Sandboxie v2.86

Discussion in 'sandboxing & virtualization' started by ErikAlbert, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Always learning something. I thought SP would recover from something like that..
    Peter: what is it that stops SP from recovering from that specific situation?
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Zero is not the same as format. According to Western Digital, my zero program results in a NEW harddisk.
    I always use that program when I reinstall from scratch.

    The clean program of PartDisk overwrites EVERYTHING with zeroes. So there is no difference with my program.
     
    Last edited: Apr 26, 2007
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well, my problem of "Direct OCR Error" seems to be gone, since I removed the bar "Canon Easy-WebPrint" in MSIE.
    Tzuk was glad, I could solve it this way.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Peter, I am not sure, but long ago when I tried KillDisk I did not need to use DiskPart. I simply formatted and installed XP by booting from the XP CD (if I remember well, I am not sure), can u check it?
    Did u try it against Freezed snapshot and ShadowUser/ Surfer/ PowerShadow etc?
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It leaves a really screwed up partition table out there. SP sees it as a FAT16 partition and it does the restore but can't set the partition active. Afterwards when you look you still don't see anything. Once you delete the bad partition then SP had no problem.

    I tell you that is one nasty piece of work. Handy to have either a windows CD which has the recovery console, or a Bartpe disk which also has DiskPart on it.

    Clearly prevention is the best way.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I suspect that using the install of XP would have by default started with a clean slate. I was testing restore from an image, so slightly different.

    None of the other programs above would have survived. Anything that required the c drive for recovery was toast. The drive was toast.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Peter,
    Thanks for the testing, I knew how nasty killdisk was, but I was never worried about it. Now we know for sure what to do in such a disaster scenario.
    And Sandboxie did a very good job and that is also good to know.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    One last question: so SP doesn't restore the partition table, only MBR?
    Shouldn't a program like this restore everything for a working OS?
    I'm sorry if these Q's look really dumb.. :D but this seems like a disaster for a "disaster recovery program".
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I suspect ShadowUser/ Surfer etc might survive( I read here on forums but not sure).
    Eaz_fix has survived here too.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Your reasoning isn't so bad at all. I would also expect from the Acronis Rescue CD, that it would restore an image from my external harddisk without troubles, no matter what is on my harddisk.

    Of course it is standard procedure for me, to zero my harddisk and then restore an image after a malware attack, but this has nothing to do with what happened.
     
  11. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,235
    Location:
    Mass., USA
    Digressing a bit here if I may, but one of my primary reasons for liking this software (enough to register) is its convenience, aside from all the security benefits (and they are substantial).
    Before SandboxIE, I was constantly turning cookies on/off (depending on site visiting), as well as Java, JavaScripting, etc. Made me crazy.
    OK, I'm at Wilders, cookies on. Browsing elsewhere, cookies off. Other trusted sites, damn, they're not rendering correctly, Java/JavaScript on.
    Constantly clicking permission stuff depending where on the web I was.
    At the end of sessions, I was constantly reviewing, subsequently selecting/deleting cookies, as well as clearing history, etc.
    Ahhhh....With SandboxIE, I find the browsing experience much more relaxed.
    Cookies, Java, JavaScripting, all ON.
    Browsing done, close browser, EVERYTHING gone.
    Simplistic approach. I like simple.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Pedro

    It does when the disk is totally blank, but Killdisk leaves things screwed up and you first get to a clean disk. By the way it wasn't just shadowprotect, but Acronis couldn't even tell the disk was there, and I couldn't do anything with that either.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    See comment above. It would have, but I suspect you still would have had to do diskpart first to get to a blank drive.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I may download trials and try.
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Actually, you're not :) , and i also agree with you. Everything is in one place, where i can get rid of in a click or two.
    I also have everything on, except cookies (go figure). With Opera, the few sites i want cookies for, i enable it for them.
     
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I usually open all my trusted sites outside the sandbox with all my login details saved in FF's cache and password manager.

    Then every time I empty the sandbox and start a new FF sandboxed browsing session the login details are resandboxed and retained, hence speeding things up.

    I have set CCleaner not to clean FF as emptying the sandbox gets rid of all other unwanted cookies and cached sites that are picked up in any browsing session.
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Thanks for the info. :thumb:
    I realize by your tests/details (thanks btw) that most if not all would fail, but still i suppose SP should restore everything anyway. It holds how the HD was formatted, files, MBR et al, it should restore the information it holds on the HD when the image was taken.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Peter,
    You don't need a blank drive to restore an image, the image just restores over the existing harddisk. I've done this so many times. The contents of the harddisk don't matter at all during a restoration.
    If the CD didn't work after the killdisk, it means that CD isn't good enough.

    The question is: if you didn't have DiskPart, would the CD have restored your harddisk or not?
     
    Last edited: Apr 26, 2007
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay. For grins I am going to image with ATI in bart and see what happens.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. That's good enough for me, but restore right after killdisk without using DiskPart. This should work properly, otherwise there is something wrong. After all not every user has DiskPart or any other zero program.

    After that you can use DiskPart to be sure that everything is gone and restore again.

    PS: I thought Acronis CD didn't work on your computer due to mouse problems ?
     
    Last edited: Apr 26, 2007
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It doesn't. I have ATI in a Bartpe CD.

    Okay, the test results are in. First I did an image with Acronis from the bartpe CD

    @aigle I tried Shadowsurfer, ran killdisk while in shadowmode: Killdisk killed it dead

    Then tried Eazfix. Built several snapshots, and moved around them, and finally from the 3rd one I ran Killdisk. Eazfix fought back but ultimately lost. Killdisk shut the system down, but this time, it started reboot. Eazfix ran thru defragging all the snapshots, then optimized space, and then failed with the bad partition error. So then I moved on to the restore tests.

    Booted to bartpe after the eazfix kill, and started to restore with ATI. Everything looked okay, so I stopped short of restoring and fired up Shadowprotect. Everything looked normal so I tried restore, and it worked just as we'd expect. Picture Peter scratching his head :D

    Then it occurred to me that this was the first time I'd tried a restore without the new FDISR which moved its preboot code to the partition table. So I decided to take two more shots at it without eazfix, once with FDISR uninstalled, and once with it installed. First try was with no FDISR.

    I killed the disk and then proceeded to try the restore. First I started with ShadowProtect and when I saw the condition I'd seen as bad, I stopped and fired up Acronis. Normally when I'd select the image location I'd see C: primary and D: secondary. What I saw was C: local disk, and D: secondary. I selected the image from the D: drive, and moved on. I was able to select the right disk from the image, but when it came time to select the target the only choice even showing was the D: drive. C: drive was not there, hence no restore possible.

    Erik, if this puzzles you, bear in mind that Killdisk's purpose is to really mess you up, and it trashes the partition table in a way that the imaging software can't get past it to do its thing. You are right that the average user would be in a world of hurt. Puzzlement is the difference with Eazfix.

    Pete
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes it puzzles me indeed, that you couldn't restore an image with an ATI/SP Recovery CD, right after a killdisk attack.

    The Acronis Rescue CD is able to restore an image on a ZERO-ED harddisk, which is even worse than killdisk, because there is nothing anymore on a zero-ed harddisk.
    BUT it can't restore an image after a killdisk attack, that is SOOO ILLOGICAL.

    That makes any Recovery CD of any image backup software WORTHLESS after a killdisk attack. That is almost UNBELIEVABLE for me.
    I'm very disappointed in this, I hope that somebody of ShadowProtect is able to explain this to me, because this will be my next Image Backup Software. Pffft.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Erik, you are missing the point. First of all it's not just Shadowprotect. Also it's not a normal situation, in that the partition has been deliberately damaged in a way that prevents SP, ATI and I suspect all the rest of the imaging programs from figuring out what is going on.

    If they see no partition, or a good partition they can deal with it, but this one has been deliberately and purposely damaged. Therefore it has to be deleted. Once deleted both programs can do a restore. Remember you aren't dealing with a failure, but a deliberately malicious piece of work.

    Diskpart, and an image restore is still one heck of a lot better than reinstalling windows. At least now we know what's going on and how to deal with it. Far better than to be struck and have no machine to do research with.
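
An added example, not part of the thread and not any poster's or vendor's code: a read-only check that sorts a classic MBR partition table into the three states described in the post above (no partition, a good partition, a damaged one). The function names, the disk size and all three sample sectors are constructed for illustration; the damaged sample is an arbitrary inconsistent entry and does not reproduce what KillDisk actually writes.

```python
import struct

SECTOR = 512

def make_mbr(entries, signature=b"\x55\xaa"):
    """Build a constructed 512-byte MBR from (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return bytes(446) + table.ljust(64, b"\x00") + signature

def parse_mbr(sector):
    """Return the four primary partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    keys = ("status", "type", "lba", "count")
    return [dict(zip(keys, struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)))
            for i in range(4)]

def classify(sector, disk_sectors):
    """Classify a partition table as 'blank', 'ok' or 'damaged'."""
    used = [e for e in parse_mbr(sector) if e["type"] or e["lba"] or e["count"]]
    if not used:
        return "blank"                      # nothing defined, e.g. a zeroed disk
    if sector[510:512] != b"\x55\xaa":
        return "damaged"                    # entries present, boot signature missing
    for e in used:
        if e["status"] not in (0x00, 0x80):
            return "damaged"                # active flag is neither off nor on
        if e["type"] == 0 or e["lba"] == 0 or e["count"] == 0:
            return "damaged"                # half-filled entry
        if e["lba"] + e["count"] > disk_sectors:
            return "damaged"                # partition runs past the end of the disk
    spans = sorted((e["lba"], e["lba"] + e["count"]) for e in used)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        return "damaged"                    # partitions overlap
    if sum(e["status"] == 0x80 for e in used) > 1:
        return "damaged"                    # more than one active partition
    return "ok"

DISK_SECTORS = 1_000_000                    # constructed disk size, in sectors
ZEROED = bytes(SECTOR)                      # constructed: fully zeroed first sector
GOOD = make_mbr([(0x80, 0x07, 63, 204800)])         # constructed: one active NTFS entry
DAMAGED = make_mbr([(0x00, 0x06, 0, 0xFFFFFFFF)])   # constructed: FAT16 type, bogus geometry

if __name__ == "__main__":
    for name, mbr in (("zeroed", ZEROED), ("good", GOOD), ("damaged", DAMAGED)):
        print(name, "->", classify(mbr, DISK_SECTORS))
```

The check covers classic MBR disks only and works on a saved copy of the first sector, so it never writes to the drive.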
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I can't believe this as well.

    Peter two Qs for u.

    1- Are u doing all this on VM? If yes, then I will suspect the results might be different on real hardware. VMs can't be 100% real many times.

    2- When u failed with ATI and SP, did u try to insert an XP CD and see if it allows u to reinstall XP (without running DiskPart, as I think I did like this in the past, but not sure)? If XP CD allows a reinstall of windows then it might be OK for a normal user.

    3- What is disk part?
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Scary. I am still doubtful as I know very well that SS/ SU protects MBR.
    Here is the flaw. When u reached Eaz-Fix pre-boot screen, did U try to restore just to the last snapshot taken before running KillDisk? I have done it and EAZ-FIX boots into all snapshots OK. U just lose ur current working state, nothing else by KillDisk. I am very much sure.

    Sorry as I did not understand it at all. Also where is the try with FDISR?
     