Introducing AX64 Time Machine - hybrid imaging/snapshot software

Discussion in 'backup, imaging & disk mgmt' started by Isso, Jan 18, 2013.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Good to know about beta.

    @Isso
    Can AX64 work with Linux partitions? What if I use it just for normal image and restore of my Linux partition?
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Good to know about beta.

    @Isso
    Can AX64 work with Linux partitions? What if I use it just for normal image and restore of my Linux partition?

    Can I expect the beta to fix bypass by TDL4 rootkit etc.?

    Thanks
     
  3. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,236
    Location:
    USA
    aigle, would you please inform me as to what that's all about (wrt AX64)?

    Thanks,
    Cruise
     
  4. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    Aigle, TDL4 is a MBR vectored infection. At the moment, to my understanding, AXTM does not deal with the MBR in any way. Based on that, the infection would stand between snapshots.
     
  5. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    Aigle, I think AXTM needs an indigenous volume tracking mechanism for the partition it protects. My guess is that only the Windows ROOT system partition is the one it can manage at the moment.
     
  6. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450
    Froggie, aigle,

    We already added MBR restore support to the program, so beta version should cope with TDL rootkit just fine. I'll be testing it in upcoming days.

    Linux partitions aren't supported, sorry.

    For supported partitions - the user may select any partition (system, or non-system) to be protected. In both cases, if a boot (small hidden) partition exists on the drive, that is automatically backed up and restored too.
     
  7. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    Don't take those thinking caps off just yet... :eek:

    There are two new variants of the TDL rootkit... one modifies the VBR (Volume Boot Record) and leaves the MBR intact (do you image the VBR when you're taking your snapshot?), the other creates a hidden partition out at the end of the disk with its own file structure (looks UNALLOCATED to a partition tool), makes it active, then modifies the partition table in the MBR to BOOT through the hidden partition (kinda like a special SYSTEM partition).

    These guys are very creative...
     
  8. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450
    Froggie,

    Thank you for the information. Yes, AXTM does restore VBR too. So as long as TDL depends on either VBR or MBR, it should be killed upon restore.

    Isso
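
A defender's view of the two variants discussed above, as an added example that is not part of the original thread or AX64's code: it records a baseline of the MBR bytes before the partition table, the partition table itself and each partition's VBR, then reports what changed. The sample disk image and all function names are constructed for illustration; a classic (non-GPT) MBR layout with 512-byte sectors is assumed.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return the used entries of a classic (non-GPT) MBR partition table."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    table = []
    for slot in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * slot)
        if ptype:  # type 0x00 marks an unused slot
            table.append((slot, status == 0x80, ptype, lba, count))
    return table

def boot_profile(disk):
    """Hash the MBR bytes before the partition table and each partition's VBR."""
    sha = lambda b: hashlib.sha256(b).hexdigest()
    table = parse_mbr(disk[:SECTOR])
    vbr = {lba: sha(disk[lba * SECTOR:(lba + 1) * SECTOR]) for _, _, _, lba, _ in table}
    return {"mbr_code": sha(disk[:446]), "table": table, "vbr": vbr}

def compare(baseline, current):
    """List boot-path differences between a trusted profile and the current one."""
    findings = []
    if baseline["mbr_code"] != current["mbr_code"]:
        findings.append("mbr-code-changed")
    if baseline["table"] != current["table"]:
        findings.append("partition-table-changed")
    active = lambda p: [e[3] for e in p["table"] if e[1]]
    if active(baseline) != active(current):
        findings.append("active-partition-changed")
    for lba, digest in baseline["vbr"].items():
        if current["vbr"].get(lba) != digest:
            findings.append(f"vbr-changed@lba{lba}")
    return findings

def sample_disk(entries, vbr_fill=b"V"):
    """Constructed 64-sector image: filler boot code, one VBR at LBA 8."""
    disk = bytearray(b"\x90" * 446 + bytes(64 * SECTOR - 446))
    for slot, (active, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", disk, 446 + 16 * slot, 0x80 if active else 0, ptype, lba, count)
    disk[510:512] = b"\x55\xaa"
    disk[8 * SECTOR:9 * SECTOR] = vbr_fill * SECTOR
    return bytes(disk)

if __name__ == "__main__":
    clean, moved = [(True, 0x07, 8, 40)], [(False, 0x07, 8, 40), (True, 0x17, 56, 8)]
    print(compare(boot_profile(sample_disk(clean)), boot_profile(sample_disk(moved))))
```

The baseline has to be taken from a state known to be clean and stored off the protected disk, otherwise the comparison only confirms the current state against itself.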
     
  9. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,236
    Location:
    USA
    Should it? While there's no arguing that would enhance malware-protection, I don't think that invading the MBR is the only way malware could mess-up an AX64 system!

    Cruise
     
  10. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,236
    Location:
    USA
    Isso, while the ability to restore the MBR is important, I hope that it's a selectable option because there are times when we might not want to restore the MBR.

    Cruise
     
  11. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450
    Cruise, yes, that's an optional feature. I agree that malware may use other methods to compromise the system, but MBR IMHO should be protected, because it's one of the parts of OS that is quite easy to hack.

    Isso
     
  12. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,236
    Location:
    USA
    Excellent.


    No argument about that, but some of the 'nasties' out there load direct disk I/O drivers which can cause havoc anywhere!

    Cruise
     
  13. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450
    Yeah I agree. But those drivers will be placed into the partition itself, so will be handled by normal backup/restore.

    Isso
     
  14. carfal

    carfal Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    177
    Isso, I've solved the "Error! Please try other media" message.

    It's amazing how trying to resolve another issue brings light on existing problems. I installed the latest version of IFW v2.80 and was trying to create a boot disk for it. It was failing miserably. It complained that the Winre.wim file was not at its expected location. I wondered if my F8 boot recovery still worked and discovered that the "Startup repair" option terminated with error. I have no idea how long this had been broken.

    I did a quick google and soon learned that Winre.wim should be located in a hidden/protected folder called "C:\Recovery". Since I don't know how to get folder permissions properly to look inside (and then there's the issue of reinstating them exactly the same) I thought I'd do a google on repairing the Winre environment. I concluded that I'm the only person in the world with this issue. :argh: All the links talked about everything except how to fix missing files. Then I remembered a program from Josh Cell from MyDigitalLife forums called "Winownership". Essentially allows access to protected folders/files. I was able to look inside "C:\Recovery\{GUID}" and saw that Winre.wim had been renamed to Winre.dat. So I renamed it back to Winre.wim and my startup repair now works.

    It suddenly hit me that this was probably the issue with AX64 boot disk creation so I tried it again and problem solved! It successfully created the boot disk.
     
    Last edited: Mar 9, 2013
  15. carfal

    carfal Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    177
    Thanks for your suggestion and links RollbackFrog. I did download them but as you can see from my post above this issue should now be fixable.
     
  16. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,175
    Location:
    NSW, Australia
    carfal,

    Aladdin knows all about missing winre.wim. I think his was due to Rollback Rx usage.
     
  17. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Hi Brian,

    You beat me to this! :D

    Yes, it is Rollback Rx which renames the winre.wim to winre.dat. And, upon uninstall of Rollback Rx, it doesn't name back the file to the original name. From winre.dat to winre.wim.

    I remember pulling my hair out on my machines, eventually I had to reinstall Win 7 x64 on four of my machines, which is not a very easy task.

    Best regards,

    Mohamed
     
    Last edited: Mar 9, 2013
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    TDL4 can bypass AX64 recovery ATM.
     
  20. carfal

    carfal Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    177
    I just ran some tests in a VM and as predicted you guys are right, RBRX is the culprit of renaming the "Winre.wim" file to "Winre.dat".

    However it seems they've fixed the issue in RBRx v10 of renaming it back to Winre.wim after uninstalling RBRX. In my VM, Winre.wim was correctly renamed back after uninstall.

    I haven't had any issue since I manually renamed "Winre.dat" back to "Winre.wim" while RBRx v10 was still installed.

    I'll keep an eye on it and report any adverse effects.
     
  21. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450
    carfal,

    Of course, how could I forget about Winre.dat issue! We discussed it a while ago and aladdin pointed the problem root. I'm happy that it works for you now.

    Isso
     
  22. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450
    By the way, does anyone have any idea about why RBX renames that wim file?

    Isso
     
  23. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    To disable Windows Recovery. Windows Recovery breaks Rollback Rx.

    Best regards,

    Mohamed
     
  24. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear Carfal,

    You can see now how badly Rollback Rx is written. From version 6 or 7 until version 9, for many, many years Rollback Rx messed up the "System Recovery", even for those who just wanted to have a 14-day trial.

    I am sure that you won't agree that Rollback Rx is a craaapy program and HDS is an ethical company, but it doesn't matter. Most people on this forum have already concluded as such.

    Having said the above, I have still some machines suffering from the above based on the 14-day trial I had on these machines. And, would like detailed instructions on how you fixed your machine. If we don't need to hijack this thread, then you can please PM me.

    Best regards,
     
  25. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450
    I see, thank you Mohamed. Ironically, we faced two same problems as Rollback RX about a year ago - 1) TRIM support and 2) Problems when the volume is modified from outside OS.

    Rollback RX developers just went ahead and used two hacks - disabled TRIM and recovery environment. That I guess would take us a week to implement. Instead we spent an entire year to properly resolve those issues, as I would never even think of releasing a program with such ugly hacks.

    What we have as a result - RBX guys are making money for an entire year, and we are almost broke. Summary - it's not always a good idea to perfect the program.

    Moreover - if RBX guys now fix any of these problems, and make a paid update - the users will happily buy it, giving even more revenue to the company (another advantage of releasing a non-perfect program).

    Just thinking out loud...
     