Friday, February 25, 2011

Fortres Grand Cleanslate Review, Found wanting

Need for new softwareRecently we made the move from Windows XP to newer computers with Windows 7 64bit for our library. The software that most places might use Steady State never was setup to work with Windows 7, and has now been discontinued as a whole. Microsoft provides a couple of guides to allow you to do most things that SS did through other methods such as Group Policy. I was game for it but our librarian wanted to use some software recommended to her by another librarian.

Fortres Grand Clean Slate
I looked at the software and based on their website it would work. Grabbed a demo and tried it real quick. Seemed to do what it would say. Sadly I am an Army of one so intense time couldn't be spent testing it pre-purchase. The Academic pricing was great so I thought if it didn't work very well I would yank it off. So I approved the purchase of the software by the librarian.

Setup
After getting my computers ready then I installed the software on the computer. After configuring one just like I wanted I was able to export the settings to use with to easily setup the other computers. The feature worked great. Install went by fast I did notice that the software did not have my antivirus listed so I added my Antivirus program as an exception which was pretty straight forward. Left the computers protected and safe.

Problems - Don't logoff
Two days later I came back to resolve some problems with other software and while there someone sat down to the computer and when logging in to the user they went to click on an icon on the taskbar and pow a nice error popped up, "Can't open this item - It Might have been moved, renamed, or deleted. Do you want to remove this item?", and they couldn't do anything. I told them to use another computer and sat down at the computer.

The computer refused to do anything other than letting me open the Start Menu and logoff(We had changed the default to be logoff on the button since logging off is quicker than restarting and patrons are impatient just like me). I went to login as the public user again and the same problem. I then restarted and the problem went away. But after logging off and back in the problem occurred again. The long and short of it, Logging out and back in didn't work. Clean Slate wasn't doing all it needed through a logoff. It needs to restart to do all of its jazz it seems. Still working on this issue.

Setting the default button to be restart resolved the problem mostly but people would still occasionally find the logoff and then the next patron would be welcomed to a beautiful error. called support twice and had no luck so left a message. No go, so I relented and filled out their support form. They emailed me a link to the latest version and told me to update to it. After testing it on one, the problem didn't go away. the next recommendation was to Enable access to full C and registry and see if the problem went away. When it did I was to work down to the tightest it could while still working. I am busy and don't have the time to do this but have deducted that the HD can be left protected and that it seems to be something under the HKLM key. Haven't had time to finish due to another problem.

Problem - Some updates OK others not
Well a couple of days later I receive a support ticket that one of the computers was stuck at 35% update and a day later it still was sitting at the Configuring updates 35% complete. No HD light activity. I force shutdown the unit and restarted it stopped at the same point. I fight on this and while doing that I start updating all other computers 8 in all. 4 of them worked fine, 4 others had problems and wouldn't install all the updates which is what lent to my previous blog entry about the windows update error.

For some reason 4 of the computers were missing necessary servicing files. I was able to get the files and then get those computers going( read the previous blog post if you have a similar issue.) I then had 2 more join the 35% completion computer in the same forever udpating dance. I tried disabling antivirus and checked Clean Slate's Disable all security on this computer. Still no luck they were still saying configuring updates. I was able to restore them to a previous point and they worked but installing updates even one by one caused 2 of them to still have the problem. I left the out of order sign on the computers knowing SP1 for Windows 7 was coming out and hoped it would resolve the problem.

I assumed that since only the Public computers (and not all of them just most of them) were having problems maybe people were force shutting them down and that corruption was causing some problem. Weirdly a chkdsk and sfc /scannow which usually shows corruption listed no problems. Ehh wierder things have happened.

System Imaging also means Service Packs
So I download the standalone installer for SP1 and got it started on two computers. Weirdly after two hours it's still not finished. I check the log and see access denied errors on moving some files it had just extracted. Left the computers hoping the next day they would be good. No such luck. They had popped up with the following error you see to the right.

I closed them out and was quite irritated. Started working with Microsoft support through chat. While doing this. One of the computers had for some reason done a system restore before Clean Slate had been installed. It got my wheels spinning. Maybe it was Clean Slate. I start SP1 install on this computer. About 30 minutes later it is almost done, passing the spot where it usually hung on the other computers and there were no access denied errors in the SP1 Install log.

I then uninstalled Clean Slate on another computer that had not allowed SP1 to install previously. Long story short it installed fine. I then let the Microsoft rep know about this. He did a "Clean Boot" and still weirdly Sp1 failed. So I called with Fortres Grand they explained that the "Disable All Security on this computer" does disable all security, but that when it is such a big change as a service pack then you you need to use the option "System Imaging Support." This apparently disables the driver from loading, for clean slate. I went to System Imaging support and told it to disable Clean Slate for the next 10 reboots. Rebooted and SP1 installed. Did this on all the other computers and the updates that would cause the Configuring Update hang would install and SP1 would install fine.

So solution is with some updates(no way to tell which) and Service Packs to use System Imaging Support to ensure no problems.

System Imaging Solution not a solution
I disagree with System Imaging just disabling a driver, because I was getting access denied errors of copying files to locations, not SP1 hanging because of a goofy driver. So obviously "Disable All Security on this Computer" does not do just that.

Also there is only one place in the whole help file that mentions that you might need to use System Imaging Support for updates and here it is verbatim.

Other Uses
In rare circumstances it may be useful to use System Imaging Support to disengage Clean Slate for certain software updates.
So unless you read the whole manual, which since I don't image right now so I didn't read this section, which was at the very bottom of the help function for System Imaging. You may waste tons of time as I did before you even realize Clean Slate is the issue.

If this was a known issue which since the tech support guy said it right out as well as it is state in the help document(hidden deep within). They should have a Best Practices section that states this kind of info, and also before you buy it. Because the only working solution I can see is that I disable updates, and then every once and awhile I come down use system imaging support and install all the updates. I can't just leave updates enabled and let someone call me when one of them does a "Configuring Updates Hang"(Not really hangs the circle still spins), which then requires me Hard powering off the device.

I think the software is preventing Windows from doing final update steps, which causes Windows to sit there forever. This probably is also why(not for sure) that I was getting the missing manifest error from my previous post.

False Advertising
I am fine with software having a problem but it better be posted somewhere that makes since. Clean Slate is supposed to allow updating. As a matter of fact here is a picture from their site:

The Language there and in the manual conflict. As well as my experience conflicts with that.

Support
You will be hit and miss on phone support based on my experience. Their email support is quick to respond though. Although both times I was told it was probably just a corrupt install and to update my software first without asking for further information like my settings, etc. Which corrupt install wouldn't fly in my situation since I have 8 machines having the exact same problem.

I will be working with them further to hammer out a couple more of my issues, so we'll see how it progresses.

Also Online update doesn't work currently. It failed on my installs so I had to update manually.

Conclusion
The software has huge potential but in it's current state I would recommend looking elsewhere, unless you want you and your patrons to be beta testers. Also you could go this route if you had lots of time. Which I doubt you have if you are reading this article. 

They need to correct their advertising, since it was some critical updates that was causing my "Configuring Updates at 35%" problem. Also they need to create a best configuration document or something so people don't spend the time I did before figuring out you need to use System Imaging Support.

At a future time I will follow up on the product and state my personal thought on the best running practices to keep it running well and see if future revisions fix my problems.

24 comments:

  1. Thanks for this nice review,
    What is your opinion about faronics deepfreeze?
    Have you tested this software?

    ReplyDelete
  2. Sorry for the delay on getting back to you. I have started this comment multiple time but I have always gotten busy and thn forgot to get back to this.

    I have used Faronics Deepfreeze but it was about 4 years back. Someone had previously configured them and they weren't getting any microsoft updates and antivirus updates. They would get viruses and pass them on to the next computer, but after restart they would be safe again.

    The process between the two is different.
    Deepfreeze takes an "image" per say of the drive and after a restart reverts to the original image. Also after any changes the administrator sets gets added to the image
    Cleanslate keeps track of all changes and then undoes them all after logoff or restart. This is unless the program is white listed. This process is more difficult I belive, but after time might be better.
    I haven't tried on Deepfreeze on Win7 or x64bit and it has been awhile so take my opinion with a grain of salt.
    Thanks

    ReplyDelete
  3. I just want to say thank you for posting this informative review. I am currently tasked with deploying Clean Slate in my school district and I have been experiencing all the same problems you have described and more. The last 3 months we have been a constant test environment for us, and these problems are really starting to affect our user's productivity.

    While Fortress Grand Tech Support has been very quick to respond with advice and ideas about problems we're experiencing, nothing we have tried seems to quite fix the issues.

    Two very common issues we have also been experiencing is users randomly being unable to use their USB flash drives, even though they have worked fine on that same PC before. They also randomly get errors when saving documents and files saying they don't have access or rights to save the files anywhere on the local PC or even their network drives, thus sometimes resulting in losing their work.

    We had Deepfreeze here for the last 2 years, but we found that its maintenance mode was not reliable when combined with our software deployment methods. I would sometimes spend hours or days after a deployment push verifying if the software did in fact deploy during the maintenance mode or if the PC never went to Maintenance mode and the software push just got wiped out after a reboot. It was a nightmare to maintain regular updates system wide.

    We switched to Clean Slate based on the premise it was supposed to integrate with our AV software, MS Updates, and our software deployment server without disabling security. But the issues we are experiencing with the software are really making us rethink that decision.

    Chad

    ReplyDelete
    Replies
    1. I understand your reasons for the compromise and having to stay with Clean Slate. But I think that the best solution would be to use Drive Vaccine (www.horizondatasys.com). It has the best balance of features. You can restore on any schedule - reboot, log-off, end of day, week etc. But more importantly, it works outside of windows, and thus protects the entire PC, even if windows crashes. DV protects the MBR as well.

      Delete
  4. We have been using Clean Slate and Fortres 101 on lab computers for a couple years now. USB Flash drives rarely ever work for the users...but no rhyme or reason why. Also Windows Updates usually will not install...even after uninstalling the Fortress Grand programs!! I would say the software in general is OK but has a ton of bugs.

    I too was thinking about Faronics Deepfreeze. ANy other thoughts on it?

    ReplyDelete
  5. Deepfreeze is great for what is does, remove all changes on reboot. However the difficulties you may experience depends on how your network is setup and functions.

    We redirect My Documents to a networked home drive via GPO, so users rarely lose documents unless they save them elsewhere on the machine. We do not use roaming profiles, so users regularly have to deal with "new user" configuration on a lot of common programs daily. This is an annoyance. We also get a lot of complaints about losing internet favorites and desktop shortcuts users create. Faronics makes a utility called DataIgloo that will redirect user profiles to a specially designate Thawspace partition (which can be hidden too). But that played havoc on our folder redirects and some programs would not function when the user profile was redirected outside C:\Documents and Settings\.
    Also, many malware (especially fake AV software) will reside in a user’s profile folder and run from their HKEY_Current_User registry when they log in, and with their profile redirected to a thawed partition, the malware/viruses never go away.

    If you can put up with the user complaints about total lockdown, then use Deepfreeze as is, lock it all down, and use maintenance mode for windows updates. If you cannot know reliably that the PCs will be online to enter maintenance mode, scheduled software deployment can be a real pain. If you’re like me and cannot work after-hours manually doing software updates, then it can take days or weeks to complete system wide software updates if your window of opportunity is small. Since our users do not have Admin rights, even Java and Flash Player updates are a real pain to complete.

    For us, the time it saved us in dealing with students and teachers installing crap and viruses was lost to the time spent trying to keep frequently updated programs up to date. Basically our support side issues decreased and our maintenance issues increased equally.

    Chad

    ReplyDelete
  6. Deepfreeze is great for what is does, remove all changes on reboot. However the difficulties you may experience depends on how your network is setup and functions.

    We redirect My Documents to a networked home drive via GPO, so users rarely lose documents unless they save them elsewhere on the machine. We do not use roaming profiles, so users regularly have to deal with "new user" configuration on a lot of common programs daily. This is an annoyance. We also get a lot of complaints about losing internet favorites and desktop shortcuts users create. Faronics makes a utility called DataIgloo that will redirect user profiles to a specially designate Thawspace partition (which can be hidden too). But that played havoc on our folder redirects and some programs would not function when the user profile was redirected outside C:\Documents and Settings\.
    Also, many malware (especially fake AV software) will reside in a user’s profile folder and run from their HKEY_Current_User registry when they log in, and with their profile redirected to a thawed partition, the malware/viruses never go away.

    If you can put up with the user complaints about total lockdown, then use Deepfreeze as is, lock it all down, and use maintenance mode for windows updates. If you cannot know reliably that the PCs will be online to enter maintenance mode, scheduled software deployment can be a real pain. If you’re like me and cannot work after-hours manually doing software updates, then it can take days or weeks to complete system wide software updates if your window of opportunity is small. Since our users do not have Admin rights, even Java and Flash Player updates are a real pain to complete.

    For us, the time it saved us in dealing with students and teachers installing crap and viruses was lost to the time spent trying to keep frequently updated programs up to date. Basically our support side issues decreased and our maintenance issues increased equally.

    Chad

    ReplyDelete
  7. Chad wow great write up! Thanks for the help on this. Sounds like Deepfreeze should work for us. We are running resident "business centers" in large apartment complexes.

    Basically we just want the residents to be able to walk up to a computer, use Word, Excel, PowerPoint, Adobe, IE, print to network printer, and save to their USB flash drives.

    There are no user profiles or anything..just a generic "Resident" logon with no password.

    Basically want them locked down or the ability to reset everything so that whatever junk they download or settings they change will not effect the next resident that wants to use the computer.

    It sounds like with DeepFreeze a reboot will do that.

    Fortres Clean Slate is supposed to do that but many times saved docs on the desktop get stuck and cannot delete without the admin login. And it causes all kinds of random program crashes.

    ReplyDelete
  8. Great informative post! I have been having the exact same issues with Clean Slate at our library. It doesn't seem to work right with Win7 32-bit or 64-bit. FG's support was no help. They just kept sending me one "beta" release after another. I can't get SP1 to install on any PC running Clean Slate. I'll try the Imaging Support option.

    I also have problems with it randomly not working. A public PC will stay clean for several days and then stuff users do will be retained for one day and then nothing will be retained for several following days. Once a month I have to clean up the public PCs manually. I'm ready to give Deep Freeze a try.

    ReplyDelete
  9. Andrew - The Imaging Support option should help you but the reality is due to Clean slate than some of the manifests may be missing. So you may need to follow instructions from this to fix the problem. http://todd4tech.blogspot.com/2011/02/windows-update-error-80073712-and.html
    Hope that helps

    ReplyDelete
  10. Todd,

    I am the IT Manager for a public library. We are getting ready to, or rather, attempting to, deploy Win7x64 machines for patrons. I am struggling with the changes Microsoft made to what you can lock down with GPOs - namely, the ability to browse the network, which you can do on XP machines. How do you keep patrons from browsing your network? I would love to communicate with you via email. Please email me at gina @ ebcl(dot)lib(dot)id(dot)us if you have any tips, suggestions, etc.

    Thanks much!
    Gina Emory

    ReplyDelete
  11. Todd - your comprehensive posts on CleanSlate causing the Windows Update errors, followed by the solution has preserved my sanity and the harmony and productivity of the organization I support. I am proceeding now to the System Imaging Support phase, and look forward to a successful outcome.

    Thank you.
    R

    ReplyDelete
  12. Thanks to all of you for the detailed information on this topic!

    Microsoft's SteadyState was an easy-to-use tool for both controlling the user interface and locking down the disk image on Windows XP computers. Sadly, SteadyState won't work with Windows 7, which we're all being forced to move to, so we now must pay for similar lockdown tools that Microsoft provided free (beginning with the Gate's Foundation grants to schools and libraries).

    Unfortunately, there is no exact equivalent to SteadyState. To achieve close to the same functionality with other tools usually means purchasing the more costly (and complex) "enterprise" or "server" versions.

    About ten years ago, I began using the "key lock" version of Centurian Guard to lock down library OPAC computers. This worked, but all software and AV signature updates required manual work by an administrator. SteadyState solved this with the ability to schedule updates.

    From info. on their Web site, Fortres Grand's Clean Slate appeared to be a good SteadyState replacement, but now I have my doubts.

    Our library also uses Pharos software to control patron login and use. SteadyState worked well with Pharos. Pharos documentation does mention compatibility with Faronic's DeepFreeze, but it looks like the "enterprise" version is needed to schedule updates from a "core" server. This is more complicated than it should be.

    ReplyDelete
  13. I just made the switch from Clean Slate to Deep Freeze. Deep Freeze works 100%! I highly recommend Deep Freeze.

    ReplyDelete
    Replies
    1. You may want to consider Drive Vaccine. Deep freeze on restores on reboot. With Drive Vaccine you can restore on any schedule and is far more robust than Clean Slate. Check it out at www.drivevaccine.com

      Delete
  14. We have a 1200 student private school. We also went to Windows 7 64 bit. Fortres Grand worked OK, but we didn't have time to truly evaluate Clean Slate. So it is now turned off. But the real kicker was that we had to completely uninstall it to get SP1 to install!
    In addition, the latest Fortres 6.5 slowed our XP machines down considerably.

    ReplyDelete
  15. I'm really surprised that none of you have mentioned Shadow Defender, the ONLY light virtualization software that can undo TDSS rootkit infections. It is also very light and low on resources. So far NOTHING beats Shadow Defender and I'm surprised that computer pros like you guys haven't figured out this well-known fact yet.

    Deep Freeze, Clean Slate, Wondershare Time Freeze, Returnil products, all of those are vunerable to TDSS and other rootkits and cannot undo such infections. Fortes Grand are shameless selling their buggy crap and expecting their customers to become beta testers!

    So far only Shadow Defender seems to be resistant to TDSS trojans, and for a product that hasn't been updated for almost two years now this is testament to Tony's (Shadow Defender creator) coding ability. And before any n00bies start babbling about the latest Shadow Defender 1.1.0.331, check your facts: Anyone who knows what's what won't use this latest version which was released by unknown people who silently took over Shadow Defender after Tony's disappearance. Tony has been gone without a trace for almost two years now, and in the meantime these unknowns have released v331 without a changelog. They silently keep selling the software whatout responding to anyone's e-mails, and without providing any form of support whatsoever. Not a good way to do business, especially so for a security-related application.

    I have been using Shadow Defender 1.1.0.325 on all my systems for the last two years and it has been great. I have also tried it on the Win8 developer preview and it still works great. It's a true shame that such a great piece of code is now owned by ...shady unknowns who silently keep selling the software without responding to any e-mails or providing any form of support whatsoever...

    You guys must start having a regular look to sites like wilders security before buying security-related software:

    http://www.wilderssecurity.com/forumdisplay.php?f=98

    ReplyDelete
  16. Thanks everyone for your comments. There are so many different solutions sadly I don't have the time to be the test bed for all. I will have to look at shadow detector. I actually read the wildersecurity forums, but stay primarily in the eset forums. I wish everyone luck in finding a solution that works for them. I appreciate everyone sharing solutions they have foudn work well for them so others of us can learn.

    ReplyDelete
  17. Clean Slate is a total farce. We used it in our school and found that students could easily bypass its security by simply booting into safemode and then deleting the cleanslate directories. Fortres grand classifies this product as DESKTOP SECURITY - go figure... Anyways we moved onto a much more robust solution called Rollback Rx. It does everything that you would expect to instantly restore PC's on any fixed schedule (reboot, log-off etc.)

    ReplyDelete
  18. This forum has finally come back alive. As for the topic, Clean Slate is quite disappointing software.It started off well, performing as how it was developed. As time went by it was falling apart.Like the anonymous posted previously, it is indeed hackable to the worst.I wouldnt even touch it for protecting my pc. As for Rollback Rx, i do not know what that is or how much I can trust it, So if any one is willing to guide me on how to get that one, it would be nice. Cheerz

    ReplyDelete
  19. I've been using Clean Slate 6.5 since April of 2011 on about 60 public library Win7 machines. Works about 98% of the time, but 2 percent of 150,000 sessions is 2 percent more than I saw with DeepFreeze. I'm going to have to go back, I fear.

    ReplyDelete
  20. I have review both Deep Freeze and Clean slate and our IT department had the same bad experience with Clean Slate. And Deep Freeze was too static (reboot on restore only). We went with Rollback Rx. It was more expensive but then as old adage goes - You get what you pay for.

    Website: http://www.rollbacksoftware.com

    Thanks for you review. I share your sentiment on Clean Slate

    ReplyDelete
  21. I love this blog.It is never out-of date, but I must say I am quite disappointed as to this post.I see people mentioning about Deep Freeze and Clean Slate but not Rollback?!?!:(.Although an anonymous mentioned about using it but has not given brief details as to why Rollback is amazing solution. During my previous post I have asked as to where to find more information to Rollback a little bit of research and installing a free trial version I was quite impressed by Rollback.It blew the roof off.I have read other users using it too, that is why I am surprised as to why no one mentioned about Rollback.Is there a reason why Rollback has not been mentioned, maybe something I over looked?.Help me out before my bacon gets fried as I trust Rollback is good for my system.

    ReplyDelete
  22. Rollback Rx and Drive vaccine are from the same company http://www.horizondatasys.com/.
    I've been using Rollback Rx for several years and so far haven't had any issues.
    It works independantly of Windows, has fast snapshots, and can set appointed folders or drives as exceptions. However, it's still not updated for Win 8.
    Otherwise, I highly recommend this software not to mention thier very good support through instant chat.

    ReplyDelete

Keep it Clean.