Enough is enough

Sandboxie and Returnil are the two best security apps anyone can use.Oh well, according to me anyways!

From SB's FAQ's:
Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper.

Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely.

On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed.

 

Very well said and accurate analogy i must say Franklin.

How very true, i recently read in the AV forums where at some point in the future, even they are considering integrating either a sandbox of sorts or another form of virtualization to compliment a better total solutions package for consumers/users. With that said i also voiced my reservations regarding Suites, because if at any point something malicious or even some system conflict happened to disable such a multi-level program, ALL those defenses would go down together unless they fashioned some way for them to work independantly of each other, which we all know doesn't exist ATM if ever.

More OT: The latest release of Retunil combined with SandboxIE on top of my FD-ISR snapshots almost make me drool
Not yet inclined to ever consider relieving my units of HIPS, because mainly they are as educational as protective, but that analogy you just made really does ring true as perhaps the best possible detterent short of an image restore.

And consider this, those apps you just mentioned are pretty much in their respective current versions about as solid as any XP user will ever need for the life of their equipment can only going to get even better, if there is such an animal.

 

Just off the top of my head 2 scenarios:

1.You receive one of those phony e-mails purporting to be from your bank, insurance company... telling you they need to get some personal information from you and providing a link to "their" website. Not suspecting a thing (obviously not a regular at Wilders) you follow the link and fill in the requested information, perhaps also providing them with your bank account and credit card numbers.

2.While surfing you get infected with a keylogger. During this session you also purchase something online, filling in the requested information (name, address,...) and your credit card number. The keylogger happily records this information and sends it to some evil person who gladly makes use of it.

In both of these scenarios neither Sandboxie or Returnil will protect you. After a reboot or after emptying the sandbox the keylogger will be gone, but by then it is to late. The damage has been done.

I admit that an informed user would not be deceived by #1 and the chances of #2 happening are slim, but both are real possibilities. As good as these products are they are not sufficient on their own, or even when used together.

 

Chances are, if you are a clueless user, nothing will protect you.

 

I think we can all agree that #1 requires a level of stupidity that really rules it out. So how about #2 ? How do key loggers get on ? As I have never knowingly seen one I'm not sure exactly how how serious the problem might be.

Just a couple of thoughts though (1) if a key logger gets on during a session when I am not going to my bank, credit card it will be gone at reboot and not there when I log on for the next session which reduces the probability even more. (2) If key loggers are of concern there are a number of account/password programs which will enter all details from secure storage without any keyboard keys being used - just a mouse. Or there any mouse loggers ?perhaps that might make it difficult for the key loggers that get on during a bank/credit card session ?

Even with Returnil I still use a hardware Firewall, Firefox and have all mail delivered by a provider which removes spam and checks for nasties. Other than that no other security programs used. No Hips, No software firewall, no resident AV, or AS. I've only been running this way for 8 months so too early to tell.

 

Yes I suspect that is safe to say, since someone as clueless as to fall for that probably has never heard of either Sandboxie or Returnil.
As for the second one you should always empty the sandbox / reboot returnil immediately prior to going to a secure site (ie bank / online payment) particularly if you do not have aditional protection. I find this a good practice anyway.

 

What is that payment/bank site is compromised? Happens often enough and might one day strike at any of you. It seems almost as if those without an av feel proud to be without it as if it's some kind of virus itself.

 

What if I'm are doing productive work with my computer, instead of merely surfing for fun & games? I don't want to do productive work on a "transparency", right?

For instance, let's say I am updating my websites & receive an email requesting reciprocal links to a certain site. Now I want to visit that site to see if it's worthy of a link. Do I switch to DeepFreeze's frozen mode before visiting the site, then afterward switch back to thawed again so my work doesn't get lost? Bloody inconvenient doing all that when I'm trying to get some work done.

When I work, I choose to work "thawed" all the time, & I sometimes must do *risky* actions in conjunction with that work.

Bottom Line- Sure, I use DeepFreeze & Image for DOS. It would be foolish not to. HOWEVER, I'm not quite ready to drop DrWeb, or SSM, or Asquared. Ergo, the inference that Returnil/Sandboxie are all the security anyone needs is rather too narrow, I think. If the inference was unintentional -- my apologies-in-advance for mis-interpreting.

 

I love Sandboxie and have it configured to save my Firefox bookmarks and to update my Adblock Plus filters, granted I guess this is a breach of the sandbox. I still haven't installed Returnil since it would require reboots (which are questionably hard on your system) to install anything, or am I misunderstanding this program?

 

I share your enthusiasm for both programs. They seem to give you an advantage against the bad guys for the time being. Programs like these came about because normal anti-whatevers couldn't keep up with the malware writers. I too still wouldn't drop my usual protections, but I think I see how some users or certain changes could be made so it could be done fairly safely. Sandboxes and Virtualization are the future.

Ratchet, You can turn Returnils protection on at any time 'on the fly' without a reboot. There is also an option to run Returnils protection all the time. The only time you need to reboot in Returnil is when you want to turn protection off or reboot to 'clean' changes. I hope that makes sense.

innerpeace

 

Innerpeace, what I mean is, I want to save a new favorite in Firefox or I want to update to the newest version of say Picasa. Wouldn't I have to reboot to get out of the Returnil protection. As you know, with Sandboxie you just download the file while sandboxed and then recover it. I see the security advantage of Returnil but it just seems inconvenient compared to Sb.

 

It's a good practice to do online shopping/payments/banking from a clean browser session (emptied sandbox, reboot-to-restore, clean image, LiveCD)

 

Hi again and sorry, I mis-understood you. I honestly only use Returnil when I go to unsafe or new places or when I want to try a new program that doesn't need a reboot to install. If you wanted to run Returnils protection all the time you would need to move/store Firefox's profile to Returnil's VP or an alternative partition. Remember, Returnil only protects the System partition, usually C:.

Assuming your using protected mode all the time. If you wanted to update or install a new version of a program with Returnils protection enabled, it would first have to be downloaded to the VP or the alternative partition so it would survive the reboot. Then you would have to turn off Returnil's protection by rebooting. The data would be safe because it is in the VP or alternative partition and not in the protected system partition. Install your new program with protection off and then turn on protection after installing if you wish.

Ideally, Returnil would work very well if you completely separated Windows and your programs on your system drive C: from your documents/data (like your FF profile) on another partition. That is above my head and seems quite a task to accomplish. It seems even harder as there are constant updates and upgrades from many of the programs I have installed. I think that is why a bunch of us update everything after powering up our machines and then turn on Returnil's protection manually.

If I turn on Retunil's protection, it is because I'm doing something that I expect to be reversed upon reboot. It doesn't matter if I'm browsing the dark side or installing a media player or browser I want to try. Returnil is my last line of defense. I still expect my other layers to function, but Returnil has the final word. I hope this helps.

 

Quick question with Returnil. What does the virtual partition do?

If it does what I'm guessing it does (a storage area created specifically to store files you don't want to get reversed upon reboot), is it required if you have already manually created a separate partition?

 

No, it isn't required

 

Thanks.

 

"(a storage area created specifically to store files you don't want to get reversed upon reboot)" That is accurate. And no, it is not required when installing. You can save data anywhere else but the Returnil protected system partition like an alternative partition, thumb drive, cd/dvd, external hard drive. When mounted the VP is just like any other partition. You can move files to and from it at will. You can do the same with an alternative partition. The advantage of the VP is you can make it portable (take it with you) and use it on other machines that have Returnil installed.

This is taken from the help file.

 

After re-installing my computer, I have

- 5 clean images for restoration only
- 2 clean archives for restoration only
These give me my clean computer back and were the only reason, why I re-installed my computer from scratch,
You can't create such images after being on-line too long.
These are the ones, I only trust.

- 1 off-line snapshot
- 1 frozen on-line snapshot
These let me do my job and hobbies, especially my off-line snapshot.

- 1 daily image
- 2 daily archives
- 1 daily freeze storage
These are for daily backup/restore, but I consider them as possible infected in theory, because security softwares can't be trusted, they fail too much.
My freeze storage is supposed to correct the failures of my security softwares.

No Returnil yet, because Returnil can't handle installations of new softwares, that require a reboot.
FDISR can handle this, because it has an actual and previous freeze storage.

 

Hi Erik, how much time and money do you have in your setup? Most users can secure there computers for free. Nothing can be trusted 100%, but we can all get close. I don't have FD-ISR or even an image, but I bet both of our security is close to 99%. After all, we are just limiting the window of opportunity that the bad guys have. We are talking 1/10s or 1/100s of a percent difference here. If I'm being naive then please educate me. My setup is based on help from others and I'm always willing to learn. That's why I am here .

How do either one of us know if we are infected? I know the steps you have taken by other posts like offline installs, downloading from trusted sites, but nothing is 100%. I'm no expert so I scan with many different types of scanners regularly and find nothing. Trust me, I would love to have FD-ISR and a big external drive to play around with and I do see the advantages. It it not necessary though. Heck, neither is Returnil. Returnil, Sandboxie and FD-ISR each have their individual bright spots, but all serve their purpose and their users well. They are extra layers that are different and nothing else.

We all have our favorites, budgets and different uses of our computers. For the money, it's currently hard to beat a free setup with an image which also can be had for free nowadays. I'm speaking about the average user and not a machine for business purposes.

FWIW, I would love to have Pete's setup, with Easter's extra hard drives and your knowledge. I'll get there one day if I still enjoy this hobby, but I do currently have a 'close to' secure computer to the best of my knowledge. Your setup just has more depth. If we're constantly striving for perfection that doesn't exist, we may miss the 'fun' that is happening now .

Cheers, innerpeace

 

Yes, nothing is 100%, Mrkvonic considers even Windows as spyware.
If members start reasoning like this, I don't feel the need to discuss this any further. I'm not going to defend myself and certainly not in a foreign language.

 

Greets Always innerpeace.

If you can find any local PC Shops around that aren't profit heavy then you're in a fairly good position to pick up used hard drives like i done this past year. Even Flea Markets or a Yard/Garage Sale occasionally put up on the table a maybe lousy looking neglected PC, but inside that heap box all i want is the HD and whatever else might be salvageable. You can do the same, but it is sometimes risky, like recently i shelled out 35 greenbacks for a used 80GB Maxtor that after getting it home and plugged in, HDD Regenerator program showed "BAD" sectors and even reallocating them didn't help , i returned that one for another, this time a 80GB used WestDigital, and those results were even worse as in "click" "click" "click". So when i went to return it they told me nothing was wrong with that drive but must be my cable, Pffffffttt. I did manage to get a CD Boot test done on it and it was exclamation point RED! as in toast too.
I insisted, of course they must replace it and so this time they gave ME the choice of selecting and i found of all things a pretty clean 2003 Hitachi 80Gb that i'm using right now to reply in this post.

Some small shops like this one are so overloaded with business that they just don't have the time to really analyze in-depth whether Hard Drives are reusable or not, they just stack them up and at times even toss them out when they might be perfectly fine after a good sanitize. LoL

 

Are you suggesting that rebooting might be "bad" for a system ?

Also re Firefox - you can move the Firefox profile to another partition or drive . Ruturnil just "freezes" C:

 

Yes - I'll plead guilty to that. If you define a virus as something that does harm then yes I do find many security programs as doing harm - they slow down my very old machines. There is also an other type of harm that the security does - it perpetuates the myth that you will get pregnant the instant that you log on if you don't use such and such a package.

So Yes I do feel proud to be able to say that I run 7 machines day after day and have never been infected ( Infected as defined by NOD 32, SuperAntispyware....... and many other on demand tests) over many years.

My daily work machine has a hardware firewall, Firefox, Returnil, Acronis Images and nothing more now for 8 months. If there is an anti virus program, anti spyware program that I can run on demand that will find any nasties I will try it.

This is not a macho, mine's bigger than yours, claim. I just get increasingly irritated by the claim that 19 layers of security are needed to check on my overdraft.

Enough IS Enough for many.

 

I only rarely used FD-ISR on one machine but when I do I just use throw away snap shots - A few minutes to make a copy - install new program, play for a while and then delete. Another snap shot is protected by Returnil - so I don't see any issue about Returnil not being able to be used for installations that require a reboot - just do it on a temporary snapshot.

 

From the perspective of having to reboot to install this and that program, all I can say is that some of you chaps must install an awful lot of software. I realise the issue does come up from time to time, but not on a major scale surely. I run Returnil and FD-ISR together with no problems, the only minor thing is that you can't "Boot to Snapshot" from a session lock, but this is a minor inconvenience.