NOT a security app: snapshots on the system can easily communicate with each other. With xplorer, among others, you can view content from the other snapshots. I have not tried it yet, but I guess it's possible to modify data in the other snapshots right from the current one. I am not at home, so I can't test it.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    eniqmah,
    Do you really think that scanners do a better job than ISR-softwares? That is close to brainwashing.

    1. A malware needs to be DISCOVERED first; if that doesn't happen, or happens too late, this malware can infect any computer world-wide, and there are enough examples of this. That's why some malwares are notorious and news on TV.
    Any ISR-software will remove it as a change.

    2. If a malware is DISCOVERED, the anti-malware industry needs time to create an antidote and update their scanners on our computers.
    Meanwhile this malware has time enough to do its evil job world-wide, because there is a time gap.
    ISR-softwares don't need to wait until they get the antidote; they remove it again as a change.

    3. All scanners have a different signature database. What one doesn't detect can be detected by another scanner. If you use only ONE scanner and it tells you "Congratulations, no threats found.", do you really believe that message, when you know that each scanner has a different signature database?
    If you believe that, it means that you WANT to believe it in your MIND, but what is in your mind is not the same as what is installed on your harddisk.
    Scanners create the illusion in your mind that your computer is malware-free.

    That's why some users have a second "on demand" scanner, because they do NOT trust their main scanner, but even a second scanner can't be trusted, because it doesn't necessarily have the right signatures to detect a malware.

    ISR-softwares don't have that problem, because they remove malware as a change.

    4. The days of the simple malwares are over; that means they are harder to detect, and some scanners don't even remove them completely due to bad coding. ISR-softwares remove any change.

    5. Scanners require a lot of time, and you have to wait for the results to remove the detected malware, if it isn't a false positive of course.
    How many average users see the difference between real malware and false positives?
    They usually don't, and remove them just like anything else reported by the scanner, and damage their own system. Good security. Pffft.

    6. My ISR-software removes any change in less than two minutes. How much time do you spend on running your scanners?
    I use that time to restore a clean image or archive and everything is gone.
    Most users don't even have such a clean image or archive, because you can only create them during a fresh installation from scratch, and who wants to re-install his computer?
    So the only way for them is to run scanners, but that means incomplete removal.

    Look at member "Long View": he is trying to find a scanner that is able to detect SOMETHING on his harddisk, just like me, but without any success. I ran KAV, NOD32 and SAS already on my system/data partition and they didn't find anything. For many users this is already enough to think their computer is malware-free, but not for me.

    Of course ISR-softwares are new, too new for most people, who have been using scanners for many years, and no user is going to ditch his scanners immediately and use an ISR-software as a replacement. ISR-softwares also require another way of working, and that is also a problem for many users. Nobody wants to change his habits in a nick of time either.

    I had a good laugh with the definitions of "What is clean or not?", but that counts for ALL softwares, and what counts for all softwares isn't worth talking about. Even the good people spy on us and gather all kinds of information, simply because they are able to do this.

    When I install Windows on an off-line computer and I take an image of this installation, I consider this a clean image/archive. When I go on-line with this installation, then my harddisk isn't guaranteed clean anymore. I compare my harddisk daily with a clean archive and any difference is removed.
    In worst case scenarios, I replace my whole harddisk with a clean image.
    What can the bad guys or any malware do about this? NOTHING, and that's what I want. Try to do this with your scanners.

    ISR-softwares are the future and they will become better and better. Some ISR-softwares are already better than others, but nothing can beat Image Backup/Restore softwares. :)
     
    Last edited: Oct 3, 2007
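The post above describes a "compare the disk with a clean archive, remove every difference" routine. As an added illustration that is not code from the thread or from FD-ISR, Returnil or any other product named here, the script below models the clean archive as a manifest of SHA-256 hashes taken while the install is still offline, then reports what has been added, removed or modified since. The directory tree, file names and "post-infection" changes are constructed inside the script so it runs offline; the `build_manifest`, `compare_manifests` and `demo` names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical baseline-comparison tool (example code, not any product's code).
# A "clean archive" is modelled as a manifest: relative path -> SHA-256 of contents.


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk root and record a content hash for every regular file.

    Symlinks are skipped: following them would let a link point outside the
    tree being baselined and make the manifest describe something else.
    Paths are stored POSIX-style so manifests compare the same on any OS.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, modified or unchanged vs. baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    common = base_keys & cur_keys
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "unchanged": sorted(k for k in common if baseline[k] == current[k]),
    }


def demo() -> dict:
    """Constructed scenario: a 'clean' tree is baselined, then altered the way an
    unwanted installation would alter it (one new file, one changed, one deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original program bytes")
        (root / "config.ini").write_text("setting=1\n")
        (root / "readme.txt").write_text("clean install\n")
        baseline = build_manifest(root)  # taken while the install is still "clean"

        # Changes made after going online (constructed for the example).
        (root / "bin" / "app.exe").write_bytes(b"original program bytes + extra code")
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new binary")
        (root / "readme.txt").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow directly from the script. It only reports drift from the baseline; it cannot say whether the baseline itself was clean, which is exactly the objection raised in the replies above. And because it hashes files, it sees nothing that lives outside the file system (boot sector, firmware), so a manifest comparison covers less than a full disk image restore does.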
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    ErikAlbert,

    I more or less went over the same ground when you started down this road some time ago. It is possible to maintain a clean system, but to do so requires an extremely high level of personal discipline and requires a conscious decision to severely restrict yourself with respect to using downloaded material (i.e. you basically can't use any).

    Yes, any change not anticipated can be rolled back, but what of the changes that you have made by installing program X? One can be extremely parsimonious in installing content, but for the bulk of the population that's a pragmatically unworkable solution. At some point in time, they will need the expert analysis provided by an on-demand scan. It is as simple as that.

    Nothing can beat it, when it's the applicable solution that is. However, it is not the complete solution to all problems. I do agree that it is a partial solution to many problems.

    Blue
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I totally agree with you Blue. I've been down the same road, and have abandoned scanning software, in favor of sandboxing, virtualization, and hips.

    BUT.... and it is a big but, I wouldn't recommend this approach to any of my friends, as it does require being conscious of what you are doing and maintaining a degree of discipline. Would the average user do it? I doubt it.

    Pete
     
  17. Ragzarok

    Ragzarok Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    85
    Hello,
    I have been following this thread with interest. I agree with Mr. Albert about the efficiency of ISRs as a "removal" solution. It seems to me the following points can probably be agreed on by most:
    1. ISRs are better at removing "things" than scanners.
    2. Scanners can tell the user if a file is malicious; ISRs cannot.
    3. In a stable, unchanging system, ISRs will maintain the integrity of the system much better than scanners can. But this presupposes that the system does not need to be changed at all.
    4. In a system that does need to be changed [e.g., via OS or program patches/updates, virus definition updates (for those like myself who still use an on-access scanner), or simple settings changes like adding extensions/bookmarks to Firefox], an ISR cannot protect you while it is in unfrozen mode, but scanners can.
    5. That said, a comparison between ISRs and scanners is at best difficult to do, since these programs are designed to perform different things in entirely different manners and environments.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Does FD-ISR's Frozen Snapshot remove the object's IDs created by Kaspersky during an on-demand scan?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think it would depend on whether the object IDs were there when the frozen snapshot was made. If you are asking whether FDISR will remove them as part of a copy in the creation of a new snapshot, then the answer is no. I tried that.

    Pete
     
  20. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    !!You wont get me!! *runs to the gate of the graveyard and tumbles over, and runs like hell*
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I agree with you there, but would add that it'd also be easy for a skilled user just like yourself to slip up sometime if your "eye isn't quite on the ball". With so many things you do, it takes only a momentary lapse to do something that makes a hash of things. Admittedly, you have a number of other get-outs to correct the "mistake", but you get what I mean. :)
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    This debate has been going on for a while now, and after having had an AV since the purchase of my first computer, I have uninstalled it and am running with a very light system indeed (basically relying on virtualization, Opera and registry protection). This is not my final say; who knows, if something untoward happens, it's back to AV.

    The choice of a security strategy is very personal, and as has been said, it depends on the type of user, their habits, and how much concerned he/she is at the thought of being violated by malware.

    In my opinion there's more to it than just security: it's a matter of principle.
    Why should I pay for 'protection' that is not guaranteed, and furthermore I might be the next victim to supply the basic material for AV companies to analyse and produce the eagerly awaited signature?

    This is a system that is feeding itself in a way that doesn't allow any optimism for the future: we are not preventing, we are playing the malware game. There are hundreds, thousands of new malware and variants produced every day, week... Who are these people writing this staggering amount of code that requires experts to produce it and experts to decode it?

    Why aren't the malware writers investigated like other types of criminal activity? After all, they are costing the world hundreds of millions of dollars in creating new jobs within the various security companies (not to mention the internet scams). I'm not really rehashing the old conspiracy theory, but there's certainly a vested interest in maintaining the status quo in the malware world.

    In many ways a change of attitude may not serve any real practical purpose, as most people (even at Wilders) are still fighting over which antispyware or antivirus. So basically it is more a matter of being aware of these issues.
     
  23. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Several people have said - running lite is fine, but not for everyone, or not for my friends. I'm not so sure that it would be all that dangerous if people in general followed this line.

    Question - how does a machine get contaminated?

    (1) e-mail. All of my mail is checked for spam, viruses etc. as part of the contract. Those who get mail via providers which don't check might consider changing to better mail providers.
    (2) downloads - use Firefox with the Dr.Web add-on. No need to have a real time AV scanner checking the same files over and over.
    (3) Drive-by - use FF
    (4) Scripts - FF and NoScript
    (5)
    (6)......

    Add in a decent hardware firewall and a program like Deepfreeze, and provided you don't go looking for trouble, I would think that it would be difficult for almost anyone to get contaminated.

    Anyway, a few months back I "converted" the machines used by my wife and #2 son. My accountant also agreed to co-operate, as did several clients.
    To date nothing to report.

    The public at large believe that if you connect to the Internet for a millisecond you will be contaminated. I'm not saying that there are no risks, but I am saying that those risks have been greatly exaggerated.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Tony

    You are absolutely right, which is exactly one of the reasons I run both OA and ProSecurity. If I get a popup and react too quickly, I get another chance to take a closer look. Both these programs run very lite for me. Also I clean the sandbox after every browser session.

    Pete
     