FirstDefense-ISR and Rootkit Recovery

Discussion in 'FirstDefense-ISR Forum' started by G1111, Dec 22, 2005.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Open the log file and click on the plus and you will see a record of every action. From that you can identify the errors. If you run Process Guard, and don't disable it, there are two of your errors.

    Pete
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    No, there is no yearly subscription fee. I would contact Raxco tech support about the errors, it is unusual for there to be errors, at least for me.

    Acadia
     
  3. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks - I may try another image and see if the errors persist and then contact tech. support. Thanks for the response.
     
  4. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Do you have the very latest build of FD, released just a couple of weeks ago? It fixed one bug that did indeed produce errors, although FD still was able to function OK without fouling up your system. If all of your errors are from that particular bug, then FD is still OK to use but you definitely need to double check with tech support if you continue to receive errors with the latest build, because build number 166 should produce no errors.

    http://www.raxco.com/support/windows/updates.cfm#FDISR

    Acadia
     
  5. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    It wouldn't hurt to run a boot-time CHKDSK /F on your system drive before you try again.
     
  6. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    I get a lot of errors that are due to timing issues related to copying image files such as jpg, gif, png, etc. The files get copied but FD tries to verify too soon, doesn't get a response and counts that as an error. I've reported this to Raxco (about 3 months ago) but haven't seen a 'fix' yet.
    It is tedious to scan for 'error' and read the messages, I almost go blind.
    One way to reduce the lines to review is to perform the copy, then wipe the logs then perform the copy again (then check the logs which are smaller because not much has changed since the first copy).

    Valid errors occur if, for example, you haven't disabled Process Guard Protection, which prevents FD from copying the pghash.dat and pguard.dat files, so you should check the log. However, if I haven't installed anything new, I get the same # of errors on the image files and if that stays constant, then I don't bother checking.

    Jim
     
  7. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks for the responses but after playing with it today (and the cost after the evaluation period is over) I decided to unload it. Scan times were long (about 45 minutes). There was no manual available in the evaluation copy (that I could open). There were also errors in each of the scans. ProcessGuard would not initialize after I rebooted from an imaged copy (but I did not disable it before the scans). Anyhow, thanks for the responses.
     
  8. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    How big is your c: drive? Mine is about 2.4GB and it takes about 7 minutes to create a new snapshot. To refresh a snapshot takes a few seconds because only changed and new objects are copied to the target and deleted objects are removed from the target. You should probably 'anchor' objects like your outlook.pst so it's not copied, since this is data, not a program, and can be available in every snapshot. Other data objects should be in a different (d:?) partition so that the snapshots are just for your OS and application programs.
    As I said, PG needs to be disabled to have its critical files copied and PG won't work if you didn't. This isn't difficult. The image errors are annoying, but so is putting on seatbelts in the car, but, like seatbelts, FDISR provides important protection that far outweighs the 'inconvenience'.
     
  9. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    JW - It is around 8 GB worth of data. I am sure I did not follow the needed procedures to make the program work properly. I wish I could get a hold of the manual to read what steps I need to take, etc. beforehand. Obviously I missed exiting PG first, probably should have done the same to UnhackMe and maybe a few other resident programs. May try this one again (FDISR) someday. I like the idea. Right now I back up all my data and things I can't lose to an external HD. I don't back up the entire HD though. One question is when you boot into a snapshot, do you have to keep rebooting into the same snapshot? That is, how would you dump the original HD contents if the original was corrupted or infected, or on the next reboot does it take you to the snapshot you selected (I am sure there is a way to do this, I just am unaware of the procedure)? Also are AV scans 2X, 3X as long based on the number of snapshots you keep? Did do a CHKDSK /F and corrected 2 errors. Thanks for the responses.
     
    Last edited: Jan 4, 2006
  10. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    When FD is working properly you can boot into any Snapshot at any time. If you want to recover from a mistake of some kind that you made on a particular Snapshot, you would boot into a pristine Snapshot and use it to update the muffed up Snapshot. Then you can reboot back into the original Snapshot and it will be as good as new. Whenever you use one Snapshot to update another, both Snapshots are then identical. So if you use a good Snapshot to update a bad Snapshot, both Snapshots would now be good.

    Acadia
     
  11. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Acadia - How would you make your default (boot) snapshot your main one so that on reboot you don't have to <Enter> F1 again to enter the same or other snapshot? That is, if I reboot (F1) to a snapshot I know is good and want to make that one my default or permanent so I don't have to keep rebooting using FD (and entering F1)?
     
  12. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Whatever Snapshot you are in when you shut your system down, you will be in that Snapshot the next time that you turn your system on. Whenever you enter into a Snapshot it is as if the other Snapshots cease to exist; that Snapshot becomes your one and only c:drive. All Snapshots have equal weight and importance, you can choose any Snapshot that you want to use as your normal booting Snapshot; if you are in that Snapshot when you shut down, you will be in that Snapshot when you reboot. You can enter another Snapshot either by the F1 reboot method, or using the option to do so in the FD-ISR program itself.

    Acadia
     
  13. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    G1111, there is a pdf manual that you can look at or download here, look for the FirstDefense-ISR User Guide:
    http://www.raxco.com/support/windows/SupportOptions.cfm?product=fdisr&ProductVersion=fd

    This is for the older version of FD but the older version of FD is identical to the newer version in the way that those particular features work. Downloading the pdf at the above link will give you a good heads up on many of the features of the new version; the way those old features work has not changed.

    Acadia
     
  14. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks Acadia - That clears it up. I will also download the manual.

    Are AV scan times longer (depending on how many snapshots you have saved)?

    From FD website:
    "There are interoperability issues with Kaspersky Anti-Virus 5.0 and FirstDefense. If you have KAV 5.0 installed, then FirstDefense is not supported on your system."

    I am currently using KAV 5.0 personal. May have to wait for this to be resolved until I try FD-ISR again or switch to NOD32 when my KAV subscription expires.
     
  15. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Ok, be EXTREMELY careful if you have both KAV 5.0 and FD on your system. In version 5.0, KAV uses the Alternate Data Streams when you do a full system on-demand scan. The ADS hoses the Master Boot Record setup for the FD program -- I KNOW FROM PERSONAL EXPERIENCE.

    As I understand it, you can still use KAV on your system if you turn off the ADS feature somewhere in the options, or something like that. There are a couple of folks here who use KAV and FD with the ADS turned off. I personally made the switch to NOD, but that is just my personal preference, plus I got pissed at KAV tech support for ignoring my pleas for help when their product hosed my MBR.

    Scan times may be longer depending upon which AV that you are using. Yes, my scan times are unfortunately much longer with NOD as it scans all 10 of my Snapshots; picture scanning your c:drive 10 times consecutively. Norton and I believe McAfee did not scan all snapshots. Also, TrojanHunter and Spy Sweeper will scan all Snapshots. I use Spy Sweeper's Smart Sweep option to avoid that. AdAware and Spybot do not scan all 10 Snapshots. Good luck.

    Acadia
     
  16. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks Acadia - You need to turn ADS (Kavichs) off when you install KAV. I believe to disable it you need to uninstall and you can get rid of them during the uninstall process. There is also a KAVICHS cleaner tool at Kaspersky's website. I still have a few of them on my machine (they show up in a RootkitRevealer scan). I wasn't concerned about them, but would have to clear those out if I reinstalled FDISR. That may explain some of the errors in the snapshots I created.
     
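    The leftover KAV streams G1111 mentions are ordinary NTFS alternate data streams, so they can be inventoried without a rootkit scanner. The following PowerShell is an added example, not something posted in the thread or shipped by Raxco or Kaspersky; it assumes Windows PowerShell 3.0 or later (for `Get-Item -Stream`) and an NTFS volume, and the stream name `Kavichs` is taken from the post above.

```powershell
# Added example: inventory NTFS alternate data streams under a root path,
# highlighting the "Kavichs" streams that KAV 5.0's iStreams feature leaves
# behind (the ones RootkitRevealer reports and FD-ISR's verify pass trips on).
# Assumes PowerShell 3.0+ and NTFS; listing only, nothing is deleted.
param(
    [string]$Root = 'C:\',
    [string]$StreamName = 'Kavichs'   # stream name used by KAV 5.0, per the thread
)

# Walk every file (hidden/system included) and ask NTFS for all of its streams.
# Each file always has the unnamed ':$DATA' stream, so that one is filtered out.
$ads = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } |
    Select-Object FileName, Stream, Length

# Files still carrying the KAV stream; these would need the vendor cleaner
# (or KLStream.exe, as Peter2150 describes) before reinstalling FD-ISR.
$kav = $ads | Where-Object { $_.Stream -eq $StreamName }
Write-Host ("Files with '{0}' stream: {1}" -f $StreamName, @($kav).Count)
$kav | Format-Table FileName, Length -AutoSize

# Everything else with a named stream, grouped by stream name, so unexpected
# streams (not just KAV's) stand out for review.
$ads | Where-Object { $_.Stream -ne $StreamName } |
    Group-Object Stream | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

    Run it from an elevated prompt so protected directories are not silently skipped; once the list is confirmed, `Remove-Item -LiteralPath <file> -Stream Kavichs` removes a single stream without touching the file's primary data.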
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    The ADS remover at Kaspersky did not work for me, I had to use another, the program that RejZor created.

    Acadia
     
  18. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    I'll have to check that one out. Do you have a link?
     
  19. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    No, sorry, I don't. As you are probably aware, he's a very regular member here, just send him a PM.

    Acadia
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Guys

    I am running KAV 5.0 on one machine with FDISR. Yes you do need to install it with the Istream turned off. I used KLStream.exe from the kav website to clean the machine. Works best if in the C:\ root directory.

    The new KAV 6.0 which is currently in beta uses a different database technology which works great with FDISR. I like it cause a full scan on my machine takes about 1:15 minutes, but then scans after that take about 4 minutes.

    Also I've watched, and KAV scans the root $isr directory, program and logs directory, but doesn't scan the other snapshots.

    @G1111 Aside from disabling process guard, I would also disable your AV when you use FDISR. It will run much faster. Also I would recommend if you are going to consider one snapshot as a "default" I would make the primary one built by FDISR when you installed it. This is your original C:\ drive.

    Pete
     
  21. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks for the comments and answers everyone. I put this back on my list to try again. I see the need for a recovery program even though I have a lot of security running.
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Although it should be mentioned there are two FD files running in Task Manager, namely ISRMonitor.exe and ISRService.exe. However, they are very small in size, around 450k and 590k respectively.
     