Discussion in 'FirstDefense-ISR Forum' started by aigle, Sep 23, 2006.
Ah my mistake, I thought aigle was just looking for the hidden ISR folder.
You can look in the snapshots if you boot a BartPE cd or usb drive. I would assume that you can copy files out of the snapshot, but I didn't try it.
Ok, I got it but my other Q remains there.
Ok, at least I will like to see it but this does not work either.
How are you seeing it in Windows Explorer?
I have sent a mail to them as well and will wait for reply.
Why do you feel the need to see it. If you really want to just boot to it, and then you can look to your hearts content.
Just wondering that other people find these folders in C. Why can't I see them on my system?
The most you should be able to see is the base folder, the logs, etc, and 0,1,2,etc folders, but those you shouldn't be able to get into, and frankly you don't want to. One of the key points is having those snapshots intact if you mess something up in your working snapshot, so last thing you should be doing is messing around with those folders from your working snapshot.
Through the BartPE CD I can see the $ISR folder and all subfolders in it. I did not mess with it further and just came out of it.
I found out that Explorer does *not* allow me to browse the snapshot folders ($ISR/0, $ISR/1 etc): I got an access denied error.
However, I can tamper with whatever I want through XYplorer, another file manager (give it a try).
And if XYplorer can, I suppose the next virus can too!
No question that if FDISR itself can do it, a virus or some malware could. But the malware would have to specifically be designed to look for First Defense folders and then do its work. Given the number of FDISR users relative to the whole playing field, it's just not that lucrative for the malware writers today to do that.
That doesn't sound right to me; if you couldn't give specific permissions to some programs only, then PC security as a whole would be a myth. I.e. Process Guard can terminate running processes, but another program cannot.
A virus doesn't need to make a beeline to C:/$ISR, it just has to infect a file in every directory and that's it.
If the snapshot folders are easily writeable, you cannot do whatever you want in a snapshot, with the certitude that you will always be able to boot on another snapshot. In other words, FDISR would be a handy multi-config software, but not anywhere near a security-related product.
But what if malware uses brute force and does access each and every directory to plant its seeds or read personal data?
The idea of FD-ISR is that inactive snapshots are guaranteed safe and secure, would you not agree?
All software is vulnerable, and what all software has in common doesn't really interest me.
One day FDISR will become a target of the bad guys and Leapfrog will fix it, just like Mozilla fixes Firefox all the time. Until now it never happened, at least not to my knowledge.
FirstDefense-ISR is NOT a security software, it's an immediate system recovery software (ISR).
It doesn't protect you against any malware, it only has functions to create/update/archive/restore/freeze snapshots.
It has no scanners, no HIPS, no virtual protection, ...
Even a frozen snapshot is a normal function of FDISR and works like an automatic refreshing function.
You can't blame a car for not being a boat.
Erik is right. FDISR isn't really a security program. As an artifact of its design most malware won't affect snapshots, assuming you don't mess with stuff. Malware as a rule looks for the Windows directory, looks for the registry where it routinely belongs. Most malware doesn't go looking elsewhere. Even if it used brute force, though, it would have to know it has a special situation to deal with. So by accident FDISR protects you, but its design is immediate recovery.
Now the ability to keep an archive off disk and on an external drive which is turned off still gives one a good safety tool. As a test I've restored my system from IFD DVDs and then used an archive to bring the system current. No way malware could touch that stuff, well, it would be pretty tough anyway.
I wonder how many users believe their system is safe when fooling around on a secondary snapshot. Some of them even appear to have an "Internet snapshot" to protect them while they surf the web.
The fact that the snapshots lie in C:/ was already a disappointment to me (I thought they were stored on a hidden partition), and now I realize the snapshots are not really independent -- FDISR looks more and more like a glorified xcopy with a boot loader to me.
A frozen snapshot creates a file called "Freeze Storage.ARX" and archived snapshots have also the extension .ARX. It's technically the same kind of file.
During reboot FDISR copies/updates FROM "Freeze Storage.ARX" TO the frozen snapshot, and during that operation objects are added, removed and replaced, just like in a normal copy/update, except that it runs automatically.
But the same operation can be done manually, using the copy/update function.
A frozen snapshot allows any infection to install and execute, just like any other snapshot, but once you reboot FDISR will remove any change (good or bad).
A frozen snapshot doesn't remove "malware", it removes "any change" and that's why it looks like a security software, but it isn't.
Only scanners remove malwares and don't touch the rest.
Keep in mind that the IS in FDISR isn't Internet Security, but Immediate System Recovery. Not sure how you can say they aren't independent, when I can have two different system configurations in different snapshots. And yes, for almost all of the nasty stuff you can currently get surfing the web, you can pretty well rely on FDISR to get rid of it. Certainly with the external archives you can.
FDISR was designed with a certain task in mind, and it does that task extremely well. What you are almost saying would be like saying you just installed the new KAV 6.0 anti-virus and are disappointed it doesn't do backups.
Maybe you can hide them with a special tool. I could be wrong but these tools exist to hide any folder.
Regarding immediate recovery:
FDISR is designed for that and does a MUCH BETTER job than Windows System Restore, and that's why you need at least TWO snapshots: a snapshot for work and a snapshot for rollback.
In a snapshot for work anything can happen:
- a new software that doesn't like your total system can result in a BSOD and cause an infinite loop without being able to get even into Windows. Peter and I had that experience.
Any software, legitimate or not, can bring you in such situation.
- a user can accidentally delete system files or make mistakes in the registry and screw up his own computer.
FDISR requires only a reboot in a rollback snapshot to save your system = ISR.
FDISR is more than that and users use their imagination to do other things with FDISR.
FDISR is luxury, not really necessary. If you don't like it, use an image backup file, to recover your system, but it won't be that fast.
Well, I'm sort of disappointed because I thought FDISR provided a complete sandbox, and it's only partial. I say they are not independent because you can screw up a snapshot from another one. This means that a major software damage on a partition kills FDISR, and you have to go and fetch your DVDs to restore your system - but I already got IFW for that.
I don't say FDISR isn't good, I mean, it's fine to be able to revert some unfortunate changes, but everything's always conditional: you may be able to revert them, but maybe you won't, in case of critical filesystem corruption, due to a virus, malware, or something else. You just can't be sure.
Erik, yes, a robust 3rd party protection tool would turn FDISR into what I thought/wish it were. Again, I don't want to appear grumpy or anything, but it looks sooooo wrong to store a sort of backup, without protection (or a very minimalist one), into what you backed up!
Look at my signature. I installed Faronics Anti-Executable (AE) in a FROZEN snapshot.
I use the frozen snapshot to remove all changes, including all malwares during the next reboot and that takes 90 seconds.
So this is a lot faster than running all my scanners. No serious scanner on earth runs that fast and so complete.
Of course a frozen snapshot allows any installation and execution of any malware between two reboots, and that is a serious problem. So I needed something else to protect me against that: Anti-Executable.
AE makes a whitelist of all your executable objects installed on your computer during the installation of AE.
After that AE prevents any installation and execution of not-whitelisted objects.
So I created my own sandbox. Does it work? I don't know for sure, but in theory it should work at least for the majority of malware.
Maybe you can also use Prevx1 for this, which is supposed to do the same and more and it is also more flexible.
AE is VERY STRICT when its security level = HIGH.
I'm not saying you have to do this, you might consider it.
I did this very recently, so I don't have much experience and didn't really test it thoroughly.
FDISR allows you to create up to 10 different bootable work environments with any possible combination of software. I even have a snapshot without internet connection, because I was tired of being disturbed by security software messages/popups while I was working.
Of course when you don't need all that, don't use FDISR.
Only image/file backup is a MUST, unless you like to install your computer from scratch manually.
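The two mechanisms this post and the earlier one about "Freeze Storage.ARX" describe, modelled as an added example that is not FDISR's or Anti-Executable's own code: a stored manifest of file hashes plays the role of the freeze storage, a refresh computes which objects must be added, removed or replaced to bring the live tree back to the stored state, and a whitelist of executable hashes taken at "installation time" decides whether something is allowed to run in between reboots. The hashing, the executable-suffix set and the constructed temporary directory tree are assumptions for the demonstration; the real products' file formats and rules are not on this page.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed, illustrative set of "executable objects"; the real rules are not on the page.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd", ".scr"}


def sha256_of(path: Path) -> str:
    """Hash one file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def refresh_plan(stored: dict, live: dict):
    """Objects to add, remove and replace so that `live` matches `stored`.

    Same direction as the thread describes: FROM the storage TO the snapshot.
    """
    add = sorted(k for k in stored if k not in live)
    remove = sorted(k for k in live if k not in stored)
    replace = sorted(k for k in stored if k in live and stored[k] != live[k])
    return add, remove, replace


def apply_refresh(storage: Path, live: Path):
    """Bring `live` back to the state recorded in `storage`; returns the plan applied."""
    add, remove, replace = refresh_plan(manifest(storage), manifest(live))
    for rel in remove:                      # dropped during the session: delete
        (live / rel).unlink()
    for rel in add + replace:               # missing or altered: copy back from storage
        dst = live / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(storage / rel, dst)
    return add, remove, replace


def build_whitelist(root: Path) -> set:
    """Hashes of every executable object present when the whitelist was taken."""
    return {h for rel, h in manifest(root).items()
            if Path(rel).suffix.lower() in EXECUTABLE_SUFFIXES}


def is_allowed(path: Path, whitelist: set) -> bool:
    """Permit execution only if the file's current hash is on the whitelist.

    A patched copy of a known binary hashes differently, so it is refused too.
    """
    return sha256_of(path) in whitelist


def demo() -> dict:
    """Constructed scenario: a frozen tree, a session that alters it, then the refresh."""
    work = Path(tempfile.mkdtemp(prefix="fdisr_demo_"))
    try:
        storage, live = work / "Freeze Storage", work / "snapshot"
        for root in (storage, live):
            (root / "Windows").mkdir(parents=True)
            (root / "Windows" / "app.exe").write_bytes(b"MZ original app")   # constructed
            (root / "readme.txt").write_text("docs")                         # constructed
        whitelist = build_whitelist(storage)

        # Session changes: a dropped binary, a patched binary, a deleted document.
        (live / "Windows" / "dropper.exe").write_bytes(b"MZ new unknown code")
        (live / "Windows" / "app.exe").write_bytes(b"MZ patched app")
        (live / "readme.txt").unlink()

        verdicts = {
            "dropper.exe": is_allowed(live / "Windows" / "dropper.exe", whitelist),
            "app.exe": is_allowed(live / "Windows" / "app.exe", whitelist),
        }
        add, remove, replace = apply_refresh(storage, live)
        return {
            "verdicts": verdicts,
            "add": add, "remove": remove, "replace": replace,
            "restored": manifest(live) == manifest(storage),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Note that the refresh removes every change, good or bad, exactly as the post says, while the whitelist is what stands between a dropped or patched binary and execution before the next reboot; neither step looks at what a file does, only at whether it matches the stored state.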
First, when you say complete sandbox, it is as much so as any other sandbox. They are definitely independent. Sure you can find a special tool that lets you get to them and damage them, but that's true of anything on your system. But I don't see what major software damage you are talking about. I've come close to totally trashing my system. I had to do a power reset once while running a registry cleaner. Not good, let me tell you. Just booted to the second snapshot, and fixed the problem in minutes. I had things so bad, I couldn't even boot to safe mode. No sweat with FDISR.
I am curious about something you think could happen, as opposed to working at a way to break it. Sure, someone knowledgeable about FDISR could write a piece of malware that could defeat it. But that is also true of Sandboxie, VM stuff, whatever. But if you go online, and just encounter the "normal" nasties that target the average machine, FDISR will be as good if not better than any of the others.
But if you can't access those snapshots with normal tools, it isn't really fair to say I've got this special XYZ tool, and with that I can mess up a snapshot, so FDISR won't protect me.
Besides, what FDISR is really designed for is the situation where you install something like a beta, which I've done, and it so trashes the system you can't boot. Been there, done that, and FDISR works like a champ.
I agree that FDISR covers many threats, and probably most of what you can come across surfing the web. Like I said, I don't contest its usefulness.
Yet, it's not as bullet-proof as one could expect. I know that nothing's really bullet-proof and so on, but almost-plain filesystem access is really not secure enough. I say almost, because Explorer doesn't let you go there, but come on - XYplorer isn't a special purpose tool! It's a nice file manager, like Total Commander. It has *not* been designed to access hidden, protected system files. This is my day to day file browser, and a lot of people don't use Explorer either. Thus, a hook into Explorer to prevent access doesn't cut it, does it? Maybe I'm wrong, and there's something special about XYplorer - but I doubt it!
My point is that if the average file manager can access a supposedly protected folder, malware can too probably, without special effort.
The fact that it would have to target FDISR isn't a valid point to me, because it's all too easy to design a program that scans the whole filesystem and tampers with what it finds - meaning your snapshots are compromised. Or another piece of malware could scan the FS for private information, and find stuff that you carefully removed from the active partition - but is present in a snapshot!
One could argue it's unlikely - but is it? Weren't race conditions supposed to be unlikely too?
Well, I hear all valid arguments in this thread.
But then I think about the initial purpose of FD-ISR: offering the fastest restore into a backup installation after a software disaster. That's basically all it does.
It's the users who took this concept several steps further and started creating snapshots with different characteristics/installations. And now the users have needs that surpassed the purpose and concept of FD-ISR.
Exactly. Reve, repeat after us. FDISR is NOT a security program. Can't say it plainer than that. It is an Immediate System Recovery tool.
If you want to measure it as a security tool, and it doesn't measure up, so be it.
PS Reve, if you really want to put the security test to the extreme: take FDISR, and create an archive on an external USB drive which you can also use to update snapshots. Then turn the drive off. Betcha can't access those files. I actually do save archives on an internal 2nd drive, and an external drive, for several different purposes.