FDISR + nLite + Anti-Executable

Discussion in 'FirstDefense-ISR Forum' started by ErikAlbert, Apr 30, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This might sound strange, but it happened on my computer and it's something you would not expect at all.

    nLite allows you to create a customized "Windows Installation CD".
    In order to do that, nLite copies your original "Windows Installation CD" in a folder created by you.
    I stored that folder on my system partition [C:], because I'm still studying nLite and you don't have access to all these options, unless you have that folder on your computer.
    So far everything was fine, until I installed Anti-Executable (AE).

    During the installation AE scans ALL your hard disks to create a whitelist of executables, installed on your computer.
    After installing AE completely I started testing the copy/update function of FDISR, because I knew from the trial period that AE can cause errors in copy/update when you put AE on maximum security. Everybody knows that certain security softwares cause errors during the copy/update and AE is one of them, if you put it on maximum security, not on low security.

    In spite of my correct AE configuration, the copy/update didn't work at all and I constantly had 6000+ errors during each copy/update.
    After reading FDISR's Detailed Log file, I discovered that the folder, containing a complete Windows CD, was the cause of this.

    I reinstalled my system partition, deleted that folder and re-installed AE and then everything was OK.

    My advice: turn Anti-Executable OFF before you start using nLite to create a customized CD, get rid of this folder, and you had better also delete the ISO file used to burn the new CD. Then you can turn AE back ON.

    Storing this folder on another partition can't be trusted either, because AE scans every hard disk and you can't exclude anything during the installation of AE.

    I'm telling this, because you don't expect this at all and it's a NIGHTMARE once you start using copy/update, just because your computer had a folder with Windows in it. :)
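    The mechanism behind this post (an install-time scan of every disk that whitelists each executable it finds, with no way to exclude a folder) can be shown with a small hash-based whitelist builder. This is an added example, not Anti-Executable's own code or format and not part of the thread; the scan roots, the exclusion list, the set of file suffixes treated as executable, and the sample files are all constructed in a temporary directory for the demonstration. It builds the whitelist twice, once over everything (the behaviour described above) and once with the nLite staging folder excluded, and then checks an execution request against each.

```python
"""Hash-based executable whitelist with path exclusions (added example).

Mimics the install-time scan an application-control tool performs, but adds an
exclusion list so that a staging folder holding a copy of install media is not
silently trusted. All paths and files are constructed in a temp directory;
nothing here is Anti-Executable's own logic or data format (assumption).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: which suffixes count as "executable" for the scan.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_of(path: Path) -> str:
    """Content hash, so a renamed or modified binary is not mistaken for a trusted one."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_excluded(path: Path, excludes) -> bool:
    """True if path equals or lies below any excluded directory."""
    path = path.resolve()
    for ex in excludes:
        ex = Path(ex).resolve()
        if path == ex or ex in path.parents:
            return True
    return False


def build_whitelist(roots, excludes=()) -> dict:
    """Return {sha256: first path seen} for executables under roots, minus excludes."""
    whitelist = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune excluded directories in place so os.walk never descends into them.
            dirnames[:] = [d for d in dirnames if not is_excluded(Path(dirpath, d), excludes)]
            for name in filenames:
                p = Path(dirpath, name)
                if p.suffix.lower() in EXEC_SUFFIXES and not is_excluded(p, excludes):
                    whitelist.setdefault(sha256_of(p), str(p))
    return whitelist


def is_allowed(path, whitelist) -> bool:
    """Execution check: permitted only if the file's current hash is whitelisted."""
    p = Path(path)
    return p.is_file() and sha256_of(p) in whitelist


def demo() -> dict:
    """Constructed layout: a system dir with one trusted exe and an nLite-style
    staging folder holding install media. Returns the check results."""
    tmp = Path(tempfile.mkdtemp())
    sys_dir = tmp / "Windows" / "system32"
    staging = tmp / "nlite_cd" / "I386"          # constructed stand-in for the CD copy
    sys_dir.mkdir(parents=True)
    staging.mkdir(parents=True)
    (sys_dir / "notepad.exe").write_bytes(b"MZ trusted notepad (constructed)")
    (staging / "setup.exe").write_bytes(b"MZ install media setup (constructed)")
    (staging / "kernel32.dll").write_bytes(b"MZ install media dll (constructed)")

    naive = build_whitelist([tmp])                               # scan everything, no exclusions
    scoped = build_whitelist([tmp], excludes=[tmp / "nlite_cd"])  # staging folder left out

    # A binary that appears only after the scan is unknown to both lists.
    downloads = tmp / "Downloads"
    downloads.mkdir()
    (downloads / "unknown.exe").write_bytes(b"MZ arrived later (constructed)")

    return {
        "naive_count": len(naive),                                     # 3
        "scoped_count": len(scoped),                                   # 1
        "setup_allowed_naive": is_allowed(staging / "setup.exe", naive),    # True
        "setup_allowed_scoped": is_allowed(staging / "setup.exe", scoped),  # False
        "notepad_allowed": is_allowed(sys_dir / "notepad.exe", scoped),     # True
        "unknown_allowed": is_allowed(downloads / "unknown.exe", scoped),   # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The naive scan trusts every binary on the install media copy, which is exactly why a whitelist built without exclusions is only as clean as the disk was at scan time; the scoped scan keeps the staging folder out, and anything written after the scan (the later `unknown.exe`) is rejected by both, which is the behaviour the thread credits AE with.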
     
  2. EASTER.2010

    EASTER.2010 Guest

    Thanks Eric, I'm taking notes of finds like this of yours with AE because if it proves out like I think it will, it'll go a long way in me completely shutting down some routine security programs and even HIPS. If I can prove AE is capable of powering safety over my HIPS that will be a first and a welcome one at that. Don't get me wrong, I like them and trust in HIPS but they are more than exercise for the mind, it takes time and decision-making which I can do but if a program soft like AE can do that for me, then it's that much less clock-seconds I have to spend answering prompts.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    I have only three security softwares now as you can see in my signature.
    A frozen snapshot is NOT a security software, but it REMOVES every change, including infections on my computer during reboot.
    I only need these three security softwares to save the day and they act IMMEDIATELY, while a frozen snapshot cleans them TOO LATE. But scanners are also TOO LATE when they remove infections on your computer.
    Are these three softwares enough? I don't know for sure, but my frozen snapshot keeps my computer clean anyway and that is enough for me.
     
  4. EASTER.2010

    EASTER.2010 Guest

    The last time I engaged a hardening app like AE was many moons ago and it was extremely formidable like it still is today. I shy away from them because I'm not up to speed if they can compile a complete whitelist without missing something that my machine might need to execute. I know there's Low Security but if we're going for Solid Steel shielding with a program like this, I would prefer to tap into its highest security level 100% of the time my PC is online and not be concerned with some loss of functionality with any program (executable) that I want to run.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    One thing to consider is your machine state. Erik's is static and the freeze works great. With my beta testing my machine state slowly evolves and changes and a freeze snapshot would be more trouble than it's worth.

    A constantly updated archive can accomplish the same thing. Easier to update, but requires two reboots to roll things back.

    Pete
     
  6. ErikAlbert

    ErikAlbert Registered Member

    That's not true. You don't install software permanently every day, but you test software a lot. I only have to disable AE and I can test any software in my frozen snapshot. I only have to reboot to get rid of it.
    I only need AE, because AE reacts immediately, when an unauthorized executable tries to install/execute itself. A frozen snapshot doesn't react immediately, it only removes the infection and that is always TOO LATE, just like scanners.
    If you copy/update you also have to disable certain security softwares, just like I have to disable AE to do things. I don't see the difference.
    I still have the same flexibility as before and disabling security softwares is common for all FDISR-users.
    I do THINK about these matters, before I do something or install something.
    I have at least a CLEAN computer after each reboot and that takes only 100 seconds; how many users have that?
    Most users BELIEVE their computer is clean, because their scanners told them their computer is clean, but I know for sure my computer is clean. That's the difference.
     
    Last edited: May 1, 2007
  7. Peter2150

    Peter2150 Global Moderator

    Still wouldn't be as easy for me. Some things I test and remove, some I test and leave on. My machine state is constantly evolving based on several different beta programs. Plus I am constantly improving stuff I use for business purposes so that is basically in a constant state of evolution. I doubt if they stay the same more than 5 days out of 30 each month.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    I'm working on a WORK environment, that remains CLEAN for average users at work. They don't test software, they don't use virtual softwares. They just do their job on a pc and they always use the same softwares.
    Unfortunately these users are also connected to the internet and that's the problem.
     
  9. EASTER.2010

    EASTER.2010 Guest

    Important to point out in spite of the confidence that users attest to with them plus the vendors' claims are legit but like you say, that has to come into play AFTER-THE-FACT.

    You bring up some very useful observations with your results Erik about AE.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    My practical experience with AE is rather small, I'm using it for just a few days. According to my readings and my short experience, it works like advertised. It doesn't really matter if AE has holes, because ALL security softwares have holes and my frozen snapshot is there to CLOSE all these holes.

    I can't work without security softwares, otherwise each possible malware can do its evil job during the period between reboots. So I need something to stop them and most probably I won't stop them all, but they will be removed during the next reboot.
    Users with a classical setup have the same problems, they run a few scanners and they ASSUME their computer is clean, because their scanners told them.
    It wouldn't be the first time, when users try a new scanner, that this scanner detects malware on their computer, that was never detected by their other scanners. I don't have that problem.

    Talking about "inconveniences".
    EACH setup has its inconveniences, but you accept them after a while and you forget they were ever "inconveniences".
    That's how it works in practice: you get used to them and you don't even talk about them anymore.

    I've seen security setups with SEVEN scanners or more.
    Running SEVEN scanners each day, is that sooo convenient? I only have to reboot and my computer is clean in 100 seconds, I timed it from desktop to desktop.
    Why do these users have so many scanners? Because it's convenient for them and they accepted and forgot how much time it takes to run seven scanners.

    Some users tell me they don't run all these scanners every day. Is that security, leaving the malware on your computer for a week and then removing it? I have a good laugh with this approach.

    The only convenient security setup is the one that has no security softwares, like my off-line snapshot and all the rest IS inconvenient without exception.
    Meanwhile, I have to read all these personal stories, how convenient their setup is. I put all these stories aside, because they aren't full stories. :)
     
  11. EASTER.2010

    EASTER.2010 Guest

    Funny. I only have to reboot POWER SHADOW! even with a rootkit "plus" :eek: malware (Haxdoor) on it and my PC is crystal clean in 30 seconds!!!! I time mine too, plus I have several Windows customizations that run at start up, BootScreen/Log-On Studio among a couple :D

    POWER SHADOW! protects my FD-ISR snapshots in a manner akin to superior double-protection ensuring that I return each reboot to a 100% perfectly clean screen again without taxing resources or space that FD Freeze method demands. :thumb:
     
  12. ErikAlbert

    ErikAlbert Registered Member

    You are still missing the point. PowerShadow removes them, just like FDISR, it doesn't stop the execution. Even their website recommends not to remove your security softwares when you start using PowerShadow.
     
  13. EASTER.2010

    EASTER.2010 Guest

    I understand that view, I'm only pointing out that even "IF"/"WHEN" an unwarranted intrusion occurs it's of no serious consequence OR concern whatsoever so long as you employ FD-ISR covered by POWER SHADOW! because a simple reboot, even if your screen is seized up and you need to manually press the restart button, everything returns to as it was before shadowing.

    Absolutely of course, the machine needs guarding with security programs during the duration of any user's session, that's common sense and not missing the point at all. In fact what is the point? o_O
     