DeepFreeze & Returnil 2008 Per. Ed. in Vista SP1

Discussion in 'sandboxing & virtualization' started by AwareSoul, Mar 25, 2008.

Thread Status:
Not open for further replies.
  1. AwareSoul

    AwareSoul Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    14
    Out of curiosity, for testing purposes, can I simultaneously run DeepFreeze in "frozen" mode and Returnil 2008 personal edition in "session lock" mode in RAM without any problems? The reason that I am asking is because I would like to avoid having to install VM or VirtualBox. Thanks in advance.

    AwareSoul
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
I would be curious to know their compatibility myself because I'm wondering the same thing.

RETURNIL is Fantastic! There's no doubt about that, and so is DEEP FREEZE. Right now I'm chugging along testing COMODO D+ with EQS as well as Returnil and SandboxIE and feel like my PC is in Fort Knox!!

    Very Good Question because that would be another Perfect Security scenario IMO. I use FD-ISR with RETURNIL and those are 100% completely compatible.

    I smell some very TIGHT protection on the horizon here with teaming up apps like you mentioned.

    Anyone?
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
I agree Returnil is great and convenient but I really like DeepFreeze. I also installed it on the kids' box. If it was not for Deep Freeze, what a mess it would have been for me to fix. My kids managed to mess up a PC more in an hour than I have in 12 yrs from virus/malware, even as much as missing files; one boot to restore like nothing happened. Pretty impressive products. :thumb:
     
  4. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello AwareSoul and EASTER,

I am presently trialing DeepFreeze (DF) Std. under Vista 32 SP1 alongside DefenseWall, Primary Response SafeConnect and Returnil 2008 personal ed. (virtualization in RAM by default). Having concurrently run DF in "frozen" mode and Returnil in "session lock" mode, I have yet to experience any conflicts. The reason that I decided to experiment with DF and Returnil is because the former virtualizes the disk and the latter virtualizes the current session in RAM (if set to default). While it remains to be seen and until proven otherwise, my current thinking is to use this ISR combination as an alternative to VM and VirtualBox for a testing environment (on-demand).

For those who are interested in DF, the only chink in its armor is the fact that it does not protect the MBR or the partition table outside of Windows. Unfortunately, Faronics technical support has informed me, to the best of their knowledge, that there is no plan to release a modified Deep Freeze that will protect against this shortcoming in the future. Fortunately, on the other hand, Returnil does protect against low level disk access intrusions.

    Regardless of what security applications one is running, one important thing to keep in mind are their limitations. This is the kind of thinking that goes into implementing an effective layered defense strategy.

FYI, the only minor glitch that I found with DF in Vista 32 SP1 is the initial installation and restart. I experienced a "single" BSOD, for which I submitted a minidump file to Faronics to examine. Fortunately, after another reboot, DF appears to be functioning properly and I have yet to see another BSOD. Hope this helps.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Mar 25, 2008
  5. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

Assuming this works, what is achieved?
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
This is a useless approach and will give no additional benefit at all.
     
  7. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I'm trying to figure out what additional protection you get by running both simultaneously?
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I'll give you one.

You run a known very destructive file infector virus; forget MBR stuff because Returnil handles that very well. Let's say the file infector, once initiated, corrupts ALL the DEEP FREEZE executables and supporting files. With Returnil also running in MEMORY, that disgusting piece of garbage cannot access a real executable to scramble its code, and after a single reboot you've safely evaded corruption or worse. With only DEEP FREEZE, if the file infector bites ALL its files then it's all but finished, requiring an Image Restore.

Do you still want to know what additional protections you get by teaming these up together?

BTW, thanks for the verification of compatibility that DF + Returnil safely co-exist and complement a solid strategy against just such a possibility that severe.
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
And what happens if a really disgusting piece of garbage manages to scramble Returnil as well? :D

So the idea of running both is just in case one doesn't work? By the way, would I still run Sandboxie inside SafeSpace, or would that be a bit OTT if used with 2 firewalls and a couple of AVs and 3 only partially conflicting HIPS? All backed up every 15 minutes with Shadow Protect 3.6?
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
In that case we're thrown right back to square one again :D

    Which means, ISR archives or Image Backups saved to external drives, the same old song and dance you might say.

    The key remains failsafe Self-Protection for such apps, if there really is such a safety mechanism that can prove itself immune. :cool:
     
  11. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I think I will continue to use both DeepFreeze and Returnil but on different machines with Acronis 10 and Shadow Protect as my "true" security - no offense to those who do not see these as security programs.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I have to agree.

    Since there exists yet no foolproof front line defenses no matter how intelligently crafted, image programs are the only True Security Apps in the respect that they offer the security of being 100% capable to eliminate damages and corruptions from attacks or whatever by restoring the system EXACTLY as it was, and the FUN part is that no malware can disrupt their progress since we apply them externally and only after we've deleted and wiped the afflicted drive/system.

    Yes, the only real true security system which holds the highest percentage of reliability.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
I don't see any benefit either of combining DeepFreeze and Returnil on one computer; it's DeepFreeze OR Returnil, not AND.
Both programs have the very same basic goal: keeping your SYSTEM partition unchanged after reboot.
2 x UNCHANGED = 1 x UNCHANGED. What is the daily practical benefit of this double unchanged? Unchanged = Unchanged. Period.

    Although I don't like the combination FirstDefense-ISR + DeepFreeze/Returnil, this combination makes sense, because FirstDefense-ISR out-of-the-box does not keep your system partition unchanged. FirstDefense-ISR needs to be prepared to do this and the closest solution is using a frozen snapshot, which keeps your system partition also unchanged. Other solutions in FDISR are an archive or a secondary snapshot.
    Some members didn't want to use a frozen snapshot and replaced it with DeepFreeze, Returnil, etc. It's also known that DeepFreeze and Returnil offer a better protection than a frozen snapshot and are faster in execution.

You might think that DeepFreeze removes changes that Returnil doesn't remove, or vice versa, which is in theory possible.
In that case you had better restore a CLEAN IMAGE or ZEROING + CLEAN IMAGE.

Restoring a clean image is the only way to be 100% sure that your system partition is clean.
Why? Because a clean image is never on-line, while DeepFreeze, Returnil, etc. are constantly on-line and therefore vulnerable to new sneaky malware that one day will compromise DeepFreeze, Returnil and any other similar software.
That's why System Images are so important: they guarantee a clean system partition, not DeepFreeze or Returnil or any similar software.

Clean FDISR-archives are the same as clean images; unfortunately FDISR is dead.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Exactly!

And that is the way I've been using FD-ISR archives (Genuine Edition :D )

There is no other substitute known to man short of an image restore, like Erik points out.

No way I would trust ANY other ISRs to do what I know FD can do with its archives.

DeepFreeze + Returnil? That's a combo I don't consider because I happen to be one of the fortunate ones to have the original FD-ISR by Leapfrog/Raxco.

I do however implement Returnil RVS 2008 inside the snapshot and only use it through Session Manager as an on-the-fly virtualization when doing research, because it's Picture Perfect Protection/Restoration.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Using Returnil in a normal FDISR-snapshot makes sense as an alternative for a frozen FDISR-snapshot.

    DeepFreeze + Returnil is absurd and would be the same as using Returnil in a frozen FDISR-snapshot, which is also absurd.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
Not dead, just out-of-reach and no longer available for sale in its previous spectacular form.

    Like me, you're also one of the lucky ones who got in on it before the wind finally blew the door shut.

    Just ask users like Peter2150 :D
     
  17. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I have a license for Returnil, but at the moment am running DF, Faronics AE and Sandboxie. Being a borderline idiot regarding computer software, I'd be curious what these 3 offer in the way of solid security. I'm experiencing no slowdowns whatsoever on my computer, and in the several months I've run this combo (almost a record for me) no problems at all.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Hi Chuck

Looks like you have yourself a fairly tight and well ordered setup, since they're also running perfectly stable and light together.

Lately I've been alternating between two drives here; both are running Returnil, which I only use for Session Manager, along with SandboxIE and EQSecure (HIPS), the pair firewalled with Kerio.

On the other I've been selective and took on CFP D+ along with EQSecure 4.0 Beta with Alcyon's Rules to see how they fare together when I throw some pepper on it.

I've not been disappointed yet, and they run well together too. LoL

I have an entirely different armor on another PC where I use Faronics AE + DF together along with, again, EQS. This is my airtight setup and it sure holds up that way. I normally don't do much testing with that one.

These others though, I put through the wringer.

Windows defense programs are finally being created which close a lot of the many loopholes and gaps, plus it helps to run as a Limited User too. I'm still green where SuRun is concerned, but boy does it take the edge off and the bite out of some malware.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have a similar setup.
1. A frozen FDISR-snapshot = your DF, but DF is probably better in certain areas.
The advantage of FDISR is that I can always roll back to a clean system partition, using clean archives.
That's why I don't use any scanner anymore. I clean my system partition in 2 minutes, while a scanner takes 20-25 minutes, and that is just one scanner.
My clean archives don't only remove malware; they clean my registry, history and junk files and they restore anything that doesn't work anymore, including my stupidities, and all this in one hit.
So after each reboot all my misery is over and I have a very clean system partition and have saved a lot of time in cleaning and removal of malware.

2. Faronics AE on HIGH security, except that Delete Prevention is disabled, otherwise I get errors in FDISR.
AE is an immediate killer of any unauthorized executable, and most malware are executables.

    3. DefenseWall HIPS as an alternative for your Sandboxie.
    I'm also a licensed user of Sandboxie. The trouble is I can't choose between DW and SB.
I use DW or SB mainly to LOCK my Data Partition (second HDD) when I start surfing with IE or FF in order to protect my personal data files: no reading, no writing, no stealing possible, and that is a very strong protection while you are on the internet.

    To verify my approach after more than six months without scanners, I ran all popular AV/AS/AT scanners one-by-one and they didn't detect anything, except false positives. One of the f/p's was ShadowProtect :D :rolleyes:

So I wouldn't worry so much as long as you can stop the execution of malware between two reboots.
I have no experience with DF in practice, but in theory it should be the same as a frozen FDISR-snapshot.
You need AE and SB to stop or isolate the execution of malware if it passes through your security between two reboots.
One thing is certain: malware that succeeded in installing itself will have a very short life if you reboot more than once a day.
You can't run scanners many times a day because they take too much time, but rebooting takes less than 2 minutes and your computer is clean again, without false positives and missing signatures.

Since I've been doing this, I have never had a cleaner and better functioning computer than this one, which cures itself automatically during each reboot.
If something doesn't work anymore due to experiments or whatever:
    - I don't have to ask myself what caused the problem
    - I don't have to do any research or reading to solve the problem
    - I don't need an expert to solve the problem
    - I don't have to fix the problem.
I simply reboot and I'm back in business, and not only is my problem fixed, but my computer is also clean and malware-free.
All this in less than 2 minutes. I save a lot of time this way and have more time for thinking and positive activities.

    Reading your post you must have the same experience. :thumb:

The only thing you have to ask yourself is whether AE and SB are enough to stop the execution of malware.
But I can't answer that question.
     
    Last edited: Mar 28, 2008
  20. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
Thanks ErikAlbert and Easter.

Erik, for backup, I have a Paragon HDM backup on another drive. If anything should happen and something somehow gets through Sandboxie and defeats AE and DF, I'll invoke Paragon.

I have a copy of Raxco FDISR, the last version. For some weird reason, I'd find myself running it for a couple of months, then getting the urge to switch, so I would install DeepFreeze. Lately, I notice I'm running DF more and FDISR less and less.

    EASTER, I've looked at EQsecure, but just don't understand those things. I've tried various HIPS programs and gave up on all of them. A frozen system with an AE as backup for a virtual type thing like Sandboxie seems to work.
     
    Last edited: Mar 28, 2008
  21. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
Go on Chuck, live "dangerously". DeepFreeze and Paragon may be more than enough? When did AE last stop something nasty happening? Or how often do you find Sandboxie containing the plague?
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
FD-ISR has a much longer learning curve than DF.
FD-ISR has only technical rules, and the user has to decide himself HOW to use it, and that takes time, imagination and experience. That is probably the main reason why FDISR was terminated: average users want something simpler.
My very last way of using FD-ISR is totally different from my very first way, while DF has only 2 possibilities, frozen mode and thawed mode, which in FD-ISR is just an additional function, while all the rest is missing in DF.
I will never use DF as long as I can use FD-ISR.
     
    Last edited: Mar 28, 2008
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Hi Chuck57

EQS is likened to a template, and I agree; after all the time it took me to learn SSM at the start, EQS was going to be another chore to add all the rules it needs to make its contribution to computer defense worthwhile.

May I add that the member Alcyon has generously made available a very nice and concise ruleset for all 3 protection settings, Registry, Files, and Applications, and his blacklists are the best I've seen.

If, and I mean if, you would decide to try EQS, implementing those rulesets by Alcyon will relieve you of a lot of the time spent learning it, I think.

It's just me, but personally, no matter what snapshot I use or any other program like DefenseWall or SandboxIE, or even DeepFreeze and so on, I just refuse to be without a HIPS. I can do without a behavioral blocker, but a HIPS informs me exactly what is firing up and where, and offers me the user ULTIMATE CONTROL of interactions going on within my Windows XP system.

I read your categorized reply above earlier and I relate to a lot of those implementations, especially AE. Very good read, especially about DW & SB too.

While Deep Freeze is exceptionally formidable and runs with simplicity and ease on my machine, FD-ISR is more flexible, I think. Like you point out, it takes some imagination and a little effort, but FD-ISR's archives are indeed like GOLD: they can instantly return your system again to a fresh state and eliminate the need for scanners, cleaners, and all that time it takes to run them, and even then can users be assured those apps got it all?

    FD-ISR does get them all. :cool:
     