Battle of the security programs...who wins?

Discussion in 'sandboxing & virtualization' started by Flexigav, Sep 22, 2012.

Thread Status:
Not open for further replies.
  1. Flexigav

    Flexigav Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    57
    Location:
    Australia
    Many programs create virtual disks that are initiated first in the start-up line. It would seem pointless starting a system virtualization process after other processes have already been engaged, especially if they are of malicious intent!

    So I can only assume programs that set up virtual environments like Shadow Defender, Deep Freeze, Time Machine, Returnil, WTF etc. do so before any other programs are executed at start-up.

    If my assumption is correct, then if more than one is enabled at the same time, who would get in first? It is a rhetorical question really. The real question is: can any other program be loaded, executed and even have internet access before the virtual program kicks in at start-up? Could one be stealthily working on your real OS in the background, while you work in the virtual environment unaware of what is happening in the real environment, because it got in first, before the virtual session was started? It might even have delayed the implementation of that virtual environment session for a few seconds to give it time to make a stealthy internet connection! Really a discussion more than a question!
     
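The "who gets in first" question has a concrete answer on Windows: drivers with Start = 0 (BOOT_START) are loaded by the boot loader before the kernel runs, then Start = 1 (SYSTEM_START) drivers during kernel initialization, and only after that does the service control manager start services and the first user-mode processes appear. Within those classes the order is fixed by the load-order group list in ServiceGroupOrder and, inside each group, by the driver's Tag as ordered in GroupOrderList. The script below is an added example for this thread, not code from any of the products named above; it assumes an elevated PowerShell on Windows 7 or later and hard-codes no product driver names.

```powershell
# Added example (not from the thread or any product). Lists the kernel and
# file-system drivers Windows loads before any user-mode process exists, in the
# order the boot loader and I/O manager load them. Assumed: run elevated on Windows.

$ctrl     = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# ServiceGroupOrder\List (REG_MULTI_SZ) is the master order of load-order groups,
# e.g. "System Bus Extender", "Boot Bus Extender", "File System", "Filter".
# A lower index loads earlier.
$groupList = (Get-ItemProperty "$ctrl\ServiceGroupOrder").List
$groupRank = @{}
for ($i = 0; $i -lt $groupList.Count; $i++) { $groupRank[$groupList[$i]] = $i }

# GroupOrderList\<group> (REG_BINARY) is a DWORD count followed by that many DWORD
# tags in load order; a driver's own Tag value is looked up here to order it
# within its group.
$tagRank = @{}
foreach ($prop in (Get-ItemProperty "$ctrl\GroupOrderList").PSObject.Properties) {
    if ($prop.Value -is [byte[]]) {
        $bytes = $prop.Value
        $count = [BitConverter]::ToUInt32($bytes, 0)
        for ($j = 0; $j -lt $count; $j++) {
            $tag = [BitConverter]::ToUInt32($bytes, 4 + 4 * $j)
            $tagRank["$($prop.Name)/$tag"] = $j
        }
    }
}

$drivers = foreach ($key in Get-ChildItem $services -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    # Type 1 = kernel driver, 2 = file-system driver.
    # Start 0 = BOOT_START  (loaded by the boot loader, before the kernel runs)
    #       1 = SYSTEM_START (loaded by the kernel during initialization)
    #       2 = AUTO_START   (started by the service control manager, later)
    if (($p.Type -in 1, 2) -and ($p.Start -in 0, 1)) {
        $g  = [string]$p.Group
        $gr = if ($groupRank.ContainsKey($g)) { $groupRank[$g] } else { [int]::MaxValue }
        $tr = if ($null -ne $p.Tag -and $tagRank.ContainsKey("$g/$($p.Tag)")) {
                  $tagRank["$g/$($p.Tag)"]
              } else { [int]::MaxValue }
        [pscustomobject]@{
            Name      = $key.PSChildName
            Start     = $p.Start
            Group     = $g
            GroupRank = $gr
            TagRank   = $tr
            ImagePath = $p.ImagePath
        }
    }
}

# Boot-start first, then by group position, then by tag position inside the group.
$drivers | Sort-Object Start, GroupRank, TagRank, Name |
    Format-Table Name, Start, Group, ImagePath -AutoSize
```

Read the output top down: a disk-level virtualization driver should show Start = 0 in an early group, and anything listed above it that you cannot account for (an ImagePath outside System32\drivers, a name you did not install) deserves a look. Two caveats follow from the load order itself. First, to run before a boot-start driver, malware must itself be a boot-start driver, and installing one needs administrative rights, so the scenario presupposes the real system was already compromised. Second, the MBR/VBR and boot loader run before any of these entries, and nothing in this registry view can show a bootkit sitting there; that layer needs an offline check of the boot sectors, not a registry listing.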
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I understand the point you are making in relation to trusted system processes, but the question is wide of the mark concerning the way in which virtualization software protects the system against malware.

    Virtualization software can't be relied on to protect the system against malware that has already been installed outside of the virtual environment. If the user has allowed the real system to become compromised then remedial action needs to be taken to remove the malware.

    This post by chris1341 makes a similar point in relation to Sandboxie: https://www.wilderssecurity.com/showpost.php?p=2118824&postcount=28
     
    Last edited: Sep 23, 2012
  3. Flexigav

    Flexigav Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    57
    Location:
    Australia
    Yes, you would be right. My question was based on the paranoia of malware slipping in before you have a chance to initiate your virtual environment, but that would in all likelihood only happen, as you say, after you have already been compromised, and for that the ultimate peace of mind is backup!

    Cheers
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I run Faronics AE (Anti-Executable) along with Deep Freeze. I think your scenario is highly unlikely if your virtualized system is set up with the virtual app and a whitelisted AE.

     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    And that's precisely the point I was making. When using light virtualization as part of a layered defense, malware is unlikely to get onto the system unintentionally so the question raised by the OP as to whether a malware process gets loaded before the virtualizer is hypothetical, and can be discounted for practical purposes.
     
  6. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Many people I know have stayed Malware-Free by using
    the FREE combo: Returnil + Sandboxie.
     
  7. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,176
    Location:
    in a remote land :)
    Reinstall a clean system, install Rollback RX, then Shadow Defender, then your AVs/FWs/suite.
     
  8. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I don't see a lot of point in running both, and neither works for programs that require restarts (I think that is still the case). From an ease of use and coverage standpoint, I would give Returnil the advantage... if it were not for the fact that it has more than once let files and other leftovers leak on to the real system. It's an annoyance for harmless leftovers; it's a problem if malware gets out of there.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    That's one of the reasons why I use Sandboxie for security and prefer to use LV programs (I use WTF/TTF) for trying other programs only.

    Bo
     
  10. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    47
    I still don't know which I should use on my 64-bit SSD :/

    For HDD the answer is easy: "Shadow Defender" pwns all, time to exit Diskshot, but it is not yet available in an EN version.

    I'd prefer a list with "+" and "-" (e.g. 64-bit support, SSD disk)
    for each specific program, like on the antivirus and firewall comparison sites.
    Can some advanced user try to do it?

    BTW... how many disk virtualization programs do we have to choose from?

    Shadow Defender
    Returnil Virtual System
    Wondershare Time Freeze
    ShadowProtect
    Toolwiz Time freeze
    DeepFreeze
    Diskshot
     
  11. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Extra Layer of protection...;)
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Whilst it is true that neither can be used to test software that requires a restart to install, they can be usefully combined because they are different types of program with different features.

    Because Sandboxie is an application sandbox with comprehensive policy restriction features that works at the file system level, it is ideally positioned as a browser protection utility. It can be used for testing software that doesn't require a reboot, but not for software that installs a device driver or service.

    Light virtualization programs, such as Returnil, that work at the disk sector level can be used to test software that installs a device driver or service, providing no restart is required. Because disk virtualization programs work below the level of the file system, they don't require updating as frequently as application sandboxes to stay compatible with updates to other application software such as browsers, etc. By keeping the system partition virtualized during normal use, the real system only changes when the user reboots to exit the virtual system in order to apply software installs and updates. For people who like to manage system change in this way, disk virtualization is a good option.

    I combine Sandboxie and Shadow Defender, and find both useful for different purposes.
     