Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro
BlueZannetti
December 30th, 2007, 05:01 PM
Since this is a topic of current interest, I thought that it would be worthwhile pulling together at least my own experiences with these products. For the record, I have current licenses for each product and am currently running three of them in combination with an AV and/or firewall, so my experiences reflect some level of extended usage and not simply trial runs of the products. The specific installation details are as follows:
ShadowUser Pro (http://www.storagecraft.com/products/ShadowUser/) - currently uninstalled. Have used it in conjunction with NOD32 AV (V 2.7), KAV WKS (6.0), and LooknStop firewall under Windows XP Pro without issue
PowerShadow (http://www.shadownow.com/) 3.0: Installed under Windows XP Pro with Dr. Web AV and LooknStop firewall. This is the main system partition I typically work from. See here (http://www.powershadow.com/) for the home site in China.
Returnil (http://www.returnilvirtualsystem.com/) 2.0 beta (and previously V 1.7 Personal): Installed under Windows Media Center with Eset AV V 3.0.
Shadow Defender (http://www.shadowdefender.com/) V 1.0.0.130: Installed under Windows XP Pro with KAV WKS V 6.0.3.830 (note KAV WKS is basically KIS of the same major version number)
Some prior comments of mine focusing primarily on PowerShadow/Returnil are here (http://www.wilderssecurity.com/showpost.php?p=1140959&postcount=7). Overall, as far as I can observe, each of these products provides the functionality advertised by the vendor. I've not experienced usage instabilities with any of these options and would wholeheartedly recommend any of them to even inexperienced users. However, there are some distinct differences between the products that are useful to bear in mind. With respect to the specific products:
ShadowUser Pro V 2.5: While this is the oldest option in the group, it remains the only product that currently supports continuation of a single shadow session across restarts. If you wish to use this type of product for testing software, this facility is essentially required.
Clearly the costliest program in the group at $69.95
Currently possesses the broadest range of shadow session exclusion and commit options. During system configuration, a user can select the specific drives to be shadowed. In addition, selected folders/files on a shadowed drive can be excluded from shadowing altogether (all changes immediately applied), or be selected to auto-commit, in which case changes will be permanently applied to these locations on a controlled shutdown or restart. Finally, a full session commit exists to basically commit all changes to the system. A user can also exercise a manual commit from the context menu.
On the downside with respect to functionality, entry into a shadow session requires a full system restart. This, and a slightly aged user interface, are the only general program deficiencies that I've seen.
I've not directly tested whether SU Pro is resistant to direct low level disk writes (e.g. using Julie Lau's Sector Editor). The other three products are resistant to this type of change.
A trial version is available and activation is via a vendor supplied key code.
Support is via a vendor hosted forum (see here (http://forum.storagecraft.com/Community/forums/))
Currently not Vista compatible; no publicly announced plans to release a Vista compatible product.
The current install executable that I have, which dates from Feb 3, 2006, is the latest version of the program. In many respects, this application was well ahead of its time. The lack of any updates implies that active development is at least in hiatus. I have no idea if this will change in the current climate. If it did, the only way this application will compete is with a price cut to be in line with the competition.
PowerShadow 3.0: Able to enter shadow mode without a system restart, but currently cannot maintain a shadow session across restarts. This is also currently true for Returnil and Shadow Defender.
Shadow sessions can be started in either a single (system partition) or full (all partitions) shadow mode. Note, full shadow mode refers to all permanent partitions. Removable partitions are not shadowed and can act as intermediate storage locations for material to be saved from within a shadow session.
Protects against low level direct disk accesses (same for Returnil and Shadow Defender)
Does not support file/folder exclusion directly, but does offer a Folder Relocation facility to allow material resident on the system partition to be relocated to another partition. Note, this facility is operative in single shadow mode only.
Product activation is via a serial number and password supplied by the vendor on purchase, accompanied by communication with the vendor's home servers. One point to recognize is that this activation dialog binds the activation to the hardware configuration in use (primarily the HDD I presume). A change in hardware may necessitate generation of a support ticket at the vendor to allow reactivation if needed.
The English language site does not have a trial version available. A 30 day money back guarantee is provided. The Chinese website does provide for download of a Chinese language trial version (as PS2008 vs. PS 3.0 Workstation - it's unclear whether these are directly equivalent - a quick scan of the Chinese language site would suggest that PS 3.0 Workstation is, or is closer to, a single user variant of the enterprise level product)
As noted elsewhere on the site, PS contacts the vendor servers on a system restart and/or entry into shadow mode to apparently check for an update. Blocking this communication with a software firewall, at least in the short term, does not appear to impact program functionality. On a quick look at the information provided in this communication, no personal information is transmitted. However, PS does create a time dependent hardware ID tag that can be used in conjunction with a vendor supplied rescue utility in the event one is unable to exit shadow mode to allow disabling of PS (the vendor uses this code to create a rescue code - the hardware ID and rescue code can be used to disable PS. The codes have a 2 day lifetime). This ID tag is supplied to the vendor during this brief communication.
The primary support channels are via email and Windows Live Messenger, although live telephone support is also available. While the entire operation is based in Beijing, I've found their English language skills exceptional and support in general outstanding. The only minor support inconvenience that I've encountered is that it is available only during the normal business workweek (Mon-Fri; normal business hours, Beijing local time).
In fairly extensive usage, the only issue I encountered was what appeared to be a single install anomaly which caused the system to enter and remain in shadow mode. The problem was localized to one XP installation of my system and was reproducible. A repair XP install did not remedy the issue, but a complete nuke and pave of the system followed by a fresh XP install did remedy the problem. Reinstallation of all active applications did not recreate the problem. The underlying cause wasn't identified - although an errant driver or similar problem may have been at fault - I looked specifically for this, but couldn't identify any issues along these lines. For the present, I'd assume my system had some pathological state somewhere.
Full cost is currently advertised as $49, with a current special at 20% off ($39)
Supported OS's are Windows XP/2000/2003. Note: 64 bit OS's, RAID, Windows dynamic disks, compressed NTFS volumes are explicitly not supported at this time. PowerShadow, at least at the Chinese site, appears to target both single user and enterprise clients with centralized administration of enterprise clients
Returnil V 2.0 (beta): Currently supports system partition shadowing only.
Creates a virtual partition to provide a shadow session repository of information to be retained - useful on single partition systems
Provides specified folder and file commit, as well as full session save.
Has a free personal version. With the upcoming release of a paid premium version for personal use, the free version will possess a subset of the features of the paid variant.
Protection of non-system partitions has been mentioned as a future feature target
Protects against low level direct disk accesses (same for PowerShadow and Shadow Defender)
Has a good support presence here through ColdMoon (http://www.wilderssecurity.com/member.php?u=55770) and a forum just started at CastleCops, see here (http://www.castlecops.com/c63-Returnil.html)
The price for the paid premium version of Returnil 2008 is listed as $25/year, although it's unclear whether this is finalized pricing or brought over from the paid business product. I assume that the cost covers the initial license plus maintenance support with a renewal being charged for yearly maintenance support (i.e. any product assistance and/or upgrade); it's unclear whether a renewal would be at somewhat lower cost - I've not seen definitive information on this point. These details will be clear by release time.
Licensing/activation is via a vendor provided serial key code, with a 30 day trial also available
Supported OS's are Windows XP/2003 Server/Vista 32 bit.
Shadow Defender V 1.0.0.130: Effectively replicates the ShadowUser Pro feature set aside from the ability to maintain a shadow session across restarts. This capability is being worked on with a very provisional completion date estimate of ~ 2 months - roughly the end of Feb 2008. The specific features supported include user selectable protection by partition, specification of excluded files/folders, and commit to specific files/folders (selected or via context menu)
Protects against low level direct disk accesses (same for Returnil and PowerShadow)
Support has been variable, with my own experience as a paid license user disappointing (email requests sent mid September were never answered or acknowledged - requests sent from two separate ISP's, so filtering issues are unlikely). On the flip side, user support is only an issue in the event of a major system failure. Product usage is so simple that ongoing support is not required. That comment is true of all the products above. In addition, some users here have had no issues getting the attention of the support folks.
The current price is $35
Activation is via a vendor supplied serial key, with a trial also available
Supported OS's are Windows XP/2000/Vista.
That's a quick summary of information generally available and what I've experienced.
Thus far I don't see an overwhelming leader or trailer in the pack, and if there is one, in some respects ironically, it is ShadowUser Pro. The ability to quickly enter shadow mode live without a restart is a major operational advantage, and for most users, this is probably a more significant feature than the preservation of a shadow session across restarts. It significantly lowers the barrier to jump into a shadow session when you're surfing around and it occurs to you that some additional protective measures may be in order. ShadowUser Pro also suffers on the initial cost front: it is significantly more expensive than the other offerings, and there are no current plans to offer a Vista compatible product.
At current pricing ($25 vs. $35 vs. $39), cost differences are fairly inconsequential. Of the three, only Powershadow does not have a formal trial available in the English language market. When I was having the install difficulty with PowerShadow described above, the support group in fact proactively offered a refund when it appeared that we were not making progress debugging the situation, so it's clear they will go the extra mile to keep clients satisfied.
In actual usage, the real feature set differences are actually a lot less than apparent. Shadowing of all partitions is a nice feature, but it's the system partition which is the critical one, so while Returnil may appear to lag on this front, it shouldn't be a deal breaker for any user. A similar comment applies to an inability to commit changes with PowerShadow in full shadow mode - it's a little less convenient, but a removable drive is always available to me to accomplish that.
So the punch line - in a vein similar to rating AV's - is that we have three top tier options based on feature set/support/price. In alphabetical order they are PowerShadow, Returnil, Shadow Defender. Depending upon the specific weight a user places on feature set, support options, or price, one of these products may clearly rise above the other two. ShadowUser Pro's feature set is exceptional, but from a cost benefit perspective, it clearly trails the newer offerings.
Blue
Gargoyle
December 30th, 2007, 05:31 PM
I was thinking about virtualization programs and am delighted to see a serious discussion. However, my faith in these programs is starting to decline.
I may not be a power user but the things I download get me in trouble apparently. On two separate instances, Powershadow 2.6 and Returnil 2008 Beta failed to protect my system when used as the only security application. I had to reformat my hard drives both times. Returnil 2008 Beta also caused BSODs when downloading questionable software when used in conjunction with Sandboxie.
So, now, can someone confirm for me whether there is MBR (master boot record) protection for Shadowdefender?
Peter2150
December 30th, 2007, 06:09 PM
Blue, excellent summation. I don't believe ShadowuserPro protects against the low level disk activity. I only tested it against Killdisk, and it failed.
As to support, Shadowuser, of course is storagecraft and grnxnm is here as well as their forum. Same with Returnil, Coldmoon here and the new forum
ShadowDefender has been variable. Email communication seems back. But even when it wasn't I noticed if you reported a problem, there was silence, but then a new build popped up. I think the variable was a translator.
Pete
Vikorr
December 30th, 2007, 06:19 PM
Gargoyle, the products are only good (in terms of security) for preventing driveby downloads / email infections of your OS. In that respect they are more reliable than any other.
But to install a program permanently you have to deactivate them - that's when you need an Antivirus etc.
Coldmoon
December 30th, 2007, 06:30 PM
{QUOTE-> I was thinking about virtualization programs and am delighted to see a serious discussion. However, my faith in these programs is starting to decline.
I may not be a power user but the things I download get me in trouble apparently. On two separate instances, Powershadow 2.6 and Returnil 2008 Beta failed to protect my system when used as the only security application. I had to reformat my hard drives both times. Returnil 2008 Beta also caused BSODs when downloading questionable software when used in conjunction with Sandboxie... <-QUOTE}
Hello Gargoyle,
Please send us a detailed report using our support contact form page with the subject line RVS 2.0 Beta so it can be reviewed and investigated by development.
http://www.returnilvirtualsystem.com/index_files/contactus_tech.htm
Kind regards
Mike
trjam
December 30th, 2007, 06:36 PM
{QUOTE->
So, now, can someone confirm for me whether there is MBR (master boot record) protection for Shadowdefender? <-QUOTE}
Asking for you now.:)
Dogbiscuit
December 30th, 2007, 06:57 PM
{QUOTE-> Gargoyle, the products are only good (in terms of security) for preventing driveby downloads / email infections of your OS. In that respect they are more reliable than any other.
But to install a program permanently you have to deactivate them - that's when you need an Antivirus etc. <-QUOTE}
Vikorr, Excellent points. One question: how are they more reliable?
Gargoyle
December 30th, 2007, 07:24 PM
{QUOTE-> Gargoyle, the products are only good (in terms of security) for preventing driveby downloads / email infections of your OS. In that respect they are more reliable than any other.
But to install a program permanently you have to deactivate them - that's when you need an Antivirus etc. <-QUOTE}
I have issues with people who assume they know exactly what you did on the computer, and who give advice that isn't relevant to the topic at hand.
BlueZannetti
December 30th, 2007, 07:42 PM
{QUOTE-> Blue, excellent summation. I don't believe ShadowuserPro protects against the low level disk activity. I only tested it against Killdisk, and it failed. <-QUOTE}
On direct challenge - no, ShadowUser Pro does not protect against low level activity.
{QUOTE-> I may not be a power user but the things I download get me in trouble apparently. On two separate instances, Powershadow 2.6 and Returnil 2008 Beta failed to protect my system when used as the only security application. I had to reformat my hard drives both times. Returnil 2008 Beta also caused BSODs when downloading questionable software when used in conjunction with Sandboxie. <-QUOTE}
It's hard to discuss issues across versions; my personal experience is that PowerShadow V 3.0 is fairly robust. I have not used the earlier versions.
As for the need to reformat, was this a gross system instability that emerged or something easier to trace?
{QUOTE-> So, now, can someone confirm for me whether there is MBR (master boot record) protection for Shadowdefender? <-QUOTE}
Well, when I attempt direct MBR edits, just like any other low level activity, it is blocked in the current ShadowDefender version (1.0.0.130).
Blue
trjam
December 30th, 2007, 08:07 PM
Answer: Yes, SD does protect the MBR but does not overwrite it.
gee blue, you beat me to it. My answer did come from the vendor.
EASTER
December 30th, 2007, 08:11 PM
{QUOTE-> Well, when I attempt direct MBR edits, just like any other low level activity, it is blocked in the current ShadowDefender version (1.0.0.130).
Blue <-QUOTE}
Thanks.
This is vital and those are very useful results that need to be distributed in these type discussions per virtualization apps. Too many times users are faced with ever limited vague opinions, even if accurate, but are IMO too limited at times by single lone reports. The more results brought out like this widens the range of users and potential customers understanding to what they can expect, which is Maximum coverage from the potential of fatal disruptions, chiefly the forced modification of the MBR and other deep-level physical disk operations.
Dogbiscuit
December 30th, 2007, 08:33 PM
{QUOTE-> On two separate instances, Powershadow 2.6 and Returnil 2008 Beta failed to protect my system when used as the only security application. I had to reformat my hard drives both times. <-QUOTE}
Gargoyle, can you provide any more details about what happened?
Gargoyle
December 30th, 2007, 09:50 PM
The problem was that WinXP would not start. The famous Blue Screen would pop up with this:
STOP: C0000221 [Bad Image Checksum] The image version.dll is possibly corrupt. The header checksum does not match the computed checksum.
Gargoyle
December 30th, 2007, 10:01 PM
Hello Coldmoon,
It may not be a fault of Returnil so much as it is a problem virtualization programs just can't deal with. Shadowdefender might fail as well.
I use the internet for riskier interests than most of the people here--and I say this confidently after browsing this forum for months now. My experiences may not be the norm. For the record, I will still be using Returnil, just the old version - 1.7. Returnil's customer support really has no equal and I look forward to what Returnil has in store for us in the future.
Thanks,
Gargoyle
Coldmoon
December 30th, 2007, 10:10 PM
{QUOTE-> Hello Coldmoon,
It may not be a fault of Returnil so much as it is a problem virtualization programs just can't deal with. Shadowdefender might fail as well.
I use the internet for riskier interests than most of the people here--and I say this confidently after browsing this forum for months now. My experiences may not be the norm. For the record, I will still be using Returnil, just the old version - 1.7. Returnil's customer support really has no equal and I look forward to what Returnil has in store for us in the future.
Thanks,
Gargoyle <-QUOTE}
Hi,
Regardless of what may be at fault, all information is valuable. We can't fix it if we do not know about it...
Mike
Diver
December 30th, 2007, 10:50 PM
While not as comprehensive as the products reviewed, Sandboxie provides a form of virtualization. Of course it is application level.
Someone mentioned the usual objection about how a particular strategy protects against drive by downloads, but not the user intentionally installing a Trojan program.
I am starting to believe there is not an automated solution for intentional user installation of a Trojan program that is not covered by AV signatures. Sure, a HIPS will throw all sorts of warnings, but it will do that for legitimate software, and only an expert can interpret it, so that is hardly automated. Alternatively the HIPS must be turned off or down for the installation to complete, so defenses are dropped again.
All this said, I see the same objection every day here.
BlueZannetti
December 30th, 2007, 11:00 PM
{QUOTE-> While not as comprehensive as the products reviewed, Sandboxie provides a form of virtualization. Of course it is application level. <-QUOTE}
Application vs. System partition (or system) virtualization. Both are useful. Since it's not as granular, system virtualization has ease of use at the expense of some potential downsides (Gee..., I guess it wasn't such a great idea to download/server delete all that email while in shadow mode..., huh? Oh, and about that multi-gig download....), although recovery measures are straightforward in some circumstances
{QUOTE-> I am starting to believe there is not an automated solution for intentional user installation of a Trojan program that is not covered by AV signatures. <-QUOTE}
I prefer to think of it as a form of natural selection at work....
Blue
lucas1985
December 30th, 2007, 11:10 PM
{QUOTE-> I prefer to think of it as a form of natural selection at work.... <-QUOTE}
Would you mind expanding your theory? ;D
Huupi
December 31st, 2007, 04:01 AM
{QUOTE-> Would you mind expanding your theory? ;D <-QUOTE}
forgive me to hijack your question,....... but what i guess he meant there are limits to stupidity.........or.......,just my two cents !?!
Cerxes
December 31st, 2007, 07:22 AM
Personally I prefer using application based virtualization because of the above mentioned reasons by Blue, but mostly for the reason where you for example tweak your system or make some other changes to your settings, and then forget to commit these changes... could be really frustrating.
Regarding the intentional user installation this is not necessarily "stupidity" (even if in some cases it could be just that), but this has always been the most common vector for delivering the payload. One could argue "only download from trusted sources", but that could be circumvented by site crackers. How to solve this? A hash check is the standard solution to this problem. But if there's no hash sum at the site to check with, what then? After an installation a restore to an earlier state using an Image backup would then be the standard solution, but that assumes that you even know that your system is infected.
I think it´s something we have to live with regarding the fact that whatever security steps we take, we will always have some "window" open for exploits, whether it´s zero-day malware, drive-by infections or by user installations.
/C.
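The hash check mentioned in the post above, as an added example that is not part of the original thread or of any product discussed here: it computes a download's digest in chunks and compares it against a published checksum manifest. It assumes the manifest uses the common sha256sum format ("<hexdigest>  <filename>", with an optional "*" binary marker); the sample installer and manifest are constructed inside demo(), and the tampered-file case shows the check catching a one-byte swap that a site cracker might make without updating the published hash.

```python
"""Verify a downloaded file against a published checksum manifest.

Added example, not code from the original thread. Assumes a manifest in
the sha256sum style "<hexdigest>  <filename>". The sample file and the
manifest used in demo() are constructed inline.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so large installers are not read into memory


def file_digest(path, algo="sha256"):
    """Return the lowercase hex digest of the file at `path`."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Accepts both "hash  name" and "hash *name" (binary-mode marker).
    Blank lines and '#' comments are skipped; anything else malformed raises.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if not name or len(digest) < 32:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify(path, expected_hex, algo="sha256"):
    """True only if the file's digest equals `expected_hex` (case-insensitive).

    hmac.compare_digest is used out of habit: for a local file it does not
    matter, but the same routine is often reused where the comparison is
    remote, and a constant-time compare costs nothing here.
    """
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected_hex.lower())


def demo():
    """Constructed scenario: an untouched download, then a one-byte tamper.

    Returns (result_before_tamper, result_after_tamper).
    """
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "setup.exe")
        with open(good, "wb") as f:
            f.write(b"MZ" + b"\x00" * 4094)  # constructed stand-in for an installer
        # The publisher's manifest, generated from the genuine file.
        manifest = parse_manifest(f"{file_digest(good)}  setup.exe\n")
        ok_before = verify(good, manifest["setup.exe"])
        # Attacker replaces one byte of the download but leaves the manifest alone.
        with open(good, "r+b") as f:
            f.seek(100)
            f.write(b"\x90")
        ok_after = verify(good, manifest["setup.exe"])
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The limitation the post raises still holds: if the attacker controls the site, they can republish the manifest as well, so a checksum only proves the file matches what the site currently says, not what the author intended. A signed manifest (or a hash obtained out of band) is what closes that gap.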
BlueZannetti
December 31st, 2007, 09:31 AM
{QUOTE-> forgive me to hijack your question,....... but what i guess he meant there are limits to stupidity.........or.......,just my two cents !?! <-QUOTE}
I believe it was Albert Einstein who noted "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
Blue
ErikAlbert
December 31st, 2007, 09:45 AM
{QUOTE->
Regarding the intentional user installation this is not necessarily "stupidity" (even if in some cases it could be just that), but this has always been the most common vector for delivering the payload. One could argue "only download from trusted sources", but that could be circumvented by site crackers. How to solve this? A hash check is the standard solution to this problem. But if there's no hash sum at the site to check with, what then? After an installation a restore to an earlier state using an Image backup would then be the standard solution, but that assumes that you even know that your system is infected.
<-QUOTE}
That is indeed a problem and no security software or virtualization software will save you from that.
Any NEW object is a threat to your system and how do you know for sure that it isn't a threat? It's simply a matter of trust for average users, and those who are able to analyze what a new object has done to their system have an advantage, which is a minority group.
BlueZannetti
December 31st, 2007, 10:12 AM
{QUOTE-> Personally I prefer using application based virtualization because of the above mentioned reasons by Blue, but mostly for the reason where you for example tweak your system or make some other changes to your settings, and then forget to commit these changes... could be really frustrating. <-QUOTE}
Point noted.
For the sake of keeping this discussion open, it is probably worthwhile noting that the four products that I mentioned in the title represent something in the middle of a continuum of options. By light virtualization, I'm really only trying to exclude the creation of full virtual machines, and I've done that for a couple of reasons. First, that's a relatively costly path to follow for most home users and that setting is my primary focus. Second, the formal licensing requirements can get complicated in a full VM environment (basically you need separate licenses for each concurrently running instance of the OS, or a model that explicitly allows multiple running instances, say Windows 2003 Server), and I really don't want to deal with that complexity. So basically the discussion should revolve around options aside from full VM installation, which fits the four cited products well.
Now, as noted in threads such as deepfreeze VS shadow defender (http://www.wilderssecurity.com/showthread.php?t=196067), DeepFreeze provides a related product approach that bears a strong relation to Returnil/PowerShadow/ShadowDefender/ShadowUser Pro, with the primary difference that the implicit system state is presumed to be primarily static as opposed to primarily dynamic. Aside from that difference, and how that impacts daily usage of the application, it provides a very similar functionality.
Finally, rather than virtualization at a system level, virtualization at an application level is possible through products such as SandboxIE and related tools where the primary focus is virtualization of applications which interact strongly with the external environment (i.e. the Internet and so on).
{QUOTE-> Regarding the intentional user installation this is not necessarily "stupidity" (even if in some cases it could be just that), but this has always been the most common vector for delivering the payload. One could argue "only download from trusted sources", but that could be circumvented by site crackers. How to solve this? A hash check is the standard solution to this problem. But if there's no hash sum at the site to check with, what then? After an installation a restore to an earlier state using an Image backup would then be the standard solution, but that assumes that you even know that your system is infected.
I think it's something we have to live with regarding the fact that whatever security steps we take, we will always have some "window" open for exploits, whether it's zero-day malware, drive-by infections or by user installations.
<-QUOTE}
I absolutely agree. That's one of the reasons all of the configurations that I've mentioned above have been using a light virtualization product in conjunction with the "expert system analysis" provided by an AV. This pairing appears to offer a very reasonable trade-off in performance, ease of use, and security. The same can be said of an application based virtualization plus AV, while users of solutions such as Deep Freeze tend to not require the AV component if the system configuration in fact adheres to the primarily static model. Naturally, use of an AV can take many guises from the typical realtime monitoring to on-demand scanning only of new content as required.
Blue
trjam
December 31st, 2007, 10:52 AM
I agree, even though some may not, that using any of these types of products is only enhanced by using an AV. Actually the AV comes first, then this type of product. A very good combo.
ErikAlbert
December 31st, 2007, 11:08 AM
In theory, you don't need an AV to protect your EXISTING objects in a frozen system partition. Any change done by malware is gone after reboot and that is a lot better than scanners.
You only need security softwares that stop the execution of malware in a frozen system partition.
You only need an AV to verify NEW objects and your local AV is just not good enough. In that case I would prefer to use VirusTotal and Jotti, which uses 30+ scanners to verify a NEW object with the limit of 10mb, which is again an incomplete solution, which is very typical for security.
BlueZannetti
December 31st, 2007, 11:24 AM
{QUOTE-> You only need an AV to verify NEW objects and your local AV is just not good enough. <-QUOTE}
Erik,
That's your opinion and I believe you're wrong. It appears that anything less than a 100% guarantee of coverage is not enough in your mind, and if you're exposed to 100% of the malware in existence, that's true. However, I'm not exposed to 100% of the malware in existence, so I'll take my chances with current and pragmatic solutions.
{QUOTE-> In that case I would prefer to use VirusTotal and Jotti, which uses 30+ scanners to verify a NEW object with the limit of 10mb, which is again an incomplete solution, which is very typical for security. <-QUOTE}
Again, I'm approaching this from an actual use situation. In that case, I view every step that requires a user initiated action to be a liability. For example - in comparing user initiated on-demand scanning vs. realtime monitoring - the result is the same if the same settings are used, but the former requires the user to deliberately initiate the scan while the latter happens as a matter of course. That renders the latter approach more robust in most hands over time. Both approaches work, but it comes back to a concept we've discussed time and time again - user discipline. My experience is that situations occur in which users lose discipline - they happen with me and they likely happen with you. For that reason, I believe that approaches which are predicated on maintaining a high level of discipline should be avoided by most users.
Blue
Long View
December 31st, 2007, 11:44 AM
{QUOTE-> I agree, even though some may not, that using any of these types of products is only enhanced by using an AV. Actually the AV comes first, then this type of product. A very good combo. <-QUOTE}
Sorry to disagree but my systems would not be enhanced by an AV; they would simply be slowed down by an outdated idea. The virus that is going to get me one day will not be one of the X billion on the white list but a new one that sneaks through. If Returnil or DeepFreeze work "properly" the virus will be gone at reboot. If Returnil or DeepFreeze do not work then I restore an image. If that doesn't work then I rebuild.
what is the point of light virtualization if we add back all the AV, AS, HIP, firewall, Anti exec security ?
trjam
December 31st, 2007, 11:47 AM
Well, yes and no. On my laptop I only use SD. It is turned off and on frequently. On my desktop it is left on for a fews before ever rebooting, so I am only using Avira for the guard. Just to tell me if something pops up and I need to reboot. I don't scan with it and no, it won't catch everything, but it really doesn't slow anything down so it is like added insurance.
ErikAlbert
December 31st, 2007, 11:51 AM
Blue,
What discipline ? I only have to reboot and every change is gone.
If I open Firefox to surf on internet, it's automatically sandboxed and my data partition is locked automatically.
The only problem I still have are NEW objects, they require discipline, if you want to install them permanently.
Kees1958
December 31st, 2007, 11:53 AM
Blue,
Would you try SafeSpacePersonal also, can be configured to virtualise a partition (with a folder to save changes) also, the default mode (Windows, + Programs Files directories).
Reason for asking is I appreciate your contributions and you also evaluate safespace, the criteria against which it is reported are more or less the same.
Thx
BlueZannetti
December 31st, 2007, 11:55 AM
{QUOTE-> what is the point of light virtualization if we add back all the AV, AS, HIP, firewall, Anti exec security ? <-QUOTE}If one goes back and adds all that stuff again, you're right, it's pointless.
But here's an alternate scenario - rather than taking that AV - and only the AV - and maxing out its settings so that everything is scanned/monitored/sliced/diced in every way imaginable, use settings with a very light touch. Use one with a light touch to start with and keep the settings low. The impact will not be apparent, and if it is, find a solution in which it's not apparent.
For many users, they may not need even this level of intervention and light virtualization alone will suffice. It depends on personal usage patterns. It's not unlike folks who successfully run without an AV or any other elaborate setup at the moment - that works for some, but not others.
Light virtualization is simply one possible avenue to use to simplify and remain secure at the same time.
Blue
BlueZannetti
December 31st, 2007, 11:59 AM
{QUOTE-> Blue,
What discipline
{snip}
The only problem I still have are NEW objects, they require discipline, if you want to install them permanently. <-QUOTE}Precisely my point. The discipline that you've just noted in the quote.
Blue
BlueZannetti
December 31st, 2007, 11:59 AM
{QUOTE-> Blue,
Would you try SafeSpacePersonal also, can be configured to virtualise a partition (with a folder to save changes) also, the default mode (Windows, + Programs Files directories).
Reason for asking is I appreciate your contributions and you also evaluate safespace, the criteria against which it is reported are more or less the same.
Thx <-QUOTE}Perhaps later today or so. I have a clean partition that I can use.
Blue
trjam
December 31st, 2007, 12:00 PM
And that is how I have Avira set up, to only scan defined files and the rest very light. I own it, it doesn't impact speed, so why not use it. You just never know when it might just,,,,,,,,,,,,,,
Keep in mind, when the left and right were created, a middle was included too. ;D
Coldmoon
December 31st, 2007, 12:28 PM
{QUOTE-> I agree, even though some may not, that using any of these types of products are only enhanced by using a AV. Actually the AV comes first, then this type of product. A very good combo. <-QUOTE}
It is not the AV you should concentrate on as there is not that much difference between the consistent leaders as far as overall protection is concerned. It is the scope of the AV's role that requires adjustment in a strategy that includes virtualization.
The emphasis moves from the need for constant monitoring on the local machine to one where analysis of incoming/new content should be the focus. Virtualization does not detect or distinguish between what is good and what is bad; you invoke the System Protection and all changes are treated equally based on the user's preferences (drop all changes, save some changes, or save all changes).
This leaves an important role open for an "expert analysis" solution somewhere in the chain, just not at the local machine level outside of regular in-depth verification scans (think of your weekly or nightly on-demand full system scan as reference). In every system you still require some form of feedback as to status and efficacy of the system itself...
Mike
ErikAlbert
December 31st, 2007, 12:29 PM
{QUOTE-> Precisely my point. The discipline that you've just noted in the quote.
Blue <-QUOTE}
That is exactly the discipline that EVERY USER has to practice, when he installs NEW objects, no matter what security he has.
trjam
December 31st, 2007, 12:32 PM
{QUOTE-> It is not the AV you should concentrate on as there is not that much difference between the consistent leaders as far as overall protection is concerned. It is the scope of the AV's role that requires adjustment in a strategy that includes virtualization.
The emphasis moves from the need for constant monitoring on the local machine to one where analysis of incoming/new content should be the focus. Virtualization does not detect or distinguish between what is good and what is bad; you invoke the System Protection and all changes are treated equally based on the user's preferences (drop all changes, save some changes, or save all changes).
This leaves an important role open for an "expert analysis" solution somewhere in the chain, just not at the local machine level outside of regular in-depth verification scans (think of your weekly or nightly on-demand full system scan as reference). In every system you still require some form of feedback as to status and efficacy of the system itself...
Mike <-QUOTE}
totally agree and good post.:thumb:
BlueZannetti
December 31st, 2007, 12:45 PM
{QUOTE-> It is not the AV you should concentrate on as there is not that much difference between the consistent leaders as far as overall protection is concerned. It is the scope of the AV's role that requires adjustment in a strategy that includes virtualization. <-QUOTE}An important detail to be sure, and one that underscores that any systemic approach has to examine the roles of each part and that as a user's approach evolves, interdependent parts may need to change.
Blue
BlueZannetti
December 31st, 2007, 12:50 PM
{QUOTE-> That is exactly the discipline that EVERY USER has to practice, when he installs NEW objects, no matter what security he has. <-QUOTE}True, but you are explicitly ignoring what I view as an important distinction, and that's whether the discipline involves an active user initiated event or not.
One can accomplish the same end result with either a passive safety net provided in the environment or by having the user explicitly invoke that safety net as an exception as they deem it is needed.
Blue
Coldmoon
December 31st, 2007, 01:04 PM
{QUOTE-> Layers! Why can't the old technology peacefully co-exist with the new. Heck, NOD and Boclean both put together use next to none resources on my system. I say that as long as a system has the power, why not play it even safer and add even more layers.
Acadia <-QUOTE}
I would caution that layers for the sake of layers is not the way to go. Complexity for its own sake can become self-defeating when looked at in the extreme. Layers are about balance and management of risk rather than being a brute force approach...
Your goal should be the best line-up with the fewest resources based on your individual needs as one size does not fit all...
Mike
BlueZannetti
December 31st, 2007, 01:04 PM
{QUOTE-> Layers! Why can't the old technology peacefully co-exist with the new. Heck, NOD and Boclean both put together use next to none resources on my system. I say that as long as a system has the power, why not play it even safer and add even more layers. <-QUOTE}Layers, to a point, are good. However, I think we've all seen many cases in which layering without taking the time to assess what was being layered on top of an existing configuration resulted in some very unfortunate outcomes - up to and including lost data and the need to perform a complete reinstall of a system.
It's important to keep the point made by ColdMoon in front at all times. You are creating a system in which there are clear, as well as hidden, interdependencies. Changing one part may necessitate adjusting how the other parts are used (or that they are possibly no longer used).
Blue
Rmus
December 31st, 2007, 01:43 PM
{QUOTE-> DeepFreeze provides a related product approach that bears a strong relation to Returnil/PowerShadow/ShadowDefender/ShadowUser Pro with the primary difference that the implicit system state is presumed to be primarily static as opposed to primarily dynamic. <-QUOTE}I've added some thoughts on using Deep Freeze Standard Version for Home use:
http://www.urs2.net/rsj/computing/tests/DF/index.html#thoughts
----
rich
BlueZannetti
December 31st, 2007, 02:04 PM
{QUOTE-> Blue,
Would you try SafeSpacePersonal also, can be configured to virtualise a partition (with a folder to save changes) also, the default mode (Windows, + Programs Files directories).
Reason for asking is I appreciate your contributions and you also evaluate safespace, the criteria against which it is reported are more or less the same.
Thx <-QUOTE}Kees1958,
Here's what I see - bear in mind that this was a quick examination:
1. First of all, applications such as SectorEditor will not successfully launch if launched as a SafeSpace protected application.
2. If the application per se is not protected, it will launch and run as expected.
3. If I virtualize the boot partition (D:\ in this case on physical disk1) I can perform low level sector edits (of the MBR for example) on this partition. The edits performed are simple ones that will not impact functionality (basically text strings that are part of the MBR). They survive a restart, so these are permanent changes on the disk. The situation is probably not a lot different than that seen with ShadowDefender - it's a specific case that has to be handled that was not a part of the initial design objective. I've not used this application extensively and haven't read through the documentation, so I hope that I've not configured it inappropriately.
Blue
Long View
December 31st, 2007, 02:08 PM
{QUOTE-> Correct, if we're talking about adding 5 anti-virus and three firewalls, obviously it is absurd and self-defeating. I'm talking about only one of each type of software; I'd feel naked without my av or hips or sandbox or anti-spyware.
Acadia <-QUOTE}
Each user makes his/her own decisions. My question is "why would you or anyone feel naked without an AV, HIPS, Sandbox, AS, AT, Software Firewall..... ?" If the answer for each piece of software used is " well last week my AS picked up XXXX" and "last month my HIPS reported ZZZZ" then using that software would make sense to me. If I had ever seen a real life virus, If I had ever downloaded a program with spyware, if I had ever had a software firewall tell me that a program that I had not authorized was trying to communicate with... If I had ever had any of these problems I might still run these types of programs BUT as I haven't, I don't (see sig for security details)
As I have no idea as to how others operate or their degree of discipline I am NOT saying that everyone should surf naked. I am saying that it is possible and suggesting that everyone requires that any program run earns its keep and has a real reason for being there. I like DeepFreeze and Returnil. I prefer them to Sandboxie. Others will prefer the reverse. Others will use both and add Anti executable. Others will add even more. All each user really ought to do is ask how little do I need rather than trying to look like the Michelin Man.
hammerman
December 31st, 2007, 02:19 PM
I'm looking at using Shadow Defender or Returnil but I know this is not going to give me total security on its own. I do know that they will do a good job of making sure that when I reboot my system, any nasties I have picked up since the last reboot are removed. Although that gives me a nice warm feeling that my clean system remains clean, I recognise it is not the whole answer. How do I know my system is clean in the first place and how do I keep it clean?
At some point in time I will have to change my system to install new applications. This is where I need an expert scanner to tell me that the new application contains no malware. Having passed this test, I would like to install the application but tag it as untrusted with limited rights, just in case. I would also like to keep an eye on all my applications for suspicious behaviour. If there were no suspicious behaviour detected for some time, I would conclude that my system is clean and the application is safe.
SD/Returnil do not provide analysis or monitoring capabilities. Without these, I think they may eventually be doing a good job restoring my system to a malware-infected state each day.
lucas1985
December 31st, 2007, 02:23 PM
{QUOTE-> This leaves an important role open for an "expert analysis" solution somewhere in the chain, just not at the local machine level outside of regular in-depth verification scans (think of your weekly or nightly on-demand full system scan as reference). In every system you still require some form of feedback as to status and efficacy of the system itself... <-QUOTE}
Good remark. You should take measures to see if your strategy is working in the long-run. If you don't take these measures, you will fall into blind faith (i.e. I reboot the system or wipe the sandbox and all problems are gone).
I replace regular on-demand scans with integrity checking. It isn't a solution for the average user, but it's much more powerful than blacklist scanners.
In the end, all the strategies seem similar with:
- Imaging: for the disaster scenario.
- Light virtualization/shadow software: regular cleaning (at reboot).
- On-demand scanning ("weak"), integrity checking/forensic analysis: is my strategy really working?
- Real-time AV/AM ("weak"), anti-exec, behav. blocker, HIPS, sandbox, LUA: daily battle with untrusted objects.
- Safe surfing/computing: brain-based content filtering (what should/shouldn't I run/accept/open/launch)
- Router: isolate your private LAN from the Internet.
Optional:
- Virustotal/Jotti/Threat Expert/Norman Sandbox: expert analysis of new objects (requires good discipline)
- Network access control (i.e. personal firewall): only allow the necessary network comms and deny the rest (requires some network knowledge)
- Hardening: limiting/closing the entry points of malware and/or a failsafe measure to other security layers (excessive/incorrect hardening may cause that some functions/processes stop working properly)
Fuzzfas
December 31st, 2007, 02:52 PM
{QUOTE->
I replace regular on-demand scans with integrity checking. It isn't a solution for the average user, but it's much more powerful than blacklist scanners.
<-QUOTE}
Hi Lucas. What program do you use for integrity checking?
Merci!
Bubba
December 31st, 2007, 02:58 PM
{QUOTE-> I'm talking about only one of each type of software; I'd feel naked without my av or hips or sandbox or anti-spyware <-QUOTE}Sadly We as Security Forums across the net have left the basics of secure surfing sitting on the corner while We rush to the nearest wally world to grab the latest fix of the week for our additional layer :-\
I realize that's far beyond the scope of this thread and will save the rest of thoughts for a more appropriate thread....How one can surf safely without a resident av or hips or sandbox or anti-spyware
Bubba
lucas1985
December 31st, 2007, 03:02 PM
{QUOTE-> Hi Lucas. What program do you use for integrity checking?
Merci! <-QUOTE}
- Tiny Watcher (http://www.donationcoders.com/kubicle/watcher/)
- Runscanner (http://www.runscanner.net/)
- FileCRC (http://www.enigmaticsoftware.com/filecrc/index.html)
- IceSword (http://www.majorgeeks.com/Icesword_d5199.html)
- Rootkit Unhooker.
Others are Rootkit Revealer, Rootkit Hook Analyzer, Autoruns, Hijackthis, Sentinel, FileMap, FileChecker, NIS File Check, etc :)
Fuzzfas
December 31st, 2007, 04:55 PM
{QUOTE-> - Tiny Watcher (http://www.donationcoders.com/kubicle/watcher/)
- Runscanner (http://www.runscanner.net/)
- FileCRC (http://www.enigmaticsoftware.com/filecrc/index.html)
- IceSword (http://www.majorgeeks.com/Icesword_d5199.html)
- Rootkit Unhooker.
Others are Rootkit Revealer, Rootkit Hook Analyzer, Autoruns, Hijackthis, Sentinel, FileMap, FileChecker, NIS File Check, etc :) <-QUOTE}
Thanks Lucas. I use Tiny Watcher, IceSword and TrendMicro's Hijack This too.
You may also like this MD5 Checker, with option to compare the files in a folder with the results of an older check. No installation needed, runs from a folder. Freeware.
http://www.brandonstaggs.com/filecheckmd5/
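The integrity-checking approach lucas1985 describes, and the "compare the files in a folder with the results of an older check" step of the MD5 checker linked above, come down to a baseline of file digests and a later comparison. The following is an added example of that workflow, not code from any tool named in this thread; it uses SHA-256 rather than MD5 (an assumption of this example) and a constructed temporary directory as its sample input.

```python
"""Baseline-and-compare file integrity check (added example).

Records a SHA-256 digest and size for every file under a root directory,
then reports files that were added, removed or modified relative to an
earlier baseline. The baseline must come from a known-clean state and be
stored somewhere the checked volume cannot alter it.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> {sha256, size} for every file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full),
                             "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON (keep this copy off the checked volume)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(old, new):
    """Diff two baselines; a file is 'modified' when its digest changed."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths
                           if old[p]["sha256"] != new[p]["sha256"]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a baseline, change the tree, compare."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "clean" tree (sample content, not real program files).
        _write(root, "bin/app.exe", b"original program bytes")
        _write(root, "config.ini", b"setting=1\n")
        _write(root, "notes.txt", b"hello\n")

        baseline_path = os.path.join(tempfile.gettempdir(), "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated changes of the kind an installer (or unwanted software)
        # would leave behind: one file altered, one added, one removed.
        _write(root, "bin/app.exe", b"original program bytes + patch")
        _write(root, "bin/dropper.dll", b"new unexpected binary")
        os.remove(os.path.join(root, "notes.txt"))

        report = compare(load_baseline(baseline_path), build_baseline(root))
        os.remove(baseline_path)
        return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A size match is not enough on its own, which is why the comparison keys on the digest; a report with no entries after a reboot is the feedback that the shadow product actually discarded the session's changes.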
lucas1985
December 31st, 2007, 05:18 PM
{QUOTE-> You may also like this MD5 Checker, with option to compare the files in a folder with the results of an older check. No installation needed, runs from a folder. Freeware.
http://www.brandonstaggs.com/filecheckmd5/ <-QUOTE}
Nice :)
For this task, I'm using VisualHash (http://www.dominik-reichl.de/opensource.shtml#vishash) (the .NET-free version) and FileAlyzer (http://www.safer-networking.org/en/filealyzer/index.html)
Diver
December 31st, 2007, 05:44 PM
Light virtualization does have some analytic possibilities, but only for the expert. It gives the user a chance to install something of questionable origin and check it out. Perhaps they can check to see if any of their other security software has been tampered with, root kit detection utilities may be run and so forth. Nothing is foolproof, but this gives another chance, before deciding to install whatever it is for keeps. If it smells bad, just roll back.
BlueZannetti
January 1st, 2008, 01:58 AM
{QUOTE-> Light virtualization does have some analytic possibilities, but only for the expert. It gives the user a chance to install something of questionable origin and check it out. <-QUOTE}At least right now, for the applications listed in the title, only ShadowUser Pro has that capability. It is slated to be developed for ShadowDefender over the next few months, but let's allow that a few bumps in the road may appear and call that a very tentative projection.
Given some of the weaknesses of ShadowUser Pro, I probably wouldn't use it as a platform for testing questionable content, so realistically, none of these options are really currently suited as a test platform.
{QUOTE-> If it smells bad, just roll back. <-QUOTE}I tend to view these products in a somewhat different light - if I'm unsure of what's ahead, jump into shadow mode and let the chips fall where they may. When I'm done, restart to jump back. Simple, painless, clean.
Blue
Tidyup
January 4th, 2008, 03:40 AM
{QUOTE-> Kees1958,
Here's what I see - bear in mind that this was a quick examination:
1. First of all, applications such as SectorEditor will not successfully launch if launched as a SafeSpace protected application.
2. If the application per se is not protected, it will launch and run as expected.
3. If I virtualize the boot partition (D:\ in this case on physical disk1) I can perform low level sector edits (of the MBR for example) on this partition. The edits performed are simple ones that will not impact functionality (basically text strings that are part of the MBR). They survive a restart, so these are permanent changes on the disk. The situation is probably not a lot different than that seen with ShadowDefender - it's a specific case that has to be handled that was not a part of the initial design objective. I've not used this application extensively and haven't read through the documentation, so I hope that I've not configured it inappropriately.
Blue <-QUOTE}
Hi Blue.
From your points above, it is unclear whether you found SafeSpace successful or not. Points 1 and 3 are contradicting each other, as you say SectorEditor wouldn't load in SafeSpace, and then point 3 says that a permanent write was successful?
I was hoping you could clarify your points a bit, as I know that low level disk access is not possible in SafeSpace.
Best regards,
Kris.
Artificial Dynamics.
BlueZannetti
January 4th, 2008, 06:42 AM
{QUOTE-> From your points above, it is unclear whether you found SafeSpace successful or not. Points 1 and 3 are contradicting each other, as you say SectorEditor wouldn't load in SafeSpace, and then point 3 says that a permanent write was successful?
I was hoping you could clarify your points a bit, as I know that low level disk access is not possible in SafeSpace. <-QUOTE}Sure.
SafeSpace was added as a pure default installation.
The sector editor is not an automatically protected application. If I identified the sector editor as a SafeSpace protected application, it wouldn't launch.
Point 3 was the case where the sector editor was not an explicitly protected application, but the entire D:\ partition was set to be virtualized instead. I assumed that this would be a more typical usage scenario, and in keeping with some recent malware targeting. I attempted to and apparently successfully did perform low level sector edits of the D:\ MBR under this scenario. The changes appeared live and did survive a restart.
This result is basically identical to that obtained by both Returnil and ShadowDefender prior to some code tweaking by each of them. I assume SafeSpace is in the same position they were a short time ago - a very minor tweak and a potential little gap is closed. The specific editor used was Julie Lau's Sector Editor. However, if this result still sounds fishy to you, I can give it another whirl, although it might be better to see if you get the same result following the steps I did (fresh install, virtualize drive, perform edits).
Blue
Tidyup
January 4th, 2008, 08:42 AM
Thanks Blue.
SafeSpace is an application level sandbox, as opposed to Returnil and ShadowDefender which are system wide. The difference being that SafeSpace protects against malicious activity only for applications which are running inside the sandbox.
By default, SafeSpace protects internet facing applications (web browsers and instant messengers), the most exposed entry points into a system. Any activity or exploits targeting those applications in the sandbox will be restricted. So, as an example, if you are hit with a driveby which infects you with malware that intends to perform low level disk edits, it will fail because it is inside SafeSpace.
So although your test is perfectly valid for Returnil and ShadowDefender, it is out of context when you consider what SafeSpace is protecting you from.
Do you agree?
Best regards,
Kris.
Artificial Dynamics.
BlueZannetti
January 4th, 2008, 06:26 PM
{QUOTE-> So although your test is perfectly valid for Returnil and ShadowDefender, it is out of context when you consider what SafeSpace is protecting you from.
Do you agree? <-QUOTE}Kris,
Short answer - sort of.
These types of challenge tests are easy to dream up in a way that some fairly nasty behavior can be inferred. In this case the inferred behavior would be potentially disastrous activity designed to render your system unworkable via corruption of the MBR or partition table. Now, according to my understanding, if this application had been downloaded during a SafeSpace session and launched, it should be launched in a sandboxed/protected state by SafeSpace - and the first example (failure to launch) will apply.
Now, some of the other settings, say virtualizing partition D:\, imply certain elements which don't seem to be quite achieved - at least to a launched console based attack, which is what my example was. Are there other routes that this could play out? Not that I can think of if the application works precisely as stated and no exceptional events occur.
Do I see this as an operational issue? At the moment, not really, although perhaps some different terminology should be employed to describe partition/drive virtualization since this implies systemic protection. Should a user be concerned that this is a gap? Personally, I don't think so.
Blue
EASTER
January 5th, 2008, 12:44 AM
{QUOTE-> at least to a launched console based attack <-QUOTE}
Enter (HIPS)! My HIPS monitors the windows command console and aborts its activity until I, the user, have first had time to review the SOURCE + TARGET and any other data of interest before granting permission to continue.
I am a HUGE proponent of HIPS because of the windows internal code schematics involved in keeping close tabs on these often overlooked manifestations of potential forced intrusions.
In retrospect, a quality Sandbox should contain any such activity originating from (in this case) the command console be it safe or of risk, but the underlying question is, how far reaching could a disruption order be once a set of pre-conceived commands are allowed to signal other areas of the operating system even if sandboxed to the containment area. Seems it would have to be specially coded to jump out from the program itself, and that possibility, because we are speaking of another software program, is not impossible by any stretch.
ProSecurity
January 11th, 2008, 04:10 PM
{QUOTE-> Sorry to disagree but my systems would not be enhanced by an AV they would simply be slowed down by an outdated idea. The virus that is going to get me one day will not be one of the X billion on the white list but a new one that sneeks thru. <-QUOTE}
:thumb:
Long View, the more posts I read here the more I am convinced that ditching realtime AV was the best decision I have made since I ditched realtime AS.
huangker
January 11th, 2008, 08:37 PM
{QUOTE-> :thumb:
Long View, the more posts I read here the more I am convinced that ditching realtime AV was the best decision I have made since I ditched realtime AS. <-QUOTE}
Some users here may decide to ditch resident AV and that's fine if you prefer another solution that you think is more secure given your understanding of computer security.
Though I think for the average uneducated user, the blacklisting concept will still be the bread and butter for computer security.
BlueZannetti
January 12th, 2008, 12:47 AM
{QUOTE-> Some users here may decide to ditch resident AV and thats fine if you prefer another solution that you think is more secure given your understanding of computer security. <-QUOTE}Just a personal perspective here - but I really think it's less a question of understanding computer security - that can be such a general and vague topic - and more a question of how you would determine whether or not a given executable or scripting file in front of you has malicious intent? That's the crux of the question for any user, even ones with rather strident default deny execution restrictions since, naturally, you can make a deliberate choice to execute.
If presented with file setup.exe obtained either on download, from a friend, just looking through an old collection of downloads, etc., how would you make the determination that it's malicious?
Running it and observing that your system does not appear compromised can be somewhat dicey since this implicitly assumes that any malicious actions are executed rather quickly - there are plenty of examples that show this is a bad assumption. If you look purely at actions, well, a lot of times the actions are no different than those used by regular applications. The context and content is often different, but the basic actions are the same. Unless one is willing to personally pull apart the file, or severely restrict what is done on a computer, a resident AV provides a lot in the way of expert backed guidance in assessing any file obtained from unvalidated sources.
{QUOTE-> Though I think for the average uneducated user, the blacklisting concept will still be the bread and butter for computer security. <-QUOTE}I believe it continues to go well beyond the average uneducated user, with some qualifications. Those qualifications include:
- The specific concerns voiced do not apply to some scenarios (e.g. rigorous default deny with no unvalidated exceptions).
- There are plenty of complementary approaches which yield the same end results under specific circumstances.
- There's a Heisenberg Uncertainty type principle intrinsic to security - as security is heightened, the facile user experience is degraded. Realistic approaches recognize this and balance these two forces.
Earlier this year, in April, I estimated (http://forum.kaspersky.com/index.php?showtopic=36615&pid=327451&mode=threaded&show=&st=0) that KAV/KIS would hit 400,000 signatures basically at the end of 2007. It turns out that I was rather conservative and off by ~ 100,000. As you can see in the figure below - which tries to assess malware growth rates by examining coverage provided by one of the comprehensive solutions - the past year (really since March) apparently has experienced another of the periodic accelerations in the growth of malware. The times in months listed on that figure are the doubling time for malware signatures. Specific values are different than some earlier figures due to specific region cut-off points applied, but the basic trending behavior remains unchanged.
There does appear to have been an appreciable acceleration in the appearance of malware on the Internet since April 2007, which has obvious consequences for any trailing response measure - which any blacklist approach represents.
So what's it all mean - at least IMHO?
Most users need some mechanism to provide an independent verdict of the fidelity of downloaded content. Right now, the best mechanism to provide that assurance is via the use of an AV product. There are other approaches, but this remains the easiest to implement.
Second, the robust backup of this scheme is growing increasingly important. There are multiple solutions here as well, but the light virtualization approach provided by any of the subject programs - and some others - appear particularly robust and facile to implement at the moment.
Blue
ProSecurity
January 12th, 2008, 01:04 AM
{QUOTE-> If presented with file setup.exe obtained either on download, from a friend, just looking through an old collection of downloads, etc., how would you make the determination that it's malicious? <-QUOTE}
Well, I would do an on-demand scan before executing the file.
Personally, I am not questioning the usefulness of AV softs; I'm questioning the usefulness of realtime AV scanning.
QQ2595
January 12th, 2008, 01:13 AM
There will be more and more virus/spywares which can bypass the SD/RVS/PS in 2008.
If you search this topic in chinese programmer forums, you will find, from theory to code, that will be a new fashion and interest for them. LOL
The PassDisk, Robo Dog, KillDisk, CleanMBR which came out in the end of 2007 are the pioneers. But it is bad news for these products.
EASTER
January 12th, 2008, 02:12 AM
You would think that curve might have spiked earlier then tapered off by now but it looks like it's focused mainly on signatures of AV's respectively.
Thanks Blue for the details btw and commentary.
The computer these days, (O/S) especially Powered By Windows! is in my opinion from the start been geared to expand developments all around the world and create developers with innovative thinking, concepts, then distributions, & so forth i think, (guessing here), and is likely why each security field tries to limit their expertise chiefly within their own respective specialty, and likely to remain that way because think about it.......
If and/or when AV's were to incorporate sandboxing/virtualization technologies into their traditional models, what exactly would that lead to? Merges and sellouts by the droves? Some are already leaning in that direction with so-called SUITES, and look at firewalls with HIPS now, and vice-versa.
I apologize if this, my own personal opinion, seems steering a bit off course, but I mention that because of this; according just as Blue has laid out from Kaspersky statistics, the malware curve continues to trend upward at an alarming rate with no real deviation to the contrary, so what alternatives do Windows security aware users have to bridge-the-gap so to speak or at least complement and/or shore up their Anti-Virus solution?
The handwriting is already on the wall, malware writers have definitely targeted the most, the AV's market and obviously mean to put their positions at risk IMO.
So it begs to question, are we soon going to be witnessing another new transition in the making here? Or will each expert security product vendor remain within their respective fields and continue to offer basically the same model with slightly improved detections every new release as the malware writers continue on their own quest to drive up this curve as far as they can push it?
ProSecurity
January 12th, 2008, 02:51 AM
{QUOTE-> I apologize if this, my own personal opinion, seems to steer a bit off course, but I mention it because of this: according to the Kaspersky statistics, just as Blue has laid out, the malware curve continues to trend upward at an alarming rate with no real deviation to the contrary, so what alternatives do Windows security aware users have to bridge the gap, so to speak, or at least complement and/or shore up their Anti-Virus solution? <-QUOTE}
Excellent point, which emphasizes the need for light virtualization apps.
If Kaspersky has 500,000 signatures now, what will happen if five years from now that number has increased twenty-fold?
The database just keeps getting bigger, because even if a virus hasn't been seen for a while, they can't take it out of the database because you can never know if it will return in the future!
As Long View stated in another thread, AVs are based on an outdated idea.
Searching_ _ _
January 12th, 2008, 05:03 AM
In the virus, trojan, rootsckhidenpk's war, I chose to stop funding the mutual proliferation. I realized that I am always behind regardless of how much money I spend on programs or ones I get for free (AV's, AS's, and the like).
I chose Powershadow 2.6 and 2.8 (Greyware versions, yes) under WinXP. I liked the idea behind them in how they protect mainly for internet surfing and online poker. I feel it protects me from the insertions that occur while involved in these types of activities.
I now have a new laptop with WinVistaP. I can't use PS so I tried Returnil free to test it out. I don't know if its protection scope is more limited than the pay-for version, or is an insidious intentional design, but it would crash after a few weeks. Right around 3 weeks to 1 month. This occurred on two different systems (both laptops, different manufacturers, same OS, WinVP), run by two separate users. It forced a recovery on both machines. On the Gateway, it asked to reinstall WinVP and left a .old version; on the Toshiba it just crashed, causing a reformat.
What I can not determine is if it is an infector or a conflict (Unintentional or otherwise).
Are there any plans for PS migrating to Vista, or should I just return to XP?
(I am not a code level thinker so linux is a little limited for me, not to mention its lack of microsoftstyle partnered support structure.)
P.S. The trend in the curve looks automated or mechanical. Maybe automated VTR generators and attacks growing in the unprotected unchecked areas of the computer world. Maybe something like virtualization would reduce this type of spread. Again, an on the surface perspective.
Long View
January 12th, 2008, 06:48 AM
{QUOTE-> In the virus, trojan, rootsckhidenpk's war, I chose to stop funding the mutual proliferation. I realized that I am always behind regardless of how much money I spend on programs or ones I get for free (AV's, AS's, and the like).
I chose Powershadow 2.6 and 2.8 (Greyware versions, yes) under WinXP. I liked the idea behind them in how they protect mainly for internet surfing and online poker. I feel it protects me from the insertions that occur while involved in these types of activities.
I now have a new laptop with WinVistaP. I can't use PS so I tried Returnil free to test it out. I don't know if its protection scope is more limited than the pay-for version, or is an insidious intentional design, but it would crash after a few weeks. Right around 3 weeks to 1 month. This occurred on two different systems (both laptops, different manufacturers, same OS, WinVP), run by two separate users. It forced a recovery on both machines. On the Gateway, it asked to reinstall WinVP and left a .old version; on the Toshiba it just crashed, causing a reformat.
What I can not determine is if it is an infector or a conflict (Unintentional or otherwise).
Are there any plans for PS migrating to Vista, or should I just return to XP?
(I am not a code level thinker so linux is a little limited for me, not to mention its lack of microsoftstyle partnered support structure.)
P.S. The trend in the curve looks automated or mechanical. Maybe automated VTR generators and attacks growing in the unprotected unchecked areas of the computer world. Maybe something like virtualization would reduce this type of spread. Again, an on the surface perspective. <-QUOTE}
I would return to XP for so many reasons - Vista is still not out of beta in my view - and use Powershadow, Returnil, Deepfreeze .. whatever
Long View
January 12th, 2008, 07:18 AM
{QUOTE-> There will be more and more viruses/spyware which can bypass the SD/RVS/PS in 2008.
But it is bad news for these products. <-QUOTE}
Yes there will be more and more attacks, but so what? As the take-up of freeze programs grows it is to be expected that the level of attacks will also grow. DeepFreeze has been attacked a number of times, initially failing, being fixed and then attacked again?
Anyway what are we supposed to do? Continue with freeze programs that will be attacked and then be fixed, or go back to AV/AS which will continue to take days if not weeks getting fixed, will continue to slow machines down and will continue to produce 50 false positives for every real nasty (yes I confess I made that stat up but only to exemplify my point - not to delude in the way that most stats are used). Real time AV/AS has had its day - I can see little point in running a program real time which will stop X billion nasties that I am not going to be attacked by but lets through the latest and greatest. Even if the same argument is made against freeze programs, at least they do not slow machines down nor produce false positives.
BlueZannetti
January 12th, 2008, 09:02 AM
{QUOTE-> Personally, I am not questioning the usefulness of AV softs; I'm questioning the usefulness of realtime AV scanning. <-QUOTE}
Which is a quite valid distinction and point to make.
My own preference is to keep realtime scanning for the moment, but the trending in that curve has to be recognized as an absolute killer of this approach at some point - not from the perspective of being unable to keep up with new entries per se (which is a real and significant issue as well), but from the sheer logistics of rapidly performing the signature analysis and comparison - in other words maintaining the function with a limited resource footprint. There are many ways to address this, but it requires more finesse and forethought by the day.
Blue
BlueZannetti
January 12th, 2008, 09:18 AM
{QUOTE-> There will be more and more viruses/spyware which can bypass the SD/RVS/PS in 2008.
If you search this topic in Chinese programmer forums, you will find, from theory to code, that this will be a new fashion and interest for them. LOL
The PassDisk, Robo Dog, KillDisk, CleanMBR which came out at the end of 2007 are the pioneers. But it is bad news for these products. <-QUOTE}
There's no doubt of that since we already have seen as much.
I suppose the open question is how many independent bypass schemes really exist that could conceivably allow compromise of these types of products and what are the requirements to allow that compromise to occur.
I'm no expert in this area, but I do view the underlying conceptual simplicity of the approach as a powerful trait. They really perform one discrete function and there are a finite number of ways one can place data on a HDD surface. We've seen a couple of challenges quickly addressed. It remains to be seen whether more sophisticated approaches emerge.
Context is also critical to appreciate. An internet cafe in China and a random home user present two very different scenarios. One provides unfettered physical access to the machine to allow compromise, the other doesn't.
Blue
BlueZannetti
January 12th, 2008, 09:38 AM
{QUOTE-> Excellent point, which emphasizes the need for light virtualization apps.
If Kaspersky has 500,000 signatures now, what will happen if five years from now that number has increased twenty-fold? <-QUOTE}
I know you're just using reasonable numbers for effect, but with a 10.8 month doubling time, the database would be projected to increase 47 fold (=2^(Period/Doubling time)) in five years at just the current growth rate. Past history implies an acceleration will occur sometime in that period as well, so this could be a low estimate.
However, the period reflected by the curve is a fairly homogeneous one which roughly covers the release lifecycle of Win XP. Unknowns moving forward include:
The impact of Vista and the architectural changes of that OS on malware proliferation.
The re-emergence of Apple/OS-X as a mainstream alternative.
Ready and low/no cost Linux based alternatives.
Each of those factors represents a landscape shift, which unfortunately is likely to only lightly touch the current installed base of machines.
{QUOTE-> The database just keeps getting bigger, because even if a virus hasn't been seen for a while, they can't take it out of the database because you can never know if it will return in the future!
As Long View stated in another thread, AVs are based on an outdated idea. <-QUOTE}
In a general sense, it's less of an outdated idea and more one that has potential scalability issues in the current Windows OS environment.
Blue
BlueZannetti
January 12th, 2008, 09:52 AM
{QUOTE-> P.S. The trend in the curve looks automated or mechanical. Maybe automated VTR generators and attacks growing in the unprotected unchecked areas of the computer world. Maybe something like virtualization would reduce this type of spread. Again, an on the surface perspective. <-QUOTE}
Increasing connectivity certainly enlarges the pool of potential exposure as well as transmission rates. I already see part of the fallout of that at my ISP - they're much more aggressive (too aggressive in my estimation) in filtering email from some of these unchecked locales, rendering product support from vendors in these locations a hit and miss proposition.
Blue
BlueZannetti
January 12th, 2008, 10:52 AM
{QUOTE-> Real time AV/AS has had its day - I can see little point in running a program real time which will stop X billion nasties that I am not going to be attacked by but lets through the latest and greatest. Even if the same argument is made against freeze programs, at least they do not slow machines down nor produce false positives. <-QUOTE}
My own vision is slightly different - although I believe your approach is very reasonable and has a lot to recommend it.
We've all seen a lot of blood spilled here in discussions involving AV detection differences of 0.X % without any real information on whether that 0.X % population of malware was a viable and significant threat to anyone. From the testers' perspective, digging down that deep is not a worthwhile expenditure of their resources, and even if they did dig deeper, quantifying viable and significant is not an easy task.
That said, the direction I'm going is as follows: Is the tradeoff between a single AV which provides 99.XY% detection with a very light AV with potentially much lower global detection (but detection that covers the primary extant threats) augmented with light virtualization such that the AV/light virtualization combination provides a preferred balance in performance traits?
My own experience is a qualified yes. I tend to think it's a somewhat germane point in that this type of exercise involves an active tradeoff in the performance of one dimension with coverage in another, which tends to run counter to a lot of the discussion here and elsewhere in which the absolute limits in performance are demanded from all dimensions.
Blue
Long View
January 12th, 2008, 11:08 AM
Hi Blue
There is no doubt that a price has to be paid for most things in life - there is usually a trade-off, and I can see the attraction of a light AV (if such exists) combined with virtualization being preferable to a heavy but effective AV.
Each person must do their own research and thinking.
In 1995/96 I started on dial-up and used Norton. Over the next few years I went thru the Spyware Blasters and Spybots and Ad-Awares.............. and then one day I realised that I had never actually seen a virus and that the malware being reported was little more dangerous than the odd tracking cookie.
My security is listed in my sig. I do run on-demand scans every so often and never find anything more dangerous than a false positive (which I do report).
I am not recommending that everyone throws away their real time AS/AV software, firewall, Hips Hops whatever. I am saying that it is possible to live quite happily without them and that any program installed on a machine needs to pay its way and not be just another layer of clothing - in case it gets cold.
BlueZannetti
January 12th, 2008, 11:19 AM
{QUOTE-> I am saying that it is possible to live quite happily without them and that any program installed on a machine needs to pay its way and not be just another layer of clothing - in case it gets cold. <-QUOTE}
Perfectly stated!
To carry the clothing analogy a bit further, I see a lot of folks donning ski parkas for a walk on the beach in summer - you can do it, but it's probably not the best experience :)
Blue
MikeNAS
January 12th, 2008, 11:57 AM
I have read this forum for over a year now and I have tested lots of programs (av, as, hips, fw etc.). Nowadays I really like to use virtualization (+sandboxing). It's so easy to use and other users (my wife) like it too. You don't have to know the correct answer when something happens because everything goes back after reboot.
ATM I just use LUA+SRP with virtualization and sandboxing. So easy to use, and users' computer skills aren't so important.
-MikeNAS
trjam
January 12th, 2008, 01:50 PM
{QUOTE-> Hi Blue
There is no doubt that a price has to be paid for most things in life - there is usually a trade-off, and I can see the attraction of a light AV (if such exists) combined with virtualization being preferable to a heavy but effective AV.
Each person must do their own research and thinking.
In 1995/96 I started on dial-up and used Norton. Over the next few years I went thru the Spyware Blasters and Spybots and Ad-Awares.............. and then one day I realised that I had never actually seen a virus and that the malware being reported was little more dangerous than the odd tracking cookie.
My security is listed in my sig. I do run on-demand scans every so often and never find anything more dangerous than a false positive (which I do report).
I am not recommending that everyone throws away their real time AS/AV software, firewall, Hips Hops whatever. I am saying that it is possible to live quite happily without them and that any program installed on a machine needs to pay its way and not be just another layer of clothing - in case it gets cold. <-QUOTE}
Long View I like your setup. I am using a Netgear router, Firefox and Sandboxie. I am thinking of adding Deep Freeze. The funny thing is when I add Avira PE set to selective scanning and no pre-scheduled scans, it takes away nothing as far as speed. I have tested it several ways. I figure what does it hurt to keep it.
lucas1985
January 12th, 2008, 01:55 PM
{QUOTE-> I figure what does it hurt to keep it. <-QUOTE}
Some of us are very sensitive to real-time scanning. As you see, it's more of a personal thing.
trjam
January 17th, 2008, 05:44 AM
Thanks lucas. I keep going round and round and, no, I can be a pain. I guess I am one of those old-schooled folks who just find it hard to give up an AV when we have been taught from the start it is the way to go. Most of you are very astute and understand that with change comes new rewards and challenges. For the average user, I think the challenge part is the hump in making the move.
After taking ShadowDefender off for a week and trying other products, and going back to Avira, I learned two things. One, I missed SD because it was simple enough for me, and the other is that, instead of preaching but listening to some of you, I realize giving up scanning doesn't have to be a large "hump". :thumb:
Threedog
January 19th, 2008, 08:35 PM
Very good thread for us computer security noobs. I decided to try the light virtualization/AV route and am very pleased with the results so far. I know I could go without the AV where it only takes emptying the sandbox or rebooting to get rid of stuff, but I like the fact that it is there to tell me if something IS there to get rid of. I am still keeping SAS too but only running it on demand when I don't have Returnil turned on, just to make sure that my underlying system isn't infected.
I may add Prevx to the mix. I already bought it a week ago, just waiting for my license to arrive. It would bug me too much to pay for it and not use it.
trjam
January 19th, 2008, 08:49 PM
{QUOTE-> Very good thread for us computer security noobs. I decided to try the light virtualization/AV route and am very pleased with the results so far. I know I could go without the AV where it only takes emptying the sandbox or rebooting to get rid of stuff, but I like the fact that it is there to tell me if something IS there to get rid of. I am still keeping SAS too but only running it on demand when I don't have Returnil turned on, just to make sure that my underlying system isn't infected.
I may add Prevx to the mix. I already bought it a week ago, just waiting for my license to arrive. It would bug me too much to pay for it and not use it. <-QUOTE}
when you "buy" a license from Prevx, it is emailed immediately.
Threedog
January 19th, 2008, 09:54 PM
{QUOTE-> when you "buy" a license from Prevx, it is emailed immediately. <-QUOTE}
Errrrrr...not exactly. I used Pay Pal and they won't send me the license until it clears. I don't use credit cards so I gotta do it the slow way.
innerpeace
January 20th, 2008, 12:00 AM
{QUOTE-> Very good thread for us computer security noobs. I decided to try the light virtualization/AV route and am very pleased with the results so far. I know I could go without the AV where it only takes emptying the sandbox or rebooting to get rid of stuff, but I like the fact that it is there to tell me if something IS there to get rid of. I am still keeping SAS too but only running it on demand when I don't have Returnil turned on, just to make sure that my underlying system isn't infected.
I may add Prevx to the mix. I already bought it a week ago, just waiting for my license to arrive. It would bug me too much to pay for it and not use it. <-QUOTE}
I'm the same way. Maybe I'm just too nosey LOL. Seriously though, my AV doesn't seem to slow me down and I'm like you, I have it, so why not use it.
@ BlueZ, great thread and thanks. It's good to see virtualization getting more exposure.
BlueZannetti
January 20th, 2008, 08:03 AM
{QUOTE-> @ BlueZ, great thread and thanks. It's good to see virtualization getting more exposure. <-QUOTE}
Thanks. It seemed like it was time to have a somewhat coordinated discussion of these types of products for a number of reasons:
The new entries that have appeared are recent introductions and have now largely stabilized.
The introduction of dynamic entry into a virtualized state, in my opinion, eliminated a large use barrier that afflicted ShadowUser Pro.
These products are priced at a point where the mass market can respond. Whether they will is another matter, but the current price points are quite reasonable.
Finally, and probably more importantly, they represent a specific potential solution to the continuing lament voiced here that every AV under the sun experiences periodic vulnerabilities due to the onslaught of malware, the increasing rate of appearance of new malware (http://www.wilderssecurity.com/showpost.php?p=1159395&postcount=61), and the somewhat slow progress in developing proactive detection methods (aside from a couple of entries, it seems mired in the 25-40% range from 2004-2007 in the www.av-comparatives.org (http://www.av-comparatives.org/) retrospective tests).
There are many distinct and competing options (execution control, software restriction policies, etc.) that should work as well, but virtualization does not require informed user intervention to work well. Further, as some have tried, light virtualization (or the competing options) can be used as the sole approach to securing a machine.
In the general view of the thread, I was somewhat undecided on whether to include Faronics Deep Freeze (http://www.faronics.com/html/deepfreeze.asp). It really is a member of the same category. However, its primary market (institutional/enterprise) renders the feature set somewhat different from the products primarily covered in this thread. For someone looking for a solution, it does provide another available and highly recommended option.
Blue
Threedog
January 20th, 2008, 12:51 PM
I did some testing last night to see how well this all works. I went to a couple of different crack/keygen sites to get drive-by'd... it wasn't long before Avira (set at max heuristics and scan all files) was popping up to beat the band. So I made note of these sites and then rebooted to get rid of everything (was surfing with Returnil and Sandboxie btw), uninstalled Avira, flipped Returnil back on and went to the same sites again. Then I rebooted and ran full scans with Avira and a few others plus SAS. All was clean so I was pretty impressed.
Another thing that impressed the heck out of me is I tried these sites out (when I still had Avira on) with both IE and Firefox with No Script. When using IE I was getting all kinds of Avira alerts but when using Firefox with No Script...nothing.
trjam
January 20th, 2008, 01:21 PM
Yep, it works. Of course SD and Sandboxie for me. Same results though.:thumb:
Threedog
January 20th, 2008, 08:34 PM
Yes! Thanks to this thread I think I have finally found a set up that I like and trust. The only question I have left to figure out is whether to run Prevx with it or not.
trjam
January 20th, 2008, 09:13 PM
Why? I just install Eset's online scanner or Dr Web's CureIt while still in shadow mode to see if anything is around. Works flawlessly. Sandboxie covers most and is your first line of defense. Then Shadow Defender or Returnil are your boot to total safety as needed. I love it.:)
Threedog
January 20th, 2008, 10:57 PM
Hmmmm more options....thanks!!!!
demoneye
January 20th, 2008, 11:45 PM
{QUOTE-> Why? I just install Eset's online scanner or Dr Web's CureIt while still in shadow mode to see if anything is around. Works flawlessly. Sandboxie covers most and is your first line of defense. Then Shadow Defender or Returnil are your boot to total safety as needed. I love it.:) <-QUOTE}
Played around with this Sandboxie proggy.... found it, let's say, not user friendly nor nice to use.
In your case you have SD, so why do you use 2 virtualization softwares, when on the next reboot you are clear of any malware?
Better add other protection if you keep your PC running 24/7, like NAB or other what they call 0-day tools.
cheers:dry:
innerpeace
January 21st, 2008, 12:09 AM
{QUOTE-> Played around with this Sandboxie proggy.... found it, let's say, not user friendly nor nice to use.
In your case you have SD, so why do you use 2 virtualization softwares, when on the next reboot you are clear of any malware?
Better add other protection if you keep your PC running 24/7, like NAB or other what they call 0-day tools.
cheers:dry: <-QUOTE}
Hi, if you play around a little more with Sandboxie, you will find it has the option to block access to certain files you specify (such as My Documents). That way during your Virtual Session, if you happen to pick up a key logger etc., your personal files will be safe and remain private. Sandboxie also affords the option to delete it contents and start a new browsing session without that pesky reboot a virtualization software needs.
demoneye
January 21st, 2008, 12:32 AM
{QUOTE-> Hi, if you play around a little more with Sandboxie, you will find it has the option to block access to certain files you specify (such as My Documents). That way during your Virtual Session, if you happen to pick up a key logger etc., your personal files will be safe and remain private. Sandboxie also affords the option to delete it contents and start a new browsing session without that pesky reboot a virtualization software needs. <-QUOTE}
I played with this beta-looking proggy too much. Some of its "config" menus are TXT editors lol
Don't like it, too much work to get simple actions.
cheers:thumb:
Peter2150
January 21st, 2008, 12:55 AM
{QUOTE-> I played with this beta-looking proggy too much. Some of its "config" menus are TXT editors lol
Don't like it, too much work to get simple actions.
cheers:thumb: <-QUOTE}
You might also discover that anything in the sandbox can be left there thru reboot.
innerpeace
January 21st, 2008, 12:56 AM
{QUOTE-> I played with this beta-looking proggy too much. Some of its "config" menus are TXT editors lol
Don't like it, too much work to get simple actions.
cheers:thumb: <-QUOTE}
The newer versions of Sbie can be configured from a GUI now. It may look like a beta to you, but its protection is top notch. Have a look at some of the tests Peter2150 has performed. I personally use it to protect my D:\ data partition when I'm online, which is even better when paired with Returnil, which only virtualizes/protects C:\. I may even decide to run them both within a VM someday :shifty:.
We're getting off topic, but Sbie is not that hard to configure. Yes you can still use the text version, but the GUI works for what I need. It does take a little effort and one may have to ask for help or search their forum, but help comes quickly. To me, it's worth it, and almost all my online apps run through Sbie.
trjam
January 21st, 2008, 05:43 AM
{QUOTE-> Played around with this Sandboxie proggy.... found it, let's say, not user friendly nor nice to use.
In your case you have SD, so why do you use 2 virtualization softwares, when on the next reboot you are clear of any malware?
Better add other protection if you keep your PC running 24/7, like NAB or other what they call 0-day tools.
cheers:dry: <-QUOTE}
I use 2 because it works. With no impact to my PC. Go ahead and layer an AV, AS, AT etc., and see the impact. It is my choice, it works, and no, I didn't say it was the "Perfect" solution. But it is a darn good one.
Threedog
January 21st, 2008, 11:38 PM
I like the Sandboxie/Returnil setup also. I have Sandboxie set up to empty automatically when I close down Firefox (or whatever I decide to run in it) so all the baddies are gone and Returnil is there for a quick clean up if anything does get thru. So far in my testing Sandboxie hasn't let anything thru. I tested by scanning after closing Sandboxie with Avira set to on demand so it wasn't going off while doing my unsafe surfing. I went to the sites with Avira enabled so I knew what was there.
Avail
February 1st, 2008, 01:59 AM
Just got a quick question. If your computer can still be badly affected even though you have these programs running then what program can you install that will provide maximum security? Which Vmware can block all modification and installation to your system? So nothing gets through? Need a firewall?
EASTER
February 1st, 2008, 02:13 AM
{QUOTE-> The newer versions of Sbie can be configured from a GUI now. It may look like a beta to you, but its protection is top notch. Have a look at some of the tests Peter2150 has performed. I personally use it to protect my D:\ data partition when I'm online, which is even better when paired with Returnil, which only virtualizes/protects C:\. I may even decide to run them both within a VM someday :shifty:.
We're getting off topic, but Sbie is not that hard to configure. Yes you can still use the text version, but the GUI works for what I need. It does take a little effort and one may have to ask for help or search their forum, but help comes quickly. To me, it's worth it, and almost all my online apps run through Sbie. <-QUOTE}
Greetings Again innerpeace:
I agree that many new improvements now stand out, making SandboxIE even more configurable as well as increasing solid protection.
Do you happen to know the command line, or if it still can be used, to have ERASER fill in as the sandbox's default deleter? I know I have run across that post before at the SandboxIE forums but cannot find it again.
I believe it's a simple command line run thru the Invocation etc. Well, I think you know what I'm after.
Thanks in advance
EASTER
innerpeace
February 1st, 2008, 02:44 AM
Hi Easter,
I don't use the secure delete, but I remember hearing about it. I'm also not an expert at Sandboxie, just a huge advocate LOL. I'm losing faith in blacklist scanners quickly. See if this link helps any. http://www.sandboxie.com/index.php?SecureDeleteSandbox
Cheers,
innerpeace
EASTER
February 1st, 2008, 02:58 AM
{QUOTE-> Hi Easter,
I don't use the secure delete, but I remember hearing about it. I'm also not an expert at Sandboxie, just a huge advocate LOL. I'm losing faith in blacklist scanners quickly. See if this link helps any. http://www.sandboxie.com/index.php?SecureDeleteSandbox
Cheers,
innerpeace <-QUOTE}
Thanks innerpeace:
I will look more into it.
Whitelist HIPS + SandboxIE/Power Shadow/Returnil type apps are the wave of future.
I quite agree, blacklists don't appeal to me either, too hit & miss with a consistent history of misses. STAMP OF APPROVAL the good/safe apps within a Whitelist while virtualizing/sandboxing etc.
Exciting to throw up a strong defense shield with minimal layering.
___EASTER
QQ2595
February 1st, 2008, 03:18 AM
{QUOTE-> Thanks innerpeace:
I will look more into it.
Whitelist HIPS + SandboxIE/Power Shadow/Returnil type apps are the wave of future.
I quite agree, blacklists don't appeal to me either, too hit & miss with a consistent history of misses. STAMP OF APPROVAL the good/safe apps within a Whitelist while virtualizing/sandboxing etc.
Exciting to throw up a strong defense shield with minimal layering.
___EASTER <-QUOTE}
I fully agree with you.
MikeNAS
February 1st, 2008, 05:14 AM
{QUOTE-> Greetings Again innerpeace:
I agree that many new improvements now stand out, making SandboxIE even more configurable as well as increasing solid protection.
Do you happen to know the command line, or if it still can be used, to have ERASER fill in as the sandbox's default deleter? I know I have run across that post before at the SandboxIE forums but cannot find it again.
I believe it's a simple command line run thru the Invocation etc. Well, I think you know what I'm after.
Thanks in advance
EASTER <-QUOTE}
Is there any point in using Heidi's Eraser with Sandboxie if I reboot the computer every morning and I use Shadow Defender too?
Peter2150
February 1st, 2008, 08:25 AM
{QUOTE-> Is there any point in using Heidi's Eraser with Sandboxie if I reboot the computer every morning and I use Shadow Defender too? <-QUOTE}
I would say no, but it depends on what you do, and your paranoia level. I don't use any secure delete.
Pete
MikeNAS
February 1st, 2008, 10:42 AM
{QUOTE-> Greetings Again innerpeace:
I agree that many new improvements now stand out, making SandboxIE even more configurable as well as increasing solid protection.
Do you happen to know the command line, or if it still can be used, to have ERASER fill in as the sandbox's default deleter? I know I have run across that post before at the SandboxIE forums but cannot find it again.
I believe it's a simple command line run thru the Invocation etc. Well, I think you know what I'm after.
Thanks in advance
EASTER <-QUOTE}
Here is that command (example):
"c:\Program Files\Eraser\eraserl.exe" -folder "%SANDBOX%" -subfolders -method DoD -results -queue
Usage of eraserl:
eraserl [Data] [Method] [-silent | -results | -resultsonerror ] [-queue] [-options]
Data:
  -file      data [-subfolders]
  -folder    data [-subfolders] [-keepfolder]
  -disk      drive: | all
  -recycled
Method:
  -method    Gutmann | DoD | DoD_E | Random passes | Library
Parameters:
  -file            The data to erase is a file (wildcards may be used)
  -subfolders      Include subfolders
  -folder          The data to erase is files in a folder
  -subfolders      Include subfolders
  -keepfolder      Do not delete the folder
  -disk            The data to erase is unused space on a drive or all local hard drives (all)
  -recycled        Erase all data in the Recycle Bin
  -silent          Do not show any windows
  -results         Show Erasing Report
  -resultsonerror  Show Erasing Report only in case of error
  -queue           Wait until previous instances have finished
  -options         Ignore all other valid parameters and show Erasing Preferences window
EASTER
February 2nd, 2008, 10:40 AM
Thank You Much
That will prove very helpful.
As suggested by Pete, the secure erase with ERASER is more an individual decision since it's been a normal routine of mine for years to wipe individual files/folders just to be sure they're unrecoverable.
SandboxIE's use of Micro's delete is sufficient of course but i prefer to wipe the contents of the sandbox.
boberang
February 8th, 2008, 01:29 PM
OK, I don't think this was asked earlier in the thread but a couple posts indicated that Shadow User Pro does NOT protect against low level threats....isn't that a major negative for it to still be considered functional? Maybe I am missing something.
As an owner/user of Shadowuser Pro for a couple years I hadn't looked at the new kids on the block as I don't mind rebooting to enter/exit shadow mode.
However, with the discussion of Shadowuser Pro missing low level stuff, would it be advisable to use Returnil during suspicious times (when you think you may be more at risk)? And if so, say I have 2 hours in Shadow mode then turn on Returnil because I am going to test or do something risky....will there be conflicts with what Returnil does and the exception list of Shadow User Pro on that first 2 hours?
If ShadowUser Pro can still be my clothing in summer and I only need the parka of the free Returnil when I fly to Alaska for a short time, that is great. If I need the parka all the time as the clothes Shadowuser Pro provides are no longer sufficient, I have a headache of reconfiguration and re-training of users on my hand.
Oh, and maybe I should use Sandboxie as mittens every now and then, with or without the parka, depending on how cold or bitter cold it is. ;-)
yankinNcrankin
February 8th, 2008, 02:51 PM
I think it would be better to ask your question without using such analogies, and get straight to your point or are you looking for confirmation to something you already know?
boberang
February 8th, 2008, 03:37 PM
{QUOTE-> I think it would be better to ask your question without using such analogies, and get straight to your point or are you looking for confirmation to something you already know? <-QUOTE}
The analogies came from the previous page, so it was just a continuation. No, I don't know the answer. Without the analogies the question is:
A) Given that people have stated Shadowuser Pro does not protect against low level writes does that make it significantly more vulnerable for most use and one should look elsewhere for an updated product?
B) Or for average consumer use is Shadowuser Pro still a good solution, but perhaps during times of more robust / higher risk use would it be advisable to use Returnil for additional protection and layer against low level writes? And if so, would it conflict in any way with the excepted files from the Shadowmode of Shadow User Pro?
I am hoping first and foremost the low level vulnerability of ShadowUser pro is insignificant, in lieu of that I hope option B) is viable. I really do not want to have to migrate completely to another product as the main lightweight virtual defense as Shadowuser pro is what people are used to, and its exception capabilities and use on multiple drives is a benefit.
Bollo
February 8th, 2008, 08:39 PM
First of all, I want to say HI to everyone here in Wilders Security Forums...this is the FIRST site I visit to take a recommendation or advice about something I found in the web...
I always entered this site as a guest, like many people here, but the difference is that I did that a lot of times without even saying "thanks" to somebody who had the same problem and another one solved it..
Well, I'm replying here because I'm having some questions about this "light virtualizations" programs...
The Thing or better say my DOUBT is about their way to protect the hard disk..
Can this software make your hard drives fail?! Because at least I'm testing Returnil (beta) with my system and I got that doubt..
It seems that some friends installed Deep Freeze or another virtualization program and they had problems with their hard drives. It seems that the program made exhaustive writes and reads in the disk in the same sectors, like Returnil does in a file that occupies a fixed size in the disk.
So my question is if that kind of program makes too many writes in the same location many times, causing the hard drive to fail.
That's all for the beginning...i will be here from now on.
Thanks in advance.
Bollo
BlueZannetti
February 8th, 2008, 08:50 PM
{QUOTE-> Without the analogies the question is:
A) Given that people have stated Shadowuser Pro does not protect against low level writes does that make it significantly more vulnerable for most use and one should look elsewhere for an updated product? <-QUOTE}At present, probably not. However, it really depends upon whether that approach becomes a significant generalized mechanism in the future. If you already own ShadowUser, it is a very decent solution. If you're currently looking, the more recently developed solutions will generally be better since they can and will adapt to recent developments.
{QUOTE-> B) Or for average consumer use is Shadowuser Pro still a good solution, but perhaps during times of more robust / higher risk use would it be advisable to use Returnil for additional protection and layer against low level writes? And if so, would it conflict in any way with the excepted files from the Shadowmode of Shadow User Pro <-QUOTE}If you're talking of mixing multiple light virtualization products, I'd recommend against it. Go with the best single solution from the start.
{QUOTE-> I am hoping first and foremost the low level vulnerability of ShadowUser pro is insignificant, in lieu of that I hope option B) is viable. I really do not want to have to migrate completely to another product as the main lightweight virtual defense as Shadowuser pro is what people are used to, and its exception capabilities and use on multiple drives is a benefit. <-QUOTE}Of the current options, ShadowDefender is the closest in this regard, save for the inability to have a shadow session span across restarts.
Blue
BlueZannetti
February 8th, 2008, 08:57 PM
{QUOTE-> Can this software make your hard drives fail?! Because at least I'm testing Returnil (beta) with my system and I got that doubt.. <-QUOTE}If you mean fail in the hardware sense, no. If you mean fail in the driver sense, I've not seen that happen. As with any application, conflicts can and do occur.
{QUOTE-> It seems that some friends installed Deep Freeze or another virtualization program and they had problems with their hard drives. It seems that the program made exhaustive writes and reads in the disk in the same sectors, like Returnil does in a file that occupies a fixed size in the disk.
So my question is if that kind of program makes too many writes in the same location many times, causing the hard drive to fail. <-QUOTE}Fundamentally, this shouldn't be an issue. The situation is no different than any disk location which is extensively utilized. A hard drive, like any other device - particularly a device with moving parts - has a finite lifetime. But the activity connected to virtualization is really no different than normal use.
Blue
Bollo
February 8th, 2008, 10:40 PM
Thanks for the quick reply BlueZannetti...
Well that was more a curiosity than an issue, at least, for me, because it's interesting how they save the changes in specific sectors and then "write" it to a "virtual file" that will be discarded when you reboot the machine. That's what makes me think about the many overwrites in the same sectors where Returnil's file is. :D
Quite interesting these programs...
Also, sorry for my English, it's not native, but I hope it's understandable. :P
I'm from Tarija (South America) where we speak Spanish.
Bollo
BlueZannetti
February 8th, 2008, 10:53 PM
{QUOTE-> Well that was more a curiosity than an issue, at least, for me, because it's interesting how they save the changes in specific sectors and then "write" it to a "virtual file" that will be discarded when you reboot the machine. That's what makes me think about the many overwrites in the same sectors where Returnil's file is. :D <-QUOTE}Which is basically no different than what happens to a drive without Returnil or any of these other products.
{QUOTE-> Also, sorry for my English, it's not native, but I hope it's understandable. :P
I'm from Tarija (South America) where we speak Spanish. <-QUOTE}It's quite understandable, no problem at all...
and welcome to Wilders as a member!
Blue
Coldmoon
February 8th, 2008, 10:57 PM
{QUOTE-> Thanks for the quick reply BlueZannetti...
Well that was more a curiosity than an issue, at least, for me, because it's interesting how they save the changes in specific sectors and then "write" it to a "virtual file" that will be discarded when you reboot the machine. That's what makes me think about the many overwrites in the same sectors where Returnil's file is. :D
Quite interesting these programs...
Also, sorry for my English, it's not native, but I hope it's understandable. :P
I'm from Tarija (South America) where we speak Spanish.
Bollo <-QUOTE}
Hi Bollo,
The cache file is only created and used when you select the Disk cache method. You can switch to the Memory cache method at any time using the repair feature in the Uninstaller without having to uninstall/reinstall.
Another aspect of the duality is that if the Disk cache were to ever become damaged or corrupt, RVS will switch immediately to Memory cache so you do not lose System Protection/Session Lock.
With kind regards
Mike
Bollo
February 9th, 2008, 06:51 AM
Thanks BlueZannetti for the Welcome and Coldmoon for the explanation, will be posting more curiosities at the Returnil's Beta Thread...
Thanks