
Complete Restore and Malware Removal

Complete Restore and Malware Removal (CRMR) – a complete, secure add-on solution for restoring systems after malware attacks


Zoral Labs Complete Restore and Malware Removal (CRMR) is powered by a Real-Time Multi-Snapshotting Engine (RMSE).

CRMR is an add-on security product that complements and works with any A/V product to deliver highly reliable and flexible restore and detected-malware removal functionality to A/V users.

CRMR, powered by a Real-Time Multi-Snapshotting Engine (RMSE), achieves this by letting supported or integrated A/V products automatically access encrypted, granular, historic snapshots (created on the client hard drive or in the cloud), analyze them for the presence of malware, and perform an automated restore from an unaffected historical snapshot, while at the same time preserving the client's current work.

When integrated with an A/V product, CRMR prevents malware from destroying or damaging client systems without interrupting users' normal PC activities.

Unlike virtualization solutions, which achieve efficient malware removal by rolling back all changes made after a given moment, snapshotting allows previous versions of the PC file system to be periodically “frozen” or “snapshotted”.

Recovery is achieved in two ways:

  • by copying unaffected files from older snapshots
  • by performing a full restore operation, in which OS-visible disk data is overwritten with data from the snapshot.


Complete restore and malware removal capabilities are illustrated below:

A key point of the multi-snapshotting solution is that the original file system content is not altered. When snapshotting is turned off and the product drivers are unloaded after a reboot, the OS sees the latest disk state. Snapshots of previous disk states are kept in the free area of the disk drive or in the cloud.

High-Level Design of a Real-Time Multi-Snapshotting Engine (RMSE)

RMSE utilizes copy-on-write (COW) techniques. If the operating system requests a cluster overwrite and the cluster's previous version has not yet been saved in the current snapshot, the original cluster is read from its location and written to the encrypted, protected snapshot data file. The relevant bookkeeping information is encrypted, tamper-proofed and stored on disk by RMSE, so that it knows where each cluster version is located.

A simplified view of a write operation in RMSE snapshotting mode is shown in Fig. 1.

During a protected read operation, clusters are read from their original location if the request is for the regular disk.

It is possible to mount a snapshot and “peek” into past states of the file system. In this case, reads are classified: if the cluster has not been overwritten, it is read from its original location; if it has been overwritten or somehow tampered with, an older version is read from the snapshot data file.
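The write path of Fig. 1, the classified reads of a mounted snapshot, and the two recovery methods can be modelled with a small simulation. The following is an added example written for this page, not Zoral's code: a toy volume of clusters with copy-on-write snapshots, where the encrypted, tamper-proofed snapshot file and bookkeeping are replaced by plain in-memory dicts, and all names (`CowDisk`, `undo_to`, the sample cluster contents) are made up.

```python
class CowDisk:
    """Toy model of a COW-protected volume. Each snapshot is a dict mapping a
    cluster index to the cluster's content at the moment the snapshot was
    created; the dict only fills in as clusters are overwritten."""

    def __init__(self, clusters):
        self.live = list(clusters)   # OS-visible disk content (constructed sample)
        self.snapshots = []          # stands in for the protected snapshot data file
        self.snapshotting = False

    def create_snapshot(self):
        # A new snapshot starts empty; nothing is copied until a write happens.
        self.snapshots.append({})
        self.snapshotting = True
        return len(self.snapshots) - 1

    def write(self, idx, data):
        # COW: on the first overwrite of a cluster within the current snapshot,
        # preserve the original content before letting the write through.
        if self.snapshotting and idx not in self.snapshots[-1]:
            self.snapshots[-1][idx] = self.live[idx]
        self.live[idx] = data

    def read(self, idx, snapshot=None):
        # Regular read: the cluster's original location. Mounted snapshot: the
        # read is classified; the first snapshot at or after the mounted one that
        # holds a saved copy gives the content as of that snapshot's creation.
        if snapshot is None:
            return self.live[idx]
        for snap in self.snapshots[snapshot:]:
            if idx in snap:
                return snap[idx]
        return self.live[idx]          # never overwritten since then

    def undo_to(self, target):
        # Full restore: overwrite OS-visible data with the target snapshot's view.
        # The restore writes go through COW under a fresh snapshot, so the
        # pre-restore state (the user's current work) stays recoverable.
        view = [self.read(i, target) for i in range(len(self.live))]
        self.create_snapshot()
        for i, data in enumerate(view):
            if data != self.live[i]:
                self.write(i, data)


def scenario():
    """Constructed timeline: user edits a file, then malware damages two
    clusters, then an undo to the pre-infection snapshot is performed."""
    disk = CowDisk([b"boot", b"docA", b"docB", b"free"])
    s0 = disk.create_snapshot()
    disk.write(1, b"docA-v2")          # legitimate user edit
    s1 = disk.create_snapshot()        # clean point before infection
    disk.write(0, b"EVIL")             # simulated malware damage
    disk.write(2, b"EVIL")
    infected = list(disk.live)
    disk.undo_to(s1)
    return disk, s0, s1, infected
```

Reading a single cluster through `read(idx, s1)` corresponds to copying an unaffected file from an older snapshot; `undo_to(s1)` is the full restore.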

API overview

The RMSE engine, as part of a CRMR solution, provides a flexible integration API to control its operation and to build add-on functionality into any security product. The API allows security and other approved software to use multi-snapshotting as part of their solution.

For interaction with user-mode applications, a control device is created and IOCTLs are sent to it; a wrapper library makes this straightforward. The RMSE ControlDevice class implements a secure interface to the approved control device and can be used to query and control the state of RMSE.

With the RMSE ControlDevice class it is possible to:

  • Query information about all volumes, their current protection state and parameters
  • Turn snapshotting protection on or off for an arbitrary volume
  • Configure protection parameters for an arbitrary volume, such as maximum snapshot size, maximum/minimum snapshot count, maximum snapshot lifetime, size of yellow/red zones and others
  • Enumerate all snapshots for an arbitrary volume
  • Query additional information about a snapshot, such as creation time, user description, type and others
  • Initiate creation of a new snapshot for an arbitrary volume (snapshots are also created automatically once the snapshot in use exceeds its maximum lifetime)
  • Set a description (name) for a snapshot
  • Mount and dismount a snapshot as a virtual volume (create/close a shadow), and query information about the created shadow
  • Query RMSE engine metadata
  • Perform immediately, or schedule, an undo operation from the current to a target snapshot
  • Query the state of a scheduled undo job
  • Query the progress of an undo operation
  • Etc.


For more information please contact us at: sales@zorallabs.com