Boot-to-Restore software+Sandboxie or Instant System Recovery software+Sandboxie?

Discussion in 'sandboxing & virtualization' started by AlexC, Jan 8, 2011.

Thread Status:
Not open for further replies.
  1. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    In another thread called "Sandboxie and what else?":

    In simple words,or not, whats the difference between boot-to restore software and instant system recovery?

    To run beside Sandboxie and without AV, which offers the most reliable protection? What are the advantages and the disvantages in using one or another?
    Thanks!:thumb:
     
    Last edited: Jan 8, 2011
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    boot-to restore softwares let you use your computer in "virtual" mode; everything you do in virtual mode disappears once you reboot.
    which means you have to be careful to save your documents and stuff.

    instant system recovery apps are like Windows System Restore on steroids.
    more like a cross between a System Restore and imaging.
    it's like imaging in a fraction of the time a real image takes to restore.
    you still have to use imaging, as you don't want putting all your eggs in one basket, so to speak.

    if you are gonna use Sandboxie then a proggie like Rollback RX might be a good match.

    meself, i like Shadow Defender but you have to try for yourself to see what suits you the most.
     
  3. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    (to add my 2 cents on moontan's excellent post in layman terms.)
    I'm fortunate lucky one using FD-ISR Classie (not available anymore :-( ) and I was re-reading its help file because I am thinking about offering my second license to a relative. She speak only french and I wanted to translate some of this file for her. Anyways I think that there are nicely put explanations there about those 2 concepts (FD-ISR can use both). Forget me if using the help file of a "defunct" software bothers you...
    HTH
     
  4. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    on another note:

    if you use imaging as your favored way of "backing up" and don't mind the time it takes to restore an image then instant system recovery apps might be too much overlap and a waste of money if you need to purchase.

    also, it just my opinion, but i don't see much sense in running a "light" sandboxing app like Sandboxie inside a bigger sandbox (Boot-to-Restore softwares).
    too much overlap again...
     
  5. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Thanks!

    So if i understood with Instant System Recovery software, a "snapshot" of the system is created that can be restored during boot.

    But is a "snapshot" the same or as safe as a "image" (like in Macrium reflect, for instance)? Can the system be fully restored througth that "snapshot", including the MBR? o_O
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    no its not.
    in the case of Rollback RX the software needs to be installed first.
    some people do a sector by sector image to save all their snapshots.
    im not so big on that because of the time and filesize required to to this kind of images.

    in the case of RX, yes, although im not sure about the MBR.

    if your hard drive has only 20-30 megs of data and you dont need to install and uninstall often i would just stick with regular imaging.

    but ultimately, your decision on what app to use all depends on your workflow and how you like to use these type of apps.
    its always a good idea to try a demo first...
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    There are reasons why it can make sense to use Sandboxie in conjunction with a boot-to-restore program. By its nature, an application sandbox such as Sandboxie has to be a more restrictive container than the typical boot-to-restore program in order to work. Sandboxie also has a comprehensive flexible set of policy restriction features. When properly configured, Sandboxie creates an environment that is extremely difficult for malware to bypass.

    This makes Sandboxie ideal for high risk applications such as browsers. On the other hand, boot-to-restore programs are more flexible when it comes to testing software that doesn't require a reboot - for example, they allow services and drivers to be installed. Boot-to-restore programs are also useful for people who like to exercise control over system changes. I keep my system partition virtualised most of the time but I also use Sandboxie on demand for web browsing.

    In the end, as you say, it's a matter of personal preference. :)
     
  8. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    @ pegr

    you're right.

    sandboxie is a great app, one of my favorite.
    i like that it is being actively developed.
     
  9. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    instant system recovery - such softwares are not intended to be used for security and are targeted and easily bypassed, if used for that purpose. They rely on a phantom filesystem that can be detected and broken into by viruses.

    Such softwares like EAZ an rollback (sister products) are also notorious for instability and file corruption.


    Boot to restore is where its at with security. These products are more prepared against attacks incliding MBR targetting. Here is some suggestions with summaries:

    Deepfreeze - susbscription ware, no free version. not easily configured to commit files. No exclusion mechanism = you will have to activeley monitor and remember to move files to flash drive.

    PowerShadow - pay ware, english version long dead and not actively supported. Modifies sector 13 on HDD, for activation purposes.

    Returnil - Way too slow IMO for such a product class. Free version missing essentialfunctions such as filemanager exclusion.

    ShadowDefender - A personal fave, and extremely robust. Lifetime license. Even if not suppported, it works on the latest OS's which will be good to go for years.

    My $0.02, hope it helps. Anyone who disputes my facts better give good examples:D
     
  10. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    [OT=]
    Ha, it's new to me! Now I can understand why I always had problem to totally uninstall this one back then, and I always had to resort to a backup system image to really get rid of it!
    So, interestingly, it should mean that a thorough uninstaller like Totall Uninstall was (or is?) not able to take care of this kind of hd low level alteration.
    [/OT]
    I agree on this, and it's the main reason why I use FD-ISR (always ON) and Shadow Defender (on demand) both together.
     
  11. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    All I use with my Win7 64bit:

    1) Win firewall
    2) Sandboxie + Restrictions + Regemented always being careful with files coming out of sandbox.
    3) Peerblock
    4) A few different on-call scanners
    5) DEP

    That's all I use. I've turned off Windows Defender service and UAC, still use an Admin account ... I am REALLY flying by the seat of my pants, apart from Sandboxie, I suppose. This isn't a call of 'come and get me' to the bad guys or any boasting, btw. Just an advert for Sandboxie maybe (not getting payed though) *cough cough*

    But the only reasons I feel ok with this set-up is because:

    I use Macrium Reflect (simply because it works for me). If you can find as near as possible cast-iron backup plan then I think you can entrust in Sandboxie and very little else for your computer security. Just like traditional AV's protection is liable to maybe one day let you down, one day I might get well and trully screwed over by a zero-day, or Sandboxie specific exploit in the sandbox. The risks are there, I know.

    Overall though, Sandboxie, like pegr said in his post ... Sandboxies potential restrictive offerings, but not in the default settings (which I wouldn't use for my browser in their default state) ... Sandboxie can lock an internet application down tightly. Only drawback is ... you need to put some effort into learning the restrictive extra sandbox settings. No pain, No Gain. It's a lot less bothering with signature updates and running application bloat, yay!.
     
  12. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Thank you all for your help.

    I´ve decided to give it a try with Shadow Defender (hope one day the developer returns). Seems to be the best (simple, light, possibility to set permanent exclusions) and its hard to find a real alternative.

    I´ll use Sandboxie execute/internet restrictions in browser sandbox in order to increase security against virus, keyloggers, and eventual malware that can bypass boot-to-restore software.

    One detail: is possible to set IE8 favorites and history to be excluded frow the shadow mode? what are the folders that should be added?
     
  13. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    The easiest way I found to keep important links is to simply copy paste them in an excluded text file. Remember that every potential exclusion leads to holes in the virtual protection = Not Good. Doing it my way will ensure a much more safer setup with smaller potential for bypass + reduced attack surface area.

    PS. Use Chrome! Google disabled the Unique identifier/ phoning home by default. Its lightning fast, once you try it you'll never look back :D
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    I've been using SD for over a year now, with zero problems so far,works great.

    That is the way I have SB setup also.
    I can't think of anything that is known that is able to bypass Shadow Defender, but you never know. So it is a good idea to anticipate for such a scenario.

    Not sure on those settings.
    I do not use the exclusion list within Shadow Defender.
    Instead I have a folder on my desktop specifically for anything I want to bring back to the real system,using the commit now feature within Shadow Defender, but before that happens I will check everything with many scanners. To be extra careful the same folder is set to force sandbox so anything brought to the real system if opened in this folder will still be sandboxed and still protected from the real system until I am fully convinced it is totally safe.
     
  15. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Serapis,
    You need to be clear about a number of things before you can make a blanket statement like this and also ensure that you are addressing those comments in the proper scenario:

    1. "Returnil" is the name of the company and not a designation for any specific solution line we have.

    2. There are the product lines with different target audiences: A) Returnil System Safe Pro/Free, B) Returnil Virtual System Pro, and C) Returnil Virtual System Lite

    3. Use of too many programs is the most common reason for performance issues.

    RSS is designed to be a stand-alone solution even though we have made it compatible with other AV solutions. This does not mean that we recommend using RSS with other solutions, just that it works well and is done to support our customers with concurrent licensing for other products or for use in environments with unique, but rare characteristics where an additional AV solution may be useful for some reason.

    RVS Pro is a virtualization only alternative to RSS with added protection against circumventors that is NOT matched in SD. IOWs, SD is just as vulnerable as any other "light" virtualizer which should become more and more evident to normal users as time passes without continuous development and support.

    RVS Lite is more like the older RVS 2008 versions but includes hardening and protection against the type of malware that works to get around virtualization.

    Now to address your concerns that the free edition of RSS should include the File Manager. We consider it to be a premium feature as it is not the simplistic and exploitable "Exclusions" approach used by other products AND there is no interference with saving of important files/data on a non-system disk (the Returnil Virtual Disk which is free to all is of this type), partition, or backup drive. Exclusions have nothing whatsoever to do with security and in many cases, introduce a weakness. Our approach IS security focused where the real disk remains protected throughout the creation, editing, and saving processes. With exclusions, you simply remove virtualization from a target file, folder, etc. By not allowing saving of SELECTIVE content to disk in the free version, we still maintain the security by not allowing these changes to be applied while in Virtual Mode.

    Mike
     
  16. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    @Serapis
    Thanks for the tip about the text file.
    I´ve already tried Google Chrome but i finish returning to IE8.

    @LoneWolf
    Already exists malware that can bypass virtualization software.
    Check this tread: https://www.wilderssecurity.com/showthread.php?t=276152&page=2&highlight=bypassing
    That´s why, among other reasons (keyloggers, other malware....), i think Sandboxie properly configured is a complement to Shadow Defender and not a overlap.
    The way you have configured Shadow defender (only one "way out", sandboxed, and scanning before bring back to the real system) is the safest IMO, but I cant do that due to usability questions.
     
  17. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    IMHO, the possibility to set permanent exclusions would have very interest to the average user, for who usability is very important and would also increase the number of people interested in Returnil.

    In Pro version, is possible to set Returnil to save files to the real system automatically (exclusions) every 1 minute. Why not give the user at least the non-default possibility to make it permanent? (user could be warned with a big red sign saying that is not advisable, and that the choise is at is onw responsability).

    Thanks
     
  18. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    1. I know it's a company name
    2. I also know of the different product lines
    3. Couldn't agree more, which is why less components in a LV product is better. I tried both Returnil pro and SD with the same setup and found SD's footprint lower.

    I hope you are not offended by me merely stating my experiences with other LV products compared to yours (which is the aim of this thread). Every statement made is based on fact rather than opinion. The only subjective statement I made was that Lifetime licenses are a much more attractive option than subscriptionware IMHO.

    Now that we have cleared misconceptions. Let me reiterate the fact that in the last TDL outburst Shadowdefender emerged unscathed without any additional mechanisms to protect from these crafted rootkits.

    Immediate exclusion does not pose any security risk that I am aware of. Please link me to the malware that exploits that feature.


    Apparently Tony is still around, but maybe a little caught up in some personal matters. Don't hold your breath about SD dying just yet. ;) In the event of Shadowdefender not being developed anymore its still good enough for years to come. Combined with sandboxie, it can't be beat :D :D
     
    Last edited: Jan 11, 2011
  19. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Don't confuse the number of components with performance related to too many concurrent applications. RSS is not a bundled product, it is a single, high performance, and completely integrated security solution that does not need any help protecting your system and network. SD is just a part of a layered approach while RSS is an entire strategy in and of itself.

    You can't compare apples to oranges. To make any kind of meaningful comparison you would need to test RVS Lite 2011 (very small footprint btw with RVS Pro 2011 being nearly as small) v. SD and DF. To make a comparison to RSS you will need to install and run the following in addition to the boot-to-restore solution you select:

    1. AV, and
    2. AE/HIPS

    Please try SD or DF with any solutions you like in the above categories at the same time and then report back on overall performance.

    There is nothing "immediate" about it as that would imply some form of protection at some point for those files and folders excluded. Excluding anything means that it is not virtualized. This means that the boot-to-restore is irrelevant as a security measure for the content excluded.

    Now think about the malware that can and does make changes to commonly excluded System folders like Documents, Music, Pictures, and Favorites. How is anything in those areas protected if they are not virtualized? With the RSS/RVS 2011 File Manager, that content is protected throughout; pre-save, during save, and post-save.

    With the above in mind, it is not necessary to make a list of potential infecters as the process to infect and much of the malware able to infect your documents, favorites, etc are already well known.

    Things are not always what they appear or what some would wish them to be and as there is nothing official reported about the situation, simply supposition at best and rumor at worst. Until/unless there is something official published by the company that owns the SD project, there will be valid doubt.

    Also keep in mind that changes in the design and capabilities of malware are changing at an ever increasing rate. I seriously doubt ANY security solution can retain its relevance for years following the end of active support/development (EX: ShadowUser).

    Not at all. I was just trying to be succinct in my reply, it may have appeared terse and such was not my intention.

    Kind regards
    Mike
     
  20. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi AlexC,
    Yes, it would be convenient and might even increase the use of RSS and RVS Pro, but would be less secure by default. There is a continuous struggle between convenience and security that causes one to be sacrificed to increase the other. We have worked hard to strike a balance where usability is also a priority consideration that dictated the development of support for saving content to the real disk, but we chose as secure a method as possible.

    Mike
     
  21. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    Mike, do new versions of RVS support virtualization of non-system partitions?

    Can RVS and/or RSS work with FDE?

    Thank you
     
  22. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    No, only RVS Lite 2011 currently supports multi-disk virtualization.

    Yes, all versions support full disk encryption but on XP you may run into a situation where restore point snapshots do not display in the RSS System Restore (full restore) section. Once the encryption is released, the restore points are shown properly within the GUI. IOWs, the snapshots still exist and are not effected, just not listed in the RSS GUI in that very specific scenario.

    Mike
     
Loading...
Thread Status:
Not open for further replies.