Virtualization question.

Discussion in 'sandboxing & virtualization' started by ErikAlbert, May 12, 2007.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    :ouch: Read the pdf!
    Containing malware is a side effect, because of how it operates. Still, how do you figure "they didn't succeed in doing this"?
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Wrong. Like I said, virtualization was never designed as an anti-malware tool to begin with. Its creators never said, "Oh, let's invent a new way to safely stop viruses and malware." It was created so that users could have an isolated environment to test and experiment around with, without leaving any permanent effects on the host system. This is useful in a number of ways, and a side-effect of the functions of virtualization was that users could execute malware inside this isolated environment without harming the host system.

    So as you can see, your principle of virtualization is dead wrong. The whole concept of it is not as simple as trapping malware.
     
  3. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Hi ErikAlbert,

    I didn't know what VM was really about, until I read/listened to these Steve Gibson articles (quite verbose, but rather entertaining):
    Ep 50: Virtual Machine History & Technology
    Ep 53: VMWare

    http://www.grc.com/SecurityNow.htm
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is very clear to me now. In other words, software like Sandboxie and PowerShadow doesn't belong in the Anti-Malware forum. I mentioned this several times already, but most members seem to consider them anti-malware.
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I sensed that question would pop:
    While we were talking about VMware-type virtualisation, we were not talking about sandboxes that use a form of file system virtualization (something along those lines).

    SandboxIE is a security program, just that it is not the answer for everything.
    And at what it does, I still have to hear anyone reference malware that evades SandboxIE, i.e., installs itself on your system through it.

    Same goes for VMware. Concepts exist, but I didn't read anyone say here's trojan_killer_rootkit_bufferoverflow_app.exe that really does evade VMware.
     
  6. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    ErikAlbert,

    I realized your opening post is actually about Sandboxie & PowerShadow virtualization, though discussion steered to VM on Page 4.

    I should have included "Ep 55: Application Sandboxes" in my post above, sorry.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    It was in fact about all virtualization software. I just wanted to know how good they are. The bottom line is that I don't really need them.
    Keeping your hard disk UNCHANGED has nothing to do with security IMO.
    FDISR isn't security software either, although it also keeps my hard disk unchanged.
    Keeping your hard disk unchanged is a form of recovery, nothing more than that, and recovery isn't security.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    FDISR does allow changes. You revert them, yes. I give up. :p
     
  9. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Well, if my parents had to surf the net using IE on their PC, then Sandboxie would actually help keep out some nasties. So in that respect it would be considered anti-malware.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Restoring an IMAGE is also reverting changes, but Image Backup isn't security either. I would also use Image Backup on a computer without internet.
    You are confusing security with recovery.
    If a burglar breaks my window that has something to do with security.
    If I replace the broken window with a new one, that is called recovery.
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Nope, you are. FDISR reverts changes, SandboxIE prevents them.

    Still possible that some things occur, sure. But they are reduced to fewer possibilities. Rootkits for one are not possible.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Sandboxie isolates the nasties, that's not the problem.
    Can the nasties do their evil job? That's the question.
    Installation of malware is harmless and only increases the volume on your hard disk; the execution of malware is the real problem, which needs to be stopped.
     
  13. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Let's say during 1 session of surfing the net, the sandboxed IE homepage gets hijacked, some bad registry entries get added etc (I really don't know how malware & sandboxie interact, what's possible or not in that respect).

    So everything's back to normal after flushing the sandbox, would sandboxie be considered anti-malware? Since their "evil job" here only lasted 1 session.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Everything is back to normal, which means that the malware was able to do its evil job, but Sandboxie RECOVERED the situation. That's not security, that is recovery.

    What happens when malware is sandboxed and the malware is supposed to steal private info?
    Will Sandboxie allow this or not? That's the crucial question. If Sandboxie allows it, the harm is done and you can't revert that.
     
  15. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Sure it is security if running that malware inside Sandboxie prevents it from wiping out your hard disk contents. What you are talking about is, in my opinion, more of a privacy protection. The terminology and what it means to anyone of course varies from person to person.
     
  16. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    But for that example, IE homepage was hijacked but then it's not. So from my parents' POV it's not hijacked.

    Actually I totally understand your stance (recovery vs security). But the privacy bit, I'm not too sure if Sandboxie actually prevents access to them.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually Erik, that is quite true. If you look at VMware's website, very little is said about malware compared to the many other applications. Most of the software you have tried was probably developed and tested on a VM machine. It for example allows a developer to test a new driver, and if it crashes the machine, it doesn't prevent them from doing other things on the host. Lots of applications.

    Pete
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Ask Tzuk, the developer of Sandboxie. If he doesn't know, nobody knows.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Peter, I'm only trying to find out what virtualization software is worth by asking questions. IMO they don't stop the execution of malware at all, they only REMOVE it. That's recovery, not security. :)
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You need to differentiate technical data from marketing data. According to the marketing data from AV vendors, you shouldn't need more than an AV and a firewall to be hack-proof/malware-proof.

    In simple terms:
    - If the virtualization solution allows everything inside it, things don't get broken. Extreme case: VMware/VirtualBox. They're so flexible that they allow an OS to be installed.
    - If the virtualization solution doesn't allow everything, things start to break. You can't install an app which requires kernel drivers/services inside Sandboxie.

    If the guest is completely separated from the host, the virtualization solution is perfect. That's why no known malware can do any harm if it's executed inside Sandboxie (although I prefer GeSWall).
    But malware can have access to data inside the sandbox (i.e. the browser cache, cookies), so you're still exposed to identity fraud.
    The answer:
     
    Last edited: May 14, 2007
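The point the thread circles around (Pedro's "FDISR reverts changes, SandboxIE prevents them", yeow's hijacked-homepage session, and lucas1985's warning that malware can still read cookies and cache inside the sandbox) can be shown with a small model. The code below is an added example written for this page, not Sandboxie's or any other product's implementation: a constructed copy-on-write file view in which reads fall through to the host, writes are redirected into a sandbox directory, and "emptying the sandbox" deletes only the redirected copies. The file names (`homepage.cfg`, `cookies.txt`) and their contents are constructed sample data.

```python
import os
import shutil
import tempfile


class ShadowFS:
    """Constructed toy model of file-system virtualization.

    Reads of a path fall through to the host unless the sandbox already holds
    its own copy; every write is redirected into the sandbox directory and the
    host file is never touched. flush() discards the sandbox copies, which is
    the "empty the sandbox" step discussed in the thread.
    """

    def __init__(self, host_root, sandbox_root):
        self.host_root = host_root
        self.sandbox_root = sandbox_root

    def _host(self, rel):
        return os.path.join(self.host_root, rel)

    def _shadow(self, rel):
        return os.path.join(self.sandbox_root, rel)

    def read(self, rel):
        # The sandboxed program sees its own modifications first, then the
        # host's unchanged files. Nothing here hides host data from it.
        for path in (self._shadow(rel), self._host(rel)):
            if os.path.exists(path):
                with open(path, "r", encoding="utf-8") as f:
                    return f.read()
        raise FileNotFoundError(rel)

    def write(self, rel, data):
        # Redirect the write: the host copy is never opened for writing.
        path = self._shadow(rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(data)

    def flush(self):
        # Drop every redirected change; the host was never modified anyway.
        shutil.rmtree(self.sandbox_root)
        os.makedirs(self.sandbox_root)


def run_demo():
    """Run one 'browsing session' against the toy sandbox and report what it
    did and did not protect. Returns a dict so the outcome can be checked."""
    root = tempfile.mkdtemp()
    try:
        host = os.path.join(root, "host")
        box = os.path.join(root, "sandbox")
        os.makedirs(host)
        os.makedirs(box)
        # Constructed sample host files: a browser setting and some private data.
        with open(os.path.join(host, "homepage.cfg"), "w", encoding="utf-8") as f:
            f.write("http://start.example/")
        with open(os.path.join(host, "cookies.txt"), "w", encoding="utf-8") as f:
            f.write("session=SECRET-TOKEN")

        fs = ShadowFS(host, box)

        # 1. A homepage change made inside the sandbox alters the sandboxed view...
        fs.write("homepage.cfg", "http://hijacked.example/")
        sandboxed_view = fs.read("homepage.cfg")
        # ...but the host file is untouched: the change was prevented, not reverted.
        with open(os.path.join(host, "homepage.cfg"), encoding="utf-8") as f:
            host_view = f.read()

        # 2. Reading private data from inside the sandbox is not blocked at all.
        readable_inside = fs.read("cookies.txt")

        # 3. Emptying the sandbox discards the redirected change.
        fs.flush()
        after_flush = fs.read("homepage.cfg")

        return {
            "sandboxed_view": sandboxed_view,
            "host_view": host_view,
            "readable_inside": readable_inside,
            "after_flush": after_flush,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model makes both halves of the argument concrete: `host_view` never changes, so write containment is prevention rather than recovery, while `readable_inside` shows that containment of writes says nothing about reads of data the sandboxed program can already see, which is the identity-fraud exposure lucas1985 describes.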
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Lucas,
    In other words, if I don't encrypt my private data, Sandboxie will allow malware to steal it.
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    The "paper metaphor" from the Sandboxie FAQ:
    And regarding keyloggers:
    Sandboxie FAQ
     
  24. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    You may find this Hard Disk Encryption Revisited article about TrueCrypt interesting.
    Mike
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Terrific solution for housewives. :rolleyes:
     