Virtualization/Rollback software test

Oh I'm sorry about that I haven't a clue as to how this feature works tbh. I am/was interested in how cleanslate fairs in a variety of tests becuase I was considering it as a legitimate replacement for SD if its abadoned. But I guess Ill stick with shadowdefnder for some time now

 

Same here -- I and others discovered this issue several years ago.

Here is some background information which you might find useful:

In June, 2008, Wilders member QQ2595 from China posted here about the cs.exe malware as being similar to the Robot Dog malware:

https://www.wilderssecurity.com/showpost.php?p=1260887&postcount=62

https://www.wilderssecurity.com/showpost.php?p=1234098&postcount=24

https://www.wilderssecurity.com/showpost.php?p=1219502&postcount=12

And from the same post, this prophetic statement:

https://www.wilderssecurity.com/showpost.php?p=1167833&postcount=30

[Deep Freeze uses these types of filters]

https://www.wilderssecurity.com/showpost.php?p=1159409&postcount=63

In January, 2008, I became aware of this MBR rootkit:

Master Boot Record rootkit
2008-01-08,
http://isc.sans.edu/diary.html?storyid=3820

I contacted Faronics and was told that they knew about this and it seemed similar to the Robot Dog malware which they had obtained.

I requested to be notified about their test results, but never heard back.

Meanwhile, I began my own research and after perusing some of the developer forums, I concluded that there was no fix for this vulnerability in this type of ISR rollback product. It would have to be redesigned. I also learned that Faronics had known about this since November, 2007.

Evidently Returnil developers felt the same way about ISR as a standalone, and Coldmoon (Mike) of Returnil posted this in June, 2008:

https://www.wilderssecurity.com/showpost.php?p=1260143&postcount=21

In other words, the only protection for this type of ISR is to block the malware from executing in the first place.

I had already been advising people to install Anti-Executable along side with Deep Freeze, and I discovered that many of my friends involved in computer security were also doing similar with different products.

While I was sorry not to have heard anything back from Faronics, I left it as their problem, and I'm disappointed that they have continued to advertise Deep Freeze's robust protection.


----
rich

 

Very interesting, what about LUA, group policies (whitelist, like default-deny SRP), and other built-in system hardening?

Is there anything that can bypass those?

 

You might ask Buster to test in a LUA. My understanding of the malware that writes directly to the disk controller is that it needs Administrator privileges.

See here for the analysis I quote about the TDSS rootkit tricking the user for Administrator privileges:

https://www.wilderssecurity.com/showthread.php?p=1705163#post1705163

----
rich

 

Personally, i'm not in the slightest bit concerned about getting infected, as i have several good quality solutions in place. The main one is NOT electronic/software, but me. I don't allow things i'm not sure about to run. The main reason i would choose VS is for privacy, not security. Meaning, every time i shutdown/reboot, my previous unwanted work/session/s etc are permanently deleted

***************

@Coldmoon

RVS 2010 Home Lux/Classic/Free and RVS 2010 Enterprise Premier/Classic

http://www.returnilvirtualsystem.com/rvs-home-free

So i'm trying to understand how the installation of drivers/anything/everything can happen to the REAL sytem, if it's the Cloned system that stuff is installed etc in ?

TIA

 

So wait, does restoring snapshots or system images wipe these types of viruses??

Does returnil utilize and construct a system image of the underlying OS or does it utilize a buffer area on the dis to save changes?

I think theres a big difference

 

Sorry if this is redundant, I'm really tired, but I read something about anti executable software to be used in conjunction with SD, Deepfreeze etc..
I know of AE. Who else makes anti executable software?
And do I need it if I'm using Sandboxie instead of SD?
Thanks.
Hugger

 

If we can not trust in Kaspersky´s tool and DrWeb CureIt (the tool I use to confirm SafeSys infection), what do you suggest then?

 

Thank you very much for putting all the information together.

I´m astonished! I don´t understand how is possible that information of this importance has been ignored and remained unknown for the big majority for so long.

Obviously, vendors like Faronics contributed to this situation ignoring the problem and acting like if everything was fine. Reading the publicity of the products nobody would think there is a vulnerability/weakness in the software that make them rubbish.

Rmus: I think that users like you, that were aware of the problem, could have done much more to spread the word about the problem. e.g. there should exist a sticky post titled "The truth about virtualization software" where is explained the problem that this kind of software has.

With who should we contact to get it posted?

This problem has been ignored for too long and I think it´s time to address it properly.

Regards.

 

SafeSys is aware of VBOX and partial sandboxes (like sandboxie). it doesn't infect the system if it detects the sandbox.
in under LUA, it removes itself.
i don't know about TDSS but maybe they does, too. (i guess)
VPC works.

we should test these on real machines, not just on the virtual environment.
actually, we can't totally trust the VPC result. we don't have a enough samples, too.
I wish i can contact with virus author


Well, we can contact LV authors again and see if they have a willingness to solve these problem.(or can it be solved)

 

can someone clarify
Seems from this that Shadow Defender is the only roll back program that does not allow the installation of Drivers?

 

SD hooks fsd / classpnp / atapi while others doesn't. maybe that can be the answer.
and it doesn't mean SD prevented driver installation. the risk still exists.
we can safely assume SD just prevented that kind of viruses. maybe other malware can bypass SD.

anyway sandboxie is safer because it doesn't allow driver installation obviously.

 

That´s only a guess. We need a technical explanation of why SD is able to stop these malwares on their tracks.

Sadly SD´s author is MIA.

 

and that makes me so sad. we need him.

 

Not sure if this is the case, on a Win7 real system it behaves the same way.

You are right. I made a test against SD in a real environment yesterday to clarify differences in test results, here's why I'm not sure if your first guess is correct.

And thus we have a question. From one hand SD prevented infection somehow on original XP, but we couldn't test the restore functions. From the other - if system is really infected SD behaves none better then the rest of the tested software.

 

Somehow the system is not infected before rebooting.

We don´t know how SD prevents the infection. I don´t think it´s a specific protection against the malwares we use for testing. I think that because the TDSS sample we use was released after the release of the SD version we are using if I´m not wrong.

We also don´t know if a malware able to bypass that protection would survive after rebooting.

It´s very sad that SD author is not available to give support.

 

but isn't it just a matter of testing to see if we can load drivers with SD?

if SD does allow drivers to load and is able to block the malware then one would think that all the other Roll backs would be able to do the same.

 

That was a good idea.

I did next test:

Installed SD and entered in shadow mode.

Installed Sandboxie (which installs a driver)

Sandboxie works fine. Applications can be sandboxed normally.

So SD does allow drivers to load but it has some kind of mechanism to block the malwares.

This is really interesting. How does SD know when to block a malware and when to allow a legit software?

 

Yea I just tested sandboxie with SD and it does allow drivers.

Maybe SD has just blocked these specific virus samples from loading driver?

 

As I told if I´m not wrong the TDSS variant we are using for testing was released after SD .325 was released. If it´s like that it could not be possible to have a specific detection for that sample. It could be possible that SD has a generic routine to detect TDSS variants.

I would be surprised because many antivirus, like Kaspersky, doesn´t have it. If you read the first post you will see that KAV misses the sample we are using. It´s true that other av vendors detect it generically.

We need the help of someone that knows the product in depth or the author to clarify what´s going on.

 

If you are willing to consider Comodo Firewall, D+ can be configured to function only as an AE with very few alerts by disabling the Sandbox, leaving Image Execution Control enabled, and unchecking all of the Monitoring settings.

If Sandboxie is configured to apply Start/Run and Internet Access restrictions then, for sandboxed applications, Sandboxie provides sufficient protection on its own. If running Sandboxie on a 64-bit platform, the Drop Rights restriction should also be enabled. SD is still useful though for system-wide protection.

 

Wow! is Shadow Defender FREE?

 

and Shadow Defender 1.1.0..326 exists

http://www.shadowdefender.com/download/SD1.1.0.326_Setup.exe
http://www.shadowdefender.com/download/SD1.1.0.326_Setup(x64).exe

 

Nope,one of the best programs a person can use though IMO

Glad I have it

 

The license is lifetime, but future development is at present uncertain; see here: - https://www.wilderssecurity.com/showthread.php?t=275972