Pumpernickel (FIDES)

Discussion in 'other anti-malware software' started by TheRollbackFrog, Dec 9, 2016.

  1. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    4,490
    Location:
    The Pond - USA
    I think you're asking a FileSystem level driver to do too much as far as equivalencing wild cards at the directory level then files at the multiple sub-directory level. Something like this is better handled by an intelligent UI that would create the INI that the driver would use. The FIDES developer has already mentioned that, at this time, they're not in an intelligent UI development game.
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    If this is true, how was Peter able to create an image while in shadow mode and when he exited shadow mode and rebooted the image was still there?
     
  3. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
yep they are in kernel level not interested user-mode
but hope see this feature all can handle with hand
     
  4. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    4,490
    Location:
    The Pond - USA
    Because FIDES prevented SD from reverting that particular change (the created image).
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hey Boredog

    It took me quite a while to wrap my mind about that one.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Big Big Duh on this test we were just discussing. I just noticed today that although I select all 3 drives to be shadowed two of them weren't. Turns out with Fides on they weren't shadowed. When I turned off Fides and shadowed all the drives and then turned Fides back up, and imaged. When I rebooted the image was gone.
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    If not already done, try to put the executables of Shadow Defender to your Whitelist, and let them access your protected partitions.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Good idea. But it leaves me asking myself, do I need SD to defend those partitions since FIDES is already doing that. I'll bet if I do that an image, the images will go away on reboot. I have to think about that a bit.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    You can rely on FIDES for protection of these partitions, and let SD only protect your system partition.
    Or protect them with SD, but not with FIDES.
    In both cases you'll get "expected" results.

    Select one product to protect them, or use both but only after adding additional whitelist-rules (which might be needed for SD) in FIDES.
    But nevertheless they might conflict with each other.

You have already dropped malware on your system and I guess both products successfully protected your partitions, so...
    The choice is yours.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Exactly. And Fides has proven to be so stable and reliable.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Not to mention literally zero footprint as well. I have to admit, the recent conversation here has got me thinking about getting back into FIDES again. I've been using just Bouncer and MemProtect combination for months now. But I am starting to see the need for protecting directories and particularly, as you all point out, external backup drives and such.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay FIDES experts:

I've been toying with this crazy idea. It doesn't do badly in a virtual machine, but on my desktop I am a bit worried about a ClickOnce-installed application. Your thoughts:

    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\windows\*>c:\*
    !C:\windows\*>e:\*
    !C:\Program Files*\*>c:\*
    !C:\Program Files*\*>e:\*
    [BLACKLISTMODIFY]
    $*>e:*
    $*>c:*
    [WHITELISTREAD]
    [BLACKLISTREAD]
    [EOF]

    Pete
     
  13. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    4,490
    Location:
    The Pond - USA
    What happens to all the installers that usually run out of "Users/<user>/AppData/local/temp"... looks like they won't be able to install anything with the above directives... and since it's all SILENT (no logging), you won't even know about it 'til the installers blow up.

    I think I'm reading that INI right... :confused:
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Ah, it obviously would have to be turned off during installs, like AppGuard. For that it's easy to swap it out for one without the extra stuff.
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    With the above configuration #87, all installed programs and Applications in the windows-directory have access to all data, all other programs are blocked.

    Note #1:

    Whitelisting of !C:\Windows\*>C:\* includes temporary files from C:\Windows\Temp\ (!)
    It might be better to add C:\Windows\Temp as a priority Blacklist-rule:
    [BLACKLISTMODIFY]
    !$C:\Windows\Temp*>*
    Now it overrules the whitelist-rule, and temporary files from this directory can't modify other data.

    Note #2:
    Blocks should be expected. Programs want to auto-update themselves automatically, Windows is doing its maintenance and is executing temporary files, etc.
    There can also be executables in C:\ProgramData which need to be whitelisted.

    Note #3:
    Vulnerable applications like browsers, pdf-readers, etc. which are in C:\Program Files\ have access to all data.
It might be better to restrict at least these kinds of applications from accessing other partitions or other important data.
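To make the behaviour mood describes in Notes #1 and #3 concrete, here is an added Python example (written for this page, not FIDES code, and not a description of the driver's real matching engine). It parses Pete's posted rule set into process-pattern > target-pattern rules and evaluates a few constructed access attempts against it, once as posted and once with the priority blacklist rule for C:\Windows\Temp from Note #1 added. The precedence used is an assumption inferred from the thread: a rule with a leading ! beats rules without it, and among rules of equal standing a blacklist match beats a whitelist match; the $ marker on blacklist lines is treated as carrying no extra meaning. The sample process and file paths are constructed.

```python
"""Toy evaluator for FIDES-style [WHITELISTMODIFY]/[BLACKLISTMODIFY] rules.

Assumed semantics (inferred from the forum thread, NOT from the product):
  - a rule is   <process glob> > <target glob>
  - a leading '!' marks a priority rule; priority rules beat non-priority rules
  - at equal priority, a blacklist (deny) match beats a whitelist (allow) match
  - '$' on blacklist lines is ignored here
  - matching is case-insensitive; '*' also matches path separators
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    allow: bool      # True for [WHITELISTMODIFY], False for [BLACKLISTMODIFY]
    priority: bool   # leading '!' (assumed to mean "overrules non-priority rules")
    process: str     # lower-cased glob for the process doing the write
    target: str      # lower-cased glob for the file being modified


# Pete's posted rule set, reproduced as constructed sample input.
BASE_INI = r"""
[#INSTALLMODE]
[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
!C:\windows\*>c:\*
!C:\windows\*>e:\*
!C:\Program Files*\*>c:\*
!C:\Program Files*\*>e:\*
[BLACKLISTMODIFY]
$*>e:*
$*>c:*
[WHITELISTREAD]
[BLACKLISTREAD]
[EOF]
"""

# Same rule set with mood's Note #1 priority blacklist rule inserted.
HARDENED_INI = BASE_INI.replace(
    "[BLACKLISTMODIFY]\n", "[BLACKLISTMODIFY]\n" + r"!$C:\Windows\Temp*>*" + "\n", 1)


def parse_rules(ini_text: str) -> list[Rule]:
    """Collect modify rules from the two modify sections; other sections are ignored."""
    rules, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section not in ("WHITELISTMODIFY", "BLACKLISTMODIFY") or ">" not in line:
            continue                      # read rules and mode flags are outside this toy
        priority = line.startswith("!")
        body = line.lstrip("!$")          # drop the '!' and the assumed-cosmetic '$'
        process, target = body.split(">", 1)
        rules.append(Rule(section == "WHITELISTMODIFY", priority,
                          process.strip().lower(), target.strip().lower()))
    return rules


def decide(rules: list[Rule], process: str, target: str) -> str:
    """Return 'allow' or 'deny' for one write attempt under the assumed precedence."""
    p, t = process.lower(), target.lower()
    hits = [r for r in rules if fnmatchcase(p, r.process) and fnmatchcase(t, r.target)]
    # Assumed order: priority deny > priority allow > plain deny > plain allow > default allow.
    for want_priority in (True, False):
        for want_allow in (False, True):
            if any(r.priority == want_priority and r.allow == want_allow for r in hits):
                return "allow" if want_allow else "deny"
    return "allow"


def scenarios(ini_text: str) -> dict[str, str]:
    """Evaluate the constructed cases discussed in the thread against one rule set."""
    rules = parse_rules(ini_text)
    cases = {
        # TheRollbackFrog's concern: installers running out of the user's temp folder
        "installer_in_appdata_temp": (r"C:\Users\pete\AppData\Local\Temp\setup.exe",
                                      r"C:\Program Files\App\app.exe"),
        # an OS component under C:\Windows writing to the system drive
        "system_service":            (r"C:\Windows\System32\svchost.exe",
                                      r"C:\ProgramData\log.txt"),
        # Note #1: a temporary file executing from C:\Windows\Temp touching a backup drive
        "windows_temp_executable":   (r"C:\Windows\Temp\unknown.exe",
                                      r"E:\Backups\image.mrimg"),
        # Note #3: a browser under Program Files touching the same backup drive
        "browser_in_program_files":  (r"C:\Program Files (x86)\Browser\browser.exe",
                                      r"E:\Backups\image.mrimg"),
    }
    return {name: decide(rules, proc, tgt) for name, (proc, tgt) in cases.items()}


if __name__ == "__main__":
    for label, ini in (("as posted", BASE_INI), ("with Note #1 rule", HARDENED_INI)):
        print(label)
        for name, verdict in scenarios(ini).items():
            print(f"  {name:28s} {verdict}")
```

Under these assumed semantics the AppData temp installer is denied by the catch-all blacklist (the point made in post 13), a process under C:\Windows\Temp is allowed to write to E: by the posted rules, and only the added priority blacklist line turns that into a deny; the browser under Program Files keeps write access to E: in both variants, which is exactly what Note #3 warns about.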
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mood

Thanks for taking the time to write that. There is an easy bottom line, which I am concluding. Not a good idea. Just looking for ways to take advantage of this gem.

    Thanks again.

    Pete
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    peter

    ok so if you have SD and FIDES on at same time and have SD set to all drives, and if you do your backup to just the c drive, does the image go away after exiting SD on reboot?
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You have to turn FIDES off to get the drives shadowed, but then if you turn FIDES back on while shadowed, take an image and then exit shadow mode the image will be gone. The problem was I didn't realize that I selected the drives to be shadowed, but with FIDES protecting them they couldn't be shadowed.
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
ok I think I got it. If you have SD and FIDES on at the same time all drives including C: are protected. I misunderstood, thinking your C: was not but your other two were and you had your image on one of the other drives and not C:

    Is there any advantage of using FIDES while using Voodoo and Appguard?
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
In my mind absolutely. I have 3 internal drives: C:, F: and G:. F: and G: are locked down by Fides, but C: is protected by conventional means and Macrium.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
I only have one hard drive with the protection in my sig. 500 gigs is plenty since I don't save any music or videos. My images are on a 256 gig USB drive that only gets plugged in when the machine is turned off, and then booting to Macrium from there.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    With AppGuard you can also protect Folders (Read-Only / Deny-Access), but only for Guarded Apps.
    The "File & Folder"-Protection with FIDES is very granular and is more powerful.

    FIDES is not a replacement for AG or VS, but it can be seen as a good addition.
    But if you don't like to edit .ini-files manually or don't like GUI-less applications it may not be a good choice, but who knows...
    After you have found your ideal configuration you don't have to change anymore.
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    mood

    I think I understand it only installs a driver that uses an ini file for the config. So it must install an ini file plus driver? I have not had to edit ini files since 1995.
    does it come with a default ini file?

    I also took a look at their site and see they have either a demo or a paid version. and doesn't seem to explain a lot.
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
Download the executable from their website, double-click it and the content is extracted (it's a SFX RAR archive). Then you can see a readme.txt with some more information.

The driver has to be installed by the user, there is no installer which is doing all required steps. The user must right-click on the .inf-file + "install".
Additionally the "default" .ini-file has to be copied to the Windows-directory.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Okay experts the problem is back. Although protected, the icon is beige instead of green. I clean the log file, and it turns green and then back. Next :o_O
     