Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    There is malware that doesn't write a bit to the HDD (memory-only threats). Obviously, a reboot terminates them.
    However, since today's malware writers want to engage you in a botnet or log your keystrokes, almost all malware needs to be installed and this means changes to the harddisk.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's the weakness of all malware, no matter how sophisticated it is: it changes the hard disk. I only have to remove the changes and I'm clean.
    In the past my computer was only clean after a re-install from scratch; now I have a guaranteed clean computer after each reboot. That's better than any scanner or any security software can promise.
    It's not only about having a clean computer; my mistakes and corrupted installations of legitimate software are also corrected.
     
    Last edited: May 3, 2007
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Seems to me just a marketing claim.
    Business is more about deceiving than truth nowadays.
    Very diplomatic answer by them, beating around the bush.
     
    Last edited: May 3, 2007
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    I thought we all knew that!
    As many times as you repeat the words FROZEN SNAPSHOT :D.
    Already doing that (I do get it, but it's not the way for me). I don't freeze my system and still it's good.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    LOL. I guess that's it. Different opinions keep this forum alive.
     
  6. EASTER.2010

    EASTER.2010 Guest

    I like that line of thinking. With a program like FD-ISR and/or a dependable imaging solution, malware is NOTHING but a waste of effort for those engaged in that noble art. :D

    Maliciously coded programs are not nearly as convincing to me anymore now that immediate recovery alternatives such as FD-ISR render those efforts totally useless. I was getting bored of so much of that litter anyway that I began taking my captures and recompiling them to perform various automations on my machine, so for some of that I've made use of them for more practical purposes and productive pursuits to suit my needs. Besides, I've personally experienced worse problems with so-called legit programs than malware anyway. To me they've always been just a temporary nuisance that wasted my time. You can flush them off easily anymore with the right solution. FD-ISR + IMAGING RESTORE!
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Let's hope that the copy/update of FDISR is strong enough to remove all these bad changes.

    Peter's test, when he changed an entire operating system from winVISTA to winXPproSP2, using copy/update, was very reassuring and convincing to me. That was a hell of a torture test. :)
    Of course a test to clean a honeypot full of infections, would be even more convincing to me.
     
  8. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,266
    Location:
    Sydney, Australia
    It's all good now with FDISR: we (the users of same) represent a tiny fraction of home and/or corporate users. Hence some security by obscurity.

    If mals have coding to kill various 'anti' apps then it is conceivable that FDISR could be compromised.

    Remember it is NOT conceived as a security tool: just the imagination and expertise of users here has resulted in that as an option.

    Some users here will/may go looking for mals and use FDISR snaps to first record and observe and then recover. Possibly not as effective as VMWare but not too shabby, as we have seen (even VMWare can leak). I have no trouble seeing that any anchoring (apart, for me, from being a bit cumbersome) could lead to 'leaking' between snaps. FDISR is working and still safe because it remains below the radar.

    We have seen how some security apps can hide drivers from FDISR: maybe mals could do the same. ??

    If some crafty coder wants to put his mind to it then I would imagine that FDISR could be vulnerable: Raxco have confirmed this. We just haven't seen it yet.

    The minute some system somewhere with some thing of serious value to a net thief, that runs FDISR, exists then the "eye of mordor" would turn that way.

    At the moment our use of FDISR as a type of virtualisation container/file system is prolly very secure and we know how effective the VSS is at restoring and we like the implementation from Leapfrog. VMWare is not so different.

    BUT: the price of freedom is eternal vigilance.

    Just some random musings from a know nothing.
    Happy in obscurity ;)
     
  9. EASTER.2010

    EASTER.2010 Guest

    There's definitely truth in some of those statements, plus where software applications are concerned there's always some potential for a sudden disruption if not total disaster, and not always via malware.
    That's why Imaging/Cloning etc. to other external/alternative media fully defeats BOTH problems for me, because the odds are 100% impossible to reach all of the backups with FD-ISR so long as they're kept on METAL drives.

    One thing i learned to do recently and do very well is unplug & plug in a variety of different hard drives at will and make OFFLINE changes but apply POWER SHADOW to my snapshots when working with ONLINE snaps.
    Unless malware coders can physically get to my hard drives they and their noble team are entirely helpless to invite any disruptions to my choice set-up and programs.

    Thanks to FD-ISR my choice configurations are safely protected and if that wasn't enough alone you should always create duplicate images of the whole picnic and store them away from the box.

    Now we can see why ErikAlbert's (and other's) castle are so well kept & preserved. :D
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    All software is vulnerable and FDISR is no exception. FDISR already failed after a killdisk attack. Personally I have only experienced attacks by legitimate software that corrupted FDISR.
    But why would I be worried about this? I find this NORMAL, because that can happen to ANY software, and what applies to any software isn't worth talking about.

    I still have Image Backup (Acronis TI now and soon ShadowProtect) to restore my system partition completely after such an attack. Other users might be worried, because they don't have an Image Backup or have a never-tested Image Backup, but not me.
    I already thought about this a long time ago; that doesn't scare me. That's peanuts, when it happens.
     
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,266
    Location:
    Sydney, Australia
    @E-A and Easter

    Yes: Wise Old Australian Surfer saying:
    1 - not all eggs in one basket
    2 - make sure the legrope works when surfing on a shallow reef.

    ;) :D
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Try somebody else to scare, not me. :D
     
  13. EASTER.2010

    EASTER.2010 Guest

    I don't harbor any fear of disappointment from FD-ISR, because what are the odds KillDisk will even reach your machine unless you run it yourself, and still again if you have a good solid HIPS like I do in both System Safety Monitor plus EQSecure, the darn executable has to receive permission FIRST, which isn't going to happen. First it needs a dropper to download it into your system or sent to you directly, and of course if you launch it yourself like Peter2150. My HIPS will intercept those executables/processes trying to signal Windows and IMMEDIATELY SUSPEND it while I give the command to DENY :D

    Like others, I have more to fear from so-called legit programs that were improved over the line of compatibility with my set-up. That's when FD-ISR comes into play, and even if it happens to suffer some misfortune I have a complete IMAGE backup of the entire ball of wax INCLUDING FD-ISR. If needed I can uninstall FD-ISR and still preserve its ARCHIVES, then reinstall and access those same ARCHIVES and then proceed to create snaps from them.

    Suddenly system disruption and/or corruption is just not as convincing as it used to be by whatever reason. :D
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    All the disaster posts I've ever read in forums, including Wilders, were due to the user himself. Most of these disasters are solved by me with a simple reboot. The rest can be solved by restoring an image.
    Horror stories enough but without proof, I can write those myself to get much attention in forums. Pffft.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Exactly, guys. Remember in the kill disk tests I did, I had to deliberately allow it in SSM and OA, and turn off KAV so it wouldn't block it. Also, as it relates to FDISR, although the disk was wiped out, it couldn't affect an FDISR archive or Shadow Protect image. So with either one or both, recovery was very possible once you figured out you needed to delete the corrupt partition.

    Also I keep working images and archives, on an internal drive, and copies on an external USB which is OFF most of the time. That can't be touched.

    Also, so far VMware has proved amazingly bullet proof, if you really want to play on the dark side.
     
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,266
    Location:
    Sydney, Australia
    We are so far OT now it hardly matters

    OK
    Thanks for responses to my little musings. :)

    @E-A there was no attempt to scare you. :D

    I know that the set-ups you all run are very secure and I absolutely do not want to get in a slanging match.

    @Easter: there must be times when you are online downloading: e-mails, new apps whatever when Powershadow is not on = window of opportunity for mals: even your armaments may not get everything cf UnrealB
    Obviously you would certainly recognise some problem and then the cast iron recovery programme that absolutely has no mals comes into play.

    @E-A: the one unlikely time you dl something nasty in unfrozen state and then refreeze = window. Then refreeze the mal in place. Again unlikely and you have a well thought out recovery plan.

    @Peter: Your testing and advice has helped me immeasurably: it's the killdisc you don't see that will get you :) : Then, fine, you have also got a cast iron recovery plan.

    I absolutely agree that it is the wetware that is the problem most of the time.
    And we all agree there is no 100% safe solution for the partition on the web, but we are all much better off now than we have been, yet across the web there is still a plague of malware and new goodies all the time.

    As I suggested, the users who come here for instance: all 63,462 of them are a tiny fraction of the web. Prevx for eg has prolly 1 million users by now?

    Of course I also run various other tools and configs to protect myself and have the requisite offline .arx files and images on USB. AFAICT since an 'episode' ~ 8years ago I have not managed to get bugged by anything. In all probability highly unlikely.

    I have never regretted FDISR or imaging ( heh: you know the one) for one second.

    :thumb:
    Of course :)
    Yes. :thumb:

    Always appreciate the input from you all you guys, just trailing the coattails here and rambling along...

    Strength in depth
    Strength in the 'community'

    Regards. :thumb:
     
  17. EASTER.2010

    EASTER.2010 Guest

    The only window of opportunity I get is when I go looking for them :D Otherwise email has never once been a threat for me, and for the life of me it boggles my mind, because if you have your emails scanned in advance that makes up for the majority of any possibility; the other very tiny percentage never materializes. I can't explain it, but my email has always been safely isolated from malicious attempts. Apps on the other hand could and have carried payloads that I've downloaded, but again SSM intercepts ANYTHING trying to signal my system that I recognize as an unpermitted intrusion, and even if it gets through, with Power Shadow in place that entry is quickly and completely eradicated and the system returns to its previous state, so that's that.

    The ONLY! issue I fear is a hidden release or bypass of my front-line security that would carry CMOS change code. I have experienced it before. But then again the BIOS advises to Load Default Settings and then that threat is dismissed. (I think o_O ) It's an area I wish I knew more about. LoL
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree that Email isn't a threat, as long as you don't do something dopey. Attachments on spam stuff are a no-no. And if I have any question about any attachment, I just open it in the sandbox. You could easily do that with Power Shadow.

    Pete
     
  19. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,871
    Location:
    New York City
    A couple of questions please:

    1. Is there any way to temporarily disable ExeLockdown, so a program can be added/updated? (I know this feature is available in Anti-Executable, not sure about ExeLockdown.)

    2. How good are these programs (AE and ExeLockdown) at stopping keylogger behavior? Do they pass the Firewall Leaktester Anti-Keylogger Tests?

    Thank you.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm not familiar with ExeLockdown to answer 1)

    For 2): AE is not a behavior blocker, so passing Firewall Leaktester Anti-Keylogger Tests is not its function.

    It would prevent the keylogger - or any trojan or virus - from installing surreptitiously.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  21. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    You can turn ExeLockdown off from the main config screen, which is accessible from the Windows Control Panel. Install your new program and either add it to the allow list or just rescan your HDD for exes, then turn ExeLockdown on again.
     
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: Between this turning off/on of ExeLockdown, will there be any window of opportunity for malware to execute w/o ExeLockdown's protection?
     
  23. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Although I can't remember offhand the 2000/XP/2003/Vista files which I move, the 9x systems can allow AT LEAST one of user.exe, user32.exe, rundll.exe or rundll32.exe to be moved to an "isolation folder" after boot-up and loading into upper memory, to ensure that absolutely NOTHING can install. Take great care in experimenting with this method, otherwise you'll have to turn off your PC, go to DOS and move it back. 2000-Vista are not so volatile with respect to this method.

    Dave
     
  24. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,871
    Location:
    New York City
    Are there any glaring weaknesses to ExeLockdown that would prevent you from using it? I understand it is no longer being developed (last version 11/06).
     
  25. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    If there is no other execution protection on the computer, then I'd say anything is free to execute.
     