Toolwiz Time Freeze

Discussion in 'sandboxing & virtualization' started by sg09, Dec 1, 2011.

  1. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Has Toolwiz TF been professionally tested? I thought it was a newer product and have heard of no recent virtualization tests.
     
  2. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Professionally tested? No, I don't think so. However, I myself did do some tests on a 32-bit Windows XP in Microsoft Virtual PC 2007. I used two droppers/samples I have of TDL3 and TDL4. I normally use Oracle VM VirtualBox for generic tasks but TDL doesn't behave well in it (it is VM aware or just buggy VirtualBox drivers, I don't know) so I used the Microsoft one instead.

    First I checked whether TDL successfully infected the system by running each dropper and then scanning with the latest version of TDSSKiller with the option to detect the TDSS file system enabled as well. Results were positive - both rootkits successfully infected the system.

    Then I reset the system to the original clean state, start it, install the virtualization application, reboot (if needed by the product), activate the virtualization, run the dropper, stop the virtualization (discarding changes of course), reboot, scan with TDSSKiller to see what the situation is.
    Repeat this paragraph for every virtualization application twice - once for each TDL version.

    Only Shadow Defender manages to withstand the rootkit completely. This applies to all 3 latest versions: 1.1.0.325, 1.1.0.326 and (the controversial) 1.1.0.331.
    Returnil System Safe Free seems to prevent the rootkit installation but allows the TDSS file system to be created. This should basically be a success/pass, as the file system should be harmless without the actual rootkit. However, both rootkits did cause freezes/crashes of the virtual machine. Such did not occur with the other virtualization applications.
    Wondershare Time Freeze, Toolwiz TimeFreeze and the older Returnil Virtual System Personal Edition 2.0.1.9002 all fail, and the rootkits were present after the reboot.

    It's not a professional test so it might not hold any merit for some/many of you but it's good enough for me and I decided to share the results just in case.

    P.S.: I wanted to test the TDL4 rootkit on a Windows 7 x64 virtual machine but since the rootkit doesn't like VirtualBox and Microsoft's products don't support 64-bit guests I couldn't do it. I just couldn't be bothered to install VMware Player today, to me it's much more of a hassle than Virtual PC is: larger download, longer installation, more settings, manual edit of the VM file, etc.
     
    Last edited: Dec 10, 2011
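    The procedure above boils down to "snapshot, infect under virtualization, discard, reboot, verify". The post verifies with TDSSKiller; the following is an added example (not from the thread or any of the products discussed) of the generic file-level half of that verification: hash the tree before the test and after the rollback, and report anything that survived. The directory layout, file names and the simulated incomplete rollback in `demo()` are constructed for illustration. A file-tree diff cannot see MBR changes or a hidden file system such as the one TDSS creates, which is exactly why the poster also ran a rootkit scanner.

```python
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map relative path -> SHA-256 of contents for every regular file under root.
    Directories are recorded with a None digest so new folders show up too.
    Keys use '/' regardless of platform so snapshots compare deterministically."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != ".":
            snap[rel_dir.replace(os.sep, "/")] = None
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return snap


def diff_snapshots(before, after):
    """Paths that appeared, disappeared or changed between two snapshots."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = sorted(k for k in before if k in after and before[k] != after[k])
    return {"added": added, "removed": removed, "changed": changed}


def rollback_discarded_everything(before, after):
    """True only if the post-rollback tree is byte-identical to the baseline."""
    d = diff_snapshots(before, after)
    return not (d["added"] or d["removed"] or d["changed"])


def demo():
    """Constructed scenario (hypothetical paths, not a real system): a test run
    drops a driver file and edits an existing file, then a rollback restores
    the edited file but leaves the dropped driver behind."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "system32", "drivers")
        hosts = os.path.join(root, "system32", "hosts")
        os.makedirs(drivers)
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = snapshot_tree(root)

        # Changes made while "virtualization" is active (constructed).
        with open(os.path.join(drivers, "leftover.sys"), "wb") as f:
            f.write(b"\x00" * 16)
        with open(hosts, "a") as f:
            f.write("0.0.0.0 example.invalid\n")

        # Simulated incomplete rollback: hosts restored, driver not removed.
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        after = snapshot_tree(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())  # shows leftover.sys under "added", nothing changed or removed
```

    In a real run you would take the baseline on the clean system, run the test, discard changes and reboot, then take the second snapshot from a clean boot environment rather than from inside the possibly compromised OS.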
  3. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Thanks for the info. No, it may not be a professional test, but it is certainly worth notifying the developers of. They seem very responsive. I've done some similar testing with rogue AVs and Toolwiz TF did well against those; but then again they are not as sophisticated as the TDSS baddies.
     
  4. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    It may not be professional but it mirrors similar results that Wondershare Time Freeze and Toolwiz (similar in technology to Time Freeze) are ineffective against TDL rootkits. So far the only thing that I have found to be effective is Shadow Defender. It's too bad too, because I do love being able to disable Time Freeze on the fly.
     
  5. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    My personal opinion is that Toolwiz is more a tool, a set of features, to test clean software and fully uninstall it, rather than a protection/security application.
    The fact that the driver does not load at boot time (MBR) could be related to the failure against rootkits. But I'm not an expert on it.
     
  6. JoeBlack40

    JoeBlack40 Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    1,584
    Location:
    Romania
    For now, that's exactly my purpose in using Toolwiz TF. And it's :thumb: with this job.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    File Protection looks very useful.
     
  8. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    It still fails in that category: run the Trustware test and you will see. If you protect the "Documents" folder containing files and sub-folders, the test can read file names but not sub-folder names.
     
  9. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    Yes, reading file names is feasible, but it isn't possible to open or change them.

    So TTF's file protection feature is effective.
     
  10. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Sometimes file names still have sensitive information. I don't understand why sub-folder names are not readable.
    Anyway, if you add a folder to a protection list, it means that it should make it read-write protected like Outpost's file/folder protection.
     
  11. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    I can agree... :cool:

    With 'Toolwiz TF', folder protection is a 'Disable Access' method. E.g. 'Wondershare TF' has two methods: 'Disable Access' and 'Disable Changes' - and WTF, with 'Disable Access', doesn't allow opening the protected folder itself (no sensitive information indeed...).

    BTW, be careful when choosing the protected folder; system folders should never be protected ('My Documents' also IMO): a BSOD could come out with 'fltMgr.sys' as the file source.
     
  12. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    I always laugh at it :D
     
  13. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    I already had a similar BSOD in a test machine. Can you please explain why fltmgr.sys has something to do with the "Documents" folder?
     
  14. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    @sg09
    http://www.personalcomputerfixes.com/general-errors/how-to-prevent-fltmgr-sys-blue-screen-errors/
    I think if you have your own/private files in the default place (C:\Documents and Settings), you shouldn't block access to this area. This folder contains other folders which are probably very important to the proper working of the system (LocalService, NetworkService). Much better is to move private files (the whole content) to another non-system disk. The same I can say about downloading files to the desktop, which is the default option of the system or some programs.
    The other reason not to have your own files in C:\ - when the system is crashed or corrupted, all private files saved on it can be lost.
     
    Last edited: Dec 14, 2011
  15. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thanks..:)
    I rarely save any important files in "Documents"..:) I did so only to test the efficiency of TTF against the Trustware test.
     
  16. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I did the same...but in the very distant past :) Until the moment when my system first crashed and became corrupted ;)
    OK...I've understood :thumb:
     
  17. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    WTF always makes me smile, a most unfortunate acronym if there was ever one...

    BTW I just checked on their website and they're still pushing v2.0.3. This version has been released ages ago, a sign that the company behind the software lacks the coding talent to develop what they have further.

    The same thing happens with the unknown ...hacks who have acquired Shadow Defender. Those people - whoever they are - will keep selling Tony's code for as long as they can without any hope of further development. At least the people behind WTF are answering e-mails and offer support. The current SD owners are a total disgrace.

    I just hope Tony is still alive somewhere. It's funny how the mindset of doing business is so different in China. There are certain business ethics that would be unacceptable in the western world, but they are considered OK over there. I have had extensive business dealings with Chinese companies in the past so I speak from personal experience. Transparency of operation is not always important to them, and the way westerners do things is often seen by them as a sign of weakness - just another part of the often complicated Chinese mindset.
     
    Last edited: Dec 17, 2011
  18. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212
    Their main download link for Time Freeze is on CNET; I'm not even going to download and try it.
     
  19. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Tell me about it...;)
    I've had the same experience...:mad: Never again...:(
     
  20. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Here is the official download link.
    -http://www.toolwiz.com/index.php?sdmon=software_download/Setup_TimeFreeze.exe-
     
  21. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    I think the file protection issue sg09 met was because of the wildcard rule.

    If you add c:\aaaa\* to their protection list, you will see all the subfolders and files from c:\aaaa\. But if you add c:\aaaa* to the protection list, the aaaa folder will be protected too.

    I hope James can offer a rule edit button to let users make their own protection rules, such as c:\aaa\*.doc. That would be great.
     
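    The difference between `c:\aaaa\*` and `c:\aaaa*` described above comes down to glob semantics. The following added example (not from the thread, and not Toolwiz's own rule engine, whose exact matching rules are not documented here) models the rules as case-insensitive globs in which `*` also spans directory separators, and shows which constructed sample paths each rule covers. It also flags the side effect a practitioner should check for: a rule without the trailing separator protects the folder itself but also catches any sibling whose name merely starts with the same prefix.

```python
import fnmatch

# Constructed sample paths; they do not correspond to any real system.
SAMPLE_PATHS = [
    r"c:\aaaa",                   # the folder itself
    r"c:\aaaa\report.doc",
    r"c:\aaaa\notes.txt",
    r"c:\aaaa\sub",               # sub-folder
    r"c:\aaaa\sub\secret.doc",
    r"c:\aaaab",                  # sibling folder sharing the name prefix
    r"c:\other\file.doc",
]


def rule_matches(rule, path):
    """Assumed model of a protection rule: a case-insensitive glob (NTFS is
    case-insensitive) where '*' may match across '\\' separators."""
    return fnmatch.fnmatchcase(path.lower(), rule.lower())


def covered_paths(rule, paths=SAMPLE_PATHS):
    """Every sample path the rule would protect, in input order."""
    return [p for p in paths if rule_matches(rule, p)]


def classify_rules(rules, paths=SAMPLE_PATHS):
    """Coverage table: rule -> list of protected paths."""
    return {rule: covered_paths(rule, paths) for rule in rules}


def overbroad(rule, target_dir, paths=SAMPLE_PATHS):
    """Matched paths that are NOT the intended folder or inside it.
    Non-empty means the rule protects (or blocks access to) more than meant."""
    target = target_dir.lower().rstrip("\\")
    return [
        p for p in covered_paths(rule, paths)
        if p.lower() != target and not p.lower().startswith(target + "\\")
    ]


if __name__ == "__main__":
    for rule, hits in classify_rules([r"c:\aaaa\*", r"c:\aaaa*", r"c:\aaaa\*.doc"]).items():
        print(rule, "->", hits, "| outside target:", overbroad(rule, r"c:\aaaa"))
```

    Under this model `c:\aaaa\*` protects the contents but leaves the folder entry itself uncovered (which is consistent with the folder name and its listing being visible), `c:\aaaa*` covers the folder but also `c:\aaaab`, and a per-extension rule like `c:\aaaa\*.doc` would descend into sub-folders as well. Whether the product behaves identically on each point is an assumption to verify, not something the thread establishes.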
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Very useful info...thanks :thumb:
     
  23. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Anyone tried installing it in Windows 7 x64? Running the installer does nothing. ><
    Can someone provide me the version 1.0.0.0 of Toolwiz Time Freeze? I still have problems with the latest version. I tried their System Care and I also can't install it. I tried their other products and it installed perfectly.
     
    Last edited: Dec 28, 2011
  24. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    I have installed the latest version on my Win7 Home Premium x64 w/o any problem. I haven't tried System Care! Also I don't have the first version. Maybe you can register on their forum and ask for help, or simply mail James at james[at]toolwiz.com
     
  25. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    I've finally installed it. Forgot I have EMET and the DEP is the one that's crashing the installer. ><
     