Enough is enough

Discussion in 'sandboxing & virtualization' started by Franklin, Oct 13, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Couldn't help smiling. Just for grins yesterday I installed both my AV and AS programs and did complete scans - nothing. Then I used FDISR to "uninstall"

    What I am doing seems to work, but as always I think you have to understand each piece of software and its limitations.

    If by my setup, you are referring to the disk drives, and space. For me time is money to a large degree, and while I can conserve image space by using differentials, they take longer. Extra disk space saves me time, so it's worth it.

    As to rebooting causing wear and tear, maybe, but I've not seen evidence of it. My newer machine which I use for lots of the testing sometimes gets rebooted many times a day. Never seen evidence of a problem.

    Cheers,
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Right :)
    When you learn how malware is installed, you see that safe computing will deal with the vast majority of malware. Yes, a trusted site may be hacked with an unknown 0-day exploit and you may visit it before it's cleaned. How big is that possibility?
    Do this check:
    - Do you have inbound protection (router, XP firewall, third-party firewall)?
    - Is your mail checked for spam/viruses at your mail provider?
    - Do you only open really solicited mail from really trusted addresses?
    - Do you read your mail as only text?
    - Do you use P2P safely (only for media and documents from trusted servers/trackers)?
    - Do you use up-to-date software (OS, browser, media players, document viewers, mail client)?
    - Do you have hardware DEP enabled (at least configured as OptOut)?
    - Is your browser (preferably a third-party one with options to whitelist content on a per-site basis) configured properly?
    - Do you install only trusted software (with prior research), download them from trusted sources, check their digital signatures/checksums (if provided) and read their EULAs?
    - Do you check attachments and installers at Jotti/Virustotal and/or with your malware scanners?
    - Do you isolate the OS core from the applications using LUA/HIPS/sandbox?

    Also:
    - Do you fall victim of ads which say that you're infected (rogue antispyware)?
    - Do you install codecs from obscure sites to watch some video (Zlob/DNSChanger)?
    - Do you get fooled by ecards, hoaxes and fake news (Nuwar/Storm/Zhelatin)?
    - Is Britney.avi.exe (300 KB) a valid movie?

    Don't forget this
     
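Two of the items in the check list above can be turned into small defender-side helpers: spotting a "Britney.avi.exe (300 KB)" style attachment before it is opened, and checking a downloaded installer against the checksum its vendor published. The code below is an added example written for this thread, not something posted by lucas1985 or shipped by any product mentioned here; the extension lists, the 1 MiB "too small to be a movie" threshold and the sample file names are constructed assumptions.

```python
"""Added example (not from the thread): two checks from the post above as code."""
import hashlib
import hmac
import os

# Extensions a user expects to be passive content (constructed lists; extend as needed).
MEDIA_EXTS = {".avi", ".mpg", ".mpeg", ".mp4", ".wmv", ".mov", ".mp3", ".wav"}
DOC_EXTS = {".pdf", ".doc", ".xls", ".ppt", ".txt", ".rtf", ".jpg", ".gif", ".png"}
# Extensions Windows will run when double-clicked (constructed list, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
             ".js", ".jse", ".hta", ".wsf", ".lnk"}

# Assumed threshold: a "movie" smaller than 1 MiB is not a movie.
MIN_PLAUSIBLE_VIDEO_BYTES = 1024 * 1024


def assess_attachment(filename, size_bytes):
    """Return a list of reasons the attachment looks suspicious (empty list == nothing flagged)."""
    reasons = []
    base = os.path.basename(filename).strip().lower()
    parts = base.split(".")
    if len(parts) < 2:
        return reasons  # no extension at all: nothing to judge by name alone
    final_ext = "." + parts[-1]
    # strip() on each inner part catches padding tricks such as "movie.avi      .exe",
    # where spaces push the real extension out of view in a file dialog.
    inner_exts = {"." + p.strip() for p in parts[1:-1]}

    if final_ext in EXEC_EXTS:
        reasons.append("executable: ends in %s" % final_ext)
        claimed = inner_exts & (MEDIA_EXTS | DOC_EXTS)
        if claimed:
            reasons.append("double extension: %s hidden before %s"
                           % (", ".join(sorted(claimed)), final_ext))
        if inner_exts & MEDIA_EXTS and size_bytes < MIN_PLAUSIBLE_VIDEO_BYTES:
            reasons.append("implausible size: %d bytes is too small for the media it claims to be"
                           % size_bytes)
    return reasons


def verify_checksum(data, expected_hex, algorithm="sha256"):
    """Compare the digest of downloaded bytes with the value the vendor published.

    Comparison is constant-time and case-insensitive, so a copied-and-pasted
    upper-case hash from a web page still verifies.
    """
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample attachments: (name, size in bytes).
    samples = [
        ("Britney.avi.exe", 300 * 1024),
        ("holiday.avi", 700 * 1024 * 1024),
        ("report.pdf    .scr", 48 * 1024),
        ("setup.exe", 5 * 1024 * 1024),
    ]
    for name, size in samples:
        verdict = assess_attachment(name, size)
        print("%-22s %s" % (name, "; ".join(verdict) if verdict else "nothing flagged"))

    # Constructed download: the bytes b"abc" and their well-known SHA-256 digest.
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print("checksum matches:", verify_checksum(b"abc", published))
```

Note that `setup.exe` is only flagged as "executable", which is the honest answer: a plain installer is not suspicious by name, and that is exactly where the other items on the list (trusted source, signature, research before installing) take over.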
  3. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Been running Returnil and Sandboxie for more than a month now with no problem.

    Running it with CHX-I and FProt6, no other HIPS installed. I think it's pretty much a set-and-forget setup.

    Am trying out OA free at the moment though, with Program Guard disabled and all incoming allowed [I have CHX-I :)].
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A very similar setup here:
    No reboot-to-restore here. I don't like the concept, but that's just me.
    GeSWall free.
    Jetico 1 (firewall w/some HIPS functions)
    Antivir PE Classic on-demand here
    Agreed :)
     
  5. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    No need to defend yourself, most of my post was complimentary. At least I thought so. I'm just saying FD-ISR and the extremes you go to are not necessary to have a secure computer. Nobody questions your knowledge about imaging and ISR programs. Sandboxie or any sandbox program with the suggestions that lucas posted are all that is needed.

    @ Easter, thanks for the information. I can find 2 different 250 GB external hard drives for $75 now. Instead, I'm leaning towards getting a good external enclosure so I can pick up multiple drives to play around with. Gotta have more toys Lol. Thanks for the suggestions and I will keep them in mind for sure :).

    I meant I like the versatility you have in playing with new software or betas. My security is a bit similar to yours, but the depth you have with your snap shots and images is much greater. The same can be said about Erik's setup. Your setup just makes sense and seems efficient. I need to learn more about HIPS though.

    @ Lucas, good post and you've reminded me that I need to read the link that you posted. I have been putting it off for months now. I've been spending too much time here at Wilders :D . I can say I do all the things in your check list. Plus I've added immunizations with a Hosts file and 2 other programs.

    Thanks all,
    innerpeace
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Then relax and enjoy the web, while keeping an eye on emerging threats and the discussions at Wilders ;)
    If you've played a bit with Linux/Unix, you'll notice that almost all the items in the check list are OS-agnostic.
    You can have as many layers as you want, if you follow these steps:
    - You understand what each layer can and can't do.
    - You can manage the prompts/decisions thrown at you by a given layer
    - Check if there's overlap between layers. This is key to ensure a stable machine. Nowadays, security apps include too many features, which cause overlap.
    - Don't use layers which slow down the machine.
    That's a topic which merits a thread of its own: how to harden the OS core against commonly exploited vulnerabilities without crippling the OS itself. It's another layer of protection, a layer which doesn't consume resources, but it may cause trouble.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Glad to share some hopefully useful ideas. A new HD as budget permits in time is a very worthwhile investment of course, and for that matter so are new memory modules, but it sure doesn't hurt to collect some (discount) used extra hard drives and make them useful again, which you can use either as storage facilities or for testing apps/configs on; like I prefer to store Paragon images (at least a pair) and since they're compressed, they really don't soak up too much space at all.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What is extreme about re-installing my computer from scratch off-line? Any user/vendor has done this at least one time. That is not extreme, that is normal.

    What is clean?
    As long as I use legitimate software to install my computer off-line, I consider my computer clean, including the images I've taken during that time.
    Legitimate software spies on us too, but not with malicious intentions, and I don't care about that, because my government, my bank, my supermarket, ... spy on me too.

    I have 5 clean basic images to (re-)create my system partition:

    A. WinXPproSP2A.spf = WinXPproSP2 + WPA + WGA
    That image allows me to (re-)install Windows without doing it manually anymore. SP restores that image in less than 1 minute, which is better than a manual install of 60 minutes (= waste of time).

    B. WinXPproSP2B.spf = WinXPproSP2A-image + all common snapshot software.
    That image contains all the software I use in my off-line and on-line snapshots.
    So I don't have to re-install this software anymore when I want to rebuild
    the images of my off-line and on-line snapshots.
    All this software is configured and knows where to store its data on my Data Partition.

    C. WinXPproSP2C.spf = WinXPproSP2B-image + all off-line snapshot software + FDISR
    That image contains all my off-line snapshot software + FDISR with only one snapshot. That is the snapshot I use for doing my job and hobbies in absolute silence and without any internet troubles.

    FDISR allows me to create a clean archive of my off-line snapshot.
    That archive allows me LATER to clean my off-line snapshot.

    This archive doesn't clean infections, because it's an off-line snapshot, but it cleans all the junk objects (registry, folders, files, ...) created by the software while it is doing its job.
    Other users use registry cleaners and other cleaners; I don't.
    I do one copy/update from archive to snapshot and my off-line snapshot is clean.

    Cleaning software doesn't clean your computer completely, because it doesn't know what needs to be cleaned for EACH EXISTING piece of software; that is impossible.
    Only ISR software cleans your computer completely, in my case FDISR.

    D. WinXPproSP2D.spf = WinXPproSP2B-image + all on-line snapshot software + FDISR
    That image contains all my on-line snapshot software + FDISR with only one snapshot.
    FDISR allows me to create a clean archive of my on-line snapshot.

    That archive allows me LATER to clean my on-line snapshot, including any malware that changed my harddisk.
    I use a frozen on-line snapshot, but that is just a matter of convenience. Experienced FDISR users know that a frozen snapshot is nothing but an automatic copy/update from archive to snapshot, which can also be done manually. So there is nothing special about a "frozen snapshot".

    E. SYSTEM.spf = complete and clean system partition, based on C. and D.
    I'm not going to explain how I create this image; only FDISR users would understand it. It's just a matter of putting things together, nothing but mouse-work.

    I keep all these images on my off-line external harddisk and on DVDs.
    As long as nothing happens, I don't need these clean images, but when it does I only have to restore SYSTEM.spf and I'm back in business with a clean computer without junk objects, without malware and working properly.

    Of course it took time to create this, but I have to do it only one time, and after that I can re-use these images as many times as I want to save my computer or do experiments of any kind and create other images for experiments.

    With such a collection of clean images, I don't need to worry about anything anymore, except HARDWARE VIRUSES.
    I'm not worried about malware, like Killdisk, that destroys the contents of my system partition. That's peanuts.
    My "WD Zero Tool" does a better job than KillDisk, it zeroes my harddisk completely as if it was a new harddisk.
    I only have to restore my SYSTEM.spf and I'm back.


    Once I go ON-LINE, month after month, and I have to depend on my security software to protect me, then I consider my computer as possibly infected due to:
    - malware that passed through my security softwares
    - malware that wasn't detected and removed
    - my wrong decisions
    - my wrong judgements
    - my mistakes

    Well, then I prefer to restore my clean SYSTEM.spf to get my clean computer back, and I can do this at any time: every day, every week, every month, ...
    Do you have such a clean image? :)
     
  9. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    No, I have only a system restore partition and the system restore disks that came with my now two year old e-machines with OEM XP SP2 pre-installed. Up until last year at this time I was running NIS 2006 with Spybot and ad-aware as my 2 on-demand scanners. I didn't know what a HIPS or Sandbox was much less a virtualization program.

    My last hardware purchase was a router and a stick of RAM. I've spent a lot of time here at Wilders and 2 other forums reading and the programs I have in my signature indicate that I'm doing pretty well compared to a year ago. I'm trying to paint a picture of the obstacles and money I would have to spend to have your setup. e-machines wouldn't even let me get a copy of Windows so I would either have to make my own copy or buy a new one. Then I would have to get FD-ISR and a 2nd hard drive for storage. I actually have plans to get a 2nd HD soon along with a cd/dvd burner (mine quit burning properly). All of that would be a fortune to me as a home user.

    For the money though, it is hard to beat running Sandboxie for a good security layer that protects the average user. Maybe if FD lowers their price to $25, then it would be a no brainer. Perhaps they will have a sale :). For now, it is just a luxury to a home user and perhaps a necessity to a savvy business owner or software tester. It is definitely very cool for a piece of software :thumb:. It's just out of my reach for the time being.

    I did learn something from your post I have been wondering about.
    Your setup is well thought out. You have spent a lot of time perfecting and testing it. While you were doing that, I was spending my time learning about security software. With my setup, it was a necessity, I'm sure you can agree with that. For me, it is practical just the same as your setup is practical to you. I can only work with what I have, so that's what I do.

    innerpeace
     
  10. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    innerpeace, FD-ISR is certainly a neat program BUT hardly essential. You say you have a router? I assume that means a hardware firewall as well? If so I'm curious why you are saying that "with my set up, it was a necessity", "it" being security software?

    If you or others want to run security software then fine. If Erik sees FD-ISR as enough then also fine. To me it is really all largely unimportant. Using a hardware firewall and Firefox (no scripts) + a good deal of common sense (don't open attachments from strangers, don't go looking for illegal software etc.), then I would argue that it is very difficult to get contaminated. I really don't expect to see Killdisk 7 on the Bloomberg site or to get a mythological hardware virus that is going to eat my RAM or ......... and if I did ever get something this damaging I doubt if any current AV, AS or HIPS would be much use against such a wonder bug.
     
  11. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Yes, it's just a wired NAT router. Yes, both the router and security software are a necessity, that is until I understand the truths. I've been told to layer up, so that's what I did. Now, I'm at the point where I'm slowly peeling back the layers and looking at alternative solutions. I'm slowly evolving with further knowledge and the realization that the "what if's" are rare.

    I agree! Also, what works for one person may not work for another. What's fun is learning about all the different ways people here at Wilders secure their computers. You're able to trust Firefox because of your knowledge. If I knew more about the threats, I would have more faith in it myself. Until then, I trust and have faith in those that have the knowledge and tell me to run Firefox. I also know I can trim down the proggies in my sig. The only reason I'm running a few of them is because I won them. They don't seem to conflict, so I use them. I would actually feel comfortable with my router, OA2, Firefox (NoScript) and Sandboxie.

    innerpeace
     
  12. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    I wholly agree with this approach; one man's solution will not necessarily be the best for another, as we run different applications and have different surfing habits, etc. I think it's just a case of looking at what is discussed on places like Wilders and deciding for yourself what you feel comfortable with. Not that long ago it seemed the objective was to get as much security as would run together on one computer. Now we seem to have come full circle, where most interest is generated by those who run the least amount. That's not to criticize either approach; PCs are almost as individual as people with the combos of applications installed and activities undertaken. At the end of the day, the user has to live with his selection, and it has to function to his satisfaction and instill him with confidence in its security.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I agree that Sandboxie is a great tool, but personally I don't think that virtualization is necessary per se; HIPS that restrict apps via policies (without virtualization) will also do the job. And Returnil has never been interesting to me since I hate rebooting my machine, so I never really understood the whole appeal.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    There is definitely a good case to be made on the benefit of NOT having to reboot and yet enjoying the freedom to install software which otherwise demands a restart, as well as dumping changes without any reboots needed.

    If only they can eventually accomplish this inside a virtual environment.

    Another interesting approach according to a recent somewhat related post made by Peter2150 in one of his replies, or was that Blue, is that StorageCraft's ShadowUser can carry changes across a reboot keeping within a shadowed session.
     
  15. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    The appeal to me is that I get to decide when and how C: changes. Returnil or DeepFreeze 6 are always on, on my machines. Just now Firefox has advised that 2.0.0.8 is available and it thinks that it has updated. When I reboot I will be back to 2.0.0.7 until I decide to make the change. Nothing would get me to go back to an unfrozen C:. Almost every session I find that I'm downloading and making temporary test changes; I make mistakes which don't matter any more. No need for any anti-spyware programs or anti-virus to be loaded - just load a program every so often - confirm that everything is OK - reboot and the program is gone. How about defragging? Reboot and you are back to a well defragged machine.

    Now when it comes to my wife and sons -- no longer having to waste hours putting right the damage only they could do.

    For me Returnil and or DeepFreeze are more than enough.
     