Can someone please explain...

So wait, does restoring snapshots or system images wipe these types of viruses??

Does returnil utilize and construct a system image of the underlying OS or does it utilize a buffer area on the dis to save changes?

I think theres a big difference

 

You are a little vague about what you mean exactly.

None the less, an image is a "whole picture" of the partition/drive. Restoring an image replaces whatever is on the disc with what is in the image. So anything, virus or desired data, is gone.

Snapshots, like what rollback software uses, is much the same. The difference is, AFAIK, that snapshots you can save a state and rollback or rollforward. Suppose that yesterday you made a snapshot of the system with no virus. Tommorrow you make another snapshot with the virus. You would be able to choose to load either image. Obviously then yesterdays snapshot would leave you in a clean state, and tommorrows snapshot would leave you in an infested state. The idea is to keep a clean snapshot to go back to, then deleting (if you desire) the snapshots that are 'tainted'.

I don't use rollback software too much, but believe most of them operate this way. Someone who uses them all the time might correct some of that though.

Sul.

 

Ok let me try and clarify;

1. Does system resotration with imaging software guarantee a clean system after running safesys and tdss?

2. If LV software supposedly relies on imaging and runing the default OS as a disposable image then why could they not disinfect the system in practice?

3. From what I understood is that LVs use disk cache buffer rather than imaging -- please feel free to correct me if Im wrong

 

Simplistic view...

1. Done properly, yes, they should.
2. Because it's not an imaging based approach. It's not a disposable image.
3. LV's use various schemes that are basically some form of redirection to a transient location. Go below the level at which redirection is achieved, and you simply don't have that needed redirection anymore.

Blue

 

You can either take a "picture" of your partition from within Windows or outside Windows.

If you work within Windows, using driver-based redirection, then, as has been demonstrated, the possibility exists that the driver's redirection can be bypassed, the underlying partition modified permanently, and your restore points compromised. The risk generally lies in executing stuff with administrator privileges while your actions are being redirected.

If you work outside Windows (I use BootIt NG), the partition "picture" you choose to restore is identical to the one you created.

 

You are right.

 

Just one theory...

What´s up if the malware is on memory and it detects that certain components have been removed from disk and the malware installs them again before the imaging solution reboots?

 

Well, one would have to ask this question then, how is malware going to stay in memory when a reboot is needed to get into an environment that you can restore an image with? Using Macrium, I boot into a PE type environment (bartPE, Win7RescuePE or Linux). In order for there to be an issue, I would imagine that the malware should somehow defeat the loading of the PE.

When you boot with an optical media, how can this happen? Impossible?

When you boot from image file located on hdd, is it possible for boot code to contain a malware? I use GRLDR but might use boot.ini (NTLDR) or BCD. Technically the boot loader is already touched before the PE actually loads. Do malwares effect these situation? If so, then perhaps it is loaded into memory during this point, and stay resident into the PE environment.

One thing should be certain, using traditional disc/partition images, and booting from optical/other media than hdd then frees you of this scenario.

Question then, if you get an MBR, can it survive when the image replaces the MBR with that of the image? Is FDISK needed? Never thought about it till now, but perhaps the imaging software like Macrium that will replace the MBR with what is in the image is a bonus feature. I do it anyway.

Sul.

 

Is required to boot Macrium Reflect from a PE type environment to restore an image or can be restored from an already booted system?

 

Well, if you want to restore the current OS drive, then yes. Restoring a data partition or currently active but NOT booted partition/drive, then you can do it from within the booted OS. At least, that is how I have always done it. Maybe you can do it from within the booted OS, I don't think so though.

Sul.

 

Re. Macrium,you can only restore the active system drive from the boot cd or rebooting and initiating from the Windows boot menu (Pro version only).