Returnil/Deepfreeze/Shadow Defender + Altiris SVS = persistent shadowing :)

Discussion in 'sandboxing & virtualization' started by xheffalumpx, Apr 3, 2008.

Thread Status:
Not open for further replies.
  1. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    Following a previous thread about Sandboxie and games I concluded it wasn't very useful for games. However, thanks to various forum posters I ended up looking into Altiris SVS and how it virtualizes applications. This has finally got me to the solution I've been looking for for a while now: how to virtualize your system partition while still being able to add (and remove) extra programs/games, and keep them separate from each other.

    I realise this is probably possible using software like Rollback RX but I wanted to avoid those - one reason being cost, the second because of how, for example, RX needs to have control over the filesystem. Another one which has been suggested is FirstDefense, but I can't get that anymore.

    Well after experimenting and trialling various programs I've come to a solution which I'd like to share - thoughts welcome :)

    -------------------
    You will need
    * At least two partitions. One for your System which we will freeze. Another which will be unfrozen.
    * Altiris SVS - http://www.svsdownloads.com/ top two
    * Altiris SVS Personal License - http://www.altiris.com/Download/svsPersonal.aspx
    * Returnil (free or otherwise) or your choice of "freeze and rollback" type of program, Shadow Defender or Deep Freeze are the only other two I've looked at and should work fine.


    Procedure
    (Now assuming you have a clean and fresh Windows XP)

    Assuming your system partition is C: and your unfrozen data partition is D:

    1) Get your XP baseline set up. This will be what you will consider to be "always needed" and "just how I like it" Windows set up. Update it, install any apps you'll consider as permanent - that you want all the time not virtualized - and whatever else you need to do which will be part of your permanent baseline.

    2) Optional step but recommended. Make an image snapshot using Acronis or whatever imaging program you have. Acronis Trueimage 8 is around for free. I'll find the link for that after this post.

    3) Install Altiris SVS using this command line from the cmd.exe command prompt (make sure to be in the same folder as where you downloaded it)

    msiexec.exe /i Software_Virtualization_Agent.msi PRODUCT_KEY=xxxx-xxxx-xxxx-xxxxx INSTALL_ADMIN=1 D_FSLRDR=D:\fslrdr

    You'll need to get a personal license key as mentioned above. Adjust path to the .msi file as necessary. Reboot when asked.

    4) Create the following batch files. These will be used to maintain necessary registry settings for Altiris and your Desktop, which would otherwise be lost when rolled back by your freeze program.

    C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\SaveRegistry.bat
    ------------------
    @echo off
    REM Deactivate every layer so SVS commits its state before C: is rolled back at reboot
    SVSCMD * D -F
    REM Remove last session's exports first: reg.exe on XP prompts before overwriting an existing file
    del D:\fslrdr\fsl?.reg /q
    del D:\fslrdr\desktop.reg /q
    REM Export the keys the freeze program would otherwise discard, onto the unfrozen D: partition
    reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop" D:\fslrdr\desktop.reg
    reg export "HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL" D:\fslrdr\fsl1.reg
    reg export "HKEY_LOCAL_MACHINE\Software\fslrdr" D:\fslrdr\fsl2.reg
    ------------------


    C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\RestoreRegistry.bat
    ------------------
    @echo off
    REM C: has rolled back since logoff; put the saved keys back before SVS is used
    reg import D:\fslrdr\desktop.reg
    reg import D:\fslrdr\fsl1.reg
    reg import D:\fslrdr\fsl2.reg
    REM Activate only the layers whose names start with auto_
    SVSCMD auto_* A -NDR REF
    ------------------

    5) From start->run->gpedit.msc to bring up the Group Policy object editor and expand User Configuration\Windows Settings\Scripts (logon/logoff)

    6) Add the scripts created above. Double-click "Logon" on the right. Click Add. Click Browse. Select RestoreRegistry.bat. Click OK, then OK again to close the window. Repeat this for "Logoff" and select SaveRegistry.bat for that.

    This will result in SaveRegistry.bat being run when you log off windows and RestoreRegistry.bat being run when you log in.

    7*) Install your choice of Returnil/Shadow Defender/Deep Freeze and where possible configure them to relocate or exclude C:\Documents and Settings and your Desktop/Favorites/My Documents.

    7.1) At this point I recommend making an additional disk image so you can roll back to here in case you need it

    8) Freeze and reboot!

    9) Your system partition will now be frozen and you'll be using SVS to add new applications from now on.

    10) Use SVS Admin Tool to add Layers (virtualized applications). Tip: to keep desktop icons how you want them just Activate the layer, make a copy/paste of the icon(s) then Deactivate the layer. The copies will disappear, leaving the relevant icons on the desktop. Then just go into Edit Advanced Layer Properties for the layer inside SVS Admin Tool and remove the Desktop .lnk entries from inside that layer. Export the layer to your second partition for future use.

    Note: if you want the layers to autostart, just rename them with auto_ in front, for example auto_3DSMax
    --------------

    And there you have it. A system partition that is maintained in a static state, while still allowing applications to be added and removed - with the benefit that those apps are isolated as well and can freely be turned on and off with no remnants left anywhere :) While still being able to update My Documents, Favorites and whatever else you choose to keep maintained and updated. SVS layered applications keep their own settings and data too (just how SVS works!)


    * If you're unable to relocate C:\Documents and Settings\* or you want to keep specific files and folders excluded from being rolled back you can use Microsoft's Junction utility to redirect those locations and files to your D: partition.

    http://www.microsoft.com/technet/sysinternals/FileAndDisk/Junction.mspx

    So for example I like to have C:\Program Files\Agnitum\configuration.cfg excluded from any roll backs. I just make a copy of it to D:\mydata\configuration.cfg and use Junction to link/redirect the original file to the replacement.

    Do this BEFORE freezing! Result is you can use Returnil free + Junction + Altiris SVS and get a free solution :)

    Shadow Defender is very nice in that you can selectively exclude files and folders from being rolled back so Junction is not needed. I think Deep Freeze has a similar tool available but it might not have such granular control.


    * Add: here's that offer where you can get Acronis Trueimage 8 for free http://www.acronis.co.uk/mag/pcpro/ati8pe :) So total free solution is possible!
     
    Last edited: Apr 6, 2008
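    The logon script in the procedure above runs `reg import` on whatever is sitting in D:\fslrdr, and D: is the partition that is deliberately not frozen. As an added example (not part of the original post, and not Altiris or Returnil code), here is a Python check that parses the files reg.exe writes, refuses any export carrying keys outside the three roots SaveRegistry.bat exports, and diffs two exports so an unexpected change shows up before it is imported. Python itself, the script name and the sample .reg contents are assumptions; the three key paths are the ones from the batch files.

```python
"""Check D:\\fslrdr\\*.reg before RestoreRegistry.bat feeds them to `reg import`.

Added example, not part of the original post. D: is left unfrozen on purpose,
so anything that ran in the previous session could rewrite these exports; a
Run key smuggled into one of them would be re-imported into HKLM at every
logon and survive the rollback of C:. This reads the UTF-16LE files reg.exe
writes, rejects keys outside the three expected roots and diffs two exports.
"""
import re
import sys

# The three keys SaveRegistry.bat exports; nothing else should appear.
ALLOWED_ROOTS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop",
    r"HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL",
    r"HKEY_LOCAL_MACHINE\Software\fslrdr",
)
HEADER = "Windows Registry Editor Version 5.00"
_SECTION = re.compile(r"^\[(-?)(.+)\]$")                    # [key] or [-key]
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=... or @=...


def decode_reg(data: bytes) -> str:
    """reg.exe exports UTF-16LE with a BOM; hand-written files may be ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: raw_value}}; a [-key] deletion maps to None."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a .reg file: header missing")
    keys, current, i = {}, None, 1
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            path, delete = m.group(2), m.group(1) == "-"
            current = None if delete else path
            keys[path] = None if delete else (keys.get(path) or {})
            continue
        if current is None:
            raise ValueError(f"value outside a key section: {line!r}")
        m = _VALUE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        name, value = ("@" if m.group(2) else m.group(1)), m.group(3)
        while value.endswith("\\") and i < len(lines):  # hex: continuation lines
            value = value[:-1] + lines[i].strip()
            i += 1
        keys[current][name] = value
    return keys


def is_allowed(path: str) -> bool:
    p = path.lower()
    return any(p == r.lower() or p.startswith(r.lower() + "\\") for r in ALLOWED_ROOTS)


def check_reg(data: bytes):
    """(ok, offending_keys): ok is False if any key lies outside ALLOWED_ROOTS."""
    keys = parse_reg(decode_reg(data))
    bad = [p for p in keys if not is_allowed(p)]
    return not bad, bad


def diff_reg(old: dict, new: dict) -> list:
    """(kind, key, value_name) tuples describing how `new` departs from `old`."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append(("added", path, None))
        elif path not in new:
            changes.append(("removed", path, None))
        elif old[path] is None or new[path] is None:
            if old[path] is not new[path]:
                changes.append(("changed", path, None))
        else:
            for name in sorted(set(old[path]) | set(new[path])):
                if old[path].get(name) != new[path].get(name):
                    changes.append(("changed", path, name))
    return changes


# Constructed sample exports (not real output from anyone's machine).
_FSL = (HEADER + "\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\Altiris\\FSL]\r\n"
        '"RedirectPath"="D:\\\\fslrdr"\r\n'
        '"LogLevel"=dword:00000001\r\n\r\n'
        "[HKEY_LOCAL_MACHINE\\Software\\fslrdr]\r\n"
        '@=""\r\n'
        '"Blob"=hex:00,01,\\\r\n  02,03\r\n')
GOOD_EXPORT = b"\xff\xfe" + _FSL.encode("utf-16-le")
TAMPERED_EXPORT = b"\xff\xfe" + (
    _FSL + "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"Updater"="D:\\\\fslrdr\\\\update.exe"\r\n').encode("utf-16-le")

if __name__ == "__main__":
    # Usage: python check_reg.py D:\fslrdr\desktop.reg D:\fslrdr\fsl1.reg ...
    # Non-zero exit if any file is rejected, so a batch file can test errorlevel.
    rejected = 0
    for name in sys.argv[1:]:
        ok, bad = check_reg(open(name, "rb").read())
        print(name, "OK" if ok else "REJECT " + ", ".join(bad))
        rejected += not ok
    sys.exit(1 if rejected else 0)
```

    Calling this from RestoreRegistry.bat before the three `reg import` lines (and skipping the imports when it exits non-zero) would need an interpreter on the frozen baseline; the same root-prefix check is small enough to port to whatever scripting is already installed there. Whichever way it runs, the point is that the .reg files on D: are untrusted input once the session has ended, and importing them blindly gives anything in the session a way to write into HKLM that outlives the rollback.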
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Interesting.

    I'm gonna try this project out and see how it fares since it looks to have the basics all in place.


    Thanks xheffalumpx for sharing your find. Many of us will have to see exactly how well this can be useful for us, but on the surface from these details seems to be a really good one.
     
  3. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    I've been running this setup for a couple of days now without any problems :)

    The basic premise is to have your main rollback program shadowing your system partition and SVS sort of "hotswaps" in additional applications. The batch files are there so SVS doesn't lose all its settings when your C: drive rolls back, plus using the svscmd to stop and start the layers automatically. You can edit RestoreRegistry.bat before freezing if you don't want the layers to auto start; just put REM and a space at the start of the last line to comment it out - but leave SaveRegistry.bat as it is because you'll need to automatically disable layers before shutdown (so the registry is properly updated)

    This means all SVS layered apps are self contained and retain their own settings between reboots but at any time you can disable the layers and your C: drive is as if the application never existed on your system.

    This works because SVS is storing a cached copy of the app in the fslrdr folder on your data drive - and changes are only retained in that layer in fslrdr.

    So far I've successfully layered in a game, Teamspeak voice chat, Trillian (instant messenger), 3D Studio Max 9 and Firefox. Firefox was downloaded as a pre-layered app from the above site.

    3DS required dotNET 2.0 which I couldn't successfully install in a layer - so I had to add .net 2 to my baseline by turning off all layers and then turning off shadowing, installing .net then enabling shadow mode and turning on layers after that. With .net in my baseline though I could then go ahead and add 3DS into a layer just fine.


    If for some reason you want to make additional changes to your actual baseline this is the procedure
    1*) Turn off all Layers using SVS Admin Tool. DELETE all the layers. If you want to save layer data, export before delete.
    2) Turn off your shadow program and reboot
    3) Now you are back to the start, to the point where you originally froze your system and can add whatever you need to add
    4) Optional step but recommended to make a new/incremental disk image using Acronis etc.
    5) Turn on your shadow app for C:\ (make sure to keep your data drive excluded!)
    6) Reboot and using SVS Admin Tool import layers and re-enable them

    * Important to remove/delete the layers as this will prevent the batch file from auto loading them when you reboot after step 2. If you want to save the contents of the layer, just export/re-export it again before you delete it. You can also remove the auto_ prefix to stop a layer from auto starting.

    OR you can just turn off shadowing and roll back using your disk image to 7.1 in the post above. Be sure all layers are disabled/deleted before you add your new baseline components and especially before you refreeze.

    Now you've successfully done a relatively clean update of your baseline but still managed to keep the additional applications separate from the system and baseline image :)

    Once you've grasped the concept and poked around to see how things are stored and where, it's a fairly straightforward concept at heart. Essentially you get dual protection, even if your system is unfrozen layered applications will run in their own little world. Handy if you need to change your core baseline at any time! Please do let me know how it works out!
     
    Last edited: Apr 6, 2008
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Like others I'm curiously optimistic on this new approach. Has anyone experimented with this set up and can confirm its usefulness themselves?

    It will take me a few days to ready a hard drive myself to set it up since I'm down with pneumonia right now, which is now past its worst stage I think, and I'm on the upturn of this illness.

    But I am extremely anxious to give this a thorough testing and if found effective will likely ground it permanently on one of my hard drives as another useful alternative security method.
     
  5. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    Hope you get well soon Easter!

    I've refined the procedure slightly by changing the RestoreRegistry.bat file. The last line will now only autostart layers that have auto_ as their prefix. Any layer that is not named like that will not start automatically. This makes it a bit more friendly to control which layers you want auto-starting.

    I've been using it thoroughly with 3D Studio Max in a layer with no ill effects. Benefit of this approach is if I want to just try something out for one session only I just install it normally. Then when I reboot my system gets rolled back and that app is gone.

    If I want to try something out longer I install it into a layer. That way when I reboot the layer remains but it is still safe and isolated and can be disabled and deleted whenever. The system will ultimately revert back to how it was when you first froze it (if you have layers disabled!)

    You can set up Global Excludes inside SVS Admin Tool so that it won't sandbox certain files or folders. Anything saved in these areas will not be saved in the layer but in the outer environment. Since we've configured the main rollback program to exclude My Documents as well, for example, and also in SVS Admin Tool, this means anything saved in My Documents will remain on your system even after removing layers and rebooting. You can set up your own fine tuned Global Excludes to suit.


    In conclusion:
    1) For just one off testing in one session, install normally. Your rollback program will roll back when windows reboots.
    2) For longer term testing or isolating apps/games, install into a layer. Layers are isolated worlds in themselves. All changes are retained only inside that layer. When a layer is disabled or deleted the outer environment is as it was before.

    Think Matrix within a Matrix if that helps - just like the movie :)


    As an additional thought, something similar can probably be achieved using Sandboxie instead of Altiris - you just need to preserve the Sandboxie.ini file and have its sandbox on your data drive I believe. Altiris seems to be able to sandbox some things Sandboxie can't though. Typically I've used Global Capture while installing an app so that SVS captures system-wide changes made by that app. This allows sandboxing of items which might not be capturable if you just monitor one single install .exe.
     
    Last edited: Apr 6, 2008
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Thank you for the get well greeting. If those 70 degree temps expected this week ever make it here, I'll be mending at warp speed and should be back 100% soon again. Sick stinks, yuck.

    I am really surprised no one has weighed in on this setup because from the looks of what I read it's really a useful alternative with a totally different spin than users have been used to.

    Very nice effort indeed and generous of you to share it.

    EASTER
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I find it interesting to watch what people can do, but for me it is overly complicated and thus at risk from human error. I just use Virtual Machines and it's simpler.

    Pete
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Newer ideas are always scary until one takes the time to try it themselves.

    While it's always easy to go VM, that's NOT for everyone. In fact VMs can't really serve more than testing software, and in cases of malware research some of them won't run in VMs, period.

    Plus VMs put a huge drain on resources/memory, not to mention require additional space, and that is why it's more efficient to just use an alternate testing hard drive as opposed to VMs, which removes all the limitations that can be found in VMs.
     
  9. InVitroVeritas

    InVitroVeritas Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    64
    I'll give it a try.

    It's a very clever way to complement Returnil/PowerShadow (current) limitations regarding session saves across reboots. And vice-versa, Returnil/Powershadow complement SVS virtualisation, in regards to security.

    I wouldn't use Sandboxie, though, with such a setting. Security wise, it's already a good start and my preference would go with my usual pattern: LUA (as usual) + SuRun, and maybe a lightweight behavior-blocker to silence my paranoia.

    Performance wise at least, I've also given up on Sandboxie when it comes to cpu/memory intensive 3D cgi applications (though, admittedly, that was some time ago), while in SVS these work like a breeze.
     
  10. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    It probably just sounds more complicated than it is because I've gone into extra detail about the steps involved and tried to cover the use of apps like Returnil free or perhaps DeepFreeze which might not allow the granular control of what to exclude from rollbacks that Shadow Defender does.

    The idea is really quite simple in that all I've done is relocate the sandbox that SVS uses and update the registry/desktop via scripts - otherwise everything would be rolled back by your freeze program. It's just the details which make it sound more complex than it is. Once it's up and running there's no maintenance required - just a case of adding apps you want "persistent" as layers. Plus I've detailed what needs to be done if you want to update your baseline for any reason.

    SVS doesn't actually copy files to your C: drive, it just adds symbolic links to them pointing to the D:\fslrdr folder. Hence the batch files simply remove and restore these links and update the fslrdr folder as necessary when you log in/out (this is what the SVSCMD does)
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I agree you need adequate resources, but VM machines are very useful beyond testing.

    Like I said, I am intrigued by what has been accomplished here, but it just doesn't fit me. Also I confess my only experience with SVS was less than lackluster. I saw a lot of blue.:rolleyes:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I for one admire the fact that in this set up of yours you take an unorthodox approach not many would even bother with since many, like Peter2150 for example, are quite content to settle with their VMs which they are more familiar with obviously.

    But this alternative method certainly is not without equal benefits and merits consideration for those inclined to step out from the norm, and in many ways really isn't that difficult to implement once everything is in place.
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi EASTER, hope you're feeling better!
    Don't really want to say much more than Pete, that VM machines are very useful beyond testing... there are a lot of uses and products out there if you care to learn, and with today's machines running VMs has less impact, although I never really had any problems with performance using 512mb, 1 processor in the past running VMs.
    I also use Altiris SVS but not for awhile now. Thanks xheffalumpx for this thread in regaining my interest - hey I'll try it out.
     
  14. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    About the use of a VM instead, yes that's certainly another way of doing things. However that really is a completely self sealed environment which, as far as I know, is akin to running stuff on a completely separate computer.

    This approach also has the benefit that you can see how programs interact with your existing environment, without damaging it or polluting it with extra stuff. You can just disable/delete the layer(s), reboot and everything is back to how it was when first frozen.

    Plus you can export a layer to an archive which can be handy. If you want to reload something much later there's no need to reinstall anything - just import the layer and it's good to go :) Portable apps in effect.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I bought today a new hard drive to try this method out on. I hope it proves out to be worth the effort.

    I got the system partition all in place, now all I need to do is work the batch files into the method through gpedit.
     
  16. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    Been about a week for me now without any issues. Some programs which install drivers are problematic to sandbox, but that's an issue with Sandboxie as well. Not really sure what can be done about those if you want to keep them more than one session.

    Just to note those batch files don't have to be in the location specified. You could actually place them on the D: drive unfrozen - gpedit lets you browse to the actual files. This will let you edit the batch files if you need to, without having to stop the shadowing of C:

    I'm going to be away on assignment this weekend going abroad for a month! So hopefully I've been thorough enough to answer any questions and possibilities which might arise. It's fairly flexible how you want to arrange things.

    I've since also found out that Altiris offer SVS Logon Hook which is an addon for the paid version of SVS (not free) - http://juice.altiris.com/article/1507 - this negates the need for batch files and also lets you control layers/groups of layers via event triggering. I didn't look into this further since I couldn't find any trial download but it's an option should anyone wish to pursue this approach further.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Well, on the surface it looked a bit daunting but I went full ahead with this approach on a new drive I picked up, partitioned and set it all in place, and all in all it is a rather unorthodox but nevertheless workable alternative method.

    It'll take some extra getting used to for me I think but at least all the pieces are in place and so far it looks good.

    You really put some thought into this method so thanks for sharing it with everyone.

    Most users will probably select the other programs you mentioned, and I have them too, but I'm always up for a very different approach to those apps.
     
  18. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    No problem :) My main motivation was to find some way to be able to keep a sort of persistent shadow session, or at least be able to keep certain apps separate from the system - instead of just for one login session. I've been told there is only one app which allows this but that's old and might not have everything I wanted. Until Shadow Defender, Returnil or something else provides this feature this works for me :)

    Probably the easiest combination is Shadow Defender + SVS, because then you don't need Junction and can exclude things like My Documents etc. to suit. Also if you need to change the batch files you don't need to relocate them or stop/start shadow mode - just edit them, then right click and commit.

    The first day or so it takes a little getting used to but I'm now very comfortable with how things work. For single session testing, just install like normal. For anything I want longer, stick it in a layer. Then when I'm done just deactivate or delete the layer and everything rolls back smoothly to the day the system was frozen. In my case it's also been helpful since I can install an app I might use now and then into a layer, set it all up how I want, then export the layer. Then I can just import and activate it whenever I need - no more reinstalling and reconfiguring :)
     
  19. Juha L

    Juha L Registered Member

    Joined:
    Dec 25, 2007
    Posts:
    48
    I got everything else, but didn't quite understand the purpose why all layers need to be deleted if I want to make changes to base?

    Is it because otherwise there would be changes to the base registry due to layers autoloading? But wouldn't it be easier to just edit the script to disable autoloading of layers prior to making changes to base, and thus you wouldn't need to do the export-delete-import layers phase?
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Is anyone using this setup in practice and can tell me about the benefits, compared with the past ?
     
  21. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101
    This method is very intriguing:

    Please correct me if I am wrong, but is this method basically the following:...


    1. Setup your windows like normal, and create your "baseline setup" which is basically *all your clean applications etc

    2. Freeze this computer using Returnil or Powershadow etc

    *Freeze computer = not being able to modify or change your administrative files like %windows% or %program files% or the Registry

    *Just as If I were to install Returnil, and then if I turn it on, everytime I would restart my computer, C:\ Drive would "Roll back" exactly to the Freeze Pt.


    3. Now instead of just Freezing the computer, you would use Altiris SVS to *CONTINUE to add programs and games(*By installing it to a different drive?)
    *Without Affecting C:\ Drive

    4. *Now your C:\ is virtually mal-ware proof
    *However, your D:\ Data files is still vulnerable


    Am I correct here?
    Can I continue to install programs through Altiris while keeping my C: mal-ware proof?




    Here is another question: is this method similar to the methods used in the following websites?
    http://www.joewang.net/articles/perfect-xp-system
    http://juice.altiris.com/article/4155/protecting-your-pc-against-unknown-malware
     
    Last edited: Jun 10, 2008
  22. Scoobs

    Scoobs Registered Member

    Joined:
    Sep 21, 2005
    Posts:
    110
    xheffalumpx, thanks for posting this. It sounds very interesting and I think I'm going to give it a try.

    Microsoft's Junction sounds like a very useful app.

    I have a couple of very simple questions. You say
    Is that SVS Client 2.1 HF2 Personal and Trinket 1.0.0.10? They seem small apps and they seem free. Is that right?

    Also the link to the Licence seems in turn to go to a "download 120 day trial" link - is that right?
     
  23. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    Hi,

    Sorry for the delay in replying. I think I mentioned I would be abroad on assignment for a couple of months. I just got back and am taking a little time to let my body clock readjust :)

    I'll try to answer some outstanding questions! If I miss anything please excuse me and point it out as I'm slightly out of gear at the moment lol

    Altiris software as mentioned is free for personal use so yes, free downloads included.


    The basic method is exactly as you mention connect4 except your understanding of Freeze should be thus: By "freeze" I mean actually activate your freeze program so it takes a snapshot at that point in time and always rolls back to that point every reboot. Altiris is used to add any additional apps while your Freeze application keeps everything as it was. Think of it as your baseline + a sandbox which lasts between sessions.

    I checked Joe Wang's page and yes that method and this one are very similar! His scripts are slightly different but otherwise it's the same idea.

    JuhaL: yes you can simply edit the registry scripts before unfreezing your baseline. It's a very simple process to simply turn off/delete the layers and probably best to do so as this clears any registry settings used by Altiris (which would otherwise get frozen when you refreeze)

    I hope this answers any outstanding questions! This particular computer has been turned off while I was abroad but now I'm using it again with no problems with this set up still in effect.
     