Wilders Security Forums  

  #101  
February 1st, 2008, 03:18 AM
QQ2595
Regular Poster
Join Date: Jan 2008
Posts: 159
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by EASTER
Thanks innerpeace:

I will look more into it.

Whitelist HIPS + SandboxIE/Power Shadow/Returnil type apps are the wave of future.

I quite agree, blacklists don't appeal to me either, too hit & miss with a consistent history of misses. STAMP OF APPROVAL the good/safe apps within a Whitelist while virtualizing/sandboxing etc.

Exciting to throw up a strong defense shield with minimal layering.

___EASTER

I fully agree with you.
  #102  
February 1st, 2008, 05:14 AM
MikeNAS
Frequent Poster
Join Date: Sep 2006
Location: FiNLAND
Posts: 697
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by EASTER
Greetings Again innerpeace:

I agree that many new improvements now stand out making SandboxIE even more configurable as well as increasing solid protection.

Do you happen to know the command line or/if it still can be used to have ERASER fill in as the sandbox's default deleter? I know I have run across that post b4 at SandboxIE forums but cannot find it again.

I believe it's a simple command line run thru the Invocation etc. Well, I think you know what I'm after.

Thanks in advance

EASTER

Is there any point to use Heidi's Eraser with Sandboxie if I reboot the computer every morning and I use Shadow Defender too?
  #103  
February 1st, 2008, 08:25 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,806
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by MikeNAS
Is there any point to use Heidi's Eraser with Sandboxie if I reboot the computer every morning and I use Shadow Defender too?

I would say no, but it depends on what you do, and your paranoia level. I don't use any secure delete.

Pete
  #104  
February 1st, 2008, 10:42 AM
MikeNAS
Frequent Poster
Join Date: Sep 2006
Location: FiNLAND
Posts: 697
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by EASTER
Greetings Again innerpeace:

I agree that many new improvements now stand out making SandboxIE even more configurable as well as increasing solid protection.

Do you happen to know the command line or/if it still can be used to have ERASER fill in as the sandbox's default deleter? I know I have run across that post b4 at SandboxIE forums but cannot find it again.

I believe it's a simple command line run thru the Invocation etc. Well, I think you know what I'm after.

Thanks in advance

EASTER

Here is that command (example):

"c:\Program Files\Eraser\eraserl.exe" -folder "%SANDBOX%" -subfolders -method DoD -results -queue

eraserl [Data] [Method] [-silent | -results | -resultsonerror ] [-queue] [-options]

Data:

    -file        data [-subfolders]
    -folder      data [-subfolders] [-keepfolder]
    -disk        drive: | all
    -recycled

Method:

    -method      Gutmann | DoD | DoD_E | Random passes | Library

Parameters:

    -file            The data to erase is a file (wildcards may be used)
    -subfolders      Include subfolders
    -folder          The data to erase is files on a folder
    -subfolders      Include subfolders
    -keepfolder      Do not delete the folder
    -disk            The data to erase in unused space on a drive or all local hard drives (all)
    -recycled        Erase all data on the Recycle Bin
    -silent          Do not show any windows
    -results         Show Erasing Report
    -resultsonerror  Show Erasing Report only in case of error
    -queue           Wait until previous instances have finished
    -options         Ignore all other valid parameters and show Erasing Preferences window
  #105  
February 2nd, 2008, 10:40 AM
EASTER
Massive Poster
Join Date: Jul 2007
Location: U.S.A. (South)
Posts: 4,513
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Thank You Much

That will prove very helpful.

As suggested by Pete, the secure erase with ERASER is more an individual decision since it's been a normal routine of mine for years to wipe individual files/folders just to be sure they're unrecoverable.

SandboxIE's use of Micro's delete is sufficient of course but I prefer to wipe the contents of the sandbox.
__________________
★AX 64 Time Machine Current Version 1.1.0.996 ★
★Shadow Defender★| EQSecure v4.0 Beta3 |#Sandboxie 4.08 beta# |FirstDefense-ISR|★FileChangeAlarm★ |Reserve Space|
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | CometBird 11

Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
  #106  
February 8th, 2008, 01:29 PM
boberang
Infrequent Poster
Join Date: May 2006
Posts: 11
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

OK, I don't think this was asked earlier in the thread but a couple posts indicated that Shadow User Pro does NOT protect against low level threats....isn't that a major negative for it to still be considered functional? Maybe I am missing something.

As an owner/user of Shadowuser Pro for a couple years I hadn't looked at the new kids on the block as I don't mind rebooting to enter/exit shadow mode.

However, with the discussion of Shadowuser Pro missing low level stuff, would it be advisable to use Returnil during suspicious times (when you think you may be more at risk)? And if so, say I have 2 hours in Shadow mode then turn on Returnil because I am going to test or do something risky....will there be conflicts with what Returnil does and the exception list of Shadow User Pro on that first 2 hours?

If ShadowUser Pro can still be my clothing in summer and I only need the parka of the free Returnil when I fly to Alaska for a short time, that is great. If I need the parka all the time as the clothes Shadowuser Pro provides are no longer sufficient, I have a headache of reconfiguration and re-training of users on my hands.

Oh, and maybe I should use Sandboxie as mittens every now and then, with or without the parka, depending on how cold or bitter cold it is. ;-)
  #107  
February 8th, 2008, 02:51 PM
yankinNcrankin
Frequent Poster
Join Date: May 2006
Posts: 406
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

I think it would be better to ask your question without using such analogies, and get straight to your point or are you looking for confirmation to something you already know?
  #108  
February 8th, 2008, 03:37 PM
boberang
Infrequent Poster
Join Date: May 2006
Posts: 11
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by yankinNcrankin
I think it would be better to ask your question without using such analogies, and get straight to your point or are you looking for confirmation to something you already know?

The analogies came from the previous page, so it was just a continuation. No, I don't know the answer. Without the analogies the question is:

A) Given that people have stated Shadowuser Pro does not protect against low level writes does that make it significantly more vulnerable for most use and one should look elsewhere for an updated product?

B) Or for average consumer use is Shadowuser Pro still a good solution, but perhaps during times of more robust / higher risk use would it be advisable to use Returnil for additional protection and layer against low level writes? And if so, would it conflict in any way with the excepted files from the Shadowmode of Shadow User Pro?

I am hoping first and foremost the low level vulnerability of ShadowUser pro is insignificant, in lieu of that I hope option B) is viable. I really do not want to have to migrate completely to another product as the main lightweight virtual defense as Shadowuser pro is what people are used to, and its exception capabilities and use on multiple drives is a benefit.
  #109  
February 8th, 2008, 08:39 PM
Bollo
Infrequent Poster
Join Date: Feb 2008
Location: Tarija
Posts: 13
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

First of all, I want to say HI to everyone here in Wilders Security Forums...this is the FIRST site I visit to take a recommendation or advice about something I found in the web...

I always entered this site as a guest, like many people here, but the difference is that I made that a lot of times without even saying "thanks" to somebody who had the same problem and another one solved it..

Well, I'm replying here because I'm having some questions about these "light virtualization" programs...

The Thing or better say my DOUBT is about their way to protect the hard disk..

Can this software make your hard drives fail!!? because at least I'm testing Returnil (beta) with my system and I got that doubt..

It seems that some friends installed Deep Freeze or another virtualization program and they had problems with their hard drives. It seems that the program made exhaustive writes and reads in the disk in the same sectors, like Returnil does in a file that occupies a fixed size in the disk.

So my question is if that kind of program makes too many writes in the same location many times, causing the hard drive to fail.
That's all for the beginning...I will be here from now on.

Thanks in advance.
Bollo
  #110  
February 8th, 2008, 08:50 PM
BlueZannetti
Administrator
Join Date: Oct 2003
Posts: 6,589
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by boberang
Without the analogies the question is:

A) Given that people have stated Shadowuser Pro does not protect against low level writes does that make it significantly more vulnerable for most use and one should look elsewhere for an updated product?
At present, probably not. However, it really depends upon whether that approach becomes a significant generalized mechanism in the future. If you already own ShadowUser, it is a very decent solution. If you're currently looking, the more recently developed solutions will generally be better since they can and will adapt to recent developments.
Quote:
B) Or for average consumer use is Shadowuser Pro still a good solution, but perhaps during times of more robust / higher risk use would it be advisable to use Returnil for additional protection and layer against low level writes? And if so, would it conflict in any way with the excepted files from the Shadowmode of Shadow User Pro?
If you're talking of mixing multiple light virtualization products, I'd recommend against it. Go with the best single solution from the start.
Quote:
I am hoping first and foremost the low level vulnerability of ShadowUser pro is insignificant, in lieu of that I hope option B) is viable. I really do not want to have to migrate completely to another product as the main lightweight virtual defense as Shadowuser pro is what people are used to, and its exception capabilities and use on multiple drives is a benefit.
Of the current options, ShadowDefender is the closest in this regard, save for the inability to have a shadow session span across restarts.

Blue
  #111  
February 8th, 2008, 08:57 PM
BlueZannetti
Administrator
Join Date: Oct 2003
Posts: 6,589
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Bollo
Can this software make your hard drives fail!!? because at least I'm testing Returnil (beta) with my system and I got that doubt..
If you mean fail in the hardware sense, no. If you mean fail in the driver sense, I've not seen that happen. As with any application, conflicts can and do occur.
Quote:
It seems that some friends installed Deep Freeze or another virtualization program and they had problems with their hard drives. It seems that the program made exhaustive writes and reads in the disk in the same sectors, like Returnil does in a file that occupies a fixed size in the disk.

So my question is if that kind of program makes too many writes in the same location many times, causing the hard drive to fail.
Fundamentally, this shouldn't be an issue. The situation is no different than any disk location which is extensively utilized. A hard drive, like any other device - particularly a device with moving parts - has a finite lifetime. But the activity connected to virtualization is really no different than normal use.

Blue
  #112  
February 8th, 2008, 10:40 PM
Bollo
Infrequent Poster
Join Date: Feb 2008
Location: Tarija
Posts: 13
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Thanks for the quick reply BlueZannetti...

Well that was more a curiosity than an issue, at least, for me, because it's interesting how they save the changes in specific sectors and then "writes" it to a "virtual file" that will be discarded when you reboot the machine. That's what makes me think about the many overwrites in the same sectors where the Returnil's file is.

Quite interesting these programs...
Also, sorry for my English, it's not native, but hope it's understandable.
I'm from Tarija (South America) where we speak Spanish.

Bollo
  #113  
February 8th, 2008, 10:53 PM
BlueZannetti
Administrator
Join Date: Oct 2003
Posts: 6,589
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Bollo
Well that was more a curiosity than an issue, at least, for me, because it's interesting how they save the changes in specific sectors and then "writes" it to a "virtual file" that will be discarded when you reboot the machine. That's what makes me think about the many overwrites in the same sectors where the Returnil's file is.
Which is basically no different than what happens to a drive without Returnil or any of these other products.
Quote:
Also, sorry for my English, it's not native, but hope it's understandable.
I'm from Tarija (South America) where we speak Spanish.
It's quite understandable, no problem at all...

and welcome to Wilders as a member!

Blue
  #114  
February 8th, 2008, 10:57 PM
Coldmoon
Returnil Moderator
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,744
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Bollo
Thanks for the quick reply BlueZannetti...

Well that was more a curiosity than an issue, at least, for me, because it's interesting how they save the changes in specific sectors and then "writes" it to a "virtual file" that will be discarded when you reboot the machine. That's what makes me think about the many overwrites in the same sectors where the Returnil's file is.

Quite interesting these programs...
Also, sorry for my English, it's not native, but hope it's understandable.
I'm from Tarija (South America) where we speak Spanish.

Bollo

Hi Bollo,
The cache file is only created and used when you select the Disk cache method. You can switch to the Memory cache method at any time using the repair feature in the Uninstaller without having to uninstall/reinstall.

Another aspect of the duality is that if the Disk cache were to ever become damaged or corrupt, RVS will switch immediately to Memory cache so you do not lose System Protection/Session Lock.

With kind regards
Mike
  #115  
February 9th, 2008, 06:51 AM
Bollo
Infrequent Poster
Join Date: Feb 2008
Location: Tarija
Posts: 13
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Thanks BlueZannetti for the Welcome and Coldmoon for the explanation, will be posting more curiosities at the Returnil's Beta Thread...

Thanks.

Bollo
  #116  
February 9th, 2008, 07:38 AM
demoneye
Very Frequent Poster
Join Date: Dec 2007
Location: ISRHell
Posts: 1,219
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Bollo
Thanks for the quick reply BlueZannetti...

Well that was more a curiosity than an issue, at least, for me, because it's interesting how they save the changes in specific sectors and then "writes" it to a "virtual file" that will be discarded when you reboot the machine. That's what makes me think about the many overwrites in the same sectors where the Returnil's file is.

Quite interesting these programs...
Also, sorry for my English, it's not native, but hope it's understandable.
I'm from Tarija (South America) where we speak Spanish.

Bollo


Hi BOLLO and welcome. I will put it short: Returnil can be trusted 100%, it does its job, no HD MBR modification (also goes for SD and DF).
And it's good that the Returnil developer (coldmoon) is all over here and can approve or override what we say in here.

cheers
  #117  
February 9th, 2008, 10:01 AM
boberang
Infrequent Poster
Join Date: May 2006
Posts: 11
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by BlueZannetti
....... If you already own ShadowUser, it is a very decent solution. If you're currently looking, the more recently developed solutions will generally be better since they can and will adapt to recent developments.
If you're talking of mixing multiple light virtualization products, I'd recommend against it. .....

Blue

Thanks Blue...that was my gut feeling, but I don't pay attention daily and didn't know if the low level threats had become more viable.


Bollo: I agree with others here...these products shouldn't cause a hard drive to fail before its time. Having said that though, all hard drives are NOT created equal. Some fail more often than others, not because of products like these but just general use. So plan accordingly. :-)
  #118  
February 9th, 2008, 10:27 AM
BlueZannetti
Administrator
Join Date: Oct 2003
Posts: 6,589
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by boberang
Thanks Blue...that was my gut feeling, but I don't pay attention daily and didn't know if the low level threats had become more viable.
My pleasure. The other option to consider, and it really depends on your usage style and application base, is to run your machine as a limited user with SU (or your preferred alternate) running with Admin credentials.

Blue
  #119  
February 9th, 2008, 01:36 PM
EASTER
Massive Poster
Join Date: Jul 2007
Location: U.S.A. (South)
Posts: 4,513
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

On the matter and concern of these types of software and their impact on the hardware HDs, I often raised the same concern some years ago at the Heidi's ERASER forums and was "VERY" skeptical even when assured there was no real reason to be pessimistic that over time, due to so many writes of a wiping program, one might expect their drive to eventually fail much sooner than expected.

Well, in conclusion, I never stopped using ERASER, even when using the 35 Pass method, and after years of this routine no drive I own, even the oldest which housed Windows 98SE, has ever shown signs of or experienced a failure.

I assume the same equally applies to the apps above just mentioned but on an even lesser basis IMO. No expert here on hardware and the impact of software on it, but I'd be willing to venture that my daily use of ERASER for years in a many passes mode far surpasses the writes any of those virtual programs could do.
  #120  
February 10th, 2008, 02:27 AM
Osaban
Massive Poster
Join Date: Apr 2005
Posts: 3,089
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by boberang
Thanks Blue...that was my gut feeling, but I don't pay attention daily and didn't know if the low level threats had become more viable.

Running SU with any HIPS (they all stop executables) or any reputable AV for that matter (if you feel uncomfortable with HIPS) will neutralize the danger of these 'low level threats'.

Returnil, SandboxIE, ShadowDefender are more or less updated against these threats, because some people at Wilders specifically pointed out their existence to the developers.

The bottom line is that no matter what solution one chooses, they can be defeated at any time in the future by new threats, if one relies on their protection alone. Perhaps a new animal should be created: A signature based virtualization program which would be the same as adding an AV to your system.
__________________
Samsung Series 7 Chronos & Windows 8 (64bit)
“We are the cosmos made conscious and life is the means by which the universe understands itself.” Brian Cox
  #121  
February 10th, 2008, 06:26 PM
lucas1985
Global Moderator
Join Date: Nov 2006
Location: France, May 1968
Posts: 4,047
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by Bollo
I'm from Tarija (South America) where we speak Spanish.
Welcome to Wilders Bollo. The more South Americans, the better
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder".

"Perfect is the enemy of good enough". Voltaire.
  #122  
February 10th, 2008, 07:35 PM
Bollo
Infrequent Poster
Join Date: Feb 2008
Location: Tarija
Posts: 13
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Thanks for the welcome to everyone.
Will be glad aiding in whatever I know...

See ya.
__________________
--- Testing everything that MUST be tested ---


David Ulises
  #123  
February 11th, 2008, 03:53 AM
apathy
Frequent Poster
Join Date: Dec 2004
Location: 9th Circle of Hell(Florida)
Posts: 366
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

I was looking at deep freeze and some of the other programs out there but I absolutely love EAZ-FIX. At first I was interested in Rollback Rx but heard from a few seasoned people on this forum that it was somewhat flawed. Using eaz-fix and making a snapshot before installing a program is a lot better than relying on the uninstall program to remove everything which it won't. I have yet to see any problems with rolling back to a previous snapshot.
  #124  
February 11th, 2008, 06:54 AM
BlueZannetti
Administrator
Join Date: Oct 2003
Posts: 6,589
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Quote:
Originally Posted by apathy
I was looking at deep freeze and some of the other programs out there but I absolutely love EAZ-FIX. At first I was interested in Rollback Rx but heard from a few seasoned people on this forum that it was somewhat flawed. Using eaz-fix and making a snapshot before installing a program is a lot better than relying on the uninstall program to remove everything which it won't. I have yet to see any problems with rolling back to a previous snapshot.
apathy,

EAZ-Fix and Rollback Rx are a little different than the programs which are the main focus of this thread, although many final results appear quite similar.

The main potential issue with EAZ-FIX/Rollback Rx is that if one leaves the filesystem environment provided by these applications and makes any changes to the disk (for example, boot to a Bart PE session or something similar, defrag using a 3rd party application on boot, etc.), these changes will be unknown to the environment and will lead to its corruption.

That can be a bit of inconvenience in some situations, but the advantage of these applications is the enormous speed advantage accrued via use of this approach in making and switching between snapshots.

Blue
  #125  
February 11th, 2008, 08:48 AM
demoneye
Very Frequent Poster
Join Date: Dec 2007
Location: ISRHell
Posts: 1,219
Re: Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

yo all

After checking this amazing EAZ FIX ... it actually can be used for what we all have been missing for a long time now, and that is "continue shadow mode after restart". You can then test a program, np, and ROLLBACK if something went wrong.

For all of you who scream SU has it ... well, it's buggy and does not work well under some systems.

I find it better to use; also it can provide the same ability as SU, SD, DF and so on.

cheers
 

All times are GMT -4.