Is virtualization the most ideal protection?

Discussion in 'sandboxing & virtualization' started by rOadToIS, Dec 24, 2008.

Thread Status:
Not open for further replies.
  1. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    How many and which? Have you reported these to Ronen Tsur, the developer?
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't think you read my post clearly, not that it matters too much because the OP got their answer through all of the posts made here. SandboxIE DOES only differ slightly in virtualization. I specifically said there were configuration differences, therefore different protection. I also said damage could be undone by Returnil, but prevented by SandBoxIE. People need to get off the data theft thing, because if that kind of data is stored on a computer, and one that is exposed to the internet, then you are basically ASKING someone to steal it. By the way, SandboxIE is nowhere near a "HIPS-type virtualizer".

    To the OP: SandboxIE+Noscript with Firefox will 99.999% destroy any chance that REALISTIC scenario malware causes you problems. If you want to get into any of the "theorycraft" that gets way too much attention here sometimes, be my guest. But if you want a realistic outlook of protection, image your system, don't store data on it that is valuable, and use Noscript and SandboxIE.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    He needn't bother. I downloaded and ran it myself (it's a Win32 trojan named Antivirus 2008, which my AV has caught and killed before anyway). Here's what happens:

    1. My AV flags it with sirens blaring the moment it's unzipped. And to even attempt to install required shutting the AV off.

    2. Inside SandboxIE it wouldn't even execute. Probably my config.

    I also see through SandboxIE's forums this has not been reported. So if you want to see these "holes" plugged up, report it, if they actually exist.

    Edit: Interesting note, Avast does NOT detect until the file is unzipped, nor does SAS/MalwareBytes say anything.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Ok, I tried this malware again. It's named "Spyprotector/Antivirus 2008". It's a .exe; again Avast jumps on it, but ONLY once unzipped, and neither SAS nor Malwarebytes detects anything, unzipped or not. I:

    A. Shut down Avast

    B. Turned on Returnil (I'm not stupid)

    C. Ran the .exe inside a default config of SandboxIE.

    Results: "Failed to download", over and over again. So, until this thing actually runs, I don't believe SandboxIE has "a bunch of holes". If somebody else wants a go, PM me and I'll give the download site and MD5 to search for. I give up.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    DefenseWall blocks this one dead too, blocking its driver installation :thumb: also Antivirus 2009 :thumb:
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Ahh, well, that pretty much ends that little worry :)
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    lol:D
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    When testing rogue apps here, after deleting the contents of the sandbox the rogue's taskbar icons remain until you place your mouse pointer on them, then they disappear.
    AV 2009.jpg
    AV 360.JPG
    Extra Antivir.jpg
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Never could get that far with the install. Was there anything actually still installed? Or was it a possible visual bug? I ask about visual bugs since if anything was actually still there, surely hovering your mouse over it wouldn't get rid of it.
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Some rogues have several morphed installers where some will run sandboxed and others won't.

    Apparently some of the zlob family are VM aware and won't run?
    Malwarebyte's Forum

    No, after deleting the sandbox contents it is completely empty; seems it's just the way Windows works?

    Happens in XP and Vista.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, the one I got sent to must have seen SandBoxIE and scrammed, lol.
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm about to take my possibility of an apology in another thread back. TechOutsider, your views are all over the place, and seemingly in the same 24 hour period. I'm a very confused person, lol.
     
  14. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    If protecting bank details is "the" concern then just use Roboform or similar. Even though SB can protect data, virtualization per se is not intended to prevent data theft.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Tested all the below (your) samples sandboxed, with all of 'em easily contained and deleted here.

    In fact I had to use a less secure sandbox in order for them to even execute. ;)

    Samples.jpg
     
  17. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    Is virtualization the most ideal protection?

    In terms of protection: Yes!
    In terms of usability: NO!

    When virtualized you are protected against most malware/viruses and such (maybe not keyloggers).

    The downside of virtualization is that your computer has lost its usability unless it's a public computer. A personal computer has many folders to be excluded, such as documents, pictures and videos, and you might exclude some settings folders inside the AppData folder or Program Files to prevent the changes you made from being reset after reboot.

    In the end you have excluded so many folders from being virtualized, virtualization itself becomes useless.

    Because of this, virtualization is only useful for people at work, public computers and security geeks (no offense).

    On a personal computer you might be better off with Sandboxed Browsing, Anti-virus/Spyware, Firewall, HIPS, Common sense and Firefox with extensions such as Noscript.

    That's my opinion.
     
  18. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Miyasashi

    apart from the 2 extremes, (1) only virtualization or (2) loads of A/V, A/S, HIPS...

    how about (1) using virtualization for general surfing (no need if going to places believed to be "safe") and (2) basic minimum protection the rest of the time?

    The dangers faced by most PC users are greatly overstated. A decent firewall (I prefer hardware) and Firefox + NoScript are more than enough.
     
  19. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    Well I am surfing Sandboxed so I don't need Shadow Defender or Returnil for that.

    I have Avira Antivir and Firefox w/ Noscript, Router with Firewall and SuperAntiSpyware on demand.

    Nothing special but should work out fine, I could use HIPS or some behaviour blocker possibly.

    But I have common sense and start every untrusted executable with Sandboxie.

    So there are only a few ways to get viruses/malware:
    1) Via usb-drives (highly unlikely to happen)
    2) Via executables downloaded from the internet
    3) Via scripts but blocked by Noscript unless I allow scripts to be run.
    4) Stupidity =D

    I am very rarely hit with malware/spyware but I always like it bigger, faster stronger!! ;)

    I am thinking of getting DefenseWall since I heard some good things about it; trialling it at the moment .. it doesn't offer many functions but from what I read it must be pretty good.

    Malware Defender would've been nice but it crashes =/
     
  20. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    If you prefer to use Sandboxie to a virtualizer, a lot of people do, and probably that's the best way to browse.

    I disagree, basically it is not true that one has to exclude many folders simply because you fail to mention the possibility to commit folders in real time while in shadow mode. In my experience shadow mode is also a way to keep my computer in top condition as with a reboot everything is returned to its original state, except of course for whatever had been committed to disk. Besides, if I'm not connected to the internet, and need to do extensive work with my computer I certainly won't enter into a shadow session.

    Attached is my exclusion list that I have used also with ShadowUser for almost 4 years.
     

    Attached Files:

  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't understand how virtualizing folders would make a system useless. In both SBIE and Returnil, any changes you WANT to keep can be kept, and it reverts changes you don't want, like malware. Your system acts exactly the same way it would without virtualization; it simply deletes any changes made to the system. And, again, those changes can be saved. I'm seeing more and more examples showing people don't quite yet understand virtualization technology, and that lack of knowledge is keeping them from using what very well could be the most powerful security available.
     
  22. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    I recently clean-installed my computer and installed everything I need, so I don't really download new programs ... just updates for existing ones.

    I am running Firefox sandboxed with Noscript and Adblock Plus and Avira Antivir (With guard on) and SuperAntiSpyware (On-Demand).

    I have to be careful what I install, but like I said I am very rarely hit with spyware/viruses in the past few years.



    I never mentioned the system would be rendered useless, I only implied that when excluding folders the effectiveness of the program is lower than when not excluding anything.
    For example: the user above you excluded the Avira folder; some malware/viruses are targeted at anti-virus programs. It could be malware you don't notice; what if you turn off Shadow Mode after? It could be messing up your computer.

    It will most likely not happen, but that doesn't mean it can't happen.


    My opinion:
    Virtualization is most effective when not excluding anything at all, but for a home-user it's hard to not exclude anything. Care to disagree?
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Actually, yes, I do care to disagree. Virtualization is LESS effective when nothing is excluded. If nothing is excluded, then malware can get to those personal folders. It doesn't matter if they can do any permanent damage or not, they can still get to it. Which is why you have configuration options. How is it hard for a home user to not exclude anything? That doesn't make sense, it would be EASIER to not exclude things, and less safe. This is yet another example of not understanding virtualization and how it works.

    All you have to do is spend less than 5 minutes scanning the help section of SandboxIE and other virtual apps, and you'll see that you can not only keep life simple and your work uninhibited by setting these apps up to keep bookmarks, downloaded files, whatever, but you'll also stay safe. If nobody is going to spend that less than 5 minutes understanding what these apps do and don't do, and how you can stay safe and still get work done, then no amount of advice from here or anywhere else is going to help.

    This is what, the second, 3rd thread about virtualization in the last few days? And with every post almost, these apps somehow get harder and harder to use. I'm not trying to be rude to anyone, but there are some here that are complicating this stuff way, way too much, and confusing the hell out of the newer people asking about this stuff lately. Let's drop the theorycraft and get back to basics guys.

    P.S., you contradicted yourself with the Avira folder example and then saying virtualization is most effective when you don't exclude anything.
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    ok I'll bite

    scenario (A): nothing excluded, so all drives are protected. Malware gets in. Machine rebooted, malware gone.
    scenario (B): file excluded. Malware gets in. Machine rebooted - malware still on machine.

    how do you figure that (B) is safer ?
     
  25. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    why is it difficult for the home user to not exclude anything ? If the user downloads something they want to keep then they simply commit with shadow defender.
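The disagreement above is really about where a write lands. Long View's scenarios (A) and (B) are about excluded folders surviving a reboot, Osaban's point is about committing a single file while staying in shadow mode, and dw426's point is that a virtualized process can still read the real personal folders unless access to them is blocked. The toy model below, added here as an illustration and not code from Shadow Defender, Returnil, Sandboxie or any other product mentioned in the thread, makes each of those outcomes checkable. All paths and file contents are constructed; `excluded` and `blocked` are this model's own names for "writes go straight to the real disk" and "the virtualized process may not even read it", not settings of any particular product.

```python
"""Toy model of a reboot-to-restore virtualizer with exclusions, commits and blocked paths.

Constructed example: it only tracks where a write lands and whether a read is allowed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is prefix or lives below prefix' test for Windows-style paths."""
    p = path.lower().replace("/", "\\")
    q = prefix.lower().replace("/", "\\").rstrip("\\")
    return p == q or p.startswith(q + "\\")


@dataclass
class ShadowDisk:
    real: Dict[str, bytes] = field(default_factory=dict)              # persistent disk contents
    overlay: Dict[str, Optional[bytes]] = field(default_factory=dict)  # shadow-mode writes, dropped on reboot
    excluded: List[str] = field(default_factory=list)  # prefixes whose writes bypass the overlay (model's term)
    blocked: List[str] = field(default_factory=list)   # prefixes a virtualized process may not read or write (model's term)

    def _check_blocked(self, path: str) -> None:
        if any(_under(path, b) for b in self.blocked):
            raise PermissionError(path)

    def write(self, path: str, data: bytes) -> None:
        """A write from a virtualized process: excluded paths hit the real disk, all others the overlay."""
        self._check_blocked(path)
        if any(_under(path, e) for e in self.excluded):
            self.real[path] = data
        else:
            self.overlay[path] = data

    def read(self, path: str) -> Optional[bytes]:
        """Reads see the overlay first, then fall through to the real disk (unless blocked)."""
        self._check_blocked(path)
        if path in self.overlay:
            return self.overlay[path]
        return self.real.get(path)

    def commit(self, path: str) -> None:
        """Promote one shadow-mode change to the real disk, e.g. a download the user wants to keep."""
        if path in self.overlay:
            self.real[path] = self.overlay.pop(path)

    def reboot(self) -> None:
        """Reboot-to-restore: everything still in the overlay is discarded."""
        self.overlay.clear()

    def persisted(self, path: str) -> bool:
        return path in self.real


# Scenario (A): nothing excluded, a rogue driver dropped into the system folder is gone after reboot.
def scenario_nothing_excluded() -> bool:
    disk = ShadowDisk()
    rogue = r"C:\Windows\System32\drivers\rogue.sys"   # constructed path
    disk.write(rogue, b"dropped by a rogue installer")
    disk.reboot()
    return disk.persisted(rogue)   # expected False


# Scenario (B): Documents is excluded, so the same kind of drop there survives the reboot.
def scenario_excluded_folder() -> bool:
    disk = ShadowDisk(excluded=[r"C:\Users\me\Documents"])
    dropped = r"C:\Users\me\Documents\invoice.exe"      # constructed path
    disk.write(dropped, b"dropped by a rogue installer")
    disk.reboot()
    return disk.persisted(dropped)   # expected True


# Osaban's alternative: exclude nothing, commit the one file you want to keep, reboot clears the rest.
def scenario_commit() -> Tuple[bool, bool]:
    disk = ShadowDisk()
    keep = r"C:\Users\me\Downloads\tool.zip"             # constructed path
    junk = r"C:\Users\me\AppData\Local\Temp\setup.tmp"   # constructed path
    disk.write(keep, b"wanted download")
    disk.write(junk, b"leftover")
    disk.commit(keep)
    disk.reboot()
    return disk.persisted(keep), disk.persisted(junk)    # expected (True, False)


# dw426's point: with nothing excluded the real Documents folder is still readable from inside
# the virtualized session; only a blocked path stops the read.
def scenario_read_exposure() -> Tuple[bool, bool]:
    secret = r"C:\Users\me\Documents\bank.txt"           # constructed path
    open_disk = ShadowDisk(real={secret: b"account details"})
    locked_disk = ShadowDisk(real={secret: b"account details"}, blocked=[r"C:\Users\me\Documents"])
    readable_when_open = open_disk.read(secret) is not None
    try:
        locked_disk.read(secret)
        readable_when_blocked = True
    except PermissionError:
        readable_when_blocked = False
    return readable_when_open, readable_when_blocked     # expected (True, False)


if __name__ == "__main__":
    print("A (nothing excluded) persisted:", scenario_nothing_excluded())
    print("B (folder excluded) persisted:", scenario_excluded_folder())
    print("commit (kept, junk):", scenario_commit())
    print("read exposure (open, blocked):", scenario_read_exposure())
```

Run as a script and the four lines show the two halves of the thread side by side: exclusions are the only thing that lets a dropped file outlive a reboot, committing replaces the need for them, and neither exclusions nor the overlay say anything about what a virtualized process can read, which is why a separate blocked list (or keeping the data off the machine, as suggested earlier in the thread) is the answer to the data-theft question.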
     