Frozen Snapshot vs. Scanners.

Discussion in 'FirstDefense-ISR Forum' started by ErikAlbert, Sep 27, 2006.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Dear brains,
    I know you all love your scanners and don't want to ditch them, but forget all that for a brief moment, when you read this thread. After that you may keep your scanners. :D
    I also know that frozen snapshots aren't very popular, but I like to squeeze FDISR until no possibilities are left to use by me.
    Any thoughts would be welcome. I'm not really interested in good comments, I prefer negative comments to prove the idea is total nonsense or partial nonsense, severe disadvantages, whatever.

    Installation of malware
    AS/AV/AT/AK-Scanners WITHOUT a real-time shield allow any installation of any malware and it doesn't matter, if you work with a normal snapshot or a frozen snapshot or a system partition without FDISR.
    Only scanners WITH a real-time shield protect you against installations of malwares.
    To avoid any conflicts, you can only use ONE scanner WITH a real-time shield and that is of course a disadvantage, because only ONE scanner prevents the installation of malwares.
    So this scanner better be an advanced+ scanner or you will be even more vulnerable.

    Execution of malwares
    If the installation was not prevented, we have 2 possibilities :
    1. The malware is activated and starts its evil job.
    2. The malware is sleeping and waiting for a trigger.
    Neither scanners, nor a frozen snapshot will stop this execution.

    Detection of malwares
    Once the scanner runs and detects malwares using blacklists/heuristics, we have 3 possibilities :
    1. The malware was NOT detected.
    2. The malware was detected and reported as a false positive.
    3. The malware was detected and reported as a real malware.
    A frozen snapshot doesn't detect malwares, it only detects "changes".
    A frozen snapshot doesn't have false positives.

    Removal of malwares
    After detection, the scanner will remove the malwares, usually with user assistance and we have 3 possibilities :
    1. The malware is NOT removed, because it wasn't detected.
    2. The malware is removed partially, and that has been proven.
    3. The malware is removed completely.
    A frozen snapshot however will remove everything, even malwares that bypassed the real-time shield.

    CONCLUSION
    1. A frozen snapshot removes ALL malwares, because it considers them as "changes" and
    changes are not allowed in a frozen snapshot and removed during the next reboot.
    So we are talking about a 100% REMOVAL OF MALWARES and scanners don't guarantee that.
    In other words you don't need scanners anymore to remove malwares.

    You still need scanners to remove malwares in download objects from an unknown source,
    but this has nothing to do with this thread. That's another problem.


    2. Since the installation of malwares in itself is not dangerous, we have only ONE BIG problem left :
    EXECUTION of malwares, that needs to be stopped.
    So a frozen snapshot only needs one or more security softwares that stop the execution of malwares.
    Keep also in mind:
    - that sleeping malwares aren't dangerous YET and they will be removed anyway by the frozen snapshot.
    - that stopping the execution doesn't need to be 100%, because all malwares will be removed anyway by the frozen snapshot.

    Having the less-knowledgeable user in mind, I have already 2 possible security softwares to stop the execution of malwares :
    1. Anti-Executable.
    2. Prevx1.
     
    Last edited: Sep 27, 2006
  2. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    ErikAlbert,
    I agree with you and also utilize the frozen snapshot technology found within FDISR. Your proposed use of FDISR is right on. I just wanted to tweak it a bit. All executables need to be prohibited because a malicious software that is allowed to execute on your system, even for a moment, can begin arbitrarily deleting data. This deletion could even affect data from other snapshots.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,055
    Hi gang

    Only difference I see is I'd swap out Faronic's and Prevx1 for Online Armor and System safety Monitor.

    The reason, Erik, is you are already totally over the head of the "less knowledgeable user", so that it doesn't matter. OA gives you the anti-executable and really reins in Internet Explorer should you need it. SSM gives you excellent parent-child relationships, meaning it not only controls what can run but who can run it.

    Pete
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I certainly agree with Dallen and I'm sure that Peter has the same in mind, that ALL executions need to be stopped.
    Although I'm quite certain of the complete removal of malware, I'm not convinced yet that I can stop ALL executions, but I will do everything to make that also possible.
    So in theory I fully agree on that, we just have to make it possible in PRACTICE.

    I'm also planning to study "Online Armor" and "System Safety Monitor" more seriously as Peter suggested. I know already that they don't have any problems with FDISR, because I had both on my computer in the past.
    Maybe I ditched both too quickly. Everybody makes mistakes and certainly me regarding internet and malwares, two subjects I'm not sure about anything.
    I'm already very happy, I can ditch my scanners. I'm dreaming about this, since I was a member of SWI 2 or 3 years back. I just didn't know how to do it.

    I admit that booting into a frozen snapshot takes more time, but that boot-time is NOTHING compared with the total run-time of all your scanners, not even when you use only one scanner.
    Another big advantage is the reassurance that your computer is clean, I never had that feeling after running all my scanners, not even after getting the messages "Congrats. No threats found."
    These messages give you a fake feeling of being safe, that's a psychological trick of scanners, you feel safe in your head, but that doesn't mean your computer is safe.

    I'm planning to re-install my computer anyway, not because I'm in trouble, but because I recently discovered the freeware "nLite", which looks very promising.
    I didn't test it completely yet to confirm my expectations, but I was stupefied by the pre-tests.
    IF nLite really works, I have another dream that comes true: moving the complete folder "Documents and Settings" to my data partition [D:].

    My actual separation works only for myself and not for all users, if I would have more than one user on my computer at home in a network and that was bothering me constantly. nLite is supposed to solve that problem.
    Once I re-installed my computer with my new "nLite WinXPproSP2 Installation CD" + all my other applications, I will know a lot more about this.

    Thanks a lot for the remarks and tips.

    P.S.: I wonder if you can do this with RollbackRx/Eaz-fix also.
    One thing that always bothered me was the baseline snapshot of RollbackRx, while FDISR doesn't have a baseline snapshot.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,055
    Hi Erik

    I'd agree with everything except maybe some about the scanners. I do run Superantispyware realtime (rarely do an on-demand scan) and I also run KAV 6.0 (latest betas) and the slowdown is not noticed. KAV has fired up when on dodgy websites, as does Online Armor if it has ActiveX stuff. One of the reasons I like KAV is I can do a full system scan with it in about 1.5 minutes. Is it 100%? No. But KAV updates signatures very frequently, so it's not bad. One more protection.

    Pete
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well that will be the difference between you and me. I will try it without scanners, but we agree on stopping the execution. :D
    The basic idea is there, but that doesn't mean I won't check this in practice. I only have to find ways to keep this "experiment" under control.
    But I have time enough, malwares are still there tomorrow. :D

    If we would do exactly the same thing, we can't learn anything from each other either.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,055
    Erik, we aren't far from being on the same side. If it weren't for KAV's ability to scan the way it does (and the paranoids say that isn't safe) then I would probably be on the same path as you.

    Pete
     
  8. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I'm already doing what ErikAlbert is doing with my "Surfing" snapshot. However, within this snapshot I am still running an AV and one AS (real-time). This is probably due entirely to paranoia.

    ErikAlbert,
    In my opinion, you are on the right track. Personally, I think that finding a method of stopping all executable files is overkill. Furthermore, with ActiveX and other similar methods I'm not sure that you'd still be entirely theoretically safe. The real goal is to be practicably safe. In actuality, I think that ditching your scanners and using the frozen snapshot technology from FDISR is virtually safe.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Dallen,
    Yes to stop ALL executions won't be that easy.
    Don't forget that scanners were most probably the first protection of computers, so most users grew up with these scanners.
    I can understand their mixed feelings, if you suddenly tell them they can ditch them in a frozen snapshot. LOL.

    Keep also in mind that scanners detect and remove grosso modo the same malwares, only the differences make them special.
    So if you buy an extra scanner of the same type, you pay a lot of money for only the differences, because the rest is the same.

    Another big disadvantage is that you have a lot of redundancy, because one scanner doesn't know what the other scanner already scanned. So each scanner starts all over again and this is a huge waste of time.
    The more scanners you have, the bigger the redundancy will be, the more time the user will need to run them.
     
    Last edited: Sep 28, 2006
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Why not use ShadowSurfer free in a simple snapshot without any other thing (except firewall) and u will be more secure.
    It will even stop KillDisk virus.
    Not tested all this set up though. But I think it to be more secure and no need for any anti-executable, prevx etc.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Instead of "I think" can't you say "I know" ? That would be more reassuring for me. :D
     
  12. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    @ErikAlbert - where do you propose users store their data? Data certainly can't be rolled back via a snapshot or all work would be lost. What if the data becomes partially infected, i.e. Word Macro Virus, etc.? What if the infection lies dormant for a year and thousands of "good changes" have happened to the snapshot during daily work - if the user rolls back the original snapshot then they lose their actual data, settings, installed programs, etc.

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     
  13. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    It depends on what you do with your computer I guess. If I had to use a frozen snapshot, I would have thousands of entries in my anchored data list.
    And I would probably keep losing changes, because I didn't mark the file/folder as anchored yet.
    But maybe I misunderstood what you meant.

    RE
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,055
    No, for what Erik is doing you don't do any anchoring. You create a separate snapshot for the surfing, and you want to put back to some standard configuration on every reboot.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    One question, Erik: why would you get infected with malware in the first place?
    Mrk
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ya, I wish I could!
    BTW, As Nick said, I believe an AV is must in any way.
     
  17. nexstar

    nexstar Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    371
    Location:
    Southampton, UK
    It has been a while since I used FDISR but isn't the Rollback 'baseline' the equivalent of the 'primary snapshot' in FDISR, or is there more to it?
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Straight from the FirstDefense-ISR Help :
    This means that any anchored folder in the frozen snapshot will keep its changes after reboot.
    I don't have any experience with anchoring, because I store my data on another harddisk. So I don't need anchoring.
    If a user wishes to keep his data on the system partition, then he has to anchor the folder(s) where his personal data is stored. For instance the folder: "C:\Documents and Settings"

    Peter is familiar with anchoring and he probably knows better than me which folder(s) have to be anchored.

    Peter's idea and I quote :
    is also very good and even better, because the more you anchor folders in a frozen snapshot, the more vulnerable it becomes for infections.
    I use Peter's idea, because my data is somewhere else. If I want to keep something in my frozen snapshot, I only have to store it in my data partition [D:]. FDISR works only on the system partition [C:].

    It depends on what the users wants. FDISR only offers possibilities and it's up to the user HOW to use them or how to combine them.

    I certainly proved that a COMPLETE REMOVAL of threats is possible in a frozen snapshot and scanners try to do the same thing, but not so complete and fast as a frozen snapshot. I clean my frozen snapshot in 90-120 seconds, not even ONE scanner works so fast if it does a FULL scan.

    Only the EXECUTION is a problem and needs to be stopped, but scanners don't stop the execution either.
    So you need one or more security softwares to stop the execution of malwares between two reboots, once the reboot is done all threats are gone anyway.
    Since Wilders is full of experts, I'm waiting for good proposals to stop the execution of malwares.
    I got already 5 proposals:
    1. Online Armor
    2. System Safety Monitor
    3. Prevx1
    4. Anti-Executable
    5. ShadowSurfer
     
    Last edited: Sep 29, 2006
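The first post's four-stage breakdown (installation, execution, detection, removal) and the anchoring discussion in post 18 both come down to one mechanism: a frozen snapshot compares the live system partition against its baseline and throws away every difference at reboot, except under anchored folders. The model below is an added example, not FDISR's code or anything from the original thread; the file paths, the "malware" bytes and the signature list are constructed for the demo. It puts a blacklist scanner beside the snapshot on the same session so the contrast in the thread is visible: the scanner flags only what its signature list knows, the snapshot reports every change without knowing which ones are malicious, and the reboot reverts all of them except the anchored user document, which survives whether its change was good or bad (the point Nick raised about data in anchored folders).

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class FrozenSnapshot:
    """A frozen system partition: the baseline is restored at every reboot."""
    baseline: dict[str, bytes]                       # path -> content when frozen
    anchored: set[str] = field(default_factory=set)  # folder prefixes that keep their changes
    live: dict[str, bytes] = field(init=False)       # what the running session sees

    def __post_init__(self) -> None:
        self.live = dict(self.baseline)

    def write(self, path: str, data: bytes) -> None:
        # Nothing here stops a write (or an execution) during the session.
        self.live[path] = data

    def delete(self, path: str) -> None:
        self.live.pop(path, None)

    def changes(self) -> dict[str, str]:
        """The snapshot knows nothing about malware; it only sees differences from the baseline."""
        diff: dict[str, str] = {}
        for path in sorted(set(self.baseline) | set(self.live)):
            if path not in self.live:
                diff[path] = "deleted"
            elif path not in self.baseline:
                diff[path] = "added"
            elif digest(self.live[path]) != digest(self.baseline[path]):
                diff[path] = "modified"
        return diff

    def _is_anchored(self, path: str) -> bool:
        return any(path.startswith(prefix) for prefix in self.anchored)

    def reboot(self) -> dict[str, str]:
        """Discard every non-anchored change and report what was thrown away."""
        reverted: dict[str, str] = {}
        for path, kind in self.changes().items():
            if self._is_anchored(path):
                continue  # anchored data survives, good or bad
            reverted[path] = kind
            if path in self.baseline:
                self.live[path] = self.baseline[path]
            else:
                del self.live[path]
        return reverted


def blacklist_scanner(files: dict[str, bytes], signatures: set[str]) -> set[str]:
    """A signature scanner flags only content whose hash is on its blacklist."""
    return {path for path, data in files.items() if digest(data) in signatures}


def run_session() -> dict:
    # Constructed sample content; paths and "malware" bytes are made up for this demo.
    baseline = {
        "C:/Windows/System32/sys.dll": b"original system library",
        "C:/Program Files/App/app.exe": b"legit application",
        "C:/Documents and Settings/User/notes.txt": b"my notes",
    }
    snap = FrozenSnapshot(baseline, anchored={"C:/Documents and Settings/"})

    # The session: two droppers land, a system file is patched, the user edits a document.
    known_dropper = b"MALWARE-A (in the blacklist)"
    unknown_dropper = b"MALWARE-B (not yet in any blacklist)"
    snap.write("C:/Windows/Temp/dropper_a.exe", known_dropper)
    snap.write("C:/Windows/Temp/dropper_b.exe", unknown_dropper)
    snap.write("C:/Windows/System32/sys.dll", b"patched system library")
    snap.write("C:/Documents and Settings/User/notes.txt", b"my notes, updated today")

    signatures = {digest(known_dropper)}  # the scanner only knows dropper A
    scanner_hits = blacklist_scanner(snap.live, signatures)
    snapshot_changes = snap.changes()     # four changes, none labelled as malware
    reverted = snap.reboot()              # everything outside the anchored folder is gone
    return {
        "scanner_hits": scanner_hits,
        "snapshot_changes": snapshot_changes,
        "reverted_at_reboot": reverted,
        "surviving_changes": snap.changes(),
    }


if __name__ == "__main__":
    for key, value in run_session().items():
        print(f"{key}: {value}")
```

Running it shows the scanner catching one of the three malicious changes while the reboot reverts all three, plus the patched system file, with only the anchored `notes.txt` edit surviving; the same run also shows why anchoring is the weak point: the snapshot cannot tell an edited document from an infected one, so anything under an anchored prefix persists across reboots.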
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Mrkvonic visit the forum SWI and you will see how many users are infected and begging for help to solve their HijackThis Log.
    I don't work for knowledgeable users, I work for less-knowledgeable users or indifferent users.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If my memory is good, you can NOT DELETE a baseline snapshot, because all other snapshots depend on that baseline snapshot.
    All snapshots in FDISR are independent units and the Primary Snapshot is just a snapshot like any other snapshot.
    You can delete a Primary Snapshot, rename it, etc. it doesn't matter and it's true, because I did enough tests to prove it.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In that case Nick has to prove that a frozen snapshot is not good enough to remove ANY threat. I only need some proof and Nick is better qualified than me to prove it. I'm a newbie+++ compared with Nick.
    A frozen snapshot doesn't accept any change and no change means NO CHANGE.
    Even the smallest change in the settings of a software isn't accepted by a frozen snapshot.
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You probably don't understand it, because you have still your OLD configuration in mind.
    I don't need any anchoring and I still can store my personal data.
    You have to think logically and theoretically and start all over again and forget the past and your old ways of doing it.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ya I know. But if u save any thing while surfing then?
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It will not stop executables. However it will stop them from doing any harm to the system.
    I suggested it as a replacement for both anti-executable and frozen snapshot( 2 in 1 and free).
     
  25. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    ErikAlbert,

    On the face of it, I don't see huge issues in principle. You have a restorable snapshot as an immediate rollback/cleanup protocol and a mechanism to prevent the start of various types of non-whitelisted executables. If one tries hard, there are subtle gaps that can, in principle, be identified (e.g. potential malware scripting under an application whitelisted by AE and things along this path), but pragmatically speaking, that eventuality is so inconsequential that it is worth ignoring altogether.

    As I previously mentioned some time ago in other threads (for example You do NOT need any other security software... or A perfect security system?), this style of approach requires maintaining very strict discipline. That is where the problem lies for most users, they will become complacent over time, start taking shortcuts, and eventually regret it. You can maintain it won't happen, but I see it happen all too frequently in situations that lead to much more severe outcomes (namely industrial manufacturing plant accidents). These poor folks understood the risks as well, but were trying to save a couple of minutes here and there. It's no different than not booting to the "surf only" snapshot because, well, I needed to finish up quickly...

    It's not that the approach is total nonsense, it's that in some scenarios that "shouldn't" happen, you may be left wide open. Personally, given the choice between say "surf only snapshot + Prevx or AE" and "KAV or NOD32 + Prevx or AE", I would still choose the latter although I recognize that both approaches will work, in principle.

    Blue
     