Cannot Data Anchor some files/folders

I have been trying to use Eriks philosophy of using a Frozen Snapshot, but trying to make it as easy to use for everyday usage. The main problem AFAICS with using a frozen snapshot is that program settings/data are not saved and always revert back to the frozen settings/data on reboot. Because of this I've been moving all data/settings to a separate partition where possible. However, I have run into a problem with using Kaspersky Anti-Virus 6. It's possible to move most of the settings to a separate partition, but it's not possible to move four data files (used for determining if files have already been scanned) which reside in the system32\drivers folder. This location is currently hard-coded by Kaspersky so I have made a feature request to allow them to be moved. In the mean time, I tried to Data anchor these four files but FD-ISR won't allow me to.

I can understand why it's normally a bad idea to data anchor any files/folder in the WINDOWS folder and below, but don't understand why there is no way to over-ride this limitation (eg. an option "Allow data anchoring of sensitive folders" which is disabled by default) to allow data anchoring if the user needs to. This is another case of bad design where you limit what the user can do for good reason, without giving them the option to over-ride when required.

This makes it hard to work with the Frozen Snapshot philosophy for day-to-day usage, at least when using KAV 6.

 

Do you "refreeze" your frozen snapshot to keep the updatings or do you "unfreeze and freeze" the frozen snapshot

 

Anchoring allows you to update softwares in frozen snapshot, but when malware target your anchored objects, you will be infected.

An alternative for anchoring is unfreeze and freeze, but that isn't 100% safe either and you have to do it this way :
1. Reboot (= clean snapshot)
2. Update your softwares.
3. Unfreeze and freeze (not refreeze)
4. Reboot.
But there is a weak period between these two reboots. You have to ask yourself : "Is updating softwares safe or not, when you don't do any other online activity ?"

 

I'm trying to move ALL settings/data, including AV databases, which change regularly to a separate partition. This way, I don't have to worry about data anchoring or re-freezing, but simply use my system as normal with the added benefit of a frozen system partition. A Set-And-Forget system

However, there are currently a few files which I cannot move due to the path being hard-coded in the apps. I have submitted feature requests for any apps which suffer from this problem. Until these requests are implemented I was looking to data anchor these files, but cannot due to a limitation of FD-ISR.

 

I didn't try this yet, because I knew in advance that this could become a problem. It is normal that some softwares aren't designed for this, because the developer didn't expect that users ever wanted to do this.

 

My reasonings is that I don't need scanners anymore in a frozen snapshot.
I only need two kinds of security softwares in my frozen snapshot :
1. Softwares that PREVENT INSTALLATION of malwares, the very best protection (1st layer)
2. Softwares that BLOCK EXECUTION of possible installed malwares (2nd layer)
I don't need softwares to REMOVE malwares, because my frozen snapshot takes care of that, more reassuring and much faster than any full scan. (3rd layer).

Of course this is very difficult for users, who only trust the classic protection.
Even when they use a frozen snapshot they still stick to their old security setup.

 

Just had confirmation from grnic on the Kaspersky forum that they can't move the fidbox files I was referring to, because Microsoft says they have to be there as part of the certification program.

I guess I'll probably go with the 2 snapshot solution as Pete mentions, although I'm trying out Rollback Rx as well at the moment.

 

You will have the same problem with RollbackRx, only the method will be different, but RB is faster and that might reduce the pain. Keep us posted.

 

What about making a hard link using fsutil? I haven't used this myself, but it seems like it should work. I have used the junction tool from sysinternals to do whole directory hard linking to move hard coded configurations and profiles off my frozen drive.

Example of fsutil:

If I wanted to retain C:\Windows\system32\drivers\somedriver.dll I could move the driver to another location on the C drive and then do

fsutil hardlink create C:\Windows\system32\drivers\somedriver.dll C:\Newlocation\somedriver.dll

Then I could anchor C:\Newlocation\somedriver.dll (or anchor the whole folder if all you have in it is those four files)

Please make sure you have a backup snapshot in case this causes problems.

C

 

Sounds promising. I'll give it a go.

 

Good point Pete! I was originally thinking of anchoring the fidbox files when using a Frozen snapshot, which I was thinking would work ?

Regarding your usage of FD-ISR... would I be right in thinking that when you have a problem with your primary snapshot you boot into your secondary snapshot, and Copy/Update from this to your primary, then reboot back into your primary snapshot ?

How often do you Copy/Update from your primary to your secondary, and do you do it on a schedule ?

Also, when doing a bare metal restore I take it your IFD image already has FD-ISR installed on it, and you then restore from an archived FD-ISR snapshot ?

Apologies if you've answered these before but I'm feeling a bit lazy