System virtualization... help

Discussion in 'sandboxing & virtualization' started by overangry, Jun 22, 2009.

Thread Status:
Not open for further replies.
  1. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Just a quick question to those more knowledgeable.

    Is there a virtualization solution out there that works 99.99% or better?
    I have read in this forum that some will not protect you outright.

    I am currently using the free version of Returnil, which has served me well in the past, but having read that it does not protect against all threats has made me feel uneasy o_O
    Well, I suppose what I really want is a software solution that is easy to use, and should I encounter malware be able to restore my pc to a clean state.

    I have a paid version of Sandboxie, but I find it hinders me in trying out new software (programs not running).
    I was thinking of programs like:
    Powershadow, shadowdefender, something I can enable when required and restores to a clean PC on reboot.
    Or is roll-back software better suited for my needs o_O
     
  2. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Returnil is one. To the best of my knowledge the few attacks that can bypass light virtualisation programs are not widely used by real-world malware.
     
  3. ypestis

    ypestis Guest

    Hello overangry:

    I am far from an expert, and I suppose I reverse your system, using the free version of Sandboxie and the paid version of Returnil.
    It is my understanding, best confirmed by Coldmoon on the Returnil forums, that the class of malware known as "dog" trojans represents the main, real threat to Returnil virtualization.
    These can largely be blocked by a limited user account.
    At one point I achieved this via the "drop my rights" utility, but I now rely on the same feature in Sandboxie.
    When I try out software, I normally just run it in Returnil.
    I don't know, but I am pretty sure that if you plan to test malware etc., something like a virtual machine would be an even safer bet.
    I think the learning curve in squeezing as much as possible from Sandboxie is somewhat steeper than with Returnil, and I hope you will look at some of the fascinating threads about that app here on Wilders.
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Returnil already has an AE module (HIPS) that protects against low-level disk writes. So basically, that covers all robodog-type malware like killdisk that targeted virtualizing solutions.

    A hypothetical targeted attack which would use a buffer overflow to run shellcode to disable your virtualizing solution is a possibility. But the probability of that type of attack in a real-world scenario is very nil, or a near impossibility. The attacker must of course know that you are using some vulnerable software (which your proper security and privacy measures could prevent) and must have found a way to bypass/disable your firewall (perhaps via your trusted web browser with the default scripting and/or your untrusted P2P, both acting as servers and running with full administrative rights, or via social engineering by clicking on attachments in e-mail, for example).

    If you like, you can add another HIPS or sandbox to give redundant protection against low-level disk access, as ypestis suggested.
     
    Last edited: Jun 22, 2009
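The point in the post above is that an ISR tool like Returnil only redirects writes that go through the file system; a write made through a raw device handle (such as \\.\PhysicalDrive0) lands on the disk below that layer, which is why a separate low-level write guard is needed. The following is an added example, not Returnil's code or anything posted in this thread: it classifies Windows open requests as file-system paths (virtualized) or raw device paths (blocked on write). The path patterns are the usual Windows device-namespace spellings and are an assumption, not a complete list; the sample events are constructed.

```python
"""Why file-system virtualization alone is not enough.

A write to C:\\Windows\\... is redirected by the virtual layer and vanishes
on reboot.  A write through a raw device handle (\\\\.\\PhysicalDrive0,
\\Device\\Harddisk0\\DR0, ...) does not pass through that layer and can
change the real disk, so a low-level write guard must decide on it separately.
Added example; patterns are an assumption about common spellings.
"""
import re

# Windows device-namespace forms that reach the disk below the file system.
RAW_DEVICE_PATTERNS = [
    re.compile(r"^\\\\[.?]\\PhysicalDrive\d+$", re.I),           # \\.\PhysicalDrive0
    re.compile(r"^\\\\[.?]\\[A-Za-z]:$", re.I),                   # \\.\C:  (whole volume, not C:\)
    re.compile(r"^\\\\[.?]\\Harddisk\d+Partition\d+$", re.I),     # \\.\Harddisk0Partition1
    re.compile(r"^\\\\[.?]\\HarddiskVolume\d+$", re.I),          # \\.\HarddiskVolume1
    re.compile(r"^\\\\[.?]\\Volume\{[0-9a-fA-F-]{36}\}$", re.I),  # \\?\Volume{GUID}
    re.compile(r"^(?:\\\\[.?]\\GLOBALROOT)?\\Device\\Harddisk\d+\\(?:DR\d+|Partition\d+)$", re.I),
]


def is_raw_device(target):
    """True when the open target names a disk or volume device, not a file."""
    t = target.strip()
    return any(p.match(t) for p in RAW_DEVICE_PATTERNS)


def decide(target, access):
    """What a combined ISR + low-level write guard does with one open request.

    access is 'read' or 'write'.  Returns 'allow', 'virtualize' or 'block'.
    """
    if access not in ("read", "write"):
        raise ValueError("access must be 'read' or 'write'")
    if is_raw_device(target):
        # Reads (imaging, partition tools) are harmless; raw writes bypass the
        # virtual layer and would survive the reboot rollback, so block them.
        return "block" if access == "write" else "allow"
    # Ordinary file-system path: writes are redirected and discarded on reboot.
    return "virtualize" if access == "write" else "allow"


# Constructed open events, in the shape a HIPS driver might report them.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\drivers\etc\hosts", "write"),
    (r"C:\Users\me\Documents\report.doc", "read"),
    (r"\\.\PhysicalDrive0", "write"),
    (r"\\.\PHYSICALDRIVE0", "read"),
    (r"\\.\C:", "write"),
    (r"\\?\C:\Windows\Temp\x.tmp", "write"),   # extended-length file path, not a device
    (r"\\?\Volume{a1b2c3d4-0000-1111-2222-333344445555}", "write"),
    (r"\Device\Harddisk0\DR0", "write"),
    (r"\\.\GLOBALROOT\Device\Harddisk0\Partition1", "write"),
]


def audit(events=SAMPLE_EVENTS):
    """Return (target, access, decision) for every event."""
    return [(t, a, decide(t, a)) for t, a in events]


def blocked(events=SAMPLE_EVENTS):
    """Targets the guard would refuse to open for writing."""
    return [t for t, a, d in audit(events) if d == "block"]


if __name__ == "__main__":
    for target, access, verdict in audit():
        print(f"{verdict:10s} {access:5s} {target}")
```

Note the extended-length file path `\\?\C:\Windows\Temp\x.tmp`: it starts like a device path but names a file, so it must still be virtualized rather than blocked; a guard that keys on the `\\?\` prefix alone would break ordinary software.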
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Sandboxie when configured right and used sensibly should provide outstanding protection and not impede software from running.

    It can be used to isolate the system, block internet access to anything but specified programs running in the sandbox, and block anything sandboxed from accessing your data. I sandbox all my browsers and Outlook.

    I also run Shadowdefender, which currently has the advantage that it can virtualize any hard drives, including externals that it sees on your system.

    Pete
     
  6. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Thanks for your quick and informative responses.

    That has put my fears to rest, as the post I read was almost 1 1/2 years old.

    I had been using Sandboxie for 2 years; it's a great program, but it was restrictive at times and wouldn't allow some/all software to run as intended.

    Is there a huge difference or advantage in testing software/malware on a VM as opposed to in Returnil o_O
    Is it just as safe?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    What software did it give you trouble with?

    I also do run in a VM. The big difference is that what you are testing isn't installed on your host. Also, in the VMware case, you have a snapshot feature, which is fantastic.

    Probably as safe, if not safer, than all the other virtualization techniques.

    Pete
     
  8. ypestis

    ypestis Guest

    trismegistos:

    Using Returnil v2.0.1.9002, the Anti-Execute module provided is not enabled by default, is it?
    It is necessary to go to Start/All Programs/Returnil/Returnil Tools/Returnil Anti-Execute,
    and enable and configure it?
     
  9. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I'm not sure of the software, it was a while back.
    But my experience with Google Earth sandboxed was a disaster; it has a browser that connects to the net. Sandboxing Google Earth made it unusable :(
    Like I said, Sandboxie is great and I will use it again, but there are a lot of new products available that let me test new software without impairing its use.
    Thanks for the tip, I assumed it was available only for premium users.
    Having briefly tested this feature, I have a few questions.

    For me, Returnil is my last line of defence. If I allow access to an executable (in protection mode), will that file always have access rights, and will it also allow that file access to my real PC o_O

    When I then reboot, will the access rules I created (in protection mode) still be valid?
     
  10. ypestis

    ypestis Guest

    Dear Overangry:

    I am sorry, I really can't answer your questions about Returnil Anti-Executable, as other than trying it out for a few hours, I really have not made use of it.
    It seems that Coldmoon on the Returnil forums stated that the whole idea was something of a stop-gap, or work in progress, in response to the "dog" malware, or some proof-of-concept vehicle.
     
  11. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Thanks for your quick reply, I'll try to find the answers browsing this forum. I'm sure it has been asked before.:)
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    1. You can control how AE functions using the AE White List and Black List. All files listed in the White List will automatically be allowed execute permission when AE is enabled. All files listed in the Black List will automatically be denied execute access when AE is enabled. This behaviour can be changed at any time by removing a file from the appropriate list. For files not in either list, you will be prompted when you try to execute the file unless AE has already determined that the file is safe in which case it will have been added to the White List automatically.

    2. Granting execute permission with AE only allows the file to be executed. It does not enable the file to bypass the virtual layer and write directly to the real file system.

    3. Changes to the AE Settings, White List, and Black List are automatically written to the real file system, so they are preserved after a reboot.
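The three points above describe a small decision procedure: white list allows, black list denies, anything else is prompted for unless a trust check has already marked it safe, and the lists live on the real disk so they outlast the reboot rollback. The code below is an added example that models that procedure; it is not Returnil's code and nothing in this thread shows how Returnil stores its lists. Keying the lists by SHA-256 of the file contents (so a renamed copy keeps its verdict), the JSON store format, the `known_safe` and `prompt` callbacks, and remembering the user's prompt answer are all assumptions of this example. The sample files are constructed in a temporary directory.

```python
"""Model of an anti-executable (AE) allow/deny decision with persistent lists.

Added example, not Returnil's code.  Assumptions: lists are keyed by content
hash, stored as JSON on the real disk outside the virtual layer, and the
answer to a prompt is remembered (the thread does not say whether AE did).
"""
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 65536


def sha256_file(path):
    """Content hash, so a renamed or copied file keeps its verdict."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class AntiExecute:
    """White list -> allow, black list -> deny, else trust check, else prompt."""

    def __init__(self, store_path, known_safe, prompt):
        self.store_path = store_path    # assumption: on the real disk, not virtualized
        self.known_safe = known_safe    # callable(path, digest) -> bool
        self.prompt = prompt            # callable(path) -> bool, True means user allows
        self.whitelist, self.blacklist = set(), set()
        self.prompts = 0                # how often the user was asked
        if os.path.exists(store_path):
            with open(store_path) as f:
                data = json.load(f)
            self.whitelist = set(data["whitelist"])
            self.blacklist = set(data["blacklist"])

    def _save(self):
        tmp = self.store_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"whitelist": sorted(self.whitelist),
                       "blacklist": sorted(self.blacklist)}, f)
        os.replace(tmp, self.store_path)   # atomic swap: never a half-written list

    def remove(self, digest):
        """Take a file out of either list; it is prompted for again next time."""
        self.whitelist.discard(digest)
        self.blacklist.discard(digest)
        self._save()

    def decide(self, path):
        """Return 'allow' or 'deny' for an execute request on path."""
        d = sha256_file(path)
        if d in self.blacklist:
            return "deny"
        if d in self.whitelist:
            return "allow"
        if self.known_safe(path, d):
            self.whitelist.add(d)          # auto-white-listed, no prompt
            self._save()
            return "allow"
        self.prompts += 1
        (self.whitelist if self.prompt(path) else self.blacklist).add(d)
        self._save()
        return "allow" if d in self.whitelist else "deny"


def demo():
    """Constructed scenario; returns every verdict so it can be checked."""
    root = tempfile.mkdtemp()
    try:
        files = {}
        for name, body in [("vendor.exe", b"MZ vendor build"),
                           ("tool.exe", b"MZ new tool"),
                           ("dropper.exe", b"MZ dropper")]:
            files[name] = os.path.join(root, name)
            with open(files[name], "wb") as f:
                f.write(body)
        files["photo.scr"] = os.path.join(root, "photo.scr")   # renamed copy of the dropper
        shutil.copyfile(files["dropper.exe"], files["photo.scr"])

        known_good = {sha256_file(files["vendor.exe"])}         # constructed trust source
        store = os.path.join(root, "ae_lists.json")
        ae = AntiExecute(store, lambda p, d: d in known_good,
                         lambda p: os.path.basename(p) == "tool.exe")
        out = {
            "vendor": ae.decide(files["vendor.exe"]),     # known safe: allow, no prompt
            "tool": ae.decide(files["tool.exe"]),         # prompted, user allowed
            "dropper": ae.decide(files["dropper.exe"]),   # prompted, user denied
            "renamed": ae.decide(files["photo.scr"]),     # same hash: deny, no prompt
            "prompts": ae.prompts,
        }

        def no_prompt(p):   # after the "reboot" the lists must answer by themselves
            raise AssertionError("prompted after reboot for " + p)

        ae2 = AntiExecute(store, lambda p, d: False, no_prompt)
        out["tool_after_reboot"] = ae2.decide(files["tool.exe"])
        out["dropper_after_reboot"] = ae2.decide(files["dropper.exe"])
        ae2.remove(sha256_file(files["dropper.exe"]))          # user changes their mind
        ae3 = AntiExecute(store, lambda p, d: False, lambda p: False)
        out["dropper_after_remove"] = ae3.decide(files["dropper.exe"])
        out["prompts_after_remove"] = ae3.prompts               # asked again: 1
        return out
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

Point 2 of the post is reflected in what this class does not do: `decide` only answers the execute question, it grants no path a way around the virtual layer. The renamed-copy case shows why hashing rather than the path is the safer key for such lists.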
     
  13. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Thanks pegr, that is exactly what I was after:thumb:
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    You're most welcome.

    Kind regards
     
  15. sagitta

    sagitta Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    1
    This virtualization stuff: I believe these are only good to safeguard your working and good 'OS' and other 'files'. You can revert back to your 'original files or OS' like you do in 'Windows recoveries'. But this 'virtualization' cannot protect others from 'hacking' or 'peeking' into your computer while you're in 'virtual mode'. For instance, while you are working 'in virtual mode' they can steal your, say, 'bank password' etc. I think along with this kind of software you still need antivirus software.
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I agree. :thumb:

    ISR software (e.g. Returnil) shortens the time to removal and provides effective clean up after an infection, but doesn't prevent infection or stealing of personal information in the first place. For that you need other approaches, e.g. antivirus software, software restriction policies, behavioural/heuristic detection, HIPS, etc.
     
    Last edited: Jul 5, 2009
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Overangry,

    Online Armor, PrevX, DriveSentry, GeSWall and Returnil?

    That is really too much (overlap OA, PrevX, DS).

    When you go out shopping, you can have an accident. What passes OA, GeSWall and Returnil lies in the same category. When you take a holiday and go by plane you have a small chance of crashing also. Security should be dealt with by looking at two dimensions:
    - probability
    - impact

    When you are using OA free, this implies (at least previous versions I tested did not) that OA free does not protect at boot-up time. So when you want a free, strong, easy-to-use firewall, use Outpost Free and enable all protection.
    Being unprotected at boot-up has a low probability of happening, but its impact is high when an intrusion uses it.

    I guess you only use freebies, so stick with a classic setup:
    - FW/HIPS = Outpost Free
    - AV = Avira Free (set to check on write only, because you are using Sandboxie)
    - Sandboxie for internet facing software (paid)

    or
    - DriveSentry (paid)
    - GeSWall (paid)
    - Windows FW

    or
    - PrevX (paid)
    - Sandboxie (paid) or GeSWall Pro (paid)
    - Windows FW
     
  18. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Kees1958, I have read your comments with interest.
    I have known for some time that this is a little over the top...
    I purchased DS because I believed it was a good product at a very reasonable price; the same applies for GeSWall and Prevx. Returnil and OA are free versions. I didn't want to uninstall them because I feel I have wasted my money; well, I have learnt from my mistakes...

    I will try this configuration: GeSWall, Prevx, Returnil with Windows firewall.
    I also believe that this combination will cover the lack of outbound connection protection in Windows firewall. I hope that this assumption is correct?
    I have noticed a slight increase in speed.
    Again, thanks for your input.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, when you have GeSWall Pro, set the Network parameter in the resources section to Confidential. This prevents untrusted apps from going outbound.

    You can still use DriveSentry, but disable the back ground scanner. This way you will be only using its HIPS module (file and registry protection), with the community advisor.

    Add PrevX and set Heuristics AFTER Age, set all sliders to medium. This way PrevX will be your buddy when you install new programs.

    You can skip Returnil in this setting

    Daily practice
    a) GeSWall will protect you. Malware will be paralysed
    b) Run occasional scans with DS and PrevX to remove any (by GeSWall) crippled malware before backup
    c) When installing software (set it to trusted with GW)
    - DriveSentry will tell you what registry and file access the new one does and whether the community database knows it yes/no
    - PrevX will be your most important buddy (Heuristics After Age, meaning new executables are monitored, also after install)


    PS, I am only running this at the moment https://www.wilderssecurity.com/showpost.php?p=1498298&postcount=5097 (DW does not have the network feature (yet) of GeSWall)
     