Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jun 27, 2010.
ShadowDefender is not bypassed by SafeSys.
Thanks for testing.
Kills Icesword and heaps of other apps through Image File Execution Options within the reg.
You can enter the below into your own reg so that safesys.exe will never run on your machine.
View attachment Safesys Install Log.txt
Bufferzone free contains safesys.exe .
Franklin: What did you use to generate Safesys Install Log.txt?
Thanks for the safesys.exe reg entry details
If they alter the file name, I presume this won't work?
So I guess we might be able to use the same method in such a case, and for other "similar" nasties?
Out of curiosity, how does clean slate fare against this critter?
(At the time) not seeing any changes in a virtual machine piqued an interest to look further on a test machine. Also having a vested interest in Faronics software, I fired over an email to them.
At first I got a reply saying that they could not replicate the findings others had, and that was pretty much the end of it until I sent them my new findings and received a reply comparable to what I've read here.
There's some info online about safesys; the history and information I documented at the time pretty much mirrors bkis:
Specifically I can add that autorun.inf is copied to disk, autorun to the registry, and a file appears in tmp with a random name; dogkiller is then the driver that does the work. As mentioned by Franklin, the key "Image Execution Options" is made and blocks a lot of tools. The worm spread easily because it takes advantage of spoolsv.exe.
bkis original page with Yahoo 360 fake
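The two posts above describe the same mechanism: SafeSys writes entries under the Image File Execution Options (IFEO) registry key so that Icesword and other tools never start, and Franklin's reg entry uses the same key in reverse to stop safesys.exe. From the defender's side, the useful check is to enumerate every IFEO subkey that carries a Debugger value and see whether the configured "debugger" actually exists. The script below is an added example written for this thread, not code posted by Franklin, Bkis or Faronics. It assumes an elevated PowerShell session on a 64-bit Windows machine (so it looks at both the native and WOW6432Node views); the sample entries it prints will of course differ on your box.

```powershell
# Added example (not from the thread): audit Image File Execution Options
# for Debugger redirections, the mechanism the thread describes SafeSys using
# to kill Icesword and other tools. Lists the entries, checks whether each
# configured debugger resolves to a real file, and shows how to remove one.
# Assumptions: run elevated; both native and WOW6432Node views are checked.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    foreach ($base in $ifeoPaths) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                # First token of the Debugger value is the binary; the rest are its arguments.
                $exe = ($dbg -split '\s+')[0].Trim('"')
                # Get-Command resolves both absolute paths and names found on PATH.
                $resolved = Get-Command $exe -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Image       = $_.PSChildName   # the executable that gets redirected
                    Debugger    = $dbg
                    DebuggerOk  = [bool]$resolved  # $false = points at nothing real
                    KeyPath     = $_.PSPath        # PowerShell path, usable with Remove-ItemProperty
                }
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    Write-Output 'No IFEO Debugger values found.'
    return
}

$entries | Format-Table Image, Debugger, DebuggerOk -AutoSize

# Entries whose "debugger" does not resolve are the typical sign of a hijack:
# the redirected program simply fails to start, which is what the thread reports.
$suspect = $entries | Where-Object { -not $_.DebuggerOk }
foreach ($s in $suspect) {
    Write-Output ("Suspect: {0} -> {1}" -f $s.Image, $s.Debugger)
}

# After review, undo a single hijack by deleting only the Debugger value
# (leaves any other legitimate settings under that image key alone):
# Remove-ItemProperty -Path $suspect[0].KeyPath -Name Debugger
```

Legitimate Debugger values are rare on an end-user machine (gflags or a real debugger attached by a developer), so anything pointing at a missing binary, or at a program that is not a debugger, deserves a closer look. As Franklin notes later in the thread, IFEO keys match on file name only, so a renamed copy of safesys.exe or of the blocked tools is not caught either way; treat this as one quick check, not a complete cleanup.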
Just got back - ZSoft Uninstaller.
Yep, it will stop any exe but a simple name change renders it useless.
Do you still have their reply? What did they say exactly? And when did they say it?
Exactly the same statement in the link from your second post in this thread, the one Smokey posted over BBR.
Then it's amazing that almost one year later they release a new major version of Deep Freeze and the vulnerability is still there.
Maybe you could mail them and ask again.
I have been told that Faronics replied about SafeSys issue telling that their developers are investigating the malware.
One year investigating the malware and still no solution!
IMO they don't have a copy of that malware... Better you send it again.
They must know about Marco Giuliani's article, so they had enough time to mail him asking for a copy of the sample and technical details if necessary.
Faronics doesn't have any excuse at all.
For a security company this issue is a big scandal!
I couldn't agree with you more. I think Faronics have totally messed up and dropped the ball with this situation. As for contacting them again, I don't think it will change anything in the near future, although I will; more talk and articles online may.
Shadow Defender has been bypassed by the TDSS rootkit along with Wondershare Time Freeze.
Leach: Bad luck for Shadow Defender users, because it seems like the product will not be supported anymore.
Is there any software like Deep Freeze or Shadow Defender which is not bypassed by TDSS or SafeSys?
I've been asked to repeat the test against Shadow Defender with full DEP enabled. I will include Sandbox RX later; it's being developed right now. I have had contact with the developers and I'm pretty sure they check this forum from time to time.
Sorry, you are definitely wrong here. DefenseWall does not ask the user for a correct action.
And, BTW, I did test SafeSys against DefenseWall.
Just for reference, the posts focusing on TDSS rootkits bypassing other isolation-based products are now in their own thread:
Let's use that thread for the TDSS / TDL tests and issues, and keep this one about the Deep Freeze problem.
Can you share details of your test method, and a screenshot of the DefenseWall alert?
I didn't test myself, so that's my mistake, sorry.
Sorry, what alert? It was running as untrusted and just silently blocked, that's it.