Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

[MikeNAS]

I have readed this forum over a year now and I have tested lots of programs (av, as, hips, fw etc.). Nowadays I really like to use virtualization (+sandboxing). It's so easy to use and other users (my wife) likes it too. You don't have to know correct answer when something happens because everything is going back after reboot.

ATM I just use LUA+SRP with virtualization and sandboxing. So easy to use and users computer skills aren't so important.

-MikeNAS

[trjam]

Quote:

Originally Posted by Long View

Hi Blue

there is no doubt that a price has to be paid for most things in life - there is usually a trade off and I can see the attraction of a light av ( if such exists) combined with virtualization being preferable to a heavy but effective AV

Each person must do there own research and thinking.

In 1995/96 I started on dial up and used Norton. Over the next few years I went thru the Spyware blasters and Spybots and Adawares.............. and then one day I realised that I had never actually seen a virus and that the malware being reported was little more dangerous than the odd tracking cookie.

My security is listed in my sig. I do run on demand scans every so often and never find anything more dangerous than a false positive ( which I do report).

I am not recommending that every one thows away their real time AS/AV software fiewall, Hips Hops whatever. I am saying that it is possible to live quite happily without them and than any program imstalled on a machine needs to pay its way and not be just another layer of clothing - in case it gets cold.

Long View I like your setup. I am using a Netgear router, Firefox and Sandboxie. I am thinking of adding Deep Freeze. The funny thing is when I add Avira PE set to selective scanning and no pre-scheduled scans, it takes away nothing as far as speed. I have tested it several ways. I figure what does it hurt to keep it.

[lucas1985]

Quote:

Originally Posted by trjam

I figure what does it hurt to keep it.

Some of us are very sensitive to real-time scanning. As you see, it's more of a personal thing.

[trjam]

thanks lucas. I keep going round and round and no I can be a pain. I guess I am one of those old-schooled folks who just find it hard to give a AV when we have been taught from the start it is the way to go. Most of you are very astute and understand that with change comes new rewards and challenges. For the average user, I think the challenge part is the hump in making the move.

After taking ShadowDefender off for a week and trying other products, and going back to Avira, I learned two things. One, I missed SD becaue it was simple enough for me and the other is, that instead of preaching but listening to some of you, I realize giving up scanning doesnt have to be a large "hump.

[Threedog]

Very good thread for us computer security noobs. I decided to try the light virtulization/av route and am very pleased with the results so far. I know I could go without the av where it only takes emptying the sandbox or rebooting to get rid of stuff but I like the fact that it is there to tell me if something IS there to get rid of. I am still keeping SAS too but only running it on demand when I don't have Returnil turned on just to make sure that my underlying system isn't infected.
I may add Prevx to the mix. I already bought it a week ago, just waiting for my license to arrive. It would bug me too much to pay for it and not use it.

[trjam]

Quote:

Originally Posted by Threedog

Very good thread for us computer security noobs. I decided to try the light virtulization/av route and am very pleased with the results so far. I know I could go without the av where it only takes emptying the sandbox or rebooting to get rid of stuff but I like the fact that it is there to tell me if something IS there to get rid of. I am still keeping SAS too but only running it on demand when I don't have Returnil turned on just to make sure that my underlying system isn't infected.
I may add Prevx to the mix. I already bought it a week ago, just waiting for my license to arrive. It would bug me too much to pay for it and not use it.

when you "buy" a license from Prevx, it is emailed immediately.

[Threedog]

Quote:

Originally Posted by trjam

when you "buy" a license from Prevx, it is emailed immediately.

Errrrrr...not exactly. I used Pay Pal and they won't send me the license until it clears. I don't use credit cards so I gotta do it the slow way.

[innerpeace]

Quote:

Originally Posted by Threedog

Very good thread for us computer security noobs. I decided to try the light virtulization/av route and am very pleased with the results so far. I know I could go without the av where it only takes emptying the sandbox or rebooting to get rid of stuff but I like the fact that it is there to tell me if something IS there to get rid of. I am still keeping SAS too but only running it on demand when I don't have Returnil turned on just to make sure that my underlying system isn't infected.
I may add Prevx to the mix. I already bought it a week ago, just waiting for my license to arrive. It would bug me too much to pay for it and not use it.

I'm the same way. Maybe I'm just too nosey LOL. Seriously though, my AV doesn't seem to slow me down and I'm like you, I have it, so why not use it.

@ BlueZ, great thread and thanks. It's good to see virtualization getting more exposure.

[BlueZannetti]

Quote:

Originally Posted by innerpeace

@ BlueZ, great thread and thanks. It's good to see virtualization getting more exposure.

Thanks. It seemed like it was time to have a somewhat coordinated discussion of these types of products for a number of reasons:

• The new entries that have appeared are recent introductions and have now largely stabilized.
• The introduction of dynamic entry into a virtualized state, in my opinion, eliminated a large use barrier that afflicted ShadowUser Pro.
• These products are priced at a point where the mass market can respond. Whether they will is another matter, but the current price points are quite reasonable.
• Finally, and probably more importantly, they represent a specific potential solution to the continuing lament voiced here that every AV under the sun experiences periodic vulnerabilities due to the onslaught of malware, the increasing rate of appearance of new malware, and the somewhat slow progress in developing proactive detection methods (aside from a couple of entries, it seems mired in the 25-40% range from 2004-2007 in the www.av-comparatives.org retrospective tests). There are many distinct and competing options (execution control, software restriction policies, etc.) that should work as well, but virtualization does not require informed user intervention to work well. Further, as some have tried, light virtualization (or the competing options) can be used as the sole approach to securing a machine.

In the general view of the thread, I was somewhat undecided on whether to include Faronics Deep Freeze. It really is a member of the same category. However, it's primary market (institutional/enterprise) renders the feature set somewhat different than the products primarily covered in this thread. For someone looking for a solution, it does provide another available and highly recommended option.

Blue

[Threedog]

I did some testing last nite to see how good this all works. I went to a couple different crack/keygen sites to get drive byed...it wasn't long before Avira (set at max hueristics and scan all files) was popping up to beat the band. So I made note of these sites and then rebooted to get rid of everything (was surfing with Returnil and Sandboxie btw) and uninstalled Avira flipped Returnil back on and went to the same sites again. Then I rebooted and ran full scans with Avira and a few others plus SAS. All was clean so I was pretty impressed.

Another thing that impressed the heck out of me is I tried these sites out (when I still had Avira on) with both IE and Firefox with No Script. When using IE I was getting all kinds of Avira alerts but when using Firefox with No Script...nothing.

[trjam]

Yep, it works. Of course SD and Sandboxie for me. Same results though.

[Threedog]

Yes! Thanks to this thread I think I have finally found a set up that I like and trust. The only question I have left to figure out is whether to run Prevx with it or not.

[trjam]

why? I just install Esets online scanner or Dr Webs Cure it still while in shadow mode to see if anything is around. Works flawlessly. Sandboxie covers most and is your first line of defense. Then Shadow Defender or Returnil are your boot to total safety as needed. I love it.

[Threedog]

Hmmmm more options....thanks!!!!

[demoneye]

Quote:

Originally Posted by trjam

why? I just install Esets online scanner or Dr Webs Cure it still while in shadow mode to see if anything is around. Works flawlessly. Sandboxie covers most and is your first line of defense. Then Shadow Defender or Returnil are your boot to total safety as needed. I love it.

play around with this sanboxie progy....found it lets say none user friendly nither nice to use it.

in your case u have SD so why u uses 2 virtualization software ? when in the next rebbot u clear from any malware?

better add other protection if u keep your pc run 24/7 like NAB or other what they call 0 day tool


cheers

[innerpeace]

Quote:

Originally Posted by demoneye

play around with this sanboxie progy....found it lets say none user friendly nither nice to use it.

in your case u have SD so why u uses 2 virtualization software ? when in the next rebbot u clear from any malware?

better add other protection if u keep your pc run 24/7 like NAB or other what they call 0 day tool


cheers

Hi, if you play around a little more with Sandboxie, you will find it has the option to block access to certain files you specify (such as My Documents). That way during your Virtual Session, if you happen to pick up a key logger etc., your personal files will be safe and remain private. Sandboxie also affords the option to delete it contents and start a new browsing session without that pesky reboot a virtualization software needs.

[demoneye]

Quote:

Originally Posted by innerpeace

Hi, if you play around a little more with Sandboxie, you will find it has the option to block access to certain files you specify (such as My Documents). That way during your Virtual Session, if you happen to pick up a key logger etc., your personal files will be safe and remain private. Sandboxie also affords the option to delete it contents and start a new browsing session without that pesky reboot a virtualization software needs.

i play with this look like beta progy 2 much. some of its "config" menu are TXT editors lol

dont like it to much workk to get simple actions

cheers

[Peter2150]

Quote:

Originally Posted by demoneye

i play with this look like beta progy 2 much. some of its "config" menu are TXT editors lol

dont like it to much workk to get simple actions

cheers

You might also discover that anything in the sandbox can be left there thru reboot.

[innerpeace]

Quote:

Originally Posted by demoneye

i play with this look like beta progy 2 much. some of its "config" menu are TXT editors lol

dont like it to much workk to get simple actions

cheers

The newer versions of Sbie can be configured from a gui now. It may look like a beta to you, but it's protection is top notch. Have a look at some of the tests Peter2150 has performed. I personally use it to protect my D:\ data partition when I'm online which is even better when paired when I'm using Returnil which only virtualizes/protects C:\. I may even decide to run them both within a VM someday .

Were getting off topic, but Sbie is not that hard to configure. Yes you can still use the text version, but the gui works for what I need. It does take a little effort and one may have to ask for help or search their forum, but help comes quickly. To me, it's worth it and almost all my online apps run through Sbie.

[trjam]

Quote:

Originally Posted by demoneye

play around with this sanboxie progy....found it lets say none user friendly nither nice to use it.

in your case u have SD so why u uses 2 virtualization software ? when in the next rebbot u clear from any malware?

better add other protection if u keep your pc run 24/7 like NAB or other what they call 0 day tool


cheers

I use 2 because it works. With no impact to my PC. Go ahead and layer a AV,AS,AT etc, and see the impact. It is my choice, it works, and no, I didnt say it was the "Perfect" solution. But it is a darn good one.

[Threedog]

I like the Sandboxie/Returnil setup also. I have Sandboxie set up to empty automatically when I close down Firefox (or whatever I decide to run in it) so all the baddies are gone and Returnil is there for a quick clean up if anything does get thru. So far in my testing Sandboxie hasn't let anything thru. I tested by scanning after closing Sandboxie with Avira set to on demand so it wasn't going off while doing my unsafe surfing. I went to the sites with Avira enabled so I knew what was there.

[Avail]

Just got a quick question. If your computer can still be badly affected even though you have these programs running then what program can you install that will provide maximum security? Which Vmware can block all modification and installation to your system? So nothing gets through? Need a firewall?

[EASTER]

Quote:

Originally Posted by innerpeace

The newer versions of Sbie can be configured from a gui now. It may look like a beta to you, but it's protection is top notch. Have a look at some of the tests Peter2150 has performed. I personally use it to protect my D:\ data partition when I'm online which is even better when paired when I'm using Returnil which only virtualizes/protects C:\. I may even decide to run them both within a VM someday .

Were getting off topic, but Sbie is not that hard to configure. Yes you can still use the text version, but the gui works for what I need. It does take a little effort and one may have to ask for help or search their forum, but help comes quickly. To me, it's worth it and almost all my online apps run through Sbie.

Greetings Again innerpeace:

I agree that many new improvements now stand out making SandboxIE even more configurable as well as increasing solid protection.

Do you happen to know the command line or/if it still can be used to have ERASER fill in as the sandbox's default deleter? I know i have run across that post b4 at SandboxIE forums but cannot find it again.

I believe it's a simple command line run thru the Invocation etc. Well, i think you know what i'm after.

Thanks in advance

EASTER

[innerpeace]

Hi Easter,

I don't use the secure delete, but I remember hearing about it. I'm also not an expert at Sandboxie, just a huge advocate LOL. I'm losing faith in blacklist scanners quickly. See if this link help any. http://www.sandboxie.com/index.php?SecureDeleteSandbox

Cheers,
innerpeace

[EASTER]

Quote:

Originally Posted by innerpeace

Hi Easter,

I don't use the secure delete, but I remember hearing about it. I'm also not an expert at Sandboxie, just a huge advocate LOL. I'm losing faith in blacklist scanners quickly. See if this link help any. http://www.sandboxie.com/index.php?SecureDeleteSandbox

Cheers,
innerpeace

Thanks innerpeace:

I will look more into it.

Whitelist HIPS + SandboxIE/Power Shadow/Returnil type apps are the wave of future.

I quite agree, blacklists don't appeal to me either, too hit & miss with a consistent history of misses. STAMP OF APPROVAL the good/safe apps within a Whitelist while virtualizing/sandboxing etc.

Exciting to throw up a strong defense shield with minimal layering.

___EASTER