Test on FirstDefense-ISR Rescue Area

Discussion in 'other anti-malware software' started by yankinNcrankin, Dec 9, 2007.

Thread Status:
Not open for further replies.
  1. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    With all these new technologies coming out for instant recovery and virtualization I wanted to do a simple test on a program which has been talked about a lot, FD-ISR. I wanted to see how well this program protected itself as far as its rescue area is concerned simply because if it ever got breeched or altered or messed with, than the program would simply fail to work. Here I used a simple low level tool created by Julie Lau, sector editor v1.05. Before using this tool I successfully installed and created rescue area and successfully booted to it several times and having everything restored back to its original state, after making little changes like changing desktop wall paper and deleting program folder(s). Now I know that the program is working I ran sector editor and did a simple sector fill of my C: after doing this this is what I saw, Pre-Boot was disabled, so I figured maybe it could still work if I reboot, did the reboot and got a Error loading operating system black screen. Scary to know that there are current malware out in the wild that have the ability to do sector fills like Julie Lau's sector editor. I think it should'nt be this easy to hurt this program anyone else wanna comment.
     

    Attached Files:

  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I think any sandbox/snapshot/vitualization program can be hacked if it is specifically targeted. From my point of you the great advantage of using them is that they won't be affected by the majority of viruses that damage normal systems.

    Using them in conjunction of a HIPS or AV (any other classic antimalware) should give you maximum protection. Malware for normal systems are in the order of hundred thousand, for virtual systems so far they don't seem to be that many.
     
  3. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Yes I agree\.

    I just was hoping that some kind of sector protection of this program's Rescue Area gets implemented as I've seen in other similar programs.
     
  4. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Thanks yankinNcrankin. I just today discover (or remember) that I bought fd-isr a long time ago, load it, update it to build 205, and then read your test. LOLOL

    I think I'll keep it since, other than one word processor it's about the only software I've actually got that wasn't free. I'd like to think that with my av/as, and using either Sandboxie, geswall or Bufferzone, and maybe Returnil, I'll be covered.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Basically any of the malware, that can directly attack the partition can take down FDISR. WIth the new FDISR - Rescue it's all over. With the original FDISR, you can have off disk archives, so as long as the disk it is on is protected you can use the archives to get back in business.

    THe tricky part of some of the malware is it corrupts the partition table which means until you get the partition table deleted non of the image recovery programs will work. Been there done that only the malware that screwed up stuff was ME.

    Pete
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can corrupt any harddisk and any existing software with such an editor, it's not even difficult, I can do this too and I'm not even knowledgeable. Partitions, MBR or anything else can be restored easily.
    How worse and scaring this may sound, a simple restore of an image solves this problem. A pure system partition is easy and fast to recover.
    I'm afraid of other stuff, that can't be restored with an image.

    The first time I see some screen of FirstDefense-ISR Rescue which is a very crippled version of the real FirstDefense-ISR.
    HDS should sell FDISR to some other company, who is really interested in a further development of FDISR. HDS is killing FDISR, because it competes too much with their own flagship "Rollback Rx". :)
     
    Last edited: Dec 9, 2007
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Erik is quite right and by now everyone sees this for themselves from the butcher job done on FD-ISR.
    This is one app that had all the makings for success to go very far and take the spotlight alone from any of the others if further developed by it's originators.

    What began as some semblence of hope from the merger announcement quickly is deteriorated into a huge loss all the way around.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's what happens to a very good software when average users evaluate software, based on :
    1. too much space required
    2. too slow
    3. big footprint
    4. it isn't freeware
    The rest isn't important and requires more brains to evaluate.

    I never saw so many posts regarding BOClean, when BOClean became freeware.
     
  9. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    quote
    Yes which is how malware that is able to write to sectors of your HD and remain there protected even after zeroing your HD with low level wipes is why image restore will fail, and is why it will always come back when active OS is detected. FD-ISR could implement similar methods to protect itself and not have its Rescue Area crippled which should include entire boot sector of the partition as well - sounds good provided you got a clean base to start off with.
     
    Last edited by a moderator: Dec 9, 2007
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Can malware really protect themselves THAT good, even when you use a zero tool from the manufacturer, that makes their HDD's look like new ?
     
  11. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    YES, low and behold a component of the mysterious beast, many different flavors Rustock C D E .........what makes it crazier is when the real problem is your hardware which intentionally facilitates such things to happen...
    sorry off topic but you asked.........apologies to the mods I will not speak of this any more.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    And no cure for this o_O Sorry, but it's hard to believe this, like all the other ghost stories. Rustock creates objects on your harddisk, like any other malware. Zero them, restore an image and Rustock is history. :)
     
    Last edited: Dec 9, 2007
  13. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Zero them, restore an image and Rustock is history.

    If you believe that than ok for you. But Rustock is a character of the BEAST and by far not the BEAST and your system shall behave as you think it should.....:D
     
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I think from memory you mentioned in one of your posts that a solution to this problem was to use the original installation CD from Windows. Does that mean reinstalling the original windows and then restoring your image? If that is not the case, how do you delete the partition table?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    There is a utility on the installation CD, DiskPart. With that you can delete the partition table.

    Where I got into a really big mess was really corrupting the partition table. Problem I had was I need nvidia drivers to access the disk and once the partition table was bad even my windows CD blue screened. That was a really big uh oh. Only thing that saved me was bootitng. Some how it saw my disks, and let me delete the partition table. Then image restore was rosy.
     
  16. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Thanks. I know you've created on purpose that 'big uh oh' situation! What are the odds from real malware to get some one in such a hopeless situation?
     
Loading...
Thread Status:
Not open for further replies.