Does ISR actually make sense on a desktop?

Discussion in 'sandboxing & virtualization' started by Gullible Jones, May 16, 2013.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Just thinking about ISR:

    - If you pick up some driver rootkit, and it successfully loads its driver, it can mess around on the same privilege level as the ISR software, AFAIK.

    - You could use other security software to prevent driver loading. But if you're using a HIPS already, why bother with the further inconvenience of ISR?

    - Meanwhile, ISR software makes it a pain to apply patches. If this leads to less frequent application of Windows and third-party software patches, it increases your risk of getting hit by an exploit.

    Isn't the result basically a net increase in risk?

    (Not to knock ISR software BTW - it is probably quite good for kiosks and such, where you don't want user data to be saved. I just don't see how it applies to desktops.)
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No clue what ISR stands for.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Instant System Rollback, e.g. Returnil and Shadow Defender. It puts the entire OS in a copy-on-write sandbox, which is erased on reboot.

    Edit: I think the best known one is Deep Freeze by Faronics. Deep Freeze is marketed more for backup and maintenance than security though. Returnil and others are usually marketed as desktop security software.
     
  4. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    But HIPS is all but useless. There are ways around it/to fool it, and on the system of a typical user, it gets shut down, ignored and just generally might as well not be there.

    ISR software is in fact very easy to use (save for some that don't work well with software that needs to reboot). Need to update? Turn the program off, update, turn it back on. It can prevent most malware from sticking around, but driver-level stuff/rootkits can cause them trouble. Also, some (very few so far) examples of malware are aware of virtualization, and will behave themselves while it is present. Some ISR programs also have "leaks", in that things you install in virtual mode can sometimes leave traces behind on the real system.

    All that said, they are still something I'd suggest over HIPS to most people.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    HIPS was just an example of other security software. Sandboxie would probably be a better example.

    Hmm, I suppose I can see this. Preventing persistence doesn't necessarily prevent data theft, OTOH if you reboot before doing any banking or such, that would reduce the risk...

    The main problem I see is that there are many ways to gain elevated privileges on Windows; IIRC including some design flaws in UAC for instance. Once malware has admin access and can load a driver, it's game over for the ISR software.

    (And it obviously goes without saying that ISR would provide little protection if used on XP with an admin account.)
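Posts 3 to 5 above describe ISR as a copy-on-write layer whose session writes are discarded at reboot, and list its two well-known limits: writes that reach the real disk below the filter (driver-level code, product "leaks", or the window in which protection is turned off to patch) persist, and an attacker active during the session can still read existing data. The following is an added toy model of exactly that behaviour, written for this thread and not code from Returnil, Shadow Defender, Deep Freeze or any other product; the dict-backed "disk", the file paths and contents, and the `write_below_filter` bypass path are all constructed for the illustration.

```python
"""Toy model of an instant-system-rollback / light-virtualization layer.

Added illustration, not code from any product named in the thread. A dict
stands in for the disk; RollbackDisk is a copy-on-write overlay on top of it.
While protection is on, writes and deletes land in the overlay and reads see
the overlay merged over the base; reboot() throws the overlay away. Two limits
the thread points out are modelled: a write that reaches the base below the
filter persists, and nothing here stops an in-session read of existing data.
"""
from __future__ import annotations

_TOMBSTONE = object()  # overlay marker: path was deleted during this session


class RollbackDisk:
    def __init__(self, base: dict[str, bytes]) -> None:
        self.base: dict[str, bytes] = dict(base)   # the real, persistent system
        self.overlay: dict[str, object] = {}       # per-session copy-on-write layer
        self.protected = True                      # False = "turned off to update"

    def read(self, path: str) -> bytes | None:
        if self.protected and path in self.overlay:
            entry = self.overlay[path]
            return None if entry is _TOMBSTONE else entry  # type: ignore[return-value]
        return self.base.get(path)

    def write(self, path: str, data: bytes) -> None:
        if self.protected:
            self.overlay[path] = data      # diverted: will not survive reboot
        else:
            self.base[path] = data         # protection off: lands on the real disk

    def delete(self, path: str) -> None:
        if self.protected:
            self.overlay[path] = _TOMBSTONE
        else:
            self.base.pop(path, None)

    def write_below_filter(self, path: str, data: bytes) -> None:
        """Hypothetical path for a write that never passes through the filter.

        Stands in for what the thread calls driver-level malware or a product
        'leak': code at the filter's own privilege level reaching the base store
        directly, so the overlay never sees the change.
        """
        self.base[path] = data

    def reboot(self) -> None:
        self.overlay.clear()               # the whole session's writes vanish


def run_scenario() -> dict[str, object]:
    """Walk through the cases discussed in the thread; returns what persisted."""
    disk = RollbackDisk({                  # constructed sample contents
        "C:/Windows/System32/hal.dll": b"v1",
        "C:/Users/me/Documents/bank.txt": b"account 1234",
    })
    out: dict[str, object] = {}

    # 1. Ordinary dropper: writes made while the session is protected.
    disk.write("C:/Users/me/AppData/Roaming/dropper.exe", b"payload")
    disk.write("C:/Windows/System32/hal.dll", b"tampered")
    # Preventing persistence does not prevent reading data during the session.
    out["document_readable_in_session"] = disk.read("C:/Users/me/Documents/bank.txt")
    disk.reboot()
    out["dropper_after_reboot"] = disk.read("C:/Users/me/AppData/Roaming/dropper.exe")
    out["hal_after_reboot"] = disk.read("C:/Windows/System32/hal.dll")

    # 2. A write that bypasses the filter survives the reboot.
    disk.write_below_filter("C:/Windows/System32/drivers/below.sys", b"persistent")
    disk.reboot()
    out["bypass_after_reboot"] = disk.read("C:/Windows/System32/drivers/below.sys")

    # 3. Patch window: protection off so the update sticks; anything else written
    #    in that window sticks too, which is why the window should be kept short.
    disk.protected = False
    disk.write("C:/Windows/System32/hal.dll", b"v2-patched")
    disk.write("C:/Users/me/AppData/Roaming/dropper.exe", b"payload")
    disk.protected = True
    disk.reboot()
    out["patch_after_reboot"] = disk.read("C:/Windows/System32/hal.dll")
    out["dropper_in_patch_window_after_reboot"] = disk.read(
        "C:/Users/me/AppData/Roaming/dropper.exe")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The three cases map onto the thread's argument: case 1 is what the products are sold on (session writes, including a tampered system file, vanish at reboot), case 2 is the "game over" situation once something writes below the filter, and case 3 shows why a long or careless patch window undoes the benefit, since the protection is simply off while patches are applied.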
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I don't call them ISR as I think they apply better for snapshot-based programs like Rollback RX/Eaz-Fix/CTM. I prefer to call them Light Virtualization or Partition Sandboxes. Well, that's just me though.

    Whether something makes sense, that's up to the user. For me, I think they have a place on a desktop which is usually static. You know...some people like the state of their machines to remain the same. There are those who want the temporary files, logs, registry changes to be cleared at each reboot. Security is often marketed as a benefit and to an extent, they do provide an easy way out for those malware that don't bother. The security by obscurity element is there. I prefer to think of it as a by-product rather than a main feature.

    Like everything else, almost anything can be bypassed. People don't stop using AV, AE, HIPS, Sandboxie, VirtualBox/VMWare, EMET, etc. just because they can be bypassed or add attack surface. Different people see risks and value in the tools they use differently.

    To shorten it: As long as you are aware of the limitations, know the risks and do not expect more, why not?
     