FIRST DEFENSE users: a concern

Discussion in 'FirstDefense-ISR Forum' started by Acadia, Dec 12, 2005.

Thread Status:
Not open for further replies.
  1. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Please don’t get me wrong here, I still consider FD my all-time-favorite program, EVER. In fact, it is because of my love for this program that I am posting this: I wish to continue to have faith in this program.

    FD uses the special qualities of the NTFS file system to perform its magic, which is why FD is incompatible with operating systems that are not on NTFS. The theory is that the special folders that FD creates, and uses to store its Snapshots, are "off limits" and protected from EVERYTHING, much like the GoBack bins, or hidden partition, or whatever GoBack is using these days.

    In the past year I have used three security scanning programs that have been able to get inside of those supposedly protected folders and start scanning them; yes, those of you who know how FD works, it would be just like scanning an entire c: drive, because that’s basically what each Snapshot is. Trial versions of TrojanHunter, NOD32, and a purchased version of Webroot’s Spy Sweeper have all been able to get inside of those folders. OK, so that is probably no big deal since these are programs that are not out to do any damage to our systems. But I do have one concern: if these programs are able to get inside of those protected folders, could a virus or Trojan do the same?

    I never had ANY program get inside of the GoBack bin during the five years that I used it, but I had never tried TrojanHunter or Spy Sweeper during that time; I did have NOD32 on my system during that time and it could never get inside the GoBack bin.

    During the past year-and-a-half that I have had FirstDefense on my system, Norton AV and KAV have never been able to get inside of the "protected" FirstDefense folders.

    So, what do you fellow FD users think, like I said, I love this program and just want to feel secure with it. Thank you.

    Acadia
     
    Last edited: Dec 12, 2005
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Have you spoken with them Acadia?
     
  3. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Not about this particular issue, no. (Don't know how much weight just one voice would have.)

    Acadia
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    It is a valid question. I will be interested in their reply.
     
  5. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Hi Acadia.
    I can tell you whom to email, as the "main" person there is a pain in the butt and will not care about what you say. The person you need to email is really a great person and will try to get things done.
    I will send you the name.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Hi Acadia

    That is indeed an interesting question. I know Dantz's Retrospect backup, which is a file backup program, also backs up other snapshots. But here is the interesting part.

    Early on in my FD experience I had an uninstall fail. A subsequent install failed, and I had to remove the snapshot and FD directories manually. It was a bear of an exercise. It took quite a while, and I got a real lesson in permissions, ownership, and all that good stuff. It was so messy I've forgotten most of it. Recently, I got curious what would happen if I restored some of those other snapshot files, so I restored them to an external drive. They are still there; I can't access or remove them. I'm going to have to relearn what I'd forgotten. That tells me they are fairly secure.

    I may pursue this a bit tomorrow.

    Pete
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Hi Acadia

    Just a further thought tonight. I would be surprised if anything could do anything with the Goback.bin.

    Years ago I worked with a file system that was based on tape data. If you were to look at those files, all you would see is records consisting of 8-bit words. But the program that read the file had a table that told it to read the first x words of a record. Then it went to a table that told it, okay, this is the kind of record you have; then it read another x words and got additional info. Finally it would get the data the same way. The data could be ASCII or in any number of formats. Again, this was spelled out in the headers. These files often contained 20-50 files of varying size.

    I would bet Goback.bin is a file with some kind of similar structure, and without the GoBack program you can't decipher the records. Obviously no file-based type of scanner could read the contents.

    On the other hand, FD stores copies of the files in a vault. Very different. In a way I am not surprised that a few programs can read them; the question is, can they write to them?

    Actually, if I remember right from discussing this with Jason at Raxco, in theory, yes, malware could do it. But it would require the malware knowing that FirstDefense was installed; it would have to know its storage structure, and have enough privilege to modify permissions and take ownership of both the files and structures. Given the easy targets for malware, would it be worth the bother to try and target such a few machines?

    Actually, I suspect I would be at greater risk with GoBack from defragging, or the other things that can wipe out GoBack.

    If anyone wants to get an idea of how secure those files are I'd suggest an experiment for you.

    1. Image your disk.
    2. Uninstall FDISR, but leave a snapshot.
    3. Remove the snapshot manually.
    4. Then just reinstall.

    Be prepared to have some real fun in step 3. Oh, as you are deleting the snapshot, all the Windows warnings about deleting system files are great for the nerves. :)

    Pete
     
  8. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Peter, thanks for all the info. I'm just concerned that the three security programs appeared to be able to get into those folders so easily: you could see the folders that they were scanning within those secure folders. How did they do that without special permissions or whatever? Raxco tech support told me twice that it could be a problem if the scanners removed or moved a file within those Snapshots, so it must be possible that something like that can happen. Again, if a scanner can apparently get "inside" so effortlessly, could a virus or Trojan?

    I'm planning on trialing F-Secure fairly soon, might be interesting to see what it can do.

    Thanks again,
    Acadia
     
  9. StevieO

    StevieO Guest

    Hi,

    It might be interesting to see what an app like RootkitRevealer or BlackLight etc. could also discover?


    StevieO
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Hi Guys

    I've run BlackLight and it finds nothing.

    Acadia, with all I wrote, you might have missed one key thing. Since Retrospect backs up the FD directories, I tried restoring one to an external drive. It was still as well protected as the original directories.

    Hey just got an idea. Interesting test.

    I am sure NOD32 has the ability to delete an infected file.

    1. Download eicar.com from www.eicar.org
    2. Refresh your snapshots so eicar.com is in all of them.
    3. Run NOD32, and see if it can delete eicar.com from the other snapshots.

    Reason I am not all that concerned is:

    Say you download a nasty such as a rootkit. By design it drops its stuff in the system folders, modifies the registry, etc. But it would have to be specifically designed to also know it had to look for the appropriate directories within the FD file structure and try and drop them there. Could it be done? I suspect so, but the question is why a malware author would go to that bother. Just too many easy targets. Probably someone would have to want your specific machine, and know you have FDISR. Just not a likely scenario.

    Pete
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Hi Acadia

    One other thought. I wonder if some of the security scanners are using something like the open file technology that the backup programs use. I know Retrospect has this, and it allows it to capture the system files even though the files are locked. It can read them and copy them for backup, but it can't restore Windows files while within Windows.

    My concern on FD isn't as much that something could read a file in another snapshot, but that something can't write to it or modify it. Big difference, at least I think so.

    Pete
     
  12. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Last night I ran a NOD scan on my old computer, which has 2 snapshots. I am almost positive it scanned both snapshots.
     
  13. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Raxco tech support told me to be cautious of these scanners deleting or moving a file, so I would think that it would also be possible to write to or modify a file. Anyway, you're probably right: why would a hacker bother writing a virus to penetrate those Snapshots when FD is only on a fraction of a percent of systems, and there are gazillions of easier targets? Now I'm just concerned about those scanners doing something to the Snapshots that they should not be able to see into. Since NOD32 does not let me exclude the Snapshots from scanning, NOD32 is out of consideration; now I am going to try F-Secure. Webroot's Spy Sweeper does have a feature that lets me skip the Snapshots during scanning; it means that I cannot scan my ENTIRE system, but that does not concern me, I only obtained Spy Sweeper for its real-time capabilities anyway. Thanks, Peter.

    Acadia
     
  14. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    If it took exactly twice as long as it usually does, it scanned both Snapshots; plus NOD lets you see what folders are being scanned while they are actually being scanned, and you will see the $ISR of FirstDefense being scanned, and it will take quite a long time, as long as your normal c: drive. I use all ten FD Snapshots, so you can imagine how long it would take me to scan, which is why I'm glad that I trialed NOD instead of purchasing it.

    Acadia
     
    Last edited: Dec 13, 2005
  15. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    AdAware also scans all of the snapshots. Pete, I may try your test with the eicar.
    Jim
     
  16. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Hmmm, interesting, AdAware does NOT scan all of my Snapshots. JW, what version of AdAware are you using, Pro, etc., and did you change any of the default settings? Thanks.

    Acadia
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    I just did a scan with the latest KAV 6.0 beta and it didn't scan those directories either.

    Be aware that if some program can elevate its privileges and permissions, it could access those files. The only question really is the probability of a malware author bothering to test for FDISR and do this. I suspect Raxco would be happy if their market share came even close to warranting the attention.

    That having been said, I certainly would deliberately go looking for trouble. Also, if I wanted to seriously experiment with malware, I'd image my disk first.

    As always common sense rules.

    Pete
     
  18. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    It's SE 1.06r1, set to Scan within Archives under Custom Settings.

    And to Pete, I did copy my SATA to an IDE before doing the test, you saw this previously in the OA Beta forum....

    Cheers,

    Jim
     
  19. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I got the impression the snapshots were just hidden from view. If you uninstall FD and retain the snapshots, you can see the folder they're stored in. The fact that some scanners can see these files and others can't is interesting, though.

    It's the same with some Registry cleaners. RegSeeker picks up FD references in the Registry, which should be excluded from future scans; otherwise, leaving those entries and deleting them would cause FD to fail. RegSupreme doesn't highlight the keys.
     
  20. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,277
    Location:
    Earth
    Same here, I wondered whether a virus can change it. Once I tried to revert back to a snapshot and it said a DLL was missing? Hmmmmm, can't we hide the folder or lock it with another program? r md o_O
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Geesh, I thought I'd answered this post, but I see it's not here. The snapshots aren't just hidden. If you set Explorer to view hidden and system files you can see the $ISR and its program folders, but you can't get into the snapshot. To do that you have to start changing ownership and permissions. Obviously if you can do it, some malware could conceivably elevate privileges and do something. But it would have to be written to specifically target FirstDefense, and how likely is that given FDISR isn't a high-visibility or highly installed program.

    Pete
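The two points above, Pete's eicar test in post 10 and the ownership-and-permissions barrier in post 21, can be reproduced on a scratch folder. The script below is an added example written for this thread; it is not Raxco code, it does not touch a real FDISR installation, and the `$ISR\SNAPSHOT1` layout under `%TEMP%` is a constructed stand-in for wherever your real snapshots live. It drops eicar.com into a folder, locks that folder the way the thread describes the snapshots being protected (owner set to SYSTEM, inheritance cut, Everyone denied), shows that the current token can no longer list it, and then shows what "something that can elevate its privileges" looks like: `takeown` seizing ownership through SeTakeOwnershipPrivilege and `icacls` rewriting the DACL.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread; not Raxco code, and nothing here touches a real
# FDISR install. Builds a throw-away "vault", locks it with ownership plus a
# restrictive DACL, then takes it back with admin privileges.
# The 'isr-demo\$ISR\SNAPSHOT1' layout is an assumption made for the demo.

$ErrorActionPreference = 'Stop'

# Constructed demo path (assumed layout, not the real FDISR structure).
$Vault = Join-Path $env:TEMP 'isr-demo\$ISR\SNAPSHOT1'

# Standard EICAR test string; single quotes stop PowerShell expanding the $ signs.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function New-DemoVault {
    # Steps 1-2 of Pete's test on a single folder: create it and drop eicar.com in.
    New-Item -ItemType Directory -Force -Path $Vault | Out-Null
    [IO.File]::WriteAllText((Join-Path $Vault 'eicar.com'), $Eicar, [Text.Encoding]::ASCII)
}

function Lock-DemoVault {
    # Hand ownership to SYSTEM, cut inheritance, and deny Everyone full control.
    # (OI)(CI) makes the deny ACE inherit down onto eicar.com as well.
    icacls $Vault /setowner SYSTEM | Out-Null
    icacls $Vault /inheritance:r /deny 'Everyone:(OI)(CI)F' | Out-Null
}

function Test-DemoVaultReadable {
    # $true if the current token can list the folder, $false if access is refused.
    try {
        Get-ChildItem -LiteralPath $Vault -Force | Out-Null
        return $true
    } catch {
        return $false
    }
}

function Unlock-DemoVault {
    # SeTakeOwnershipPrivilege (held by administrators) lets takeown seize the
    # folder despite the deny ACE. An owner implicitly holds READ_CONTROL and
    # WRITE_DAC, so the DACL can then be rewritten; the new inheritable grant
    # propagates to eicar.com and displaces the inherited deny.
    takeown /f $Vault | Out-Null
    icacls $Vault /remove:d Everyone /grant:r "$env:USERDOMAIN\${env:USERNAME}:(OI)(CI)F" | Out-Null
}

New-DemoVault
Lock-DemoVault
"Locked: readable by this token = $(Test-DemoVaultReadable)"
Unlock-DemoVault
"After takeown + icacls: readable by this token = $(Test-DemoVaultReadable)"

# Step 3 of Pete's test: did a resident scanner reach in while the folder was locked?
if (Test-Path -LiteralPath (Join-Path $Vault 'eicar.com')) {
    'eicar.com is still in the vault'
} else {
    'eicar.com is gone: something with enough privilege reached into the locked folder'
}
```

Run it from an elevated PowerShell session and delete `%TEMP%\isr-demo` afterwards. The "Locked" line is the behaviour the thread describes as not being able to get into a snapshot; the "After takeown" line is what a process with administrator privileges can do to the same folder without knowing anything FDISR-specific, which is the distinction f3x and Pete are circling. Whether eicar.com survives the locked interval tells you whether the scanner on that machine reads, or also removes, files behind such an ACL.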
     
  22. f3x

    f3x Guest

    Unfortunately I am not a FirstDefense customer,
    but I don't see the link between NTFS rights and targeting FirstDefense.

    I mean, if there is one way to *ultra-hide* any file/folder with a lot of security permissions, then that malware can attack those files no matter whether they are created by FirstDefense or not.

    It's not like FirstDefense installed a rootkit to hide those files, or something FD-specific.

    Sorry if I'm off the track, but I don't see any such link between special NTFS rights and FD specifically.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    The link is this.

    The average, say, rootkit drops stuff in the system area and modifies the registry. To attack a snapshot, it would first have to know it's there, and its significance. Namely, it would have to be able to drop files and modify the registry in the snapshot. To do this it would also have to elevate its privileges to be able to access the files. I am just saying it's not likely malware authors would go to the effort for the number of machines that have FDISR.

    Pete
     
  24. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I have folder options to show hidden files and folders, but I can't see $ISR anywhere. [See attached.]

    When I did a test uninstall, but retained the snapshots, I did see the $ISR folder.
     
  25. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    My $ISR folder is the very first thing that I see when I open my C:drive.

    Acadia
     