The most powerful Anti-Malware technology available today

Discussion in 'other anti-malware software' started by Gobbler, Aug 23, 2010.

Thread Status:
Not open for further replies.
  1. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Can it be said that Sandboxing or Virtualization is the best Anti-Malware technology available today?
     
    Last edited: Aug 23, 2010
  2. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,080
    The problem with Virtualisation is that your computer can be infected and important data stolen before you restart the computer again.

    You should be protected against malware in every layer possible. There is not a single layer that is 100% effective:

    Virtualisation
    Sandboxing
    Firewall
    AV
    BB
    ...
     
  3. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Well said lordraiden. :thumb:
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    to answer your question... IMO yes they are :thumb:
     
  5. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    virtualization / sandboxing :thumb: + encryption can meet the challenges
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Malware.

    First, can it escape a sandbox or VM?

    If it cannot, then you only need to handle these environments.

    Second, are you concerned about sensitive activities, such as banking where you have something to lose?

    If so, cannot a wiped environment always be considered clean?

    Third, are you concerned about malware in these environments if you don't bank etc in them?

    If so, then maybe delete the environment every time you use it.

    If not, you have nothing to lose, so continue on in the environment until such a time as you choose to delete it and start over.

    If the malware cannot escape the environment, what concern do you have?

    Primarily you should be concerned that you have sensitive data on the real system. The sandboxed or virtual environment can typically read from the real system, just not modify it.

    It is wise then to limit the sandboxed/virtual interactions to the real system with some sort of black or white list approach.

    It is also wise, if you have many concerns, to ensure from day 1 that you keep the real system clean of any sensitive data, meaning use the sandbox/virtual environment from day 1 and don't allow sensitive data in the real system without a block to the virtual environments, from day 1.

    Yes, this might work if you choose to do so. Perhaps it is easier to use 5 layers of defense from 3rd parties though, all depends.

    Sul.
     
  7. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    So :thumb: . And...

    - HIPS ( IMO better than BB )
    - software for disk imaging (also of the MBR), with the images created on external media (some rootkit could be stronger than HIPS and sandboxing, and/or it could be necessary to clean the system completely, or to be sure that is done!).

     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    So what's a 100%?

    Downloading and running several gigs of malware samples without a breach maybe.

    If so then Sandboxie "is" or "has" been 100% secure so far!
     
  9. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,080
    Good luck then, now explain to a normal user what to execute and what not in the sandbox. How is a normal user going to differentiate between a rogue AV and a normal one using Sandboxie? Should we sandbox 100% of the executables on our PC?

    What if we trust one installer or executable, so we don't sandbox it, and then the installer is malware? Sandboxie is not going to alert us about this.

    It could be 100% (I don't think so) but it is not very practical.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Maybe you expect too much or just use SBIE differently.

    When I set it up for average people, I simply tell them to use one sandbox with Firefox for certain activities, and use another with IE or whatever for other activities. They adopt the idea that one sandbox (IE) will be deleted after they stop using it, and all data is gone, deleted, bye bye. They actually get it, that if they want to do banking, they only do it there.

    Then for their other box, Firefox or whatever, they understand (somehow) that it is all contained, and they must save to Desktop or My Documents if they want to keep what they download.

    It is true that what you download can be a virus etc., but that does not affect the sandbox, but the real system (if designed logically and they adhere to it). If they follow instructions, keeping two separate procedures for two separate types of activity, they seem to comprehend it and get a pretty decent amount of protection.

    What they do with files outside of the sandbox, well, we are back to square one with that. You can trust an AV and hope it catches everything. You can shove it into a sandbox and deal with the fact that they can't recover as easily if not in desktop or mydocs. We all know the drill, average users just click 'yes' when prompted.

    I don't see using SBIE as more cumbersome than multiple security tools. If you take the time to educate users on file structure, SBIE can be better IMHO. I certainly don't encourage people to run everything in a sandbox. I encourage them to scan it with their tools, and if they want to, start it in another sandbox that is designed to test things in. We will never be free of exploits, no matter if we use every tool on the market. Besides, while we can use 3 good tools, an average user either has to struggle to learn to use those tools or they will eventually do the wrong thing and become a statistic. I don't see there is a real answer for anyone who does not desire to learn. But for those who are willing to learn, you can use anything you want really and be safe. But that is completely different from most average users.

    Sul.
     
  11. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Sandboxing or Virtualization are better than inadequate Signature-based and/or Infective Heuristics Scanners, especially against 0-day Malware!
     
  12. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,080
    I just wanted to say that sandboxing is quite safe but shouldn't be the only layer of security. What if the computer is already infected? What if the malware does not come via the browser?
    There is more sensitive information, not only what you do with the browser.

    For most people it would be easiest, faster and cheaper to use Ubuntu or any other distro.

    Another thing is that maybe people don't want to lose all the changes every time they close the browser.
     
    Last edited: Aug 24, 2010
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, quite true. It can be the only layer of security, but only for someone who knows what they are doing. But I would agree, if you place all your eggs in that basket, things can very well happen outside the sandbox that affect system integrity.

    A Linux distro would be a great choice for people who don't have a specific software need on the M$ platform.

    Sul.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Like some already mentioned, they can be all an experienced user needs. An experienced user may not need them at all, if they know how to prevent infections in the first place.

    For example, right now, I'm using a laptop belonging to relatives. They understand pretty much nothing about computer security. They do know viruses exist (for them everything out there is a virus!), so if I scared them a bit... :D ... they might change their ideas.
    Anyway, the laptop was poorly secured. Really poorly secured. Running in an Administrator account with no UAC activated and running Internet Explorer with a damn High IL.

    Well, as soon as I put my hands on it (some time ago), I changed things a bit... Quite a bit, to be honest :).
    First, I created a LUA account and enabled UAC, DEP and SEHOP with full protections. Then I installed Microsoft Security Essentials and have tweaked it to check for updates every 35 minutes; AVG LinkScanner, SpywareBlaster and Spybot - Search & Destroy immunizations.

    I've also changed a few settings in Internet Explorer, but not too much, so that it won't be too restrictive to them. The way IE8 is right now (Windows 7) will run with Low IL, because of UAC, restricting what will happen to the system in case of some vulnerability exploitation. Plus AVG LinkScanner and SpywareBlaster + Spybot's immunizations, it further increases security.

    I also installed Sandboxie, but haven't created any sandboxes for IE, because I simply don't use it.

    But I'll advise them to run it, alongside the Chromium browser, with my own profile flavours.
    I have created 5 different profiles:

    - Normal Mode: No restrictions, runs in incognito mode. To access web sites deemed to be safe and that require cookies! No space for adventures!

    - Email Mode: Set to automatically open whatever email service they use, and only allowing cookies, javascript, plugins for that service.

    - Youtube Mode: Set to automatically open Youtube and only allowing the required stuff like flash and javascript for Youtube, everything else blocked.

    - Cookies Blocked: The only restriction are cookies. To use for sites deemed to be safe, but that do not require cookies.

    - Safer Mode: Blocks javascript, java, cookies, plugins and some other stuff. This is to be used for most of their web browsing, when they just want to research and, obviously, have no idea where they will end up.

    This latter one, alongside Chromium's own sandbox, will pretty much nullify any attack that may happen on this browser's vulnerabilities.

    Of course, for the other modes I've created, there's still AVG LinkScanner which will protect every browser. (In case they don't want to use Sandboxie.)

    Sandboxing and Virtualization for these sort of users may become security through obscurity. So, more is needed.

    Edit: Every Chromium session starts in Incognito.
     
    Last edited: Aug 24, 2010
  15. jay2007tech

    jay2007tech Registered Member

    Joined:
    Jun 3, 2009
    Posts:
    9
    Put the computer in BSOD Mode :argh: LOL. Because when you get the blue screen, even malware like TDSS can't operate.
     
  16. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    IMO the most powerful combo is. . .

    1- Image system drive at least weekly & retain at least 5 or more images, on an external drive.

    2- Run real-time strong keylogger defense such as Spyshelter or Zemana Antilogger or SafeOnline

    3- Use a hardware SPI-enabled router

    4- Use a software firewall that strongly protects all possible outbound connections so that any outbounds MUST be specifically allowed by you, ad hoc.

    5- Do a daily scan with a file integrity checker that carefully checks (using strong hashes such as SHA-1) all key registry items, system files, & other key files.

    6- Scan daily with Hitman Pro or Bugbopper or Prevx-free

    7- Use DropMyRights (DMR) to run all internet-facing apps (browsers, email clients, ftp clients, updaters, etc).

    8- Read and learn more about security (a main reason I am a denizen of Wilders)

    NOTICE: The only real-time anti-malware apps in the above list are the anti-keylogger (#2) & the firewall (#4). With these apps, plus the on-demand scans (#5 & 6) & DMR (#7), a clean drive image (#1) renders you STRONGLY bullet proof.
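    As an added example, not something from the thread or from any of the tools named in it, here is how the daily file integrity check in item #5 can be implemented in Python: hash every regular file under a directory, persist that as a trusted baseline, and on the next run report what was modified, added or removed. The post mentions SHA-1; this uses SHA-256 because SHA-1 collisions are practical today. Registry items are not covered, and the directory layout and file names in the demo are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path, chunk: int = 65536) -> str:
    """Hex SHA-256 digest of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its digest."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():  # skip directories and symlinks
            snap[p.relative_to(root).as_posix()] = hash_file(p)
    return snap

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as modified, added or removed paths."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def save_baseline(snap: dict, out: Path) -> None:
    """Persist the baseline; keep it off the monitored disk, e.g. next to the images."""
    out.write_text(json.dumps(snap, sort_keys=True, indent=1))

def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())

def demo() -> dict:
    """Constructed tree with hypothetical names: baseline, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(d), Path(store) / "baseline.json"
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "system32" / "drivers.cfg").write_bytes(b"ok\n")
        save_baseline(build_snapshot(root), baseline_file)       # day 1: trusted state
        (root / "system32" / "hosts").write_bytes(b"# edited\n")  # modified
        (root / "system32" / "dropped.dll").write_bytes(b"MZ")    # added
        (root / "system32" / "drivers.cfg").unlink()              # removed
        return compare(load_baseline(baseline_file), build_snapshot(root))
```

    A real deployment would run `build_snapshot` against the actual system paths and compare against a baseline stored with the drive images, so that a tampered baseline cannot hide a tampered file.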
     
  17. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    bellgamin:thumb:
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Yeah, the old dude is right. Hmm, actually I am older.:'(

    But 5 and 6 could be dropped for a good AV. But very good advice from the silver fox.:cool:
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Maybe so - - - but can you wiggle your ears? :cautious:
     
  20. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    The most powerful anti-malware protection is Yourself.
    Educating yourself to know what not to do is the best protection.

    New malware is released in the wild daily, so you can not depend on software alone to protect you.

    There are new forms of malware that can bypass sandboxing and virtualization. Although they are rare, they still exist.

    It just takes one little vulnerability or program bug to let malware infect your system.

    Too many users think they can rely totally on software to protect them, but the best protection is the user's actions.
    If you continue to click on bad sites or ads and download from untrusted sources, malware will find a way to infect you.

    No software can protect you 100%.

    Thanks.:)
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Agree with lordraiden, m00nbl00d, Sully and of course with bellgamin :thumb:
    m00nbl00d, you also have good ideas :thumb: thanks for sharing
     
  22. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
    For internet banking and other very sensitive stuff, a Linux live CD will do well... reboot your Windows, pop in that live CD and start your banking session... no virus or malware can write to that CD... :thumb: :D
     
  23. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    That is great !
    Also ... I would add Iris Scan on every boot and 'just' fingerprint scanner when launching apps.
    Box would be locked with key of course, with laser beams around it at all times (except when using the box).
    The only problem is online banking. I can't switch the internet OFF; I can make sure that there is no one near me in a 1 mile area, but even with a fresh OS, zero-wiped and scanned with every AV that exists (just in case), with tons of anti-keyloggers resident, HIPSs, BBs and whatnot, I just can't be sure man ... :D
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    No, but I can wiggle the hair in them. ;)
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Non-utilitarian sarcasm noted. But the fellow did ask for "most powerful."

    By the way, I used to go with a girl named Iris. She was very pleasant to scan.
     