FD-ISR with Virtualization app?

Discussion in 'FirstDefense-ISR Forum' started by Perman, Feb 28, 2007.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Up until the middle of last year, I used FD-ISR with two different snapshots with different security setups, and it worked very well for me. Later that year, I uninstalled FD-ISR and replaced it with DeepFreeze, and that works very well for me too. Now I am contemplating an idea to pair them up. I like FD-ISR being able to provide me two different setups (just like having two PCs) and DF being able to supply me a solid sense of security. Has someone had a similar experience and would like to share it with us? (Any virtualization app, such as Power Shadow or ShadowUser etc.?) Any downside you know of? Thanks.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    My only question would be why bother. I accomplish the same thing with FDISR.

    I have one primary snapshot. My secondary snapshot is a stripped-down version just for a place to boot. I also keep a current (you could keep two) archive of primary. Updating the archive takes literally a minute. Same coming the other way. So if I want to do any questionable surfing, I update the archive. Then when done, I boot to the secondary, update the primary from the archive and then boot back. Just simpler than having two programs that potentially can bump heads.

    Pete
     
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Peter, thanks for the valuable advice. Let me recap what you advised: I have a primary, an archive of primary, and a stripped-down secondary. Prior to any questionable surfing, I would update the archive snapshot, and use the primary SH to surf. When it is done, instead of rebooting to primary (which may be infected), I would boot into secondary, and from there refresh primary with the updated archive. I think it is a smart plan. However, I do have a security concern, namely, how secure is this primary SH? (1) Are all system files protected and included in those snapshots? (2) If not, suppose the PC got infected for any reason while surfing using the primary SH; would these malwares somehow spread over to system files which are not included in the snapshot and share the same partition with all other SHs? I have had a regrettable incident where an unknown trojan made its way into system files and infected all those files during rebooting. I have a doubt that the $ISR file contains system files (c:/WINDOWS), because the size of $ISR is not the same as the one used before creating the SH, i.e. the total size of used disk space is 10 GB, and the size of the primary SH ($ISR) could be somewhere less than that, if I remember correctly. I know for a fact that DF can secure the whole drive, and can erase anything after rebooting. This is exactly the reason for me to come up with such a crazy idea to pair them up. Any advice is most welcome.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Perman,

    I trialed Faronics' Anti-Executable in a frozen snapshot for a while and it worked to a certain level.
    I couldn't run AE on its maximum security, because I had troubles with the automatic restore of the frozen snapshot, which is in fact a copy/update.
    AE on its maximum security doesn't allow copying of certain files anymore.
    So I had to unmark a few settings, but not too many.

    I'm not happy with my frozen snapshot, because it doesn't work like I expected. All my problems with it are caused by security software, but I'm not in the mood to figure it out. I have other interests at the moment.

    Wilbertnl tried ShadowUser in a normal snapshot and that worked also, but I never heard anything about it after that.

    I think you had better do these experiments yourself, if you really want to see if it works or not, and share the results with other members.

    One thing is sure: FDISR is NOT security software, and any on-line snapshot is vulnerable to malware of any kind.
    I don't consider restoring a snapshot to its original state as security. FDISR detects changes, not malware.
    Image backup software isn't security software either.
     
    Last edited: Feb 28, 2007
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    No doubt while doing dodgy surfing the primary snapshot might get infected, and when I do dodgy stuff, I actually run more of my security stuff. But I would say the secondary snapshot, or the archive, really aren't much at risk, so even if the primary snapshot got infected odds are the secondary is okay. Updating the primary from the archive should restore the state of the machine at the time of the primary, and wipe out any infection.

    Pete
     
  6. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    A bit off topic but I have successfully used FD-ISR rss and ShadowSurfer together. I tried DeepFreeze once a year ago and it didn't like my Nvidia chipset. If you can be satisfied with ShadowSurfer, then I would suggest you try the pairing.

    SourMilk out
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    FDISR is one of the fastest software tools for cleaning your computer, and it doesn't really matter how you do it, rollback snapshot, archived snapshot or frozen snapshot, because they are all variants of COPY/UPDATE.
    If it is done right, we are talking about a 100% removal of malware, much better and faster than any group of scanners and without false positives.

    But your computer is still vulnerable between two COPY/UPDATES, and that's why you need security software in each online snapshot:
    - to stop the installation of malware.
    - to stop the execution of malware.
    FDISR only takes very good care of the REMOVAL of malware, because FDISR considers them as CHANGES.
    FDISR doesn't recognize BAD CHANGES (= malware); that's why FDISR also removes the GOOD CHANGES, like security updates, ...

    In order to keep the GOOD CHANGES you normally have to copy/update your rollback snapshot, archived snapshot or freeze storage, and if your primary/work snapshot is infected at that moment, your rollback snapshot, archived snapshot or freeze storage will also be infected. That is IMO a problem.
     
    Last edited: Feb 28, 2007
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    The last situation is where the real software has to be working. That is the software between your ears.

    During the work day, I have my security software on but at a lower level. I don't do anything remotely risky.

    Then afterwards, if I am going to go to stuff that might be risky, I first refresh my archives. Then I crank up the security software and have at whatever I want to do. Once I stop whatever I am doing online, I then reboot to my secondary to refresh the primary. Anything that might have gotten into the primary is out of play once the boot into the secondary starts. So I would consider the risk during reboot very minor if one uses his/her head.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I fully agree with your post, because that's the only way to reduce the risk to an absolute minimum.
    You must have a lot more faith in your security software than me, because I consider my computer as POSSIBLY infected, once I go on-line.
    That's not because I'm paranoid, but it's a fact that none of this security software is perfect. So the possibility of getting malware is always there.
    If I ever get infected, my on-line snapshot will be the cause, not my off-line snapshot. :)
    The only thing I really trust are my clean images/snapshots created when my computer was still off-line and I keep those apart from my daily images/snapshots.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I do in a way, Erik. During the day, my "online" consists of two programs connected to a data server for financial data, Outlook getting email, and visiting Wilders and the Online Armor forum. While doing that, I have KAV on, Prevx1 on in family mode, SSM on in learning mode, and Online Armor with Firewall (beta) on.

    Then if I want to get frisky in the evening, I first update my FDISR archive, switch Prevx1 to expert mode, turn off learning mode in SSM, and fire up SuperAntiSpyware to run real time. Then I do whatever online stuff I want to, and when done, I boot to secondary and refresh primary, wiping out anything that may have happened.

    So far so good.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Peter, if I can't solve my problems with my frozen on-line snapshot, I will use the method you described.
    The only reason why I didn't use that method is the missing on-demand schedules, and schedules are safer to use.
    I use on-demand schedules in ATI also: no mistakes in source/target and easy to start.
    Frozen snapshots are even better; they work fully automatically.
    Unfortunately frozen snapshots and security software don't go together very well. The problems aren't severe, but very annoying.
     