FDISR users-- few Qs

Ah my mistake, I thought aigle was just looking for the hidden ISR folder.

 

You can look in the snapshots if you boot a BartPE cd or usb drive. I would assume that you can copy files out of the snapshot, but I didn't try it.

C

 

Ok, I got it but my other Q remains there.

 

Ok, at least I will like to see it but this does not work either.

@Eric

How u are seeing it in windows explorer?

 

Thank.

I have sent a mail to them as well and will wait for reply.

 

Just wonder that other people find these folders in C. Why I can,t see them in my system.

 

Through BartPE CD I can see $ISR folder and all subfolders in it. I did not messed more and just came out of it.

 

I found out that Explorer does *not* allow me to browse the snapshot folders ($ISR/0, $ISR/1 etc): I got an access denied error.

However, I can tamper with whatever I want through XYplorer, another file manager (give it a try).
And if XYplorer can, I suppose the next virus can too!

RE

 

That doesn't sound right to me; if you couldn't give specific permissions to some programs only, then PC security as a whole would be a myth. Ie. Process Guard can terminate running processes, but another program cannot.

A virus doesn't need to make a beeline to C:/$ISR, it just has to infect a file in every directory and that's it.

If the snapshot folders are easily writeable, you cannot do whatever you want in a snapshot, with the certitude that you will always be able to boot on another snapshot. In other words, FDISR would be a handy multi-config software, but not anywhere near a security-related product.

RE

 

But what if malware uses brute force and does access each and every directory to plant it's seeds or read personal data?
The idea of FD-ISR is that inactive snapshots are guaranteed safe and secure, would you not agree?

 

All softwares are vulnerable and what all softwares have in common doesn't really interest me.
One day FDISR will become a target of the bad guys and Leapfrog will fix it, just like Mozilla fixes Firefox all the time. Until now it never happened, at least not to my knowledge.

FirstDefense-ISR is NOT a security software, it's an immediate system recovery software (ISR).
It doesn't protect you against any malware, it only has functions to create/update/archive/restore/freeze snapshots.
It has no scanners, no HIPS, no virtual protection, ...
Even a frozen snapshot is a normal function of FDISR and works like an automatic refreshing function.
You can't blame a car for not being a boat.

 

I wonder how many users believe their system is safe when fooling around on a secondary snapshot. Some of them even appear to have an "Internet snapshot" to protect them while they surf the web.

The fact that the snapshots lie in C:/ was already a disappointment to me (I thought they were stored on an hidden partition), and now I realize the snapshots are not really independent -- FDISR looks more and more like a glorified xcopy with a boot loader to me

RE

 

A frozen snapshot creates a file called "Freeze Storage.ARX" and archived snapshots have also the extension .ARX. It's technically the same kind of file.
During reboot FDISR copy/updates FROM "Freeze Storage.ARX" TO the frozen snapshot and during that operation objects are added, removed and replaced, just like in a normal copy/update, except that it runs automatically.
But the same operation can be done manually, using the copy/update function.

A frozen snapshot allows any infection to install and execute, just like any other snapshot, but once you reboot FDISR will remove any change (good or bad).
A frozen snapshot doesn't remove "malware", it removes "any change" and that's why it looks like a security software, but it isn't.
Only scanners remove malwares and don't touch the rest.

 

Maybe you can hide them with a special tool. I could be wrong but these tools exist to hide any folder.

Regarding immediate recovery :
FDISR is designed for that and does a MUCH BETTER job than Windows System Restore and that's why you need
at least TWO snapshots : a snapshot for work and a snapshot for rollback.
In a snapshot for work anything can happen :
- a new software that doesn't like your total system, can result in a BSOD and cause an infinite loop without being able to get even in Windows. Peter and me had that experience.
Any software, legitimate or not, can bring you in such situation.

- a user can accidently delete system files or make mistakes in the registry and screw up his own computer.

FDISR requires only a reboot in a rollback snapshot to save your system = ISR.
FDISR is more than that and users use their imagination to do other things with FDISR.

FDISR is luxury, not really necessary. If you don't like it, use an image backup file, to recover your system, but it won't be that fast.

 

Well, I'm sort of disappointed because I thought FDSIR provided a complete sandbox, and it's only partial. I say they are not independent because you can screw up a snapshot from another one. This means that a major software damage on a partition kills FDISR, and you have to go and fetch your DVDs to restore your system - but I already got IFW for that.

I don't say FDISR isn't good, I mean, it's fine to be able to revert some unfortunate changes, but everything's always conditionnal: you may be able to revert them, but maybe you won't, in case of critical filesystem corruption, due to a virus, malware, or something else. You just can't be sure.

Erik, yes, a robust 3rd party protection tool would turn FDISR like I thought/wish it were. Again, I don't want to appear grumpy or anything , but it looks sooooo wrong to store a sort of backup, without protection (or a very minimalist one), into what you backed up!

RE

 

Look at my signature. I installed Faronics Anti-Executable (AE) in a FROZEN snapshot.
I use the frozen snapshot to remove all changes, including all malwares during the next reboot and that takes 90 seconds.
So this is alot faster than running all my scanners. No serious scanner on earth runs that fast and so complete.

Of course a frozen snapshot allows any installation and execution of any malware between two reboots and that is a serious problem. So I needed something else to protect me against that : Anti-Executable.
AE makes a whitelist of all your executable objects installed on your computer during the installation of AE.
After that AE prevents any installation and execution of not-whitelisted objects.
So I created my own sandbox. Does it work ? I don't know for sure, but in theory it should work at least for the majority of malwares.

Maybe you can also use Prevx1 for this, which is supposed to do the same and more and it is also more flexible.
AE is VERY STRICT when its security level = HIGH.

I'm not saying you have to do this, you might consider it.
I did this very recently, so I don't have much experience and didn't really test it thoroughly.

FDISR allows you to create upto 10 different bootable work environments with any possible combination of softwares. I even have a snapshot without internet connection, because I was tired of being disturbed by security software messages/popups while I was working.

Of course when you don't need all that, don't use FDISR.
Only image/file backup is a MUST, unless you like to install your computer from scratch manually.

 

I agree that FDISR covers many threats, and probably most of what you can come across surfing the web. Like I said, I don't contest its usefulness.

Yet, it's not as bullet-proof as one could expect. I know that nothing's really bullet-proof and so on, but almost-plain filesystem access is really not enough secure. I say almost, because Explorer doesn't let you go there, but come on - XYplorer isn't a special purpose tool! It's a nice file manager, like total commander. It has *not* been designed to access hidden, protected system files. This is my day to day file browser, and a lot of ppl don't use Explorer either. Thus, a hook into Explorer to prevent access doesn't cut it, does it? Maybe I'm wrong, and there's something special about XYplorer - but I doubt it!

My point is that if the average file manager can access a supposedly protected folder, malware can too probably, without special effort.

The fact that it would have to target FDISR isn't a valid point to me, because it's all too easy to design a program that scan the whole filesystem and tamper with what it finds - meaning your snapshots are compromised. Or another piece of malware could scan the FS for private information, and find stuff that you carefully removed from the active partition - but is present in a snapshot!

One could argue it's unlikely - but is it? Weren't race conditions supposed to be unlikely too?

RE

 

Well, I hear all valid arguments in this thread.
But then I think about the inital purpose of FD-ISR: offering the fastest restore into a backup installation after a software disaster. That's basically all it does.
It's the users who took this concept several steps further and started creating snapshots with different characteristics/installations. And now the users have needs that surpassed the purpose and concept of FD-ISR.