The ErikAlbert Approach - A test

Discussion in 'FirstDefense-ISR Forum' started by Peter2150, Nov 27, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    I think everyone knows Erik's approach: System/Program disk, separate data disk, and using FDISR freeze to keep his system clean.

    Without thinking of this in particular, I was playing with a virus, w32/backdoor.ATKB as identified by F-Prot. I was doing this on my VM machine.

    The machine has two 20 GB drives (C:\ and E:\), and software-wise I have FDISR, Online Armor, F-Prot-SAS, ProSecurity, Sandboxie, and Returnil. All the tools.

    I was curious to monitor exactly what the installer of this virus was doing, so I was clicking my way through. A couple of interesting things caught my eye. First, it disabled both Task Manager and any registry editing tools. It created an autorun.inf and a system.exe. It put autorun.inf in both c:\ and e:\. The system.exe was created in c:\recycler and e:\recycler. An autorun was created from c:\windows\recycler\.

    In testing, F-Prot caught the thing right off the bat. After infection, F-Prot cleaned up all the files but couldn't fix the registry entries.

    What made me think of Erik was the fact that it was not only creating stuff on the c:\ drive, but also on the 2nd drive, the e:\ drive.

    So, I set up again and created an FDISR archive on the 2nd disk. Then I infected the c:\ drive, rebooted and confirmed it was a mess. Then I booted to the secondary snapshot, where everything was fine, updated the primary snapshot from the archive, and rebooted back to the primary. This is the equivalent of the reboot with freeze. As one would expect, the primary was now fine. Several reboots and tests confirmed that. BUT the files the virus dropped on the e: drive were still there. Dormant, but there. I re-scanned the e: drive with F-Prot, and it nailed the system.exe but left the autorun.inf file in place.

    So first, one can conclude that the FDISR approach worked. But the fact that files ended up on the other drive, and of course remained there, gives me a bit of cause for concern.

    I'd be interested in everyone's thoughts on this.

    Pete
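    The situation Pete describes, an autorun.inf left at a drive root after the scanner removed the system.exe it points to, as an added Python triage example. This is not code from the thread, from FD-ISR or from F-Prot. It parses the [autorun] section the way Windows treats it (case-insensitive keys; open=, shellexecute= and shell\<verb>\command= name a program to launch), resolves each target against the drive root, and reports whether the referenced program is still present ("armed") or gone while its pointer remains ("orphaned"). The sample autorun.inf text, the RECYCLER\system.exe path and the two fake drive roots are constructed to mirror the post; on a real box you would call triage_drive on each root such as "E:\\".

```python
"""Triage autorun.inf left on drive roots after a system-drive rollback.

Added example; not code from the thread or from FD-ISR/F-Prot. Reports, per
drive root, whether each program an autorun.inf references still exists.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Keys whose value is a program path Windows may launch via AutoRun/AutoPlay.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


@dataclass
class AutorunReport:
    root: str
    launch_targets: list = field(default_factory=list)  # (key, raw value, resolved path)
    armed: set = field(default_factory=set)             # resolved paths that exist
    orphaned: set = field(default_factory=set)          # resolved paths that are gone
    suspicious: set = field(default_factory=set)        # targets under a RECYCLER-style dir


def parse_autorun(text: str) -> dict:
    """Return {lowercased key: value} for the [autorun] section only.

    Parsed by hand: configparser rejects the backslashes in keys such as
    shell\\open\\command and the duplicate keys real droppers use.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _first_token(value: str) -> str:
    """Program path without its arguments; a quoted path keeps its spaces."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def triage_drive(root: str) -> AutorunReport:
    """Read <root>/autorun.inf and resolve every launch target against root."""
    report = AutorunReport(root=root)
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return report
    with open(inf, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    for key, value in entries.items():
        if not LAUNCH_KEY_RE.match(key):
            continue
        relative = _first_token(value).replace("\\", os.sep).lstrip(os.sep)
        resolved = os.path.normpath(os.path.join(root, relative))
        report.launch_targets.append((key, value, resolved))
        (report.armed if os.path.isfile(resolved) else report.orphaned).add(resolved)
        if "recycler" in relative.lower().split(os.sep):
            report.suspicious.add(resolved)
    return report


# Constructed to mirror the dropper in the thread; not a captured file.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "open=RECYCLER\\system.exe\r\n"
    "shell\\open\\Command=RECYCLER\\system.exe -autorun\r\n"
    "shellexecute=\"RECYCLER\\system.exe\"\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)


def build_sample_roots(base: str) -> dict:
    """Two fake drive roots: 'armed' still holds the payload; 'orphaned' is the
    state after a scanner deleted system.exe but left autorun.inf in place."""
    roots = {}
    for name, keep_payload in (("armed", True), ("orphaned", False)):
        root = os.path.join(base, name)
        os.makedirs(os.path.join(root, "RECYCLER"))
        with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
            fh.write(SAMPLE_AUTORUN)
        if keep_payload:
            with open(os.path.join(root, "RECYCLER", "system.exe"), "wb") as fh:
                fh.write(b"MZ placeholder, not a real binary")
        roots[name] = root
    return roots


def demo() -> dict:
    """Run the triage over the constructed roots; returns {name: AutorunReport}."""
    with tempfile.TemporaryDirectory() as base:
        return {n: triage_drive(r) for n, r in build_sample_roots(base).items()}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name}: armed={sorted(rep.armed)} orphaned={sorted(rep.orphaned)} "
              f"suspicious={len(rep.suspicious)}")
```

    The script only reports; removing the file is a separate decision. An orphaned autorun.inf is still worth removing, because it remains a launcher for whatever next lands at the path it names.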
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I suggest you use XP access permissions to restrict access to non-system drives when doing this sort of test, especially when you try it with file-infector malware that leaves behind a considerably bigger mess than benign autorun.inf files.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    All done in VMware Workstation. When done, I roll back with its snapshot feature. It isn't daunted even if you format the drives. Also, it rolls back all the drives.


    Edit: PS Hi Solcroft. So you know, I don't take your comments lightly. While running in the VM machine, I also have had Returnil protection active on the host. But it only protects the c: drive on the host. Based on your comment, I've switched out Returnil on the host for Shadow Defender, which allows me to shadow both C: and D: on the host, should perchance something leak from the VM machine. Thanks for the heads up. Pete
     
    Last edited: Nov 27, 2007
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I did a similar test while connected to a hard drive with 2 partitions when unleashing a vicious file infector. It was a piece of cake for the virus to jump the fence and modify ALL exe's in the other partition too. Very aggressive and destructive, but limited, since NOD32 was able to salvage at least a snapshot or 2; but for the most part FD-ISR was 0wned.

    That's the reason I then went with PS Security afterwards, to not only lock but "hide" the other partition against any potential of a repeat of this time-consuming cruelty.

    As sour & awful as things appeared after having been compromised, a simple plug-in of another safe-keeping alternate drive, which stores its updated snapshot archives, completely restored everything back to its original state again.

    FD-ISR, while not an image app, certainly could fool me; its archives served just the same as images, and shortly thereafter everything was easily back to full working order again.

    Amazing work, this ingenious FD-ISR program. Something malicious can break it to bits, rendering ALL your snapshots junk, but keeping your "clean" archives safely away someplace else is nothing short of a life preserver when problems try to destroy your system with it.
     
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    It's definitely a big hole in FD-ISR. It would be nice to have some kind of protection for snapshots and archives. I know Rollback has protection against malicious disk activities; it would be nice to see some in FD-ISR.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Peter,
    Thanks for the test. You forgot one thing. I will change my D to E for the test.

    I lock my Data Partition [E:] with PC Security when I go on-line or do some 'dangerous' testing in my on-line snapshot, because I know that my data partition is very vulnerable due to infections in my system partition (on-line snapshot).
    That's why I isolate any infection in my system partition, and what can malware do there? It can damage and even corrupt my system partition, but I have that back in 9 minutes, which is at least 2x faster than a full scan with any Advanced+ scanner.
    Most malware doesn't destroy my system partition; it makes changes, and those are removed during boot-to-restore. Thanks for proving this; you also proved that my theoretical assumption was correct: infections can hurt my data partition, while other users were telling me that this doesn't happen.

    So the virus would have infected my hard disk [C:], but not my locked hard disk [E:], which makes any reading, writing or stealing impossible.
     
    Last edited: Nov 28, 2007
  7. Ragzarok

    Ragzarok Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    85
    Hello,


    In terms of protecting the snapshots, using Deepfreeze is the answer, since it protects the entire C drive. (I've tried destroying the snapshots while Deepfreeze was on, and couldn't.)
    As far as protecting the other drives on the computer, an access-protection program should do the job. In my case, my AV (McAfee VSE 8.5i) has the user-defined drive/folder protection feature, and it allowed me to block all access to non-system drives, except for specified programs. So far as I know, no known breaches. Would love to get my hands on that bug, Pete. PM me if you would.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    To me DeepFreeze is not the answer, because DF is just a simple boot-to-restore solution, while FDISR does A LOT MORE than just boot-to-restore.
    The fact that FDISR protects only one partition is solved with PC Security.
    It's not my fault that the development of FDISR has been frozen since I bought it and that FDISR is now terminated, because HDS considers FDISR a threat to RollbackRx, and that's why FDISR must be terminated.

    In post #11 of this thread, I explained how much more FDISR can do; try that with DeepFreeze.
    https://www.wilderssecurity.com/showthread.php?p=1126999#post1126999
     
    Last edited: Nov 28, 2007
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Well, AFAIK, hole or no hole, FD-ISR stands up mighty in what it was designed for in the first place: Immediate System Recovery. Heck, it can even do that after it's been virus-attacked. That's the absolute beauty of modularity, and FD-ISR implements recovery in part due to its modular abilities, as well as normal restoration from a simple Copy/Update to snapshot from archive. I've yet to see any software that is completely foolproof, although you can garrison up enough apps to make your system, including FD-ISR, 100% fail-safe! I already tested and experienced that. Everything else with other features I consider an additional major bonus in what FD-ISR does, and so easy & quick.

    The fact that FD-ISR permissions are tied to Windows is your hole, and for me anyway, that hole was a saving grace in disguise. With XYplorer it's simple to navigate "access denied" $ISR folders/files and salvage programs, data, etc. You can even move them about to your heart's content.

    What happened for me was deliberate, of my own doing on purpose; any file infector virus, or even KillDisk, wouldn't make it past my front-line HIPS, or Sandbox, or Power Shadow for that matter. :D
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This also proves that you can't trust F-Prot as a scanner, or any other scanner either, because it didn't remove the autorun.inf file. That's why I lock my data partition when I go on-line or do dangerous tests, and why I don't use scanners anymore.
    Boot-to-restore and locking are doing a much better job than security software, and that's why security software has second place on my computer.
    It's not the first time that scanners fail to remove everything, because the days of simple malware are over.

    PS.: system.exe? This one has no chance to do anything with AE on board.
     
    Last edited: Nov 28, 2007
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    There are many malware that infect multiple partitions, along with adding autorun files to them.

    Even more dangerous are file infectors, which will overwrite any exe files on all partitions and make a lot of copies of themselves that will survive FDISR.
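    aigle's point that file infectors on other partitions survive FDISR calls for a check a system-partition rollback does not give you: an integrity baseline of the executables on the data drive, stored off that drive. Added Python example, not code from the thread or from FD-ISR; the directory layout, the placeholder "MZ" bytes, the baseline file name and the simulated infection are all constructed for the demonstration. The baseline must live somewhere the infected system cannot write (the same reasoning the thread applies to archives), otherwise an infector can rewrite it along with the executables.

```python
"""Baseline-and-verify integrity check for executables on a non-system drive.

Added example; not code from the thread or from FD-ISR. A boot-to-restore or
snapshot tool only restores the system partition; this check tells you whether
executables on the data partition were modified, added or removed.
"""
import hashlib
import json
import os
import tempfile

EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".sys", ".ocx"}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """{path relative to root: sha256} for every executable under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the drive's executables against a saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: clean data drive, baseline saved off-drive, then an
    infector-style change (code prepended to one exe, a payload dropped in RECYCLER)."""
    with tempfile.TemporaryDirectory() as base:
        drive = os.path.join(base, "E")          # stands in for E:\
        archive = os.path.join(base, "archive")  # stands in for the archive disk
        _write(os.path.join(drive, "bin", "tool.exe"), b"MZ placeholder tool")
        _write(os.path.join(drive, "bin", "helper.dll"), b"MZ placeholder dll")
        _write(os.path.join(drive, "docs", "notes.txt"), b"not tracked")
        os.makedirs(archive)
        with open(os.path.join(archive, "E-baseline.json"), "w") as fh:
            json.dump(build_baseline(drive), fh)
        # Simulated infection. autorun.inf is not an executable, so it is
        # outside this check's scope by design.
        _write(os.path.join(drive, "bin", "tool.exe"), b"INFECTED" + b"MZ placeholder tool")
        _write(os.path.join(drive, "RECYCLER", "system.exe"), b"MZ dropped payload")
        _write(os.path.join(drive, "autorun.inf"), b"[autorun]\r\nopen=RECYCLER\\system.exe\r\n")
        with open(os.path.join(archive, "E-baseline.json")) as fh:
            return verify(drive, json.load(fh))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    Run build_baseline against each data drive root from a known-clean snapshot and keep the JSON on the archive disk; after any incident, verify from the clean snapshot, not from the suspect one, so the hashing itself runs on trusted code.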
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    Actually, on this, Erik, you are wrong. The big flaw with AE is that you have to disable it to install anything. If I were using AE, which I've again dropped, I'd have never known what this thing did. I saw it by clicking through SSM and OA. So if it was installed by you by accident, you would have had AE disabled, and when you re-enabled it, it would have added system.exe to its whitelist.
     
  13. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Peter

    Do you have the capability of testing this with 2 drives? I keep OS and programs on C: and data on D:, but with D: being a different physical drive.
    From what you have said, using a different physical drive might be no better than partitions?

    Deepfreeze could, of course, be used with FD-ISR to provide complete protection. As with any other such solution, the question, though, is how to save data. It is all well and good having Deepfreeze lock C:, D:, E: and F:, or using another program to lock the data drive, provided you never want to save anything. As soon as you open it to save, the problems come back.

    Can bad things left on D: do any harm? Can they do anything at all from D:?
    If the bad thing is an exe, then would it not be restricted to launching itself to operate from C:, only to die upon reboot (that is, if freezing C:)?

    Upon reflection, my only other comment is that it seems best to continue as I have in the past and not have anything to do with viruses or spyware.
    "If you lie down with dogs you get fleas" has always been my family motto.
     
  14. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Interesting test, Peter; I can almost feel my paranoia levels elevate :D Is the virus actually capable of doing anything on your data partition after the system partition has been cleansed? What I mean by that is, when it initially invades, it sets itself up in the system and, as you have shown, also places parts of itself into other partitions; but if the system partition is protected either by FDISR or Returnil, a reboot will clear the system partition. Is what's left elsewhere, whilst undesirable, actually capable of doing anything?
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I recently read a disaster post at Wilders where a user lost 3 non-system partitions, cleaned out by a virus. I knew this already without Peter's test, because it is obvious and logical that this can happen. If malware can damage a system partition, why not a data partition or any other partition?
    That's why I installed PC Security to lock my data partition, the one Peter forgot in his test; otherwise his partition [E:] would still be malware-free.
    The main thing is that an archive can remove malware, and that is enough for me.
    I'm only asking myself: does an archive really remove everything? That's why I have my Zero Tool ready.
     
    Last edited: Nov 28, 2007
  16. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Yes, I can understand that, strictly speaking, but that is not my question. My belief, right or wrong, is that most malware must install on your machine to do its work. Now, when the system partition is cleansed, the malware, wherever else it may reside on whatever partitions or drives, is no longer installed, so is it still harmful? Cleaning the system partition, to my mind, is like cutting off the head.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    My VM machine isn't partitioned. It has two separate drives. I also agree with you about being careful with what you do. What started me looking at this is that sometimes we install trusted things, and it turns out that the trust wasn't valid. So it raises the question: you put your favorite HIPS, or whatever, in install mode and tell it to install in c:\program files; would there ever be a reason for installing an exe file in the e:\recycle area, and should the HIPS alert/block that even though you told it the program was trusted? Something to ponder.
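    Pete's question, whether a HIPS should still flag an exe written to e:\recycler while an installer is trusted into c:\program files, as an added Python example. This is not code from the thread or from any HIPS (OA, SSM, AE or otherwise). classify() applies a scope policy that is my assumption, not any product's: an autorun.inf at a drive root, and executables staged under recycle-bin style folders, are blocked even in install mode; executables outside the approved install directory raise an alert; everything else is allowed. The write events are constructed to mirror the installer behaviour described earlier in the thread, and ntpath is used so the Windows path rules apply on any host.

```python
"""Scope check for an installer trusted into c:\\program files.

Added example; not code from the thread or from any HIPS product. Takes the
file-write events a HIPS would see during install mode and decides whether each
write stays inside the approved scope.
"""
import ntpath  # Windows path rules regardless of the host OS
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".pif"}
STAGING_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}
ROOT_DROP_NAMES = {"autorun.inf"}


@dataclass(frozen=True)
class WriteEvent:
    process: str
    path: str  # full Windows path the process created or modified


def _parts(path: str) -> Tuple[str, List[str]]:
    drive, rest = ntpath.splitdrive(path)
    return drive.lower(), [p for p in rest.lower().split("\\") if p]


def classify(event: WriteEvent, approved_dirs: Iterable[str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'.

    The policy is an assumption for this example, not any product's behaviour.
    """
    drive, parts = _parts(event.path)
    name = parts[-1] if parts else ""
    is_exec = ntpath.splitext(name)[1] in EXEC_EXT
    # autorun.inf at a drive root is a persistence primitive, never an install step.
    if len(parts) == 1 and name in ROOT_DROP_NAMES:
        return "block", f"{name} dropped at root of {drive}"
    # Executables under recycle-bin style folders are staging, not installation.
    if is_exec and any(p in STAGING_DIRS for p in parts[:-1]):
        return "block", f"executable staged under a recycle-bin folder on {drive}"
    for approved in approved_dirs:
        adrive, aparts = _parts(approved)
        if drive == adrive and parts[: len(aparts)] == aparts:
            return "allow", f"inside approved {approved}"
    # Trusted to install into c:\program files does not cover exes elsewhere.
    if is_exec:
        return "alert", f"executable outside approved scope on {drive}"
    return "allow", "non-executable write outside scope"


def audit(events: Iterable[WriteEvent], approved_dirs: Iterable[str]) -> list:
    return [(e, *classify(e, approved_dirs)) for e in events]


def summary(results: list) -> dict:
    return dict(Counter(verdict for _, verdict, _ in results))


# Constructed; mirrors what the thread describes the installer doing.
SAMPLE_EVENTS = [
    WriteEvent("setup.exe", r"C:\Program Files\SomeTool\tool.exe"),
    WriteEvent("setup.exe", r"C:\Program Files\SomeTool\readme.txt"),
    WriteEvent("setup.exe", r"C:\autorun.inf"),
    WriteEvent("setup.exe", r"E:\autorun.inf"),
    WriteEvent("setup.exe", r"C:\RECYCLER\system.exe"),
    WriteEvent("setup.exe", r"E:\RECYCLER\system.exe"),
    WriteEvent("setup.exe", r"C:\WINDOWS\RECYCLER\system.exe"),
    WriteEvent("setup.exe", r"E:\Tools\helper.exe"),
]
APPROVED = [r"C:\Program Files"]


def demo() -> list:
    return audit(SAMPLE_EVENTS, APPROVED)


if __name__ == "__main__":
    for event, verdict, reason in demo():
        print(f"{verdict:5}  {event.path}  ({reason})")
    print(summary(demo()))
```

    The point of the policy is that "trusted" is scoped to a directory, not to the process: an install-mode grant covers writes into the declared target, and a write to another drive's root or recycle-bin folder is exactly the event the grant should not silence.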
     
  18. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Since I'm not a user of FD-ISR, I won't comment on anything regarding the methodology or its result. However, as for AE, which I'm using myself, I personally regard it as a defence against unsolicited execution of files. As soon as you have accepted the file, executed or not, AE will lose its importance for defending your system against that file, as Peter2150 remarked. So using a process monitor/guard behind AE could be useful.

    /C.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    Hi Tradetime

    I agree with you, but still this give me something to at least be aware of.

    Pete
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can't answer that question. If I knew what a virus can or cannot do by itself, and what it needs to do something bad, then it would be a lot easier for me.
     
  21. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Absolutely a good test, and good to know, particularly for me: when I set up my new machine, one of the options I am considering is to have a second OS on another drive, so there is perhaps a great deal of risk there for me; certainly to be considered.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    I wonder if locking the partition prevents malware from messing with it. May have to test.
     
  23. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    ROFL, you and me both Erik. You are not alone :D
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I have argued many times that it is far more difficult to get contaminated than many think, and that most of the so-called security programs are so called for a reason. To this must be added that the most likely source of a contamination is a friendly source. Freezing C: can only provide a certain degree of protection; C: has to be opened to update and change. Locking D:, E: or W: likewise protects data only so long as no new data is added. Once the door is open, anything can happen.

    As to AE, I find it comic that such a program can so easily be defeated by the user, but isn't that the case with all security programs?
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The user is always the weakest link and makes any security program useless if he doesn't use it right or doesn't follow the basic rules.
    That Peter had to disable or uninstall AE to make this test possible is enough for me to keep AE.
     