Best virtualization/rollback software?

Discussion in 'sandboxing & virtualization' started by Overkill, Apr 12, 2012.

Thread Status:
Not open for further replies.
  1. Overkill

    Overkill Registered Member

    Hi all,
    I know of a few and was wondering which is the best most bulletproof program on the market currently?
    There's a couple timefreeze programs,deepfreeze,comodo time machine, rbrx,returnil & shadow defender...are there anymore?
    Currently I use toolwiz timefreeze because it's free and seems to have a good rep.
  2. Victek

    Victek Registered Member

    I don't know that there's a "best" one. By reading the threads here you can tell which programs are popular and why, but none of them are bulletproof. I used Comodo Time Machine for a while and it worked fine for me. I also had no problem uninstalling it however some people did. CMT alters the MBR (maybe they all do?) and if it's not restored properly the system becomes unbootable. Typically this type of program creates issues for disk imaging and defragmenting as well. I suggest that whichever program you use you understand how to remove it and how to backup/image the system. Sooner or later it's going to go south on you. And by the way, it best not to ask which program is "best" - so-called "A Vs B" discussions are discouraged (the admins often close the thread). Better to discuss uses and features.
  3. bgoodman4

    bgoodman4 Registered Member

    There is a huge difference between virtualization and rollback software. If you are looking for the best of each then you might want to ask 2 seperate questions. Trying to find the best virtualization/rollback software is like trying find the best apple/orange.
  4. Victek

    Victek Registered Member

    Perhaps you can provide a working definition. The OP mentioned using toolwiz time freeze - do you consider that virtualization or rollback software?
  5. CyberMan969

    CyberMan969 Registered Member

    Time Freeze is light virtualization, just like returnil, Shadow Defender, Wondershare Time Freeze and some more. Then there are snapshot software like Comodo Time Machine and Rollback RX. So far Shadow Defender seems to be the only one able to withstand TDSS rootkits.

    I use Shadow Defender as well as Rollback RX. Rollback RX snapshots allows you to easily switch between different states of your protected drive in seconds, and undoes non-malicious system changes. You can also install and test different software safe in the knowledge that you won't have to uninstall them if you don't want to keep them: All it takes is a reboot and restoration of an older snapshot, nd in a few seconds your system is back exacly as it was at the moment you took the snapshot.

    Shadow Defender on the other hand is my safety net against malicious software that Rollback will not be unable to withstand alone. I use both programs because they provide different functions for me.

    Add Avast! free antivirus and Comodo Free HIPS/Firewall to the mix and you'll be sorted. Sandboxie and MAlwareBytes' AntiMalware are also good for a really paranoid mix. :D :D :D
  6. Osaban

    Osaban Registered Member

    Rather than 'Best' which is very difficult to qualify I would be inclined to argue about what situations are best suited for virtualization or rollback technology. I can only write about what I use of course, Shadow Defender and Rollback Rx, two fairly popular applications at Wilders.

    Shadow Defender is excellent for users who are generally browsing without having to worry about any changes brought about by malware or user's mistakes, a quick reboot and the system is recovered exactly as it had been before starting the session.

    Now this very strong protection of SD of completely deleting the corrupted session on reboot is sometimes problematic on a 'working' computer. Let me give you an example. Last week I had been working for more than three hours collecting data from different USB flash drives (third party flash drives), and for security reasons I had created a snapshot for this situation using RB Rx.

    Everything went well, and I thought the material should be safe as I had Avira and MBAM in real time (one can never be sure of course) but given the time factor, it is good enough. Then for some unknown reasons after transferring one of the last flash drives to my computer, Windows Explorer crashed, and would restart corrupted, I couldn't do anything about the files, and I thought, God I'm going to lose all the work (3 Hours).

    Now if I had used Shadow Defender It would have been game over, as not being able to 'commit' the work, rebooting would have wiped out everything. In these conditions RB Rx is excellent, as rebooting the system (not rollback at this stage) not only settled the problem (which was not malware related) but retained everything including my new work. Even if malware had created the problem it is better to have an infected snapshot from which data can be later retrieved than nothing at all on a clean computer (incidentally I could have rollback the system and later retrieved important files from the corrupted snapshot).

    Most situations can be managed by both SD and RB Rx, but as configurations mistakes and system corruption tend to be a lot more widespread than malware (at least in my experience) RB Rx seems more versatile than SD.
  7. Scott W

    Scott W Registered Member

    As another user of both RB and SD I agree that RB is the more versatile of the two, but also more vulnerable! SD is an excellent security complement to RB, since TDSS (and other) rootkits have been able to penetrate RB and just about every ISR/LV app, except for SD.

  8. Overkill

    Overkill Registered Member

    My apologies for not wording it correctly...I wasn't sure what to call it because they have a bit of both in those programs, I appreciate all the comments also :)
  9. Overkill

    Overkill Registered Member

    Thanks Scott that's good to know about SD :D
  10. buckslayr

    buckslayr Registered Member

    Do you use SD all the time or on demand?
  11. Scott W

    Scott W Registered Member

    Hi buckslayr,

    I don't mean to answer for CyberMan, but fwiw I enable SD whenever I'm about to surf the net (not when I'm running local apps), whereas RB is running all of the time!

  12. kupo

    kupo Registered Member

    Toolwiz Time Freeze, it's free for any kind of use and actively being developed ;)
  13. CyberMan969

    CyberMan969 Registered Member

    I activate shadow mode before I go online, or if I want to test a suspicious/potentialy unsafe program.
  14. Scott W

    Scott W Registered Member

    Yes, but until it is shown that TTF can contain TDSS rootkits from penetrating it's virtualized environment I for one will continue to use Shadow Defender, which is the only LV software that's been proven capable of doing so! ;)

  15. Victek

    Victek Registered Member

    Have you tested this yourself? I ask because TDSS continues to "improve" and if SD is no longer being developed it seems likely that at some point it will be compromised.
  16. Scott W

    Scott W Registered Member

    Actually I conducted SD-malware tests as part of my job (in my capacity as a software engineer in our QA Dept). In late 2007, when LV apps were still in their infancy the concept seemed like a promising solution for 3 of our IS concerns:
    1. User-Induced Errors. We needed to improve system uptime by undoing accidental user-changes to our standard system.
    2. Change Management. We needed a fast but safe means for testing updates, patches, and new applications.
    3. Malware Protection. We were looking for a better malware protection approach than the typical antiviral software available at the time. The LV concept promised to minimize system downtime/damage due to malware outbreaks by preventing malware from ever being written to the hard disk.
    So we decided to evaluate 3 such LV apps, Deep Freeze, Returnil and Shadow Defender. We started our testing in late 2007 and completed the first stage in the Summer of 2008. While all 3 LV apps proved to be a good solution for items 1 and 2, of the 3 only SD fully satisfied item 3. The TDSS-1 (TDL-1) rootkit had recently appeared on the scene, so we obtained a copy and 'infected' 3 systems each protected by one of those 3 LV apps. Only SD was able to contain this rootkit, completely discarding it upon system restart.

    Based on that initial test phase, our company bought a number of SD licenses in late 2008. Since then we have continued to test SD's malware protection ability, including TDSS (TDL) variants 2, 3, and 4. As of our last test phase, conducted in Sept. 2011, none of the tested malware has been able to penetrate SD's virtualization!

    Sorry for being so long-winded, but you did ask... ;)

    Last edited: Apr 18, 2012
  17. LoneWolf

    LoneWolf Registered Member

    Good to know. ;)
    I've been a satisfied SD user for about 2½ years now and have never been let down.
    If your company does anymore testing with SD in the future I would be interested in the results. (as would others here I'm sure)
  18. Scott W

    Scott W Registered Member

    I'll do that, but don't let what I've reported make you complacent as no single security app is invulnerable! While SD is very good, I'm sure there's something out there that can penetrate it (I just haven't found/tested it yet). ;)

  19. LoneWolf

    LoneWolf Registered Member

    Thanks for that.
    Yes I know that no one security app should be relied on solely, which is why I use and believe in the layered approach.
  20. kjdemuth

    kjdemuth Registered Member

    I love me some layers. I do like shadow defender. It's one of the programs I stumbled upon and can't seem to let it go.
  21. Victek

    Victek Registered Member

    Thanks, the in-depth explanation is exactly what I wanted :cool:
  22. The Shadow

    The Shadow Registered Member

    Scott, thanks for that detailed explanation. Btw, which Shadow Defender version is being used at your company (I would assume you use the same version)?
  23. Scott W

    Scott W Registered Member

    Hey SD, I would say that you're a fan!!! ;)

    The answer to your question is kind of convoluted. At work we use a modified version of SD; we didn't want anyone using Exclusions or Commit Now so we had those funtions disabled. We started with a modified version of (to the best of my recollection) evolving to a modified version of At home I use the standard v1.1.0.325 (although I never exclude or commit anything)!

    Good night,
  24. bgoodman4

    bgoodman4 Registered Member

    A quick question regarding this discussion.

    I am running RollBack Rx along with ESET Smart Security, I would run SD as well when browsing but find the need to reboot to get out of SD a bit of a pain. I have never been hit with TDSS (at least not to my knowledge) and was wondering if ESET is able to defend against this or should I REALLY be turning on SD every time I surf the net.
  25. Scott W

    Scott W Registered Member

    Hi bg,

    As to whether or not ESET is able to defend against rootkits (and in particular, the TDL variants) I really don't know. Perhaps if you submitted that inquiry in the ESET forums, someone there may be able to provide a definitive answer.

    But as you probably know, I'm also an RB user (along with SD). I always enable SD before surfing the web and seldom find any reason to get out of Shadow Mode before shutting down because my emails and other downloads are saved on my D-partition (which I do not protect with SD).

    Last edited: Apr 20, 2012
Thread Status:
Not open for further replies.