System virtualization... help

Just a quick question to those more knowledgeable.

is there a virtualization solution out there that works 99.99% or better?
I have read in this forum that some will not protect you outright.

I am currently using the free version of Returnil which has served me well in the past, but having read that it does not protect against all threats has made me feel uneasy
Well, I suppose what I really want is a software solution that is easy to use, and should I encounter malware be able to restore my pc to a clean state.

I have a paid version of Sanboxie, but I find it hinders me in trying out new software (programs not running)
I was thinking of programs like:
Powershadow, shadowdefender, something I can enable when required and restores to a clean PC on reboot.
Or is roll-back software better suited for my needs

 

Returnil is one. To the best of my knowledge the few attacks that can bypass light virtualisation program are not widely used by real-world malware.

 

Hello overangry:

I am far from an expert,and I suppose I reverse your system,using the free version of Sandboxie,and the paid version of returnil.
It is my understanding,best confirmed by Coldmoon on the Returnil forums,that the class of Malware known as "dog" trojans,represent the main, real, threat to Returnil virtualization.
These can largely be blocked by a limited user account.
At one point I achieved this via the "drop my rights", utility,but I now rely on the same feature in Sandboxie.
When I try out software,I normally just run it in Returnil.
I don't know, but i am pretty sure, if you plan to test malware etc,something like Virtual Machine would be an even safer bet.
I thank the learning curve in squeezing as much as possible from Sandboxie is somewhat steeper than with Returnil,and I hope you will look at some of the fascinating threads about that app here on Wilders.

 

Returnil already has AE module(HIPS) that protect against lowlevel disk writes. So basically, that covers all robodog type malwares like killdisk that targeted virtualizing solutions.

A hypothetical targetted attack which would use buffer overflow to run a shellcode to disable your virtualizing solution is a possibility. But the probability of that type of attack in real world scenario is very nill or near impossibility. The attacker must know of course that you are using any vulnerable software/s(w/c your proper security and privacy measures could prevent) and must have found a way to bypassed/disabled your firewall(perhaps via your trusted web browser with the default scripting and/or your untrusted p2p, both acting as servers and running with full administrative rights or via social engineering by clicking on attachments on e-mail for e.g.).

If you like, you can add another HIPS or sandbox to give redundant protections against lowlevel disk access as ypestis suggested.

 

Thanks for your quick and informative responses.

That has put my fears to rest, as the post I read was almost 1 1/2 years old.

I had been using sandboxie for 2 years, it's a great program but It was restrictive at times, and wouldn't allow some/all software to run as intended.

Is there a huge difference or advantage in testing software/malware on a VM opposed to in Returnal
Is it just as safe?

 

trismegistos:

Using Returnil v2.0.1.9002,the Anti-execute module provide is not enabled by default is it?
It is nessasary to go start/all programs/Returnil/Returnil tools/Returnil Anti-execute,
and enable and configure it?

 

I'm not sure of the software, it was a while back.
But my experience wth google earth sandboxed was a disaster, it has a browser that connects to the net. Sandboxing Google Earth made it unusable
Like I said sandboxie is great and I will use it again, but there are allot of new products available that let me test new software, without impairing it's use.

Thanks for the tip, I assumed it was available only for premium users.
Having briefly tested this feature, I have a few questions.

For me, Returnil is my last line of defence. If I allow access to an executable(in protection mode) will that file always have access rights, will it also allow that file access to my real pc

When I then reboot, will the access rules I created(in protection mode) still be valid?

 

Dear Overangry:

I am sorry i really cant answer your questions about Returnil Anti-Executable,as other than to try it out for a few hours,I really have not made use of it.
It seems that Coldmoon on the Retrnil Forums stated that the whole idea was something of a stop-gap,or work in progress in responce to the "dog"
malware,or some proof of concept vehicle.

 

Thanks for your quick reply, I'll try to find the answers browsing this forum. I'm sure it has been asked before.

 

1. You can control how AE functions using the AE White List and Black List. All files listed in the White List will automatically be allowed execute permission when AE is enabled. All files listed in the Black List will automatically be denied execute access when AE is enabled. This behaviour can be changed at any time by removing a file from the appropriate list. For files not in either list, you will be prompted when you try to execute the file unless AE has already determined that the file is safe in which case it will have been added to the White List automatically.

2. Granting execute permission with AE only allows the file to be executed. It does not enable the file to bypass the virtual layer and write directly to the real file system.

3. Changes to the AE Settings, White List, and Black List are automatically written to the real file system, so they are are preserved after a reboot.

 

Thanks pegr, that is exactly what I was after

 

You're most welcome.

Kind regards

 

These virtulization stuffs. I believe these are only good to safeguard your working and good 'os' and other 'files'. You can revert back to your 'originals files or os' like you do in 'windows recoveries'. But these 'virtualization' can not protect others from 'hacking' or 'peeking' into your computer while your on 'virtual' mode'. For instance while your are working 'on virtual mode' they can steal your say 'bank password' etc. I think along with this kind of softwares you still need Anti Virus softwares.

 

I agree.

ISR software (e.g. Returnil) shortens the time to removal and provides effective clean up after an infection, but doesn't prevent infection or stealing of personal information in the first place. For that you need other approaches, e.g. antivirus software, software restriction policies, behavioural/heuristic detection, HIPS, etc.

 

Overangry,

Online Armor, PrevX, DriveSentry, GeSWall and Returnil?

That is really to much (overlap OA, PrevX, DS)

When you go out doing shopping, you can get an accident. What passes OA, GesWall and Returnil lies in the same category. When you take a holiday and go by plain you have a small chance of crashing also. Security should be dealt by looking at two dimensions:
- probability
- impact

When you are using OA free, this implies (atleast previous versions I tested did not) that OA free does not protect at boot-up time. So when you want a free strong, easy to use FireWall, use Outpost Free, enable all protection.
This unprotected at boot up has a low probability of happening, but its impact is high when an intrusion uses this.

I guess you have only use freebies, so stick with a classic setup
- FW/HIPS = Outpost Free
- AV = Avira Free (set to check on write only, because you are using Sandboxie)
- Sandboxie for internet facing software (paid)

or
- DriveSentry (paid)
- GeSWall (paid)
- Windows FW

or
- PrevX (paid)
- Sandboxie (paid) or GeSWall Pro (paid)
- Windows FW

 

Kees1958, I have read your comments with interest.
I have known for some time that this is a little over the top...
I purchased DS because I believed it was a good product at a very reasonable price, the same applies for Geswall and Prevx. Returnal and OA are free versions. I didn't want to uninstall them because I feel I have wasted my money, well I have learnt from my mistakes...

I will try this configuration: Geswall, Prevx, Returnal with windows firewall.
I also believe that this combination will cover the lack of outbound connection protection in windows firewall. I hope that this assumption is correct?
I have noticed a slight increase in speed.
Again, thanks for your input.

 

Well when you have GeSWall Pro, set the Network to parameter in the resources section to Condidential. This prevents untrusted to go outbound.

You can still use DriveSentry, but disable the back ground scanner. This way you will be only using its HIPS module (file and registry protection), with the community advisor.

Add PrevX and set Heuristics AFTER Age, set all sliders to medium. This way PrevX will be your buddy when you install new programs.

You can skip Returnil in this setting

 

Well when you have GeSWall Pro, set the Network to parameter in the resources section to Condidential. This prevents untrusted to go outbound.

You can still use DriveSentry, but disable the back ground scanner. This way you will be only using its HIPS module (file and registry protection), with the community advisor.

Add PrevX and set Heuristics AFTER Age, set all sliders to medium. This way PrevX will be your buddy when you install new programs.

You can skip Returnil in this setting

Daily practise
a) GeSWall will protect you. Malware will be paralised
b) Run occiasional scans with DS and PrevX to romove any (by GeSWall) crippled malware before backup
c) When installing Software (set it to trusted with GW)
- Drive Sentry will tell you what regsitry and file access teh new one does and whether the community data base knows it yes/no
- PrevX will be your most important buddy (Heuristics After Age, meaning new executables are monitored, also after install)


PS, I am only running this at the moment https://www.wilderssecurity.com/showpost.php?p=1498298&postcount=5097 DW does not has the network feature (yet) of GeSWall)