Frozen Snapshot vs. Scanners.

Discussion in 'FirstDefense-ISR Forum' started by ErikAlbert, Sep 27, 2006.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    Hello,
    Simplest solutions:
    Do not run anything you don't trust.
    Use Restriction Policies to whitelist executables.
    Mrk
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you download malicious software and install it,
    only your anchored folders are vulnerable in a frozen snapshot, if the malware has those folders as a target, of course.
    The rest will be cleaned during a reboot.

    A frozen snapshot doesn't control the user's actions, and no security software does that. Security software is not intelligent and doesn't have any intuition; it only does what the programmer told it to do.
    Some websites call their software intelligent and intuitive, because that sells better, but no programmer is able to turn his program into a human being.
    Only SF movies have intelligent and intuitive software. :D
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    BlueZannetti,
    Yes I remember those posts and I understand you very well.
    I'm just offering a possibility to users, who don't like to run scanners all the time and still want a clean computer the next morning.
    The combination "Frozen snapshot + AE" for instance, allows these users to work in a normal way with their software.
    Only NEW software (good or bad) is refused, and the frozen snapshot is an extra safety if AE fails or their firewall fails.
     
  4. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    @ErikAlbert - correct - the frozen snapshot "can't" get infected - but that is not the only thing that matters - the user's data (documents, .TIF/.WMV/.DOC/.SWF, etc.) can all become infected and destroy the rest of the data - a rollback won't protect you from that. An infection could destroy the snapshot, and then you're really out of luck.

    If you want a "malware free" snapshot, then you can do the rollback - sure that works - but that will not work for real users in the real world - meaning end-users. No one is going to remember to make sure they snapshot each set of data as they progressively add to it over the course of a year or more. At some point there will be an infection that is saved off with the user data.

    Having a clean snapshot is just that - a clean snapshot - it may work for you - but it likely won't work for users in the real world.

    Understand that I am not criticizing your (or anyone's) use of snapshots, but the reality is, as long as there are spyware infections - there will need to be scanners - that's the bottom line. Viruses have been around for well over 10 years and they still exist...

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That depends on how well execution is stopped. If execution is well protected, your personal data won't be infected either, unless you download infected files yourself, but that is another problem.
    Anti-Executable with the security level set to high doesn't allow anything to install or run that is not whitelisted. All whitelisted applications run normally.
    So this is a good environment for users who always work with the same applications to do their job and use the internet for research.
    The frozen snapshot is an extra safety to remove the malware that passed through Anti-Executable or the firewall.
    Scanners don't even stop the execution, and users usually run their scanners once per day to clean their computer, and what isn't found remains on their computer. If users don't care about that, then they don't need to be surprised about being infected, and can live with it.
    A frozen snapshot also restores your registry, your history, ... all this extra software isn't necessary anymore.
     
  6. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    I fully understand the snapshot model as we use them in testing everyday. The Process Firewall applications are great for those that understand what a process is, and can determine if something is indeed bad - one mistake can jeopardize the entire system - snapshot or not. If the snapshot operating system has access to the actual data drive, then that too can be compromised.

    A new snapshot has to be created each time a user performs simple tasks such as:

    * Changes any browser settings
    * Changes any Windows settings
    * Changes installed applications

    etc, etc, etc. - you get the idea - anytime anything (application or user) changes a single registry value, the entire snapshot has to be saved off or the changes will not be kept for the next session. Items such as autoforms and password data would also not be saved unless a new snapshot is made.

    This also includes the browser cache and cookies - a snapshot completely invalidates the use of the browser cache and for dial-up users this would dramatically slow down their ability to surf pages they visit often with any speed - unless they save snapshots each time they visit a page so that the cache can be retained.

    Many scanners, including SUPERAntiSpyware Professional, do block the execution of known spyware applications - granted a new, undiscovered harmful application could get through - but so could it on a snapshot system or process firewalled system if the user simply clicks "Yes/Allow" and allows the execution of the application.

    It sounds as if the snapshot model works well for you - it just won't work for real-world users - too many things change on the computer daily.

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
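The two posts above describe the same mechanics from opposite sides: Erik's point that only anchored folders stay writable across a reboot, and Nick's point that every settings change is lost unless the snapshot is saved off again, and that re-freezing an infected session makes the infection permanent. The toy model below is an added example written for this thread; it is not FirstDefense-ISR code, and the paths, the "dropper" and the corrupted document are constructed. It keeps a frozen image plus a per-session overlay, routes writes under anchored folders straight to the persistent image, and shows what a reboot and a re-freeze each do to those writes. The `drift_from` check is an assumption of the example, a cheap comparison against a known-clean image to run before re-freezing.

```python
"""Toy model of a frozen snapshot with anchored folders.

Added example; it is not FirstDefense-ISR code. Paths, file contents and the
"malware" writes are constructed to illustrate which changes survive a reboot.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class FrozenSnapshot:
    """Frozen system image plus a per-session overlay of changes."""

    frozen: Dict[str, str]                                 # committed image: path -> content
    anchored: Set[str]                                     # folder prefixes that always persist
    overlay: Dict[str, str] = field(default_factory=dict)  # this session's writes

    def _is_anchored(self, path: str) -> bool:
        return any(path.startswith(prefix) for prefix in self.anchored)

    def write(self, path: str, content: str) -> None:
        """Writes under an anchored folder hit the persistent image directly;
        everything else lands in the session overlay."""
        if self._is_anchored(path):
            self.frozen[path] = content
        else:
            self.overlay[path] = content

    def read(self, path: str) -> Optional[str]:
        if path in self.overlay:
            return self.overlay[path]
        return self.frozen.get(path)

    def reboot(self) -> None:
        """Discard the overlay: the frozen part of the system comes back clean."""
        self.overlay.clear()

    def refreeze(self) -> None:
        """Commit the session into the image (the step the user must remember);
        anything malicious present at this moment becomes part of the snapshot."""
        self.frozen.update(self.overlay)
        self.overlay.clear()

    def drift_from(self, clean_image: Dict[str, str]) -> Dict[str, str]:
        """Paths whose effective content differs from a known-clean image
        (hypothetical check, worth running before re-freezing)."""
        view = {**self.frozen, **self.overlay}
        return {p: c for p, c in view.items() if clean_image.get(p) != c}


CLEAN_IMAGE = {  # constructed baseline
    "C:/Windows/System32/kernel32.dll": "<os>",
    "C:/Users/erik/browser/prefs": "homepage=about:blank",
    "C:/Data/report.doc": "quarterly report",
}


def session_then_reboot() -> dict:
    """Malware and a legitimate settings change in one session, then a reboot."""
    system = FrozenSnapshot(frozen=dict(CLEAN_IMAGE), anchored={"C:/Data/"})
    # constructed "infection": a dropper, a Run key and a corrupted user document
    system.write("C:/Windows/System32/evil.dll", "<dropper>")
    system.write("HKLM/Software/Run/evil", "C:/Windows/System32/evil.dll")
    system.write("C:/Data/report.doc", "<corrupted>")
    # legitimate change the user would expect to keep
    system.write("C:/Users/erik/browser/prefs", "homepage=wilders")
    system.reboot()
    return {
        "dropper": system.read("C:/Windows/System32/evil.dll"),   # gone
        "run_key": system.read("HKLM/Software/Run/evil"),         # gone
        "report": system.read("C:/Data/report.doc"),              # anchored: still corrupted
        "prefs": system.read("C:/Users/erik/browser/prefs"),      # back to the frozen value
    }


def refreeze_while_infected() -> dict:
    """Re-freezing without checking bakes the dropper into the snapshot."""
    system = FrozenSnapshot(frozen=dict(CLEAN_IMAGE), anchored={"C:/Data/"})
    system.write("C:/Windows/System32/evil.dll", "<dropper>")
    drift = sorted(system.drift_from(CLEAN_IMAGE))  # the check that would have caught it
    system.refreeze()
    system.reboot()
    return {
        "dropper_after_reboot": system.read("C:/Windows/System32/evil.dll"),
        "drift_before_refreeze": drift,
    }


if __name__ == "__main__":
    print(session_then_reboot())
    print(refreeze_while_infected())
```

The first scenario is Erik's case: the dropper and its Run key vanish on reboot, but so does the browser preference, and the anchored document stays corrupted because anchored writes never went through the overlay. The second is Nick's warning: one re-freeze with the dropper present and every later reboot restores it.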
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well, it works for me so far, but it's still an experiment. I just wanted a second opinion from Wilders to get an idea of possible OTHER problems, and I agree that it isn't very flexible.
    Nevertheless I'm going to use it for a longer period. I prefer to spend time on my job/hobbies, and running scanners isn't one of them.
    I created an off-line snapshot without internet connection, no security, no browser, no emails, that allows me to work in a silent environment.
    But I also need an on-line snapshot, and that is my frozen snapshot without too much security software.
    All the rest of my snapshots are for testing software.
    Thanks for all the useful information, I will keep it in mind when I use my frozen snapshot. :)
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Nick

    I think you are missing Erik's point. He only uses the "freeze" rollback function on a surfing snapshot, so there is no data loss situation. However, I agree totally with you, in that very, very few users would have the discipline to follow through with that kind of plan.

    Pete
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Indeed Peter and that is what BlueZannetti and Nick are trying to tell me too.
    It requires too much discipline and average users don't like that.
     
  10. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: Excuse me for jumping in. I understand that Erik is experimenting with the frozen snapshot model w/ FD-ISR, and I do have a question to ask Nick; you say that the snapshot model is not a bulletproof method, does your assessment also apply to a frozen partition/drive created by DeepFreeze or ShadowUser? From what I have learned so far, those two apps freeze the whole partition/drive and any damage that occurred can be wiped out upon reboot. Your clarification on this issue is appreciated.
     
  11. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Pete - I completely understand Erik's point - I just want to clarify for users that the rollback system is not a system for the typical user.

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     
  12. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    A frozen snapshot won't become "infected" as it is a snapshot in time - so when you restore the snapshot you won't be infected. The other products you mention, as well as product such as Ghost, Drive Image, etc. will also preserve the non-infected "state". The issue is that MOST typical users won't grasp the fact that they start with a clean system each time, and if they make ANY changes to Windows settings, program settings, etc. they need to "re-freeze" the image and ensure that they are not infected when they freeze the image.

    I am not bashing the idea of Images, Virtual Machines, etc. - the point is, that the snapshot system is not practical for the TYPICAL USER.

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I totally agree. I want an all-working PC, not a machine that needs to boot into different snapshots for different work.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    @Aigle I agree, but I do use a different snapshot for dodgy surfing. I also make sure all my security stuff is up to snuff.

    @Nick Not sure people here are typical. The likelihood of the "typical" user finding Rollback, FDISR or most security software is highly unlikely. More likely the typical user is using the expired trial stuff that came on his Dell, etc. :rolleyes:

    Pete
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    For that, OK. But for this I will just use a frozen snapshot, EAZ-FIX, DF, Sandboxie, SU, SS or anything like this. But I will not bother with any scanner, HIPS etc. here. After I finish my surfing, I will just Rollback/Delete everything etc. according to the software I used.

    I do it many times.
     
  16. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: After using DeepFreeze for a while, I do have a wishful thought: if every computer were equipped w/ a sandbox-virtualization app such as Sandboxie, ShadowUser, DeepFreeze and so on, we probably would not need so many security programs, or that many system cleaners. This would lead to a minimal but optimal defense lineup. I have enjoyed the benefits and wish that I could have started with these sandboxes much earlier.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are right.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Indeed, that's the main reason why I'm doing all these experiments: to get rid of most of my security software.
    I can't depend on Windows, because M$ offers the same classical security software and it isn't better, or is even worse, than the third-party security software.
    Look at Windows Defender, everybody is ditching it because it doesn't do anything; System Restore doesn't work outside Windows and doesn't do a better job inside Windows either.

    Why doesn't M$ design a Windows that recovers itself during reboot and removes anything that doesn't belong in the original installation of Windows, instead of giving BSODs to users?
    Windows should have its own well-protected registry and a separate registry for third-party software.
    Why is M$ spending its time on transparent windows, while their Operating System has more holes than a Swiss cheese?
    M$ has all the means/money/brains and doesn't do anything with it, while other poor companies create better Operating Systems and Applications.
    M$ is like a bank, selling software to users and buying software from other companies, but they lost their creativity.
     
  19. nexstar

    nexstar Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    371
    Location:
    Southampton, UK
    I seem to remember that we used to have this years ago and called it ROM
    ;)
     
  20. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: ROM? Interesting, can you tell us more? I am still in the infancy of my computer years. Thanks.
     
  21. nexstar

    nexstar Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    371
    Location:
    Southampton, UK
    It was a bit of a tongue-in-cheek comment to be honest but, most of the original home computers would store their operating system in Read Only Memory (ROM). The modern-day equivalent is the BIOS chip on the motherboard.

    Now, if only the OS could be squeezed into the BIOS chip:)
     
  22. nexstar

    nexstar Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    371
    Location:
    Southampton, UK
    Yes, you are right. For me, that was one of the reasons I stopped using FDISR as it required a lot of disk space for each snapshot. But we all have slightly different requirements:)
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Just a correction here, I should have said ShadowUser instead of ShadowSurfer as I just came to know that ShadowSurfer will not play nice with FDISR due to lack of exclusion feature in it.
     
  24. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Do you agree then? You have always maintained that you are looking for a solution for less knowledgeable users, but are we to assume that these users are above average in discipline?

    I've noticed that your ideal setup has now evolved to include the addition of an anti-executable. Have you tried using an anti-executable for any appreciable amount of time? Do you really think a less knowledgeable user will be able to use such a tool (leaving aside diligence issues)?
     
  25. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    One thing you might consider is that this process isn't as simple as you paint it. Whitelisting the correct applications is not a simple task, particularly when you take into account updaters.
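Mrkvonic's opening advice (whitelist executables with restriction policies) and Devil's Advocate's caveat about updaters are two sides of one design decision: what the allowlist rule keys on. The toy allowlist below is an added example written for this thread, not Software Restriction Policies or Anti-Executable code; the binaries are constructed temporary files, and the "updater" simply rewrites one of them. It compares a hash rule, which pins exact file content, with a path rule, which trusts a folder, and shows the failure mode of each: the hash rule blocks the application after a legitimate update, the path rule runs anything dropped into the trusted folder.

```python
"""Toy execution allowlist: hash rules vs. path rules.

Added example, not Software Restriction Policies or Anti-Executable code.
The binaries are constructed temp files; the "updater" just rewrites one.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path
from typing import Set


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


class ExecutionAllowlist:
    """Default-deny: a binary runs only if a hash rule or a path rule matches."""

    def __init__(self) -> None:
        self.hashes: Set[str] = set()
        self.paths: Set[Path] = set()

    def trust_hash(self, binary: Path) -> None:
        """Hash rule: pins this exact file content (what a clean baseline captures)."""
        self.hashes.add(sha256_of(binary))

    def trust_path(self, folder: Path) -> None:
        """Path rule: anything under the folder may run, updated or not."""
        self.paths.add(folder.resolve())

    def decide(self, binary: Path) -> str:
        if sha256_of(binary) in self.hashes:
            return "allow:hash"
        resolved = binary.resolve()
        if any(folder in resolved.parents for folder in self.paths):
            return "allow:path"
        return "deny"


def demo() -> dict:
    """Run both rule styles through an update and a drop into a trusted folder."""
    with tempfile.TemporaryDirectory() as tmp:
        appdir = Path(tmp) / "Program Files" / "App"
        appdir.mkdir(parents=True)
        app = appdir / "app.exe"
        app.write_bytes(b"app v1")  # constructed binary, version 1

        hash_only = ExecutionAllowlist()
        hash_only.trust_hash(app)
        path_only = ExecutionAllowlist()
        path_only.trust_path(appdir)

        results = {
            "v1_hash": hash_only.decide(app),   # allow:hash
            "v1_path": path_only.decide(app),   # allow:path
        }

        # an updater replaces the binary: the pinned hash no longer matches
        app.write_bytes(b"app v2")
        results["v2_hash"] = hash_only.decide(app)   # deny (the updater problem)
        results["v2_path"] = path_only.decide(app)   # allow:path

        # something dropped into the trusted folder: the path rule lets it run
        dropper = appdir / "dropper.exe"
        dropper.write_bytes(b"not the app")
        results["dropper_hash"] = hash_only.decide(dropper)   # deny
        results["dropper_path"] = path_only.decide(dropper)   # allow:path
        return results


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

The practical consequence for the "less knowledgeable user" question is visible in `v2_hash`: a hash-pinned allowlist stops working the first time an application updates itself, so either someone re-trusts each new binary or the rule falls back to trusting a folder, and `dropper_path` shows what that fallback gives up.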
     