Introducing AX64 Time Machine - hybrid imaging/snapshot software

Discussion in 'backup, imaging & disk mgmt' started by Isso, Jan 18, 2013.

  1. waylo

    waylo Registered Member

    Joined:
    May 18, 2014
    Posts:
    42
    I'd like to report that Xeroweight support has helped with the uninstall issue. The solution in this case was to ensure flashback.exe was not running as a process, rename the flashback.exe to something else, then run the standard uninstall.

    Hope this helps anyone else.

    (I do have Revo but for some reason it didn't detect Flashback as an installed program, probably because the standard uninstall program was already run--but didn't finish. I have only the freeware version).
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is something they should fix. Ensure the process isn't running, and rename shouldn't be necessary.

    I am testing the latest beta and it is all working. Just not sure its speed is that good for me.
     
  3. dagrev

    dagrev Registered Member

    Joined:
    Jan 9, 2012
    Posts:
    214
    Location:
    USA
    I tested 698 (correction) and the speed was great but I have boot problems after a restore. It even slowed down booting in general for some reason, even not completing the boot process at times. Had to restore with MR6 and will wait for more fixes.
     
    Last edited: Dec 6, 2015
  4. timmy

    timmy Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    140
    Difficulty encountered here with the latest version, ending in 698, was that after a restore there was a screen "inaccessible boot device." Restarted the machine and tried again, same problem. Had to use the Reflect, as the fellow above did, to restore to a previous image.
    Am guessing is just a local thing on this machine, but not sure now whether to remove the program or not. Advice in these pages about renaming the .exe file to something else appreciated, and should help with uninstall, which likely will have to do. Very sad, and will miss it, hope for better days.
     
    Last edited: Dec 6, 2015
  5. waylo

    waylo Registered Member

    Joined:
    May 18, 2014
    Posts:
    42
    What part of the process is slower for you? I could swear the merging and first baseline took a bit longer than I recall, but maybe it was because I was working with very large snapshots rather than the usual merge of smaller snapshots.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The problem relates to the design using the tracking file. This is not unique to FB. If you use it like I used to use ShadowProtect's Continuous Incrementals and just let it run and do its thing it's fine. But I don't use my system that way. Example. Take Macrium Incremental 2 minutes, same for FB. Then do an image restore in FB. After that FB time went to that of full image, 19 minutes, and Macrium Incremental was 2.5 minutes. C: drive is 152 GB. So on average my image/restore times become a lot higher than Macrium.
     
  7. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,945
    Location:
    The Pond - USA
    What Pete describes is normal due to the design of FlashBack. Since it uses a "tracking file" to monitor the changes on the surface of the disk, when this tracking file gets "out of sync" with the main system, it must be re-established. It will get out of sync when a restoration is done so on the first INCREMENTAL following that restoration, it must scan the whole active FileSystem to re-establish the status of its tracking file. Although it only produces a normal sized INCREMENTAL during that operation, it must do the full scan to re-establish the tracking file.

    It does this same function whenever it believes the main FileSystem has been altered. So... whenever an external OS (WinPE, Linux, FrogOS :rolleyes: ) accesses that FileSystem, even if it doesn't make any real changes to the files in that FileSystem, it leaves a fingerprint that someone has been there. FlashBack sees that fingerprint change and decides it must re-establish its tracking file just to be safe... Voila! another slow INCREMENTAL on the next snapshot.

    Due to its design, this phenomenon is not experienced by Macrium Reflect.
     
    Last edited: Dec 8, 2015
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Froggie. Thanks for adding clarity to my ramble.

    Pete
     
  9. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,945
    Location:
    The Pond - USA
    Clarity!?!? Yuu must bee reeding sumwhun els... :geek:
     
    Last edited: Dec 8, 2015
  10. dagrev

    dagrev Registered Member

    Joined:
    Jan 9, 2012
    Posts:
    214
    Location:
    USA
    Been having a second go at 698. After install my black with blue windows (Win 10 early boot screen) is lingering for about 2-5 minutes not 2-3 seconds, even upon simple reboot with no restore involved. Second observation this time is that everything seems to be slower than before with AX64. Logs and info sent to Iurie.
     
    Last edited: Dec 8, 2015
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Dagrev

    Why still play with 693, when they have 698?

    Pete
     
  12. dagrev

    dagrev Registered Member

    Joined:
    Jan 9, 2012
    Posts:
    214
    Location:
    USA
    Sorry, I keep putting the wrong version (it's on an old email exchange from Iurie.) I'm using 698.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Now that I can relate to. :)
     
  14. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,388
    I am curious about FrogOS - I bet this would be a ripper :thumb:
     
  15. StevenG

    StevenG Registered Member

    Joined:
    May 28, 2014
    Posts:
    47
    Hi Guys-

    I have 3 machines I want to install AX64TM on:
    • One with Windows 10;
    • One with Windows 8.1;
    • And one with Windows 7.
    All are single drive machines. They may have more than one partition (C for system/others for data).

    Is there a stable version?

    I am looking for a set and forget solution that can be called upon in an emergency if the user screws something up.

    Thanks for any input you can give...

    Regards,
    SteveG

    PS - I have not been reading this thread for a while, and it looks like a lot has happened. That being said, based on the last 10 pages, it seems there are still issues.
     
  16. Chamlin

    Chamlin Registered Member

    Joined:
    Aug 8, 2006
    Posts:
    449
    Yes, still issues. I wouldn't say it's stable across all systems/platforms. A lot of us have usable versions, but some are stable using an iteration of v1, others using a build of v2. It's an experiential crapshoot at this point. There may be a stable version coming soon, but we're still playing with betas, with varying degrees of success.

    My stable version is 2.0.0.665 and it's been that way for a while. Tomorrow? Which is why, though not as simple, I also use Macrium Reflect.
     
  17. Chamlin

    Chamlin Registered Member

    Joined:
    Aug 8, 2006
    Posts:
    449
  18. manolito

    manolito Registered Member

    Joined:
    Apr 23, 2013
    Posts:
    407
    Malware which infects the MBR is not new at all. Any decent image based backup software will also back up the MBR, so if you do a full restore of a known clean backup this will also restore a clean MBR.

    Exceptions are backup programs which only restore the sectors which have changed since the last backup (at this point mainly Macrium 6 and AX64/Flashback). But with both programs you can specify to do a full restore also. If you are really paranoid you can also completely wipe your HDD (overwrite every single byte with a value of 0 or some other value) before making a restore.


    Cheers
    manolito


    P.S.
    All modern HDDs contain some hidden space which is only accessible by software owned by the manufacturer of this HDD. In theory a virus could infect these areas, but since access to these areas is different for different manufacturers, such a virus would have to be highly specialized.
     
  19. StevenG

    StevenG Registered Member

    Joined:
    May 28, 2014
    Posts:
    47
    Thanks, that is what I surmised.

    Can you tell me what system 2.0.0.665 is stable on for you? (ie: Win 8/10/7,etc)
     
  20. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,945
    Location:
    The Pond - USA
    As Mab has stated, a MBR refresh will eliminate the active nature of the infection.

    MBR infections tend to infect in two different ways. The entire infection is located in the MBR, or the MBR provides linkage to, usually, an unallocated area of your storage device where the real bad code is located. If you neuter the MBR (refresh it to a normal state), both situations are dealt with. In the 2nd case the bad code is still resident out in that unallocated area but now there is no way to gain access to it.

    The next issue to be dealt with is that left over hidden code in the unallocated areas needs to be expunged. I would think that applications that can directly access your storage volumes (not through the Windows allocation structures) can easily do that by sanitizing those unallocated areas of the storage device. Those apps can easily see your partition tables in the MBR/EFI areas so they know where the unused space is. Of course, if they're allowed to do this on a Rollback protected system, it'll probably be trash when the process is complete... but that's what happens when you don't play by the rules. Rollback, for sure, is what your article calls a "BOOTkit" but is supposed to be friendly... apps chasing down BOOTkits and leftover unallocated DATA will not be so kind to these types of offerings.
     
    Last edited: Dec 9, 2015
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In Macrium the MBR is always restored, in FB you have to specifically check the mbr to restore it.
     
  22. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,945
    Location:
    The Pond - USA
    The problem with MBR restoration by imaging apps is you just don't know when that system became BOOTkitted. Many of these infections don't come alive for a while after they're installed... giving your imager plenty of time to image infected MBRs. It's going to be hard to figure out how far back to go in your imaging history to ensure the restoration of a clean MBR.

    The only way this can really be dealt with is to fingerprint the MBR and check that fingerprint every time the system is BOOTed... sounds like an easy thing to do but probably isn't. If it's done in some standard way, the infector will learn that easily and probably substitute the fingerprint. If you encrypt the fingerprint... that's much harder to do.

    I'm sure SECURE BOOT systems deal with this in a reasonable way...
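
The fingerprint check discussed in the post above, as an added example that is not part of the original thread: a keyed HMAC-SHA256 is computed per region of a classic 512-byte MBR, so a substituted fingerprint cannot be forged without the key and a mismatch names the region that changed. The key handling, the function names and the sample sector are assumptions made for the illustration.

```python
import hashlib
import hmac

SECTOR_SIZE = 512
# Classic MBR layout: region name -> (start, end) byte offsets.
REGIONS = {
    "boot_code": (0, 440),
    "disk_signature": (440, 446),   # 4-byte signature plus 2 reserved bytes
    "partition_table": (446, 510),
    "boot_signature": (510, 512),
}

def fingerprint_mbr(sector: bytes, key: bytes) -> dict:
    """Return a keyed HMAC-SHA256 fingerprint for each MBR region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    return {
        name: hmac.new(key, name.encode() + sector[a:b], hashlib.sha256).hexdigest()
        for name, (a, b) in REGIONS.items()
    }

def changed_regions(baseline: dict, sector: bytes, key: bytes) -> list:
    """List the regions whose fingerprint no longer matches the baseline."""
    current = fingerprint_mbr(sector, key)
    return [
        name for name in REGIONS
        if not hmac.compare_digest(baseline[name], current[name])
    ]

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte sector for the demonstration."""
    part_entry = bytes([0x80, 0, 2, 0, 0x07, 0xFE, 0xFF, 0xFF]) \
        + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little")
    table = part_entry + bytes(48)          # one used entry, three empty ones
    return boot_code.ljust(440, b"\x00") + bytes(6) + table + b"\x55\xaa"

if __name__ == "__main__":
    key = b"constructed-demo-key"              # assumption: kept off the monitored disk
    clean = make_sample_mbr(b"\xfa\x33\xc0")   # constructed sample bytes
    baseline = fingerprint_mbr(clean, key)
    tampered = bytearray(clean)
    tampered[5] ^= 0xFF                        # simulate a change inside the boot code
    print(changed_regions(baseline, clean, key))            # []
    print(changed_regions(baseline, bytes(tampered), key))  # ['boot_code']
```

On a real machine the 512 bytes would come from reading sector 0 of the raw disk device with administrative rights, and a baseline taken after the MBR was already altered only fingerprints the altered state.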
     
  23. StevenG

    StevenG Registered Member

    Joined:
    May 28, 2014
    Posts:
    47
    Hi Froggie-

    Long time no see! Hope all is well with you.

    Kind of confused with this post... I have several systems using Rollback, Comodo Time Machine, RestoreIT, and GoBack... All of them have been successful in removing MBR infections with no additional procedure.

    Are you saying they would somehow be leaving the bad code somewhere?

    I cannot see that unless the code infects their small portion of the drive, which seems highly unlikely (at least today).

    SteveG
     
  24. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,945
    Location:
    The Pond - USA
    Hi Steve! You are correct if the infection vector initiates from inside of a protected Windows system. Rollback, for instance, won't let any process change its MBR if the change attempt happens under that protected OS. The infector will go through the process without error but Rollback will keep its own BOOTkitted MBR clean.

    If any of these shenanigans occur outside of the protected system (WinPE/Linux-based software, etc.), all bets are off... the system is not protected during those processes. And as I said above, imagers can carry around compromised MBRs through many imaging operations before the System or its user finds out it's been infected. It would take a while to determine at which point the imaged MBRs were actually uncompromised.

    A fairly easy example of compromising the MBR can be done as follows...

    Install a pre-BOOT program option into the BCD, set that app as the DEFAULT and tell the BCD to skip the menu. This can all be done under any protected System and it won't look like an abnormal process... just done in the background.

    The next restart, the system will not load the OS, it will load the new DEFAULT app (with no menu offered) and run it. Since this process runs in its own environment (no protected Windows, no Native NT API level), it can merrily change the MBR (and anything else) to its heart's desire, then BOOT back into the normal Windows (protected or otherwise) system following the necessary modifications.

    I don't know the infection vector of the example offered but I do know there are plenty of ways to get your hands on items like the MBR. As I said earlier, SECURE BOOT may protect most systems against these types of low level intrusions.
     
  25. Chamlin

    Chamlin Registered Member

    Joined:
    Aug 8, 2006
    Posts:
    449
    My system is Win 7 Pro. So is my laptop, also running 2.0.0.665 successfully...so far. You'll notice the tenuous disclaimers. That should speak volumes. I think I've also seen other Win 7 users have issues with the build. The only way I go about this is to install, and test it with different scenarios.

    And if you're installing for people who don't know what they're doing, then I'd highly recommend reading through the...oh say...last 20 pages of this thread. That will give you a heads up of many of the issues, AND, workarounds when needing to uninstall...I think.

    Yet, I still like it!
     