Softpanorama
May the source be with you, but remember the KISS principle ;-)
A substantial amount of money is spent on commercial antivirus/antispyware software, and many users own products from at least two different vendors. The number of vendors in the field makes the situation similar to the early twentieth century, when anyone with a bathtub and some chemicals could mix and sell drugs and claim fantastic cures. These "innovators" raked in profits by skillfully marketing lousy products because customers were poorly equipped to tell the difference between effective and ineffective treatments.
An additional hidden agenda behind the user's frantic search for a cure for a particular spyware infection is the popularity of the idea that it is possible to find "the best anti-spyware scanner". See for example Top Spyware Scanners.
In reality the idea of a perfect cure for spyware is very similar to the search for the Philosopher's stone, the mysterious substance that can turn lead into gold. The analogy is actually pretty apt, as an infected computer is as close to a brick of lead as one can get. Spyware is a generic term that encompasses a tremendous variety of products, and each approach to combating it faces limitations on certain types of spyware. For example, a plain-vanilla signature-based scanner will fail on rootkit-based spyware. Some types of spyware install additional drivers on the computer which serve as recovery software, restoring components on the next reboot after the spyware scanner has deleted them, often under new random names. Only changes in Windows architecture can provide a lasting antispyware effect, and the last thing Microsoft wants is a break in compatibility.

Moreover, the frantic search for the anti-spyware program that can remove a particular infection subjects PC users to additional dangers. Not all anti-spyware vendors play fair. The recent proliferation of fake antivirus products is one example of the trend. In January 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. On December 4, 2006, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. That means they had that amount of money to pay. See also People of the State of New York v. Direct Revenue, LLC.
The truth is that there is no perfect antispyware/antivirus program, and there cannot be such a thing. This is a variant of the classic "shell vs. armor" story. Malware authors quickly adapt to the capabilities of existing tools when writing new versions or new generations of malware. And as a substantial part of malware is now about money (via direct or indirect extortion), they have the motivation and the means to achieve their goals. To get an idea of the technical complexity of spyware, please read the description of Conficker (conficker-analysis). All this suggests that scanner-based protection is far from being the best way to protect a PC from spyware.
My claim is that a better (or equal ;-) level of protection is achievable using image-based restores. That means it is preferable to limit yourself to a free antivirus/antispyware program such as the offerings from Microsoft (Microsoft Security Essentials), AVG Free, Avast! Home or Avira AntiVir Personal, and to invest the money into creating a fast backup infrastructure for system partition images.
The key value of AV/antispyware scanners is not immediate disinfection but alerting you to the problem "after the fact", in case you missed it. All those tools are usually one step behind the spyware writers. This is a generic weakness of AV/antispyware scanners and nothing can be done about it. So buying a commercial AV/antispyware program, for example Norton Antivirus 2010 from Symantec for $20 (which is actually $60 if you have three computers at home; see NORTON ANTIVIRUS 2010 1U/3PC), is not a wise move. While it might be better on some spyware, it is definitely worse than Microsoft Security Essentials in some areas. Historically, the Norton Antivirus home edition used to cause so many problems on Windows that it can be considered a Trojan horse in its own right, no less dangerous than most adware ;-). Generally, the fewer AV/antispyware programs are running on your PC, the more stable it works. So one free program is more than enough.
Money spent on commercial AV would be better spent on creating a fast image-based backup subsystem and creating images on a weekly basis. In this case you can restore your computer in case of trouble in approximately two to three hours, not two or three days after spending countless hours on the phone with the vendor.
A SATA or eSATA connection to the backup drive permits backing up or restoring 30G of data on the C: partition (which is the typical amount of data on the C: partition in Windows XP) in approximately 30 minutes. USB 2.0 takes approximately twice as long.
An additional step in this pretty simple but very effective anti-spyware strategy involves splitting your hard drive into two partitions and storing some or all of your user folders (Documents and Settings in Windows XP) and private data on the second partition, which you should back up daily using Windows XP Backup. For those who store a lot of media on their drives this makes creating the image of the system partition quicker, as the partition is smaller. For those who do not store much data on the C: partition this step can be omitted. But those are tactical issues. The key strategic idea is using image-based fast restore instead of an AV/antispyware program. That presupposes a rigid discipline of making backups, which is also beneficial for all the other problems not connected with spyware, such as crashes of the computer. So the strategy has positive side effects.
While many simpler variants are possible, in the variant described below we will assume usage as backup storage of
With few exceptions, such as the Dell D620 and D630 laptops which permit replacing the CD drive with a bay enclosure holding a hard drive, an internal-drive solution is possible only for desktops.
Either two partitions on the same large (1-2TB) drive or two drives (one small, one large) can be used:
There are several recommended stages for the backup process (as I mentioned before, some of them can be omitted depending on your situation):
The key idea here is to make your system image small so that creating the backup image of the partition does not take too long: let's say 20 min on USB 3.0 or an internal drive, 30 min if backing it up to eSATA, or 1 hour on a USB 2.0 drive.
People often keep too much stuff on the C: drive, and recently, with music, photos and videos, the situation has become really unmanageable. If you keep just documents on your C: drive and the total amount of space consumed is within 30G, this step is optional, but it still provides some advantages, as it permits collecting all your valuable data (and your data are definitely more valuable than the system image, maybe 100 or 1000 times more valuable) in one place.
First, you need to empty the Recycle Bin and defragment the C: partition. It also helps to remove obvious junk from the C: partition. After that preliminary operation you can split your C: partition into two. Vista and Windows 7 are capable of shrinking partition C: using the Disk Management interface. For XP you can use
In most cases it is recommended to allocate twice as much space as you currently use for your shrunken system partition (the size calculation should exclude user data). So if 30G is used on partition C: (this is a typical size for all system and program folders in Windows XP), the shrunken size should be at least 60G.
That's the easy part. If it is small it can be formatted as FAT32 to improve recovery capabilities, but this is not necessary, as most Linux distributions can now read and write NTFS partitions too.
In case you store a lot of data in your home directory (for example images or music) you can move them to a separate partition which you can back up. In any case, it is important practice to store your data on a partition different from the system partition, and this practice should be strictly adhered to. You can save yourself a lot of trouble by separating the Windows operating system from your data.
Relocating part or all of your profile from the C: to the D: drive has several advantages in data recovery situations:
There are two major possibilities for moving user data from the C: drive to the D: drive:
Dyonisii.com [Windows: Moving Documents and Settings Folder]: Microsoft Knowledge Base Article 236621 indicates a solution for moving the Documents and Settings (D&S) folder. However, this only applies to MS Windows Server 2000, Windows 2000 Advanced Server, Windows 2000 Professional, and Windows 2000 Datacenter Server.
If you are using Windows XP, here are the steps which you could follow. The following is based on KB236621 but has been revised so it fully works for Windows XP.
Note: By executing the steps indicated below, you are doing so at your own risk. I can't guarantee that this is going to work, although it has always worked perfectly on my machine, each time I would reinstall Windows XP.
To move the D&S folder from one drive (C) to another (D): [Thanks to Kasper from Copenhagen and Noel from Seattle, Washington for the feedback, and the guys discussing this document at Moveuser.exe]
1. Open Windows Explorer.
2. Create a folder called "Documents and Settings" (without the quotes) in drive D.
3. Show all files and folders [Tools > Folder Options > View tab > Choose "Show hidden files and folders" > Uncheck "Hide protected operating system files" > OK].
4. Create a profile with administrative permission and call it "mover" (without the quotes) [Open Control Panel > Open the User Accounts applet > Create a new account > type "mover" without the quotes > Click the Next button > Choose Computer administrator > Click the "Create Account" button].
5. Log out of Windows XP and log in with the "mover" account.
6. Go to your current D&S folder (C:\Documents and Settings). You should be able to see all the folders there, including the ones used by the system. If this is not the case, please execute step 3.
7. Copy all the folders inside C:\Documents and Settings except the LocalService, NetworkService, and mover folders to the new location (D:\Documents and Settings). Notice that you cannot copy the LocalService, NetworkService, and mover folders because they are in use. If you happen to copy these by mistake, just delete them. (The LocalService and NetworkService folders, which cannot be copied, will be created automatically at the new location after all the steps in this document have been executed.)
8. Open RegEdit [Start > Run > regedit].
9. Change all instances of C:\Documents and Settings to D:\Documents and Settings. ***Make sure that you back up your registry first before changing anything. Messing with the Registry can be dangerous to your computer.*** (You may use F3 to search for every instance of D&S.)
10. Change any entry which points to Documents and Settings to D:\Documents and Settings\..., including, but not limited to, "\Device\HarddiskVolume1\Documents and Settings\...", "%SystemRoot%\Documents and Settings\...", and "%SystemDrive%\Documents and Settings\..." to "D:\Documents and Settings\...".
11. Change also all instances of C:\Docume~1 to D:\Docume~1, as "Docume~1" is the 8.3 representation of "Documents and Settings".
12. Double-check all the changes you have made before closing RegEdit.
13. Do a cold boot of your computer [shut down your computer and turn it back on].
14. Log in with the "mover" account again.
15. Go through steps 8 to 11.
16. Reboot your computer and log in with your original account.
17. Your D&S folder should already be in drive D. Try renaming the "Documents and Settings" folder in drive C to, let's say, OLDD&S. If the rename was successful, you have successfully moved your D&S folder from drive C to drive D.
18. Congratulations!
19. Restore the settings of your Windows Explorer by reversing the choices you made in step 3.
20. Oh, and don't forget to remove the mover account you created, if everything is working fine now.
Note: The Windows Server 2003 Resource Kit has a tool, moveuser.exe, that can re-associate a profile with another user account.
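The RegEdit part of the procedure above (F3 through the whole registry, fix every hit by hand, then repeat it after the cold boot) is where most mistakes happen. The following script is an added example, not the Dyonisii.com author's code and not part of the original page. It assumes Windows XP SP3 with PowerShell 2.0 installed (XP does not ship it) and an administrator session such as the "mover" account; the registry paths, the pattern list and the -Apply switch are the example's own. By default it only lists the values still pointing at the old profile root, which is also a convenient check after a manual edit.

```powershell
# Added example (not from the Dyonisii.com procedure or from Softpanorama).
# Assumes Windows XP SP3 with PowerShell 2.0 installed (XP does not ship it)
# and an administrator session such as the "mover" account described above.
# By default this is a dry run that only lists the string-typed registry values
# still pointing at the old profile root; re-run with -Apply to rewrite them,
# after exporting the registry as the procedure demands.
param(
    [string]$OldRoot = 'C:\Documents and Settings',
    [string]$NewRoot = 'D:\Documents and Settings',
    [switch]$Apply
)

# The spellings named in the RegEdit steps. The \Device\ volume number is whatever
# regedit shows on your machine; HarddiskVolume1 is only the value quoted there.
$rewrites = @(
    @{ Old = $OldRoot;                                         New = $NewRoot },
    @{ Old = '%SystemDrive%\Documents and Settings';           New = $NewRoot },
    @{ Old = '%SystemRoot%\Documents and Settings';            New = $NewRoot },
    @{ Old = '\Device\HarddiskVolume1\Documents and Settings'; New = $NewRoot },
    @{ Old = 'C:\Docume~1';                                    New = 'D:\Docume~1' }
)

# Case-insensitive literal replacement of every pattern inside one string.
function Convert-ProfilePath([string]$Text) {
    $out = $Text
    foreach ($r in $rewrites) {
        $out = [regex]::Replace($out, [regex]::Escape($r.Old), $r.New, 'IgnoreCase')
    }
    return $out
}

$stringKinds = @('String', 'ExpandString', 'MultiString')
$hits = @()
# HKEY_USERS already contains the current user's hive, so HKCU is not listed twice.
foreach ($root in 'HKLM:\', 'Registry::HKEY_USERS\') {
    # Keys the account cannot open (SAM, SECURITY, unloaded hives) are skipped.
    foreach ($key in Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            # Only REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ can hold a path.
            if ($stringKinds -notcontains [string]$kind) { continue }
            # Do not expand %SystemDrive% etc., so the spellings match as written.
            $old = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($old -is [array]) {
                $new = [string[]]($old | ForEach-Object { Convert-ProfilePath $_ })
            } else {
                $new = Convert-ProfilePath $old
            }
            if (($old -join "`n") -eq ($new -join "`n")) { continue }
            $hits += New-Object PSObject -Property @{
                Key = $key.Name; Value = $name; Old = ($old -join ' | '); New = ($new -join ' | ')
            }
            if ($Apply) {
                # Registry.SetValue takes the full key name (HKEY_LOCAL_MACHINE\...)
                # and keeps the original value kind, which Set-ItemProperty may not.
                [Microsoft.Win32.Registry]::SetValue($key.Name, $name, $new, $kind)
            }
        }
    }
}

$hits | Format-Table -AutoSize Key, Value, Old, New
if ($Apply) { "{0} value(s) rewritten." -f $hits.Count }
else        { "{0} value(s) would be rewritten (dry run; add -Apply to change them)." -f $hits.Count }
```

Run it once without -Apply and read the list: anything under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList should appear, and anything you did not expect (a third-party service that hard-codes its own data path) tells you which programs will need attention after the move. Run it again after the cold boot, as the procedure does, because services create fresh values on the first start.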
For desktops the easiest solution is to install an additional hard drive. For laptops and minis your only option is to use an external drive. eSATA drives are faster than USB, so if your laptop/desktop supports eSATA it makes sense to buy an eSATA enclosure and install the drive in it.
The procedure depends on the tool you use for creating images. There are several free and commercial possibilities here:
Free tools
DriveImage XML is free for private use
HDClone is also free for private use. Its features include HotCopy & LiveImage (imaging while Windows is running) and SmartCopy & AutoExpand, now supporting ext2/ext3 file systems and hard disks larger than 2 TB (2000 GB).
Partition Saving is a DOS, Windows and Linux program that is used to save, restore and copy hard drives, partitions, floppy disks and DOS, Windows or Linux devices.
With this program you can save all data on a partition to a file (which you could then burn to a CD, for example). Then if something goes wrong, you can completely restore the partition from the backup file. You no longer have to reinstall every piece of software from scratch. All you have to do is restore the partition from the backup file and then update any software that was modified since the backup was created.
Note: beware of software which installs or modifies files on multiple partitions (e.g. Windows programs which update the registry or DLLs that may be on other partitions). If one partition is saved or restored, you must include others (otherwise, inconsistencies could prevent software from running).
Partition Saving is able to compress data (using the gzip compression algorithm) and split it up into several files (e.g. if you need to save a 2 GB partition onto a CD, this can be done by compressing it and, if necessary, splitting it up into 650 MB files). Most partition types are supported. In the case of FAT (12, 16 and 32), ext2/3 and NTFS partitions, you can choose between saving all sectors or in-use sectors only.
Acronis True Image is one of the cheapest commercial offerings and is pretty reliable on 32-bit Windows XP. You can find it for approximately $25-$35 delivered electronically. It does not have a high rating on Amazon, but that is mainly due to complex cases where users expect too much from the program (a multi-boot drive with several OSes installed is one typical problematic case). For simple cases like ours it is an OK program.
Ghost 15 (for XP, Ghost 14 is also OK). Ghost 2003 was the last "classic" Ghost of the product Symantec bought. The versions after that were a disaster. After Symantec ran Ghost into the ground, it tried to resurrect it using the Windows Preboot Environment (Ghost 14 and 15): instead of DOS, the latest versions are based on WinPE. Because WinPE is based on the modern 32-bit Windows kernel, it can use the same plug-and-play hardware drivers as Windows, making hardware support for Ghost much simpler. I did not try it, but one reviewer mentioned that it prevented him from restoring the image to different but identical hardware (see B Wong's Amazon review). Maybe it is licensed to one PC, not to one user with multiple PCs, which makes the product pretty much useless. Windows 7 Ultimate has a built-in backup and recovery environment that is more or less OK and might be a better deal.
PARAGON System Backup is $29.95
True Image is the cheapest of the commercial offerings and works reasonably well. It is important to test not only the creation of the image but restoring it as well (onto some additional USB drive, for example; see step 5).
Purchase or assemble a drive identical in size to the one you use in your desktop or laptop (having a spare drive is a good idea, as drive failure is the most frustrating experience for PC and especially laptop users) or a small USB drive (64G-120G, not more), and make a full copy or just a bootable copy of your C: partition on this drive.
You can simply restore the image you created in the previous step onto this drive. True Image's disk cloning function (hidden in the Tools menu) is very useful and works really well. Please note that it uses a standalone loader (I think it is Linux-based, not WinPE-based).
It is very important that this operation is performed on a healthy system. While an attempt to save a dying or infected system might succeed, failure in such a case is more typical and should not surprise anybody.
Also, the image of the C: partition that you clone should have the imaging program installed.
This "definitely healthy" bootable USB drive can later be indispensable for restoring the system partition on your PC or laptop. As it is a fully usable system, it relieves the time pressure on the restoration process. And it is time pressure that is the source of most blunders during restoration, the blunders that often cost users their data.
It does not need to be kept up to date. You can update this drive once a month or once a quarter. Moreover, the content of this drive can be completely static, but in that case you need to check it periodically (at least once a quarter).
If you moved your profile to the second partition, your only option is to use the imaging program for backing up that partition.
In other cases Microsoft Backup can be used. See Windows XP Backup Made Easy.
Incremental backups are OK for this partition.
It is wise to write images to a large drive so that several generations of images are available. The reason is that corruption of files is often detected only after a period longer than the interval between backups (assuming it is one week or one day). 60 days of backup storage is standard recommended practice. A 1-2TB drive is usually sufficient. That gives you the capability to store multiple images of your system and backups of your data. The drive should probably be mirrored if your data are important. For example, there are several options suitable for 32-bit Windows XP:
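A retention rule is easy to state (keep 60 days) and easy to get wrong: if the weekly image job silently stops, "delete everything older than 60 days" eventually deletes the last good image you have. The script below is an added example, not part of the original page and not from any imaging vendor. It assumes PowerShell 2.0, that the weekly images land in one folder as one file each (Acronis True Image writes .tib; the folder name, filter and numbers are the example's own), and that a file's last-write time is the time the image was made; the generation floor is what protects you in the stopped-job case.

```powershell
# Added example, not from the article. Assumes PowerShell 2.0, that the weekly
# images land in one folder as one file each (Acronis True Image writes .tib;
# change $Filter for another tool) and that a file's last-write time is the
# time the image was made.
param(
    [string]$ImageDir = 'E:\Images',
    [string]$Filter   = '*.tib',
    [int]$KeepDays    = 60,   # the 60-day retention mentioned above
    [int]$KeepAtLeast = 4,    # never drop below this many generations, however old
    [switch]$Delete           # without it the script only reports
)

# Returns the images that fall outside the policy: older than $Days AND not
# among the $Minimum newest. The second condition is the important one: if the
# backups silently stopped running three months ago, age alone would delete
# every image you have left.
function Select-ImagesToPrune {
    param([System.IO.FileInfo[]]$Images, [int]$Days, [int]$Minimum, [datetime]$Now = (Get-Date))
    $cutoff = $Now.AddDays(-$Days)
    $sorted = @($Images | Sort-Object LastWriteTime -Descending)   # newest first
    for ($i = $Minimum; $i -lt $sorted.Count; $i++) {
        if ($sorted[$i].LastWriteTime -lt $cutoff) { $sorted[$i] }
    }
}

$images = @(Get-ChildItem -Path $ImageDir -Filter $Filter | Where-Object { -not $_.PSIsContainer })
$stale  = @(Select-ImagesToPrune -Images $images -Days $KeepDays -Minimum $KeepAtLeast)

"{0} image(s) found, {1} kept, {2} outside the {3}-day / {4}-generation policy." -f `
    $images.Count, ($images.Count - $stale.Count), $stale.Count, $KeepDays, $KeepAtLeast
foreach ($img in $stale) {
    if ($Delete) { Remove-Item -LiteralPath $img.FullName; "deleted  $($img.Name)" }
    else         { "would delete  $($img.Name)  ({0:yyyy-MM-dd})" -f $img.LastWriteTime }
}
```

Run it without -Delete from the same scheduled task that creates the image, after the image job, and look at the first line of its output now and then: a "found" count that stops growing is the cheapest possible alarm that the backups are no longer being made.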
Restore process
The key idea of the restoration strategy is to use the bootable USB drive (or a bootable partition on your large drive) to get access to your imaging program (it is installed on that drive). It gives you two advantages:
It is important that the clone of the C: partition on this drive has your imaging program installed. If accidentally it is not installed, it is not that difficult to install it.
This additional ability of the bootable USB drive to alleviate time pressure is extremely important for the success of the restore operation. In my experience the most stupid and most data-damaging blunders were made when I was under time pressure and needed a working computer "now".
I would like to stress it again: the standalone (bootable) restore utility is a weak spot of any Ghost-like utility, even if WinPE is used for restoration, as in Ghost 14 and 15.
In the case of True Image some extra work should be done to make your restore configuration as transparent for True Image as possible. A minimal number of drives should be connected. For example, laptops should be taken out of the dock and the USB drive should be connected directly to a laptop port without any hubs. That increases the chances of success. But any program that relies on a custom standalone loader works badly without Windows, and that's a critical problem of this class of programs. I think this is an irresolvable problem, so you need to find a way to avoid it completely (see below). Fortunately, with the cheap USB drives available now this is possible.
It is important that before doing anything you back up your C: partition. Often in a rush people forget to copy some important files and then restore the image onto the drive, destroying those files irrevocably.
The typical list includes:
- Bookmarks
- Cookies
If the drive is unbootable you can read the files by restoring the infected image to an additional USB drive and booting from your USB drive with the "absolutely clean" copy of Windows. You can also use any CD-based Linux distribution like Knoppix.
To automate the process you can also write a script that copies the folders you are interested in to some predefined location.
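One way to write that script, as an added example that is not part of the original page: it walks every real user profile under the Documents and Settings root, copies the folders that are usually lost in a rushed restore (Favorites, Cookies, Desktop, My Documents, the Firefox and Outlook data under Application Data) to a dated folder on the second partition, and logs every file it could not read instead of aborting. It assumes PowerShell 2.0 and that the profile root is readable under the given letter: C: on a system that still boots, or whatever letter the restored infected image or the attached old drive gets when you boot from the clean USB copy of Windows. The folder list, the destination and the log name are the example's own assumptions.

```powershell
# Added example, not from the article. Assumes PowerShell 2.0 on XP SP3 and that
# the partition holding the profiles is readable under $ProfileRoot: C: on a
# system that still boots, or whatever letter the restored infected image or the
# attached old drive gets when you boot from the clean USB copy of Windows.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',
    [string]$Destination = 'D:\PreRestore',
    # Profile subfolders worth saving before the partition is overwritten.
    # IE keeps bookmarks in Favorites, Firefox under Application Data\Mozilla.
    [string[]]$Folders = @('Favorites', 'Cookies', 'Desktop', 'My Documents',
                           'Application Data\Mozilla', 'Application Data\Microsoft\Outlook')
)

# Service and template profiles hold nothing of the user's.
$skip = @('LocalService', 'NetworkService', 'Default User', 'All Users')

# A new dated folder per run, so a second salvage attempt never overwrites the first.
$target = Join-Path $Destination (Get-Date -Format 'yyyy-MM-dd_HHmm')
$log    = Join-Path $target 'salvage.log'
New-Item -ItemType Directory -Path $target -Force | Out-Null

$copied = 0
$failed = 0
$profiles = Get-ChildItem -Path $ProfileRoot |
            Where-Object { $_.PSIsContainer -and $skip -notcontains $_.Name }
foreach ($profile in $profiles) {
    foreach ($rel in $Folders) {
        $src = Join-Path $profile.FullName $rel
        if (-not (Test-Path -LiteralPath $src)) { continue }
        $dst = Join-Path (Join-Path $target $profile.Name) $rel
        # Copy file by file: one locked file (index.dat, an open .pst) or one
        # folder with a foreign ACL must not abort the whole profile.
        $files = Get-ChildItem -LiteralPath $src -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        foreach ($file in $files) {
            $out = Join-Path $dst ($file.FullName.Substring($src.Length).TrimStart('\'))
            try {
                New-Item -ItemType Directory -Path (Split-Path -Parent $out) -Force | Out-Null
                Copy-Item -LiteralPath $file.FullName -Destination $out -Force -ErrorAction Stop
                $copied++
            } catch {
                $failed++
                Add-Content -Path $log -Value ("FAILED {0}: {1}" -f $file.FullName, $_.Exception.Message)
            }
        }
    }
}

# Summary; read salvage.log before letting the imaging program touch C:.
New-Object PSObject -Property @{ Target = $target; Copied = $copied; Failed = $failed; Log = $log }
```

The point of the per-file loop is the failure mode the paragraph above warns about: a single "file in use" error from a recursive copy is exactly what gets ignored under time pressure. Here the copy continues, and a non-zero Failed count with the log beside it is the checklist of what still has to be fetched from the infected image before it is overwritten. Files copied from an infected profile are data, not a clean system; scan them on the restored machine before opening them.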
Details depend on the program used. True Image permits booting from CD if the computer is unbootable.
This is trivial. After you have restored the C: partition, the OS is bootable and in working order, so you can restore all the folders that you saved on the second (D:) partition before.
Working with images requires some basic understanding of partitioning, so it cannot be considered a foolproof technology. Disk imaging software is a pretty complex software product. In fact, the user needs to educate himself/herself in several technical topics, such as the boot process, the boot loader and disk partitioning, to make the most of the proposed spyware defense strategy.
Getting a spyware infection on your computer is always an unpleasant experience, and as Murphy's Law suggests, it hits you at the most inappropriate time, when you may be under a tight deadline or something similar.
But in any circumstances you need to keep cool and avoid steps which can make the situation worse, such as accidentally destroying your data during frantic attempts to disinfect the computer.
The strategy outlined can be tested on a spare PC, and some level of training in it is highly recommended to improve confidence and to make the recovery of the system partition from the image and the porting of the remaining data quick and painless. This is an idea similar to fire drills.
As it does not depend on the type of spyware that hit your computer, it can be learned in sufficient detail beforehand to avoid any unpleasant surprises during recovery from the image.
There is no magic bullet, but as with most things, good preparation improves your chances of success in recovery.
Dr. Nikolai Bezroukov.
Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. Submit comments. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). The site uses AdSense, so you need to be aware of Google's privacy policy. Original materials' copyright belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 10, 2010