ISR-softwares beat On Demand Scanners

Discussion in 'other software & services' started by ErikAlbert, Sep 29, 2007.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Sign on barroom wall: "In God we trust. All others pay cash."

    Trust everything but... scan every download and always lock your car, even in your own garage. ;)
     
  2. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
It's a bit off topic, but don't forget the entrance, like a hardware NAT/firewall router as a first measure. In many cases it's all you need to get most nasties.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
Nasties have nothing to do with a firewall. A firewall controls traffic. Execution of nasties is local, on your machine, way past the router. At best, firewalls can block incoming noise, which either a router or a normal software firewall will do easily.
    Mrk
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Many good points.

    I also don't install something on my machines unless it's from a trusted source, and it is rare I want to look at a dodgy attachment, but on occasion I do. But when I decided to drop scanning stuff it was because of a layered approach.

1. For my normal stuff, like every day work, and visiting Wilders and a few other safe sites, I just basically rely on Sandboxie. I delete the sandbox when done.

    2. If I am going to surf a bit further afield, I will fire up Returnil. Reboots don't bother me.

3. I also am running OA and ProSecurity, which combined are quite light on all of my machines.

    4. If I am really going to hang out there, in terms of opening an email, or visiting a website, that I really have questions about, or want to install something questionable, then I climb into the VM machine, which also has the same software setup.

5. Finally, if I resort to no. 4, and I have a reason to consider what I am doing really suspect, as an extra step I update my FDISR archives and image the system before doing it.

    So far this has worked well. May sound complicated, but isn't for me. For most of my friends though I'd recommend a good AV.

    Pete
     
  5. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
I said in my message "it's a bit off topic" and hence suggested it as a first measure, to prevent things reaching your rig in the first place. All the other suggestions made have meaning, but a NAT/firewall router is a nice complement, though I guess you surely disagree.
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
Going back to ErikAlbert's topic re: on-demand scanners and ISRs, I have to admit I don't use the on-demand scanner I have very much, mostly relying on the real-time capabilities of the AV.

    Taking the real-time monitor into the equation, if I didn't use that at all and just used the ISR as implied here, I can see the benefit as one could argue all you need do is rollback to a previous state assuming that is clean. But then how would you know it is if you don't use an on-demand scanner or a real-time one?

I use FD-ISR and use data anchoring. If I didn't use a scanner, I can see the danger of using data anchoring, as whatever snapshot I go to, there could be the possibility of carrying viruses through. But then I DO use a scanner in real-time mode, so I think that negates the point.

    I still think there is a case for using an AV scanner alongside ISR technology.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I know my "Freeze Storage.arx", which cleans my on-line snapshot, is clean, because :
    1. it has been installed off-line with very short internet connections, just long enough to activate or update softwares via internet.
    2. I also scanned my clean images with KAV, although that wasn't really necessary.
    So my "Freeze Storage.arx" and archives are clean.

After each reboot my frozen on-line snapshot = Freeze Storage.arx = clean on-line snapshot, without using any main scanner or on-demand scanner, and that takes less than 2 minutes.
    My Freeze Storage = WHITELIST of every object that is installed in my on-line snapshot.

    I have two kinds of archives of my on-line snapshot :
    1. Clean On-line Archive, that is based on an initial installation and used "for restoration only".
    2. Daily On-line Archive, which I consider as possible infected, because it has been on-line too long.
If I ever think that my on-line snapshot is really infected, then I copy/update from my Clean On-line Archive to my frozen snapshot and re-create my Freeze Storage.arx, and I'm back in business with a very clean system.
     
    Last edited: Sep 30, 2007
  8. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Using DeepFreeze or Returnil I feel no need for real time AV HIPS etc but every few weeks I run an AS or AV just to check and nothing ever shows up. So my vote goes to ISR + On demand and throw out the real time programs.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Question to Erik: (anyone else feel free to drop their thoughts too)

What is so different between a FreezeStorage.arx and Power Shadow's shadow mode after a reboot? I mean, since the entire drive, including any partitions (if you choose), is virtualized and so released from anything added during that particular session, wouldn't the end result be the same? That is, "clean"?

    Just to confirm, as an added precaution couldn't you be even better assured of a 100% clean return from the "live" internet interaction or any other local programs activity when you ALSO virtualize that same FreezeStoraged snapshot, in this case via FD-ISR program?

    A lot of good and useful points have been made here.

Further, I second Long View's practice of doing away with any real-time scanners, although as a purely personal choice I do on occasion still employ the use of on-demand scans, if nothing else, just to assure my own eyes that my personal research habits haven't led me to click on some find that may or may not pose a security or system risk to my machine.

But unlike Long View, I already dismissed real-time scanners/AVs when I discovered HIPS are more than adequate to intercept a rogue communication to the system from a malware. ISRs just raised the bar of confidence for me even more when I saw how well FD-ISR handled matters of immediate recovery.

    Thanks fellows.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Big difference. With the freeze in FDISR, you can decide to unfreeze, install something, reboot, and see how it is, etc. Then if you don't like the results you can do a previous freeze, reboot, and presto. The only proviso is that you don't delete your freeze.arx file. In Power Shadow, you don't have that kind of option.

    Pete

    PS for my purposes though returnil/powershadow,etc is better because the reboot is faster. (I think)
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    This is how I understand it:
    FD-ISR is basically a copy/update machine. It's closer to image backup software than to "shadow" software. You can see this in the use of VSS
    The Frozen Snapshot function is an extension of this copy/update functionality and nothing more. On reboot, FD-ISR compares the Frozen Snapshot with the Freeze Storage (an archive) and adds/modifies/replaces objects.
    Any damage to FD-ISR (FD-ISR isn't protected against direct/indirect attacks) will destroy its copy/update mechanism/engine.
    Shadow softwares work in a different manner. When you enter shadow mode, they build a copy of the current state of the filesystem. Then, they use that copy to govern all disk-related work. When a new file is created, it's written to free space and an entry is placed in the fake filesystem table. When a file is deleted, it's only deleted from the fake filesystem table. When you exit shadow mode, the fake filesystem is dumped and the real filesystem never knows of files added/modified/deleted. Also, shadow softwares protect their driver/service against intentional/unintentional attacks/deletion.
    This explains why:
- You need to reboot to exit shadow mode. The real filesystem can not be loaded until the OS boots.
    - Forensic tools can recover files written during shadow mode. They are really written to disk, but they lost their entries in the MFT when you exit shadow mode. The real MFT never sees them, so it (correctly) reports those files as free space.
    - FD-ISR is slower than shadow software to restore the clean session. Shadow softwares only dump the fake MFT while FD-ISR is busy copying/moving/updating objects from Freeze Storage to Frozen Snapshot.
    - FD-ISR is beaten by Erik's deadly commands :p
    Code:
    DEL /F /S /Q C:\*.*
    - Shadow software which doesn't cover low-level disk access (bypassing MFT) are beaten by Killdisk.
     
    Last edited: Sep 30, 2007
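The two mechanisms lucas1985 contrasts above, together with the Freeze Storage sync Erik describes in post #7 and the anchoring hole TonyW raises in post #6, modelled in Python. This is an added illustration, not code from FD-ISR, Power Shadow or Returnil: the ISR engine location `C:\$ISR\engine.sys`, the sample paths, the block layout and the "infection" are all constructed for the demo.

```python
# Toy model of the two recovery mechanisms compared in this thread (added example;
# engine path, sample paths and "infection" are constructed, not from any product).

ENGINE = r"C:\$ISR\engine.sys"        # hypothetical location of the ISR engine
KERNEL, HOSTS = r"C:\Windows\kernel.bin", r"C:\Windows\hosts"
DROPPER = r"C:\Users\e\dropper.exe"


class ShadowDisk:
    """Raw blocks plus a real file table; shadow mode adds an overlay table that
    takes every write, so the real table never changes (but the blocks do)."""

    def __init__(self, nblocks=16):
        self.blocks = [b""] * nblocks   # one object per block keeps the model small
        self.real_table = {}            # path -> block index (the "real MFT")
        self.overlay = None             # path -> block index while shadowed

    def _table(self):
        return self.real_table if self.overlay is None else self.overlay

    def _free_block(self):
        used = set(self.real_table.values()) | set((self.overlay or {}).values())
        return next(i for i in range(len(self.blocks)) if i not in used)

    def enter_shadow(self):
        self.overlay = dict(self.real_table)

    def exit_shadow(self):
        self.overlay = None             # reboot: fake table dumped, blocks NOT wiped

    def write(self, path, data):
        idx = self._free_block()        # never in place, so the real copy survives
        self.blocks[idx] = data
        self._table()[path] = idx

    def delete(self, path):
        del self._table()[path]         # only the table entry goes; bytes stay

    def listing(self):
        return sorted(self._table())

    def raw_carve(self, needle):
        """Forensic view: scan every block, ignoring both tables."""
        return [i for i, b in enumerate(self.blocks) if needle in b]


class IsrSnapshot:
    """Copy/update model: each reboot syncs the live snapshot to the Freeze Storage."""

    def __init__(self, freeze_storage, anchored=()):
        self.freeze_storage = dict(freeze_storage)   # the clean "whitelist"
        self.live = dict(freeze_storage)             # the frozen on-line snapshot
        self.anchored = tuple(anchored)              # excluded path prefixes

    def reboot(self):
        """Actions taken, or None if the engine itself is gone (only an image restore helps)."""
        if ENGINE not in self.live:
            return None
        actions = []
        for path in sorted(set(self.live) | set(self.freeze_storage)):
            clean = self.freeze_storage.get(path)
            if any(path.startswith(a) for a in self.anchored):
                if path in self.live and self.live[path] != clean:
                    actions.append(("kept", path))   # the hole anchoring opens
            elif clean is None:
                del self.live[path]
                actions.append(("removed", path))
            elif self.live.get(path) != clean:
                self.live[path] = clean
                actions.append(("restored", path))
        return actions


def shadow_demo():
    d = ShadowDisk()
    d.write(KERNEL, b"good-kernel")
    d.write(HOSTS, b"127.0.0.1 localhost")
    d.enter_shadow()
    d.write(KERNEL, b"EVIL-patched-kernel")    # constructed "infection" of the session
    d.write(DROPPER, b"EVIL-dropper")
    d.delete(HOSTS)
    during = d.listing()
    d.exit_shadow()
    return during, d.listing(), d.blocks[d.real_table[KERNEL]], d.raw_carve(b"EVIL")


def isr_demo():
    clean = {ENGINE: b"isr", KERNEL: b"good-kernel", HOSTS: b"127.0.0.1 localhost",
             r"C:\Data\notes.txt": b"v1"}
    s = IsrSnapshot(clean, anchored=("C:\\Data\\",))
    s.live[KERNEL] = b"EVIL-patched-kernel"
    s.live[DROPPER] = b"EVIL-dropper"
    del s.live[HOSTS]
    s.live[r"C:\Data\notes.txt"] = b"v2"        # legitimate edit survives via anchoring
    s.live[r"C:\Data\autorun.exe"] = b"EVIL"    # so does malware dropped under the anchor
    actions = s.reboot()
    wiped = IsrSnapshot(clean)
    wiped.live.clear()                           # the deadly DEL took the engine too
    return actions, s.live, wiped.reboot()


if __name__ == "__main__":
    print(shadow_demo())
    print(isr_demo())
```

Running it shows both points made above: the shadow overlay hides hosts and shows the dropper during the session, and the plain "reboot" (dropping the overlay) brings the original listing and the good kernel back, yet `raw_carve` still finds the EVIL bytes in blocks 2 and 3, which is exactly what a forensic tool recovers. The ISR sync restores the kernel and hosts and removes the dropper, but leaves both the legitimate edit and the malware under the anchored `C:\Data\` untouched, and the snapshot whose engine was deleted returns None, the case where only an image restore remains.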
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    All ISR-softwares keep your harddisk clean, IF you use them right.
My system partition is also clean after reboot, only the method is different. A virtual environment is just another method of keeping your system partition clean. If you put ISR aside, then you can do a lot more with FDISR than with PowerShadow. I stopped combining FDISR with other ISR-softwares, because that doesn't work if you have more than one snapshot to recover.
    I stick to FDISR and wait until another and (much) better software appears on the horizon. :)
     
  13. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
Nice comparison.

I know the value of having a quick restore (though in my case an almost up-to-date image).

    You mentioned software, but how do both solutions handle changes/infections to data files (which could be a payload to infect software) ?


Do ISRs restore every reboot? If not, when do you choose (e.g. how do you know you're infected and need to reboot, or a dumb average user)?

    A risk with ISR-software not mentioned is restoring over legitimate changes, eg a software update.

Also, don't forget that ISR and on-demand can be complementary to each other, depending on the usage patterns of the machine.
     
  14. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    I wish MS would make their OS secure ;) we wouldn't have to worry about recovery and repair :D
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    ISR = Immediate System Recovery, not Immediate Data Recovery.

    Data is for me an entire other problem and isn't discussed in this thread.
    I was always talking about my system or system partition, not data or data partition.

    My ISR restores my system partition every reboot, unless I don't want it.
    I don't understand your question between brackets.
    I don't need to know if I'm infected or not, because my freeze storage cleans my on-line snapshot during each reboot.
    Most dumb average users know how to reboot their computer and that cleans their computer, if they use ISR-softwares.

    That is also an interesting subject for a new thread : "ISR-softwares and how to keep the good changes, without keeping the bad changes."
    This is also a very vulnerable moment, but COMMON for ALL ISR-softwares, not just FDISR.

    The same counts for excluding objects, FDISR calls it anchoring.
    The more you exclude, the more holes you create for malwares.
     
    Last edited: Sep 30, 2007
  16. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Hi,

    Thanks for answering my questions.

How does the average user know to reboot? Should they reboot daily just in case, or when they think they have a problem, or do we rely on the fact that most people reboot regularly?
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
I have the habit of rebooting my computer regularly, and I often have no reason to reboot, at least not for malware.

    My off-line snapshot has no internet connection, I turned it OFF in Windows, except when I really need to activate or update a software, especially activations forced me to have brief internet connections.
    This is the snapshot where I do all my work and hobbies without any disturbance.

    My frozen on-line snapshot is for long internet activities and where I do most of experiments, like trying new softwares for example.
    It happens regularly, that my on-line snapshot gets corrupted by these experiments and then I have to reboot to fix it.
    For instance a frozen BSOD, a software that doesn't work anymore, ...
    I never ask myself, why did it happen ? how can I fix it ? can Wilders fix it ?
I just reboot and all my problems are gone in 2 minutes.

I remember two times where my reboot failed to recover my system, but I knew in advance that this would happen eventually.
    This can only happen when FDISR itself gets corrupted, but that's peanuts too.
In that case, I restore an image with my Recovery CD of ShadowProtect, and that takes 9 minutes.

    And yes, I never know if I'm infected or not, unless I can see it when things have been changed.
    I really wonder how other users, know IMMEDIATELY that their system is infected by a small change on their harddisk. I only can see this when one of my security softwares sends me a message, like Anti-Executable.

    Any malware that passes through all my security softwares like butter, will remain unnoticed on my harddisk, UNTIL I reboot or restore a clean image.
    Users usually see only malwares on their harddisk after running scanner(s) at the end of the day.
    I don't even see these malwares, because I clean my computer during reboot behind the WELCOME screen of Windows and I don't have to worry about removing false positives, because they don't exist.

    I do this already more than 6 months and because I don't trust my own method, I ran KAV, NOD32, SAS and a few other scanners recently to verify, if I was still clean. They didn't find anything.
    I don't consider this as an absolute proof that my computer is CLEAN, not even after running 50 scanners, but it's a good indication, that my computer MIGHT be clean.
    If I want a guaranteed clean computer, I restore one of my clean images/archives, stored on my off-line external harddisk.

    I still have an unprotected data partition, I can't do it all at once, but the thinking never stops.
     
    Last edited: Oct 1, 2007
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    I think your paragraph 1 is a serious problem that you should address. Not the issue of knowing if you're infected or not, but the fact you fear this situation in such a fatalistic manner.

There's no reasonable reason to be infected, unless you go crazy all over the Internet, downloading every possible executable and installing it. But since I know you're not doing this + you use Firefox, the chances of you getting infected are very, very low.

    And if something does manage to "slip in" it's a simple matter of checking your system. Not every infection will be some matrix-style thingie. Usually, you'll see extra processes, extra services, increased load, unexpected behavior. And if you get infected by something so magical, it never shows up - well, it doesn't really matter then? If you're infected so to say, but this does not impact you in any possible way, you can safely say you're not infected, don't you think?

    Computers are no magic and you do not need 50 scanners. 1-2 are more than enough. If you use any two of the leading products and they give you a clean bill, plus the habit, plus the way you use the machines, there's really no reason to maintain the armageddon approach.

Absolute proof? Well, if you really wanna go wild, then how can you be sure that your scanners did not infect you? Or that MS is spying on you? Or that Windows has a backdoor? Or that all companies are conspiring to keep certain infections hidden? What then? How can you be sure that the very copy of Firefox you use was not tampered with on the server just moments before you downloaded and installed it?

    But the truth is - you don't consider any of the above as reality, so you're happy with these choices and you run them and trust them, including the offline Windows - you trust Billy boy don't you and his WGA?

    So, take one step further and consider your system simply not infected and things will be so much simpler.

    Mrk
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi MRK

Excellent point. Your posts are one of the reasons I've gone the way I have. You can load up to the point you need a separate computer to run all the security stuff. Thanks for your posts.

    Pete
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Mrkvonic,

    I'm not worried about the spying of legitimate softwares, including Windows.
    My bank, my supermarket, my government, my neighbors, ... spy on me too, but they don't do this to hurt me intentionally. So let them spy.

    I'm worried about malicious software with bad intentions, installed on my harddisks, like any other member at Wilders.
    I simply don't trust security softwares to keep my computer clean and there is nothing wrong with that, because it has been proven over and over again, that security softwares fail too much.
    Image Backup softwares never failed on me, but ISR-softwares aren't perfect either.

    So when I restore a clean image, I feel much better than running 1-2 scanners.
    After reinstalling my computer in September, I finally have those clean images, including clean FDISR-archives. And yes it will be more simple for me now, than ever before.
Restoring my computer in 2 or 9 minutes is a lot faster than scanning my computer with ONE advanced+ scanner.

    I don't even understand the purpose of your post or what you are trying to tell me.
    I don't have 30+ security softwares on my computer, that is complicated.
    I don't waste my time on running scanners, that is time-consuming and INCOMPLETE.
    I only have security softwares to stop the execution of possible installed malware, until they are removed during reboot.
    What is more simple, than a normal reboot to accomplish this.

    When I daily read all these posts at Wilders with minor or big problems, which could have been avoided, then I'm happy with my simple solution. Visit Malware Forums, that is the real world and just a fraction of it. :)
     
    Last edited: Oct 1, 2007
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    Erik, your approach is a good one. But the underlying problem is that you believe you have a clean snapshot while you so much fear that your working environment is infected. In practice, you have a complete lack of paranoia in one case and a complete paranoia in the other.

    Therefore, you should either assume no snapshot can be really clean or they all are, within reasonable human doubt.

    Think about it - you installed programs. But how can you be sure these are clean? What is the lowest level of trust you go down to? Windows install? Hell, how can you be sure?

    In reality, without inspecting the OS itself to the bones, using Linux live CD with tons of forensics, plus network sniffer and such, you won't really ever be sure...

    Like Frankie used to say, Relax ....

    Cheers,
    Mrk
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If I can't trust the legit softwares anymore, I better stop using computers.
You have to trust something, otherwise I would be paranoid.
    I just know that scanners aren't complete in removal of malware. So I use a clean image to replace them.
    If that clean image is full of spyware of legitimate companies. So be it, I can't do much about that.
    I remove at least the bad stuff that is installed AFTER my clean image is used on-line on a daily base. That's more than I ever had in the past and sufficient enough for me.
    Paranoia is for people who don't think in the right proportions anymore, I don't have that problem, otherwise I would have 100+ security softwares on my computer and watch my computer constantly as a hawk. :)
     
  23. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
Would an alternative way be to use Linux for browsing and email, then boot to Win with your connection unplugged?

    Mrk. Maybe you can confirm if it is safer to connect to your bank through Linux rather than Win.
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
Erik - sorry if I'm being too pedantic in taking you literally, but as a member at Wilders I would say I'm fairly relaxed about malicious software. I sit behind a hardware firewall router, use Firefox, my e-mails are checked by my mail provider and I see no reason for any real-time protection. I have taken reasonable steps to check that I am clean and as a working practice I proceed as though I'm clean. I guess it helps that I have never seen a virus nor suffered from anything more dangerous than a cookie. I have little confidence that AV, AS or HIPS will provide me with any useful additional protection.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    Erik, who to trust, exactly!

    And how can you tell legit spy from illegit spy? How can you tell? What defines the criteria? Media? Companies themselves? You? And if it's you, what do you use to determine?

Claria / Gator is a legit company, they have smart people in suits. That does not mean their practices are legit. Enron was a legit company and look what they did. What about DiamondCS? They had the famous Process Guard, and one day they took it off without a word to their customers.

    If you really wanna ask yourself who is legit, then the answer is bodiless non-profit organizations - usually the open-source and free world of Linux.

    djg, it really does not matter. If you know your machine is ok, then connect any which way you want. It really is not important. Furthermore, take into account that bank security is more than just your browser.

    Example:
My bank does not allow most operations without a special token.
    My bank requires ID for most money transfers - and requires that you be present at the bank. So even if someone takes someone's credentials, password etc - the customer is safe.
    All transactions are fully reversible etc.

    Check your bank. If it's a clown show, then switch to a normal bank. If they don't value your money as their own, run away.

    Mrk
     