Best Hardening Tool

Discussion in 'other anti-malware software' started by LoneWolf, May 7, 2007.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784

    Useful links. Useful advice. Thank you Innerpeace.
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Erik, can you please put this into normal words?
    I would like to know what kind of security software you have in realtime running inside or beside your snapshot/image ..

you got to have some kind of scanner? or maybe you can tell us something regarding your surfing habits? ... I'm not throwing any stones at you but you seem to me that you rather have safe sex? :D just kiddin' ... ... you are a safe surfer?
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    You're welcome, Travellinman. I have them bookmarked in FF to open all tabs at once for easy access. Good luck.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Hint Hint: look at his sig
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This is MY PERSONAL VISION on security and I still consider this as a personal unfinished experiment, but what I did until now is proven in practice.
    I still practice safe surfing, but I want to get rid of it. I want my freedom back on the internet in step mode.

    1. If you install your computer from scratch and off-line, your harddisk has a clean, malware-free and trouble-free Windows, FDISR and TWO snapshots with all your legitimate Applications. Before I go on-line, I take a clean ARCHIVE of my off-line snapshot and on-line snapshot and a clean IMAGE.
    The off-line snapshot is not important, because that snapshot has no internet connection.
    The on-line snapshot is the troublemaker, but I have a clean, malware-free and trouble-free version of that
    on-line snapshot stored in an ARCHIVE, let's call it "AS2 ON-LINE.arx" (= Archived Snapshot #2 ON-LINE)

    2. I freeze my on-line snapshot which means that FDISR creates a file "Freeze Storage.arx" and I replace that "Freeze Storage.arx" with the file "AS2 ON-LINE.arx".
    I can do this because the file "Freeze Storage.arx" is also an ARCHIVE, just like "AS2 ON-LINE.arx" is an ARCHIVE.

    3. Each time I reboot FDISR does an automatic copy/update from "AS2 ON-LINE.arx" to my frozen snapshot.
    a. Each object that exists in my frozen snapshot and doesn't exist in "AS2 ON-LINE.arx" is REMOVED in my frozen snapshot, because that object doesn't belong in my frozen snapshot. Such an object might be an infection.
    b. Each object that doesn't exist in my frozen snapshot and exists in "AS2 ON-LINE.arx" is ADDED again in my frozen snapshot, because something (a possible infection) removed that legitimate object.
    c. Each existing object that changed in my frozen snapshot and isn't the same anymore as in "AS2 ON-LINE.arx" is REPLACED in my frozen snapshot with the original object from "AS2 ON-LINE.arx".
    d. Each existing object that didn't change in my frozen snapshot, remains on my frozen snapshot.

    After doing all this, my frozen snapshot is EQUAL to AS2 ON-LINE.arx.
    In other words, I have my clean, malware-free and trouble-free on-line snapshot back.
    This happens during EACH reboot in about 100 seconds on MY computer and BEFORE Windows starts.
    -----------------------------------------------
    Let's compare the usage of scanners and a frozen snapshot.
    Scanners run usually one time a day and detect/remove infections, but scanners have several problems :
    - missing signatures (+ zero-day), which means that possible infections aren't removed.
    - heuristic failures, which means that possible infections aren't removed.
    - false positives, which will be removed by a newbie and cause possible system damage.
    - redundancy, because most scanners have a big number of the same signatures.
    - scanners require daily updating, sometimes more than once.
    - one scanner isn't enough so you need more of them, a lot of users run 5-10 scanners.
    - the total scan-time of all these scanners is most probably longer than 100 seconds.

    Because scanners run only one time a day and a reboot is usually also one time a day, there is no difference between both in usage, although I reboot at least two times a day : morning and noon.

    My freeze storage is nothing more than a complete whitelist of EACH object on my system partition [C:].
    By comparing my freeze storage with my frozen snapshot, I remove any change on my harddisk, because each snapshot is another version of my system partition.
    So my REBOOT is my SCANNER, but my REBOOT is ALOT BETTER than all scanners together.
    --------------------------------------------------------
    I noticed that a few members consider a frozen snapshot as something bad, because it's to them the end of freedom. That is totally wrong and the word "frozen" is probably the reason why they think this.
    I still can try, see and test any new thing on my frozen snapshot, like in a normal snapshot.
    If I don't want it, which happens very often, I reboot and it's completely gone as if it was never there and without leftovers (crap).
    If I want it, which happens very rarely, I re-freeze my frozen snapshot and that takes only seconds or minutes, depending on the volume of the new software.

    I recently deleted 300MB (Applications) on purpose in my frozen snapshot as a test.
    After reboot those 300MB were back in 120 seconds as if nothing happened.
    --------------------------------------------------------
    Do users still need scanners ? YES YES YES, but not me.
    The only useful thing for me is the real-time shield of a scanner, but I'm trying to replace that with other softwares.

    At this moment, I have three security softwares : Look'n'Stop, Anti-Executable and DefenseWall.
    Are these three software foolproof ? NOOO, but I don't care, because any mistake of these three softwares, will be corrected on reboot, because I replace my on-line snapshot with a fresh one.
    Of course I will try to make my security as good as possible, but it's not my priority #1.
    Why do I still need security software ? Security software reacts IMMEDIATELY, my frozen snapshot reacts only on REBOOT.
    So the period between TWO reboots (= TWO scannings) is vulnerable to infections and I have to stop the installation/execution of infections as much as possible, because these infections have too much time (4-8 hrs) to do their evil job.
    ---------------------------------------------------------
    Is FDISR vulnerable ? YES, just like any other software.
    That's why I have Image Backup, to solve that problem.

    That's my security in a nutshell and it still needs to be polished, but those are small insignificant details.
    Am I satisfied now ? NO, I still want more, but I can't do it all at once and I'm not in a hurry either. :)
     
    Last edited: May 11, 2007
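    The four rules in step 3 of the post amount to a whitelist reconciliation: the archive is the reference, and the live snapshot is made equal to it on every reboot. The script below is an added illustration and is not FDISR's code or the poster's; it models both the archive and the snapshot as constructed {path: contents} dicts, applies rules a to d, and also models the re-freeze step to show that whatever the snapshot holds at re-freeze time becomes the new reference without any check.

```python
import hashlib
from typing import Dict, List, Tuple

# Both "stores" are modelled as {path: file contents} dicts (constructed for
# this example). FDISR works on real partition objects; this only mirrors the
# four rules described in the post.
Store = Dict[str, bytes]


def digest(data: bytes) -> str:
    """Content hash used to decide whether an object 'changed' (rule c)."""
    return hashlib.sha256(data).hexdigest()


def reconcile(archive: Store, snapshot: Store) -> Tuple[Store, List[str]]:
    """Make `snapshot` equal to `archive`; return the new snapshot and a log.

    Rule a: object in snapshot, not in archive   -> REMOVED
    Rule b: object in archive, not in snapshot   -> ADDED
    Rule c: object in both, contents differ      -> REPLACED from archive
    Rule d: object in both, contents identical   -> KEPT
    """
    result: Store = {}
    log: List[str] = []
    for path in sorted(set(archive) | set(snapshot)):
        in_archive = path in archive
        in_snapshot = path in snapshot
        if in_snapshot and not in_archive:
            log.append(f"REMOVED  {path}")           # rule a
        elif in_archive and not in_snapshot:
            result[path] = archive[path]
            log.append(f"ADDED    {path}")           # rule b
        elif digest(archive[path]) != digest(snapshot[path]):
            result[path] = archive[path]
            log.append(f"REPLACED {path}")           # rule c
        else:
            result[path] = snapshot[path]
            log.append(f"KEPT     {path}")           # rule d
    return result, log


def refreeze(snapshot: Store) -> Store:
    """Step 2 of the post: the current snapshot becomes the new archive.

    Nothing here inspects the snapshot first, so whatever it contains at this
    moment (wanted or not) is what every later reboot restores.
    """
    return dict(snapshot)


# Constructed sample: a clean on-line archive and a snapshot that drifted
# during a session (one tampered file, one extra file, one deleted file).
CLEAN_ARCHIVE: Store = {
    "C:/Windows/system32/kernel32.dll": b"kernel32 v1",
    "C:/Program Files/App/app.exe": b"app v1",
    "C:/Documents/notes.txt": b"hello",
}
DRIFTED_SNAPSHOT: Store = {
    "C:/Windows/system32/kernel32.dll": b"kernel32 v1",        # unchanged
    "C:/Program Files/App/app.exe": b"app v1 + altered code",  # changed
    "C:/Windows/Temp/unwanted.exe": b"not in archive",         # extra
    # notes.txt was deleted during the session
}

if __name__ == "__main__":
    restored, actions = reconcile(CLEAN_ARCHIVE, DRIFTED_SNAPSHOT)
    print("\n".join(actions))
    print("equal to archive:", restored == CLEAN_ARCHIVE)
```

    Running `reconcile` a second time on the restored snapshot only logs KEPT entries, while `refreeze` on the drifted snapshot makes the extra and altered objects part of the reference, which is the point raised later in the thread.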
  6. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    @ Erik

    Your setup is an interesting one. While unorthodox it seems to work (at least for you), and that's all that really matters. As described by you it seems to be fairly foolproof, however upon closer inspection I see an instance of potential vulnerability. As you said yourself:
    As a thought experiment let's suppose that you find software that you like and want to keep so you decide to do a re-freeze of your frozen snapshot so that the software remains after reboot. How can you be sure that no malware snuck in during this time? Or what if the software you decided to keep ends harboring some type of malware? Then the frozen snapshot you just modified and re-froze is no longer secure, and you could henceforth be using an infected system. To me this seems entirely plausible, but perhaps I am misunderstanding some aspect of your setup. Just figured I'd mention this to alert you of this vulnerability or in the case that I'm mistaken to better understand your setup myself.

    Regards,

    TypicallyOffbeat
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    LOL - Well worth repeating.
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    You can accomplish the same thing with Microsoft's Shared Computer Toolkit. Although it only works with XP. Another weakness of either tool is if you get online, get infected then visit your bank or other financial or sensitive information site, your information could be stolen. Rebooting won't help save you in that situation. You still need 'scanners' and other defenses to protect between reboots. At least I would :) .

    I like the idea of Erik's setup and the Microsoft SCT (which is free). With the SCT's disk protection you can also install software on one of the images and reboot as many times as you want and when you decide to keep or dump the software/changes, it is discarded or saved to the second image. My take on the security would be to scan the heck out of the first/trial image before saving to the second. It also has many options for user restrictions. Although it comes off as only being for public computers, home users could find it useful. Either tool does take some setting up which is why I'm still learning more about the necessary steps. More information in the link below about the SCT.
    http://www.dslreports.com/forum/remark,15352689

    I don't know a heck of a lot about advanced malware, but I understand it can really be nasty. I recently read a thread about how the experts recommend formatting the hard drive with some malware infections. I have also heard that some malware can affect lower levels of the disk (I'm not sure what that means, but it can't be good). I'm also not convinced that a reboot with the above tools would fix a bad infection that uses unorthodox methods.
     
  9. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204

    Hey man, don't rely so much in software to harden Windows. Just read carefully the info given in here:

    http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
    http://www.malwarehelp.org/Malware-Prevention-Hardening-Windows-Security1.html
    http://www.tweakhound.com/xp/xptweaks/supertweaks1.htm


    One more thing never access the Internet as Admin (open a Limited Account), similar to Linux as not running as root.

    GL.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I will put it this way. Lots of users download a file and then they scan the downloaded file with one or more scanners.
    How many scanners are you going to use to scan this file : 1?, 5? 10? 15? 20? All? A difficult question isn't it ?
    If these scanners don't find anything, they ASSUME the file is clean, because their scanners told them and they WANT to believe this. Is the file really clean ? It might contain an unknown virus.

    If I download the latest version of FDISR from the official website Raxco, is that a 'dangerous' download ?
    If I download Anti-Executable's User Manual (.pdf) from the website Faronics, is that a 'dangerous' download ?

    I download a lot of stuff in my frozen snapshot out of curiosity, but I'm not planning to keep it.
    I have all the softwares I need to do my job and hobbies and if I find one, I will ask for it.
    All the softwares, I use, have been mentioned at Wilders and have been used already by many members.
    Are these softwares and updatings suddenly 'dangerous', because I have a crazy security setup ?

    Most average users have only one partition [C:] and when they download a software, they try it and want to get rid of it by using its uninstaller, which usually leaves leftovers behind on their harddisk.
    After a month their harddisk is full of leftovers + undetected infections. Is that good ?
    I ENJOYED at least my temporary installations, while they have all the misery and wasted time to clean the mess.
    Is that normal and efficient ? Maybe YES, because everybody does it and what everybody does is GOOD and NORMAL.

    They use all kinds of softwares for their registry : cleaning, backup, editing, ...
    I don't need all that stuff, because my registry is clean after each reboot.
    I have a lot of advantages which other users don't have and they spend a lot of time to fix their problems, but that is considered as NORMAL.
    History cleaning is also done after reboot without using CCleaner.
    I solve all my problems in my system partition with a simple reboot, except two problems : a corrupted FDISR and a harddisk crash. These two problems are fixed with restoring a clean IMAGE.

    When all these users write down honestly, what they have to do and how much time they spend to keep their system partition clean, malware-free and trouble-free, then we will talk again. My readings of disaster posts prove the opposite. :)
     
  11. EASTER.2010

    EASTER.2010 Guest


    I see the benefit of that with FD-ISR and applaud the confidence in it of course, although POWER SHADOW accomplishes the same thing with a reboot, except if you want to keep a newly INSTALLED program you would have to first Move the installer off the partition and then install it after exiting shadow-mode.

    Make that XP with SP2. I tried to install with only SP1 and it refused. :thumbd: I know, i know, it'll be argued till the moon goes blue again that every XP system should keep up to date with $M's patches but i'm in the minority that still doesn't trust $M when it comes to fixing things, especially security related, and i have never had either an issue or intrusion with SP1 so long as it remains covered with security apps. Same applies to SP2. I venture to say XP plain unpatched would enjoy the same safe protection.

    There are many more advantages & uses for registry apps than just malware removals you know, but that point is still well taken & clear in that you are looking at it from a strictly manner of retaining the system in the same exact state as it was before it went Online AFTER it goes OffLine.

    From that perspective yes you're assured a new fresh start every time without having to regularly spend the time it takes to dealing with the most basics such as removing history etc.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You forgot something. PowerShadow doesn't allow you to install and try a software, that requires a reboot during its installation.
    FDISR has no problem with this and you still can keep your freeze storage untouched.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, but you always forget that average users are my target, who don't even know what a registry is.
     
  14. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    @ Erik

    I think you somewhat misunderstood what I was trying to say. My point was that there is an instance of vulnerability in your setup, one that doesn't necessarily revolve around 'dangerous downloads' as you put it, as obviously there are other ways to get infected, especially if like you mentioned you return to 'unsafe' computer usage. Regardless of the means of the potential infection, my point was simply that there is the potential that your frozen snapshot that you use all the time might be infected. It would serve you well to realize this and address it accordingly as you see fit, rather than having a false sense that you are 'guaranteed clean' after each reboot. Granted your setup has significantly fewer vulnerabilities than do most setups, but that isn't my point. Don't take this as an affront to your setup or what you're trying to do, I'm simply making an observation.

    Regards,

    TypicallyOffbeat
     
  15. EASTER.2010

    EASTER.2010 Guest

    That's hardly a problem for most average users and besides, isn't this really just reaching for straws to make that single distinction between them an argument for or against what is a very dependable virtualization program?

    If you really do support safety then when installing some new program which requires a reboot, you would want to do that OFFLINE anyway now wouldn't you?
    So the fact you can't install an app which requires a reboot in Power Shadow but you can with FD-ISR strikes down any support for that type comparison IMO, but that's how i see it anyway. :)
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, but I only return in "unsafe" mode after disabling internet, then I do changes and then I re-freeze my frozen snapshot and enable internet again.
    I have an icon on my desktop to disconnect from internet in 2 clicks and 1 click to enable internet again.
    So in practice, it's very difficult to get infected even in unsafe mode.
    Of course everything is possible in theory, but I think a lot of users have more chance to get infected than me.
    I'm not offended at all and I'm glad you are telling this. I will remove the word guaranteed in my signatures. :)
     
  17. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Yes, It's only for SP2. I believe it's a bullying tactic. My machine came with SP2, so I guess I'm lucky. I don't apply patches when they come out unless it's an urgent problem. I usually go by askwoody.com advice. Since most patches concern programs that I don't run, I think I'm safe. Lately the patches do more damage than the vulnerabilities. I remember you stating that you have SP1, but with your security setup, I believe you're fairly safe :p .

    @Erik How do you ensure that an image you update/revise is malware free? Say you're testing software and want to keep it permanently, what ensures that your new image is 'clean' before saving it? My personal view would be to scan it with multiple updated scanners. It's not 100% either and would take some time, but the peace of mind would be nice. I'm not criticizing, I'm looking for opinions as that is one of my concerns that I have before I try SCT.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    All my softwares are legitimate software on CD or downloaded from their homepage.
    If you consider legitimate softwares as infected, then my frozen snapshot is indeed infected.
    All the software I daily use are known products at Wilders and I have all the softwares I need for work and hobbies.

    Why would I download an unknown software and install it permanently.
    I download and install many softwares, just to see them, not to keep them and I only have to reboot to get rid of them without leftovers.
    I'm not a collector of softwares, I only use softwares I really need.

    If I ever find a useful software, I download it, try it as long as needed, ask Wilders if necessary, then :
    - turn off internet,
    - unfreeze
    - disable Anti-Executable
    - install the software
    - enable Anti-Executable
    - turn on internet
    - refreeze
    - reboot
    This is only for my on-line snapshot, my off-line snapshot is like a computer without internet.

    As long as I don't need new software, I have a good life on my computer, compared with the past.
    I don't do anything anymore to maintain my computer, except reboot, work and backup and one monthly defrag.
    When something happens, I don't need to know the cause and I don't need to know how to fix it, just reboot.

    Now I'm looking for softwares to stop the installation/execution of malware.
    I don't know anything about malware and anti-malware, so I depend on Wilders as usual, but I never write disaster posts at Wilders. :)
     
    Last edited: May 13, 2007
  19. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I agree that downloading only known and tested programs is advisable. I still scan new updates and all downloads with at least 3 scanners, even updates to my security programs. Maybe I'm just a little paranoid. :D Better to be safe than sorry.

    I think what attracts me to this type of program is the ability to try new stuff and surf to where I want. I'm still learning about my defenses and will probably always have at least a couple real-time apps running no matter what setup I'm using. We seem to be taking opposite approaches to the same solution. To be honest, I have no idea yet how vulnerable I am running FF w/noscript as a LU via drop my rights behind a NAT router, updated software and many services disabled. I'm willing to bet my paranoia is unwarranted. I have only had one virus in 2001 that spread to thousands of files and that's when I woke up. My machine was hosed and I reinstalled. I find it very interesting all the different approaches that users take or don't take for protection. Thanks for your reply. Cheers, innerpeace
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is the main attraction too of FDISR and you still can work like you do now with all your security softwares. My approach is probably too new and is still not finished, but it keeps me busy. I'm more a thinker, than a worker. :D
     
  21. EASTER.2010

    EASTER.2010 Guest

    Like me :D Plus you also have that unique uncanny knack for driving a point home hard & long enough until the right answers finally surface.

    I like it when no stone is left unturned. :cool:
     