System Partition Imaging as Anti-Malware

Discussion in 'other anti-malware software' started by TheKid7, Sep 3, 2010.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I routinely image my Windows XP Pro SP3 System partition to both other internal hard drives and DVD(s).

    My concern is: Does Malware "always" infect only the Windows System partition? If not, what steps do you take to protect the other partitions/hard drives from infection?

    Thanks in Advance.
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    In theory all partitions and to a lesser extent other internal hard drives could be infected by some malware. In practice it would be a rare event to happen.

    I think you are covered because you mentioned that you save images to DVDs. My only comment would be to save images to USB Hard drives, they are fast, not connected to the machine, and IMO more reliable than DVDs.

    If you want to protect other partitions/ hard drives from infection independently from imaging then light virtualization does that very well: Shadow Defender, DeepFreeze to name two that I would recommend.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    No. File infectors, for example, search all partitions for *.exe. These were quite common a year or so ago.

    Earlier viruses and worms would plant bogus files across other partitions. One installed several hundred fake links to pornographic videos which directed the user to spam and other such sites. While not the infecting-type of files, none the less, they were a mess to clean up!

    Speaking for myself:

    Malware is malware, no matter what it does. I suspect that the sophistication of such malware as TDL3 rootkits is not completely understood, and may be doing more behind the scenes than is realized, since they are constantly changing and being updated.

    Yet the installation methods of the malware these days are the same: either by remote code execution, or by a social engineering trick. So, my protection is to have security policies and software to prevent the infection in the first place.

    Osaban's suggestions also have merit.

    ----
    rich
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I forgot that I could block access to my other partitions/hard drives with Sandboxie while I am on the web. I just added them to the blocked access list in Sandboxie.

    Sandbox>Settings>Resource Access>File Access>Blocked Access
     
  5. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    What would be the best Partitioning Structure to use for a single internal hard drive, when planning on using Imaging Backup software ?
     
  6. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,285
    I keep the "system" and the "data" on separate partitions. I only create images of the system partition, and this structure reduces their size. Currently, an image of the Windows 7 x64 system partition is about 7.5 GB.

    To backup the "data", I copy selected folders to external hard disks and DVD. I keep the folders synchronized using the MS program SyncToy x64.
     
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I also keep the "system" and "data" on separate partitions. The compressed image sizes of my "system" partition (2 PC's) varies between ~4.5 GB and ~7.5 GB.

    I periodically backup my data to other hard drive(s) and a NAS RAID1 Server using Syncback Free.
     
  8. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Robin A., TheKid7,

    As I previously mentioned, I currently only have 1 partition (system - c: drive) on the only internal drive with Win XP. I have a lot of application pgms installed and according to My Computer, I am currently using 40GB of my 160GB drive. I think most of my used space is from the applications installed.

    Questions:

    .... However, I noticed that you have indicated that when you backup your "system partition" it is max 7GB. So does that mean you have your space-consuming application pgms on another partition? Or, if you have your application pgms on the "system partition" with the Win OS for 7GB, maybe I just have too many app pgms installed for me to get up to 40GB used, since I don't have too many personal data files that could be consuming that much space.

    1. So, does your "system partition" have both: windows os + applications programs (program files\....) on it or are the application pgms on yet another partition ?

    2. Which partition do you have: windows temp folder files, browser temporary files, browser favorites, browser cookies ... system, data or other partition ?

    P.S. Do you know of a utility pgm where I could just select the parent folder and it will tell me the total space used by all subfolders and their files below the highlighted parent folder in one grand space total?
     
  9. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    1. Windows OS, All Installed Programs, a few small files such as MS Office files (doc's, ppt's, xls's), pdf's, etc.

    2. All on the System Partition.

    I have not used this program, but I think that it may be helpful:

    https://www.wilderssecurity.com/showpost.php?p=1454300&postcount=14
     
  10. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Thanks.

    BTW,

    1. How much space is used on your system partition, before it is compressed by the imaging pgm?
    .... I was wondering how much the image pgm compression factor/percentage is?

    2. Which imaging pgm do you use?
     
  11. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    1. Last full image size = 7.3 GB (standard compression). Currently my System Partition "properties" shows 15.1 GB (14.0 GB) used space. However, my imaging software shows the uncompressed file size during the imaging process and the figure is usually a little lower than what is shown under the System Partition "properties". Also, before each imaging I use MS Disk Cleanup (including deleting all but the most recent restore point) and I delete temporary Sun Java files. The above System Partition used space size should decrease some when I run Disk Cleanup prior to the next imaging operation. I have tried the Maximum Compression option once but the compressed file size was only a few percent smaller than with Standard Compression but the Imaging time was several times longer for Maximum Compression versus Standard Compression. I don't remember the exact time for making a full image (Standard Compression) but I think it was around 12 to 15 minutes (includes a byte-for-byte verify of the image file).

    2. Image for Windows/Image for DOS/Image for Linux - I use Image for Windows to make a monthly full image to internal hard drive(s), weekly differential image to internal hard drive(s), and a monthly image to a Dual Layer DVD. To restore the internal hard drive images, I use either Image for DOS or Image for Linux since the System Partition cannot be restored when Windows is running. Images to DVD(s) are made bootable by default and you can restore from DVD(s) without using Image for DOS or Image for Linux.
     
    Last edited: Sep 7, 2010
  12. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    If one stores an image file of the system partition, like a Paragon Backup File 'PBF' (or similar Acronis 'TIB' or Norton 'GHO/GHS'), on a (separate) partition, do you guys think malware (even as sophisticated as current TDL3 versions) could infect such backup files?
    Even if those are (proprietary) image files?
     
  13. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    TheKid7,

    Thanks for the utility space program. Mystery solved: I forgot about the old backup pgm that came with my PC, which I had stopped using, and which placed backups in a folder that you cannot access directly on the system partition unless you give your admin ID the access permission of the system account. I had never erased the backup files via the backup pgm's GUI interface when I stopped using it (after switching to the Paragon backup pgm). The backup files were using 15 GB, plus 5 GB of copies of software install CDs I had temporarily saved on the drive, and etc. stuff.
    ... So actually, if I count just my Win XP OS + application pgms, and not allocate space to System Restore, I think my "system partition" will come to about 7 GB.

    P.S. How much space do you typically allocate to System Restore (% of disk or xx,xxx MB)?
     
    Last edited: Sep 9, 2010
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    It is a good question, I hope somebody can answer it as I don't know for sure. This is one of the reasons I keep my full images on USB hard drives which are most of time unplugged from my system, especially when I'm connected to the Internet.
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    The problem is if TIB format is a Windows or a Unix format.
     
  16. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Do you mean f.i. that a Windows Imaging Format (WIM) file is more susceptible to malware than other (proprietary) imaging file formats or do you mean more common formats like .IMG?

    Is that because of the popularity of Microsoft (WIM) or the high prevalence of popular formats like .IMG or something else?

    If you can explain a bit more in-depth or link to any available information, I'd be much obliged, as I wonder what malware can actually mount an image, read it and change its content.
     
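The question running through posts 11 to 16 (can malware tamper with stored image files, and how would you know before restoring) has a practical answer that does not depend on the image format: record a cryptographic hash of each image file when it is written, keep that record somewhere the running system cannot rewrite, and re-check before restoring. The script below is an added example, not code from the thread or from any imaging product; it assumes the image files sit under one folder, picks them out by extension (the set of extensions is an assumption), and stores the manifest as JSON. The demo builds two constructed fake image files in a temporary folder, then appends bytes to one of them to stand in for a modification.

```python
"""Hash manifest for stored backup images (added example, not from the thread).

Records size and SHA-256 of every image file under a backup folder, then
re-checks them later so a modified, replaced or missing image is noticed
before a restore. The extension set and JSON layout are assumptions.
"""
import hashlib
import json
import os
import tempfile

# Assumed: file types the manifest should cover (thread mentions TIB/PBF/GHO/GHS/WIM/IMG).
IMAGE_EXTENSIONS = {".tib", ".pbf", ".gho", ".ghs", ".wim", ".img"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-GB images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> {size, sha256} for every image file below root."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def verify_manifest(root, manifest):
    """Return relative path -> 'ok' | 'modified' | 'missing' | 'unexpected'.

    Size is compared as well as the hash so a truncated file is reported
    even before the (slower) hash comparison would catch it.
    """
    current = build_manifest(root)
    results = {}
    for rel, recorded in manifest.items():
        now = current.get(rel)
        if now is None:
            results[rel] = "missing"
        elif now["size"] != recorded["size"] or now["sha256"] != recorded["sha256"]:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            results[rel] = "unexpected"  # an image file nobody recorded
    return results


def demo():
    """Constructed scenario: two fake images, one altered after the manifest was written."""
    with tempfile.TemporaryDirectory() as root:
        month_dir = os.path.join(root, "2010-09")
        os.makedirs(month_dir)
        full_image = os.path.join(month_dir, "system_full.tib")
        diff_image = os.path.join(month_dir, "system_diff.tib")
        with open(full_image, "wb") as f:
            f.write(b"FAKE-FULL-IMAGE-DATA " * 4096)   # constructed content, not a real image
        with open(diff_image, "wb") as f:
            f.write(b"FAKE-DIFF-IMAGE-DATA " * 1024)   # constructed content, not a real image

        # .json is not in IMAGE_EXTENSIONS, so the manifest does not hash itself.
        manifest_path = os.path.join(root, "manifest.json")
        save_manifest(build_manifest(root), manifest_path)

        # Simulate something appending to the full image behind the user's back.
        with open(full_image, "ab") as f:
            f.write(b"\x00tampered")

        return verify_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10} {rel}")
```

Two caveats worth keeping in mind. The manifest is itself a file on the machine, so anything able to rewrite the image could rewrite the manifest too; keep a copy on the unplugged USB disk Osaban describes, or on the DVD alongside the image, and compare against that copy. And a matching hash only proves the file is unchanged since it was written; it says nothing about whether the system was already infected when the image was taken, which is why Rmus's point about preventing the infection in the first place still applies.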