Software Virtualization (Thinstall/Altiris SVS)

Discussion in 'sandboxing & virtualization' started by [suave], Nov 25, 2006.

Thread Status:
Not open for further replies.
  1. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Re: Thinstall - Anyone try it?

    I found a possible bug in ASVS.

    If someone can confirm it, I'll let them know at the Altiris forums.

    Bug: Files that are deleted from the base through a virtualized application are REALLY deleted from the base!

    Expected behavior: The thing that is supposed to happen when a virtualized app deletes a file from the base is that the file becomes hidden while the layer is active and a "Delete Entry" is stored for the deleted file in the "advanced layer properties".

    Steps to reproduce:
    1) Deactivate all layers.
    2) Open up notepad and save a random txt file to C:\test.txt
    3) Activate any layer that has a "File" -> "Save As" dialog (like firefox for example) or if you have a cmd.exe layer you can use that.
    4) Load up your layered (virtual) application.
    5) From within the layered application, choose File->Save As and from that dialog delete the C:\test.txt file that you created in step 2. (Or if you are using cmd.exe just delete C:\test.txt from the command line)
    6) The file should disappear from windows explorer.
    7) Deactivate the layer.
    8) Once the layer is deactivated, the file should re-appear. But it DOESN'T.

    The file has been permanently deleted from the base and no "Delete Entry" was stored for the deleted file in the "advanced layer properties". This means that any virtualized application has the ability to delete any file it wants to from your base.

    This is definitely a bug. I even read in the manual that this is not supposed to happen. So if someone else can confirm this I will report it to them right away.

    I'm using version 2.1 Beta 1 available > here<
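
A way to check the behaviour reported above without relying on Explorer, added here as an example that is not part of the original post: snapshot a base folder with all layers deactivated, run the reproduction steps, deactivate the layer, snapshot again and diff. The function names are illustrative, and `demo()` uses a constructed temporary folder in place of `C:\`.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                state[rel] = digest.hexdigest()
            except OSError:
                state[rel] = None  # locked or unreadable: record presence only
    return state


def save_snapshot(state, path):
    """Persist a snapshot so it survives the activate/deactivate cycle."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(state, fh, indent=1, sort_keys=True)


def load_snapshot(path):
    """Read back a snapshot written by save_snapshot()."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def base_changes(before, after):
    """Diff two snapshots that were both taken with all layers deactivated."""
    common = set(before) & set(after)
    return {
        "deleted": sorted(set(before) - set(after)),
        "created": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed stand-in for the test above: test.txt vanishes between snapshots."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as store:
        for name in ("test.txt", "keep.txt"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("sample\n")
        baseline = os.path.join(store, "baseline.json")
        save_snapshot(snapshot(base), baseline)      # taken before activating the layer
        os.remove(os.path.join(base, "test.txt"))    # stands in for the delete in step 5
        # Second snapshot is taken after the layer has been deactivated again.
        return base_changes(load_snapshot(baseline), snapshot(base))


if __name__ == "__main__":
    print(demo())
```

Any path listed under "deleted" after the layer has been deactivated is a file that was removed from the base itself rather than hidden by the layer.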
     
  2. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    Re: Thinstall - Anyone try it?

    [suave] said: "So if someone else can confirm this I will report it to them right away."
    I activate a ms-Money 2004 layer and start ms-Money.
    Then I open a file, browse to my desktop and delete the test document DELETE.TXT.
    I close ms-Money and deactivate the layer.
    DELETE.TXT is gone.

    Tested with same release.
     
  3. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Re: Thinstall - Anyone try it?

    Thanks for confirming that for me wilbertnl.

    Then it is indeed a bug. I will report it to them right away.
     
  4. software-tester

    software-tester Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    16
    Re: Thinstall - Anyone try it?


    Suave, I like your post; it was quick, accurate & concise!!!

    Yes, you can screw your system up with this method. It is just a test to see what will happen if you do this or try that, & the feedback is good. We all like to push software to the limit. I must say I do some crazy things with software, as we all do, sometimes just to see the effect it has on the system. Most of us in this forum test software in all manner of ways & revert back to a good working system when need be. I am interested to know what apps you use to track, monitor & observe the behavior of software you are testing. Thank you.

    software-tester
     
    Last edited: Nov 30, 2006
  5. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Re: Thinstall - Anyone try it?

    Hi software-tester, glad I could help with that :)

    As far as your question regarding my methods: I have a separate PC that I use only for testing software, malware, and all that fun stuff. I use Acronis True Image with Secure Zone and have 2 pristine XP images, one with network access, the other without (each used for different types of tests). I can screw around all I want as reverting back to my pristine image is a breeze with ATI (although some people have reported problems with ATI, I've personally never encountered any).

    Applications I like to use for monitoring system changes are MultiMon, SilentNight Inspector, and most of the sysinternals monitoring tools found here. Port Explorer, CurrPorts and AdapterWatch are good for certain things as well. I also sometimes use any firewall with logging capabilities to log network activity and using a HIPS is always a good way to know what is going on in realtime. If you have any other tools/ideas let me know. But otherwise I'd like to keep this thread on the topic of "Software Virtualization".
     
  6. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Re: Thinstall - Anyone try it?

    After further testing/researching, I've figured out a new way to do this (which I like better). Here's how:

    1) Open SVSAdmin and create a New "Empty" Layer. Call it "VirtualCMD" (Or whatever you want).

    2) Open RegEdit (Start Menu -> Run -> regedit)

    3) Navigate to [HKEY_LOCAL_MACHINE\System\Altiris\FSL\1] (Replace 1 with the number of your layer. You will have different numbered keys in HKEY_LOCAL_MACHINE\System\Altiris\FSL\. Each number represents a layer. You will have to click on each one to find the one that contains the name of your layer ("VirtualCMD", or whatever you named it in Step 1 [see screenshot]).)

    4) Once you find the right number, and you are in that key, do Edit->New->Multi-String Value. Give it the name "OnPostActivate".

    5) Right-click it, choose modify and enter: "C:\Program Files\Altiris\Software Virtualization Agent\SVSCmd.exe" 04efbef0-da4e-48c0-994e-04e3c81a9b4c exec -path C:\Windows\system32\cmd.exe (Replace the string in bold with the GUID of your layer. You can find it in the registry under "ID" [see screenshot] or by right-clicking the layer in SVSAdmin and going to properties)

    6) Press OK and close regedit.

    Now you are done. When you activate your VirtualCMD layer, a virtualized cmd.exe will automatically launch and you can take it from there ;)
     

    Attached Files: asvs.png (File size: 19.3 KB, Views: 1,484)
    Last edited: Nov 30, 2006
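
The "OnPostActivate" value set up in the steps above makes a layer run a command every time it is activated, so it is worth being able to list which layers carry one. The following is an added example, not part of the original post or of Altiris' tooling: it parses a regedit export of the FSL key and reports each layer's hook. The export text is constructed inline (reusing the GUID and command from the post); the second layer's ID and the function names are made up for illustration.

```python
import re

HOOK = "OnPostActivate"                              # value name from the post above
FSL_ROOT = r"HKEY_LOCAL_MACHINE\System\Altiris\FSL"  # key path from the post above

def decode_multi_sz(hex_text):
    """Decode a regedit hex(7) payload: UTF-16LE strings separated by NULs."""
    raw = bytes(int(b, 16) for b in hex_text.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def parse_reg_export(text):
    """Return {key_path: {value_name: str or list}} for REG_SZ and hex(7) values."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join regedit line continuations
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("hex(7):"):
            current[name] = decode_multi_sz(data[len("hex(7):"):])
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
    return keys

def layer_hooks(text):
    """List (layer_key, layer_id, command) for every layer with an activation hook."""
    found = []
    for path, values in parse_reg_export(text).items():
        if not path.lower().startswith(FSL_ROOT.lower() + "\\"):
            continue
        hooks = values.get(HOOK, [])
        if isinstance(hooks, str):  # tolerate a hook stored as a plain string
            hooks = [hooks]
        found.extend((path, values.get("ID"), cmd) for cmd in hooks)
    return found

def _hex7(strings, per_line=12):
    """Encode strings the way regedit exports a multi-string (builds the sample)."""
    raw = ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")
    cells = ["%02x" % b for b in raw]
    rows = [",".join(cells[i:i + per_line]) for i in range(0, len(cells), per_line)]
    return "hex(7):" + ",\\\n  ".join(rows)

# Constructed sample export: layer 1 has the hook from the post, layer 2 has none.
SAMPLE_CMD = (r'"C:\Program Files\Altiris\Software Virtualization Agent\SVSCmd.exe" '
              r'04efbef0-da4e-48c0-994e-04e3c81a9b4c exec -path C:\Windows\system32\cmd.exe')
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + FSL_ROOT + "\\1]",
    '"ID"="04efbef0-da4e-48c0-994e-04e3c81a9b4c"',
    '"' + HOOK + '"=' + _hex7([SAMPLE_CMD]),
    "",
    "[" + FSL_ROOT + "\\2]",
    '"ID"="00000000-0000-0000-0000-000000000002"',
])

if __name__ == "__main__":
    for key, layer_id, cmd in layer_hooks(SAMPLE_EXPORT):
        print(key, layer_id, cmd, sep="\n  ")
```

A real regedit export is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `layer_hooks()`.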
  7. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    Re: Thinstall - Anyone try it?

    I repeated this test in release 2.0.1393 and the result is the same. DELETE.TXT is gone forever.
     
  8. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Re: Thinstall - Anyone try it?

    Hey wilbertnl,

    That's insane. According to the manual this is NOT supposed to happen. And one would expect it not to happen as well (since virtualized software is supposedly unable to modify the system).

    I let them know at the Altiris forum:
    http://forums.altiris.com/messageview.aspx?catid=43&threadid=37296&enterthread=y

    You can sign up too and post your thoughts in that forum if you want to. ;)

    They haven't gotten back to me yet but it looks like they reply quickly judging by the other topics there. :)
     
  9. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Re: Thinstall - Software Virtualization

    Thinstall looks better all the time. (IF you inherited a lot of money from that long lost Aunt.) It really is too bad that Thinstall is so ridiculously expensive.
     
  10. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Re: Thinstall - Software Virtualization

    Hey Genady Prishnikov,

    I also like Thinstall and hate the price, but the more I use ASVS the more I seem to like it.

    What do you like about Thinstall? I want to hear some opinions from other Thinstall fans like you :D

    I want to know what makes you like it better.
     
  11. danrather

    danrather Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    2
    Well, I just read through this thread and thought I'd post a couple of thoughts.

    Thinstall - this application is clearly targeted toward the Enterprise/Corporate space and is priced that way. As for price, we do not know how much it cost to develop it so at $5k it may still take them quite a while to get their ROI. The support required for home users would also be very cost prohibitive to a company.

    Altiris SVS as some sort of malware/sandbox. It's not designed for that. This is another Enterprise/Corporate application but the company has been gracious (or maybe in their grand plan) allowed it free for personal use. I use Sandboxie when I want everything contained as that is what it is designed for. I checked the juice forums and it sounds like SVS is behaving as intended. There are differences between a bug and possibly a design decision that leads to a negative impact (and I think anyone who has done real software development will agree). As for the docs, they might not be accurate - the technical writers who do these docs are not developers and close to the code.

    And here is a little review of some of the sandbox apps and what they are capable of: http://www.techsupportalert.com/security_virtualization.htm
     
  12. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    I agree with you that ASVS isn't designed as a sandbox, but it does handle the virtualizing part well. If you run malware in a real sandbox, the malware wouldn't be able to access any info from other apps/files on your hard drive and under most circumstances that would render the malware useless.

    With ASVS, if you run malware inside a layer, then the malware is actually active on your system for the time the layer is active. Once you deactivate the layer or delete it, it is as if the malware was never there. So yeah, it's not a bulletproof solution against threats, but it does do what it's designed to do and that's getting your system back to its original state.

    That link you posted is not such a good test. I don't think ASVS and ShadowUser should have been a part of that test. They are comparing products that are totally different from each other and testing them against things they aren't supposed to handle in the first place.

    Anyways, Altiris even states on their website that ASVS is NOT a security software. But nevertheless, due to the nature of the software it does provide a minimal level of security, just like ShadowUser does. That's how I look at it. :)

    Just to be sure, are you talking about the ability to permanently delete files through a virtualized application? If so, then yes I do strongly feel that this is a bug or at least an unexpected behavior that should be fixed. There is no reason for a virtualized application to be able to make permanent system changes. That goes against everything ASVS stands for. Once you deactivate a layer the system should be back to its original state without any modifications to the filesystem/registry.

    There have been a couple of reports about this problem at their forum, but it doesn't seem like they are acknowledging the fact that this indeed is a problem. It's even worse now that I know this is an ongoing problem since the previous versions. :(
     
    Last edited: Dec 4, 2006
  13. danrather

    danrather Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    2
    If you look at the type of products that Altiris sells, I think you'll have a better understanding of where this fits in. My previous company used some of their software for software deployment and Sarb-Ox compliance. They are not creating products to work in the scope that you would like. It would be cool if there was such an option, and maybe there is since you apparently have the option of making the base layer read-only - it just doesn't work that way by default.

    The reason I posted that link is that it does demonstrate people trying to use a couple of non-sandbox applications as sandboxes. ASVS is close to it but definitely not one.

    How about as a different example, we go with something closer to how ASVS is more likely to be used. I have an Enterprise and I use this to deploy VSA's out to my users. I use it to "install" something like CCleaner or Tune-Up Utilities which are run to clean/fix things with the base layer. Should all that be put back when that layer is deactivated? I would hope not.


    Yeah we are talking about the same thing. I'll stand by my above example as the way I think ASVS is supposed to perform. Just because people think it is a problem, doesn't mean that it really is :)

    For argument's sake, let's say it really is a bug, and even an acknowledged one. There are no guarantees that it will or can get fixed. I don't know your background and don't mean to be perceived as insulting but as someone who has worked in the software/hardware/security/network industry in silicon valley for about 15 years, there are many factors to these things. Priority is probably the highest but that is influenced by things like how many customers are hitting it? how does it impact them? how much revenue do they bring in? can they work-around it or live with it? Then you have to look at do we have the resources to fix it? can it be fixed? how long will it take? what has to be dropped in order to fix it? That's just off the top of my head, there are more I'm sure. These are things I've had to answer/question on the products I've worked with.

    So can't you make the base layer read-only from that particular layer? I'd be more pissed if I had to install something in the base layer because I would undo everything from a software layer.
     
  14. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    That's a good example, I haven't thought of that. I also haven't been using ASVS long enough to have encountered a situation like that.

    Although, if you virtualize all your software, you shouldn't need apps like CCleaner as your base would already be clean. But it is also not likely that one would virtualize every software anyways. So let's say you did need to run CCleaner or another app that requires the ability to make permanent base changes. Then so it seems that some virtualized applications do in fact need to be able to make those permanent changes to the base in order to be effective at what they do. But that still doesn't justify the need to let ALL your virtualized software have this ability. This is what the exclusions are for. For CCleaner I would just allow permanent base changes for that layer only to whatever folders it needs to delete files from, or even just add the whole C:\ to the exclusions and not worry about it as it is an application I trust.

    I'd rather have the ability to decide which layer gets to modify my system and which layer doesn't, rather than ASVS give all my virtual software the right to make changes without any way to disable that. That's why we have the exclusions. So that we can set permissions for certain apps. If I want I can give CCleaner (and only CCleaner) the ability to delete files from the base. But am I supposed to be forced to give all my virtual software this ability?

    And besides, these permanent changes we are talking about are only for deleting files from the base. Everything else is working perfectly according to the manual which is why this must be a bug.

    Here are the things that ASVS currently does while you use a virtualized app:

    1) Any files you modify/create are NOT permanent.
    2) Any registry keys you modify/create/delete are NOT permanent.

    When in fact it should be:

    1) Any files you modify/create/delete are NOT permanent.
    2) Any registry keys you modify/create/delete are NOT permanent.

    It says this on their website, and also in the manual. As a matter of fact, the manual even goes through all the trouble of illustrating the example. They tell you to open up MSWord (or some other software that you have virtualized) and do a File -> Save AS. Then delete files from that save as dialog and then deactivate the layer and watch how the files come back. Well, they don't come back :)

    It's clearly a bug (at least in my opinion) and I don't think it will be possible for anyone to convince me otherwise.

    With that said, I want to ask you something. CCleaner cleans the registry by deleting certain keys. When you run CCleaner and clean the registry, once you deactivate the layer those registry settings come back (like they are supposed to). So how do you overcome this?

    I agree with you that some virtualized apps do need to make permanent base changes. But those particular apps don't only need filesystem "delete" access. They also need filesystem write/modify access and also registry write/modify/delete access.

    This is one of the main reasons why I think this has to be a bug in ASVS. I mean, why give all virtualized apps the ability to delete files but not modify/write them. Why even give us an exclusions list when files can be deleted whether the directory is allowed or not. Why give false examples in the manual and make untrue statements on the website?

    Most of the threads at the ASVS forums have answers from the ASVS staff, but the threads about this particular problem seem to be ignored and I don't know why. At the least, they should explain why ASVS behaves this way. But maybe there is no explanation? Maybe this is something that they cannot fix, and at the same time don't want people to know about? I don't know. What else would be a reason for not giving us answers? By giving us answers, they will be admitting it is a problem and at the same time falsify their statements about ASVS and how it works. And the only reason that I could see for them not fixing this problem is because they can't. Maybe by fixing this it will cause ASVS to not function properly or something? Who knows?

    Anyways, here is a quote from the ASVS website:

    "Software Virtualization Solution allows you to instantly activate, deactivate or reset applications and to completely avoid conflicts between applications, without altering the base Windows installation."

    "Software Virtualization Solution ensures applications use correct files and registry settings, without modifying the OS and without interfering with other applications. This software management solution allows you to host multiple versions of an application on the same system without conflicts between older and newer files."


    That's not very true since virtual software does have the ability to delete files and therefore can modify the base which means that it is possible to introduce system conflicts as well as interfere with other applications on the system.

    No matter how much I read the manual, no matter how much I read the forums, no matter how much I read the website, no matter how much I think about it, I always come to the conclusion that this is a bug in the software and real unexpected behavior. Even the guy who wrote the manual thinks this way as well. And I'm sure the developers have read the manual as well. They know what it says. Why they aren't fixing it is the real question :p

    Edit: I'm so sorry for the long post. I didn't realize how much I was typing :rolleyes:

    Another Edit: It seems this bug has finally been acknowledged only 3 days ago. See AngelD's posts >HERE<. Now that it has been reported to the developers I am eager to see what happens :)
     
    Last edited: Dec 4, 2006
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    First excited, now calmed down:D , but i am curious. Is the issue resolved?
    It's a big no-no. If it isn't resolved, SVS is not worth trying, since it's possible to mess up what cannot be messed.
    If it is, it's one of those excellent applications. Close to VM in fantasticability!
    But, it really has to perform perfectly. Programs running good in layers or not is another issue, but it has to be able not to mess the base.

    So, what's new in SVS's world?
    Suave, Wilbertnl, cthorpe, Notok?!
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Link
    :mad: :mad: :thumbd:
     
  17. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Thank you wilbertnl:thumb: :thumb:
    Did they solve the problem?

    Lucas just gave me a slap in tha face:ouch:
    Symantec seems like Microsoft. Buying companies left and right. How can anyone manage this? Sure, they'll make tons, but what about the product... (I'm talking to the air for nothing, I know)
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, I can only hope that Altiris doesn't become the next Sygate.
     
  20. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    Which problem are you talking about?

    Altiris SVS isn't another sandbox solution, it is packaging software installations which you are able to activate/deactivate with a single click.
    When activated the software does interact with the core system.

    If you understand this concept, then Altiris will work like a charm for you.
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    :thumb:
    :thumb:
    :thumb:Post 114, by Suave ; not behaving the way it should. I suppose it depends on the program we use. If it's Word alike, it should write to the base. Maybe they all should, but as he said:

    :doubt:
     
  22. randycoder

    randycoder Registered Member

    Joined:
    Feb 8, 2007
    Posts:
    4
    Disclaimer: I work for Altiris on SVS.

    What a great thread. Made my day.

    Just a comment on the file delete issue... Currently our primary customers for SVS are enterprise customers. Because of this, change in behavior must be taken very seriously and done at the proper major/minor release even if we think it is a bug. I do think that the current behavior is probably wrong and we will likely change it. (But I reserve the right to back-pedal if we get into our design and I remember why we did it this way in the first place ;)

    The reason I developed this software was for people like you and me. We got lucky in that Altiris doesn't have a channel to the end user and Scott and I were able to convince Altiris that it would be valuable to have power users out there using the stuff. So I don't see the "free for personal use" going away any time soon.

    I'll post some thoughts on Thinstall vs SVS a bit later.
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Very good news :thumb:
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I understand, and appreciate the effort:thumb:
     
  25. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    Does anyone have this Serial? I can't find it.
     