Copy/Update vs. On Demand Scanners

Discussion in 'FirstDefense-ISR Forum' started by ErikAlbert, May 6, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    FDISR doesn't replace all security software, but it can replace any on demand scanner.

    On demand AV/AS/AT/AK/AR-scanners are normally used to scan your computer one time a day, because you can't run them constantly.
    If this scanner detects a malware on your system, it means that this malware has been on your system for quite some time (the period between two scans) and could have done its evil job already; that's too late.
    Using an on demand scanner once a week is absurd, because if it finds a malware, it means that this malware has been on your system for 1 up to 7 days, time enough to execute itself.

    The copy/update function of FDISR does EXACTLY the same thing + extra advantages:
    - copy/update has no missing signatures like on demand scanners, so no incomplete removal.
    - copy/update has no false positives like on demand scanners, so no possible system damage.
    - copy/update replaces ALL on demand scanners, while on demand scanners have to run one by one.
    - copy/update is much faster than the total scan time of ALL on demand scanners.

    The MAIN AV/AS/AT/AK/AR-scanners are only useful if they have a real-time shield, because that real-time shield will protect you during the period between two scans or two copy/updates.
    If they don't have a real-time shield, they have the same function as on demand scanners and are therefore worthless as real-time protection.

    Conclusion: if the source snapshot of a copy/update is clean, you don't need
    - on demand AV/AS/AT/AK/AR-scanners anymore.
    - main AV/AS/AT/AK/AR-scanners WITHOUT real-time shield anymore.

    If you don't agree with me, challenge me.

    PS: this has nothing to do with frozen snapshots. I'm talking about NORMAL snapshots; frozen snapshots are in fact the same as normal snapshots, and what has been said counts for frozen snapshots also.
     
    Last edited: May 6, 2007
  2. EASTER.2010

    EASTER.2010 Guest

    ErikAlbert, you bring up some very important differences AND advantages, like you say, based on FACT! No one will ever get an argument from me over that about the FD-ISR feature of snapshots.
    The list above even takes me aback, because most PC users even today have for so long taken for granted relying on On-Demand scanners, so long as obvious forced entries are removable for them, that they have escaped enough.

    FD-ISR begs to differ and proves how advantageous it really is in the face of On-Demands. For me, FD-ISR in this instance almost mirrors an imaging solution, even though it's in reality a formidable rollback recovery app that can also step up in so many other ways, even more useful and certainly more complete than On-Demand scanners, as you so vividly and rightly point out.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    For me there is a big flaw in your argument, Erik.

    I will update my FDISR archive tonight before I shut down. Then I will work all day tomorrow. Depending on what I do on each of the machines, by the end of the day tomorrow I might not want to set them back to the way they are tonight. Hence I will run a quick scan with KAV and then refresh the FDISR archive.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You are right, Peter, and I know why.
    I use copy/update from archive to snapshot to keep my snapshot clean.

    You use copy/update from snapshot to archive to keep your archive up-to-date, and your data is also included.
    In order to keep your archive clean, you have to scan your snapshot first.
    So my theory doesn't work in your case. :)
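    The two copy/update directions Erik and Peter describe, modelled as an added Python example (not FD-ISR's own code; the file paths and contents are constructed): copy/update replicates the source, so the direction decides whether an unknown file disappears or is carried into the archive, and a scan before a snapshot-to-archive refresh only helps for files it has a signature for.

```python
"""Model of FD-ISR copy/update direction (added illustration, not FD-ISR code).

A snapshot or archive is modelled as a dict path -> content.
copy_update(src, dst) makes dst an exact replica of src, as the thread describes.
"""
from typing import Dict, Set, Tuple

Snapshot = Dict[str, str]

# Constructed sample paths; they stand for "today's work" and "an unknown dropper".
DATA_FILE = "C:/Users/me/report.doc"
MALWARE_FILE = "C:/Windows/Temp/x.exe"


def copy_update(src: Snapshot, dst: Snapshot) -> None:
    """dst becomes a replica of src: files only in dst vanish, src files are copied."""
    dst.clear()
    dst.update(src)


def on_demand_scan(snap: Snapshot, signatures: Set[str]) -> int:
    """Delete files whose content matches a known signature; return how many were removed.
    A file with no matching signature (Erik's 'missing signature') survives the scan."""
    bad = [path for path, content in snap.items() if content in signatures]
    for path in bad:
        del snap[path]
    return len(bad)


def simulate_day(archive: Snapshot) -> Snapshot:
    """A day online: the working snapshot gains real work and an unnoticed unknown file."""
    snapshot = dict(archive)
    snapshot[DATA_FILE] = "todays-work"
    snapshot[MALWARE_FILE] = "unknown-malware"
    return snapshot


def erik_day(archive: Snapshot) -> Tuple[bool, bool]:
    """Archive -> snapshot: the snapshot is rebuilt from the clean archive.
    Returns (malware still in snapshot, today's data still in snapshot)."""
    snapshot = simulate_day(archive)
    copy_update(archive, snapshot)
    return MALWARE_FILE in snapshot, DATA_FILE in snapshot


def peter_day(archive: Snapshot, signatures: Set[str], scan_first: bool) -> Tuple[bool, bool]:
    """Snapshot -> archive: the archive is refreshed from the working snapshot.
    Returns (malware now in archive, today's data now in archive)."""
    snapshot = simulate_day(archive)
    if scan_first:
        on_demand_scan(snapshot, signatures)
    copy_update(snapshot, archive)
    return MALWARE_FILE in archive, DATA_FILE in archive
```

    Erik's direction returns (False, False): the unknown file is gone but so is the day's data, which is why data must live outside the snapshot; Peter's direction keeps the data and keeps the archive clean only when the scan actually has a signature for the file.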
     
  5. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Hi Erik, your argument / point does have a lot of merit, though I can imagine it may upset some thinking. Not to worry. As Peter has pointed out, however, like most things it will not suit everyone. For me I am not sure, but you have definitely given me something to consider. I will have to monitor my activities over a couple of days with a view to adopting this type of regime, to see if it is practical or not. I can immediately see that, if practical, it brings a significant difference to the way I look at security.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Actually Erik's idea is a good one if your machine is static from day to day. Even excluding data, which I could deal with, my machine isn't.

    The beauty of FDISR is there is a bunch of ways to use it that are totally different. They just don't all work for everyone.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, it requires A LOT OF THINKING, if you want to deviate from the standard usage of snapshots.

    I have two things:
    1. A freeze storage (= archive) of my on-line snapshot, that is based on an OFF-LINE installation, which means that this archive is guaranteed clean.
    2. A frozen snapshot, which I daily use, while I'm connected to the internet.

    My freeze storage is a very powerful tool to keep my system partition 100% CLEAN, MALWARE-FREE and TROUBLE-FREE.
    I only need to reboot, when something bad happens and I have my perfect system back in 100 seconds.
    I don't want to give up my freeze storage easily.

    The problem is that I can't copy/update from frozen snapshot to freeze storage, at least NOT on-line, because that would possibly infect my freeze storage and I don't want this to happen.

    That's why I don't want any security software based on blacklists, because they all need DAILY updates of signatures ON-LINE, and if I want to keep these updates, I have to copy/update from frozen snapshot to freeze storage, and that's what I don't want. :)
     
  8. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Provided one adopts a strict routine, I think the risk of infection can be dramatically reduced. At first boot each day I boot to my secondary snapshot and copy/update to the primary; this removes anything picked up online yesterday. Then I boot to my primary and immediately update my anti-virus and copy/update my secondary. The window of opportunity for infection, I believe, is very small. All my surfing takes place sandboxed, as Sandboxie works for me.
    If you have any thoughts, ideas to improve on this please feel free to comment.
     
  9. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    This is a little off topic, but I'd like to share a realization I had. I'm sure most have had this occur to them already, but for my fellow newbies, I think that you should do an update/copy of your secondary snapshot immediately BEFORE you install any software or download. That way if the new app doesn't work out, you can boot to a completely updated secondary snapshot to get rid of the offending app. :)
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, that's one of the methods I described in this thread:
    https://www.wilderssecurity.com/showthread.php?t=170989
    I only used an archive instead of a secondary snapshot. Archives are safer, and then your secondary snapshot can be a stripped down snapshot, like Peter has.
     
  11. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Bear with me here Erik, but why would an archive be safer than the secondary snap in this situation?

    ...and yes, I believe my practice came more or less from what you outlined in that post; certainly I read that post and liked the idea.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Archives are usually stored on an off-line external hard disk, or at least on another partition of an internal hard disk, and that is always safer than a secondary snapshot that is constantly exposed to the internet.
     
  13. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Ok, I understand now. In my case I have not partitioned my drives, and use no external drives; maybe something I should look at going forwards. I've always stayed away from external drives, as from what I have read they have a woeful failure rate. Lack of a partition I'd just have to put down to inexperience / ignorance :(
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I used partitions on my external hard disk, not anymore, but it was possible. Until now it never failed.
    If you ever buy one, make sure it's big enough, which will give you enough elbow room to manipulate your internal hard disk(s). Sometimes several images are also handy for reinstalling your system from scratch, like CLEAN images and DAILY images.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Tradetime.

    The concept of updating a secondary snapshot or an archive before a software install is almost a religion here. Every now and then I get lazy and don't bother and..... (you can fill in the blanks)

    The question of why an archive as opposed to a snapshot: for me, simple disk space. My primary snapshot is a bit over 16 gig. My secondary is slightly under 4 gig. So when I image, the total is 20 gig. If I went with two full snapshots I would be imaging 32 gig. Plus the archive works just as well as the snapshot; in fact it is much quicker.

    Pete
     
  16. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Restoring to known good images and/or snapshots makes more sense to me than either real time or on demand security software.

    Every so often I do run an on demand scan just for fun. Today I tried NOD32, and as expected it found nothing. So I just restored to yesterday's full image with Acronis. On another machine I would have used FD-ISR. Same basic concept.
     
  17. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Ok, thanks for the views, some more food for thought :) Still early days for me with FD.
     
  18. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    can't or won't?

    Or to ask another way, the program itself will not allow it (or it does not have that option), or it is just a matter of personal choice?

    I am not criticizing your methods. You have very strong ideas of what you want a program to be; it makes it hard for me to determine if it is a technical reason or not.

    Mike
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can do it, but I don't want to do it, because it will possibly infect my freeze storage and that would be the end of my clean, malware-free and trouble-free system partition. I want to solve each problem caused by myself, the bad guys or the good guys with a simple reboot, EXCEPT problems that corrupted FDISR or a harddisk crash.
    These two problems will be fixed by restoring an IMAGE.
     
    Last edited: May 7, 2007
  20. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    OK... no problem... :D :D

    Mike
     
    Last edited: May 11, 2007
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have no problem with positive criticism, on the contrary, because it can improve my methods.
    So please break it down, if you can. :D
     