Wilders Security Forums > Software, Hardware and General Services > sandboxing & virtualization

#1
September 22nd, 2012, 10:02 PM
Flexigav (Regular Poster; Join Date: Sep 2012; Location: Australia; Posts: 57)
Battle of the security programs...who wins?

Many programs create virtual disks that are initiated first in the start-up line. It would seem pointless starting a system virtualization process after other processes have already been engaged, especially if they are of malicious intent!

So I can only assume programs that set up virtual environments like Shadow Defender, Deep Freeze, Time Machine, Returnil, WTF etc, do so before any other programs are executed at start-up.

If my assumption is correct, then if more than one is enabled at the same time, who would get in first! It is a rhetorical question really. The real question is can any other program be loaded, executed and even have internet access before the virtual program kicks in at start up? Could one be stealthy working on your real OS in the background, while you work in the virtual environment unaware of what is happening in the real environment, because it got in first—before the virtual session was started! It might even have delayed the implementation of that virtual environment session for a few seconds to give it time to make a stealthy internet connection! Really a discussion more than a question!
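The worry in the post above can be checked rather than guessed at: on Windows the kernel loads boot-start drivers from the registry in a fixed group order, and a light virtualizer's filter driver has a known place in that order. The script below, added here as an example and not taken from the thread or from any product named in it, lists the drivers that start ahead of a chosen driver. It ranks groups by the real ServiceGroupOrder list, but within a group it sorts on the raw Tag value instead of consulting Control\GroupOrderList (a simplification). The offline sample data is constructed: the group list is a subset of the real one, and driver names prefixed example_ are placeholders.

```python
"""Added example (not from the thread): which kernel drivers start before a
given driver on Windows.

Boot-start drivers (Start = 0) are loaded by the kernel before any user-mode
program runs.  Their order is decided by the driver's Group, ranked by the
List value under HKLM\\SYSTEM\\CurrentControlSet\\Control\\ServiceGroupOrder,
and within a group by Tag (the kernel consults Control\\GroupOrderList for the
tag sequence; this example sorts on the raw Tag value, a simplification).
Driver names prefixed "example_" are placeholders, not real products.
"""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    start: int        # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    svc_type: int     # 1 kernel driver, 2 file-system driver, 0x10/0x20 user-mode service
    group: str = ""
    tag: int = 0


DRIVER_TYPES = {1, 2}


def load_order(services, group_order):
    """Boot-start and system-start drivers in approximate kernel load order."""
    rank = {g.lower(): i for i, g in enumerate(group_order)}
    unknown = len(rank)  # drivers with no listed group come after every listed group
    drivers = [s for s in services if s.svc_type in DRIVER_TYPES and s.start in (0, 1)]
    return sorted(
        drivers,
        key=lambda s: (s.start, rank.get(s.group.lower(), unknown), s.tag, s.name.lower()),
    )


def loaded_before(services, group_order, target):
    """Names of the drivers that start ahead of `target`."""
    names = [s.name for s in load_order(services, group_order)]
    if target not in names:
        raise ValueError(f"{target} is not a boot- or system-start driver")
    return names[: names.index(target)]


# Constructed sample: a subset of the real group list plus a few drivers.
SAMPLE_GROUP_ORDER = [
    "System Reserved", "Boot Bus Extender", "System Bus Extender", "SCSI miniport",
    "Port", "Primary Disk", "SCSI Class", "Filter", "Boot File System", "Base",
    "File System", "Video Init", "NDIS", "TDI", "PNP_TDI",
]
SAMPLE_SERVICES = [
    Service("Ntfs", 0, 2, "Boot File System"),
    Service("example_virtdisk", 0, 1, "Filter", tag=3),  # placeholder virtualizer driver
    Service("disk", 0, 1, "SCSI Class", tag=1),
    Service("volmgr", 0, 1, "System Bus Extender", tag=1),
    Service("pci", 0, 1, "Boot Bus Extender", tag=1),
    Service("Beep", 1, 1, "Base"),
    Service("example_late", 1, 1, "Base"),               # placeholder system-start driver
    Service("Spooler", 2, 0x10),                          # user-mode service, never a driver
]


def collect_services():
    """Read the live registry (Windows only) and return (services, group_order)."""
    import winreg

    root = r"SYSTEM\CurrentControlSet"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root + r"\Control\ServiceGroupOrder") as key:
        group_order = list(winreg.QueryValueEx(key, "List")[0])
    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root + r"\Services") as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                sub = winreg.OpenKey(key, name)
            except OSError:
                continue  # a few service keys are not readable by normal users
            with sub:
                def value(v, default):
                    try:
                        return winreg.QueryValueEx(sub, v)[0]
                    except FileNotFoundError:
                        return default
                services.append(Service(name, value("Start", 4), value("Type", 0),
                                        value("Group", "") or "", value("Tag", 0)))
    return services, group_order


if __name__ == "__main__":
    if sys.platform == "win32":
        svcs, order = collect_services()
    else:
        svcs, order = SAMPLE_SERVICES, SAMPLE_GROUP_ORDER
    for s in load_order(svcs, order):
        print(f"start={s.start} group={s.group or '-':22} tag={s.tag:<3} {s.name}")
```

On a Windows host the script reads the live registry; elsewhere it falls back to the constructed sample. Drivers in the same group or an earlier one than the virtualizer are the only code that runs before it, and no user-mode program, a browser included, starts before any of them. Something that "got in first" would therefore have to be a boot-start driver itself, which is the compromised-system case the replies below describe.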
#2
September 23rd, 2012, 02:36 AM
pegr (Very Frequent Poster; Join Date: Apr 2008; Location: UK; Posts: 1,608)
Re: Battle of the security programs...who wins?

Quote:
Originally Posted by Flexigav
Many programs create virtual disks that are initiated first in the start-up line. It would seem pointless starting a system virtualization process after other processes have already been engaged, especially if they are of malicious intent!
I understand the point you are making in relation to trusted system processes, but the question is wide of the mark concerning the way in which virtualization software protects the system against malware.

Virtualization software can't be relied on to protect the system against malware that has already been installed outside of the virtual environment. If the user has allowed the real system to become compromised then remedial action needs to be taken to remove the malware.

This post by chris1341 makes a similar point in relation to Sandboxie: http://www.wilderssecurity.com/showp...4&postcount=28
__________________
Windows Firewall - avast! Free Antivirus - AppGuard - Shadow Defender - Sandboxie - Acronis True Image

Last edited by pegr : September 23rd, 2012 at 02:45 AM.
#3
September 23rd, 2012, 10:24 AM
Flexigav (Regular Poster; Join Date: Sep 2012; Location: Australia; Posts: 57)
Re: Battle of the security programs...who wins?

Yes you would be right. My question was based on the paranoia of malware slipping in before you have a chance to initiate your virtual environment, but that would in all likelihood only happen as you say; after you have already been compromised and for that the ultimate peace of mind is backup!

Cheers
#4
October 25th, 2012, 06:57 AM
LockBox (Very Frequent Poster; Join Date: Nov 2004; Posts: 2,081)
Re: Battle of the security programs...who wins?

Quote:
Originally Posted by pegr
I understand the point you are making in relation to trusted system processes, but the question is wide of the mark concerning the way in which virtualization software protects the system against malware.

Virtualization software can't be relied on to protect the system against malware that has already been installed outside of the virtual environment. If the user has allowed the real system to become compromised then remedial action needs to be taken to remove the malware.

This post by chris1341 makes a similar point in relation to Sandboxie: http://www.wilderssecurity.com/showp...4&postcount=28

I run Faronics AE (Anti-Executable) along with Deep Freeze. I think your scenario is highly unlikely if your virtualized system is setup with the virtual app and a whitelisted AE.

#5
October 26th, 2012, 04:24 AM
pegr (Very Frequent Poster; Join Date: Apr 2008; Location: UK; Posts: 1,608)
Re: Battle of the security programs...who wins?

Quote:
Originally Posted by LockBox
I think your scenario is highly unlikely if your virtualized system is setup with the virtual app and a whitelisted AE.
And that's precisely the point I was making. When using light virtualization as part of a layered defense, malware is unlikely to get onto the system unintentionally so the question raised by the OP as to whether a malware process gets loaded before the virtualizer is hypothetical, and can be discounted for practical purposes.
__________________
Windows Firewall - avast! Free Antivirus - AppGuard - Shadow Defender - Sandboxie - Acronis True Image
#6
October 26th, 2012, 04:46 AM
PJC (Very Frequent Poster; Join Date: Feb 2010; Location: Internet; Posts: 2,962)
Battle of the security programs...who wins?

Many people I know have stayed Malware-Free by using the FREE combo: Returnil + Sandboxie.
#7
October 26th, 2012, 02:04 PM
umbrapolaris (Frequent Poster; Join Date: Feb 2011; Location: Nha Trang, Vietnam; Posts: 384)
Re: Battle of the security programs...who wins?

Reinstall a clean system, install Rollback RX, then Shadow Defender, then your AVs/FWs/suite.
__________________
Win7 Firewall |Webroot SA Complete (Beta) |ExeRadarPro | Sandboxie Free | Shadow Defender | AX64 Time Machine | Rollback RX |

#8
October 26th, 2012, 03:16 PM
Mman79 (Very Frequent Poster; Join Date: Sep 2012; Location: North America; Posts: 1,678)
Re: Battle of the security programs...who wins?

Quote:
Originally Posted by Mr.PC
Many people I know have stayed Malware-Free by using the FREE combo: Returnil + Sandboxie.

I don't see a lot of point in running both, and neither works for programs that require restarts (I think that is still the case). From an ease of use and coverage standpoint, I would give Returnil the advantage...if it were not for the fact that it has more than once let files and other leftovers leak onto the real system. It's an annoyance for harmless leftovers; it's a problem if malware gets out of there.
#9
October 26th, 2012, 04:37 PM
bo elam (Very Frequent Poster; Join Date: Jun 2010; Posts: 1,041)
Re: Battle of the security programs...who wins?

Quote:
Originally Posted by Mman79
...if it were not for the fact that it has more than once let files and other leftovers leak onto the real system. It's an annoyance for harmless leftovers; it's a problem if malware gets out of there.
That's one of the reasons why I use Sandboxie for security and prefer to use LV programs (I use WTF/TTF) for trying other programs only.

Bo
#10
October 26th, 2012, 07:38 PM
Quassar (Infrequent Poster; Join Date: Oct 2011; Posts: 11)
Re: Battle of the security programs...who wins?

I still don't know which I should use on my 64-bit SSD :/

For HDD the answer is easy: "Shadow Defender" pwns all, time to exit Diskshot, but it is not yet available in an EN version.

I'd prefer a list with "+" and "-" (e.g. 64-bit support, SSD disk)
for each specific program, like on antivirus and firewall comparison sites.
Can some advanced user try to do it?

BTW... how many disk virtualization programs do we have to choose from?

Shadow Defender
Returnil Virtual System
Wondershare Time Freeze
ShadowProtect
Toolwiz Time Freeze
DeepFreeze
Diskshot
#11
October 27th, 2012, 05:59 AM
PJC (Very Frequent Poster; Join Date: Feb 2010; Location: Internet; Posts: 2,962)
Battle of the security programs...who wins?

Quote:
Originally Posted by Mman79
I don't see a lot of point in running both
Extra Layer of protection...
#12
October 27th, 2012, 06:39 AM
pegr (Very Frequent Poster; Join Date: Apr 2008; Location: UK; Posts: 1,608)
Re: Battle of the security programs...who wins?

Quote:
Originally Posted by Mman79
I don't see a lot of point in running both, and neither work for programs that require restarts (I think that is still the case.).
Whilst it is true that neither can be used to test software that requires a restart to install, they can be usefully combined because they are different types of program with different features.

Because Sandboxie is an application sandbox with comprehensive policy restriction features that works at the file system level, it is ideally positioned as a browser protection utility. It can be used for testing software that doesn't require a reboot, but not for software that installs a device driver or service.

Light virtualization programs, such as Returnil, that work at the disk sector level can be used to test software that installs a device driver or service, providing no restart is required. Because disk virtualization programs work below the level of the file system, they don't require updating as frequently as application sandboxes to stay compatible with updates to other application software such as browsers, etc. By keeping the system partition virtualized during normal use, the real system only changes when the user reboots to exit the virtual system in order to apply software installs and updates. For people who like to manage system change in this way, disk virtualization is a good option.

I combine Sandboxie and Shadow Defender, and find both useful for different purposes.
__________________
Windows Firewall - avast! Free Antivirus - AppGuard - Shadow Defender - Sandboxie - Acronis True Image
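pegr's distinction above between a file-level application sandbox and a sector-level light virtualizer, modelled in Python as an added example that is not the thread's or any product's code. The toy ShadowDisk redirects sector writes to an overlay that a reboot discards unless committed, so a driver install that only takes effect after a reboot can never be tested inside it; the toy AppSandbox redirects file writes into a container that can be emptied or recovered from per file with no reboot at all. It also illustrates the earlier point by Mman79: in this model the only route by which a session's writes reach the real disk is an explicit exclusion list, which is the first thing to audit when a real virtualizer lets files "leak". Sector numbers, the container layout and all sample bytes are constructed.

```python
"""Added example (not from the thread): toy models of a sector-level light
virtualizer (ShadowDisk) and a file-level application sandbox (AppSandbox).
Sector numbers, container layout and sample bytes are constructed.
"""
from pathlib import PureWindowsPath

SECTOR = 512  # bytes per sector in this model


class ShadowDisk:
    def __init__(self, base, excluded=()):
        self.base = dict(base)          # the real disk: sector number -> bytes
        self.overlay = {}               # redirected writes while the shadow is active
        self.excluded = set(excluded)   # sectors the user excluded from virtualization
        self.pending_reboot = False

    def read(self, sector):
        # Reads see the overlay first, then the real disk (copy-on-write view).
        return self.overlay.get(sector, self.base.get(sector, b"\0" * SECTOR))

    def write(self, sector, data):
        if len(data) != SECTOR:
            raise ValueError("writes are whole sectors")
        if sector in self.excluded:
            self.base[sector] = data    # excluded: persists whatever happens at reboot
        else:
            self.overlay[sector] = data

    def install_driver(self, sector, image):
        # A driver install writes its image now but only takes effect after a reboot,
        # which is exactly the moment a discarded overlay throws the install away.
        self.write(sector, image)
        self.pending_reboot = True

    def reboot(self, commit=False):
        if commit:
            self.base.update(self.overlay)   # the user chose to apply this session's changes
        self.overlay.clear()
        self.pending_reboot = False


class AppSandbox:
    def __init__(self, container=r"C:\Sandbox\DefaultBox"):
        self.container = PureWindowsPath(container)   # constructed container root
        self.real = {}   # path -> bytes on the real file system
        self.box = {}    # redirected path -> bytes inside the container

    def redirect(self, path):
        # Map C:\dir\file to <container>\drive\C\dir\file (assumed layout).
        p = PureWindowsPath(path)
        return str(self.container / "drive" / p.drive[0] / p.relative_to(p.anchor))

    def write(self, path, data):
        self.box[self.redirect(path)] = data   # never touches self.real

    def read(self, path):
        return self.box.get(self.redirect(path), self.real.get(path))

    def recover(self, path):
        # The user explicitly copies one file out of the box onto the real system.
        self.real[path] = self.box.pop(self.redirect(path))

    def delete_contents(self):
        self.box.clear()


def shadow_session(commit):
    """Run one shadowed session and report what survived the reboot."""
    sys_sector, data_sector = 100, 5000
    disk = ShadowDisk({sys_sector: b"\0" * SECTOR}, excluded={data_sector})
    disk.install_driver(sys_sector, b"\x4d" * SECTOR)   # a driver image (constructed bytes)
    disk.write(data_sector, b"\x44" * SECTOR)           # a document saved to an excluded area
    disk.reboot(commit=commit)
    return {
        "driver_persisted": disk.read(sys_sector) == b"\x4d" * SECTOR,
        "document_persisted": disk.read(data_sector) == b"\x44" * SECTOR,
    }


def sandbox_session():
    """A sandboxed program writes a file; the user recovers it, then empties the box."""
    sb = AppSandbox()
    target = r"C:\Program Files\tool\tool.exe"
    sb.write(target, b"MZ")
    redirected_to = sb.redirect(target)
    real_before = sb.real.get(target)
    sb.recover(target)
    sb.delete_contents()
    return {"redirected_to": redirected_to, "real_before_recover": real_before,
            "real_after_recover": sb.real.get(target), "box_empty": not sb.box}


if __name__ == "__main__":
    print("shadow, discard:", shadow_session(commit=False))
    print("shadow, commit: ", shadow_session(commit=True))
    print("sandbox:        ", sandbox_session())
```

The two session functions make the contrast concrete: a discarded shadow session keeps the excluded document but loses the driver, a committed one keeps both, and the sandbox never changes the real system until the user recovers a file by name.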
 
