A perfect security system?

you use deepfreeze for every employee? you have it installed on every workstation? at work we have 500 employees, most of them like 90% knows nothing from security or whatever.

as for system admins and IT managers, SU and Vmware can be used off course .. It's an extra layer, just like having Norton Ghost (that's what we have at work) an important one just like an antivirus scanner. but Vmware is only for admins at work so is SU I guess...that's a different story Imho

/edit: they have something like shadowserver .. I wonder how that works to be honest, I don't have any experience with that. is it centralised with one control panel for the system admin?

 

it's not entirely the same Erik. Cause if I reboot with Vmware, everything remains in it's place even malware but it's impossible to infect my main machine...

I'm not a big fan of SU to be honest. I tried it twice but the fact that I loose everything I gather when I surf in shadowmode is simply not done, or you have to reboot again and ... that's time consuming. safe it is, I give you that ... how would you gather the data you need, that you want to use? that needs to be scanned for malware if you want to keep that data? so you'll still need an antivirus/antimalware scanner on your machine I guess.

Take care

 

Ahh, now we're going into perfect security for who scenario, as opposed to Perfect Security per se !

But devil did actually state "The perfect system for me" not for anybody else !

So some will have differing viewpoints on certain issues, and/or generally as i did. But i don't think that everybody will agree on what constitutes Perfect Security. That's because of the points i made earlier about different Systems/Set ups etc, and of course all of our own personnal choices and degrees of knowledge.

I wouldn't be able to code error free security software, or any other, even if you paid me a $Mil. We expect those that do code to have taken all the correct steps in the process that's possible to do, whatever that means. Even if they have, which as we all know rarely if ever truly happens 100%, it's those as yet unknowns that will come back to haunt them, and cosequently us.

So even with a bucket load of the very best Apps in the world, regardless of whether they are Free or paid, even those Apps are still subject to possible errors. We occasionally see this from time to time, especially during "Upgrades". All these Apps will also have some as yet undefined holes in them, by the very nature of the beast, and humans too.

If we can constuctively and impartially, iron out exactly what these Levels of security could be and consist of, and how many Levels and Apps are viable etc, then we will be able to produce an intelligent list to work from. The question of overhead and resources etc, and interaction etc, also come into play here as well.


StevieO

 

therein lies the answer... IMO there is *no* perfect security, but someone else may achieve it [to their logic] on their system.

Everyone likes to think they have the best to their ability set-up, but time and again someone gets nailed [as a poster here aptly put] to the wall either by intent on someone else's doing, or a simple mistake.

bit like having the perfect motor vehicle. does not exist, all have to have maintenance for preventive, and then things still go wrong which an "oil and grease" did not stop.

The latest .wmf vulnerability proved that even what anybody thought 2 years ago was impossible [picture formats able to be used to corrupt a system] was realised.

There will always be someone who can 'crack something' that was thought uncrackable in the future.

TAS

 

Another nonsense statement from a guy who knows nothing about computers. Scanning is automatic. You click. it starts. you do your work. How does it take 4 hours? I hate to break it to you erik, but the scan continues even when you are not looking at it... LOL.

Red herring. Ever heard of something called real time scanner? I guess not lol.

I find your statement ironic really coming from the guy who wants to run just SU alone, and does care if between SU reboot sessions he is unprotected. Well i guess it doesn't matter because you have nothing to lose or so you claim, but i doubt a big fortune 500 company could say the same.

Actually Erik, you are saying it is THE solution, you dismiss other solutions based on wishful thinking and (bad) logic, and worse yet no experience on the solution you are supporting.

You are making all sorts of bold claims , as if you know what you are talking about, when it comes down to it, you are just guessing! SU is the greatest rah rah rah. Based on what?

A little learning is a dangerous thing....

Infinity, Erik said this, not me!

And Erikalbert is wrong. "Whitelist scanners" do exist. In a business/corporate environment, such restrictive environments where only approved app can run,
iis the answer.

 

Hi,
I must interfere.
Devil, this time you got it wrong.
I work in a corporate environment. Most of the guys are programmers. They do not have not will (or even knowledge in this security area) to run scanners. They need their compilers clean and mean.
Our sys admins are struggling with the windows as it is, to say nothing of extra programs. If I installed, for instance, Prevx on people's computers, it would turn into a logistics nightmare in 20 min.
If your work environment are all die-hard linux-startrek fans and people who can and know how to setup windows from start, then you're set. But believe me, even educated people with computer knowledge are total noobs when it comes to spybot, msas, unhack me etc. Hell, even I know more than our sys admin in this field. I gave him the Bart PE disk...
Now, imagine an environment full of people who are not programmers. People in 40s and 50s, engineers who did not grow up with windows. Imagine the fuss and the frustration and confusion they will go through playing with these things.
Just as an example, people at my workplace use alt-prntscrn to copy desktop images and paste them directly into ppts. So you have bloated bmps. That's how much computer-friendly they are. Now imagine warnings from Process Guard, Online Armor etc. They would die in 3 seconds.
We are a department with about 40 people - only three guys, myself included use FF. Hell, only 3 who even heard of this thing called FF.
People at work need fire and forget environment. No meddling whatsoever. So it must be something totally transparent that will not popup even a single warning.
Mrk

 

Quick note about the actual idea presented in the first post, I actually agree fully.. I had been thinking about pretty much the same thing for a while now, although I never bothered to lay it out like this (well done). Although I don't think it's 100% fool-proof, I think it would be great step in the right direction. Hopefully we'll see something like this in the near future

I've used several of the virtualization programs, and while they do provide some great options and security, the full on virtualization programs were just not for me. If you get infected and have to wipe everything out, there's not much difference from formatting.. not that much of a time saver, and more of a hassle than it was worth in many other ways as well. For now I just set my Acronis True Image to do incremental backups every night.. this suits me far better and is good for things besides just security as well. It's not that much different than what has been posted above, except that I have much more control. I do agree that we can each find our own "perfect security" for our own situations, and I think the ideas outlined in the first post form the closest you can get for pretty much everyone, but ultimately there is no one solution that is going to be perfect for every environment out there... last I heard there was something like 100 million internet users, each of them is going to have unique environments with different needs.

 

Mrkvonic i'm not sure where you are disagreeing with me. Maybe you are mistaking my inital post which is about my personal computer and the corporate situation.

Nobody is crazy enough to recommend Online Armor, PG whatnot for a corporate situation. Besides if there are any "popups" it's not going to occur on the client side A scanner on a client side or server side is easy to use even for your "none-programmers".

My point is Erikalbert's obsession with SU is not the solution either, not unless you don't care if info is being stolen from your computers between SU reboots Heh if I had SU installed on my work computers, I would go surfing for porn, and whatnot, after all, all the evidence disappears with a reboot.

The best solution i suspect in a corporate environment is a highly restrictive windows system with software policy restrictions , employees should not be running all kinds of stuff on their computer except authorised programs anyway.

And yes, everyone needs is different, situation is different etc. But a certain indidivual has being saying SU is the only solution over and over again whether it is at home or at work for the majority of users. And this claim is based on what? zero experience......

 

Well I heard other stories in Malware Forums and how much time users lost running their freeware scanners, before they posted their HijackThis Logs.

Realtime protection is as good as the scanner is. If the malware isn't blacklisted, real-time protection won't make a difference.

OK. If I'm wrong, give me a list of Whitelist Scanner Names. I must have missed those at Wilders.
Which Whitelist Scanners are you using ? Any recommendations ?

Deviladvocate, read Mrkvonic's post. He knows the REAL work environment, just like me.
I work with INDIFFERENT users, who work with non-security applications to do their job. Any interruption of their job caused by Malware or Anti-Malware makes them angry and our computer department is always the scapegoat, even when the user is guilty. Do you really think these users will take the time to run any scanner ? Forget it. They want us to fix it and as fast as possible.
These users earn money for the company and are always put in the right, because money counts.
I really wonder what kind of job you do.

 

I agree.. virtualization alone may be a solution for a limted few, but I don't think it would be for most. It sounds great in theory, but once you really get a chance to use it for a while, things start to look different.

With some time and effort a person might be able to set it up so that it's convenient for what they do, but just throwing everything in the sandbox, as these things basically do by default, isn't always as convenient as it sounds when you start really acquainting yourself with how it works. That's why I like the idea of having something that uses some of the same principles, placing restrictions on certain apps and their child processes, but remaining system-wide and not entirely virtualizing the file system, not killing your data when killing the virtual environment.

Another thing to conisder with things like SU and DeepFreeze, etc. (someone brought this up in the DeepFreeze thread), is that if you were to get infected with a stealthy keylogger, you might not even know it was there. After reboot, you have no way of finding out what happened.

 

LOL @ ErikAlbert's obsession. Dream on.

 

I agree with ErikAlbert

Through my testings I've been able to stay what 'I' feel is 100% safe without any scanners, Host files, registry protectors, process guarders, anti hookers and anti key loggers. I do need a Firewall

Notice I said "100% safe" and not '100% infection free'

I go all over the net, to the darkest side and back every day. I go places and do things that most security experts say not to do. I taunt the hacker sites, I spit in the face of virus writers, I steal the bait of Trojans and leave their traps empty.

I do all this with the aid of Kerio 2.1.5, the Smoke & Mirrors trick of ShadowSurfer and Sandboxie. Sandboxie works just fine while in Shadow mode. I call it a Sandbox sandwich, surfing the net never tasted better, thank you.

I setup and operate ShadowSurfer and Sandboxie according to directions, is this a hassle ? I think not and its certainly less hassle than answering 100's of pop ups, that other security apps ask....

Lets take the latest Big News items as an example, Sony Rootkit and WMF exploit.

I'm in Shadow mode so I pop in my Sony CD, the rootkit gets installed first thing to C: drive. As per ShadowSurfer instructions I have partitioned my drive so I can save data. I rip the music to D: drive, reboot and my music is still on D: drive and C; drive is rootkit free, the best part is I didn't even have to know about the Sony rootkit for this to happen.

WMF ? HaHa that doesn't even stand a chance against Sandboxie & ShadowSurfer. Simple right click "Clear sandbox" and WMF is beaten like a bad dog, reboot and ShadowSurfer completely removes any history of WMF's failed attempts.

Anyhoo I could go on and on about test I've performed and the results are the same, each and every time victory goes to the virtual environment.

@the Devils and all their advocates, I don't want to hear about the "what ifs" "could be's" "mights" and all that stuff. You know some weird virus that'll go through ShadowSurfer & Sandboxie then lets have the name, an exploit ? spit it out....I'm willing to take on all challenges !

In the mean time until I bow out in defeat, ErikAlbert's so called "Dream" is my reality

Bye

 

Welcome to the club.

 

I call this attitude FREEDOM, especially considering that the Internet seems to be one of the last vestiges of the democracy.

Eversince I ran ShadowUser on my system (about 5 months) I didn't get one single dangerous situation, my system is always clean as a whistle and yes I have a traditional defense setup as well (I tend to reason rather like Spy1(Pete) than ErikAlbert).

What I'm about to say may sound selfish but I personally hope that programs like ShadowUser, Deep Freeze will remain fairly unknown to most internet users. When programs become too popular,they tend to be hacked no matter how good they are. Hence my view towards what might be seen as 'the perfect security' is to change your security system once it becomes either too popular or you get infected.

 

Thanks alot for your post !!!
Finally somebody that confirms my "dream" and has practical experience with a similar security setup. I wouldn't mind to use Sandboxie as well, because this is also a software based on virtual protection. Our security setup is certainly not worse than any other classical setup, theoretical even closer to a foolproof protection.

I'm not going to wait until these scanners have a blacklist of a million threats. These blacklists are growing way too fast and some of them have already more than 200,000 threats.
I'm a member at SWI since 2004.06.25 and in those days Spybot S&D had a blacklist of 12,000 threats and now about 34,000 in just 18 months (almost 3 times more) and that is just one example of a rather small scanner.
And the bad guys won't stop creating new ones, because they KNOW this too.
One day the hardworking users will lose their patience to run all these scanners. It's just a matter of time.
How many AV/AS/AT/AK scanners and HIPS softwares do you need to get the same level of protection of ShadowSurfer/ShadowUser and how much money and time will it costs ? Good scanners aren't cheap either.
It's logical and predictable that Blacklist Scanners don't have a future.
I like to think years ahead and I'm very glad, I'm not alone.

 

Did anyone else say different? Dear erik you keep saying the same things ,as if everyone rejects it, but refuse to answer my points about keyloggers and other malware running between sessions. I suppose a company doesn't really care if it secrets are stolen?

And the point about real time protection and scheduled scans is to refute your crazy nonsense about employees spending 4 hours scanning. Let me repeat again in case you are blind, this is nonsense.

For home user, look up prevx1 for example, but in corporate situations, any restrictive windows software policy is a "whitelist" scanner!

Sigh, this shows how much you know about computers and security software.
Why in the heck does indidiuval users have to run antivirus? Ever heard of server side scans over the network? That's plus a restrictive windows policy is the solution.Your problem is that you live in a world of the home user products, and you think a corporate solution would be exactly the same. You look at how say Antivir runs on your home computer, and you think it scales up to corporate solutions.

Your "computer department" must be really incompetent , i suppose you think their job is to issue indidivual security products and that's it?

But i really knew that given they hired you as a "application analyst" who claims to know nothing about computers, and yet knows more about applications than the programmer. Talk about the blind leading the blind.

I suppose that's true, just as true that you "understand" SU without even using it once!

@Fastgame, you mistake my intention. I'm a big fan of vmware, which in my view is even superior to SU for certain uses and VMware itself has had critical exploits, so SU will have them too, but that's not the point. Neither am I raining on SU's parade, in certain situations when used by certain users, it's great. But i disagree with the sentiment that SU is great for indifferent users.

But the belief that SU alone is sufficient has many problems, chief of which is that it works only if you don't care what happens between sessions! Erikalbert when cornered on this point, claims he doesn't care or that he would be careful enough to reboot between sessons.

Now, tell me do you think the INDIFFERENT users would be careful? Most likely SU would make them think they are 100% hackproof thanks to Erikalbert , which makes them even less careful. Would a user be diligent enough to reboot the system to do serious work after goofing off at work visiting a porn site ?

Would INDIFFERENT users care for handling SU such that new work is not deleted by SU on reboot?

INDIFFERENT USER: Erikalbert, SU flushed away all the important work i spent hours on, i don't care how you do it, get it back!!!

ERIKALBERT: *under his breath* darn you indiffferent user! I have no idea how it works, i havent tried it before either!

Scenario 2.

Erikalbert: Boss i got the perfect security solution for you, you don't need antiviruses or any other security feature. With SU, I can make sure that every 24 hours i can restore the system to original state (never mind that any decent company already has daily backups) but in between, any attacker can have free reign of our systems , they can steal all our data, passwords, gain control of our email servers to send damaging emails to customers.... And because we don't have any other intrusion detection systems we won't know, but how much damage can they do anyway in 24 hours right?

Boss : You must be joking right?

A prediction, Erikalbert will not address either of these points, but will continue say"blacklist can catch only what it has signatures for", a point no one denies.....

SU and deepfreeze like solutions works great in places with public terminals where there is no information of value anyway to steal. To use SU as the only security feature in a company is sheer stupidity.

 

If I recall correctly, ErikAlbert didn't say he was just going to use SU. He said he would be running a FW as well. So the keyloggers couldn't get their information back to base between reboots.

 

While I agree with the general sentiment that signature based scanners will eventually hit a brick wall, there's plenty of data available to put some firm perspective around this and using a product like Spybot S&D is probably not the best course.

As part of a (still on-going) high school project my son was trying to get some objective view of the malware and malware infection rates. Since there isn't direct access to that, I recall him examining Internet population growth rates vs. the growth rates of malware. As a good proxy for malware growth rate he looked at a few situations, one being the growth of the KAV signature database since he was able to pull statistics from as early as 2001 and since it is one of the more comprehensive databases available. Between the latter half of 2000 and today, he saw that there are basically three stable growth segments spanning Jan 2001-Dec 2002, Dec 2002 - Mar 2005, and Mar 2005 - present. During that time, growth rates as measured by the database doubling time has dropped from ~45 months to ~29 months to the present rate of ~ 20.6 months. Given what I've seen in comparative performance of KAV 5.0 vs. the beta release of KAV 6.0, a period of reasonable acceleration in growth rate, signature based approaches still have a lot of life left in them. More importantly, AV vendors have a much more detailed view of this information, it's trending behavior with time, and how it will extrapolate over a product lifecycle. They should have plenty of time to adapt and I would guess some of the new features in KAV 6.0 and similar products reflect such an analysis, coupled with a general competitive market feature set analysis.

On deviladvocates general technical analysis, I must say that I agree. Examine the vendor based positioning of products like ShadowUser and Deep Freeze, they focus on their use in areas such as (quoting from the ShadowCraft site)

They are quite explicit as to their overall objective:

Protection is not afforded within session, but between session with the product designed for rapid between session restoration to a predefined state. Naturally, this has a security implications, but that is really a secondary objective. The goal is PC maximizing PC uptime and minimizing IT maintenance. This is why vendors such as Faronics develop product line extensions such as Anti-Executable to provide genuine protection, but even here the presumption is that the PC starts from a known clean state when AE is installed.

Of the approaches described in this thread, if my goal was security, I'd go with the approach originally outlined by deviladvocate. If my goal was maximizing guaranteed PC uptime, I'd go with a product like SU. Please note, these are very distinct goals with some common outcomes

As I've said previously, products like SU quickly remedy only one aspect of an infectious malware episode - the persistence of the infection, that's it. As it happens, this is the aspect that receives the most coverage on boards like this as a user scrambles to return to their PC to a working state. Vendors such as Faronics have extended their offered functionality to include some aspects of realtime security by creating a local whitelist of applications assuming a known clean state, and this does provide genuine realtime security. But the system snapshot approach alone is no different than using an image backup alone as your sole security measure, and I can't imagine that anyone would claim that an image backup provides realtime security. Use of a firewall can provide substantial security, but that requires a fair level of knowledge and detailed configuration from the user. I wouldn't recommend that a casual user rely on it.

As for the large enterprise user, my own organization uses the scheme noted by deviladvocate, strict and centralized management of restrictive user policies. That happens to be coupled with an AV (desktop) or AV/firewall (mobile laptop). The near equivalent for a home user not wishing to explicitly tailor user policies is something like Anti-Executable, but this provides only an approximation of what can be accomplished by strict system policy management since it focuses exclusively on application execution.

Blue

 

I wouldn't state it in such definitive terms. Depending on the firewall, firewall configuration, and specific malware, it may or may not yield the desired result.

Blue

 

Actually I was testing ShadowSurfer, as a single end user. The Corporate world brings a whole set of rules/problems that for the most part are beyond the needs, discipline or education of the average Home user.

I went looking for trouble opposed to the regular "Home" user who tries to stay out of trouble. I never thought I was 100% hack proof, I'm looking for that point where I'm hacked. In my case being hacked is nothing more than lost pride. I have nothing to lose except some photos, game saves or maybe the key to ShadowSurfer.

"INDIFFERENT users" isn't just limited to VW, it applies to everything. Doesn't matter what software one uses, if you don't educate yourself on use/limits, apply discipline, there's a price to be paid. "INDIFFERENT users" roll the dice and play odds, sometimes you win and sometimes you lose.

Lets forget Virtual Ware, lets take "Perfect Security" to the highest level in a single user situation, lets use some real discipline.

I use a PC with a totally blank formated HD, I"m going to use Linux Live CD and do some online transactions. Now I'd think I would be pretty safe...I mean how could I be hacked or my stuff stolen ? surprise! I'm still at the mercy of the institutions I've dealt with and the security they have in place. In the end all my discipline, my security measures, could end up in the hands of "INDIFFERENT users"

The road to "Perfect Security" lies with how Society raises its children. Honesty and Respect for fellow man is the cure, until then......you roll the dice and play the odds

[edit]=spell check

 

One post removed.

It would really be great if for once we could discuss the subject @ hand and leave all this other garbage directed toward particular members for some other venue. Any further comments made with this tone\direction and the whole post will be removed whether the rest of the post has merit or not.

Thanks in advance for this consideration and request,
Bubba

 

Just wanted to state that I agree with most of what EA says . And FastGame as well . Well thought out .

 

Now lets summarize the use of ShadowUser on my computer.
We all agree that SU cleans your computer in 5 minutes.
It's obvious that between TWO reboots each installed threat can do its evil job.
That's why I asked myself, what harm can these threats do to me during that period.

1. Stealing my initials (EVM). Is that dangerous ?

2. Stealing my first name (Erik). Is that dangerous ?

3. Stealing my email-address. Is that dangerous ? It has been stolen so many times.

4. Stealing my files without secrets. I can encrypt these files if absolutely necessary,
but I wouldn't care if these files were stolen.

5. Stealing my files with secrets. I would create these files without internet connection
and store these files on a diskette or CD/DVD and certainly not on my harddisk.
I can disconnect my computer very easily : a button on my modem or the red button of ZoneAlarm.

6. Stealing my credit card. Normally, I don't buy on the internet. If I ever do this,
I will reboot my computer first and any threat, including keyloggers will disappear and then
I will use my credit card on a trusted site.

7. Stealing my password. Is that dangerous ? You need a special file to get access
to my bankaccount and that file is never on my harddisk.
If that file isn't there nobody, including me, is able to access my bankaccount, even when they have my password.
I also can reboot my computer right before online-banking as a second security measure.
I don't open my bankaccount every minut, just a few times during the week.

What's wrong with that ? and please don't start talking about anything else.
Seperate the problems from one another and don't mix them.
I want to know what is wrong HERE IN THIS POST ONLY without unnecessary comments ?

 

Oh, I won't dig a big discussion about all that was discussed in this thread, but there's one thing which may cause you troubles: I assume you don't mind about beeing infected, provided that everything is supposed to be gone at reboot. However, how will you be confident in the safety of your system when you're going to "commit changes" on your HD, without scanners to help you to determine it's status?

I mean you'll have to change your system, during software upgrade, and Windows updates. So you'll have to alter somehow your first shadow mode layer, isn't it?

Thus I guess you can't do without a/several (good old) scanner(s), if not a real-time scanner, just to know if you're not going to "record" malwares while updating your shadow mode session state.

Cheers,
nicM