ISR-softwares beat On Demand Scanners

Discussion in 'other software & services' started by ErikAlbert, Sep 29, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Introduction
    1. ISR-softwares is the collective name for all Immediate System Recovery softwares:
    - DeepFreeze
    - FirstDefense-ISR + clones
    - PowerShadow
    - Returnil
    - RollbackRx + clones
    - ShadowDefender
    - ShadowUser
    - ...
    Softwares like Sandboxie, DefenseWall, ... don't belong in this list because they don't recover an entire system partition.

    The main goal of ISR-softwares is to keep your system (partition) UNCHANGED, not your personal data.
    Although they all use a different method to keep your system UNCHANGED, the final result is the same: they reset your system during reboot. Some do it even better than others.

    2. An On Demand scanner is any scanner that is used as second scanner. MAIN scanners are not included in this thread.
    Personally, I consider MAIN scanners without a real-time shield also as ON DEMAND scanners. If you don't agree with me, tell me why.

    The main goal of ON DEMAND scanners is to detect/remove any malware, that wasn't detected/removed by the MAIN scanner.
    It doesn't really matter if it's an AV/AS/AT/...-scanner, because there is no clear distinction anymore, they all remove something bad, that doesn't belong on your system and that is important.

    Differences
    To keep it pure, no other security softwares are involved than ISR-softwares and ON DEMAND scanners.
    I won't use ON DEMAND scanners anymore, I call them scanners for the rest of my post.

    Vulnerable Period
    ISR-softwares have a vulnerable period between two reboots.
    Scanners have a vulnerable period between two scans.
    Both allow installation and execution of any malware during that period. So there is no difference and that means it doesn't matter.

    Removal of Malware
    ISR-softwares remove any CHANGE and that means a complete removal of all bad changes.
    ISR-softwares don't need signatures or heuristics to remove any malware, in other words they remove :
    - any known malware
    - any unknown/undiscovered malware
    - any malware created in the future.

    Scanners remove only what they recognize as malware, using signatures and heuristics, anything else remains on your harddisk.
    Each scanner has a different signature database, so only the different signatures make a scanner special.
    This means that ONE scanner might not be enough. So how many scanners do you need? One, two, three, ...?
    This is a problem in theory. In practice, this problem is usually solved by ignoring the theory and making a final choice, but that doesn't mean the problem is solved.
    The bottom line is that scanners, and even MAIN scanners, don't guarantee a complete removal of malware.

    Removal Time
    ISR-softwares remove malware on reboot, which is usually very short, in my case less than 2 minutes, and FDISR is certainly not the fastest one.

    Scanners require a lot more than 2 minutes to do a full scan. The more scanners you have, the more time you need to run them.

    Some users run scanners only one time a week. If this scanner finds a malware, it means that this malware has been on your system during a period of 1 up to 7 days. That is the same as leaving a burglar in your house during 1-7 days to steal whatever he wants or to destroy whatever he wants. So running a scanner one time a week is absurd and only proves that users want to save time, because there is no scanner of 2 minutes.

    Since the reboot-time is so short, you can reboot more than one time a day, which means a shorter vulnerable period.

    False Positives
    ISR-softwares don't have false positives at all.

    Scanners do have false positives, not all the time, but when it happens, these false positives will be removed by less-knowledgeable users, damaging their own system this way. Kind of suicide.

    Conclusion
    1. Regarding the vulnerable period, there is no difference.
    2. Regarding removal of any malware, ISR-softwares are clearly the winners.
    3. Regarding removal time, ISR-softwares are again clearly the winners.
    4. Regarding false positives, ISR-softwares are again clearly the winners.

    So ISR-softwares are much better than ON DEMAND scanners.
     
  2. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Erik: Excellent article! If one of these ISR-virtualization softwares can be one day built into every O/S, then the days of signature-based anti malware apps are certainly numbered.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    I am very much in tune with what Erik is saying, as I am using just the combo of Sandboxie, Returnil, Online Armor, Prosecurity, and FDISR.

    BUT....

    This approach may not really work for the average user. It requires understanding what is going on. Most users want something that requires nothing on their part, and probably an AV is going to be the best bet for them.

    Pete
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    Peter2150 has already mentioned and personally tested how deadly the killdisk virus is in most virtual systems. If virtualization ever made it to every computer there would probably be new variants of these types of viruses to destroy different types of virtual systems.

    I think for your sake and for our sake at Wilders we better keep things for ourselves because any mass produced system can be defeated. I know it's a bit selfish...
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't consider the killdisk virus as a serious threat anymore, I zero my harddisk, restore an image of my system partition and I'm back in business.

    On the other hand, I wished that Microsoft created a Windows, that recovers and repairs itself immediately or at least during reboot, instead of imitating the traditional security of other companies.
    Tradition in computer means always out-of-date.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I too am on the same exact page. This one is definitely copy/paste material for my own notes (barring any copyrights/trademark infringements) :D

    And allow me to add for this record my absolute THANKS for such a great initial write-up:thumb: :thumb: and description of the differences many either are not fully aware of yet or just take for granted.

    Very Nice Job!!!

    Not to take anything at all away from the high regard like others that i hold to in FD-ISR, for one, and the support from their distributors, but folks like ErikAlbert & Peter2150 exclusively, and then joined in company with many of the membership here of FD loyals is vastly improved and made fun again computing on this end.
     
  7. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, I certainly think your memory or reading may have somehow been off track. Peter has personally tested the killdisk trojan against some of the apps listed by Erik, and the results are an eye-opener for you. Just trace back some threads here. In addition, throwing out an idea of any sort is not likely to be taken as a selfish act so easily. If your suggestion were true, who else here would dare to enter ANY discussion? Whether my suggestion is feasible or not is up to PC manufacturers to decide; the most we here can do is just debate and exchange views, and hopefully on the side pick up the right company stock at the right time. Any system can be beaten; by the same token, any defeat can be equally reversed. Which one evolves first? O/S or malwares? IMO, malwares are always trying to catch the train. Some get on and some fall off.
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    I still don't understand your point "... My memory off track...Eye opener for me...Trace back some thread here?" What does that mean?

    I was only trying to say that if Apple computers ever became as popular as Windows they would probably suffer the same kind of attack from mass malware writers. The analogy with virtualization was that if all computers had an in-built virtual system there would be ENDLESS variants of the killdisk virus for starters.

    I wasn't criticising your suggestion.
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    What about the basic principle of prevention is better than cure? In other words, try to make sure you're not in the position to catch malware in the first place. Unless you want to test them as in the field of AV research or you visit high risk sites.

    I'm using First Defense-ISR not to prevent getting malware, but in order so I can beta test the next version of my preferred on demand scanner! :D

    As Peter has said, most average users won't use any of the aforementioned programs unless told about it or they read about it on a forum like this. I learnt of FD-ISR here, for example.
     
  10. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Osaban: Your points are fully understood. If there is any slip of my keystrokes offending you, please accept my sincere apology. I like any sort of healthy debates/discussion here, because after each exchange of different views, we all learn more. Have a nice one.
     
  11. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    That's why I still have an AV installed on my PC.

    Basically I use RollbackRx for buggy Vista software and corrupted software resulting in BSODs, etc., so that I save a lot of time uninstalling/reinstalling/reformatting my HDD.

    Also, you never know what will hit your saved snapshot/image... once an AV company creates a new virus, they will target that ISR setup ;)
     
  12. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Erm, not sure you meant it like that. LOL
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    I absolutely also agree with prevention, I just don't use an AV for that purpose. In many ways Sandboxie does the same thing, only it "quarantines" in the sandbox, and the nasty can be deleted. For riskier stuff I will run under Returnil, so I have the additional protection. Also Prosecurity and OA will alert me if something unusual tries to run.

    Other point of entry is email. If I am really curious about some email with an attachment, I don't sandbox my client cause that can be messy. So then I will go to webmail, with both sandboxie, and returnil. That way I can look, but still protect myself.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I didn't want to involve any other security softwares, to keep a pure comparison between ISR-softwares and ON DEMAND scanners.

    I only wanted to show/prove that you don't need any ON DEMAND scanner anymore, when you use ISR-softwares. These scanners are completely useless, when you use ISR-softwares.

    I can't say that MAIN scanners with a real-time shield are useless, when you use ISR-softwares, because the real-time shield prevents installation of malware. So ditching your MAIN scanner is more a personal choice with or without ISR-softwares.
    I think that most ISR-software users have still their MAIN scanners, but they certainly don't need their ON DEMAND scanners anymore.
     
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    At the end of the day, it's how one uses these various softwares, and, dare I say it, the Internet as a whole.

    Peter mentions curious email. If it was me, I'd just delete the strange mail with its attachment. I ain't bothering opening it, and, therefore, creating a chance of possible infection. That's prevention in my case.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    With that line of thinking you also don't need any "resident" scanners either, but for the sake of the topic title discussion I'll (try) to stick to the main subject here.

    I 100% agree with that conclusion but only recently, to a degree. Since the introduction of HIPS seemed to take center stage at the onset of them, ISR systems have quickly overtaken them and in advantages offer MUCH more freedom of flexibility but more importantly SAFETY! or PRESERVATION of data/system control.

    No On-Demand scanner can REPLACE your entire setup including configurations and they are not designed in any way to do so. They are just that, scanners, not replacement protectors in event of some system corruption like ISR's can offer.

    So it's rather a moot argument IMO to compare the two, simply because they are respectively and individually designed for totally different tasks.

    So, of course, ISR's are the more reliable of the twain.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I do the same, I don't even open them, but this has nothing to do with ON DEMAND scanners and ISR-softwares. :)
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Until a bug is discovered in the virtualization feature and malware uses it to survive every reboot. In Windows, there are lots of ways to execute code. Actual malware can kick HIPS out of the kernel. Shadow software also uses kernel drivers/API hooks.
    I'm on the opposite side. I don't use a realtime scanner to prevent malware, but I use on-demand scanners (and other tools) to assess the legitimacy of new files (downloads/attachments).
    On the other hand, today's AVs aren't pure blacklist scanners.
     
  19. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    On-demand scanners are apples...ISR's are midget prostitutes...there isn't really a "pure comparison" here.

    On demand scanners are still useful in systems utilizing ISR in the following ways:
    1. Removal of unwanted things which reside in partitions or disks that are not protected by ISR's.
    2. Removal of unwanted things which reside in partitions that ARE protected by ISR's.
    3. On-access scanners are heavy in resource usage, they use the same signatures that their on-demand modules use. It's thus more economical for stable systems or networks to ditch the on-access scanners in favor of on-demand scanners.

    For those of us who download a lot of things, our on-demand scanners are invaluable. So to say that ISR's can help protect us better than the scanners is misleading.
     
  20. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    For the sake of argument, don't you scan your base ISR image? Anything I committed to any image, I would want to be sure it was clean. The only way I know of doing this is to scan. It may not be 100%, but it would be close with multiple scanners.

    I'm not discounting ISRs because they are great. They are just another layer though. I don't have an ISR like Rollback or FD or even an imaging option. I use real-time apps and scan regularly with multiple on-demands. I scan less now because of Sandboxie. If I do anything risky, I'm like Pete and use Returnil. I'm still on my original OEM install of Windows XP (2+ years). How did I ever make it this far without getting bit :cautious: .

    I do want to play around a bit and that means spending money. I want FD-ISR and an external hard drive. That's $150 by my calculations :ouch:. On the flip side, I have secured my system for free for 2 years. There is more than one way to skin a cat ;). Common sense and the great knowledge that I gain here and on other security forums have helped me greatly.

    Cheers,
    innerpeace
     
  21. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    Perman: no problems!
     
  22. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I use ShadowSurfer (SS). However, I would appreciate an explanation of how to avoid the following problem areas of using it to displace any & all needs for second-opinion/on-demand scanners...

    * I maintain most of my data files on non-systems partitions, so reboot with SS doesn't affect those. However, many programs INSIST on maintaining certain data in .ini, .log, .dat etc files in the system disk partition. Thus, reboot of a shadowed system disk will cause some data loss for certain programs. (Therefore, I use SS when I surf, but NOT when I'm doing serious work.)

    * Further, when I update various programs, those updates often make substantial changes to the registry, dlls, & other "system disk" files. If I updated those programs while running SS, those updates would *break* on reboot. If I update those programs while NOT running SS, those updates might bring in spyware, calling home, or even worse. Ergo, I feel I still need on-demand (OD) scans, & OD scanners to do them.

    * Along the same lines -- If I want to install & retain a program, I cannot install it during Shadow mode. Even if I install Program X (for instance) to a non-systems partition, Program X still makes changes to the registry, dlls, .sys, etc as a result of the install. Therefore, installing *Program X* to a non-systems partition, while at the same time maintaining the systems partition in Shadow mode, would mean that a reboot would kill Program X's entries in dlls, registry, etc.

    There are ways to get around difficulties such as those listed above, but I found those work-arounds to be bloody inconvenient. As for trying to apply *ISR-vice-on-demand scans* to a network of any size & diversity, the mere idea boggles the mind of my IT.

    Of course my IT is rather in his dotage (as am I). Ergo, by his adamant rejection of ISR as the be-all & end-all of security, he MIGHT be falling into the same mindset as Bill Gates when he reportedly once said "64K is all anyone will ever need." (Is that oft-mentioned quotation actual, or is it an urban legend, I wonder?)

    Summary: It looks to me like...

    1) ISR is fine for safe recreational surfing.

    2) However, when one is doing productive work (updating programs, installing, uninstalling, processing email & email attachments*, creating, etc etc etc), ISR is a somewhat convoluted solution if someone seeks to use it to the total exclusion of using on-demand/second-opinion scans.

    * Before someone tells me never to open attachments, I must tell you that doing so is necessary for my avocation. My IT has developed secure ways of doing this but those ways do not involve ISR or a sandbox. Even so, after many years & thousands of attachments (many of them poisonous) we have only ever had seven infections that I can remember.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I know from past experience that I'm in a minority here when I say that I start from a point of trust.

    For example,

    If I couldn't trust the updates, how could I trust the programs?

    Same here with Deep Freeze. If I install programs from reputable sites and/or installation CD, that is my starting point of Trust. That has served me well for 15+ years of computing.

    If you can't trust your sources, then of course you have to take other measures...

    I don't know why one would fear opening attachments. Common sense and the right protection in place will prevent any accidental launching of an executable.

    -rich
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    I agree that on-demand scanners are not really useful, but there are some drawbacks in the ISR software, according to Erik's presentations:

    1. Several reboots a day? Pain in the butt. I like to keep my machine on for 2-3 weeks without rebooting (Windows) and only when a restart is needed after a kernel update (Linux). Rebooting several times a day is really really annoying, especially if you are queuing for downloads with your P2P thingie.

    2. Why should the emphasis of computing be malware? The periods between reboots are called the vulnerable periods ... I disagree. There is no reasonable reason to get infected any which way while using your machine unless you are really really trying hard. Very few and simple, painless things are needed to achieve almost 100% productivity with 100% security at the expense of no more than 5 seconds of effort a day.

    3. I agree with much of what bellgamin said.

    4. ISR softwares can have vulnerabilities - exploitable ones - that could lull the user into playing it tough with software, more than he would ever do if not using ISR. Furthermore, there's always the issue of partition corruption, which the ISR might or might not be able to prevent or undo.

    5. ISR cannot prevent data theft.

    My conclusion:

    ISR is not a bad idea for testing and such - but I believe a higher level of separation is needed if one strives for full productivity - OS virtualization seems like a better idea still, or a separate, dedicated PC.

    On-demand scanners are not needed either with or without ISR, because things are much simpler than they seem.

    Cheers,
    Mrk
     
  25. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Thought provoking thread, with a lot of good points made by contributors. Complacency is a dangerous quality and people should avoid getting lulled into the idea that any software makes them invincible. There are many threats out there lurking, and many still yet to be thought up; common sense, knowledge, and understanding still remain the best weapon against exploits, current and future.
    That's not to undermine a discussion like this, in fact quite the opposite, knowledge and understanding are garnered from just such discussions.
     