Discussion in 'sandboxing & virtualization' started by marthe224, Apr 21, 2006.
Which is the most effective and easiest to use?
Depends what you want to achieve - I'd look at Defense Wall
I can't answer your question, but don't decide/buy too quickly.
A product like ShadowUser (SU) requires some preparation and you should read the recommendations in the manual first, because it isn't just installing SU and using it, like other software.
1. One of the recommendations is to separate your Operating System from your personal files.
If you don't know anything about partitioning and have always worked with ONE partition, the famous "C:", then you have to learn how to partition your hard disk. You need at least two partitions to work with SU.
Some SU-users still use only ONE partition, because they didn't care.
2. Separating your Operating System from your personal files, isn't just partitioning only. You have to move certain folders to the second partition. Which folders? How to move them?
3. There are also recommendations for using hard disk defragmenters.
So be prepared for SU, because it isn't that simple.
Thank you for your speedy reply! I installed the trial version to take a look at it.
What happens if I do not partition? I do not particularly like the fact that you have to reboot. Have you looked at Sandboxie? I like it but I don't understand how to save a bookmark to my real drive.
You don't need to partition to use ShadowUser. However, ShadowMode protects the system on a volume basis, so if you partition your system or have multiple hard drives you could have some running in ShadowMode and others not.
If you have a single partition, then you can specify exclusions on a folder basis and achieve the same effect: the entire hard disk is protected except, for example, "My Documents."
Don't forget to look at ShadowSurfer, it seems to be still available for free, and must be easier to use than the ShadowUser version (no exclusions to deal with, etc).
Like starfish said, it depends on your needs. ShadowUser sandboxes an entire partition (usually C:\), whereas Sandboxie is for individual programs.
I have tried to exclude certain things in Shadow, like My Documents, but the add button is greyed out, and I don't know how to save a bookmark in the virtual Firefox in Sandboxie to my real drive.
You can set up exclusions and perform other administrative setup such as scheduling in ShadowUser only if you are in standard mode (not in ShadowMode).
However, you can at anytime commit files or folders to the hard disk by using the context menu (right click the file or folder and select commit).
The final goal of SU is to protect your whole system partition, so that your system partition is CLEAN again after each reboot.
If you allow changes in the system partition, because you didn't separate your personal files, your system partition becomes more vulnerable.
If you don't care about that, then use only one partition in spite of the recommendations of SU; it is of course a lot easier to do it this way. Easier isn't always the same as better, you only have quicker results.
Between TWO reboots any possible infection can do its evil job, if it has time enough. Keep that in mind.
Of course, after reboot, all these infections are gone.
So SU works a little like FD-ISR and RollbackRx, but has only ONE snapshot, while FD-ISR/RollbackRx have more than one snapshot.
And you can NOT compare SU with Sandboxie or Virtual Sandbox.
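The replies above describe three mechanics of volume-level shadowing: writes land in a throwaway overlay unless the folder is excluded, a single file can be committed to the real disk on purpose, and a reboot discards the overlay so the system partition is clean again (while anything dropped during the session is fully live until then). The following in-memory model, added here as an illustration and not taken from ShadowUser or any other product, shows those rules with constructed paths and contents; the class and function names are my own.

```python
# Added example (not from the thread or from any product's own code): an in-memory
# model of volume-level "shadow mode" with folder exclusions and per-file commit.
# Paths are forward-slash strings; the dict `real` stands in for the real volume.


class ShadowVolume:
    """Copy-on-write overlay over one volume.

    - Writes inside an excluded folder go straight to the real volume.
    - Every other write or delete lands in the overlay only.
    - commit(path) promotes one overlay file to the real volume.
    - reboot() discards the overlay, restoring the real volume's state.
    """

    def __init__(self, real, exclusions=()):
        self.real = real                      # persistent volume contents
        self.exclusions = tuple(e.rstrip("/") + "/" for e in exclusions)
        self.overlay = {}                     # path -> bytes written in shadow mode
        self.deleted = set()                  # real files hidden until reboot

    def _excluded(self, path):
        return path.startswith(self.exclusions)

    def write(self, path, data):
        if self._excluded(path):
            self.real[path] = data            # write-through: survives a reboot
        else:
            self.overlay[path] = data
            self.deleted.discard(path)

    def delete(self, path):
        if self._excluded(path):
            self.real.pop(path, None)
        elif path in self.overlay:
            self.overlay.pop(path)
        elif path in self.real:
            self.deleted.add(path)            # hidden, not really removed
        else:
            raise FileNotFoundError(path)

    def read(self, path):
        if path in self.deleted:
            raise FileNotFoundError(path)
        if path in self.overlay:
            return self.overlay[path]
        if path in self.real:
            return self.real[path]
        raise FileNotFoundError(path)

    def exists(self, path):
        try:
            self.read(path)
            return True
        except FileNotFoundError:
            return False

    def commit(self, path):
        """The right-click 'commit' from the thread: keep one shadowed file."""
        self.real[path] = self.overlay.pop(path)

    def reboot(self):
        """Drop everything that was neither committed nor written through."""
        self.overlay.clear()
        self.deleted.clear()


def demo():
    """One shadow-mode session followed by a reboot; returns what was visible
    during the session, what survived, and the excluded file's final content."""
    real = {                                  # constructed sample volume
        "C:/Windows/System32/kernel32.dll": b"os file",
        "C:/Documents and Settings/user/My Documents/notes.txt": b"old notes",
    }
    excluded = "C:/Documents and Settings/user/My Documents"
    vol = ShadowVolume(real, exclusions=[excluded])

    # During the session something drops a file into System32 and removes an OS
    # file: both take effect immediately, which is the window the thread argues about.
    vol.write("C:/Windows/System32/dropped.dll", b"unwanted")
    vol.delete("C:/Windows/System32/kernel32.dll")
    # The user saves to the excluded folder and commits one download on purpose.
    vol.write(excluded + "/notes.txt", b"new notes")
    vol.write("C:/Downloads/setup.exe", b"installer")
    vol.commit("C:/Downloads/setup.exe")

    watched = [
        "C:/Windows/System32/dropped.dll",
        "C:/Windows/System32/kernel32.dll",
        "C:/Downloads/setup.exe",
    ]
    during = {p: vol.exists(p) for p in watched}
    vol.reboot()
    after = {p: vol.exists(p) for p in watched}
    return during, after, vol.read(excluded + "/notes.txt")


if __name__ == "__main__":
    print(demo())
```

The model makes the trade-off in the thread concrete: the wider the exclusion list, the more of the disk is written through and outlives a reboot, and anything placed in an excluded folder or committed by hand is exactly what the shadowing no longer undoes.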
You keep referring to this possible window of infection between two reboots: I honestly fail to see your logic - rebooting from shadow mode into standard mode or rebooting from shadow mode into shadow mode - takes around one minute on my system.
Hardly the time to do anything, and even if one could, what if I may ask? The virtual volume is deleted and anything in it good or bad has no chance to affect anything.
The only danger is if you commit or save anything to an excluded file, and if a virus is saved with it, only then it could execute within your 'real' drive.
Your approach denies the need of an antivirus, IMO in this particular case it is absolutely necessary to have one.
The other day, somebody gave me a slide presentation on CD to check with my computer. I had it in shadow mode, and as soon as the CD rom was allowed to run, NOD32 instantly flagged a trojan. I did run the CD in shadow mode anyway but I didn't save the presentation as I originally planned.
If you boot in ShadowMode at 9:00 AM your system partition will be clean.
You work 8 hours on your computer (surfing, downloading, ...) and you shutdown at 5:00 PM.
Although you are all the time in ShadowMode, your computer can be infected during these 8 hours and it's possible that these threats can do their evil job during these 8 hours, if you don't have any other protection.
Am I right so far?
Of course if you have additional protection they will probably stop these infections from doing their evil job.
In other words, SU doesn't really protect you, it just gives you a clean snapshot after reboot.
FD-ISR, Rollback, DeepFreeze and any image restore do basically the same thing only the method is different.
The only difference is ONE or MORE snapshots and that gives you other possibilities, but no protection.
My problem is that I still need the classical security software to protect my computer and that's bothering me, while it doesn't bother you. That's the difference between you and me.
I only have ONE MORE program with software like SU, FD-ISR, etc.; that's not what I want, I want FEWER security programs.
Assuming the computer you are building is something more than a Pentium III, you should be building something with enough power to reasonably take you into the future. You have been wandering around these forums with this "problem" for quite a while.
Build your machine, test SU, FDISR, Rollback, and pick one. Then pick several of the classic AVs or HIPS (your choice), test them, and pick one. Then get on with life.
This isn't life's biggest problem.
You might want to take a look at a new product being introduced that is in Beta testing. Go to http://www.computersinmotion.com Check out their product called SafePods.
That's the kind of software I'm looking for. No AV/AS/AT/AK scanners, no HIPS, no firewall(?), no definition updates.
I only wish it were true. Or is it true?
It's just another sandbox product for IE. Might be good, but again no way I'd depend on it alone. If it leaks??
Yes it could leak, BUT ...
1. There is no proof of it yet.
2. AV/AS/AT/AK scanners don't detect/remove everything, so they are leaking too, and that has been proven in the past.
3. Firewalls aren't foolproof either, I still remember the article about "Firewalls are made of straw."
4. HIPS depends highly on the user's knowledge and these users are leaking too.
It seems to me that these sandbox programs have never been tested seriously; they just ignore them as a possible alternative.
"Oh it's a sandbox, it cannot be good. It's new and everything that is new, cannot be trusted."
The classical software, however, is generally accepted, including its regular mistakes.
Do sandboxes really have so many more leaks than classical software?
I would like to see some scientific proof of this.
I tested Sandboxie, and it seemed okay, until it had a conflict with my system. It turned out that all the "sandboxed" files were kept in a hidden directory under Documents and Settings, and were easily accessed. That certainly doesn't in my mind represent a secure alternative. I haven't looked at Sandboxie recently, but I don't see it offering anything over Rollback and/or FDISR.
FD-ISR and RollbackRx don't protect you against malware doing its evil job.
They just put your system back in a healthy state. That's not the same, because between two healthy states, malware can do what it wants, unless you have additional security software to stop it.
Sandboxes are supposed to prevent the execution of malware in your real system.
Of course there are sandboxes and sandboxes, just like there are AVs and AVs, one is better programmed than the other one, but that is common to all software.
Maybe you should have bothered looking at some documentation first, 'cause that's how it works: every registry entry and file is written to "Documents and Settings\[user]\Application data\Sandbox" (and subdirectories) instead of going directly to the real system location. You can then terminate the sandboxed application and flush all the data, and your system is exactly like it was before.
As for being "easily accessed", they are being "easily accessed" only by applications that are not sandboxed. Since these should represent the trusted applications, why should that bother you?
I did read it, and I did know it, and yes it can be flushed. But the point is there are no special protections and privileges. For normal use that is probably fine, but for higher risk uses, I just am not sure I'd trust it as much as other solutions.
There are special protections and privileges. First of all, it blocks anything from going kernel level, so it can't be terminated from within the sandbox. Second, it won't allow anything in the sandbox to be written to the actual system. Sure, it does not protect from READING, just from writing to the system. I've tried Sandboxie with a lot of actual malware, and it never failed. Sure, it might have some problems, just none that I'm aware of.
Personally I use ShadowSurfer; at least it's on call when I decide to use it, which is very rarely, but adequate enough for my own needs I think.
What I want is a replacement for all AV/AS/AT/AK scanners and if possible also HIPS.
My knowledge is too poor to be sure that sandbox software is at least equal to or better than the classical solutions.
They don't need to offer a 100% protection, because that doesn't exist.
I only want less security software on my computer, and sandbox software could make that possible.
I know already that scanners and "HIPS without sufficient knowledge" aren't good enough.
What about sandbox software? Nobody takes it seriously and it was never tested versus classical solutions, and that's what's bothering me. Sandbox software never got a fair chance to prove itself.
I want some scientific proof of this, done by security experts, not personal user opinions, these are worthless to me.
If I were a security expert, I would use all my knowledge to prove that sandbox software isn't good enough to replace classical solutions. If I wasn't able to prove this, sandbox software might be a good alternative solution.
I have tried Sandboxie and ShadowSurfer / User.
Sandboxie had some compatibility issues and was less intuitive than the other two. Furthermore, Sandboxie does not protect the whole system.
I'd say go for ShadowUser.