Virtualization/Rollback software test

Buster_BSA
could you please test the updated version of Time Freeze?

http://www.disk-utilities.com/time-freeze/

 

in the virtualization/rollback software industry, paid products conquers, no?

 

The free version of Returnil is very good.

 

Does it take a snapshot of the system for me to rollback manually or it just drop any changes at reboot?

 

Drop changes @ reboot.

 

Thanks Rmus I remembered this and was busy looking back then you made this post and saved me some time.

Also if I remember right, mj0011 was busy in a lot of PoC's at the time (and makes for some interesting reading) until she went on to work at 360.

 

What's so astonishing? Grant system level access to a malicious process and malicious mischief happens. Is that a surprise?

Should vendors be circumspect with regards to their performance claims? Of course. Claims of absolute protection when running with Admin level access are bound to eventually run into a brick wall. Users should be apprised when that happens (and kudos to all here that are facilitating that process), but panicked surprise at this turn of events is being overly dramatic.

I agree that vendors need to address shortfalls with speed and transparency, and that appears to be lacking in some quarters in this regard. However, the existence of a potential vulnerability does not rubbish make. It simply reinforces a message that is rather prominent here and elsewhere. Let me reinforce it specifically as it appears here:

The simple fact of the matter is that routinely running as an Admin level user is insane.

That seems pretty clear and unambiguous. Is running LUA an invulnerable panacea? No, and that detail has also been discussed extensively throughout the site. However, while LUA (and SRP) is not a complete solution, the road to protection is enhanced and a path to recovery (if needed) is facilitated. Unfortunately (and this is the major problem with the Windows OS ecosystem), LUA is not the default type of account and it will never gain extensive utilization until that changes.

What exactly do you want that isn't already easily available? Look, most people do not run their lives and plan their days around dealing with each and every potential vulnerability known to man. If they did, everyone would be walking around in bulletproof and fireproofed Kevlar encased Faraday cages - of course, that creates additional issues and we'd all need a Segway as well. And a parachute. And so on.... Let's return to reality and some levelheaded analysis.

If the advice provided in Securing Your PC and Data is followed, does this vulnerability work?

If you want a specific configuration - use mine: XP Pro, LUA/SuRun/SRP (basic)/Returnil Home Lux (drop all changes, antiexecute set to "Trust programs from real disk only" during virtualization, embedded AV disabled, System Safe enabled as needed).

Blue

 

Blue, I think you're missing the point.

A vendor is claiming that you are completely safe using their app regardless of admin/lua account.

As for your recommended setup, not for me thanks.

 

and I explicitly note that:

If you read Faronics documentation (at least the docs I have read), they don't make that explicit claim. The detail is left unsaid, so I agree that it's a reasonable inference for a casual user to make and additional guidance should be provided to users.

However, I do believe a lot of these doomsday threads overstate the situation in that they appear to be working from the implicit assumption that there is a single magic bullet that will cure all your current and future security ills. Yes - the vendor literature tends to propagate that type of view, but it's simply not realistic.

I realize it's not for everyone. Heck - some days it's probably not me either, but it's the one I've had for a couple of years now. However, that's not the issue - the issue is whether this particular vulnerability gets through the specific implementation of a light virtualization solution that I practice. If it doesn't, I'd say that the broad brush claiming rubbish needs at least some qualification. By the same token, if all the statements made in this and related threads regarding Deep Freeze are correct (and I have no reason to doubt their correctness), you'll get no argument from me that Faronics dropped the ball.

The subject of this thread is valuable information, however a broad brush that paints this category of approach as "rubbish" misses the mark. To me, it's no different than when people seemingly confuse a "transient inconvenience" with "ruining my life". It's all too easy to engage in purely hyperbolic characterization on the Internet. There's certainly a hint of that in this generally useful discussion.

Blue

 

Hard to disagree with that.

The manufacturers of rollback/light virtualization software have made far too strong marketing statements about the performance of their products (Faronics being a good example here), but then that is standard practice in the security industry - most companies in the security business make at worst outrageous and at the very least vague promises about the performance of their products. And honestly speaking, it's not that easy to code rollback software that can prevent a user with full admin privileges on the system from messing up the rollback and "permanently" changing the system.

 

Okay, I haven't read all this thread yet. Been busy and haven't had time to keep up with all the forums on which I hang out.

This thread caught my eye. I've read a couple of pages back.

I haven't seen Bufferzone mentioned. Is BZ vulnerable, like all the others?

 

@Hugger et al

ProcessGuard is what i use,



and it's still available. If you want it PM me



If anybody's wondering what antiboot.exe is

antiboot.exe

http://support.kaspersky.com/viruses/solutions?page=1&print=true&qid=208280748

Just ran it out of curiosity, NO nasty found

 

Yes, the fact that system level is accessed at all, by whatever/however when "supposedly" it's isolated !

As i asked Coldmoon in Post 55, and still waiting for his replies

System level is not supposed to be accessed, as it's supposed to be isolated, isn't it

*

For the record, i Really liked Returnil when i had it installed. But had to uninstall it due to problems with System Restore as noted and acknowledged in the RVS threads. I have high hopes for the next release though

 

Sure, no problem.

I will test 2.0.0 version and also Power Shadow due a request from a user.

 

Great review!

If possible,maybe a test of HDGuard would be nice......

 

BlueZannetti: I can not agree with you.

Products like Deep Freeze or Returnil are being advertised as "indestructible" and "never affected by viruses, Trojans, malware and other malicious threats".

That´s directly a lie and do you know the best part? They know it´s a lie!

I´m sure that if you stop people in the middle of the street until you find someone using Returnil, Deep Freeze, Rollback Rx, Comodo Time Machine, etc and you ask him: do you feel completely protected with the software? Are you sure your software will stop everything? he/she will reply "yes" to both questions.

What kind of security company let their users to believe they are secure when they are not?

If that´s not a dramatic security situation I don´t know what´s it.

Maybe because you are an advanced computer user you believe rest of people are too and that´s not true. A lot of people all around the world use the computer as they got it when they bought it.

Tell me: How many computer manufacturers release the OS configured to be used in LUA?

How many computer stores give the computers with Windows configured to be used in LUA?

 

In my experience, just about any and every security company, or at least their marketing departments. Sure, if you speak to the actual coders and such, they may openly admit their product provides nowhere near 99 % (I won't even bother with 100 %) security, but the marketing speak tends to make either very big or very vague promises towards the "complete protection" direction. As with everything, there are some exceptions, but they're definitely in the minority. I certainly do agree with you that such misleading and outright dishonest marketing statements are wrong, but I'd also say they're "business as usual".

 

I'd never heard of HDGuard before, thanks

Hang on, what's this ?



http://www.hdguard.com/en/hdguard/description/34-hardware-software-comparative.html

There it is in plain view, claiming 100% Maybe it is ? we'll soon find out when tested

 

Compare any claim from a security company with this one:

"never affected by viruses, Trojans, malware and other malicious threats"

and you will see that there is a big difference.

"never affected by viruses, Trojans, malware and other malicious threats" is like the old "100% virus detection".

Do you know what happened to the companies that were using that in their publicity? They had to discontinue using that.

 

I stumbled upon it a few months ago,when I was searching for virtualization software that can keep changes after a reboot.....it's pretty useful for software testing/trying in real enviroments,instead of virtual machines......

 

HDGuard 8 included in the list of tested software.

 

Added Wondershare Time Freeze 2.0.0 results.

 

You have the question answered in the first post. ;-)

btw... hardware solutions also use software, so I´m not sure if they are safe or unsafe.

I never met anyone having one rollback hardware card.

Years ago I was considering buying one myself but I thought that software based solutions were as safe as hardware´s based ones.

 

I know a computer that uses hardware solution(not my computer though my university's , I'll try to access it and take a experiment.

and plus we can make technical benchmarks for continuous checking. like matousec does in HIPS.

 

We should use other tools to verify things. Take a look at this problem here for example.

I use WinDbg, WinHex, cff explorer, soft ice/driver studio - that sort of thing.