Rollback and Malware... how well do they play

#1
Old 10-27-2010, 04:50 PM
Senior Member
 
Join Date: Jun 2010
Location: Robbinsville, NJ - USA
Posts: 367
Rollback and Malware... how well do they play

It was suggested that a more general thread be started to follow the existing specific thread Does Rollback Rx prevent Safesys virus ?.

I will start with the last comment from the previous thread. This particular follow-up concerns the Windows Security Virus which, apparently, has many forms...

Quote: Originally Posted by nexstar
Froggie, for the record, I personally feel that your investigations are pertinent to the topic as they concern Rollback's ability to protect itself as well as the system.

It's a pity you didn't try the baseline snapshot as that's the one which you should always be able to boot to if RB is doing its job. The subsequent snapshots may simply have been infected and put into a non-bootable state.

Also, if you boot into the baseline then you should still be able to explore and recover files from even non-booting snapshots, which can be useful.

I'm not sure how you plan to reconstruct RollBack as I presume the system is back in use again with fresh data being written.

Were you using your MBR tool inside or outside of Windows? My tests a few years ago with similar tools found that they didn't get the correct information when used within Windows which, I assumed at the time, was one way RB protected its MBR.

Good luck with the mission.

Graham
Graham... since a simple MBR rewrite allowed the system to come alive once again, I don't believe trying to get to any Rollback snapshot would have worked. The rewrite only changes the MBR (Sector 0) and not the whole of Track 0 (other interesting stuff). The 440 words of MBR code are common to everything the system tries to do... including rolling back to any snapshot. In my observation, Rollback does not "tweak" the MBR when doing rollbacks. It only tweaks it when it INSTALLs and DeINSTALLs (to put its "bridge" code in). What it does do is mark specific sectors on the disc (not the MBR or VBR) as either available or unavailable for Windows use, then forwards the operation to a standard Windows boot which deals with those freshly marked sectors. This allows Windows to come up with a different sector set (or snapshot) and it proceeds normally from there. If the MBR itself is damaged (which this one was), you're pretty much dead in the water (English translation for SOL) in trying to get to any Windows boot code.

Reconstruction of Rollback snapshots may, indeed, be impossible. I'm going to try a "snapshot scavenger" I read about a while back and see what I come up with.

All my MBR work was done outside of Windows in a RAM-based DOS partition... all tools were DOS tools.

I'll keep this thread posted as to what else I may find.
#2
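Froggie's point above is that the MBR boot code is shared by every boot path, snapshot rollbacks included, so if that code is damaged nothing boots, and a plain MBR rewrite also wipes out RollBack's "bridge" code. A defender-side way to keep track of this is to record what the first sector looked like once RollBack was installed and compare against it later. The following is an added example, not code from the forum or from Horizon DataSys: it parses a 512-byte MBR using the classic layout (440 bytes of boot code, a 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, and the 0x55AA signature), hashes the boot-code region, and reports whether it has changed relative to a baseline copy. The sample sector is constructed inline so the script runs offline; reading a real sector 0 (for example from a forensic image) would require raw disk access that this example deliberately leaves out.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440              # classic MBR: x86 boot code occupies bytes 0..439
DISK_SIG_OFFSET = 440            # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its fields and hash the boot-code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")

    boot_code = sector[:BOOT_CODE_LEN]
    disk_signature = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]

    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + 16 * index
        status, _start_chs, ptype, _end_chs, lba_start, sector_count = struct.unpack_from(
            "<B3sB3sII", sector, offset
        )
        if ptype == 0:              # empty entry
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sector_count,
        })

    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
    }


def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """True when the 440-byte boot-code region differs from the recorded baseline."""
    return parse_mbr(baseline)["boot_code_sha256"] != parse_mbr(current)["boot_code_sha256"]


def partition_table_changed(baseline: bytes, current: bytes) -> bool:
    """True when any partition entry differs from the recorded baseline."""
    return parse_mbr(baseline)["partitions"] != parse_mbr(current)["partitions"]


def build_sample_mbr(boot_code_fill: int) -> bytes:
    """Constructed sample sector (not a real disk image): filler boot code,
    a made-up disk signature, and one bootable NTFS-type partition."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    disk_signature = struct.pack("<I", 0x12345678)
    reserved = b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    empty_entry = b"\x00" * 16
    return boot_code + disk_signature + reserved + entry + empty_entry * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = build_sample_mbr(0x90)      # sector as recorded after install
    rewritten = build_sample_mbr(0x91)     # same layout, different boot code
    print(parse_mbr(baseline))
    print("boot code changed:", boot_code_changed(baseline, rewritten))
    print("partition table changed:", partition_table_changed(baseline, rewritten))
```

The boot-code hash is the check worth keeping: a generic MBR rewrite leaves the partition table and disk signature alone, so only the first 440 bytes reveal that the bridge code is gone, which matches what happened in the thread.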
Old 10-27-2010, 05:30 PM
Senior Member
 
Join Date: Feb 2009
Posts: 367

Froggie, by restoring the MBR, you were putting the system back to boot where it was prior to the RB install. Restoring RB to that point would have shown if indeed the RB MBR was truly corrupted and not just the boot files in the other snapshots as it would have failed to boot into a previously known-to-be-working state.

I've had a situation in the past when a drive has become full, RB has kept popping up saying it has run out of room and I've gone and deleted all other snapshots except for the current one. I then discovered that the current one wouldn't boot due to some corruption or other but I was still able to go to the baseline snapshot.

You may well be right and the RB MBR may have been compromised, but I'm not sure that it's possible to say that for sure based on this at the moment. However, that's just my view on things.

Graham
#3
Old 10-27-2010, 07:53 PM
Member
 
Join Date: Sep 2010
Posts: 77
Am I reasonably protected?

Does Bill Gates's "gift" to the world, "Microsoft Security Essentials", protect my PC from the nastier forms of malware you folks speak of?

- I am by no stretch of the imagination a PC pro. I just have the task of keeping several family PCs running.

The only "real-time" protection I use is Microsoft Security Essentials.

- I do occasional "on demand" scans with Malwarebytes and Super Anti-malware.

Basic question. For the average Joe, are these popular, fairly inexpensive (in the case of Microsoft Security Essentials, absolutely free) tools effective? Are they just too weak to really work?

tubby
#4
Old 10-27-2010, 10:53 PM
Owl
Senior Member
 
Join Date: Jul 2010
Location: Newport, UK
Posts: 287

I use Zone Alarm (firewall) and AVG (antivirus), both free for personal use, but in the main my browsing habits do not expose me to danger and my ADSL router blocks incoming threats.

The firewall is most useful in checking which of your (deliberately installed) software keeps "phoning home", and stopping it if you wish. If you run several environments with RBRx, the last thing you want is software updates taking place in the background without your knowledge.