FDISR and Shadowsurfer

Discussion in 'FirstDefense-ISR Forum' started by Peter2150, Feb 4, 2006.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    Hi all

    Anyone else tried using Shadowsurfer with FDISR? I did and just noticed I have a FDISR problem. Can copy and boot to my standard FDISR secondary snapshot, but just noticed I can't add a snapshot and boot to it. Don't know for sure if it is Shadowsurfer related. I've removed Shadowsurfer and the problem persists. Suspect I will have to uninstall and reinstall FDISR. Just wonder if anyone else has tried this.

    Pete
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Good grief, Peter, now I'm glad that I never tried ShadowSurfer, please, keep us informed and GOOD LUCK! :doubt:

    Acadia
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    Fixing FDISR isn't that big a deal. Just an uninstall and reinstall. Only thing is that while it will fix FDISR, it wouldn't conclusively prove Shadowsurfer was the culprit without taking another shot.

    Pete
     
  4. betauser2

    betauser2 Guest

    Peter, just curious to know if you lose your FD-ISR snapshot when you uninstall? Or does it give you an option to delete them?
     
  5. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Betauser2, whenever you uninstall FirstDefense, it will always ask you if you want to keep the Snapshots. That way the program itself is uninstalled but you CAN keep the Snapshots for a future installation of FirstDefense. That way, even a couple of years from now, you can return to your old system as if it were yesterday. BTW, I have only had to uninstall FD once and that was only because Raxco came out with a new version of FD and you had to uninstall it to install the new version, and yes, it kept all of my old Snapshots even though changing to a new version.

    Acadia
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    Hi Betauser2

    Acadia is absolutely right, that you can uninstall and leave the snapshot in place, and I have done so.

    Having said that, if I uninstall and reinstall to fix the problem I've created, I will probably remove the snapshot first. One time way back in my early FDISR experience I had a bad uninstall, and couldn't reinstall, so I ended up having to remove the snapshot manually. That was a 3 hour experience I care not to repeat, so in this case I will remove the snapshot first.

    But normally if all was working right, and I wanted to uninstall and reinstall I wouldn't bother.

    Pete
     
  7. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Any updates?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    Hi Starfish

    Raxco is working with the developer on this one. The error message I am getting is "one that shouldn't be happening." They sent me a boot simulator, which checked my MFT and then tried a simulated boot. Generated a huge log file. No results yet. Worst part is I don't know how long the situation existed so I don't know exactly what caused it.

    Also the problem doesn't interfere with anything else.

    Pete
     
  9. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Thanks for the update - like to know how this turns out
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    I'll keep you posted.

    Edit: Update. I got a second boot simulation to run, and returned the logs. So the Raxco folks are on the case. I'll keep you posted.


    Pete
     
    Last edited: Feb 14, 2006
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    Hi all

    The final update. First in terms of the role of ShadowSurfer, it might have had a role, but if so it was a fluke rather than a flaw. A fluke in terms of the fact it puts a file in the root directory, which in and of itself shouldn't have been an issue.

    In terms of the time passed, remember this was going back and forth from me to Raxco to the developer and back. Then I had to find the time to reinstall FDISR and build a snapshot and test. Inherently there was time lag, but Raxco and Leapfrog were excellent.

    After running the couple of simulations and tests and having the logs reviewed, Greg was able to describe the problem. I am quoting him here, as I'd be hard pressed to paraphrase.

    "You have a relatively large number of files in the root directory. The
    number and names of the files combine to produce a MFT record which is
    very close to full. You also have an extra attribute in the root record
    ($OBJECT_ID). Because the record is so close to full and because of the
    extra attribute the swapover runs out of room in the MFT record and
    fails."

    He also confirmed they were indeed treating it as a bug as it was a condition FDISR didn't detect and couldn't handle.

    They then sent me a fix to run, and then return the logs, before trying anything. Then I caused a mild panic by moving a bunch of the unnecessary files out of the root directory. They wanted the files there to test the fix, sooo I put them back. Then I installed and built a snapshot and ran the fix. Tried swapping to the new snapshot and it failed. Then I cleaned out the root directory and tried another reboot to the secondary snapshot. It failed again. So I uninstalled FDISR, and emailed Raxco.

    Got a response saying it might take two shots of the fix, please try again. So I reinstalled FDISR and built a new snapshot. Decided to test before rerunning the fix. BINGO, it worked fine and has continued to work. Needless to say I am keeping my root C:\ directory clean.

    It is my understanding they are working on a permanent fix for FDISR.

    One heck of a detective job if you ask me. I thank Greg, Raxco and the Leapfrog developers for hanging in there to resolve this issue.

    Pete
     
  12. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Pete,
    Could you PM me with a description of what you did to clean your root directory? Is this something that should be done as a part of regular maintenance?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    Hi Dallen

    Nothing special. The root directory is just c:\. I had a bunch of junk like the KLStreamremover.exe and other stuff like that. To be safe be sure system files and hidden files ARE HIDDEN. This will ensure you don't do something grim. Then just be sure you know what you are deleting. I checked my laptop and it only had 2 files. My Desktop had about 15 including some batch files I'd made and put there. Watchword is if in doubt don't delete.

    Pete
     
  14. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    It seems that ShadowUser shouldn't be needed as FirstDefense-ISR allows for...

    ... and also has data anchoring similar to the exceptions in ShadowUser.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,051
    You're right. I was experimenting, and Shadowsurfer probably had nothing to do with the problem I had.

    Pete
     
  16. Leapfrog Software

    Leapfrog Software Leapfrog Management

    Joined:
    Jan 25, 2006
    Posts:
    251
    Location:
    Northern Nevada, USA
    Greetings All,

    Although we have a similar feature built-in to our ISR technology called "Freeze", I know some folks have the ShadowStor products they would like to use. I downloaded demos of both and tested FirstDefense-ISR, PEER-ISR, BootBack with ShadowSurfer and ShadowUser.

    The \$ISR folder is the ISR working folder, and thus needs to be excluded from the ShadowStor products. If not, you will not be able to update snapshots, archives, use Data Anchoring, or boot to other snapshots. The ShadowSurfer product does not have the feature to exclude folders, only drives. The ShadowUser product has this capability. It is in their configuration section under “2. Exclusion List”. You must add “@\$ISR\” to this list. I would also suggest that you also add your ISR Data Anchored folders as well; otherwise it defeats the purpose of our Data Anchoring feature.

    I did notice that the ShadowUser low-level redirection driver conflicts with our open file technology driver. You will get a Windows “Blue Screen of Death” during an active OS snapshot copy. This means you will not be able to use our copy snapshot command when the source snapshot is the active OS. You can copy any static snapshot or archive, just not the active OS snapshot. I got around this by booting another snapshot, and then copying the previously booted OS to another snapshot or archive. We’ll look into future compatibility with their technology to see if we can alleviate this issue.

    Anyway, I hope this helps. Now back to the grindstone for me.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you are a FDISR-user, you don't need ShadowSurfer/User IMO, because both clean your computer and FD-ISR allows more than one snapshot, while ShadowSurfer/User have only ONE snapshot.
    So the choice is easy. FD-ISR offers more possibilities.

    FD-ISR and ShadowSurfer/User don't protect you against malwares doing their evil job, they only remove malwares completely during the next reboot and that is of course a very big advantage compared with AV/AS/AK/AT scanners, that don't always remove everything and it takes hours to run scanners.
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Yep, FD-ISR with good firewall and outbound protection is a very secure combination.
     