Question on Rollback RX/EAZ-FIX...

Discussion in 'backup, imaging & disk mgmt' started by napoleon1815, Apr 6, 2011.

Thread Status:
Not open for further replies.
  1. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    IFW was successful, basically, by accident. It decided many moons ago to develop its own pre-driver software to image a HOT Windows system, rather than rely on Windows' very own Volume Shadow System (VSS). It was this decision that allows it to bypass VSS (it can use VSS also if you'd like) and successfully image a HOT system without Rollback getting in the way. All other products (that I've tested) have used VSS for HOT imaging, and when this is done, the Rollback pre-driver will not let the imager see the whole system correctly. The REGISTRY tweak is nothing more than making sure that the IFW pre-driver for the disk is loaded (at BOOT time) before Rollback's pre-driver.

    Acronis can do the HOT imaging, via VSS, but its image will be compromised by Rollback.
     
  2. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    Rollback should test just fine under most virtual systems (I use VMware successfully).

    I'm not sure what you mean when you say... "Rollback RX has been bypassed in the past."
     
  3. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    sorry for not making myself clear, what i mean is this:

    i test software a lot but i currently do it in virtualbox, i would like to do it on my real system using rollback rx as i think this would be faster, so do you guys recommend this or would it be better if i stuck to virtualbox.

    (i have not bought rollback rx yet)
     
  4. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    I fully agree with you. If I want to test any new software, I believe I should be able to test it in real environment, in my real system. Rather than artificial environment of virtualbox, where it doesn't represent reality at all.
     
  5. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    If I need to move my real environment to virtualbox, and work everything from the virtualbox, then why do I need Rollback Rx?
     
  6. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    i don't think you understand what i am trying to ask. i don't know if i am not explaining it properly or if it's you who is not understanding my question.

    i will ask a different question now, is it safer to test software in virtualbox or rollback rx?

    i have not said anything about both programs being on the same computer
     
  7. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Why do you want to test it in an artificial environment like virtualbox?

    So, the question is and I am with you, is Rollback Rx good enough to test in the real environment as per their claims?

    So far, the answer given to you is NO!

    Rollback Rx is not good enough to test in real environment, it needs virtualbox to test in an artificial environment.
     
  8. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    LOL OMG. i still don't think you understand my question, really sorry if i am not explaining properly.

    i will try asking in a simpler way.

    here goes.. my question is;

    if i test malware in rollback rx then what are the chances that the malware will escape and infect the real system as opposed to virtual box.

    i have read that rollback rx has been bypassed by malware, but i have yet to read the same with virtualbox.
     
  9. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    please can someone else have a go in answering as well
     
  10. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    Treehouse, I think I know what you're asking, but the answer is a bit subjective. There have been cases where malware has broken out of virtual systems and caused problems and there have been cases where malware has broken out of Rollback RX systems and caused problems (specifically when attacking the MBR). Based on that information, I would say that neither environment is perfect.

    In the real world... I used to use virtual machines to do everything risky in the past, whether it was chasing malware or just testing software subsystems. I have since switched to Rollback RX as I've found it to be just as effective at managing detected malware and test environments.

    There is risk with anything offered in the marketplace, but Rollback is very convenient... and I love convenience.:)
     
  11. napoleon1815

    napoleon1815 Registered Member

    Joined:
    Sep 9, 2010
    Posts:
    734
    I don't use Rollback RX, but my opinion is...if you are going to test malware (assuming you are going to purposely infect your system), I would do it in a virtual environment (or even better, another system, but it sounds like this is not your case). Only because depending on what you infect it with the snapshots could get infected as well and who knows what might happen then.

    I would trust TheRollbackFrog...sounds like there is some experience there.
     
  12. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    Rollback snapshots are not "files" in the conventional sense... infectable files so that danger is not very high at all. The snapshots are controlled by a proprietary database, very basic, not something malware even tries to jump on.

    And you should know that many malware samples have proven to be VM aware, and as such, become benign or non-existent in a VM. One recent example was a variant of that "Your machine is infected with 200,000 virii" malware proved to not install itself in a virtual environment (specifically VirtualBox) thereby being non-detectable... but the same sample blows up a real system like clockwork. Malware is getting very sophisticated in this area... VM detection. I think the main reason is the malware authors are assuming that the AV software companies are using VM honeypots (rather than real hardware-based systems) to do a lot of their malware detection and discovery. If they spend some significant brain cells detecting VM environments then they can beat the detectors at their own game.

    Based on the above, it sounds like it's safer to run your production in a VM all the time. :doubt:
     
  13. napoleon1815

    napoleon1815 Registered Member

    Joined:
    Sep 9, 2010
    Posts:
    734
    Cool, thanks for the information. I am 99% sure I am buying Rollback RX (or EAZ-FIX)... :)
     
  14. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    thank you!! yes you have understood my question. i will wait for version 10 of RX to come out and then i will purchase it (assuming it works nice with SSDs of course). many thanks
     
    Last edited: Apr 12, 2011
  15. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    treehouse,

    If I had to choose between your two alternatives, I would probably go with a virtual environment. That said, I don't believe it's totally safe to test malware on any system other than one dedicated for such testing.

    I'm a long-time RB user (and most certainly a fan), but I wouldn't consider using it without real-time antivirus protection, as there are a few nasties out there that can circumvent RB's MBR protection and/or disk-writing redirection!

    Aaron
     
    Last edited: Apr 12, 2011
  16. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    thank you for that vital info, would adding an 'mbr guard' help RX out when testing malware? (https://www.wilderssecurity.com/archive/index.php/t-270031.html)
     
  17. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    Certainly MBRguard is another layer of protection (re potential MBR rootkits), but I still have to wonder why you would risk anything but a test system when 'playing with' malware?

    Aaron
     
  18. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    i must confess that even though i am asking these questions, i have an ulterior motive. you are quite right aaron in the sense that i would be stupid to test malware on my real system even if it is with RX.

    my reasoning is that some legitimate programs can behave like malware (adobe CS5 etc) by modifying mbr and first few sectors of hdd. so by me asking about malware, i am really asking about DRM etc
     
  19. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    Gotcha, just keep in mind that while RB is a terrific program for protecting you against your own 'goofs' and for testing 'legit' software it does not provide any means whatsoever for detecting malware!

    Aaron
     
    Last edited: Apr 12, 2011
  20. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    many thanks for your help :thumb:

    i just really hope SSD support is implemented soon

    kind regards

    tree
     
  21. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,954
    Location:
    The Pond - USA
    Treehouse, there are successful users of Rollback with SSDs... the success is due to the user turning off TRIM in Windows 7. Although theory states that the SSD will not run at its optimum with TRIM disabled, these Rollback users state the system runs just fine and is as snappy as they expect.

    Your mileage may vary, of course...
     
  22. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    that's what i meant, although there might not be a perceivable drop in performance with trim disabled, there will defo be a nand wear increase which will decrease the life of the ssd and i would not be willing to risk that on my £300 ssd
     
  23. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    I did understand what you wanted, but unfortunately you did understand how I was trying to help you. To me Virtualbox is useless to test any software in comparison to the real system.

    Let us say that I want to test a software. If I test that software in a virtualbox in isolation with my real system, I would never know how it conflicts with other software in my real system. But if I test the same software in my real system, I might be able to tell if it conflicts with other software(s) in my real system.

    Both Virtualbox and Rollback Rx are a snapshot away from disaster, the former works in isolation and the latter works in real system. Both have been advertised against malware being a snapshot away, so has many other imaging softwares too.

    You have been given your answer and as far as giving you any guarantees, no one can, as it depends what you wanted to test.

    I even understand the 786 at end of treehouse. Even if you had said LOL O'My 110, I would have understood to be LOL OMG.

    Best regards,

    KOR!
     
  24. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    sorry for the misunderstanding, i now get what you're saying and you make a good point about testing on the real system so we can discover conflicts :thumb:

    lol excellent! i see you are from Oman so that's why you understand the 786 :D .
     
  25. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Thank you.

    For those who are wondering what 786 means, it is the very first verse of the Holy Quran, which is:

    In the name of God, the Unconditional Mercy and the Eternal Mercy.

    Arabic language is abjad, thus each letter has a corresponding number.

    Here is Wikipedia:

    http://en.wikipedia.org/wiki/Abjad_numerals
     