first-defence isr

Discussion in 'FirstDefense-ISR Forum' started by the_sly_dog, Jul 21, 2010.

  1. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Hello People,
    I have installed FirstDefense-ISR (I think it's version 3.332.235) and I have installed Faronics Anti-Executable version 3.50.1111.406. The problem is I have set AE3 to maintenance mode and to off and I still get errors. If I boot into the second snapshot it will blue screen. Any help please?


    21/07/2010 21:25:03 Copying snapshot "Primary Snapshot" to "Secondary Snapshot"
    21/07/2010 21:25:03 Starting Microsoft Volume Shadow copy Service (VSS) for drive C:
    21/07/2010 21:25:13 Preparing to copy
    21/07/2010 21:27:19 Copying
    21/07/2010 21:27:19 Replacing "Boot\BCD" in "Secondary Snapshot"
    21/07/2010 21:27:19 Replacing "Boot\BCD.LOG" in "Secondary Snapshot"
    21/07/2010 21:27:19 Adding "Program Files\Faronics\AE\AeFilter.sys" to "Secondary Snapshot"
    21/07/2010 21:27:19 Error - TFO::SetNamedSecurityInfo: Access is denied.
    21/07/2010 21:27:19 Windows error number 5
    21/07/2010 21:27:19 Error - Adding "Program Files\Faronics\AE\AeFilter.sys" to "Secondary Snapshot"
    21/07/2010 21:27:19 Adding "Program Files\Faronics\AE\AeKbd.sys" to "Secondary Snapshot"
    21/07/2010 21:27:19 Error - TFO::SetNamedSecurityInfo: Access is denied.
    21/07/2010 21:27:19 Windows error number 5
    21/07/2010 21:27:19 Error - Adding "Program Files\Faronics\AE\AeKbd.sys" to "Secondary Snapshot"
    21/07/2010 21:27:19 Adding "Program Files\Faronics\AE\AeMouse.sys" to "Secondary Snapshot"
    21/07/2010 21:27:19 Error - TFO::SetNamedSecurityInfo: Access is denied.
    21/07/2010 21:27:19 Windows error number 5
    21/07/2010 21:27:19 Error - Adding "Program Files\Faronics\AE\AeMouse.sys" to "Secondary Snapshot"
    21/07/2010 21:27:19 Replacing "ProgramData\AE\AEConfig.xml" in "Secondary Snapshot"
    21/07/2010 21:27:19 Replacing "ProgramData\AeTime.dat" in "Secondary Snapshot"
    21/07/2010 21:28:57 Adding "Windows\System32\drivers\AeFilter.sys" to "Secondary Snapshot"
    21/07/2010 21:28:57 Error - TFO::SetNamedSecurityInfo: Access is denied.
    21/07/2010 21:28:57 Windows error number 5
    21/07/2010 21:28:57 Error - Adding "Windows\System32\drivers\AeFilter.sys" to "Secondary Snapshot"
    21/07/2010 21:28:57 Adding "Windows\System32\drivers\AeKbd.sys" to "Secondary Snapshot"
    21/07/2010 21:28:57 Error - TFO::SetNamedSecurityInfo: Access is denied.
    21/07/2010 21:28:57 Windows error number 5
    21/07/2010 21:28:57 Error - Adding "Windows\System32\drivers\AeKbd.sys" to "Secondary Snapshot"
    21/07/2010 21:28:57 Adding "Windows\System32\drivers\AeMouse.sys" to "Secondary Snapshot"
    21/07/2010 21:28:57 Error - TFO::SetNamedSecurityInfo: Access is denied.
    21/07/2010 21:28:57 Windows error number 5
    21/07/2010 21:28:57 Error - Adding "Windows\System32\drivers\AeMouse.sys" to "Secondary Snapshot"
    21/07/2010 21:29:02 Finalizing
    21/07/2010 21:29:05 Copied 2.07 Gb (103 files, 4 dirs); Deleted 1.76 Gb (6 files, 0 dirs); Errors 12; 00:04:01.209
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    AE uses some kind of anti-tampering in this case.

    I would install AE in both snapshots. First in the secondary, then in the primary and then I would try to update.

    Other alternative options:
    1. Contact Faronics
    2. Disable AE's services
    3. Deactivate AE's drivers

    Panagiotis
     
  3. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    I will try that, thank you.
     
  4. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Guess I might have to email Faronics. I tried to install AE3 on both the primary and the secondary snapshot; when I tried to copy I got a blue screen and had trouble getting into any snapshot. I guess they are not liking each other.
     
  5. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    You are welcome. :)

    Hmmm. I forgot another option.

    You should also check the security permissions of those driver files. Error 5 means access denied.

    PS. If you find a solution, report back. It could help someone else with similar problems.

    Panagiotis
     
  6. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Hello There

    I received an email back today; they are saying that their product is not compatible....

    I have tried changing the permissions on those files; all I get is denied, and I can't add myself to give permission.
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572

    Classic response. If they did not explain why it is incompatible, it means they did not even test it.

    Use FD-ISR's exclusion feature to exclude those drivers and try to update. If booting to the secondary snapshot does not BSOD, it means you can work around the problem with permissions. If it BSODs, they are incompatible and you will have to choose.
    What OS? Post a screenshot of the security info tab of one of those files.

    Panagiotis
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    I ran into an issue with AE also. I chose, although it's really no choice in my opinion.

    Pete
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Lol, yeah I bet that was one of the quickest choices you ever made.;)
     
  10. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
  11. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    @the_sly_dog

    You can use the command prompt to take ownership or do it the easy way with the take ownership shell.

    Panagiotis
     
  12. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    I installed that program, found all the files that gave errors, right-clicked and gave myself permission, rebooted and tried FirstDefense. Here is the log.

    24/07/2010 10:16:37 Copying snapshot "Primary Snapshot" to "Secondary Snapshot"
    24/07/2010 10:16:37 Starting Microsoft Volume Shadow copy Service (VSS) for drive C:
    24/07/2010 10:16:50 Preparing to copy
    24/07/2010 10:19:27 Copying
    24/07/2010 10:19:27 Replacing "Boot\BCD" in "Secondary Snapshot"
    24/07/2010 10:19:27 Replacing "Boot\BCD.LOG" in "Secondary Snapshot"
    24/07/2010 10:19:27 Removing folder "Config.Msi" from "Secondary Snapshot"
    24/07/2010 10:19:27 Replacing "Program Files\Analog Devices\SoundMAX\SMax.log" in "Secondary Snapshot"
    24/07/2010 10:19:27 Replacing "Program Files\Analog Devices\SoundMAX\SMax.log.bak" in "Secondary Snapshot"
    24/07/2010 10:19:27 Creating folder "Program Files\Faronics" in "Secondary Snapshot"
    24/07/2010 10:19:27 Creating folder "Program Files\Faronics\AE" in "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AEEngine.exe" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AEEventMsg.dll" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AeFilter.inf" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AeFilter.sys" to "Secondary Snapshot"
    24/07/2010 10:19:27 Error - TFO::SetNamedSecurityInfo: Access is denied.
    24/07/2010 10:19:27 Windows error number 5
    24/07/2010 10:19:27 Error - Adding "Program Files\Faronics\AE\AeFilter.sys" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AeKbd.inf" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AeKbd.sys" to "Secondary Snapshot"
    24/07/2010 10:19:27 Error - TFO::SetNamedSecurityInfo: Access is denied.
    24/07/2010 10:19:27 Windows error number 5
    24/07/2010 10:19:27 Error - Adding "Program Files\Faronics\AE\AeKbd.sys" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AeMouse.inf" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AeMouse.sys" to "Secondary Snapshot"
    24/07/2010 10:19:27 Error - TFO::SetNamedSecurityInfo: Access is denied.
    24/07/2010 10:19:27 Windows error number 5
    24/07/2010 10:19:27 Error - Adding "Program Files\Faronics\AE\AeMouse.sys" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\Aewmiprovider.dll" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AEWMIProvider.mof" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\AlertMessage.bmp" to "Secondary Snapshot"
    24/07/2010 10:19:27 Adding "Program Files\Faronics\AE\Antiexecutable.exe" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\BlackListEditor.exe" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\EXELauncher.exe" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\FAEStd_Manual.pdf" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\FAEStd_Manual_C.pdf" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\FAEStd_Manual_F.pdf" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\FAEStd_Manual_G.pdf" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\FAEStd_Manual_J.pdf" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\FAEStd_Manual_S.pdf" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\AE\WhiteListEditor.exe" to "Secondary Snapshot"
    24/07/2010 10:19:28 Finalizing folder "Program Files\Faronics\AE" in "Secondary Snapshot"
    24/07/2010 10:19:28 Creating folder "Program Files\Faronics\Faronics Core" in "Secondary Snapshot"
    24/07/2010 10:19:28 Creating folder "Program Files\Faronics\Faronics Core\Common" in "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\Faronics Core\Common\FaronicsProduct.mof" to "Secondary Snapshot"
    24/07/2010 10:19:28 Adding "Program Files\Faronics\Faronics Core\Common\FaronicsProduct_v2.mof" to "Secondary Snapshot"
    24/07/2010 10:19:29 Adding "Program Files\Faronics\Faronics Core\Common\FaronicsTracingEventLogFormat.dll" to "Secondary Snapshot"
    24/07/2010 10:19:29 Adding "Program Files\Faronics\Faronics Core\Common\MofMsiKeyPath.dll" to "Secondary Snapshot"
    24/07/2010 10:19:29 Finalizing folder "Program Files\Faronics\Faronics Core\Common" in "Secondary Snapshot"
    24/07/2010 10:19:29 Finalizing folder "Program Files\Faronics\Faronics Core" in "Secondary Snapshot"
    24/07/2010 10:19:29 Finalizing folder "Program Files\Faronics" in "Secondary Snapshot"
     
  13. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    Repost a screenshot with the security permissions of one of those files, especially the "SYSTEM" account permissions.

    Panagiotis
     
  14. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
  15. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    Hi Sly (Benjamin),

    The same problem occurred with Program Guard (from DCS).

    The solution was easy:
    1) I shut down PG (from its systray icon > right click > shutdown PG),
    2) copied the snapshot, and
    3) restarted PG using its UI.

    PG created 'lock files' on its key programs that wouldn't let the files be copied.
    It's not a 'bug', it's 'self protection'.

    Try to do the same with Faronics.

    Jim C.
     
  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    Sly, I need to see the actual permissions from the initial tab, like the one I attached here. (I am trying to understand whether the read-deny error is caused by the NTFS security attributes or by the AE drivers.)

    In the first tab, when you click on the group or user name it shows the actual permissions for that member.

    Panagiotis
     


  17. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Hello buddy, that screenshot: is that what all those files allow to come up? I don't see that window on any of the AE3 files. On all other files I see that window like yours.
     
  18. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    I gave the trial a run and there is nothing you can do about this (at least not from inside the OS).
    AE's 4 services (1 normal and 3 driver type) cannot be controlled by an admin account; you cannot access their registry keys or their files' attributes.

    The only way to circumvent this is to boot from a WinPE and modify the access security permissions of those files from there, and hope that Faronics does not revert them back to their defaults.

    Why anyone, home user or enterprise, would want to install this @*&^% on their systems is beyond my comprehension; willingly paying for and installing a rootkit over which you have absolutely no control is, at least from my point of view, insane.

    Panagiotis
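An added example, not from the thread and not Faronics or FD-ISR code: a PowerShell snippet for the two things discussed above, checking what the NTFS security descriptor on the AE driver files actually grants the SYSTEM and Administrators accounts, and taking ownership and re-granting full control from the command line (either on the live system, or against the offline volume after booting a WinPE, as suggested in the post above). The file paths are the ones FD-ISR reported error 5 on in the logs in this thread; the function names `Get-AeAclReport` and `Repair-AeAcl` and the `$Root` parameter are assumptions made for this illustration.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell.
# $Root defaults to the live system drive; pass the offline volume's letter
# (e.g. -Root 'E:\') when booted into WinPE.

# Paths copied from the FD-ISR logs posted in this thread.
$AeFiles = @(
    'Program Files\Faronics\AE\AeFilter.sys',
    'Program Files\Faronics\AE\AeKbd.sys',
    'Program Files\Faronics\AE\AeMouse.sys',
    'Windows\System32\drivers\AeFilter.sys',
    'Windows\System32\drivers\AeKbd.sys',
    'Windows\System32\drivers\AeMouse.sys'
)

function Get-AeAclReport {
    param([string]$Root = ($env:SystemDrive + '\'))
    foreach ($rel in $AeFiles) {
        $path = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }
        try {
            $acl = Get-Acl -LiteralPath $path
        } catch {
            # READ_CONTROL itself is denied: the "no Security tab on the AE files" case.
            [pscustomobject]@{ Path = $path; Owner = '<read denied>'
                               SystemRights = '<read denied>'; AdminRights = '<read denied>'
                               Error = $_.Exception.Message }
            continue
        }
        $sys = $acl.Access | Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' }
        $adm = $acl.Access | Where-Object { $_.IdentityReference -eq 'BUILTIN\Administrators' }
        [pscustomobject]@{
            Path         = $path
            Owner        = $acl.Owner
            SystemRights = ($sys | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
            AdminRights  = ($adm | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
            Error        = $null
        }
    }
}

function Repair-AeAcl {
    param([string]$Root = ($env:SystemDrive + '\'))
    foreach ($rel in $AeFiles) {
        $path = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Ownership first: WRITE_OWNER through SeTakeOwnershipPrivilege succeeds even when
        # the DACL grants the administrator nothing. Then grant SYSTEM (S-1-5-18) and
        # Administrators (S-1-5-32-544) full control by well-known SID, so the command
        # does not depend on account names being resolvable (matters in WinPE).
        & takeown.exe /F $path /A | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed on $path (exit $LASTEXITCODE)"; continue }
        & icacls.exe $path /grant '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $path (exit $LASTEXITCODE)" }
    }
}

# Usage:
#   Get-AeAclReport | Format-Table -AutoSize     # inspect first
#   Repair-AeAcl                                  # live system
#   Repair-AeAcl -Root 'E:\'                      # offline volume from WinPE
```

Two caveats a practitioner would want here. On the live system the report may show `<read denied>` rather than a DACL: that is the symptom described in this thread, and it points at the AE filter driver intercepting the call rather than at the ACL itself, in which case `takeown` and `icacls` will fail with the same error 5 no matter who runs them. Against the offline volume the filter driver is not loaded, so the repair goes through, but nothing stops the product from reapplying its protection at the next boot; verify with `Get-AeAclReport` after booting back in before trusting the fix.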
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    I can see an enterprise firm, or an internet cafe, who doesn't want someone to tamper. I like their protection concept, but when they take the control away from me it's over.
     
  20. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    LOL.
    Ping Rmus??
    https://www.wilderssecurity.com/showpost.php?p=1713798&postcount=127
    !!!
    It's got its good points.
    Great for a relatively 'fixed' box.
    Sacrifice some aspects of control for better safety: it really is a good implementation of a whitelist security app; no better one around?
    Faronics has been notorious for being a poor communicator when issues arise.
    Faronics apps can be a real problem to uninstall.
    Fun to have AE in a VM and tool around with it.

    Different to, worse in some ways and better in others than Sandboxie.
    There is experience with AE centrally managed from a console in classroom-type rollouts etc.: it seems to work well.

    Heh: conflicts with FDISR so... on this system disc....

    @the_sly_dog: if you want some rock-solid app that does "similar" and works with FDISR: Sandboxie.
    Another option might be DefenseWall (I just realised that for some reason I've never tried DW in an FDISR snapshot/copy operation).

    Pete?? Pandlouk??
     
  21. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    Yes, I see the advantages of AE too... But they could prevent tampering and still allow the admin of the system to temporarily disable it for backing up. How hard is it to add a checkmark like "deactivate AE service for x minutes/hours"?

    I am talking mostly about the standard version; I don't know if they have such a feature in the enterprise one.

    Panagiotis
     
  22. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    I'm just shooting the breeze... loved that description; pretty good if ESL??

    Heh: FDISR: the tame rootkit??

    Ya: that's a sticking point for the tool: they seem to have taken the POV that while exes can be added to the whitelist/blacklist by authorised users, the 'drivers' are never 'off'.
    Agree that what we might like to use 'should' be compatible with easy imaging routines.

    It might be possible as an Anti-Executable admin (which is not equivalent to local admin) to completely turn it off; I'm not sure.
    While I like the concept, the implementation is very secure and might be thought of as a bit cumbersome.
    Design 'give and take'.
    I don't think that since V3 they regard power users/testers like you as the market of choice.
    More the default click-happy user.

    When I tried it I got a bit frustrated: can't remember if I tried a hot image or not.
    Did not try a boot disc image.
    Still have it in the back of my mind as a possible.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Hi Longboard

    A recovery disk image should be fine, as the hard drive is inert. I love the AE concept, but I always end up having trouble. Hope springs eternal.

    So it's back to using MD, as a sort of toned-down version of AE. You can almost get it there by turning off some of the protections in MD. For me MD seems to mind its manners.

    Pete
     
  24. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I love AE, but then again, I'm still using the simple version 2. :D

    Acadia
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    It even caused me FDISR problems.
     