Frozen Snapshot vs. Scanners.

Dear brains,
I know you all love your scanners and don't want to ditch them, but forget all that for a brief moment, when you read this thread. After that you may keep your scanners.
I also know that frozen snapshots aren't very popular, but I like to squeeze FDISR until no possibilities are left to use by me.
Any thoughts would be welcome. I'm not really interested in good comments, I prefer negative comments to prove the idea is total nonsense or partial nonsense, severe disadvantages, whatever.

Installation of malware
AS/AV/AT/AK-Scanners WITHOUT a real-time shield allow any installation of any malware and it doesn't matter, if you work with a normal snapshot or a frozen snapshot or a system partition without FDISR.
Only scanners WITH a real-time shield protect you against installations of malwares.
To avoid any conflicts, you can only use ONE scanner WITH a real-time shield and that is of course a disadvantage, because only ONE scanner prevents the installation of malwares.
So this scanner better be an advanced+ scanner or you will be even more vulnerable.

Execution of malwares
If the installation was not prevented, we have 2 possibilities :
1. The malware is activated and starts its evil job.
2. The malware is sleeping and waiting for a trigger.
Neither scanners, nor a frozen snapshot will stop this execution.

Detection of malwares
Once the scanner runs and detects malwares using blacklists/heuristics, we have 3 possibilities :
1. The malware was NOT detected.
2. The malware was detected and reported as a false/positive.
3. The malware was detected and reported as a real malware.
A frozen snapshot doesn't detect malwares, it only detects "changes".
A frozen snapshot doesn't have false positives.

Removal of malwares
After detection, the scanner will remove the malwares, usually with user assistance and we have 3 possibilities :
1. The malware is NOT removed, because it wasn't detected.
2. The malware is removed partial and that has been proven.
3. The malware is removed completely.
A frozen snapshot however will remove everything, even malwares that bypassed the real-time shield.

CONCLUSION
1. A frozen snapshot removes ALL malwares, because it considers them as "changes" and
changes are not allowed in a frozen snapshot and removed during the next reboot.
So we are talking about a 100% REMOVAL OF MALWARES and scanners don't guarantee that.
In other words you don't need scanners anymore to remove malwares.

You still need scanners to remove malwares in download objects from an unknown source,
but this has nothing to do with this thread. That's another problem.

2. Since the installation of malwares in itself is not dangerous, we have only ONE BIG problem left :
EXECUTION of malwares, that needs to be stopped.
So a frozen snapshot only needs one or more security softwares that stop the execution of malwares.
Keep also in mind ;
- that sleeping malwares aren't dangerous YET and they will be removed anyway by the frozen snapshot.
- that stopping the execution doesn't need to be 100%, because all malwares will be removed anyway by the frozen snapshot.

Having the less-knowledgeable user in mind, I have already 2 possible security softwares to stop the execution of malwares :
1. Anti-Executable.
2. Prevx1.

 

ErikAlbert,
I agree with you and also utilize the frozen snapshot technology found within FDISR. Your proposed use of FDISR is right on. I just wanted to tweak it a bit. All executables need to be prohibited because a malicious software that is allowed to execute on your system, even for a moment, can begin arbitrarily deleting data. This deletion could even affect data from other snapshots.

 

I certainly agree with Dallen and I'm sure that Peter has the same in mind, that ALL executions need to be stopped.
Although I'm quite certain of the complete removal of malware, I'm not convinced yet that I can stop ALL executions, but I will do everything to make that also possible.
So in theory I fully agree on that, we just have to make it possible in PRACTICE.

I'm also planning to study "Online Armor" and "System Safety Monitor" more seriously as Peter suggested. I know already that they don't have any problems with FDISR, because I had both on my computer in the past.
Maybe I ditched both too quickly. Everybody makes mistakes and certainly me regarding internet and malwares, two subjects I'm not sure about anything.
I'm already very happy, I can ditch my scanners. I'm dreaming about this, since I was a member of SWI 2 or 3 years back. I just didn't know how to do it.

I admit that booting in to a frozen snapshot takes more time, but that boot-time is NOTHING compared with the total run-time of all your scanners, not even when you use only one scanner.
Another big advantage is the reassurance that your computer is clean, I never had that feeling after running all my scanners, not even after getting the messages "Congrats. No threats found."
These messages give you a fake feeling of being safe, that's a psychological trick of scanners, you feel safe in your head, but that doesn't mean your computer is safe.

I'm planning to re-install my computer anyway, not because I'm in trouble, but because I recently discovered the freeware "nLite", which looks very promising.
I didn't test it completely yet to confirm my expectations, but I was stupified by the pre-tests.
IF nLite really works, I have another dream that comes true : moving the complete folder "Documents and Settings" to my data partition [D:].

My actual separation works only for myself and not for all users, if I would have more than one user on my computer at home in a network and that was bothering me constantly. nLite is supposed to solve that problem.
Once I re-installed my computer with my new "nLite WinXPproSP2 Installation CD" + all my other applications, I will know alot more about this.

Thanks alot for the remarks and tips.

P.S.: I wonder if you can do this with RollbackRx/Eaz-fix also.
One thing that always bothered me was the baseline snapshot of RollbackRx, while FDISR doesn't have a baseline snapshot.

 

Well that will be the difference between you and me. I will try it without scanners, but we agree on stopping the execution.
The basic idea is there, but that doesn't mean I won't check this in practice. I only have to find ways to keep this "experiment" under control.
But I have time enough, malwares are still there tomorrow.

If we would do exactly the same thing, we can't learn anything from eachother either.

 

I'm already doing what ErikAlbert is doing with my "Surfing" snapshot. However, within this snapshot I am still running an AV and one AS (real-time). This is probably due entirely to paranoia.

ErikAlbert,
In my opinion, you are on the right track. Personally, I think that finding a method of stopping all executable files is overkill. Furthermore, with ActiveX and other similar methods I'm not sure that you'd still be entirely theoretically safe. The real goal is to be practicably safe. In actuality, I think that ditching your scanners and using the frozen snapshot technology from FDISR is virtually safe.

 

Dallen,
Yes to stop ALL executions won't be that easy.
Don't forget that scanners were most probably the first protection of computers, so most users grew up with these scanners.
I can understand their mixed feelings, if you suddenly tell them they can ditch them in a frozen snapshot. LOL.

Keep also in mind that scanners detect and remove grosso modo the same malwares, only the differences makes them special.
So if you buy an extra scanner of the same type, you pay alot of money for only the differences, because the rest is the same.

Another big disadvantage is that you have alot of redundancy, because one scanner doesn't know what the other scanner already scanned. So each scanner starts all over again and this is a huge waste of time.
The more scanners you have, the bigger the redundancy will be, the more time the user will need to run them.

 

Why not to use ShadowSurfer free in a simple snapshot without any other thing (except firewall) and u will be more secure.
It will even stop KillDisk virus.
Not tested all this set up though. But I think it to be more secyre and no need for any anti-executable, prevx etc.

 

Instead of "I think" can't you say "I know" ? That would be more reassuring for me.

 

@ErikAlbert - where do you propose users store their data? Data certainly can't be rolled back via a snapshot or all work would be lost. What if the data becomes partially infected i.e. Word Macro Virus, etc.? What if the infection lies dormant for a year and thousands of "good changes" have happened to the snapshot during daily work - if the users rolls back the original snapshot then they lose their actual data, settings, installed programs, etc.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

 

It depends on what you do with your computer I guess. If I had to use a frozen snapshot, I would have thousands of entries in my anchored data list.
And I would probably keep losing changes, because I didn't mark the file/folder as anchored yet.
But maybe I misunderstood what you meant.

RE

 

Hello,
One question, Erik: why would you get infected with malware in the first place?
Mrk

 

Ya, I wish I could!
BTW, As Nick said, I believe an AV is must in any way.

 

It has been a while since I used FDISR but isn't the Rollback 'baseline' the equivalent of the 'primary snapshot' in FDISR, or is there more to it?

 

Straight from the FirstDefense-ISR Help :

This means that any anchored folder in the frozen snapshot will keep its changes after reboot.
I don't have any experience with anchoring, because I store my data on another harddisk. So I don't need anchoring.
If a user wishes to keep his data on the system partition, than he has to anchor the folder(s) where his personal data is stored. For instance the folder : "C:\Documents and Settings"

Peter is familiar with anchoring and he probably knows better than me which folder(s) have to be anchored.

Peter's idea and I quote :

is also very good and even better, because the more you anchor folders in a frozen snapshot, the more vulnerable it becomes for infections.
I use Peter's idea, because my data is somewhere else. If I want to keep something in my frozen snapshot, I only have to store it in my data partition [D:]. FDISR works only on the system partition [C:].

It depends on what the users wants. FDISR only offers possibilities and it's up to the user HOW to use them or how to combine them.

I certainly proved that a COMPLETE REMOVAL of threats is possible in a frozen snapshot and scanners try to do the same thing, but not so complete and fast as a frozen snapshot. I clean my frozen snapshot in 90-120 seconds, not even ONE scanner works so fast if it does a FULL scan.

Only the EXECUTION is a problem and needs to be stopped, but scanners don't stop the execution either.
So you need one or more security softwares to stop the execution of malwares between two reboots, once the reboot is done all threats are gone anyway.
Since Wilders is full of experts, I'm waiting for good proposals to stop the execution of malwares.
I got already 5 proposals :
1. Online Armor
2. System Safety Monitor
3. Prevx1
4. Anti-Executable
5. ShadowSurfer

 

Mrkvonic visit the forum SWI and you will see how many users are infected and begging for help to solve their HijackThis Log.
I don't work for knowledgeable users, I work for less-knowledgeable users or indifferent users.

 

If my memory is good, you can NOT DELETE a baseline snapshot, because all other snapshots depend on that baseline snapshot.
All snapshots in FDISR are independent units and the Primary Snapshot is just a snapshot like any other snapshot.
You can delete a Primary Snapshot, rename it, etc. it doesn't matter and it's true, because I did enough tests to prove it.

 

In that case Nick has to prove that a frozen snapshot is not good enough to remove ANY threat. I only need some proof and Nick is better qualified than me to prove it. I'm a newbie+++ compared with Nick.
A frozen snapshot doesn't accept any change and no change means NO CHANGE.
Even the smallest change in the settings of a software isn't accepted by a frozen snapshot.

 

You probably don't understand it, because you have still your OLD configuration in mind.
I don't need any anchoring and I still can store my personal data.
You have to think logical and theoretical and start all over again and forget the past and your old ways of doing it.

 

Ya I know. But if u save any thing while surfing then?

 

It will not stop executables. However it will stop them from doing any harm to the system.
I suggested it as a replacement for both anti-executable and frozen snapshot( 2 in 1 and free).

 

ErikAlbert,

On the face of it, I don't see huge issues in principle. You have a restorable snapshot as an immediate rollback/cleanup protocol and a mechanism to prevent the start of various types of non-whitelisted executables. If one tries hard, there are subtle gaps that can, in principle, be identified (e.g. potential malware scripting under an application whitelisted by AE and things along this path), but pragmatically speaking, that eventuality is so inconsequential that it is worth ignoring all together.

As I previously mentioned some time ago in other threads (for example You do NOT need any other security software... or A perfect security system?), this style of approach requires maintaining very strict discipline. That is where the problem lies for most users, they will become complacent over time, start taking shortcuts, and eventually regret it. You can maintain it won't happen, but I see it happen all too frequently in situations that lead to much more severe outcomes (namely industrial manufacturing plant accidents). These poor folks understood the risks as well, but were trying to save a couple of minutes here and there. It's no different than not booting to the "surf only" snapshot because, well, I needed to finish up quickly...

It's not that the approach is total nonsense, it's that in some scenarios that "shouldn't" happen, you may be left wide open. Personally, given the choice between say "surf only snapshot + Prevx or AE" and "KAV or NOD32 + Prevx or AE", I would still choose the latter although I recognize that both approaches will work, in principle.

Blue