Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

Discussion in 'sandboxing & virtualization' started by BlueZannetti, Dec 30, 2007.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Erik,

    That's your opinion and I believe you're wrong. It appears that anything less than a 100% guarantee of coverage is not enough in your mind, and if you're exposed to 100% of the malware in existence, that's true. However, I'm not exposed to 100% of the malware in existence, so I'll take my chances with a current and pragmatic solutions.

    Again, I'm approaching this from an actual use situation. In that case, I view every step that requires a user initiated action to be a liability. For example - in comparing user initiated on-demand scanning vs. realtime monitoring - the result is the same if the same setting are used, but the former requires the user to deliberately initiate the scan while the latter happens as a matter of course. That renders the latter approach more robust in most hands over time. Both approaches work, but it comes back to a concept we've discussed time and time again - user discipline. My experience is that situations occur in which users lose discipline - they happen with me and they likely happen with you. For that reason, I believe that approaches which are predicated on maintaining a high level of discipline should be avoided by most users.

    Blue
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Sorry to disagree but my systems would not be enhanced by an AV they would simply be slowed down by an outdated idea. The virus that is going to get me one day will not be one of the X billion on the white list but a new one that sneeks thru. If Returnil or DeepFreeze work "properly" the virus will be gone at reboot. If they Returnil or DeepFreeze do not work then I restore an image. If that doesn't work then I rebuild.

    what is the point of light virtualization if we add back all the AV, AS, HIP, firewall, Anti exec security ?
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,090
    Location:
    North Carolina USA
    well yes and no. On my laptop I only use SD. It is turned off and on frequently. On my desktop it is left on for a fews before ever rebooting, so I am only using Avira for the guard. Just to tell me if something pops up and I need to reboot. I dont scan with it and no it wont catch everything, but it really doesnt slow anything down so it is like added insurance.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Blue,
    What discipline ? I only have to reboot and every change is gone.
    If I open Firefox to surf on internet, it's automatically sandboxed and my data partition is locked automatically.
    The only problem I still have are NEW objects, they require discipline, if you want to install them permanently.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Blue,

    Would you try SafeSpacePersonal also, can be configured to virtualise a partition (with a folder to save changes) also, the default mode (Windows, + Programs Files directories).

    Reason for asking is I appreciate your contributions and you also evaluate safespace, the criteria against which it is reported are more or less the same.

    Thx
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    If one goes back and adds all that stuff aagin, you're right, it's pointless.

    But here's an alternate scenario - rather than taking that AV - and only the AV - and maxing out it's settings so that everything is scanned/monitored/sliced/diced in every way imaginable, use settings with a very light touch. Use one with a light touch to start with and keep the settings low. The impact will not be apparent, and if it is, find a solution in which it's not apparent.

    For many user's, they may not need even this level of intervention and light virtualization alone will suffice. It depends on personal usage patterns. It's not unlike folks who successfully run without an AV or any other elaborate setup at the moment - that works for some, but not others.

    Light virtualization is simply one possible avenue to use to simplify and remain secure at the same time.

    Blue
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Precisely my point. The discipline that you've just noted in the quote.

    Blue
     
  8. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Perhaps later today or so. I have a clean partition that I can use.

    Blue
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,090
    Location:
    North Carolina USA
    and that is how I have Avira set up, to only scan defined files and the rest very light. I own it, it doesnt impact speed, so why not use it. You just never know when it might just,,,,,,,,,,,,,,

    Keep in mind, when the left and right were created, a middle was included to.:D
     
  10. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    It is not the AV you should concentrate on as there is not that much difference between the consistent leaders as far as overall protection is concerned. It is the scope of the AV's role that requires adjustment in a strategy that includes virtualization.

    The emphasis moves from the need for constant monitoring on the local machine to one where analysis of incomming/new content should be the focus. Virtualization does not detect or distinguish between what is good and what is bad; you invoke the System Protection and all changes are treated equally based on the user's preferences (drop all changes, save some changes, or save all changes).

    This leaves an important role open for an "expert analysis" solution somewhere in the chain, just not at the local machine level outside of regular in-depth verification scans (think of your weekly or nightly on-demand full system scan as reference). In every system you still require some form of feedback as to status and efficacy of the system itself...

    Mike
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is exactly the discipline that EVERY USER has to practice, when he installs NEW objects, no matter what security he has.
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,090
    Location:
    North Carolina USA
    totally agree and good post.:thumb:
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    An important detail to be sure, and one that underscores that any systemic approach has to examine the roles of each part and that as a users approach evolves, interdependent parts may need to change.

    Blue
     
  14. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    True, but you are explicitly ignoring what I view as an important distinction, and that's whether the discipline involves an active user initiated event or not.

    One can accomplish the same end result with either a passive safety net provided in the environment or by having the user to explicitly invoke that safety net an an exception as they deem it is needed.

    Blue
     
  15. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    I would caution that layers for the sake of layers is not the way to go. Complexity for its own sake can become self-defeating when looked at the extreme. Layers are about ballance and management of risk rather than being a brute force approach...

    Your goal should be the best line-up with the fewest resources based on your individual needs as one size does not fit all...

    Mike
     
  16. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Layers, to a point, are good. However, I think we've all seen many cases in which layering without taking the time to assess what was being layered on top of an existing configuration resulted in some very unfortunate outcomes - up to and including lost data and the need to perform a complete reinstall of a system.

    It's important to keep the point made by ColdMoon in front at all times. You are creating a system in which there are clear, as well as hidden, interdependencies. Changing one part may necessitate adjusting how the other parts are used (or that they are possibly no longer used).

    Blue
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,981
    Location:
    California
    I've added some some thoughts on using Deep Freeze Standard Version for Home use:

    http://www.urs2.net/rsj/computing/tests/DF/index.html#thoughts


    ----
    rich
     
  18. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Kees1958,

    Here's what I see - bear in mind that this was a quick examination:
    • First of all, applications such as SectorEditor will not successfully launch if launched as a SafeSpace protected application
    • If the application per se is not protected, it will launch and run as expected
    • If I virtualize the boot partition (D:\ in this case on physical disk1) I can perform low level sector edits (of the MBR for example) on this partition. The edits performed are simple ones that will not impact functionality (basically text strings that are part of the MBR). They survive a restart, so these are permanent changes on the disk. The situation is probably not a lot different than that seen with ShadowDefender - it's a specific case that has to be handled that was not a part of the initial design objective. I've not used this application extensively and haven't read through the documentation, so I hope that I've not configured it inappropriately.
    Blue
     
  19. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Each user makes his/her own decisions. My question is "why would you or anyone feel naked without an AV, HIPS, Sandbox, AS, AT, Software Firewall..... ?" If the answer for each piece of software used is " well last week my AS picked up XXXX" and "last month my HIPS reported ZZZZ" then using that software would make sense to me. If I had ever seen a real life virus, If I had ever downloaded a program with spyware, if I had ever had a software firewall tell me that a program that I had not authorized was trying to communicate with... If I had ever had any of these problems I might still run these types of programs BUT as I haven't, I don't (see sig for security details)

    As I have no idea as to how others operate or their degree of discipline I am NOT saying that everyone should surf naked. I am saying that it is possible and suggesting that everyone requires that any program run earns its keep and has a real reason for being there. I like DeepFreeze and Returnil. I prefer them to Sandboxie. Others will prefer the reverse. Others will use both and add Anti executable. Others will add even more. All each user really ought to do is ask how little do I need rather than trying to look like the Michelin Man.
     
  20. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I'm looking at using Shadow Defender or Returnil but I know this is not going to give me total security on it's own. I do know that they will do a good job of making sure that when I reboot my system, any nasties I have picked up since the last reboot are removed. Although that gives me a nice warm feeling that my clean system remains clean, I recognise it is not the whole answer. How do I know my system is clean in the first place and how do I keep it clean?

    At some point in time I will have to change my system to install new applications. This is where I need an expert scanner to tell me that the new application contains no malware. Having passed this test, I would like to install the application but tag it as untrusted with limited rights, just in case. I would also like to keep an eye on all my applications for suspicious behaviour. If there were no suspicious behaviour detected for some time, I would conclude that my system is clean and the application is safe.

    SD/Returnil do not provide analysis or monitoring capabilities. Without these, I think they may eventually be doing a good job restoring my system to a malware-infected state each day.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Good remark. You should take measures to see if your strategy is working in the long-run. If you don't take these measures, you will fall into blind faith (i.e. I reboot the system or wipe the sandbox and all problems are gone).
    I replace regular on-demand scannings with integrity checking. It isn't a solution for the average user, but it's much more powerful than blacklist scanners.
    In the end, all the strategies seem similar with:
    - Imaging: for the disaster scenario.
    - Light virtualization/shadow softwares: regular cleaning (at reboot).
    - On-demand scanning ("weak"), integrity checking/forensic analysis: is my strategy really working?
    - Real-time AV/AM ("weak"), anti-exec, behav. blocker, HIPS, sandbox, LUA: daily battle with untrusted objects.
    - Safe surfing/computing: brain-based content filtering (what should/shouldn't I run/accept/open/launch)
    - Router: isolate your private LAN from the Internet.
    Optional:
    - Virustotal/Jotti/Threat Expert/Norman Sandbox: expert analysis of new objects (requires good discipline)
    - Network access control (i.e personal firewall): only allow the necessary network comms and deny the rest (requires some network knowledge)
    - Hardening: limiting/closing the entry points of malware and/or a failsafe measure to other security layers (excessive/incorrect hardening may cause that some functions/processes stop working properly)
     
  22. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Hi Lucas. What program do you use for integrity checking?

    Merci!
     
  23. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Sadly We as Security Forums across the net have left the basics of secure surfing sitting on the corner while We rush to the nearest wally world to grab the latest fix of the week for our additional layer :doubt:

    I realize that's far beyond the scope of this thread and will save the rest of thoughts for a more appropriate thread....How one can surf safely without a resident av or hips or sandbox or anti-spyware

    Bubba
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    - Tiny Watcher
    - Runscanner
    - FileCRC
    - IceSword
    - Rootkit Unhooker.
    Others are Rootkit Revealer, Rootkit Hook Analyzer, Autoruns, Hijackthis, Sentinel, FileMap, FileChecker, NIS File Check, etc :)
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Thanks Lucas. I use Tiny Watcher, IceSword and TrendMicro's Hijack This too.

    You may also like this MD5 Checker, with option to compare the files in a folder with the results of an older check. No installation needed, runs from a folder. Freeware.

    http://www.brandonstaggs.com/filecheckmd5/
     
Loading...
Thread Status:
Not open for further replies.