Best virtualization/rollback software?

Discussion in 'sandboxing & virtualization' started by Overkill, Apr 12, 2012.

Thread Status:
Not open for further replies.
  1. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Hi all,
    I know of a few and was wondering which is the best most bulletproof program on the market currently?
    There's a couple of timefreeze programs, deepfreeze, comodo time machine, rbrx, returnil & shadow defender... are there any more?
    Currently I use toolwiz timefreeze because it's free and seems to have a good rep.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I don't know that there's a "best" one. By reading the threads here you can tell which programs are popular and why, but none of them are bulletproof. I used Comodo Time Machine for a while and it worked fine for me. I also had no problem uninstalling it; however, some people did. CTM alters the MBR (maybe they all do?) and if it's not restored properly the system becomes unbootable. Typically this type of program creates issues for disk imaging and defragmenting as well. I suggest that whichever program you use, you understand how to remove it and how to backup/image the system. Sooner or later it's going to go south on you. And by the way, it's best not to ask which program is "best" - so-called "A Vs B" discussions are discouraged (the admins often close the thread). Better to discuss uses and features.
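    One way to act on the MBR advice above, as an added example that is not from the thread or from any of the products named: save the first sector before installing a rollback product, then parse the live one and report whether the boot code, partition table or boot signature changed. It assumes Python with read access to the raw device (or to an earlier backup file); the sample MBR below is constructed.

```python
"""Save and compare the MBR (first 512 bytes of the disk) so a boot sector that a
rollback product rewrote can be spotted, and restored from the saved copy if needed."""
import hashlib
import struct

SECTOR = 512

def read_mbr(path: str) -> bytes:
    # path is a raw device (r"\\.\PhysicalDrive0" on Windows, "/dev/sda" on Linux)
    # or a backup file written earlier with the same 512 bytes
    with open(path, "rb") as f:
        return f.read(SECTOR)

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, used partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):  # 16-byte entries at offset 446; type 0 means an unused slot
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype:
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == b"\x55\xaa"}

def diff_mbr(baseline: bytes, current: bytes) -> list:
    """List what changed between the saved MBR and the live one."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not b["signature_ok"]:
        findings.append("boot signature missing: BIOS will not boot this disk")
    if a["bootcode_sha256"] != b["bootcode_sha256"]:
        findings.append("boot code replaced (custom boot loader installed)")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings

def make_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample MBR: one bootable NTFS-type partition at LBA 2048, 1 GiB."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2097152)
    return bootcode.ljust(446, b"\0") + entry + b"\0" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    # constructed before/after pair: same partition table, different boot code
    print(diff_mbr(make_sample_mbr(b"STOCK BOOT CODE"), make_sample_mbr(b"SNAPSHOT HOOK")))
```

    Keep the saved sector off the protected disk so it is available if the uninstall leaves the system unbootable.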
     
  3. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    There is a huge difference between virtualization and rollback software. If you are looking for the best of each then you might want to ask 2 separate questions. Trying to find the best virtualization/rollback software is like trying to find the best apple/orange.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Perhaps you can provide a working definition. The OP mentioned using toolwiz time freeze - do you consider that virtualization or rollback software?
     
  5. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Time Freeze is light virtualization, just like returnil, Shadow Defender, Wondershare Time Freeze and some more. Then there are snapshot software like Comodo Time Machine and Rollback RX. So far Shadow Defender seems to be the only one able to withstand TDSS rootkits.

    I use Shadow Defender as well as Rollback RX. Rollback RX snapshots allow you to easily switch between different states of your protected drive in seconds, and undo non-malicious system changes. You can also install and test different software safe in the knowledge that you won't have to uninstall them if you don't want to keep them: all it takes is a reboot and restoration of an older snapshot, and in a few seconds your system is back exactly as it was at the moment you took the snapshot.

    Shadow Defender on the other hand is my safety net against malicious software that Rollback will be unable to withstand alone. I use both programs because they provide different functions for me.

    Add Avast! free antivirus and Comodo Free HIPS/Firewall to the mix and you'll be sorted. Sandboxie and Malwarebytes' AntiMalware are also good for a really paranoid mix. :D :D :D
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Rather than 'Best', which is very difficult to qualify, I would be inclined to argue about which situations are best suited for virtualization or rollback technology. I can only write about what I use of course, Shadow Defender and Rollback Rx, two fairly popular applications at Wilders.

    Shadow Defender is excellent for users who are generally browsing without having to worry about any changes brought about by malware or the user's mistakes: a quick reboot and the system is recovered exactly as it had been before starting the session.

    Now this very strong protection of SD of completely deleting the corrupted session on reboot is sometimes problematic on a 'working' computer. Let me give you an example. Last week I had been working for more than three hours collecting data from different USB flash drives (third party flash drives), and for security reasons I had created a snapshot for this situation using RB Rx.

    Everything went well, and I thought the material should be safe as I had Avira and MBAM in real time (one can never be sure of course) but given the time factor, it is good enough. Then for some unknown reason, after transferring one of the last flash drives to my computer, Windows Explorer crashed and would restart corrupted. I couldn't do anything about the files, and I thought, God, I'm going to lose all the work (3 hours).

    Now if I had used Shadow Defender it would have been game over, as not being able to 'commit' the work, rebooting would have wiped out everything. In these conditions RB Rx is excellent, as rebooting the system (not rollback at this stage) not only settled the problem (which was not malware related) but retained everything including my new work. Even if malware had created the problem it is better to have an infected snapshot from which data can be later retrieved than nothing at all on a clean computer (incidentally I could have rolled back the system and later retrieved important files from the corrupted snapshot).

    Most situations can be managed by both SD and RB Rx, but as configuration mistakes and system corruption tend to be a lot more widespread than malware (at least in my experience) RB Rx seems more versatile than SD.
     
  7. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    As another user of both RB and SD I agree that RB is the more versatile of the two, but also more vulnerable! SD is an excellent security complement to RB, since TDSS (and other) rootkits have been able to penetrate RB and just about every ISR/LV app, except for SD.

    Scott
     
  8. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    My apologies for not wording it correctly...I wasn't sure what to call it because they have a bit of both in those programs, I appreciate all the comments also :)
     
  9. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks Scott that's good to know about SD :D
     
  10. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA

    Do you use SD all the time or on demand?
     
  11. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    Hi buckslayr,

    I don't mean to answer for CyberMan, but fwiw I enable SD whenever I'm about to surf the net (not when I'm running local apps), whereas RB is running all of the time!

    Scott
     
  12. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Toolwiz Time Freeze, it's free for any kind of use and actively being developed ;)
     
  13. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I activate shadow mode before I go online, or if I want to test a suspicious/potentially unsafe program.
     
  14. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    Yes, but until it is shown that TTF can contain TDSS rootkits from penetrating its virtualized environment I for one will continue to use Shadow Defender, which is the only LV software that's been proven capable of doing so! ;)

    Scott
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Have you tested this yourself? I ask because TDSS continues to "improve" and if SD is no longer being developed it seems likely that at some point it will be compromised.
     
  16. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    Actually I conducted SD-malware tests as part of my job (in my capacity as a software engineer in our QA Dept). In late 2007, when LV apps were still in their infancy the concept seemed like a promising solution for 3 of our IS concerns:
    1. User-Induced Errors. We needed to improve system uptime by undoing accidental user-changes to our standard system.
    2. Change Management. We needed a fast but safe means for testing updates, patches, and new applications.
    3. Malware Protection. We were looking for a better malware protection approach than the typical antiviral software available at the time. The LV concept promised to minimize system downtime/damage due to malware outbreaks by preventing malware from ever being written to the hard disk.
    So we decided to evaluate 3 such LV apps, Deep Freeze, Returnil and Shadow Defender. We started our testing in late 2007 and completed the first stage in the Summer of 2008. While all 3 LV apps proved to be a good solution for items 1 and 2, of the 3 only SD fully satisfied item 3. The TDSS-1 (TDL-1) rootkit had recently appeared on the scene, so we obtained a copy and 'infected' 3 systems each protected by one of those 3 LV apps. Only SD was able to contain this rootkit, completely discarding it upon system restart.

    Based on that initial test phase, our company bought a number of SD licenses in late 2008. Since then we have continued to test SD's malware protection ability, including TDSS (TDL) variants 2, 3, and 4. As of our last test phase, conducted in Sept. 2011, none of the tested malware has been able to penetrate SD's virtualization!

    Sorry for being so long-winded, but you did ask... ;)

    Scott
     
    Last edited: Apr 18, 2012
  17. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Good to know. ;)
    I've been a satisfied SD user for about 2½ years now and have never been let down.
    If your company does anymore testing with SD in the future I would be interested in the results. (as would others here I'm sure)
     
  18. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    I'll do that, but don't let what I've reported make you complacent as no single security app is invulnerable! While SD is very good, I'm sure there's something out there that can penetrate it (I just haven't found/tested it yet). ;)

    Scott
     
  19. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Thanks for that.
    Yes I know that no one security app should be relied on solely, which is why I use and believe in the layered approach.
     
  20. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I love me some layers. I do like shadow defender. It's one of the programs I stumbled upon and can't seem to let it go.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Thanks, the in-depth explanation is exactly what I wanted :cool:
     
  22. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Scott, thanks for that detailed explanation. Btw, which Shadow Defender version is being used at your company (I would assume you use the same version)?
     
  23. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    Hey SD, I would say that you're a fan!!! ;)

    The answer to your question is kind of convoluted. At work we use a modified version of SD; we didn't want anyone using Exclusions or Commit Now so we had those functions disabled. We started with a modified version of 1.1.0.261 (to the best of my recollection) evolving to a modified version of 1.1.0.325. At home I use the standard v1.1.0.325 (although I never exclude or commit anything)!

    Good night,
    Scott
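    A toy model of the shadow-mode behaviour discussed in posts 16 and 23 (writes never reach the protected disk, an excluded partition bypasses the shadow, Commit Now pushes one change through, reboot discards the rest), written as an added example here rather than taken from Shadow Defender or any product in the thread. It assumes nothing beyond Python; the paths and the tampering are constructed, and it also reproduces the "3 hours of uncommitted work" loss from Osaban's post.

```python
class ShadowVolume:
    """Toy model of shadow mode: writes to protected paths go to a redirect store that is
    discarded at reboot unless committed; excluded paths are written straight to disk."""

    def __init__(self, base: dict, exclusions=()):
        self.base = dict(base)               # what is really on disk (path -> bytes)
        self.redirect = {}                   # shadowed writes, lost at reboot
        self.exclusions = tuple(exclusions)  # path prefixes that bypass the shadow
        self.shadow_mode = False

    def _shadowed(self, path: str) -> bool:
        return self.shadow_mode and not any(path.startswith(p) for p in self.exclusions)

    def write(self, path: str, data: bytes) -> None:
        if self._shadowed(path):
            self.redirect[path] = data
        else:
            self.base[path] = data

    def read(self, path: str):
        # the redirect store wins while shadow mode is on; after reboot only base is left
        return self.redirect.get(path, self.base.get(path))

    def commit(self, path: str) -> None:
        """'Commit Now': push one shadowed write through to the real disk."""
        if path in self.redirect:
            self.base[path] = self.redirect.pop(path)

    def reboot(self) -> None:
        """Leaving shadow mode throws away every uncommitted change, wanted or not."""
        self.redirect.clear()
        self.shadow_mode = False


def session_demo() -> dict:
    """Constructed session: C: protected, D: excluded, as described in the thread."""
    vol = ShadowVolume({"C:/drivers/x.sys": b"clean"}, exclusions=("D:/",))
    vol.shadow_mode = True
    vol.write("C:/drivers/x.sys", b"hooked")       # simulated tampering with a driver
    vol.write("C:/docs/report.docx", b"3 hours")   # new work, never committed
    vol.write("D:/mail/inbox.pst", b"mail")        # on the excluded partition
    vol.write("C:/docs/notes.txt", b"keep")
    vol.commit("C:/docs/notes.txt")                # explicitly kept before reboot
    vol.reboot()
    return {p: vol.read(p) for p in ("C:/drivers/x.sys", "C:/docs/report.docx",
                                     "D:/mail/inbox.pst", "C:/docs/notes.txt")}
```

    The model works at the file level; it says nothing about writes that bypass the filesystem filter, which is exactly the gap the rootkit tests in the thread were probing.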
     
  24. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    A quick question regarding this discussion.

    I am running RollBack Rx along with ESET Smart Security, I would run SD as well when browsing but find the need to reboot to get out of SD a bit of a pain. I have never been hit with TDSS (at least not to my knowledge) and was wondering if ESET is able to defend against this or should I REALLY be turning on SD every time I surf the net.
     
  25. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    Hi bg,

    As to whether or not ESET is able to defend against rootkits (and in particular, the TDL variants) I really don't know. Perhaps if you submitted that inquiry in the ESET forums, someone there may be able to provide a definitive answer.

    But as you probably know, I'm also an RB user (along with SD). I always enable SD before surfing the web and seldom find any reason to get out of Shadow Mode before shutting down because my emails and other downloads are saved on my D-partition (which I do not protect with SD).

    Hth,
    Scott
     
    Last edited: Apr 20, 2012