Virus Attack!

Discussion in 'FirstDefense-ISR Forum' started by alloucho, May 1, 2008.

Thread Status:
Not open for further replies.
  1. alloucho

    alloucho Registered Member

    Joined:
    Dec 26, 2007
    Posts:
    145
    If a snapshot is infected by a virus or trojan, will other snapshots be infected too? Because I have one snapshot without any antivirus installed, which seems to be infected by a trojan that starts automatically with Windows. I booted to the other snapshot, in which Kaspersky is installed, and I see the same autostart item in the startup control panel :ouch:
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    They possibly can be infected. Depends on what the trojan is. If you have the original FDISR, keeping an archive on another disk is much better. But even then it would be good if you have an image you could restore and then use the archive.

    Pete
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I knew in advance that this could happen, it's just a matter of time and it has been discussed in the past at this forum. It happened to you, it will happen to me also.
    That's why this kind of event is included in my security/recovery setup and will be fixed when it happens.
     
  4. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    It happened to me last year - I caught a virus on one snapshot that hooked into my other snapshots, and no matter which I booted to, the virus activity was present. Not all can/will do that, but some surely can.

    Thanks,
    Chrome
     
  5. Leapfrog Software

    Leapfrog Software Leapfrog Management

    Joined:
    Jan 25, 2006
    Posts:
    251
    Location:
    Northern Nevada, USA
    Greetings All,

    The ISR technology shares the same NTFS partition for all snapshots. This means that the NTFS file structure and the MFT are open for file lookup and attack. We try to "hide" the non-active snapshots, but a crafty virus may get through. I recommend keeping archives of your important snapshots. I use ISR for my first line of defense, then a BMR or archives for hardware or corruption issues.
     
  6. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I believe also, SOMEONE CORRECT ME IF I AM WRONG, if you were using the Freeze feature with the "Archive half" of the Freeze moved to another hard drive, that you would have removed the virus and recovered "cleanly" upon reboot.

    Acadia
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Restoring an IMAGE is indeed the best solution to recover from a malware attack, BUT images can be infected also, if you discover the malware too late.

    That's why I have two sets of images :

    A. A clean set of images, that contains a freshly installed Windows + Applications, that has hardly been on-line or "used". I have a clean image of each needed snapshot.
    I keep that clean set up-to-date with the latest versions and converted each image to an ARCHIVE, and that is the base for the actual system partition.
    So my clean setup has this :
    1. One clean off-line image (.spf) + clean off-line archive (.arx)
    2. One clean on-line image (.spf) + clean on-line archive (.arx)
    This also means that ShadowProtect is #1 in my clean setup and that I can re-create my clean archives at any time and as many times I want.

    B. A daily set of images and archives, which is created with my clean set of images and archives.
    1. One daily image (.spf) of both snapshots, created via my clean archives.
    2. One daily off-line archive (.arx)
    3. One daily on-line archive (.arx) + Freeze Storage (.arx)
    This set isn't important to me, because I can re-create it over and over again via my clean set.
    I only use this set to work and play and I consider this set as possibly infected, because it is constantly on-line.
    Of course I try to avoid infections by using a frozen snapshot and security software that kills the execution of malware immediately.

    Don't think that this is hard labor or difficult, it's nothing more than mouse-clicks and WAIT until it is finished.

    My clean archives also contain an "UNUSED" system partition, and that cleans my computer completely during each reboot, without using registry/history/junk cleaners and without the danger and incompleteness of all these cleaning tools.

    This was only possible with FDISR and no other ISR software can reach that level with the same convenience, otherwise I would have replaced the dead FDISR with a live ISR software already, because I don't like software with no future on my computer.
    So my feelings for FDISR are very MIXED. I can't even recommend it anymore to other users, because I'm talking about a dead cow and that makes me feel ... ridiculous.
     
    Last edited: May 2, 2008
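    A defender's check that follows from Leapfrog's point (all snapshots share one NTFS partition, so malware in the active snapshot can reach the non-active ones) and from Erik's two-set scheme (a clean set of images and archives that must stay clean): record a hash manifest of the clean set when it is created, and verify the set against that manifest before trusting it for a restore. This is an added example, not code from FDISR, ShadowProtect or Leapfrog; the directory layout, the `.spf`/`.arx` file names and the `CLEAN_SET_ROOT` path are assumptions, and the sample tree is constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed location of the offline "clean set" (images + archives); not an FDISR path.
CLEAN_SET_ROOT = Path(os.environ.get("CLEAN_SET_ROOT", "D:/CleanSet"))
MANIFEST_NAME = "clean-set.manifest.json"  # assumed name for the manifest file


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, exclude=(MANIFEST_NAME,)):
    """Map each file under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name not in exclude:
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def save_manifest(manifest, path):
    """Write the manifest; keep this copy on read-only or disconnected media."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_manifest(root, manifest):
    """Compare the tree under root with a previously recorded manifest.

    Returns the changed, missing and unexpected files; 'ok' is True only when
    the tree is byte-for-byte what was recorded.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest
                      if k in current and current[k]["sha256"] != manifest[k]["sha256"])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    return {"modified": modified, "missing": missing, "added": added,
            "ok": not (modified or missing or added)}


def demo():
    """Constructed walk-through: record a clean set, tamper with it, detect the change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "archives").mkdir()
        (root / "offline.spf").write_bytes(b"constructed image bytes")
        (root / "archives" / "offline.arx").write_bytes(b"constructed archive bytes")

        manifest = build_manifest(root)          # taken while the set is known clean
        save_manifest(manifest, root / MANIFEST_NAME)

        # Simulated later tampering: one image altered, one unexpected file dropped in.
        (root / "offline.spf").write_bytes(b"constructed image bytes, altered")
        (root / "archives" / "unexpected.bin").write_bytes(b"constructed junk")

        return verify_manifest(root, load_manifest(root / MANIFEST_NAME))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    In real use, run `build_manifest`/`save_manifest` right after the clean images and archives are made, and `verify_manifest` before each restore from them. Keep the manifest (or at least its own SHA-256) somewhere the online system cannot write, since a manifest stored next to the images on the same writable disk can be rewritten by the same malware that altered the images.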
  8. Leapfrog Software

    Leapfrog Software Leapfrog Management

    Joined:
    Jan 25, 2006
    Posts:
    251
    Location:
    Northern Nevada, USA
    You are correct, since freeze restores from an archive, the virus would be removed. This is the case as long as the NTFS/MFT was not damaged from the virus.
     
  9. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Why not? Older automobiles can be the most enjoyable automobiles to drive even though no one is selling them any more and parts can be hard to find.

    Acadia
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't and can't agree, a number of things could be improved in FDISR to make it even better and that will never happen.
    As I said before, I'm not a fan of FDISR, but I can't replace it with RollbackRx either, and software like Returnil, etc. is not even an option I want to consider.
     
  11. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Hmmmm, then maybe Returnil is a better product, at least for the protection part of it anyway, since Returnil also protects the MBR.

    Acadia
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    True, so what? Destructive malware, like Killdisk, Robodog, Robotdog, ... is killed by Anti-Executable immediately as an unauthorized executable.
    Keep in mind that all this malware was tested without AE, otherwise they couldn't even run the tests.

    Regarding possibilities, Returnil is nothing but an optional feature "Freeze" in FDISR and that's all. Even that optional feature is stronger in FDISR than in Returnil, because FDISR has "Freeze Previous", which doesn't exist in Returnil, DeepFreeze, ShadowDefender, PowerShadow, etc.
    That is the reason why Returnil and the rest can't handle software that requires a reboot during the installation.
     
  13. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    How can that be if Returnil protects the MBR but FDISR does not?

    Acadia
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Good question. Maybe Leapfrog forgot it or it wasn't technically possible. I can't be the judge of that, I'm not a programmer.
     
  15. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    But the MBR question is the only way that I see Returnil as being superior to FDISR, in all other aspects, in my opinion, the edge goes to FDISR (the original, of course). :cool:

    Acadia
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Here I agree and I'm not going to replace FDISR with Returnil, just because of the MBR. FDISR is still the king of possibilities and no ISR software is able to beat FDISR, not even the latest ones.
    Everything that is better in the other ISR software can be added in FDISR also, but that never happened and will never happen.
    Until now my MBR was never destroyed and even when it happens, it's not a disaster, because I know what to do.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    As someone who has personally experienced this virus attack, where ALL my snapshots/archives were rendered disabled except only two I could boot into from a total of 9, I would have been in a deep muddy pool of doo doo had I not FIRST saved those same snapshot archives to another internal disk JUST FOR THIS PURPOSE!

    I accidentally let a file infector slip past without my HIPS on and it did a great deal of disruption to say the least. I was able to salvage enough good programs from other snapshots only to remember I had already archived those snapshots to a SAFE PLACE and unplugged the internal.

    I eventually was forced to wipe the entire 200Gb drive, one partition at a time, reformatted and reinstalled FD-ISR and then just connected to this saved archive HD, and FD-ISR returned EVERYTHING! right back again as it was before the virus.

    I'd venture to say that my net program loss was less than 2%, since those I had not done a Copy/Update to the SAVE ARCHIVES disk yet, so FD-ISR turned a most destructive situation into one that wasn't so critical after all.

    The most IMPORTANT! chore for any FD-ISR (Genuine) user is to FIRST! archive to an alternative media for emergency purposes just like this.
     
    Last edited: May 3, 2008
  18. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    What is BMR?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I would assume a bare metal restore.
     
  20. Leapfrog Software

    Leapfrog Software Leapfrog Management

    Joined:
    Jan 25, 2006
    Posts:
    251
    Location:
    Northern Nevada, USA
  21. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    ... "or archives", I like that. Almost four years of using FDISR and I have never had to use any of my three disk imaging programs because FDISR was always there. :cool: (Yes, Erik, I know, I know, I depend too much on FDISR, but sometimes life preservers really do float better than anything else to be found in the water!)

    Acadia
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Uh Hem

    I resemble those remarks :D

    Saved archives equal saved from depending solely on my backup images :thumb:

    In fact when I got popped, that's why I was so concerned, since I didn't make a backup image for that drive which was bit. ENTER.......FD-ISR Archives!! to the rescue!!
     
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Todd:
    Good, you're still watching.
    Any chance of an FDISR boot disc to pop those external archives back on a wiped disc?

    I'm just so lazy...;)

    (or, if not in the Leapfrog pipeline, can/could you give suggestions as to how to get FDISR on a PE disc)
    just goes back to the lazy thingy again..
     
  24. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Fact is, after I got hit with that virus that hooked into all my snapshots, it got me thinking that sometimes it's good to have that true partition with a light install of an operating system. So, I created a small partition and installed Windows into it basically with just a virus scanner; that way, if I ever got hit with a similar virus again, I could just boot to that partition, do a virus scan through my ISRs, and kill it. If I'd done that before, instead of losing my snapshots and having to restore from archives, everything would've been good to go from that point.

    Moral: it's always good to have an operating system on its own partition, regardless...

    Thanks,
    Chrome
     
  25. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Maybe I'm missing something, but I'd guess that an all-invasive virus can also hit your special partition. o_O
     