Running different AV or Firewalls on Snapshots

Discussion in 'FirstDefense-ISR Forum' started by beethoven, Dec 15, 2007.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    One of the benefits of F_ISR is to be able to test new software and discard without any problems if not happy. I believe ErikAlbert also mentioned that he does not use any AV but once in a while just scans his pc to verify it is clean (proving his freeze approach).

    I am just wondering if having different AVs installed on one PC but in different snapshots (or different firewalls or HIPS) for testing purposes causes any conflicts. Normally it is not recommended to "run" two real-time AVs on one PC - I guess if you install only one app per snapshot, this should be fine as only this particular app is running? Can anyone please confirm this?
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    You are absolutely correct, you may indeed have different anti-virus and firewalls on different Snapshots, it is as if they are installed on different computers. That is one of the greatest joys of this program, the ability to play! Enjoy!

    Acadia
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, I use a frozen snapshot, which removes any good or bad change in my on-line snapshot.
    My theory is that any kind of infection CHANGES my hard disk and that's how they betray themselves. I use that weakness to destroy them.

    A frozen snapshot removes ANY CHANGE by comparing my on-line snapshot with my freeze storage, which is in fact a whitelist of every object that is installed in my on-line snapshot, and this happens each time I reboot from desktop to desktop, in less than 2 minutes.

    Unfortunately, FDISR can only have ONE frozen snapshot and that is my on-line snapshot. In order to clean my off-line snapshot, I do a copy/update from archive to snapshot, which cleans my off-line snapshot in the same way as my freeze storage in 10 seconds.

    Each archive = freshly installed snapshot that has hardly been on-line, and those archives do a much faster and more complete job than:
    - any AV/AS/AT/AK/AR/... scanner or combination of scanners
    - any registry cleaner
    - any history cleaner
    - any junk cleaner
    - any specialized software uninstaller.

    And that keeps me completely in control of the contents of each snapshot.
    In other words, I decide when one of my snapshots needs a good change or not.

    After six months using a frozen snapshot, I ran KAV, NOD32, BitDefender, SUPERAntiSpyware, Spyware Doctor, TrojanHunter and a bunch of other scanners I can't remember by name anymore.
    They couldn't find anything, because that is in theory impossible.
    My theory is that when a scanner ever detects a malware on my computer, it will be a false positive.

    I've been using FDISR since March 2006 and this software still fascinates me.
    All the other ISR software like DeepFreeze, Returnil, ShadowDefender, etc. is boring compared with FDISR, including ShadowProtect or any other image backup software.

    I never solved so many problems with a simple reboot.
    FDISR has only one big disadvantage: it keeps me stupid and lazy. :)
     
    Last edited: Dec 15, 2007
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    On the first point I totally concur, whether it is with a frozen snapshot or just regular use of FDISR.

    On the second point, I'd add a disclaimer that Erik is speaking strictly for himself.:D :D
     
  5. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I think he means problems are sorted by FDISR with a simple copy/update or a reboot from the frozen environment.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Of course. I was just yanking on his chain a bit.:D
     
  7. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    FD might keep you lazy, Erik, but you sure like heck ain't stupid! :cool:

    Acadia
     
  8. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Thank you, ErikAlbert. I'm learning more about FDISR from reading your posts than I am from the help file. I just updated my secondary snapshot, per your post, since I'd made some changes in the primary. It was simple and worked flawlessly.

    Of all the security programs I've used, this one is without doubt the most amazing and useful. I wish I'd installed it long ago when I purchased it and put it aside. It would have saved me from formatting and reinstalling a couple of times in that space of time.

    The real joy of FDISR, besides being fun and not difficult to learn, is that for those who test or play with software and reformat on a yearly basis or so, there's no longer any need. You can load programs on your computer, unfrozen, until the computer bogs down to the point it will barely run in the primary snapshot. Then reboot into the secondary clean snapshot, remove the primary and all is well again, and it only takes a couple of minutes. Then FDISR will create a new second snapshot and you're good to go. Your computer is just as it was before all the downloads.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Before FDISR, if I had a problem, I had to fix it myself. So in those days I had to do some research and reading in order to solve these problems, so I learned something.
    After FDISR, I don't have to do this anymore, so I don't learn as much as I used to.

    Each time I have a problem caused by a test or an experiment in my on-line snapshot:
    - I don't need to know what caused the problem
    - I don't need to know how to solve it
    - I don't need to spend any time on research or reading
    - I don't need to ask Wilders how to fix it.
    I simply reboot and the problem is fixed. That alone saves me a lot of time.

    Most users know which malware infected their computer.
    I never know if my computer is infected or was infected, unless the malware causes some visual special effects, like hijacking my browser or destroying my system partition.
    I don't even see the difference between a good object and a bad object.
    I don't need to know, because a reboot removes them anyway. :)
     
  10. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    I have three follow-up questions:

    1. How many snapshots and archives do you keep? When I rebuilt my system last weekend I created some snapshots and archives at various points along the way (OS, OS + prime utilities, then after more changes and so on), just to give me the option to go back one step or two steps or three steps.

    I am now more or less done and everything is running smoothly. How many snapshots are still useful? I think I want to keep my "Baby" snapshot (consisting of OS plus firewall) and perhaps for a while an interim snapshot. But in the long run, will two snapshots not do?


    2. Re ErikAlbert's approach, malware has no chance to stick as it will be cleaned out automatically. However, what are the issues with respect to online banking - is there not always a risk that you have just caught something in your active snapshot prior to doing the banking? In that case, would an AV or HIPS program not provide additional comfort and security?

    3. If you delete a snapshot manually or reboot when frozen, where exactly are the contents dumped? Do they still float around somehow on my hard drive (hidden and difficult to retrieve but nevertheless present) until overwritten? In this case, similar to using Sandboxie, I am wondering if malware could still be doing harm?
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    1. I only keep two snapshots. My primary is my full working computer, and my secondary is just an OS, with firewall. I use archives for everything else. I just use the secondary as a place to boot if the primary is damaged.

    2. I don't use the freeze thing at all, so yes I do take other precautions.

    3. If you delete a snapshot manually, the files are deleted as any others are. But I think if malware were just in a snapshot and it was deleted, that would be the end of it.

    Pete
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My boot-to-restore only REMOVES malware, in case malware bypasses my security. It doesn't stop the execution of malware, that's why I still need security software, but no scanners, because I already have a better removal tool that removes all known and unknown malware. That's the advantage of whitelists: they are always COMPLETE, blacklists are NEVER complete.

    If I reboot right before on-line banking, all possible keyloggers are gone.
    Not long ago my bank changed the login procedure, which makes any keylogger useless, because my password changes during each login, and the thief needs a hardware device to calculate that password. He also needs my bank card and the password of my bank card, which is stored in my head and written nowhere.
    So a keylogger can steal my password, but once the thief has that password, it's already changed and he can't calculate the next one, because he is still missing 3 things.

    You can't compare my approach with Peter's approach, but we have both TWO snapshots.
     
    Last edited: Dec 15, 2007
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Only whitelists of executables are always complete. Data filetypes can't be whitelisted, and data filetypes may carry malware/exploits.
    The "problem" (note the quotes) with whitelists is trust. Once you whitelist a piece of software, it's game over.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My freeze storage is a complete list of ALL objects in my system partition, not only executables.

    This "problem" is the same for all users, no matter how they protect their computer. New objects on your computer are always a threat and only one person allows these new objects: the user, the weakest link in the security chain. I will put it even more strongly: as long as you don't know what a program does, you will never be sure, and the only way to verify a program is reading the source code of that program. Who is going to read the source code, if there is one available, the average user? :)
     
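    The mechanism ErikAlbert describes in posts 3, 12 and 14 (a freeze storage that is a whitelist of every object on the partition, compared against the live snapshot on each reboot so that every added, modified or deleted object is reverted) can be modelled in a few lines. The example below is added here and is not FDISR's code or anything from the forum; it assumes a simplified model in which the freeze storage is a manifest of relative path, SHA-256 and stored content, and "reboot" means restoring the directory to exactly that manifest. It also illustrates lucas1985's caveat from post 13: objects that were already in the manifest are restored faithfully, whatever they are, so the baseline must be trustworthy.

```python
import hashlib
import tempfile
from pathlib import Path

# Freeze storage model (assumption): relative path -> (sha256 hex, content bytes).
FreezeStorage = dict[str, tuple[str, bytes]]


def build_freeze_storage(root: Path) -> FreezeStorage:
    """Record every object under root, executables and data files alike."""
    storage: FreezeStorage = {}
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            storage[p.relative_to(root).as_posix()] = (hashlib.sha256(data).hexdigest(), data)
    return storage


def diff_against_storage(root: Path, storage: FreezeStorage) -> dict[str, list[str]]:
    """Classify deviations from the whitelist: added, modified and deleted objects."""
    current = {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }
    return {
        "added": sorted(k for k in current if k not in storage),
        "modified": sorted(k for k in current if k in storage and current[k] != storage[k][0]),
        "deleted": sorted(k for k in storage if k not in current),
    }


def freeze_reboot(root: Path, storage: FreezeStorage) -> dict[str, list[str]]:
    """Simulate the frozen-snapshot reboot: remove every deviation so root matches storage exactly.

    Returns the deviations that were reverted. Anything recorded in storage is restored
    as-is, which is the trust problem with whitelists: a bad baseline is restored just as faithfully.
    """
    report = diff_against_storage(root, storage)
    for rel in report["added"]:                       # unknown object: not whitelisted, remove it
        (root / rel).unlink()
    for rel in report["modified"] + report["deleted"]:  # whitelisted object: put the recorded copy back
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(storage[rel][1])
    # Directories created during the session are left empty once their objects are gone; drop them.
    for d in sorted((p for p in root.rglob("*") if p.is_dir()), reverse=True):
        if not any(d.iterdir()):
            d.rmdir()
    return report


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: clean snapshot, a session that changes things, then a freeze reboot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline contents (placeholders, not real binaries).
        (root / "Windows").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(b"legit notepad")
        (root / "Documents").mkdir()
        (root / "Documents" / "letter.doc").write_bytes(b"hello")
        storage = build_freeze_storage(root)

        # The on-line session: a whitelisted executable is altered in place,
        # a data file is deleted, and an unknown object appears in a new directory.
        (root / "Windows" / "notepad.exe").write_bytes(b"legit notepad + injected")
        (root / "Documents" / "letter.doc").unlink()
        (root / "Temp").mkdir()
        (root / "Temp" / "dropper.exe").write_bytes(b"unknown")

        reverted = freeze_reboot(root, storage)
        remaining = diff_against_storage(root, storage)
        return reverted, remaining


if __name__ == "__main__":
    reverted, remaining = demo()
    print("reverted on reboot:", reverted)
    print("deviations after reboot:", remaining)
```

    Because the manifest is keyed on content hashes rather than file type, a modified document is reverted exactly like a modified executable, which is the sense in which this whitelist is complete. What it cannot do is judge an object that was present when the baseline was taken, and it does nothing about a session until the next reboot.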
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    Kaspersky AV rendered my FDISR (almost) useless when I installed it in a secondary snapshot a few months ago. I couldn't switch snapshots from Windows, as FDISR was "disabled". I could do it from a pre-boot screen though (which was not acceptable). As I could tell at the time, I was not the only one with this problem.

    So beethoven, take some care when installing software (particularly Kaspersky) in FDISR snapshots. Keep your images handy, and update your primary snapshot before any major activities (installing/uninstalling).

    Cheers,
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have only two snapshots: off-line and on-line (frozen).
    Two archives and one freeze storage.

    But I have two sets : clean and daily. (The clean set has no freeze storage)
    The clean set is for restoration only. The daily set is for daily and normal usage and I use the clean set to keep the daily set clean via archives.

    What is the cleanest snapshot: a snapshot that has hardly been on-line, OR a snapshot that has been on-line for a year?
     
    Last edited: Dec 15, 2007
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Good grief, only the version 5 of KAV could hurt FD, as I remember it ... what version were you using ... from version 6 onward, everything was OK because KAV stopped messing with the ADS. Also, FD stopped relying so much on the MBR ... you TRUE FirstDefense experts, am I missing anything here?

    Thanks,
    Acadia
     
  18. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Actually, it was a Kaspersky clone, some Chinese AV for the purpose of that "AV screenshots" sticky. It could've used the v5 Kaspersky engine. Dunno...
    It was a few months ago.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I also think that Seer is talking about older versions of FDISR and KAV. Also personal experiences get out-of-date. I ran KAV not long ago without problems. :)
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Sorry, in that case your claims are based on a cloned KAV, which is considered suspicious circumstances in this legitimate forum. The reader has to ignore these remarks. ;) :) :D
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    I agree. I ran a lot of KAV betas from version 6 through 7, and none affected FDISR. A clone is not KAV.

    pete
     