Cannot Data Anchor some files/folders

Discussion in 'FirstDefense-ISR Forum' started by Defenestration, Oct 26, 2006.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I have been trying to use Erik's philosophy of using a Frozen Snapshot, but trying to make it as easy to use for everyday usage. The main problem AFAICS with using a frozen snapshot is that program settings/data are not saved and always revert back to the frozen settings/data on reboot. Because of this I've been moving all data/settings to a separate partition where possible. However, I have run into a problem with using Kaspersky Anti-Virus 6. It's possible to move most of the settings to a separate partition, but it's not possible to move four data files (used for determining if files have already been scanned) which reside in the system32\drivers folder. This location is currently hard-coded by Kaspersky so I have made a feature request to allow them to be moved. In the meantime, I tried to data anchor these four files but FD-ISR won't allow me to.

    I can understand why it's normally a bad idea to data anchor any files/folders in the WINDOWS folder and below, but don't understand why there is no way to override this limitation (e.g. an option "Allow data anchoring of sensitive folders" which is disabled by default) to allow data anchoring if the user needs to. This is another case of bad design where you limit what the user can do for good reason, without giving them the option to override when required.

    This makes it hard to work with the Frozen Snapshot philosophy for day-to-day usage, at least when using KAV 6.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Do you "refreeze" your frozen snapshot to keep the updates, or do you "unfreeze and freeze" the frozen snapshot? o_O
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Anchoring allows you to update software in a frozen snapshot, but when malware targets your anchored objects, you will be infected.

    An alternative to anchoring is unfreeze and freeze, but that isn't 100% safe either and you have to do it this way:
    1. Reboot (= clean snapshot)
    2. Update your software.
    3. Unfreeze and freeze (not refreeze)
    4. Reboot.
    But there is a weak period between these two reboots. You have to ask yourself: "Is updating software safe or not, when you don't do any other online activity?"
     
    Last edited: Oct 26, 2006
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I'm trying to move ALL settings/data, including AV databases, which change regularly to a separate partition. This way, I don't have to worry about data anchoring or re-freezing, but simply use my system as normal with the added benefit of a frozen system partition. A Set-And-Forget system :)

    However, there are currently a few files which I cannot move due to the path being hard-coded in the apps. I have submitted feature requests for any apps which suffer from this problem. Until these requests are implemented I was looking to data anchor these files, but cannot due to a limitation of FD-ISR.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I didn't try this yet, because I knew in advance that this could become a problem. It is normal that some software isn't designed for this, because the developer didn't expect that users would ever want to do this.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Hi Defenestration

    The Freeze function may not be the best for many users. I don't use it. Erik's application is good for him. But the KAV problem you are experiencing is one of the reasons why. I can also tell you from being involved with the Kaspersky betas for quite a while, that there is probably very little prospect of getting them to make the location of those files optional, and for good reason. They want to protect them.

    I would suspect for your use just keeping two snapshots you can work with might work better.

    Pete
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My reasoning is that I don't need scanners anymore in a frozen snapshot.
    I only need two kinds of security software in my frozen snapshot:
    1. Software that PREVENTS INSTALLATION of malware, the very best protection (1st layer)
    2. Software that BLOCKS EXECUTION of possibly installed malware (2nd layer)
    I don't need software to REMOVE malware, because my frozen snapshot takes care of that, more reassuring and much faster than any full scan. (3rd layer)

    Of course this is very difficult for users, who only trust the classic protection.
    Even when they use a frozen snapshot they still stick to their old security setup.
     
  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Just had confirmation from grnic on the Kaspersky forum that they can't move the fidbox files I was referring to, because Microsoft says they have to be there as part of the certification program. :(

    I guess I'll probably go with the 2 snapshot solution as Pete mentions, although I'm trying out Rollback Rx as well at the moment.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You will have the same problem with RollbackRx, only the method will be different, but RB is faster and that might reduce the pain. Keep us posted. :)
     
  10. cthorpe

    cthorpe Registered Member

    Joined:
    Jun 30, 2006
    Posts:
    168
    Location:
    Texas
    What about making a hard link using fsutil? I haven't used this myself, but it seems like it should work. I have used the junction tool from sysinternals to do whole directory hard linking to move hard coded configurations and profiles off my frozen drive.

    Example of fsutil:

    If I wanted to retain C:\Windows\system32\drivers\somedriver.dll I could move the driver to another location on the C drive and then do

    fsutil hardlink create C:\Windows\system32\drivers\somedriver.dll C:\Newlocation\somedriver.dll

    Then I could anchor C:\Newlocation\somedriver.dll (or anchor the whole folder if all you have in it is those four files)

    Please make sure you have a backup snapshot in case this causes problems.

    C
     
    Last edited: Oct 29, 2006
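    The relocate-and-hard-link step described in the post above, written out as a PowerShell script (an added example, not from the thread or from FD-ISR/Kaspersky; the `somedriver.dll` and `C:\Newlocation` paths are placeholders). It uses `New-Item -ItemType HardLink`, the PowerShell 5.1+ equivalent of `fsutil hardlink create`, and adds the checks a practitioner would want: both paths must be on the same NTFS volume (hard links cannot cross volumes), the original must not already be a link, the move is rolled back if the link cannot be created, and the result is verified by hash and link type before you go on to anchor the new folder.

    ```powershell
    # Added example (not from the thread): move a file with a hard-coded path to a
    # folder that FD-ISR can data-anchor, and leave an NTFS hard link at the
    # original path so the application still finds it. Run from an elevated
    # PowerShell 5.1 or later session. Paths below are placeholders.
    param(
        [string]$OriginalPath = 'C:\Windows\system32\drivers\somedriver.dll',  # placeholder
        [string]$AnchorFolder = 'C:\Newlocation'                               # placeholder
    )

    $ErrorActionPreference = 'Stop'
    $newPath = Join-Path $AnchorFolder (Split-Path $OriginalPath -Leaf)

    # Hard links only work within one volume: refuse anything else up front.
    if ((Split-Path $OriginalPath -Qualifier) -ne (Split-Path $AnchorFolder -Qualifier)) {
        throw "Hard links cannot cross volumes: $OriginalPath and $AnchorFolder differ."
    }
    if (-not (Test-Path -LiteralPath $OriginalPath -PathType Leaf)) {
        throw "Source file not found: $OriginalPath"
    }

    # Do not touch a path that is already a hard link, junction or symlink.
    $item = Get-Item -LiteralPath $OriginalPath
    if ($item.LinkType) {
        throw "$OriginalPath is already a $($item.LinkType); nothing to do."
    }

    New-Item -ItemType Directory -Path $AnchorFolder -Force | Out-Null

    # Record the content hash so the result can be verified after the move.
    $before = (Get-FileHash -LiteralPath $OriginalPath -Algorithm SHA256).Hash

    # Step 1: move the real file. This fails if a driver or service holds it
    # open, in which case nothing on disk has changed yet.
    Move-Item -LiteralPath $OriginalPath -Destination $newPath

    # Step 2: put a hard link back at the original, hard-coded path.
    try {
        New-Item -ItemType HardLink -Path $OriginalPath -Target $newPath | Out-Null
    } catch {
        # Roll back so the application still finds its file at the old path.
        Move-Item -LiteralPath $newPath -Destination $OriginalPath
        throw
    }

    # Step 3: verify both names resolve to the same content and that the original
    # path now reports as a hard link ('fsutil hardlink list' shows the same).
    $after = (Get-FileHash -LiteralPath $OriginalPath -Algorithm SHA256).Hash
    $link  = Get-Item -LiteralPath $OriginalPath
    if ($after -ne $before -or $link.LinkType -ne 'HardLink') {
        throw "Verification failed for $OriginalPath"
    }

    Write-Output "OK: $OriginalPath is now a hard link to $newPath (sha256 $after)"
    Write-Output "Next: data-anchor $AnchorFolder (or just $newPath) in FD-ISR."
    ```

    Because a hard link is just a second directory entry for the same file, whichever name the application writes through updates the single copy, so anchoring the new folder captures the changes. The same-volume check matters for this thread's goal: a hard link cannot put the file on a separate data partition, only into an anchorable folder on the same drive.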
  11. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Sounds promising. I'll give it a go. :)
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Guys, keep in mind Erik is doing something somewhat unique.

    The freeze function is intended as a school might use it. Mainly to set it back to a specific state at the end of the day. For most users just using two normal snapshots and the copy/update is a better option. Trying to make the freeze option something it isn't and then moving all sorts of things around to make it work is akin to scratching your left ear with your right hand. Just because the feature is there doesn't mean you have to use it.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Hi Defenestration

    Just dawned on me it wouldn't make any sense to anchor the fidbox data files even if you could. I could be sneaky and see if you can figure out why, but I won't. The reason:

    KAV of course uses them for the iSwift technology to keep track of what has been scanned. It uses the NTFS security descriptors to determine both if a file has changed and been moved. So if you scan in snapshot A, and then go to snapshot B and scan with the same fidbox database, it will see all the files as moved, rescan and redo the database. Going back and forth between snapshots and scanning would negate the point of even having those files.

    Since I only use two snapshots, and always use the secondary for the purpose of either saving myself, or dodgy surfing, I just do scanning in my primary.

    Pete
     
  14. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Good point Pete! :cool: I was originally thinking of anchoring the fidbox files when using a Frozen snapshot, which I was thinking would work?

    Regarding your usage of FD-ISR... would I be right in thinking that when you have a problem with your primary snapshot you boot into your secondary snapshot, and Copy/Update from this to your primary, then reboot back into your primary snapshot?

    How often do you Copy/Update from your primary to your secondary, and do you do it on a schedule?

    Also, when doing a bare metal restore I take it your IFD image already has FD-ISR installed on it, and you then restore from an archived FD-ISR snapshot?

    Apologies if you've answered these before but I'm feeling a bit lazy :blink:
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Regarding my usage you are right. Also sometimes if I really don't think I will want to keep something, I will just boot to the secondary snapshot, do it there, and then boot back to primary and do a copy/update.

    I generally refresh (copy/update) my secondary every night, or just before I am going to do something whose outcome might be questionable.

    As to images for bare metal restore: I do have a couple of early images with one snapshot and just FDISR installed, and I have restored them and then restored the system with the FDISR archives. But my current images are of the disk as is, both snapshots and FDISR.

    Pete
     