Wilders Security Forums  

#26 - December 31st, 2007, 11:24 AM
BlueZannetti (Administrator; Join Date: Oct 2003; Posts: 6,589)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by ErikAlbert
You only need an AV to verify NEW objects and your local AV is just not good enough.
Erik,

That's your opinion and I believe you're wrong. It appears that anything less than a 100% guarantee of coverage is not enough in your mind, and if you're exposed to 100% of the malware in existence, that's true. However, I'm not exposed to 100% of the malware in existence, so I'll take my chances with current and pragmatic solutions.

Quote:
In that case I would prefer to use VirusTotal and Jotti, which uses 30+ scanners to verify a NEW object with the limit of 10mb, which is again an incomplete solution, which is very typical for security.
Again, I'm approaching this from an actual use situation. In that case, I view every step that requires a user-initiated action to be a liability. For example, in comparing user-initiated on-demand scanning vs. realtime monitoring, the result is the same if the same settings are used, but the former requires the user to deliberately initiate the scan while the latter happens as a matter of course. That renders the latter approach more robust in most hands over time. Both approaches work, but it comes back to a concept we've discussed time and time again: user discipline. My experience is that situations occur in which users lose discipline; they happen with me and they likely happen with you. For that reason, I believe that approaches which are predicated on maintaining a high level of discipline should be avoided by most users.

Blue
#27 - December 31st, 2007, 11:44 AM
Long View (Very Frequent Poster; Join Date: Apr 2004; Location: Cromwell Country; Posts: 2,295)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by trjam
I agree, even though some may not, that using any of these types of products are only enhanced by using a AV. Actually the AV comes first, then this type of product. A very good combo.

Sorry to disagree, but my systems would not be enhanced by an AV; they would simply be slowed down by an outdated idea. The virus that is going to get me one day will not be one of the X billion on the white list but a new one that sneaks through. If Returnil or DeepFreeze work "properly" the virus will be gone at reboot. If Returnil or DeepFreeze do not work then I restore an image. If that doesn't work then I rebuild.

What is the point of light virtualization if we add back all the AV, AS, HIP, firewall, anti-exec security?
__________________
Security Setup : Firefox, Shadow Protect, Shadow Defender, Netgear DG834,
#28 - December 31st, 2007, 11:47 AM
trjam (Incredibly Massive Poster; Join Date: Aug 2006; Location: North Carolina; Posts: 8,615)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Well, yes and no. On my laptop I only use SD. It is turned off and on frequently. On my desktop it is left on for a few before ever rebooting, so I am only using Avira for the guard, just to tell me if something pops up and I need to reboot. I don't scan with it and no, it won't catch everything, but it really doesn't slow anything down, so it is like added insurance.
__________________
Eset Antivirus
#29 - December 31st, 2007, 11:51 AM
ErikAlbert (Incredibly Massive Poster; Join Date: Jun 2005; Posts: 9,456)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Blue,
What discipline? I only have to reboot and every change is gone.
If I open Firefox to surf on the internet, it's automatically sandboxed and my data partition is locked automatically.
The only problem I still have is NEW objects; they require discipline if you want to install them permanently.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#30 - December 31st, 2007, 11:53 AM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Blue,

Would you try SafeSpacePersonal also? It can be configured to virtualise a partition (with a folder to save changes) as well as the default mode (Windows + Program Files directories).

Reason for asking is that I appreciate your contributions, and if you also evaluate SafeSpace, the criteria against which it is reported are more or less the same.

Thx
#31 - December 31st, 2007, 11:55 AM
BlueZannetti (Administrator; Join Date: Oct 2003; Posts: 6,589)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Long View
What is the point of light virtualization if we add back all the AV, AS, HIP, firewall, anti-exec security?
If one goes back and adds all that stuff again, you're right, it's pointless.

But here's an alternate scenario: rather than taking that AV (and only the AV) and maxing out its settings so that everything is scanned/monitored/sliced/diced in every way imaginable, use settings with a very light touch. Use one with a light touch to start with and keep the settings low. The impact will not be apparent, and if it is, find a solution in which it's not apparent.

Many users may not need even this level of intervention, and light virtualization alone will suffice. It depends on personal usage patterns. It's not unlike folks who successfully run without an AV or any other elaborate setup at the moment: that works for some, but not others.

Light virtualization is simply one possible avenue to use to simplify and remain secure at the same time.

Blue
#32 - December 31st, 2007, 11:59 AM
BlueZannetti (Administrator; Join Date: Oct 2003; Posts: 6,589)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by ErikAlbert
Blue,
What discipline?

{snip}

The only problem I still have is NEW objects; they require discipline if you want to install them permanently.
Precisely my point. The discipline that you've just noted in the quote.

Blue
#33 - December 31st, 2007, 11:59 AM
BlueZannetti (Administrator; Join Date: Oct 2003; Posts: 6,589)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Kees1958
Blue,

Would you try SafeSpacePersonal also? It can be configured to virtualise a partition (with a folder to save changes) as well as the default mode (Windows + Program Files directories).

Reason for asking is that I appreciate your contributions, and if you also evaluate SafeSpace, the criteria against which it is reported are more or less the same.

Thx
Perhaps later today or so. I have a clean partition that I can use.

Blue
#34 - December 31st, 2007, 12:00 PM
trjam (Incredibly Massive Poster; Join Date: Aug 2006; Location: North Carolina; Posts: 8,615)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

And that is how I have Avira set up: to only scan defined files and the rest very light. I own it, it doesn't impact speed, so why not use it. You just never know when it might just...

Keep in mind, when the left and right were created, a middle was included too.
__________________
Eset Antivirus
#35 - December 31st, 2007, 12:28 PM
Coldmoon (Returnil Moderator; Join Date: Sep 2006; Location: North Carolina USA; Posts: 2,743)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by trjam
I agree, even though some may not, that using any of these types of products are only enhanced by using a AV. Actually the AV comes first, then this type of product. A very good combo.

It is not the AV you should concentrate on as there is not that much difference between the consistent leaders as far as overall protection is concerned. It is the scope of the AV's role that requires adjustment in a strategy that includes virtualization.

The emphasis moves from the need for constant monitoring on the local machine to one where analysis of incoming/new content should be the focus. Virtualization does not detect or distinguish between what is good and what is bad; you invoke the System Protection and all changes are treated equally based on the user's preferences (drop all changes, save some changes, or save all changes).

This leaves an important role open for an "expert analysis" solution somewhere in the chain, just not at the local machine level outside of regular in-depth verification scans (think of your weekly or nightly on-demand full system scan as reference). In every system you still require some form of feedback as to status and efficacy of the system itself...

Mike
#36 - December 31st, 2007, 12:29 PM
ErikAlbert (Incredibly Massive Poster; Join Date: Jun 2005; Posts: 9,456)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by BlueZannetti
Precisely my point. The discipline that you've just noted in the quote.

Blue
That is exactly the discipline that EVERY USER has to practice when he installs NEW objects, no matter what security he has.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#37 - December 31st, 2007, 12:32 PM
trjam (Incredibly Massive Poster; Join Date: Aug 2006; Location: North Carolina; Posts: 8,615)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Coldmoon
It is not the AV you should concentrate on as there is not that much difference between the consistent leaders as far as overall protection is concerned. It is the scope of the AV's role that requires adjustment in a strategy that includes virtualization.

The emphasis moves from the need for constant monitoring on the local machine to one where analysis of incoming/new content should be the focus. Virtualization does not detect or distinguish between what is good and what is bad; you invoke the System Protection and all changes are treated equally based on the user's preferences (drop all changes, save some changes, or save all changes).

This leaves an important role open for an "expert analysis" solution somewhere in the chain, just not at the local machine level outside of regular in-depth verification scans (think of your weekly or nightly on-demand full system scan as reference). In every system you still require some form of feedback as to status and efficacy of the system itself...

Mike
Totally agree, and good post.
__________________
Eset Antivirus
#38 - December 31st, 2007, 12:45 PM
BlueZannetti (Administrator; Join Date: Oct 2003; Posts: 6,589)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Coldmoon
It is not the AV you should concentrate on as there is not that much difference between the consistent leaders as far as overall protection is concerned. It is the scope of the AV's role that requires adjustment in a strategy that includes virtualization.
An important detail to be sure, and one that underscores that any systemic approach has to examine the roles of each part, and that as a user's approach evolves, interdependent parts may need to change.

Blue
#39 - December 31st, 2007, 12:50 PM
BlueZannetti (Administrator; Join Date: Oct 2003; Posts: 6,589)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by ErikAlbert
That is exactly the discipline that EVERY USER has to practice when he installs NEW objects, no matter what security he has.
True, but you are explicitly ignoring what I view as an important distinction, and that's whether the discipline involves an active user-initiated event or not.

One can accomplish the same end result either with a passive safety net provided in the environment or by having the user explicitly invoke that safety net as an exception when they deem it is needed.

Blue
#40 - December 31st, 2007, 01:04 PM
Coldmoon (Returnil Moderator; Join Date: Sep 2006; Location: North Carolina USA; Posts: 2,743)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Acadia
Layers! Why can't the old technology peacefully co-exist with the new. Heck, NOD and Boclean both put together use next to none resources on my system. I say that as long as a system has the power, why not play it even safer and add even more layers.

Acadia

I would caution that layers for the sake of layers is not the way to go. Complexity for its own sake can become self-defeating when looked at in the extreme. Layers are about balance and management of risk rather than being a brute force approach...

Your goal should be the best line-up with the fewest resources based on your individual needs as one size does not fit all...

Mike
#41 - December 31st, 2007, 01:04 PM
BlueZannetti (Administrator; Join Date: Oct 2003; Posts: 6,589)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Acadia
Layers! Why can't the old technology peacefully co-exist with the new. Heck, NOD and Boclean both put together use next to none resources on my system. I say that as long as a system has the power, why not play it even safer and add even more layers.
Layers, to a point, are good. However, I think we've all seen many cases in which layering, without taking the time to assess what was being layered on top of an existing configuration, resulted in some very unfortunate outcomes, up to and including lost data and the need to perform a complete reinstall of a system.

It's important to keep the point made by ColdMoon in front at all times. You are creating a system in which there are clear, as well as hidden, interdependencies. Changing one part may necessitate adjusting how the other parts are used (or that they are possibly no longer used).

Blue
#42 - December 31st, 2007, 01:43 PM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,624)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by BlueZannetti
DeepFreeze provides a related product approach that bears a strong relation to Returnil/PowerShadow/ShadowDefender/ShadowUser Pro, with the primary difference that the implicit system state is presumed to be primarily static as opposed to primarily dynamic.
I've added some thoughts on using Deep Freeze Standard Version for home use:

http://www.urs2.net/rsj/computing/te....html#thoughts


----
rich
#43 - December 31st, 2007, 02:04 PM
BlueZannetti (Administrator; Join Date: Oct 2003; Posts: 6,589)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Kees1958
Blue,

Would you try SafeSpacePersonal also? It can be configured to virtualise a partition (with a folder to save changes) as well as the default mode (Windows + Program Files directories).

Reason for asking is that I appreciate your contributions, and if you also evaluate SafeSpace, the criteria against which it is reported are more or less the same.

Thx
Kees1958,

Here's what I see; bear in mind that this was a quick examination:
  • First of all, applications such as SectorEditor will not successfully launch if launched as a SafeSpace protected application.
  • If the application per se is not protected, it will launch and run as expected.
  • If I virtualize the boot partition (D:\ in this case on physical disk 1) I can perform low-level sector edits (of the MBR for example) on this partition. The edits performed are simple ones that will not impact functionality (basically text strings that are part of the MBR). They survive a restart, so these are permanent changes on the disk. The situation is probably not a lot different than that seen with ShadowDefender; it's a specific case that has to be handled that was not a part of the initial design objective. I've not used this application extensively and haven't read through the documentation, so I hope that I've not configured it inappropriately.
Blue
#44 - December 31st, 2007, 02:08 PM
Long View (Very Frequent Poster; Join Date: Apr 2004; Location: Cromwell Country; Posts: 2,295)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Acadia
Correct, if we're talking about adding 5 anti-virus and three firewalls, obviously it is absurd and self-defeating. I'm talking about only one of each type of software; I'd feel naked without my av or hips or sandbox or anti-spyware.

Acadia

Each user makes his/her own decisions. My question is "why would you or anyone feel naked without an AV, HIPS, Sandbox, AS, AT, Software Firewall...?" If the answer for each piece of software used is "well, last week my AS picked up XXXX" and "last month my HIPS reported ZZZZ" then using that software would make sense to me. If I had ever seen a real-life virus, if I had ever downloaded a program with spyware, if I had ever had a software firewall tell me that a program that I had not authorized was trying to communicate with... If I had ever had any of these problems I might still run these types of programs, BUT as I haven't, I don't (see sig for security details).

As I have no idea as to how others operate or their degree of discipline, I am NOT saying that everyone should surf naked. I am saying that it is possible, and suggesting that everyone require that any program run earns its keep and has a real reason for being there. I like DeepFreeze and Returnil. I prefer them to Sandboxie. Others will prefer the reverse. Others will use both and add Anti-Executable. Others will add even more. All each user really ought to do is ask "how little do I need?" rather than trying to look like the Michelin Man.
__________________
Security Setup : Firefox, Shadow Protect, Shadow Defender, Netgear DG834,
#45 - December 31st, 2007, 02:19 PM
hammerman (Frequent Poster; Join Date: Jul 2007; Location: UK; Posts: 283)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

I'm looking at using Shadow Defender or Returnil but I know this is not going to give me total security on its own. I do know that they will do a good job of making sure that when I reboot my system, any nasties I have picked up since the last reboot are removed. Although that gives me a nice warm feeling that my clean system remains clean, I recognise it is not the whole answer. How do I know my system is clean in the first place and how do I keep it clean?

At some point in time I will have to change my system to install new applications. This is where I need an expert scanner to tell me that the new application contains no malware. Having passed this test, I would like to install the application but tag it as untrusted with limited rights, just in case. I would also like to keep an eye on all my applications for suspicious behaviour. If there were no suspicious behaviour detected for some time, I would conclude that my system is clean and the application is safe.

SD/Returnil do not provide analysis or monitoring capabilities. Without these, I think they may eventually be doing a good job restoring my system to a malware-infected state each day.
#46 - December 31st, 2007, 02:23 PM
lucas1985 (Global Moderator; Join Date: Nov 2006; Location: France, May 1968; Posts: 4,047)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Coldmoon
This leaves an important role open for an "expert analysis" solution somewhere in the chain, just not at the local machine level outside of regular in-depth verification scans (think of your weekly or nightly on-demand full system scan as reference). In every system you still require some form of feedback as to status and efficacy of the system itself...
Good remark. You should take measures to see if your strategy is working in the long run. If you don't take these measures, you will fall into blind faith (i.e. I reboot the system or wipe the sandbox and all problems are gone).
I replace regular on-demand scanning with integrity checking. It isn't a solution for the average user, but it's much more powerful than blacklist scanners.
In the end, all the strategies seem similar, with:
- Imaging: for the disaster scenario.
- Light virtualization/shadow softwares: regular cleaning (at reboot).
- On-demand scanning ("weak"), integrity checking/forensic analysis: is my strategy really working?
- Real-time AV/AM ("weak"), anti-exec, behav. blocker, HIPS, sandbox, LUA: daily battle with untrusted objects.
- Safe surfing/computing: brain-based content filtering (what should/shouldn't I run/accept/open/launch)
- Router: isolate your private LAN from the Internet.
Optional:
- Virustotal/Jotti/Threat Expert/Norman Sandbox: expert analysis of new objects (requires good discipline)
- Network access control (i.e personal firewall): only allow the necessary network comms and deny the rest (requires some network knowledge)
- Hardening: limiting/closing the entry points of malware and/or a failsafe measure to other security layers (excessive/incorrect hardening may cause that some functions/processes stop working properly)
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder".

"Perfect is the enemy of good enough". Voltaire.
#47 - December 31st, 2007, 02:52 PM
Fuzzfas (Very Frequent Poster; Join Date: Jun 2007; Posts: 2,754)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by lucas1985
I replace regular on-demand scanning with integrity checking. It isn't a solution for the average user, but it's much more powerful than blacklist scanners.

Hi Lucas. What program do you use for integrity checking?

Merci!
#48 - December 31st, 2007, 02:58 PM
Bubba (Global Moderator; Join Date: Apr 2002; Posts: 11,279)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
I'm talking about only one of each type of software; I'd feel naked without my av or hips or sandbox or anti-spyware
Sadly, we as security forums across the net have left the basics of secure surfing sitting on the corner while we rush to the nearest wally world to grab the latest fix of the week for our additional layer.

I realize that's far beyond the scope of this thread and will save the rest of my thoughts for a more appropriate thread... how one can surf safely without a resident AV or HIPS or sandbox or anti-spyware.

Bubba
#49 - December 31st, 2007, 03:02 PM
lucas1985 (Global Moderator; Join Date: Nov 2006; Location: France, May 1968; Posts: 4,047)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Fuzzfas
Hi Lucas. What program do you use for integrity checking?

Merci!
- Tiny Watcher
- Runscanner
- FileCRC
- IceSword
- Rootkit Unhooker.
Others are Rootkit Revealer, Rootkit Hook Analyzer, Autoruns, Hijackthis, Sentinel, FileMap, FileChecker, NIS File Check, etc
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder".

"Perfect is the enemy of good enough". Voltaire.
#50 - December 31st, 2007, 04:55 PM
Fuzzfas (Very Frequent Poster; Join Date: Jun 2007; Posts: 2,754)
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by lucas1985
- Tiny Watcher
- Runscanner
- FileCRC
- IceSword
- Rootkit Unhooker.
Others are Rootkit Revealer, Rootkit Hook Analyzer, Autoruns, Hijackthis, Sentinel, FileMap, FileChecker, NIS File Check, etc

Thanks Lucas. I use Tiny Watcher, IceSword and TrendMicro's Hijack This too.

You may also like this MD5 Checker, with an option to compare the files in a folder with the results of an older check. No installation needed; it runs from a folder. Freeware.

http://www.brandonstaggs.com/filecheckmd5/
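As an added illustration (not code from any poster or from the MD5 Checker linked above) of the integrity checking lucas1985 describes and the baseline-versus-later-check comparison Fuzzfas mentions: a Python script that hashes every file under a directory, saves that baseline, and on a later run reports files added, removed or modified. It also flags modified files whose timestamp did not move, which a timestamp-only "quick" check would miss. The directory layout and file contents in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_snapshot(root):
    """Map each regular file under root (relative POSIX path) to its hash, size and mtime."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks are skipped so a link cannot pull in files outside the tree
        stat = path.stat()
        snapshot[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": stat.st_size,
            "mtime": int(stat.st_mtime),
        }
    return snapshot


def save_snapshot(snapshot, out_file):
    Path(out_file).write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_snapshot(in_file):
    return json.loads(Path(in_file).read_text())


def compare(baseline, current):
    """Classify the differences between an earlier snapshot and a fresh one."""
    old_paths, new_paths = set(baseline), set(current)
    modified = sorted(
        p for p in old_paths & new_paths
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": modified,
        # Content changed but the timestamp did not: these deserve a closer look,
        # because a comparison based on mtime alone would report them as unchanged.
        "modified_same_mtime": [
            p for p in modified if baseline[p]["mtime"] == current[p]["mtime"]
        ],
    }


def demo():
    """Constructed scenario: snapshot a small tree, change it, compare against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tree"
        (tree / "sub").mkdir(parents=True)
        (tree / "a.txt").write_bytes(b"original")
        (tree / "sub" / "b.bin").write_bytes(b"\x00\x01")
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the scanned tree
        save_snapshot(build_snapshot(tree), baseline_file)

        # Changes after the baseline: rewrite a.txt but put its mtime back,
        # add c.txt, delete sub/b.bin.
        target = tree / "a.txt"
        old_mtime = target.stat().st_mtime
        target.write_bytes(b"tampered")
        os.utime(target, (old_mtime, old_mtime))
        (tree / "c.txt").write_bytes(b"new file")
        (tree / "sub" / "b.bin").unlink()

        return compare(load_snapshot(baseline_file), build_snapshot(tree))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For real use, keep the baseline file on read-only or removable media; a baseline stored on the protected partition can be edited along with the files it describes.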