How secure are the snapshots?

Discussion in 'FirstDefense-ISR Forum' started by SourMilk, Oct 26, 2006.

Thread Status:
Not open for further replies.
  1. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    With all the trojans on the loose, I was wondering if anybody knew if the snapshots in the $ISR folder were readable. Thanks for any and all responses to such a stupid question :p.
    SourMilk out
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    A snapshot has the same vulnerability as a system partition without FDISR, and without any security software you will be infected for sure. Even a frozen snapshot doesn't protect you, it only removes all changes during reboot.

    I don't know if ONE malware is able to infect ALL snapshots or at least more than one snapshot. As long as malwares infect only the current snapshot and remain there, I don't see a problem. Infected snapshots can be removed, refreshed and recreated with clean archived snapshots.
    It's difficult to prove this, when FDISR-users secure their snapshots with several security softwares. Most malwares will be removed this way without infecting anything.

    I have an off-line snapshot on my system partition. If that snapshot ever gets infected, I have the proof that malwares can infect more than one snapshot, because my off-line snapshot can only be infected via my on-line snapshot and I consider this as impossible until the opposite is proven. :)
    I have only one weak moment in creating my CLEAN archived snapshots and images, I have to be on-line very shortly to activate winXPproSP2 and I hate M$ for that. The MVP's of M$ still don't know that internet is full of threats. :rolleyes:
     
    Last edited: Oct 26, 2006
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: This is a concern. Snapshots including normal, frozen or even archived are designed to work independently, like a cell. If one fails, the others come to the rescue. In theory, it is ideal. Has the perimeter permeability been looked at? If there are tiny holes existing w/ these borders, how securely are malwares contained within a frozen snapshot? What if, with a very slight chance, these evils sneak thru? The entire system will be in big limbo. Just a few thoughts:-*
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Theoretically everything is possible, but I like to see some proof instead of words and horror stories.
    When this ever happens we can report it to Raxco.
    Raxco will probably tell us that FDISR isn't designed for that and that FDISR is not a security software.
    So it's up to us to protect our snapshots as good as possible.
     
    Last edited: Oct 26, 2006
  5. King FN Kong

    King FN Kong Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    134
    That's not a stupid question at all. ;)

    I don't think users know how "secure" one snapshot is from other snapshots, would be best to wait/ask developers.

    I would like to know as well.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I certainly don't depend on FDISR and Raxco already admitted that FDISR isn't foolproof, which is logical, because there always will be a brilliant malware-writer somewhere in the world that is able to compromise snapshots.
    I depend on my 100% clean archived snapshots and clean images, because they have been created off-line and are only used for restoration.
    Once my clean computer is back on-line, I consider it as possibly infected.
     
  7. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi folks: Hi Erik, I assume you have the archived snapshot stored at a different partition, not at the same partition where the primary and frozen snapshots are. In this case, should malwares compromise the frozen snapshot and subsequently permeate into other ones, all the damages will be contained within that partition. This is logical. And FD-ISR is still somewhat foolproof.:-*
     
  8. King FN Kong

    King FN Kong Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    134
    Who here depends on FDISR anyway? Again, the question is, "how secure" is the lock on the inactive snapshots?
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Nobody is able to tell that for certain and I already explained this in my previous post.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I think we have beaten this to death.

    1. The word secure implies security. This ISN'T security software.
    2. FDISR "protects" the other snapshots with Windows NTFS file security and permissions. It is possible, albeit painful, to manually remove a snapshot. I've done it. It means resetting file and folder permissions, ownership etc, etc. It took me almost 3 hours to do it.
    3. Based on 2. it's obvious if I can do it manually, then malware could be designed to do it.
    4. For malware to do this it would first have to determine FDISR is present, and then go to work. Based on the probable number of installs of FDISR, the risk of that is small.

    Given all this, if I am going to do what I consider risky surfing, I do go to another snapshot, but I turn up the security stuff, and count on that. I also keep images and FDISR archives, on an external drive that is off. That way even if something could infect across snapshots, and detect when a clean snapshot is installed and infect it I am protected.

    Pete
     
  11. King FN Kong

    King FN Kong Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    134
    There is a good answer. Thnx
     
  12. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Wow! Thanks people for all the great answers. I just got back from grocery shopping and checked the forum. I never thought I would get so many responses.

    Maybe Leapfrog could introduce encryption to the snapshots or their storage. One could probably encrypt an ARX folder on another partition/drive as a safety device.

    Thanks to all again.

    SourMilk out
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well I'm still trying all kinds of things with FDISR after 6 months, this is quite an interesting software, while ATI is such a bore. :)
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well I took care of that 6 months ago. I have:
    1. Special clean backup files for restoration only.
    2. Special clean archived snapshots for restoration only.
    3. Daily system partition backup files for backup and restoration = harddisk 1
    4. Daily data partition backup files for backup and restoration = harddisk 2
    5. Daily archived snapshots for each snapshot.
    All stored on an off-line external harddisk and not on CD/DVDs. = harddisk 3

    I might be a newbie in internet/malware stuff, but I'm not stupid.
    I don't even care anymore when something happens to my system/data partition. :)
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    FDISR isn't quite that fragile. Say you do something and it rewrites a standard MBR. Not a problem. When you boot, you won't see the preboot screen, but once you are up and running, if you open the First Defense GUI, you see preboot is disabled. Just enable it and you are back in business. Next reboot, and the preboot screen will be there. This has been tested and confirmed.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Tested indeed and it works. I've spent enough time on restoring any possible disaster scenario. I'm prepared, more than most users ever will.
    Now I have to continue with finding the right softwares to protect my computer in order to reduce the possible disaster scenarios to the absolute minimum. :)
     
  17. cthorpe

    cthorpe Registered Member

    Joined:
    Jun 30, 2006
    Posts:
    168
    Location:
    Texas
    Just something to think about...

    As discussed in another thread, there is a shareware file manager called xyplorer that can access inactive snapshots without making any changes to permissions. Please be aware that doing any of the actions I am about to describe may damage your snapshots.

    I was able to do the following:

    1) Access an inactive frozen snapshot and copy data out of it into the active snapshot. This data that I copied was data that would have been lost if I booted into the frozen snapshot, since it had been created recently and was not in an anchored location.

    2) Copy files into an inactive snapshot and have them be present when I booted into that snapshot.

    3) Copy the software registry hive out of an inactive snapshot into an active snapshot. Once the hive was in the active snapshot, I was able to load it, modify it, then copy it back into the inactive snapshot. To test, I disabled a few autoruns and added a few. When booting back into that inactive snapshot, my changes took effect.

    4) It seems like it would be easy to copy any of the hives from the active snapshot into an inactive snapshot, though I have not tried it.

    I did run into a few instances of Windows wanting to do a chkdsk when rebooting, and actually had ISR get confused about which snapshot was frozen. Usually I have a snapshot called "Alpha" frozen. While testing, I was making changes to my snapshot called "Beta." I booted back into Alpha after testing #3 above and noticed that it didn't revert to my frozen state. I checked, and somehow Beta was listed as frozen and Alpha was not.

    So how likely is it that a given malware will be aware of isr and cause damage to other snapshots? I would guess that it is not very likely.
    How hard would it be for a given malware to cause damage or spread to inactive snapshots? Looks like it wouldn't be too much trouble. Just use the same methods that xyplorer uses to access the snapshots.
     
    Last edited: Oct 29, 2006
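    The defensive counterpart to the tests above, and to the offline archives Peter2150 and ErikAlbert rely on, is an integrity manifest: hash every file in an archived snapshot while it is known clean, keep the manifest on the offline drive beside it, and re-verify before restoring so that any modified, added or removed file is flagged. The Python script below is an added example written for this thread; it is not code from FDISR, Raxco, xyplorer or any poster. The folder layout it builds (an ARX folder holding an "Alpha" snapshot with a "software" hive file and a boot.ini) is constructed purely for the demonstration and does not claim to be FDISR's real on-disk layout.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of one file, read in chunks so large snapshot files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return manifest


def save_manifest(manifest, manifest_path):
    """Write the manifest as JSON; keep it on the offline drive next to the archive."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def verify_manifest(root, manifest):
    """Compare the archive on disk against a trusted manifest.

    Returns the sorted lists of modified, added and removed files plus a
    'clean' flag. A file whose hash differs counts as modified even when its
    size is unchanged, so a same-length edit to a hive is still caught.
    """
    current = build_manifest(root)
    modified = sorted(
        rel for rel in manifest
        if rel in current and current[rel]["sha256"] != manifest[rel]["sha256"]
    )
    added = sorted(rel for rel in current if rel not in manifest)
    removed = sorted(rel for rel in manifest if rel not in current)
    return {
        "modified": modified,
        "added": added,
        "removed": removed,
        "clean": not (modified or added or removed),
    }


def demo():
    """Constructed walk-through: baseline a clean archive, tamper with it, re-verify.

    The ARX/Alpha layout and the file names are invented for this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ARX" / "Alpha"
        config = root / "WINDOWS" / "system32" / "config"
        config.mkdir(parents=True)
        (config / "software").write_bytes(b"constructed hive contents v1")
        (root / "boot.ini").write_text("[boot loader]\n")

        # 1. Baseline taken while the archive is known clean (offline).
        manifest_path = Path(tmp) / "Alpha.manifest.json"
        save_manifest(build_manifest(root), manifest_path)

        # 2. Simulated tampering of the kind the thread discusses:
        #    a hive edited, a file dropped in, a file removed.
        (config / "software").write_bytes(b"constructed hive contents v2")
        (root / "WINDOWS" / "dropped.dll").write_bytes(b"not a real binary")
        (root / "boot.ini").unlink()

        # 3. Verification step you would run before restoring from the archive.
        return verify_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Run it against a real archive by calling `save_manifest(build_manifest(archive_dir), manifest_file)` once, with the drive online only for that step, and `verify_manifest(archive_dir, load_manifest(manifest_file))` before every restore. The manifest only proves the archive matches what it looked like at baseline, so the baseline itself must be taken from a snapshot created offline, exactly as ErikAlbert describes.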
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Couple of thoughts.

    1. If you would have lost data without copying out of a frozen snapshot on reboot, then this was a bad application of freezing.

    2. You are skating on thin ice moving data and registries between snapshots. The whole point of FDISR is to have it so if you mess something up you can fix it by booting to another snapshot. Why go out of your way to try and mess them up. It is already a given that it can be done.

    3. You are absolutely right that if someone wanted to target FDISR they could. But why would you bother. Better to target easy marks.

    Pete
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I agree with Peter. You are raping FDISR by using xyplorer to change the contents of snapshots and this could cause problems sooner or later.
    That it can be done, doesn't mean you can do it without risks.
    You are not supposed to be there, otherwise FDISR would have offered functions to do this.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm innocent. I never recommended tools like xyplorer and fsutil, I didn't even know these tools.
    My advice : stick to the functions of FDISR to do the job. :D
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Just want to add it has a free version as well.
     
  22. cthorpe

    cthorpe Registered Member

    Joined:
    Jun 30, 2006
    Posts:
    168
    Location:
    Texas
    I performed the tests I mentioned as tests. I do not utilize xyplorer or any other method to access inactive snapshots. It was merely a test to see what could be done and to address the question of how secure the snapshots are.

    I do disagree, however, with the idea that you shouldn't do something just because the software doesn't provide the functionality on its own. If we followed that logic, then we wouldn't be using ISR in the first place, as obviously Windows itself wasn't designed to have multiple snapshots. On the other hand, using tools such as fsutil or another program to create hard links is merely using the built in functionality of the operating system. Is it for everyone? Of course not. Neither are many of the utilities discussed at Wilders. If understood and used correctly, however, these functions can extend the power of ISR.

    C
     
  23. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you for testing this cthorpe.
    I always thought this type of access was possible and it is nice to have it confirmed.
    It is unlikely that malware would include this specific type of cross snapshot file infection, but as you have shown, it is not difficult either.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    This really didn't need a test. Raxco has acknowledged it is possible. Actually if you wanted to go thru the pain, you could manually change ownership, permissions etc and access them thru explorer.

    Only question is why?
     
  25. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Pete,

    Where did Raxco acknowledge that cross snapshot file infection/modification is possible?

    The why is to prove whether FDISR has some magical barrier that would prevent malware from spreading from one snapshot to another.
    The why is also to prove whether FDISR could be used as a primary line of protection from malware instead of its normally associated place as a secondary or tertiary line of protection (system recovery when primary lines fail).
    I knew in theory there was no substantive barrier between snapshots and that it is not meant as a primary line of defense, but it is important to prove it and now it has been.
     