FDISR - Freeze

Discussion in 'FirstDefense-ISR Forum' started by ErikAlbert, Jul 18, 2006.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Today, I created another special snapshot : a frozen snapshot, which is only protected by the firewall "Look 'n' Stop" (+ Router DI-604).
    No scanners, no HIPS, no real-time protection, no IE-SPYAD, no HOSTS file, nothing ...

    It's my understanding that a frozen snapshot allows any change during two reboots and will undo any change during the next reboot.

    There are two kinds of changes :
    1. Good changes, like Windows Update, AV/AS/AT/AK-Scanner Updates, Software Updates, ...
    2. Bad changes, like any kind of malware.
    All these changes are undone during the next reboot.

    It's also my understanding that each possible threat can do its evil job during two reboots, until the next reboot.
    Maybe Faronic's Anti-Executable can prevent this.

    What do you think about this ?
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Yes, ALL changes are removed including the good ones. The Snapshot needs to be refrozen for the good changes to be kept (doesn't take that long, probably less than a minute).

    If I am understanding your last statement, yes, the baddie would be able to do its damage, but only in that Snapshot. All damage would be erased when the Freeze fixes things. :cool:

    Acadia
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Although this is true, FDISR won't be able to see the difference between good and bad changes.
    So you can't re-freeze the snapshot, because the possible threats would be frozen too.

    I assume this is true too, but I meant another kind of damage, like stealing your personal data for example.
    If the malware is able to execute itself to steal your personal data between two reboots, the evil deed is done, even when the threat is removed during the next reboot.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Hi Erik

    Yes in theory, anti-executable might protect you. I think there might be some better choices though. Real issue is can the bad guy get you while you are booting. He would have to be quick on the draw starting up.

    If I was seriously worried about that, then if I were you I'd go to a more layered defense approach, that I know doesn't thrill you. Also during that vulnerable boot and shutdown period, I'd turn off my DSL/Cable modem. (I don't bother with that)

    Pete
     
  5. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Right, so you would turn on your pc, unfreeze, update all of your programs, refreeze, then surf away; that is how I did it for a brief period.

    Acadia
     
  6. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    It is possible to download desired updates and apply them after you take the system offline and reboot into the frozen snapshot.
    Also the Windows hotfixes can be downloaded and stored for that purpose.

    http://www.geocities.com/wilbertnl/images/hf.png
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My computer boots like this :
    1. Platinum Screen, caused by motherboard
    2. FirstDefense Pre-boot Screen
    3. Windows XP Screen with a scrolling bar.
    4. Black Screen
    5. Windows XP Screen with a scrolling bar. (again)
    6. Welcome Screen
    7. Desktop Screen

    When I reboot my computer it takes 1m40s from Desktop Screen to Desktop Screen using a FROZEN snapshot.

    If you reboot in a FROZEN snapshot, the Welcome Screen will last much longer, than a reboot in a NORMAL snapshot.
    So I assume that the frozen snapshot is CLEANED by FDISR during the Welcome Screen.

    I don't think that a threat can do anything during reboot.
    ----------------------------------------------------------
    I only mentioned Anti-Executable, because this is one of the rare security software, that tells me exactly how it works.
    Anti-Executable (AE) creates a white-list of your executable programs (it recognizes about 80 executables) during its installation. So you'd better install AE on a clean computer, which is possible.
    After that AE will stop any NOT white-listed executable from doing anything bad.

    Most malwares are based on executable files, but AE has two weaknesses :
    1. it can't stop exploits, that abuse legitimate (white-listed) executables to do bad things.
    2. it can't stop malwares, that don't use executable files to do their evil job.
    That's what I understood from my readings, although it can be wrong.

    Why I'm telling all this?
    Immediate system recovery software, like FDISR, ShadowUser and DeepFreeze remove all possible changes on your harddisk and that is a very powerful thing, because they keep your computer clean.
    Unfortunately there is a weak period between two reboots, where threats are able to execute themselves to do their evil job.
    AE might stop most of these malwares from executing, not all of them but I need only 4 or 8 hours to remove these threats.
    Keep also in mind that a possible installed threat isn't always executed, they are waiting for a trigger.

    How big is that weak period ?
    In normal circumstances : 4 hours, if you reboot during noon, 8 hours if you reboot the next morning.
    So the period of executing of a malware is maximum 24 hours, if you reboot your computer every day.
    ----------------------------------------------------------
    Good changes, like Automatic Windows Update and Automatic Scanner Updates, aren't saved in a frozen snapshot either, which means that Windows and Scanners are getting weaker and weaker every day, because they don't get their updates.
    The crucial question : is that important, when you know that a frozen snapshot doesn't accept any changes after reboot ?
    All the installed bad changes are gone, even the new and undetected malwares.
    There is no scanner that can do a better job than a frozen snapshot.

    A lot of users seem to have "scanners on demand".
    If a "scanner on demand" detects any malware, it's already too late.
    How long will it take to run all these "scanners on demand" on your computer?
    A simple reboot in a frozen snapshot will do the same and even better job in 1m40s.
    Is the TOTAL scan-time of all your on-demand scanners = 1m40s ? I doubt that very much, because I also know how long it takes to run my regular scanners.

    ----------------------------------------------------------
    My thread is about the advantages of frozen snapshot and any combination with another software that makes a frozen snapshot better.

    I don't wanna talk about the fact that creating and rebooting in frozen snapshots is slower. I and most FDISR-users know that already and I also know that freezing a snapshot isn't very popular amongst FDISR-users.
    I only want to discuss the freeze function itself and I have pretty good arguments to defend its advantages.
     
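    The reset-on-reboot behaviour described in this post (every change since the freeze, good or bad, is discarded when the snapshot is refreshed from its baseline) can be illustrated with a small file-integrity example. This is an added illustration, not FD-ISR's own code and not code from anyone in the thread; the directory names, file contents and the "dropper.exe" name are constructed, and a real product works on the whole system partition rather than a temporary folder.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline: new files, deleted files, altered files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def refresh_from_baseline(baseline_dir: Path, live_dir: Path) -> dict:
    """Undo every change in live_dir by restoring it from baseline_dir.

    Like a frozen snapshot, this cannot tell a signature update from a
    dropped malware file: both are simply reverted.
    """
    changes = diff_manifests(build_manifest(baseline_dir), build_manifest(live_dir))
    for rel in changes["added"]:
        (live_dir / rel).unlink()
    for rel in changes["removed"] + changes["modified"]:
        dst = live_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(baseline_dir / rel, dst)
    return changes


def simulate_session() -> dict:
    """Constructed scenario: freeze, then one good, one bad and one destructive
    change during a session, then a 'reboot' that refreshes from the baseline."""
    work = Path(tempfile.mkdtemp())
    baseline = work / "frozen_snapshot"
    live = work / "system"
    try:
        # Build the frozen baseline (constructed sample files).
        (baseline / "windows").mkdir(parents=True)
        (baseline / "av").mkdir()
        (baseline / "windows" / "hosts").write_text("127.0.0.1 localhost\n")
        (baseline / "av" / "signatures.dat").write_text("sigs v1\n")
        (baseline / "readme.txt").write_text("clean install\n")
        shutil.copytree(baseline, live)

        # The session: a good change (signature update), a bad change
        # (unknown executable dropped) and a destructive change (file deleted).
        (live / "av" / "signatures.dat").write_text("sigs v2\n")
        (live / "dropper.exe").write_bytes(b"MZ constructed sample, not real code")
        (live / "windows" / "hosts").unlink()

        # The reboot into the frozen snapshot.
        changes = refresh_from_baseline(baseline, live)
        clean = build_manifest(baseline) == build_manifest(live)
        return {"changes": changes, "clean_after_reboot": clean}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(simulate_session())
```

The point the thread keeps circling back to is visible in the result: the refresh reports and reverts all three changes, so the system is clean after the reboot, but nothing in this mechanism observes what the dropped file did while it was present. Whatever ran during the session, and whatever it sent out, is outside what a refresh can undo.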
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I would keep my frozen snapshot like it is. The updates don't matter anymore IMO, because a frozen snapshot does not allow any good or bad change.
    My only concern is the possible execution of malwares between two reboots, but it has to happen within 4 or 8 hours otherwise it will be too late.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Hi Erik

    If you want to play with exe control I'd suggest SSM (System Safety Monitor). No white list (well except you), but it gives you fine control. Not only can I control what runs but who runs it. So I can allow xyz.exe to run only when started by explorer.exe. I can also control what DLLs an exe can hook to, rather than just allow it to do hooks. You can really lock down your system if you so choose. Also has a learning mode to make a rule list from your system.

    Pete
     
  10. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    Are you saying that bugfixes, driver updates and feature improvements are not necessary anymore?
    If so, did you disable any auto update that is available in your frozen snapshot?

    What would happen when malware is able to execute on your system and modify your personal data on your second non-frozen drive?
    Or a virus modifies your MBR...

    Fascinating! :ninja:
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You already solved this problem, Windows can be updated off-line, so it doesn't need to happen on-line. :)
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You run the same risks with scanners.
    What if they don't detect a malware that changes your personal data or MBR.

    EDIT:
    Where were all these AV scanners, when the top 10 viruses caused billions of dollars damage world-wide?
     
    Last edited: Jul 18, 2006
  13. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I simply don't understand what you are saying here. If "a frozen snapshot does not allow any good or bad change" then how could something happen 4-8 hours later. Either your knowledge of pcs is WAY over my head (and THAT is entirely possible) or you don't yet understand how FD works (or I don't). :doubt:

    Acadia
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Suppose my computer is 8 hours on-line and can be infected during those 8 hours.
    A malware doesn't install itself without a purpose. Suppose it wants to steal my data.
    Two possibilities :
    1. It can't execute its evil job, no harm done.
    2. It can execute its evil job, my data is stolen.

    After 8 hours I shutdown my computer.
    1. If it couldn't execute its evil job during those 8 hours, it's too late for the malware, because I will reboot my computer the next morning and the malware will be removed.
    2. If it could execute its evil job during those 8 hours, I'm ~snip~, but when I reboot my computer the next morning, the malware will be removed too.
     
    Last edited by a moderator: Jul 18, 2006
  15. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    You can call it "CLEANED" if you want but I want to clarify that it's an update or refresh like in any other situation such as refreshing a secondary snapshot or an archive from your primary snapshot.
    Again, I can't see where arguing about this is rational. You have your reason for doing it. As you've stated on many occasions, you don't care what our arguments are, you test it under the constraints and value system that you feel are appropriate and draw your logical conclusions and implement those conclusions no matter what anyone thinks or says. I would feel like I was becoming the "Bubble Boy", you know the kid with the non-existent immune system who spent his life in a giant beach ball ? Doesn't sound like much fun to me, but whatever lets you sleep peacefully at night.

    I tried the freeze function too, but found it a pain in the A**. I'll stick with my layered backups.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK Guys, forget about it. This is going to end up in a silly discussion. :)
     
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Erik, now I understand, and yes, you are correct, while you are actually on line you can be ~snip~ as you put it. No "goback" or recovery type program in the world can save you from that; it then falls upon your other programs to do their jobs properly, your virus, spyware, and Trojan scanners. (Might I be so bold as to recommend Boclean).

    Acadia
     
    Last edited by a moderator: Jul 18, 2006
  18. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    On the other hand, I can see where freezing could be useful, for instance, on my kids' computers. I don't want all the crapware and toolbars they try to put on it and they end up infected and crippled. Now, the fact that their computers also have data on a separate partition or physical disk allows me to refresh their system partition on every boot without deleting their homework.

    Yes, I still have the window of threats out there, but the "promiscuous" behavior of my children -- which they'll do no matter how much I preach at or discipline them -- is very handily wiped out insofar as which changes they have caused on the system partition. Rather than being Bubble Boys, I could let my children play, but with a condom on, so to speak .
     
  19. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    I don't consider the freeze as a security feature. It's more a 're-install over and over again'.
    I like it when I install software for beta testing purpose, and need to retest the same conditions with different settings, reboot and go.

    If you are testing security software and need to test with actual infections, then I see an offline ATI image as more secure than FD-ISR.

    ErikAlbert's take on the freeze feature is of course valid for him. :thumb:
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    They weren't on the machines. Many corporations are slow to react, and they try and defend the perimeter. No AV's on individual desktops. No Firewalls on individual desktops. Then ole Johnny brings in his laptop(which also has none of the above) and plugs into the network. Bye bye network, it all gets infected.

    As many corporations got hit as mom and pops.

    Pete
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Right, no goback solution is able to prevent installed malwares from doing their evil job.

    Now I have been thinking about "AV/AS/AT/AK-scanners on demand", which are usually 2nd, 3rd or even 4th AV/AS/AT/AK-scanners. Most users have only one real-time shield for each scanner and that is their main scanner.
    They use only one shield to avoid any conflict between two scanners of the same kind.

    Now let's talk about the scanners on demand, the additional scanners.
    Nobody runs them every minute, so they run them usually one time per day.
    If one of those scanners find a malware, it means that this malware could have executed its evil job already during 8 hours. So there is no difference between scanners and a frozen snapshot in this matter.
    If the user runs his second scanners once per week, like some users do, the malware had already 7 days x 8 hours = 56 hours to do its evil job.

    If I reboot in my frozen snapshot, it takes 1m40s to get rid of all my installed malwares.
    How many scanners scan your computer in just 1m40s?
    Since one scanner isn't enough you have to compare the TOTAL scan time with 1m40s.
    A frozen snapshot guarantees that all malwares are gone, scanners don't.
    I agree that a frozen snapshot isn't a security software, but you can use it as a security software with much better results in time, detection and removal.

    My only point is that you don't need second scanners at all, if you work with a frozen snapshot. If I'm wrong tell me about it.

    I still have to think about MAIN scanners and their real-time protection, but the real-time protection is as good as the scanner is : incomplete protection.

    The main damage of a malware is not its presence on your harddisk, it's the execution of its evil job.
    I only have to find a software to stop this execution.
     
    Last edited: Jul 19, 2006
  22. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    So, from the freeze feature we take a turn to security in this thread:

    It is my understanding that when you are behind a NAT router, your system is safe from threats that rely on network listener functions, they simply can't find your computer.
    That limits the threats to the kind that relies on user behaviour.

    The e-mail servers that I rely on have virus and malware scanners enabled, it's filtered out before I retrieve my e-mail. And I rarely missed e-mail from authorized senders, don't worry about that.
    And I use a fake e-mail address for all these web forms that actually don't need your contact information. I also use disposable e-mail addresses.

    When I want to install whatever, I scan it beforehand. Actually my download folder has been scanned with almost any available scanner.
    To me that means that I install authorized programs. Some installations come with additional unwanted toolbars or whatever, and I only continue after I disable these additions. Again, behaviour.

    My only concern would be the browser. They all, including Firefox, have security issues.
    I need a solution that monitors my browser and notifies me of any system changes while I'm browsing.
     
  23. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    I like recommendations. Is there a trial version available? I fail to find it.
     
  24. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    If you are surfing the net and contract what is, in my opinion, the greatest of all evils, the Trojan, you can still be hurt.

    You see, computer viruses only hurt your computer, they delete files and otherwise make your computer sick. Reboot using Freeze would fix all of that.

    But the Trojan is a different animal. The Trojan does not try to hurt your computer, it needs a healthy computer to do its evil deeds; the Trojan instead tries to hurt YOU personally. It tries to discover your banking passwords, logons, etc., and phone them home, so you can financially be hurt.

    If you are surfing and contract a Trojan, that Trojan may only need seconds, or a minute or two, to discover whatever it is looking for, and phone them home. The damage is done. Rebooting using Freeze will remove the Trojan, but the information has already been sent away.

    YOU NEED SOMETHING SCANNING FOR TROJANS WHILE YOU ARE SURFING THE NET even when using these "goback in time" type of programs. An anti-Trojan may be the only type of security program that you need if you are constantly using Freeze, but I personally don't know enough to say that for certain. I personally would run all of my security programs even if using freeze; my processor can more than handle it so why not?

    Good luck,
    Acadia
     
  25. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I would say that HIPS, or firewalls with some HIPS functions, are meant to prevent exactly this, I don't see the need for an anti-trojan program if one has a HIPS. They will alert when the trojan tries to report what it has found, if you have allowed it to execute and inject code into a web browser for example, where the trojan tries to hide the "bad traffic" in the legit traffic made by the browser.
     