Test on FirstDefense-ISR Rescue Area

Discussion in 'other anti-malware software' started by yankinNcrankin, Dec 9, 2007.

Thread Status:
Not open for further replies.
  1. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    With all these new technologies coming out for instant recovery and virtualization I wanted to do a simple test on a program which has been talked about a lot, FD-ISR. I wanted to see how well this program protected itself as far as its rescue area is concerned, simply because if it ever got breached or altered or messed with, then the program would simply fail to work. Here I used a simple low-level tool created by Julie Lau, sector editor v1.05. Before using this tool I successfully installed and created the rescue area and successfully booted to it several times, having everything restored back to its original state after making little changes like changing the desktop wallpaper and deleting program folder(s). Now that I knew the program was working, I ran sector editor and did a simple sector fill of my C:. After doing this, this is what I saw: Pre-Boot was disabled, so I figured maybe it could still work if I rebooted. Did the reboot and got an "Error loading operating system" black screen. Scary to know that there is current malware out in the wild that has the ability to do sector fills like Julie Lau's sector editor. I think it shouldn't be this easy to hurt this program. Anyone else wanna comment?
     


  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    I think any sandbox/snapshot/virtualization program can be hacked if it is specifically targeted. From my point of view the great advantage of using them is that they won't be affected by the majority of viruses that damage normal systems.

    Using them in conjunction with a HIPS or AV (any other classic antimalware) should give you maximum protection. Malware for normal systems is in the order of a hundred thousand; for virtual systems so far there doesn't seem to be that much.
     
  3. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Yes I agree.

    I just was hoping that some kind of sector protection of this program's Rescue Area gets implemented as I've seen in other similar programs.
     
  4. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Thanks yankinNcrankin. I just today discovered (or remembered) that I bought FD-ISR a long time ago, loaded it, updated it to build 205, and then read your test. LOLOL

    I think I'll keep it since, other than one word processor, it's about the only software I've actually got that wasn't free. I'd like to think that with my AV/AS, and using either Sandboxie, GesWall or BufferZone, and maybe Returnil, I'll be covered.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Basically any of the malware that can directly attack the partition can take down FDISR. With the new FDISR Rescue it's all over. With the original FDISR, you can have off-disk archives, so as long as the disk they are on is protected you can use the archives to get back in business.

    The tricky part of some of the malware is that it corrupts the partition table, which means until you get the partition table deleted none of the image recovery programs will work. Been there, done that; only the malware that screwed up stuff was ME.

    Pete
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can corrupt any hard disk and any existing software with such an editor; it's not even difficult, I can do this too and I'm not even knowledgeable. Partitions, MBR or anything else can be restored easily.
    However bad and scary this may sound, a simple restore of an image solves this problem. A pure system partition is easy and fast to recover.
    I'm afraid of other stuff, that can't be restored with an image.

    This is the first time I've seen a screen of FirstDefense-ISR Rescue, which is a very crippled version of the real FirstDefense-ISR.
    HDS should sell FDISR to some other company who is really interested in further development of FDISR. HDS is killing FDISR, because it competes too much with their own flagship "Rollback Rx". :)
     
    Last edited: Dec 9, 2007
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Erik is quite right, and by now everyone sees this for themselves from the butcher job done on FD-ISR.
    This is one app that had all the makings for success, to go very far and take the spotlight alone from any of the others if further developed by its originators.

    What began as some semblance of hope from the merger announcement quickly deteriorated into a huge loss all the way around.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's what happens to very good software when average users evaluate software based on:
    1. too much space required
    2. too slow
    3. big footprint
    4. it isn't freeware
    The rest isn't important and requires more brains to evaluate.

    I never saw so many posts regarding BOClean, when BOClean became freeware.
     
  9. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Yes, which is how malware that is able to write to sectors of your HD and remain there, protected even after zeroing your HD with low-level wipes, is why image restore will fail, and is why it will always come back when an active OS is detected. FD-ISR could implement similar methods to protect itself and not have its Rescue Area crippled, which should include the entire boot sector of the partition as well. Sounds good, provided you've got a clean base to start off with.
     
    Last edited by a moderator: Dec 9, 2007
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Can malware really protect itself THAT well, even when you use a zero tool from the manufacturer that makes their HDDs look like new?
     
  11. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    YES, lo and behold, a component of the mysterious beast, many different flavors: Rustock C, D, E... What makes it crazier is when the real problem is your hardware, which intentionally facilitates such things happening...
    Sorry, off topic, but you asked... Apologies to the mods, I will not speak of this any more.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    And no cure for this o_O Sorry, but it's hard to believe this, like all the other ghost stories. Rustock creates objects on your hard disk, like any other malware. Zero them, restore an image and Rustock is history. :)
     
    Last edited: Dec 9, 2007
  13. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Zero them, restore an image and Rustock is history.

    If you believe that, then OK for you. But Rustock is a character of the BEAST and by far not the BEAST, and your system shall behave as you think it should..... :D
     
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    I think, from memory, you mentioned in one of your posts that a solution to this problem was to use the original installation CD from Windows. Does that mean reinstalling the original Windows and then restoring your image? If that is not the case, how do you delete the partition table?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    There is a utility on the installation CD, DiskPart. With that you can delete the partition table.

    Where I got into a really big mess was really corrupting the partition table. The problem I had was that I needed nVidia drivers to access the disk, and once the partition table was bad even my Windows CD blue screened. That was a really big uh oh. The only thing that saved me was BootIt NG. Somehow it saw my disks and let me delete the partition table. Then image restore was rosy.
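The failure mode running through this thread is the same one: the first sector or the partition table gets overwritten (the sector fill in post 1, the corrupted partition table in posts 5 and 15), and nothing notices until the machine says "Error loading operating system" or the imaging tool refuses to see the disk. The script below is an added example, not code from this thread, from FirstDefense-ISR or from any of the tools the posters mention. It parses the classic 512-byte MBR layout (partition table at bytes 446..509, boot signature 0x55AA at 510..511), stores a SHA-256 fingerprint of the sector to keep off-disk next to your image archives, and on a later run reports whether the sector still matches and whether the partition table is still readable. The sample MBR it builds is constructed for the demo; `read_first_sector` takes a hypothetical image path or device node you supply yourself.

```python
"""Baseline-and-verify check for the first sector (MBR) of a disk or image.

Added example; not from the thread, from FirstDefense-ISR or from any poster's tool.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live at bytes 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature status and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4), little-endian
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0x00:             # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole first sector; store this away from the disk it describes."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Compare a freshly read first sector against the stored baseline fingerprint."""
    problems = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        problems.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        problems.append("partition table has no entries")
    if fingerprint(sector) != baseline_hash:
        problems.append("sector differs from baseline")
    return {"ok": not problems, "problems": problems, "partitions": info["partitions"]}


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a raw disk image, or a device node if you have the rights."""
    with open(path, "rb") as f:         # path is supplied by the caller (hypothetical)
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable type-0x07 (NTFS) partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = fingerprint(good)          # record this when the system is known-good
    print("known-good:", check_mbr(good, baseline))
    # What a sector fill leaves behind: the first sector overwritten with zeros.
    print("after fill:", check_mbr(bytes(SECTOR_SIZE), baseline))
```

Take the baseline right after you have verified a clean boot and a working rescue area, and keep the hash with the off-disk archives Pete mentions; a mismatch with the signature still present points at a changed partition table rather than a wiped sector, which is the case where deleting and recreating the table before restoring the image is the recovery path.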
     
  16. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Thanks. I know you created that 'big uh oh' situation on purpose! What are the odds of real malware getting someone into such a hopeless situation?
     