Using Sandbox Apps: a Smart Defense Strategy?

Discussion in 'sandboxing & virtualization' started by Perman, Sep 5, 2006.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I referenced the relevant threads here recently.

    Blue
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    There's a difference between rollback software like DeepFreeze/Shadow User/Drive Vaccine and HIPS products which use sandboxing and virtualization technology.
    Rollback software protects the hard drive from writing, and everything written during the session vanishes after a reboot.
    HIPS products based on sandboxing/virtualization protect only programs, and then the system (depends on products and configuration).
    Both can be combined for an extra level of defense.

    Rollback software just keeps the hard drive "clean" by preventing any infection (registry or file creation) from being permanent.
    But the user is still vulnerable to many attacks: phishing, bank ID theft via malicious code inserted in a legitimate web page, data theft, rootkit installation stored on external devices, sniffing of confidential data, exploits, etc.
    There's always a limit for each kind of security software.

    Regarding DeepFreeze/ShadowUser/Drive Vaccine, their protection can be easily disabled.
    If someone has physical access to the computer, he can for instance boot from a CD-ROM and remove the driver (PersiO.sys for DF for instance), go into the BIOS and change only one parameter, play with debuggers etc.
    A guy from Argentina has also released a specific tool for those who have difficulties in uninstalling DeepFreeze:
    http://usuarios.arnet.com.ar/fliamaconato/pages/emain.html

    An interesting rollback software is CenturionGuard, which is combined with a hardware device to mitigate the risk of deactivation: http://www.centuriontech.com/products/hardware/

    @TNT: it does not matter if you have the same signature as mine.
    But since this sentence is not yours, it seems necessary to "give to Caesar what belongs to Caesar" (Bruce Schneier).

    Regards
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, I actually had not noticed that.
    Yeah, I thought most people knew it was Bruce Schneier's. I certainly was not trying to pass it off as mine at all. Anyway, since I don't want to have the same signature as somebody else on the board, I will change it. Just the time to think about what to put in there.
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I really have no clue about why a router would have anything to do with protecting an application from being 'hacked'.

    The kind of protection you get from a router is the same you get from a firewall. It's a given that a 'hacker' needs access to the system already to even try to bypass DeepFreeze or ShadowUser. You're talking about totally different things here.

    What you're saying here is comparable to saying that a strong front door prevents a vault from being broken into: no. If you prevent anybody from getting in the house at all, of course you won't have to worry about even having a vault. If you let people get in, the front door won't protect your vulnerable vault at all.

    So a router will protect your system, yes, but it certainly won't make the protection of DeepFreeze or ShadowUser against being 'hacked' any stronger.
     
    Last edited: Sep 10, 2006
  5. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    So basically it comes down to having physical access; in other words these programs, originally written for public use, turn out to be very safe for private use. But let's face it, any cracker with physical access to a computer can do just about anything, time allowing.

    My computer is really personal so apart from physical theft there isn't much to worry about if you have a layered defence along with SU or DF.
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: So basically what you have said is this: keep your PC very private, then it is safe with DF or SU? I do have a question to ask. I have an AS claiming it can detect any malware at kernel level. And I also notice that any def updates performed in DF's frozen stage surprisingly remain after reboot. Does this suggest that this AS in question can really bypass DF's protection? What if this AS app gets a jolt from a bad thing, then I probably can say bye-bye to my PC?
     
  7. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Thanks, Blue Zannetti.

    TNT, you said:

    Don't you think you're making a contradictory mess here?
    Anyhow, all relevant things have been said in this thread, some unknown to me, many very interesting ones, and I told you how I view the matter and you keep coming back without considering what I implied and what others revealed, so I see no point going any further about this particular matter between you and me.
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No, actually I think you are, and I clearly pointed out why. You keep insisting on proving a ridiculous point by mangling parts of what I said.

    You still don't seem to understand that Deep Freeze and ShadowUser are not network-related applications, and therefore it's irrelevant to consider network protection as part of the defense to protect them: you need to have already access to the system to even try to hack them.

    If you can't bypass the "router protection", you can't even get into the system, no matter whether you have DF/SU or not: their presence in this case is absolutely irrelevant. Hell, you could have the most bugged and easily exploitable non-networked program ever but if you don't have access to the system (remote or local), you won't be able to exploit it; if you bypass the router's protection and gain access to the system, the router's presence is irrelevant to determine whether you are able to hack the program or not: the router certainly won't have rules that determine what kind of actions you're doing.

    If you still don't understand this, it's only your problem. :thumbd:
     
    Last edited: Sep 11, 2006
  9. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    I didn't 'mangle' anything.
    I never considered ShadowUser as part of a network-related application.
    Anyone can find this out by reading these posts.

    You see, you're crying out the very same thing I said in the first post.
    Now, I don't know why you picked me for this logorrheic show, but I won't follow you anymore, no time to lose.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    Let's keep the discussion focused on the messages, not the messengers, and please bear in mind that English is a second or higher language for many.

    A router protects you from unsolicited exploitation and pushes some of the screening load off your PC. In principle, the protection could include applications as well as the OS, but as a pragmatic matter is distinct from the function of programs such as SU, DF, and so on. The key thing to keep in mind is the unsolicited qualifier. If you allow malware to execute on your machine, and it starts to communicate with the outside world and upload/execute content, a router will view this as valid communication initiated from the LAN side.

    Blue
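    The "unsolicited" qualifier Blue describes, as an added toy model that is not code from the thread or from any router vendor: a stateful filter only tracks flows the LAN side opened and admits inbound packets that belong to one, so an exploit attempt from outside is dropped while malware already running on the PC gets the same treatment as a browser. The LAN prefix and the internet addresses are constructed documentation-range values.

```python
# Added example: toy stateful NAT/firewall as found on a home router.
# It cannot tell a user-initiated connection from a malware-initiated one;
# it only knows which side opened the flow.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulRouter:
    lan_prefix: str = "192.168.1."             # constructed private LAN
    table: set = field(default_factory=set)    # tracked (src, sport, dst, dport) flows

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.is_lan(pkt.src):
            # Outbound: recorded and allowed, whoever on the PC sent it.
            self.table.add(key)
            return "ALLOW (LAN-initiated)"
        if reverse in self.table:
            # Inbound reply to a flow the LAN side opened.
            return "ALLOW (reply to tracked flow)"
        return "DROP (unsolicited inbound)"


def run_scenario() -> list:
    """Three packets: an unsolicited probe, a phone-home, and its reply."""
    r = StatefulRouter()
    probe = Packet("203.0.113.9", 40000, "192.168.1.10", 445)     # constructed
    phone_home = Packet("192.168.1.10", 51000, "203.0.113.9", 443)
    reply = Packet("203.0.113.9", 443, "192.168.1.10", 51000)
    return [r.filter(probe), r.filter(phone_home), r.filter(reply)]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The same reply packet is dropped or allowed depending only on whether the LAN side spoke first, which is exactly why the router's presence says nothing about whether a program already on the PC can be tampered with.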
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Great. :thumb: I have no time to lose on inane discussions either.
     
  12. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Great, indeed.

    Blue Zannetti, my first post, right after Ilya Rabinovitch's one, went like this:

    Ilya, who is a REAL expert to whom I always have to give credit, replied:


    You wrote:
    All very true and I agree; that's why I mentioned Jetico to take care of the applications and some other program to harden the OS, like those recommended on the Firewallleaktester site.

    Most true again; that's why I mentioned BOClean as the main malware stopper along with an antivirus, but of course it would be desirable to add and run (I do) a specialised anti-rootkit program, even if BOClean can take care of those, too.

    What I mean, Blue Zannetti, is that if 'any software can be bypassed by a hacker',
    WHY put an emphasis on Shadow User/Deep Freeze, which never pretended to
    protect from hackers in the first place BUT only from malware and/or irreparable mistakes made by the user?
    Isn't this a notable step forward towards helping security?
    As I tried to imply in my first post, it is the network-oriented programs that are capable of giving some reassurance against intrusions of various kinds, but as Kareldjag (also great in security matters) mentioned,
    I think that if you add 'rollback' software like Shadow User to either System Safety Monitor/Antihook or DefenseWall (and you run a router) you're reasonably safe.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    One concern in this thread is that Shadow User and Deep Freeze can be by-passed:

    I think you are referring to the fact that at this time, Unfreezer has not been updated, so that it will not work on Deep Freeze V.6.

    and:

    Like Unfreezer, this method requires the perpetrator to gain physical access to your computer.

    Ilya Rabinovich is referring to actual code which, when executed, can disable these programs:

    Before writing off these security programs, I would ask myself, how could such code execute itself? That is to say, how would this code get installed on my computer in the first place in order to be able to execute?

    It reminds me of the so-called firewall leak tests, which, in many people's minds, rendered obsolete many firewalls. When I attempted to run the tests, they were blocked from executing, so they ceased to be of any concern to me.

    Any software can be bypassed; you can sit at the drawing board and devise code which, when executed, can disable much security protection.

    Rather than fear such stuff, I would ask, are you protected from intrusion by malware which could execute such code? Hopefully, the answer is yes, so that you wouldn't worry about what such code can do.

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     