The ErikAlbert Approach - A test

Discussion in 'FirstDefense-ISR Forum' started by Peter2150, Nov 27, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Not me, but I'm not an expert either. The only thing I can think of is the user himself, who can download an infected file, install it, run it after approval of AE, and freeze it. Then your computer will be infected forever.
    The user is really the weakest link in any security setup, and that means me, ErikAlbert.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If a user is confident of not making that mistake, then she/he doesn't need much more than something to prevent remote code execution to download/install an executable.

    There must be many such users, which probably explains why so many people have just one or two security products. See the "What is your Setup" Thread.


    ----
    rich
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The answer to that goes back to what started me on this in the first place. And yes, the weak link was ME. I was assuming that because I trusted something it was trustworthy. Someone else's misfortune proved that not valid. I have to admit, with a bit of care Sandboxie and FDISR (frozen or not) is really rock solid.

    I've always been a bit concerned about my 2nd internal drive, and the simple addition to Sandboxie of d: solved that. A lot of folks have tried Sandboxie, and anytime anyone comes close, Tzuk plugs the hole.

    I think Erik can attest to the difference in the current versions. Also the price is right: $25 gets you an unlimited site license.

    Pete
     
  4. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    That's what I was thinking: how did that virus actually get onto your locked drive? :D
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Wilders isn't the real world; most members are already informed.
    At malware forums, like SWI, you see the real average users at work: one HijackThis log after another, and all these qualified helpers are addicted to solving these logs, like crossword puzzles.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually PC Security blocked the del and blocked the reformat, with the drive hidden and locked, but the virus still got to it. That's why, when the file and folder hiding program didn't stop the reformat, I didn't go any further.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If you will qualify that statement to read, "some real average users" I will concur. I know many "average" users who never get infected.

    BTW - in other threads you've mentioned how you trust your sources for software.

    Will we get to the point where Erik Albert's R.I.P.S. will consist of just one security product: Sandboxie (along with FDISR and Firewall for protection)?


    ----
    rich
     
  8. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    One of my average user clients telephoned: he had managed to rotate his desktop through 90 degrees and needed a bit of help. A few days ago another lost his Outlook .pst. Another thought his wireless keyboard was broken, just because he had not recharged the batteries. So far none of them have managed to get infected. Perhaps we should reclassify average users into those who don't know enough to get infected and those who know enough to get into trouble, but not out of it?
     
  9. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    My intention is always to get to a minimal setup, and thanks to our fellow members I learned a lot about how to do that. Security is a necessity to protect personal stuff, and if settled to my content it will stay that way for a long time. Maybe your situation is different, but 95 % of my PC time I've got to work on it to make a living, so security in my case is a necessity but not a toy to play with, as is the case with most average people I guess.
     
  10. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Inter-Protocol Cross-site scripting...

    The time period between the recovery of two snapshots is still a field for exploits. The sandbox will enclose the malware, but can sandboxing stop it from acting?

    /C.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes. See above when I tested with Sandboxie. Malware was unable to infect either the real c: drive or the e: drive. Its presence could only be seen looking at the c: drive in the sandbox. Even after rebooting it was contained in the sandbox, and gone when the sandbox was deleted. So in Erik's case, even if he left the sandbox alone and rebooted, the reboot would clean out the sandbox with FDISR and the system is clean.

    Pete
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Concerning PC Security for a moment. I'm not as quick to panic and discount PC Security, just like the KillDisk trojan test from a few months back.

    Was the test virus that compromised PC Security's LOCK of a common type, or similar in nature to KillDisk? Because unless you really go looking for trouble in dark areas of the web, or else locally test POCs and other various viruses, a user surely takes into account that they wouldn't chance damaging their DATA partition anyway, and of course would first disconnect it manually before doing some research like this, unless, like Peter2150, you're trying to break into a LOCK program deliberately to test the RAW protection capabilities of the app alone.

    I guess what I'm getting at here is that since I already team up PC Security with the likes of SandboxIE and my HIPS or AE, I've got a front line already ahead of any tampering with PC Security, and my DATA partition being "Hid * Locked" is completely safe IMHO. At the very least from any in-the-wild viruses/malware/rootkits, which require an executable to fire anyway.

    So in answer to Erik's disappointment with PC Security, I'd just like to add for the record: PC Security in and of itself, like any other security program, is never intended to serve as your ONLY means of protection. I will continue to enjoy the additional benefits of PC Security, and it is my belief anyone else can too, so long as you are implementing the classic layered approach.

    How this all plays into my FREEZE snapshot is anybody's guess though, since I just created one yesterday. Before now I simply haven't seen the need to delay my system boot up while it Copy/Updates the FROZEN snapshot from whatever wrote to it during use. I always depended on Power Shadow/Returnil for a simple and quick Boot-To-Restore! But keep in mind I've been using SandboxIE exclusively for months now, and it's that extra advantage with it that keeps everything else reasonably isolated from ANY infections.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easter, you have to put it into the context of the what and why. First, I discount anything that requires disconnecting this or that. I can use an external drive and turn it off. But it's the 2nd internal drive, and what Erik was concerned with was: okay, FDISR takes care of my primary drive, but what about my secondary? Take the case of either a drive-by download, or simply the case of a piece of software I've been told was safe, but which might not be. The C: drive is fine: if, as it installs, you have a reason to be suspicious of what is going on, reboot and the frozen snapshot takes care of it. But what about your 2nd internal drive? Erik was hoping PC Security would protect it, and it didn't. Granted, it probably wasn't intended to in the first place, but it doesn't matter. It didn't do the job Erik wanted.

    Pete
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That's a point from one opinion, but IMO that's not sufficient reason alone to simply discount a very useful program that indeed does protect my DATA partition, just because of "one" test with a single piece of malware deliberately implemented to compromise the software's function and show it was easily penetrated.
    Like you suggest yourself, and I repeat again, ALONE, any software, no matter what, can be penetrated/compromised. Eventually we'll see this with SandboxIE too, although I hope not anytime soon, but it's inevitable because ANY software will always have some weakness someplace because of its very makeup, which is machine code.

    I just feel it's not fair to bash off and discount such a program based on such a test aimed at it alone. Although it does open ground for some concern, it's no real limitation unless a user depends on it as a sole means of protection. The odds are just too much higher in favor of its usefulness than against it, and especially when combined with the technologically advanced security programs we enjoy today in the form of sandboxes, virtualizations, ISRs, HIPS, etc.
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The 'walls (GW and DW) are policy-based sandboxes. This means that they don't create a virtual container where all disk-related operations done by sandboxed apps are redirected.
    To the untrained eye, this may look like a vulnerability, since malware files are saved to the real disk, although they can't do anything.
    Erik,
    You were advised to do this (control access permissions through your sandbox) some months ago :cool:
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easter, you are trying to kick a dead horse. PC Security is great at what it was intended for, no doubt. But for Erik's approach, he tried using it for something it really wasn't intended for, and it didn't work. Point is, if someone was looking for a piece of software, JUST, to do what Erik wanted, then PC Security isn't it. Plain and simple. Bear in mind this thread is about a very specific scenario, and how software fits that scenario. Not generalizations about the software.

    Pete
     
    Last edited: Dec 1, 2007
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Did one additional test today. Tested Drive Sentry. Bizarre results. They now have built-in AV protection. I installed it, set it up, and had it protect the E:\ drive. Everything seemed to be working; it would alert when it seemed appropriate.

    Then I started the virus install. It immediately recognized it as a virus, but allowed me to ignore or quarantine. I also was getting the usual pop-ups from OA and SSM, and was allowing them while again taking note of the actions reported.

    Now here's the weird part. Early in the virus install it makes a registry modification disabling Task Manager. It properly popped up with a virus alert, again giving me the Ignore and Quarantine option. I did nothing with it, but kept answering the pop-ups from OA and SSM until they indicated the installation was done. With the pop-up still there from Drive Sentry, I checked the e: drive and it was infected. A failure I guess.

    Will report this on their forum.

    As a further note: I will have a test key for DefenseWall Monday. I am betting it will pass. Will keep you all posted.

    Pete
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    PC Security failed badly against a malware. Eric was using it to protect himself against exactly the same type of malware (multi-partition/multi-drive malware). That's enough to discard it.
     
  19. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Good to hear! Since I'm not using a VM myself, these virus tests have been very interesting to follow. But isn't there any risk of your samples compromising the host OS? I'm wondering because I would like to do some experimental testing myself, but hesitate because of the risk.

    /C.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    When I fool with this stuff, I also have the host, running ShadowDefender with both drives protected. Just in case. Also images, FDISR, etc.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have still to hear of a malware breaking out of a VM.
     
  22. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Just in case, I think I will dedicate a separate machine for these activities...;)

    /C.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, couldn't resist putting GesWall to the same test.

    Got it installed and set up. Did see any special settings that might have mattered. Disabled AV and SSM and OA. Already knew what they would do; I just wanted to observe GesWall.

    1st Test. Ran into a major problem. ME. I just double clicked on the virus. Of course it just ran, and infected the VM. Duh. Rolled back the VM, and got to do it all over.

    2nd Test. Finally did it right. Right clicked on the virus, and ran it isolated. GesWall did its job. Virus files were installed, but marked isolated. Task Manager still worked properly, as did regedit. Rebooted and no evidence of the virus being present. Great.

    3rd Test. Then I got curious. I have these files on both disks, isolated. In the ErikA case, the c: drive would be cleaned up. But what would happen if I uninstalled GesWall? So I did. I was sort of hoping it would remove all the files it had isolated, but it didn't. Rebooted, and clearly no problem with the virus, but still it bothers me that those files are left.

    Pete
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks for the test, Peter. Sandboxes are very powerful.
    This is why it's better to recommend Sandboxie to novices. If you don't know what you are doing, you can mess things up with DW and GW (more so with GW, because it lacks the rollback option of DW). The upside of policy sandboxes is better performance (since there aren't any disk redirections) and somewhat better protection against user-mode keyloggers. Convenience vs speed ;)
    However, in a real world scenario, the virus file would come through isolated applications (mail client, web browser), so the chances of shoot-in-the-foot errors are far fewer.
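The two sandbox designs contrasted in posts 15 and 24, and the behaviour Peter saw in his GesWall tests (post 23), can be modelled in a few lines. The following is an added illustration, not code from any of the products named in this thread: a container design redirects every sandboxed write into a box directory, so deleting the box is the rollback; a policy design lets files reach the real disk but tags them isolated and denies isolated code access to protected resources, so uninstalling the engine drops the tags and leaves the files behind. The "dropper" and the paths it touches are constructed for the demo.

```python
import pathlib
import shutil
import tempfile

class ContainerSandbox:
    """Container design (Sandboxie-style): sandboxed writes are redirected into the box."""
    def __init__(self, real_root, box_root):
        self.real, self.box = pathlib.Path(real_root), pathlib.Path(box_root)
    def write(self, rel, data):
        p = self.box / rel                      # redirected copy; the real file is untouched
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(data)
    def read(self, rel):
        shadow = self.box / rel                 # the boxed view sees its own copy first
        return (shadow if shadow.exists() else self.real / rel).read_text()
    def delete_box(self):
        shutil.rmtree(self.box, ignore_errors=True)   # deleting the box is the rollback

class PolicySandbox:
    """Policy design (GesWall/DefenseWall-style): files reach the real disk but are tagged isolated."""
    def __init__(self, real_root, protected):
        self.real, self.protected, self.isolated = pathlib.Path(real_root), set(protected), set()
    def write(self, rel, data, isolated=True):
        if isolated and rel in self.protected:
            return False                        # isolated code is denied protected resources
        p = self.real / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(data)
        if isolated:
            self.isolated.add(rel)
        return True
    def uninstall(self):
        left, self.isolated = sorted(self.isolated), set()   # tags go, files stay on disk
        return left

def run_scenario():
    """Constructed dropper: writes virus.exe and tries to overwrite taskmgr.exe under each design."""
    root = pathlib.Path(tempfile.mkdtemp())
    real, box = root / "real", root / "box"
    (real / "Windows").mkdir(parents=True)
    (real / "Windows/taskmgr.exe").write_text("ok")
    cs = ContainerSandbox(real, box)
    cs.write("Windows/virus.exe", "bad")
    cs.write("Windows/taskmgr.exe", "disabled")
    seen_in_box = cs.read("Windows/taskmgr.exe")   # only the boxed view shows the change
    cs.delete_box()
    container_clean = (not (real / "Windows/virus.exe").exists()
                       and (real / "Windows/taskmgr.exe").read_text() == "ok")
    ps = PolicySandbox(real, protected={"Windows/taskmgr.exe"})
    dropped = ps.write("Windows/virus.exe", "bad")
    blocked = not ps.write("Windows/taskmgr.exe", "disabled")
    leftovers = ps.uninstall()
    shutil.rmtree(root)
    return {"seen_in_box": seen_in_box, "container_real_clean": container_clean,
            "policy_dropped": dropped, "policy_blocked": blocked, "leftovers": leftovers}
```

Running `run_scenario()` reproduces the thread's observations: the boxed view shows the tampered file while the real disk stays clean and nothing survives deleting the box, whereas under the policy design the dropped file lands on the real disk, the protected write is refused, and the file is still there after the engine is removed.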
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's right, and Peter said the same thing. I thought that locking wouldn't allow any writing on my second hard disk [D:].
    I never expected that PC Security would fail to do this, and Peter proved it wasn't true. I used PC Security because that was enough in theory, instead of using Sandboxie.

    After all, locking is a SIMPLE thing to do, while all security software is complex, and that means more bugs, more failures.
    My idea was good enough; the security software failed and proved AGAIN that security software can't be trusted.
    That's why I've spent so much attention and time on RECOVERY, not security, and I keep my frozen snapshot in case Sandboxie fails, and because my frozen snapshot does a lot more than just removing malware during reboot.
    I don't see a frozen snapshot as perfect, because removing malware during reboot is TOO LATE in theory, and that's why I still have security software on board that acts IMMEDIATELY to stop the execution, and that is an indirect protection of my data partition [D:] as well.

    To me nothing really changed. I trusted PC Security and now I have to trust Sandboxie. I don't see any difference. The only reason why I changed from one software to another is that Peter proved that PC Security couldn't do the job. If Peter's test had proved that PC Security was completely safe, I would still be using PC Security.

    For the record: I'm not blaming anybody that PC Security failed, except the developer. I'm an adult, not a kid, and when I decide to install a software, I'm the one and only one who is responsible. I made a big mistake, and it won't be the last one, and I have no problem with admitting a mistake and correcting that mistake. I installed Sandboxie immediately after Peter's test, because I couldn't trust PC Security anymore. I'm lazy, but I'm also a man of immediate action, if necessary.

    I also uninstalled DefenseWall to avoid conflicts between DefenseWall and Sandboxie.
    The question is: is DefenseWall as good as Sandboxie, or better than Sandboxie? And I'm not talking about the fact that DefenseWall is quiet and doesn't show as much as Sandboxie.
    Keep in mind that DefenseWall is also able to protect my data partition [D:], but I found locking a better idea in those days.
     