Virtualization question.

Discussion in 'sandboxing & virtualization' started by ErikAlbert, May 12, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AFAIK the principle of sandboxing and virtualization (Sandboxie, PowerShadow, ...) is to ISOLATE infections, so that they cannot install themselves on your real hard disk.
    So these security programs keep your hard disk clean, because they prevent installation, and this is the best kind of protection, because if an infection installs itself, you have a much bigger problem: you have to detect and remove it in time, before it can execute its evil job.

    Although the infections are isolated, my question is still: can these infections still do their evil job or NOT?
    Isolation is nice, but only nice when the execution is also impossible. :)
     
  2. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024

    Have no illusions about that, we live in the world of anti/anti/anti/anti missiles so to speak, and one day everything gets hosed. It's the game of bad smart guys against good smart guys, and there is no winner !!
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In other words these programs don't do a full job and can't be trusted either. That's what I thought too, not only regarding virtualization, but also the rest of the security software.

    That's why I replace my system partition with a new one during each reboot, because I can't depend on security software, too many holes.
     
  4. EASTER.2010

    EASTER.2010 Guest

    Again I beg to differ with a defeatist attitude. Yes, many will say it's fact and only a matter of time, but they've been completely absent from the scene of security meetings such as these longer than most to subscribe to such a notion.

    If the facts truly be known, the WINNER!! as they say is really YOU! or US!

    "IF" you have ALL the right pieces (programs) in place AND/OR Duplicates of your system/drive onto METAL hd's.........you've already 100% completely and without remedy defeated the best efforts/purposes of even the cleverest/sharpest Windows coder of intrusion or distraction programs on the face of the earth.

    I've said it many times before and will say again for clarity right here and now. Up until that very day that some exploit developer or Team of them can ever effectively hijack the very electric current that flows into these electronics reaching our computer machines, their efforts are limited at best to only the uninformed and unlearned user/business.

    There's really no illusion to this at all, nor wishful thinking, it only takes a sincerely determined and concerted effort on the well informed end user's part to totally secure their data AND machine from ever being compromised, aside from it being physically removed off its premises. All too simple.
     
  5. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024

    Hey Easter 2010, as an example, you place great confidence in Power Shadow, and one of the clever coders abandons the company and joins the ranks of the bad guys. He knows exactly how to compromise the stuff, and in no time your blessed virtualization is not virtual at all. Don't forget it's all about money, no ethics involved, we live in a greedy world so the cyberworld is no exception !!
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well, I still don't have a straight answer to my question.

    Is an isolated infection able to do its evil job or not, in case the virtualization software isn't compromised yet?

    I don't see the installation as a problem, because I can remove the installation. So that problem is already taken care of.

    I see the execution as a serious problem, because once it's done, I can't undo the execution.
     
    Last edited: May 12, 2007
  7. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    If there is no other protection in place, malware can do whatever its programmed to do once executed in a virtual environment.
     
  8. EASTER.2010

    EASTER.2010 Guest

    Hey Huupi, no matter at all. Power Shadow is but a single program, and if you read these forums regularly you should know by now EVERYONE uses a Layered Approach anyway. It's the safest way to go, don't ya' know.

    Besides, I got FD-ISR snapshots plus a Library of ARCHIVES, so what?

    And even then, I keep "Perfectly Clean & Intact" IMAGES of my entire drives/partitions stored in my closet. :D

    So no matter, and POWER SHADOW still works PERFECT!

    There is then, now & therefore no more fear EVER of contempt or compromise to my system, :D either forced attempts from outside interests or self inflicted, because FirstDefense keeps my archives in the exact order as when they were created. :D

    IF I ever need to return my active system to some prior state, it's accomplished in record time, as in seconds!!
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Please no discussion about compromised security software, ALL security software can be compromised without exception and it has been proven. Image Backup solves such a problem and the owner of the software will fix it too.
    That's why Windows and other software have so many patches. :)
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Finally one answer. Thanks for your opinion. I still think that Anti-Executable and DefenseWall do a better job than virtualization software, because they stop the execution.
     
    Last edited: May 12, 2007
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The infections can still execute and deliver their payload, but their effects are limited to the virtualized environment. If malware executes inside a sandbox quarantined by SandboxIE, the effects will be gone when you delete the sandbox. If malware executes while you are in Shadow Mode using PowerShadow, whatever the malware does will be reversed after a reboot. In no way, barring bugs in the virtualization software, will malware be able to effect any changes outside the virtualized environment.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Is isolated malware able to send info to the thief over the internet?
     
  13. EASTER.2010

    EASTER.2010 Guest

    Good point Erik, because whatever material (files/programs) is prevented from "FULL" entry in the first place has nowhere to lodge, let alone communicate with your ($M's buggy) system, which enforces my support of HIPS all the more, because they COMPLETELY SUSPEND! interaction before any damage or change can even happen.

    Something To Note:

    This regards executables alone, no matter the file extension $M designed in them to double the same as an executable file, any of them. Because whatever we view on the screen absolutely MUST enter our file system (Temporary Internet Files) or there would be nothing to see or read.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    On condition that users know how to make decisions in HIPS, which is a problem for most average users.

    I can't translate this very well into Dutch. So I don't really understand this.
     
  15. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    If not intercepted by a firewall then malware can send whatever to wherever.
    IMO sandboxing's main use is to isolate any possible infections. Virtualization's main use is to allow the user to do whatever they like without fear of corrupting their working base system.
     
    Last edited: May 12, 2007
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Unfortunately, yes. This is one point where virtualization will fail you, because it only stops changes from being made to the local computer.
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Wouldn't your firewall throw up an outbound alert?

    How long before a suite offers AV, AS, FW, HIPS and virtualization?
     
  18. EASTER.2010

    EASTER.2010 Guest

    True and true again as both replied above.

    Virtualizing is more adept to FLUSHING like you do your toilet after use. Simple analogy but you get the point.

    That's the reason for "resident" antispyware & antivirus programs etc. They work to identify (if they can) something registered as malicious and potentially harmful.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi ErikAlbert,

    I will have a go to translate this for you:

    Something To Note:
    This regards executables alone no matter the file extension $M designed in them to double the same as an executable file, any of them. Because whatever we view on the screen absolutely MUST enter our file system (Temporary Internet Files) or there would be nothing to see or read.

    It is good to take the same double precautions for every executable file (no matter which extension Microsoft has given it). I think "double" refers to Anti-Executable + DefenseWall (that is, only letting programs start after explicit confirmation by the user, with limited rights for files that come from untrusted sources).

    Finally, everything we see on our screen is first placed on our computer (for example, the Temporary Internet Files) or loaded (into memory).

    Regards, Kees
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    That's one of the main reasons, Erik, that I still depend on scanners (AV/AT/AS), because between reboots malware can do its tricks ... (the way you have your setup, I mean) ...

    I guess the main reason for stopping this is having Anti-Executable? Am I right?

    But there is far more nasty stuff out there than *.exe, ...

    That's why your setup has a serious vulnerability imho ...

    But I have no illusions about mine either ... mine is filled with holes as big as XP and Vista ;) ...
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    As far as I can tell, Anti-Executable stops more than .exe files. However, I have no idea if it only looks at the extension or checks the mimetype as well - if it's the former, I can certainly think of a way or two to possibly get past it...

    If used in tandem with virtualization software or a good HIPS, a firewall will eliminate the need for things such as scanners or Anti-Executable. A good firewall should always be part of your security setup anyway.
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Anti-Executable recognizes more than 80 executable types and each executable has a quintuple verification: File Size, File Type, File Location, Creation Date and Code Sample.
    That's a pretty strong protection to stop installation and execution of malicious executables. Anything that doesn't fit is simply refused by Anti-Executable.
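    Added example, not from the thread and not Faronics' Anti-Executable code: a toy attribute-based execution whitelist in the spirit of the quintuple verification above, checking size, file type by magic bytes rather than extension (the distinction solcroft asked about), location, and a hash of a "code sample" (assumed here to be the first 64 bytes; the creation-date attribute is left out). The PE stub and the three test cases are constructed.

```python
import hashlib
import os
import shutil
import tempfile

PE_MAGIC = b"MZ"     # Windows PE executables start with "MZ"
SAMPLE_BYTES = 64    # length of the "code sample" that gets hashed (assumption)

def fingerprint(path):
    """Attributes a whitelist entry is compared against (hypothetical scheme)."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    return {
        "size": os.path.getsize(path),
        "type": "PE" if head.startswith(PE_MAGIC) else "other",  # magic, not extension
        "location": os.path.dirname(os.path.abspath(path)),
        "sample": hashlib.sha256(head).hexdigest(),
    }

def check(path, whitelist):
    """Return (allowed, reason); every attribute must match the stored entry."""
    entry = whitelist.get(os.path.basename(path))
    if entry is None:
        return False, "not whitelisted"
    actual = fingerprint(path)
    for key, expected in entry.items():
        if actual[key] != expected:
            return False, f"{key} mismatch"
    return True, "ok"

def demo():
    """Constructed scenario: one whitelisted stub and two cases that must fail."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app.exe")
    with open(app, "wb") as f:
        f.write(PE_MAGIC + b"\x90" * 510)        # constructed 512-byte PE-like stub
    whitelist = {"app.exe": fingerprint(app)}
    results = {"original": check(app, whitelist)}
    # Same bytes copied elsewhere: the location attribute no longer matches.
    moved = os.path.join(root, "elsewhere", "app.exe")
    os.makedirs(os.path.dirname(moved))
    shutil.copy(app, moved)
    results["moved"] = check(moved, whitelist)
    # Same name, size, type and location, but different code bytes.
    with open(app, "wb") as f:
        f.write(PE_MAGIC + b"\xcc" * 510)
    results["tampered"] = check(app, whitelist)
    shutil.rmtree(root)
    return results
```

    The extension never enters the decision: a renamed non-PE file fails the type check, and a PE with the right name but modified bytes fails the sample check.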
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Indeed, that's what I was thinking too.

    It's like you said ... a firewall should stop (and LnS does) / fix a lot of nasty stuff.

    take care,
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well, I have a problem with trusting scanners, but I guess you must know this already. My security is mainly based on whitelists and stopping execution. After reboot I have my unchanged system partition back anyway.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks a lot Kees. :cool:
     