Cyberhawk and FDISR copy/update errors

Discussion in 'FirstDefense-ISR Forum' started by Longboard, Dec 9, 2006.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Have had CH on one of my snapshots for a look+see: all good
    Went to copy to another snapshot and got some errors: see attached

    All of these are Novatix drivers.
    Retried: same errors.

    Disabled CH: retry: no errors.
    Interesting.
    Wonder if these files are protected in some way from VSS?

    Anybody else have similar, or do I need to give Raxco a call?

    Regards.
     

    Attached Files:

  2. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Hi Longboard,

    Thanks for bringing this issue to our attention. We were able to reproduce in-house; this appears to be related to the security hardening in Cyberhawk. What I suspect is happening is FDISR is attempting to change the attributes for the CH drivers. I sent a question to Raxco's support inquiring about the error message to see if they can shed some light on what FDISR is attempting to do and what the error means.

    Thanks!

    Armando
    Novatix Corporation
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,045
    I am sure that's what is going on. I know with ProcessGuard, if you didn't disable it, FDISR couldn't copy the settings files.

    If you can disable Cyberhawk, try that. That will tell you.
     
  4. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    To Novatix: thank you
    Look forward to what unfolds

    Hey Pete I think you are right: see the OP
    Raxco support has sent some new copy engines for me to test
    Interesting that FDISR has no issues with other HIPS so far ??
    Wonder how SSM, DW, Prosecurity et al might go?

    CH has popped up a couple of times so far so something is working

    I'll let you know.

    Great response from both companies.
    No "it's not our fault it's theirs" crapola.
     
    Last edited: Dec 12, 2006
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    OK :thumb:
    Raxco sent me a new copy engine and I redid the copy/update
    No errors

    How 'bout dat? :)

    I wonder how many custom copy.exe are out there. ??

    I'll let Novatix know.

    Just one more little prob o_O
    My Hosts file seems to have been wiped after copy/update and direct boot to back-up snapshot.
    Also gone when I direct booted back to Primary. :doubt:

    More e-mails for christmas.
     
  6. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    FYI, I know that Comodo Firewall isn't a pure HIPS, but the latest beta has access/modification protection of some Comodo files, and FirstDefense cannot copy those files to a snapshot. But disabling a rule in Comodo will release the protection, and FirstDefense can copy everything belonging to Comodo.

    So I guess if Cyberhawk (or other HIPS with this kind of protection) doesn't have an option to "unprotect" itself temporarily, then one has to disable Cyberhawk/other HIPS during creation/updating of the snapshot. As Peter2150 says.
     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    OK
    Fixed :)
    Couple of e-mails back and forth

    FDISR now copies snaps with CH enabled and disabled: No errors.
    Nil other software errors currently
    Direct boots and boots from PreBoot to any snap without probs.
     
  8. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    I was revisiting this thread because I am reviewing CH
    Sukarof's post was interesting.

    Any issues with other HIPS apps?

    PrevX: No issue so far.
    SSM?
    DWall?
    OA

    Sandbox issues
    GES?
    Bufferzone?
    Greenborder?
    I suppose it must be those apps that try and protect themselves ??
    Suspect we would have heard by now

    Oops, I have just been through some of the other threads and seen exactly that, so: trash this thread. LOL
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,045
    No issues with Prevx1 or OA. I also had no issues with SSM when I was using it. I always disable KAV, so I don't know about its self-protection.
     
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    I guess this thread and a couple of others serve to remind us that with FDISR (and any other utility that may use VSS) there is a potential problem.

    Really Leapfrog or Raxco should probably make a list of more than there is on the web site or make some more specific guidelines.

    It's not that almost anything we have found is not fixable with their help or otherwise but it might simplify some problems that have been found. ??

    From the website this was all I could find.
     

    Attached Files:

  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    And this
     

    Attached Files:

  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,045
    I discovered another gotcha when using FDISR with VSS. I installed ShadowProtect, which uses VSS. First copy/update I did with FDISR, I sat and watched wide-eyed as FDISR merrily deleted every file in the target snapshot. It was a repeatable error. Solution was to change FDISR back to RSS.
     
  13. Minimax2000

    Minimax2000 Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    204
    Location:
    Switzerland
    No problems with SSM 2.3.0605, Outpost Firewall 4.0 and Dr. Web in conjunction with FD-ISR.

    Frank
     
  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    :eek: :eek: :eek: :eek: :eek:
    Holy shite.
    Could you elaborate a bit?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,045
    Nothing to elaborate on. When I started the copy/update, FDISR merrily started deleting the files in the target snapshot. First time, my chin almost hit the floor. Reset to RSS and fixed it. Reset back to VSS and it did the same thing. It only happened once I installed ShadowProtect with its VSS service.

    Frankly, I like FDISR much better with RSS anyway.
     