Enough is enough

Discussion in 'sandboxing & virtualization' started by Franklin, Oct 13, 2007.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Sandboxie and Returnil are the two best security apps anyone can use. Oh well, according to me anyway!

    From SB's FAQ's:
    Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper.

    Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the times they get it right. But first the makers of these solutions must teach the solution what to look for on the paper, and also how to erase it safely.

    On the other hand, the Sandboxie sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the unchanged, real paper is revealed.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Very well said and an accurate analogy, I must say, Franklin. :thumb:

    How very true. I recently read in the AV forums where at some point in the future, even they are considering integrating either a sandbox of sorts or another form of virtualization to complement a better total solutions package for consumers/users. With that said, I also voiced my reservations regarding Suites, because if at any point something malicious or even some system conflict happened to disable such a multi-level program, ALL those defenses would go down together unless they fashioned some way for them to work independently of each other, which we all know doesn't exist ATM, if ever.

    More OT: The latest release of Returnil combined with Sandboxie on top of my FD-ISR snapshots almost makes me drool :p
    Not yet inclined to ever consider relieving my units of HIPS, because mainly they are as educational as protective, but that analogy you just made really does ring true as perhaps the best possible deterrent short of an image restore.

    And consider this: those apps you just mentioned are, in their respective current versions, pretty much as solid as any XP user will ever need for the life of their equipment, and can only get even better, if there is such an animal. :cool:
     
  3. Gene Benson

    Gene Benson Registered Member

    Joined:
    Apr 19, 2003
    Posts:
    26
    Just off the top of my head 2 scenarios:

    1. You receive one of those phony e-mails purporting to be from your bank, insurance company... telling you they need to get some personal information from you and providing a link to "their" website. Not suspecting a thing (obviously not a regular at Wilders) you follow the link and fill in the requested information, perhaps also providing them with your bank account and credit card numbers.

    2. While surfing you get infected with a keylogger. During this session you also purchase something online, filling in the requested information (name, address,...) and your credit card number. The keylogger happily records this information and sends it to some evil person who gladly makes use of it.

    In both of these scenarios neither Sandboxie nor Returnil will protect you. After a reboot or after emptying the sandbox the keylogger will be gone, but by then it is too late. The damage has been done.

    I admit that an informed user would not be deceived by #1 and the chances of #2 happening are slim, but both are real possibilities. As good as these products are they are not sufficient on their own, or even when used together.
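The "transparency over the paper" mechanism from Franklin's opening post, and the limit Gene Benson points out, can both be shown in one small model. The following is an added example written for this thread; it is not Sandboxie's code (the real product virtualizes file and registry access with a kernel driver), and the paths, file contents and "malware" actions are constructed for illustration:

```python
"""Copy-on-write overlay in the spirit of the 'transparency over paper' analogy.

Added example for this thread, not Sandboxie's own code. The dictionary
'base' stands in for the real disk, 'layer' for the transparency. All sample
paths and contents below are constructed.
"""
from dataclasses import dataclass, field

# Marker stored in the layer when a sandboxed program deletes a file that
# exists on the real disk: the deletion is recorded, the real file is untouched.
WHITEOUT = object()


@dataclass
class Overlay:
    base: dict                                   # the "paper": real storage
    layer: dict = field(default_factory=dict)    # the "transparency"

    def read(self, path: str) -> str:
        # The sandboxed program sees the layer first, then falls through to
        # the real file system. Reads are NOT hidden: real data is visible.
        if path in self.layer:
            if self.layer[path] is WHITEOUT:
                raise FileNotFoundError(path)
            return self.layer[path]
        if path in self.base:
            return self.base[path]
        raise FileNotFoundError(path)

    def write(self, path: str, data: str) -> None:
        # Every write lands on the transparency; base is never modified.
        self.layer[path] = data

    def delete(self, path: str) -> None:
        if self.layer.get(path) is WHITEOUT:
            raise FileNotFoundError(path)
        if path not in self.layer and path not in self.base:
            raise FileNotFoundError(path)
        self.layer.pop(path, None)
        if path in self.base:
            self.layer[path] = WHITEOUT   # hide the real file, do not erase it

    def listing(self) -> list:
        # What the sandboxed program sees: base plus layer, minus whiteouts.
        names = set(self.base) | set(self.layer)
        return sorted(n for n in names if self.layer.get(n) is not WHITEOUT)

    def recover(self, path: str) -> None:
        # The user deliberately copies one file out of the sandbox to the real disk.
        self.base[path] = self.read(path)
        self.layer.pop(path, None)

    def empty(self) -> None:
        # "Delete the sandbox": remove the transparency, reveal the real paper.
        self.layer.clear()


def demo() -> dict:
    """Run a hostile session inside the overlay and report what survives."""
    base = {
        "C:/Windows/System32/drivers/etc/hosts": "127.0.0.1 localhost",
        "C:/Users/me/Documents/notes.txt": "account number 1234",
    }
    ov = Overlay(base=base)

    # 1. Malware reads a real document. The overlay does not stop this; a
    #    keylogger or info-stealer can send what it reads out over the network.
    leaked = ov.read("C:/Users/me/Documents/notes.txt")

    # 2. It tries to persist: drop a DLL, hijack hosts, delete the notes.
    ov.write("C:/Windows/System32/evil.dll", "MZ...")
    ov.write("C:/Windows/System32/drivers/etc/hosts", "127.0.0.1 bank.example")
    ov.delete("C:/Users/me/Documents/notes.txt")
    hosts_seen_inside = ov.read("C:/Windows/System32/drivers/etc/hosts")
    visible_inside = ov.listing()

    # 3. The user deliberately recovers one download, then empties the sandbox.
    ov.write("C:/Users/me/Downloads/setup.exe", "MZ...")
    ov.recover("C:/Users/me/Downloads/setup.exe")
    ov.empty()

    return {
        "leaked": leaked,
        "hosts_seen_inside": hosts_seen_inside,
        "visible_inside": visible_inside,
        "base_after": dict(base),
        "visible_after": ov.listing(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Inside the session the program believes it has replaced hosts and wiped the document; after `empty()` the real disk holds only what it held before plus the one file the user chose to recover. Step 1 is Gene Benson's point in code: `read()` hands back real data, and nothing in the overlay governs what a sandboxed process does with what it reads or types, so confinement of writes is not confidentiality.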
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Chances are, if you are a clueless user, nothing will protect you.
     
  5. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I think we can all agree that #1 requires a level of stupidity that really rules it out. So how about #2? How do key loggers get on? As I have never knowingly seen one, I'm not sure exactly how serious the problem might be.

    Just a couple of thoughts though: (1) if a key logger gets on during a session when I am not going to my bank or credit card, it will be gone at reboot and not there when I log on for the next session, which reduces the probability even more. (2) If key loggers are of concern there are a number of account/password programs which will enter all details from secure storage without any keyboard keys being used - just a mouse. Or are there any mouse loggers? Perhaps that might make it difficult for the key loggers that get on during a bank/credit card session?

    Even with Returnil I still use a hardware Firewall, Firefox and have all mail delivered by a provider which removes spam and checks for nasties. Other than that no other security programs used. No Hips, No software firewall, no resident AV, or AS. I've only been running this way for 8 months so too early to tell.
     
  6. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Yes I suspect that is safe to say, since someone as clueless as to fall for that probably has never heard of either Sandboxie or Returnil.
    As for the second one, you should always empty the sandbox / reboot Returnil immediately prior to going to a secure site (i.e. bank / online payment), particularly if you do not have additional protection. I find this a good practice anyway.
     
  7. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    What if that payment/bank site is compromised? Happens often enough and might one day strike at any of you. It seems almost as if those without an AV feel proud to be without it, as if it's some kind of virus itself.
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    What if I'm doing productive work with my computer, instead of merely surfing for fun & games? I don't want to do productive work on a "transparency", right?

    For instance, let's say I am updating my websites & receive an email requesting reciprocal links to a certain site. Now I want to visit that site to see if it's worthy of a link. Do I switch to DeepFreeze's frozen mode before visiting the site, then afterward switch back to thawed again so my work doesn't get lost? Bloody inconvenient doing all that when I'm trying to get some work done.

    When I work, I choose to work "thawed" all the time, & I sometimes must do *risky* actions in conjunction with that work.

    Bottom Line- Sure, I use DeepFreeze & Image for DOS. It would be foolish not to. HOWEVER, I'm not quite ready to drop DrWeb, or SSM, or Asquared. Ergo, the inference that Returnil/Sandboxie are all the security anyone needs is rather too narrow, I think. If the inference was unintentional -- my apologies-in-advance for mis-interpreting.
     
  9. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,912
    I love Sandboxie and have it configured to save my Firefox bookmarks and to update my Adblock Plus filters; granted, I guess this is a breach of the sandbox. I still haven't installed Returnil since it would require reboots (which are questionably hard on your system) to install anything, or am I misunderstanding this program?
     
  10. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I share your enthusiasm for both programs. They seem to give you an advantage against the bad guys for the time being. Programs like these came about because normal anti-whatevers couldn't keep up with the malware writers. I too still wouldn't drop my usual protections, but I think I see how some users or certain changes could be made so it could be done fairly safely. Sandboxes and Virtualization are the future.

    Ratchet, you can turn Returnil's protection on at any time 'on the fly' without a reboot. There is also an option to run Returnil's protection all the time. The only time you need to reboot in Returnil is when you want to turn protection off or reboot to 'clean' changes. I hope that makes sense.

    innerpeace
     
  11. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,912
    Innerpeace, what I mean is, I want to save a new favorite in Firefox or I want to update to the newest version of say Picasa. Wouldn't I have to reboot to get out of the Returnil protection. As you know, with Sandboxie you just download the file while sandboxed and then recover it. I see the security advantage of Returnil but it just seems inconvenient compared to Sb.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It's a good practice to do online shopping/payments/banking from a clean browser session (emptied sandbox, reboot-to-restore, clean image, LiveCD)
     
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi again and sorry, I misunderstood you. I honestly only use Returnil when I go to unsafe or new places or when I want to try a new program that doesn't need a reboot to install. If you wanted to run Returnil's protection all the time you would need to move/store Firefox's profile to Returnil's VP or an alternative partition. Remember, Returnil only protects the System partition, usually C:.

    Assuming you're using protected mode all the time: if you wanted to update or install a new version of a program with Returnil's protection enabled, it would first have to be downloaded to the VP or the alternative partition so it would survive the reboot. Then you would have to turn off Returnil's protection by rebooting. The data would be safe because it is in the VP or alternative partition and not in the protected system partition. Install your new program with protection off and then turn on protection after installing if you wish.

    Ideally, Returnil would work very well if you completely separated Windows and your programs on your system drive C: from your documents/data (like your FF profile) on another partition. That is above my head and seems quite a task to accomplish. It seems even harder as there are constant updates and upgrades from many of the programs I have installed. I think that is why a bunch of us update everything after powering up our machines and then turn on Returnil's protection manually.

    If I turn on Returnil's protection, it is because I'm doing something that I expect to be reversed upon reboot. It doesn't matter if I'm browsing the dark side or installing a media player or browser I want to try. Returnil is my last line of defense. I still expect my other layers to function, but Returnil has the final word. I hope this helps.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Quick question with Returnil. What does the virtual partition do?

    If it does what I'm guessing it does (a storage area created specifically to store files you don't want to get reversed upon reboot), is it required if you have already manually created a separate partition?
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    No, it isn't required :)
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Thanks.
     
  17. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    "(a storage area created specifically to store files you don't want to get reversed upon reboot)" :thumb: That is accurate. And no, it is not required when installing. You can save data anywhere else but the Returnil protected system partition like an alternative partition, thumb drive, cd/dvd, external hard drive. When mounted the VP is just like any other partition. You can move files to and from it at will. You can do the same with an alternative partition. The advantage of the VP is you can make it portable (take it with you) and use it on other machines that have Returnil installed.

    This is taken from the help file.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    After re-installing my computer, I have

    - 5 clean images for restoration only
    - 2 clean archives for restoration only
    These give me my clean computer back and were the only reason, why I re-installed my computer from scratch,
    You can't create such images after being on-line too long.
    These are the ones, I only trust.

    - 1 off-line snapshot
    - 1 frozen on-line snapshot
    These let me do my job and hobbies, especially my off-line snapshot.

    - 1 daily image
    - 2 daily archives
    - 1 daily freeze storage
    These are for daily backup/restore, but I consider them as possibly infected in theory, because security software can't be trusted, it fails too much.
    My freeze storage is supposed to correct the failures of my security softwares.

    No Returnil yet, because Returnil can't handle installations of new software that requires a reboot.
    FDISR can handle this, because it has an actual and previous freeze storage.
     
  19. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi Erik, how much time and money do you have in your setup? Most users can secure their computers for free. Nothing can be trusted 100%, but we can all get close. I don't have FD-ISR or even an image, but I bet both of our security is close to 99%. After all, we are just limiting the window of opportunity that the bad guys have. We are talking 1/10s or 1/100s of a percent difference here. If I'm being naive then please educate me. My setup is based on help from others and I'm always willing to learn. That's why I am here :D .

    How do either one of us know if we are infected? I know the steps you have taken by other posts like offline installs, downloading from trusted sites, but nothing is 100%. I'm no expert so I scan with many different types of scanners regularly and find nothing. Trust me, I would love to have FD-ISR and a big external drive to play around with and I do see the advantages. It is not necessary though. Heck, neither is Returnil. Returnil, Sandboxie and FD-ISR each have their individual bright spots, but all serve their purpose and their users well. They are extra layers that are different and nothing else.

    We all have our favorites, budgets and different uses of our computers. For the money, it's currently hard to beat a free setup with an image which also can be had for free nowadays. I'm speaking about the average user and not a machine for business purposes.

    FWIW, I would love to have Pete's setup, with Easter's extra hard drives and your knowledge. I'll get there one day if I still enjoy this hobby, but I do currently have a 'close to' secure computer to the best of my knowledge. Your setup just has more depth. If we're constantly striving for perfection that doesn't exist, we may miss the 'fun' that is happening now :).

    Cheers, innerpeace
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, nothing is 100%, Mrkvonic considers even Windows as spyware.
    If members start reasoning like this, I don't feel the need to discuss this any further. I'm not going to defend myself and certainly not in a foreign language. :)
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Greets Always innerpeace.

    If you can find any local PC shops around that aren't profit heavy then you're in a fairly good position to pick up used hard drives like I did this past year. Even flea markets or a yard/garage sale occasionally put up on the table a maybe lousy looking neglected PC, but inside that heap box all I want is the HD and whatever else might be salvageable. You can do the same, but it is sometimes risky; like recently I shelled out 35 greenbacks for a used 80GB Maxtor that after getting it home and plugged in, the HDD Regenerator program showed "BAD" sectors and even reallocating them didn't help :( . I returned that one for another, this time an 80GB used Western Digital, and those results were even worse :oops: as in "click" "click" "click". So when I went to return it they told me nothing was wrong with that drive but it must be my cable, Pffffffttt. I did manage to get a CD boot test done on it and it was exclamation point RED! as in toast too.
    I insisted, of course :mad: they must replace it and so this time they gave ME the choice of selecting and I found of all things a pretty clean 2003 Hitachi :rolleyes: 80GB that I'm using right now to reply in this post.

    Some small shops like this one are so overloaded with business that they just don't have the time to really analyze in-depth whether Hard Drives are reusable or not, they just stack them up and at times even toss them out when they might be perfectly fine after a good sanitize. LoL
     
  22. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Are you suggesting that rebooting might be "bad" for a system ?

    Also re Firefox - you can move the Firefox profile to another partition or drive. Returnil just "freezes" C:
     
    Last edited: Oct 14, 2007
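Both innerpeace (post 13) and Long View (post 22) rely on moving the Firefox profile off the frozen C: partition. The following is an added example, not Returnil's or Mozilla's own code: it edits profiles.ini the way Mozilla documents (IsRelative=0 plus an absolute Path) and checks which drive the profile ends up on. It assumes the profile directory has already been copied to the new location; the sample profiles.ini and drive letters are constructed.

```python
"""Relocate a Firefox profile off the Returnil-protected system partition.

Added example for this thread, not Returnil's or Mozilla's code. Uses the
documented profiles.ini mechanism: IsRelative=0 and an absolute Path. The
sample profiles.ini, the AppData path and the target drive are constructed.
"""
import configparser
import io

# Constructed sample, shaped like a 2007-era profiles.ini under
# %APPDATA%\Mozilla\Firefox. Path is relative to that directory.
SAMPLE_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1
"""


def _parse(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep IsRelative/Path capitalisation as Firefox writes it
    cp.read_string(ini_text)
    return cp


def _find_section(cp: configparser.ConfigParser, profile_name: str) -> str:
    for section in cp.sections():
        if section.startswith("Profile") and cp.get(section, "Name", fallback=None) == profile_name:
            return section
    raise KeyError(f"profile {profile_name!r} not found")


def profile_location(ini_text: str, profile_name: str, firefox_appdata: str) -> str:
    """Absolute directory Firefox would open for the named profile."""
    cp = _parse(ini_text)
    sec = _find_section(cp, profile_name)
    path = cp[sec]["Path"]
    if cp[sec].get("IsRelative", "1") == "1":
        return firefox_appdata.rstrip("\\/") + "\\" + path.replace("/", "\\")
    return path


def relocate_profile(ini_text: str, profile_name: str, new_path: str) -> str:
    """Return profiles.ini text that points the named profile at new_path."""
    cp = _parse(ini_text)
    sec = _find_section(cp, profile_name)
    cp[sec]["IsRelative"] = "0"
    cp[sec]["Path"] = new_path
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)   # Firefox expects Key=Value
    return out.getvalue()


def on_partition(path: str, drive_letter: str) -> bool:
    """True if a Windows path lives on the given drive letter (e.g. 'C')."""
    return path[:2].upper() == drive_letter.upper() + ":"


def demo() -> dict:
    # Constructed XP-era AppData location; Returnil freezes C: only.
    appdata = "C:\\Documents and Settings\\me\\Application Data\\Mozilla\\Firefox"
    before = profile_location(SAMPLE_INI, "default", appdata)
    new_ini = relocate_profile(SAMPLE_INI, "default", "D:\\FirefoxProfile")
    after = profile_location(new_ini, "default", appdata)
    return {
        "before": before,
        "before_frozen": on_partition(before, "C"),   # changes lost at reboot
        "after": after,
        "after_frozen": on_partition(after, "C"),     # False: bookmarks now persist
        "new_ini": new_ini,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the profile on D:, bookmarks and filter-list updates survive a Returnil reboot without turning protection off. The trade-off is the one this thread keeps circling: anything a hostile page manages to write into that profile (a dropped extension, poisoned cookies, a modified prefs file) now persists too, so the profile directory is exactly where the remaining scanners should look.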
  23. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Yes - I'll plead guilty to that. If you define a virus as something that does harm then yes, I do find many security programs as doing harm - they slow down my very old machines. There is also another type of harm that the security does - it perpetuates the myth that you will get pregnant the instant that you log on if you don't use such and such a package.

    So Yes I do feel proud to be able to say that I run 7 machines day after day and have never been infected ( Infected as defined by NOD 32, SuperAntispyware....... and many other on demand tests) over many years.

    My daily work machine has a hardware firewall, Firefox, Returnil, Acronis Images and nothing more now for 8 months. If there is an anti virus program, anti spyware program that I can run on demand that will find any nasties I will try it.

    This is not a macho, mine's bigger than yours, claim. I just get increasingly irritated by the claim that 19 layers of security are needed to check on my overdraft.

    Enough IS Enough for many.
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I only rarely use FD-ISR on one machine, but when I do I just use throwaway snapshots - a few minutes to make a copy - install new program, play for a while and then delete. Another snapshot is protected by Returnil - so I don't see any issue about Returnil not being able to be used for installations that require a reboot - just do it on a temporary snapshot.
     
  25. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    From the perspective of having to reboot to install this and that program, all I can say is that some of you chaps must install an awful lot of software. I realise the issue does come up from time to time, but not on a major scale surely. I run Returnil and FD-ISR together with no problems, the only minor thing is that you can't "Boot to Snapshot" from a session lock, but this is a minor inconvenience.
     