restoreIT.. an alternate plan to stay fast and safe.

[rondon]

RestoreIT is a recovery tool that came with my Intel motherboard but is sold online as well. Once installed it prompts the user to make a permanent restore point referred to as Static. By default the static restore point is named “Factory restore” and as implied allows the user to set the win 2000/winXP back to the condition window’s was in at the time the “factory restore” point was created.

All well and good but restoring the computer to that one and only permanent restore point means all the optional software, tweaks and settings need to be reinstalled. Annoying .

But that restore point can be changed … brought forward until nearly every tweak and install is included in that permanent restore point. The trick is to make this appear to the computer as if you had sat down with a new, clean install of windows and loaded everything at one time. With no mistakes or exposure to the internet.

Fast, permanent and malware free

I like this so much that I have to share it. Or try to. I have had it for 18 months. 1st with win2000 then the last 2 months with WinXP .. it has never failed me. and in fact pleases me more as time passes.

[Gary Richardson]

Hi RonDon,

I see you're looking for another argument, as the other thread has been withdrawn.

That is not my purpose here, members can judge your system as they see fit.

My purpose is only to point out some of the shortcomings of your system, so that they have a more complete picture.

As a recovery system it has a lot going for it, and certainly it will help victims of an obvious attack recover use of their computer (in most cases).

However, it will not prevent them getting infected. That infection may not be apparent, and could be a keylogger or RAT (remote access trojan). Often users with such an infection are unaware of their condition, and can be subject to identity theft and other invasions of privacy. They must NOT use your system if engaging in ONLINE BANKING, or other financial transactions. (You don't explicitly warn of this in your tutorial, it would be helpful if you did)

Similarly it would not prevent your computer being used as a relay point for DOS (Denial of Service) attacks or other similar criminal enterprises, where the criminal wishes to hide their presence by obscuring their trail. (Neither of these need to indicate their presence to user hence infection is not suspected).

Lastly there are certain kernel mode attacks from which your system would not recover, and these are becoming more common on the web. I help out on a couple of Malware Removal forums, and in the last few months the number of "Rootkit" supported infections has grown quite a lot.

So what I would advise, is to incorporate your recovery system into a more "conventional" protection system. At the very least install and use a 2 way Firewall (Windows Firewall is one way and not really upto the job).

Lastly, as a help to any who do use your system, try using Kaspersky online virus scan http://www.kaspersky.com/virusscanner in preference to Trend Micro, it's more thorough. (Scans only, does not clean).

[rondon]

Did you miss this?

Quote:

This isn’t Virus protection but I don’t know why it couldn’t be used with most security software. It does add the ability to easily recover from most malware.

I've never looked for an agument over this.. debate is the correct way to ascertain the tone. I am glad you opened up a discussion and if holes exist I want to know of them

I had written my notes in word and used various aids to draw attention to important sections.. including security, but wasn't able to post it here.

As for Banking I think that would fall under

Quote:

Not business machines or others that depend on C: drive for archiving.

I'm not sure that Restore points increase any risk though... just that if the files are archived on C: they will disappear returning to the restore point.

I buy things online with a card but all record of it is cycled back into storage using the restore point.. Over written with time but wiping the slack is always an option if someone feels it is urgent.

Your Kaspersky online virus scan sounds good.. anything that makes us trust the system before committing it to a permanent restore point. Remember though the method allows even traces of this scan and others to evaporate. Keeping the debris to a minumum.

your Quote

Quote:

Lastly there are certain kernel mode attacks from which your system would not recover, and these are becoming more common on the web. I help out on a couple of Malware Removal forums, and in the last few months the number of "Rootkit" supported infections has grown quite a lot.

Elaborate on that if you will... Your number before was around 2-3% wasn't it?... and isn't this threat the same without restoreIT ? if not... why?
if one of those rootkit worms squirm in it would surely pay to have recent file backups on disk but don't we already?

Anyone who already has partitioned a hard drive and feels comfortable with clean window installs is going to be savy enough to take security into account..

please feel free to discuss issues you have but to make it easier for others to follow please bring up one at a time..

[Gary Richardson]

OK. I'll answer some of your points, but I don't intend to get into a prolongued discussion on this. This is a forum for retouching and image manipulation, and detailed technical discussions on security matters are best addressed in forums dedicated to such issues.

As regards my comment on the need to make EXPLICIT instructions not to use your system for online banking and financial transactions, I bring your attention to the word EXPLICIT. You do indeed state that

Quote:

Not business machines or others that depend on C: drive for archiving.

but inexperienced readers may not fully realise that this means their online purchases are not safe.

Quote:

I buy things online with a card but all record of it is cycled back into storage using the restore point.. Over written with time but wiping the slack is always an option if someone feels it is urgent.

If you had a hidden keylogger on your system, details of your credit card numbers, bank account details etc. can be read, captured, and stored in real time (ie. as you key them in) by your attacker. These programs do not advertise their presence on your system, and as you have no infection PREVENTION systems fitted, there is nothing to prevent them getting onto your system. You will not be getting rid of them with a restore, because you've no idea they're on there in the first place.

Quote:

Your number before was around 2-3%

I believe that was for BIOS viruses, without checking my earlier post I can't be certain. But lets suppose the figure was for Rootkit infections. Malware is a constantly evolving phenomenom. Every week there are many new types of infection, or "improvements" of existing infections made to make them more difficult to remove.

One of the more depressing statistics is the ever increasing use of ROOTKITS to hide the presence of, and to make the removal of infections more difficult.

A kernel mode rootkit put in its most simple terms, infects the core system processes of your computer, subverting them in such a way that they lie to you about what is on your system. Once a Rootkit is installed to your computer, it is practically impossible to discern the presence of the processes that have been installed. They often come with backdoor access to your system, such that an intruder can totally take over your computer, disabling protective devices (including programmes like Restore It) as well as anything else the attacker can think of (and they're a remarkably inventive lot).

The only practical defence at the moment is to keep them off your computer by means of strong defensive systems. Once on, they can be almost impossible to remove. In most cases a complete low level re-format and re-install is needed. Even seperate partitions and restore points can be compromised if the attacker has time to work on your system (and as you don't know they're there because of the rootkit, they usually have plenty of time).

One of the reasons I'm not as active on this forum as I once was, is due to the increasing time I'm spending on security forums, helping users to remove this stuff from their computers. In the last few months the number of Rootkit backed infections has mushroomed.

Hope this better explains some of my concerns.

[rondon]

what does this have to do with RestoreIT?

I've not advocated dropping security in this thread.

I've stated past threads that I don't use a firewall or software like norton but that's my personal choice. I do have safeguards on my email.

That root virus you speak of is not caused by having RestoreIT.

[Gary Richardson]

I've been trying to think of a better way to communicate my concerns regarding your system, and have put together this scenario, based roughly on events that have happened to other unsecured users.

Quote:

Mr Slease an unknown writer of Malicious Software is sat at his computer. He has just finished his latest creation. A worm, with which he hopes to create a botnet of zombied computers, subject to his evil will. (A bit over dramatic I know, but keep with me.)

He launches it to the Internet, and it trawls around looking for unprotected systems. Unfortunately it finds yours, and rapidly sets up shop. It executes its payload, and install several small programs. A downloader, so that Mr Slease can download further programs to you at his convenience. A RAT (Remote Access Trojan), a Keylogger, an explorer, and a Rootkit to hide them all.

Straight away the explorer looks round your system, and takes a copy of your Uninstall List, and along with your IP number and other connection details, "phones home" to communicate them to Mr Slease.

Days or even weeks pass. Scans of your system by your online scans have found nothing (the Rootkit sees to that), and you are quite happy that your system is safe. Mr Slease is looking through the reports from his worm, and notices that your computer has Restore It installed. Can't have that he says, that could remove all my hard work, so he' sets about neutralising the problem.

There's a couple of ways he could do this (probably a lot more, but I'm not as knowledgeable as he is). Firstly he could create a small program which he sends via the downloader his worm installed. The program would re-write areas of your registry such as to prohibit Restore It from running.

Secondly he could use the backdoor created by the RAT to access your computer. Modern RATs are quite sophisticated. No struggling with an outdated Command Line interface for Mr Slease, he has a spiffy new Graphic User Interface that gives him a Windows like view, and with almost the same functionality. He may as well be sat at your keyboard.

No problems with passwords to gain access due to the keylogger, he opens Restore It, and notes the time and date you created your main resore point. He now resets your computers clock and calendar, then deletes your restore point, and creates a new one that incorporates all the changes his worm made, same date, same time as the original. Now he resets the time and date, cleans up any logs that may have been made by your computer, and exits. His control of your computer is now secure.

You're now a part of his botnet, and your Restore It is powerless to remove him from your computer, even if you knew you were infected. he can use you as a Spambot, as a part of a DDOS (Distributed Denial of Service) attack to blackmail honest web sites, or anything else he may consider. He may sell you on as a negotiable asset to his friends, the possibilities are endless.

As I said, the only safe way, is to keep them off your machine in the 1st place, by setting up strong defences. It's a PITA I know, but unfortunately it has become a necessity. I am not now, and have never said, that Restore It is not a useful tool in recovering from an infected state, what I am quite obviously saying is that it cannot be used as an alternative to a properly secured system, and you have clearly stated that that is how you use it.

Anyway, I've made my point, and readers of this post can make their own decisions. As I said in my 1st post I'm not going to get into a prolongued argument with you like Chris did.

[chrishoggy]

Just to add to this and make my point on this clear.
I have never said restoreIt doesn't have it's merits. As a last resort recovery system, it is a good thing.
As

Quote:

an alternate plan to stay fast and safe.

in the way you use it (and advocated it in the past), it is a insecure method.
As you now run XP using this method while using credit cards for payments etc, let me also add to Gary's points.
As an OPEN XP system, you have nothing in place to stop anybody from accessing your PC. No matter what you do, or where you store your files/address book, they have access to them all. They don't even need to install a program to have access, as all your ports are open to abuse.
If a key-logger was put on your system (and you wouldn't know about it), the hacker would have your credit card details, the second you typed them in. This would then be cross referenced with your name, address and date of birth details that are freely available on the net, if he didn't get them from his key-logger. Now once he's finished spending your money, and you discover the payments on your statements. I expect you would contact the card company to make a claim of fraud, with a possible insurance claim to cover the cost of the fraud. This is when your actions will cause you even more problems. As you freely advertise the fact that you don't use firewall or anti-virus on your PC, the insurance company will not cover the fraudulent payments. This is because it is classed as "customer misuse". In other words you have not taken adequate precautions to prevent your card or details from being misused. This means you have to pay the bill.

To give you an example of how easy this is to get in, I will tell you a story.

In January last year, I upset a very large retail group in the UK by giving the consumers of a product, information that the retail group didn't want to be widely publicised. One member of this retail groups shop staff thought he would be smart by trying to crash my site, but in doing so he left a trail for me to follow. On checking this retail groups IP range, I found they had little/no protection on their whole network. So using what I know (and I will not give details), I accessed their network, then accessed their systems and pinpointed the exact PC that was used to attack my site (took min's to do). I could give it's area, shop location, where the PC was in the shop and who was using it. I also had access to any and all parts of their system, as it was open with many LIVE computers for me to use.
Now I didn't do this to be malicious, I used it to ID a problem member of staff. So I reported my findings and the member of staff to the Directors of the company, and they were grateful for the information I provided. After doing that I also set up my site so if this staff member tried again (and he did), his PC would be locked in a harmless but disabling loop. This meant he could not get out of my site once he attacked, and would be caught red handed in the store.
Now had I been a nasty hacker, I could have caused this retail group a lot of problems.

There are kids of 10-15 years old that know more about hacking than any of us on here, and they can and will find your system. It's not a case of if, it's a case of when.

My advice to any PC user is "Be safe, not sorry"

Test your systems against these 2 security scans
http://scan.sygate.com/
http://onlinecheck.emsisoft.com/en/

[rondon]

People can use security.I don't.

That negates your scenario, but I do wonder if you think I'd be unaware that a multi gigibit file was being created?

If your purpose is to bloat this thread you're doing ok there.. heck! I don't even like to read it all.... already!

I won't respond to anyone in this thread with a history of deleting their posts. That is how threads get deleted.

[Doug Nelson]

No, this is how threads get deleted: things get personal.

I think this thread has played out its useful life.