The ErikAlbert Approach - A test

I suggest you use XP access permissions to restrict access to non-system drives when doing these sort of tests. Especially when you try it with file-infector malware that leave behind a considerably bigger mess than benign autorun.inf files.

 

I done a similiar test while connected to a hard drive x 2 partitions when unleashing a vicious file infector. It was a piece of cake for the virus to jump the fence and modify ALL exe's in the other partition too. Very agressive and destructive but limited since NOD32 was able to salvage at least a snapshot or 2, but for the most part FD-ISR was 0wned.

That's the reason i then went with PS Security afterwards to not only lock but "hide" the other partition against any potential of a repeat of this time-consuming cruelty.

As sour & awful as things appeared after having been compromised, a simple plug in of another safe-keeping alternate drive which stores it's updated snapshot archives completely restored everything back to it's original state again.

FD-ISR while not an image app certainly could fool me, it's archives served just the same as Images and shortly thereafter everything was easily back to full working order again.

Amazing work this ingenious FD-ISR program. Something malicious can break it it to bits rendering ALL your snapshots junk, but by keeping your "clean" archives safely away someplace else, is nothing short of life preserver when problems try to destroy your system with it.

 

Its definitely a big hole in fd-isr. It would be nice to have some kind of protection for snapshots and archives. I know rollback has protection against malicious disk activities, it would be nice to see some in fd-isr.

 

Peter,
Thanks for the test. You forgot one thing. I will change my D in E for the test.

I lock my Data Partition [E:] with PC Security, when I go on-line or do some 'dangerous' testing in my on-line snapshot, because I know that my data partition is very vulnerable due to infections in my system partition (on-line snapshot).
That's why I isolate any infection in my system partition and what can a malware do there ? It can damage and even corrupt my system partition, but I have that back in 9 minuts, that is at least 2 x faster than a full scan with any advanced+ scanner.
Most malware don't destroy my system partition, they do changes and those are removed during boot-to-restore. Thanks for proving this and you also proved that my theoretical assumption was correct : infections can hurt my data partition, while other users were telling me that this doesn't happen.

So the virus would have infected my harddisk [C:], but not my locked harddisk[E:], which makes any reading, writing or stealing impossible.

 

Hello,


In terms of protecting the snapshots, using Deepfreeze is the answer, since it protects the entire C drive. (I've tried destroying the snapshots while Deepfreeze was on, and couldn't).
As far as protecting the other drives on the computer, an access-protection program should do the job. In my case, my AV (Mcafee VSE 8.5i) has the User-defined drive/folder protection feature and it allowed me to block all access to non-system drives - except for specified programs. So far as I know, no known breaches. Would love to get my hands on that bug Pete. PM me if you would.

 

To me DeepFreeze is not the answer, because DF is just a simple boot-to-restore solution, while FDISR does ALOT MORE than just a boot-to-restore.
The fact that FDISR protects only one partition is solved with PC Security.
It's not my fault that the development of FDISR has been frozen since I bought it and that FDISR is now terminated, because HDS considers FDISR as a threat for RollbackRx and that's why FDISR must be terminated.

In post #11 of this thread, I explained how much more FDISR can do, try that with DeepFreeze.
https://www.wilderssecurity.com/showthread.php?p=1126999#post1126999

 

Well AFAIK hole or no hole, FD-ISR stands up mighty in what it was designed for in the first place, Immediate System Recovery. Heck, it can even do that even after it's been virus attacked. That's the absolute beauty of Modularity and FD-ISR impliments recovery in part due to it's modular abilities as well as normal restoration from a simple Copy/Updata to snapshot from archive. I've yet to see any software completely fool-proof although you can garrison up a few enough apps to make your system, including FD-ISR 100% fail-safe! I already tested and experienced that. Everything else with other features i consider an additional major bonus in what FD-ISR does, and so easy & quick.

The fact that FD-ISR permissions are tied to Windows is your hole, and for me anyway, that hole was a saving grace in disguise. With XYPloyer it's simple to navigate "access denied" $ISR folders/files and salvage programs, data etc. You can even move them about to your heart's content.

What happen for me was deliberate of my own doing on purpose, any file infector virus or even KillDisk wouldn't make it past my front line HIPS, or Sandbox, or Power Shadow for that matter.

 

This also proves that you can't trust F-prot as scanner or any other scanner either, because it didn't remove the autorun.inf file and that's why I lock my data partition, when I go on-line or do dangerous tests and why I don't use scanners anymore.
Boot-to-restore and locking are doing a much better job than security softwares and that's why security software have a second place on my computer.
It's not the first time that scanners fail to remove everything, because the days of the simple malware are over.

PS.: system.exe ? This one has no chance to do anything with AE on board.

 

There are many malware that infect multiple partitions along with addition of autorun files to them.

Even more dangerous are file infectors which will overwrite any exe files on all partitions and a make lot of copies of themselves that will surive FDISR.

 

Peter

do you have the capability of testing this with 2 drives ? I keep OS and Programs on C: and data on D: but with D: being a different physical drive.
from what you have said using a different physical drive might be no better than partitions ?

Deepfreeze could, of course, be used with FD-ISR to provide complete protection. As with any other such solution the question though is how to save data ? it is all well and good having Deepfreeze lock C: D: E: and F: or using another program to lock the data drive - provided you never want to save anything. As soon as you open to save problems come back.

Can bad things left on D: do any harm ? can they do anything at all from D: ?
If the bad thing is an exe then would it not be restricted to launching itself to operate from C: only to die open reboot ( that is if freezeing C

Upon reflection my only other comment is that it seems best to continue as I have in the past and to not have anything to do with Viruses or Spyware.
If you lie down with dogs you get fleas has always been my family moto.

 

Interesting test Peter, I can almost feel my paranoia levels elevate is the virus actually capable of doing anything on your data partition after the system partition has been cleansed. What I mean by that is, when it initially invades, it sets itself up in the system and as you have shown also places parts of itself into other partitions, but if the system partition is protected either by fdisr, or returnil, reboot will clear the system partition, Is whats left elsewhere, whilst undesireable, actually capable of doing anything?

 

I've read recently a disaster post at Wilders, where a user lost 3 non-system partitions, cleaned by a virus. I knew this already without Peter's test, because it is obvious and logical that this can happen. If a malware can damage a system partition, why not a data partition or any other partition.
That's why installed PC Security to lock my data partition, the one Peter forgot in his test, otherwise his partition [E:] would still be malware-free.
The main thing is that an archive can remove malware and that is enough for me.
I'm only asking myself : does an archive really removes everything ? That's why I have my Zero Tool ready.

 

Yes I can understand that, strictly speaking, but that is not my question. My belief, right or wrong is that most malware must install on your machine to do it's work, now when the system partition is cleansed the malware wherever else it may reside on whatever partitions or drives is no longer installed, so is it still harmfull? Cleaning the system partition to my mind is like cutting off the head

 

Since I´m not an user of FD-ISR, I won´t comment anything regarding the methodology or its result. However, as for AE which I`m using myself, I personally regard it as a defence against unsolicited execution of files. As soon as you have accepted the file, executed or not, AE will loose its importance for defending your system against that file which Peter2150 remarked. So using a process monitor/guard behind AE could be useful.

/C.

 

I can't answer that question. If I knew what a virus can do or not can do by itself and what it needs to do something bad, then it would be alot easier for me.

 

Absolutely a good test and good to know, particularly for me as when I setup my new machine one of the options I am considering is to have a second OS on another drive, so there is perhaps a great deal of risk there for me, certainly to be considered.

 

ROFL, you and me both Erik. You are not alone

 

I have argued many times that it is far more difficult to get contaminated than many think, that most of the so called security programs are so called for a reason. To this must be added that the most likely source of a contamination is from a friendly source. Freezing C: can only provide a certain degree of protection C: has to be opened to update and change. Locking D: E: or W: likewise only protects data only so long as no new data is added. Once the door is open anything can happen.

As to AE I find it comic that such a program can so easily be defeated by the user but isn't that the case with all security programs ?

 

The user is always the weakest link and makes any security program useless, if he doesn't use them right or doesn't follow the basic rules.
That Peter had to disable or uninstall AE to make this test possible is enough for me to keep AE.