Virtualization question.

Discussion in 'sandboxing & virtualization' started by ErikAlbert, May 12, 2007.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

    Don't worry about it Erik. I still use FileMapp byBB which is by far more relic then ScriptDefender but i'll tell you what, it was THE ONLY program that registered a "hidden" file was released in System32 before it went stealth when i tested a rootkit on my system.

    Otherwise, no program would have ever even known of it's existence including some popular ARK's.

    Latest is not always the greatest and oft times more than not, something which might be considered outdated by most still can carry the mail if you catch my drift. ;) I still use Kerio 2.15 and can't even get a nibble like a port scan.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Logical question regarding Script Defender :

    If I can add the file extension .REG, I assume I can add ANY file extension in Script Defender, not only script file extensions.
    Which would mean that Script Defender is more like an Extension Defender. Am I right about this ?
    Thank you in advance.

    PS: SD has a dumb uninstaller, but that is common for most softwares.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, you can add any extension and SD will intercept it.
    When you install your favourite media player, you associate it with .mp3, .wav, .avi, .vmv extensions. SD does the same with scripts extensions. Very simple, eh?
    You only need SD due to AE's lack of script interception.
    Prior to uninstalling, you must reset the associations.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I know, but I don't understand why I have to remove intercepts, the programmers of SD should have programmed this in the uninstaller of SD. :(
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd call it a "functional bug".
    For example, if you're going to uninstall SpywareBlaster, you must disable the protection first.
    I'd be concerned of these "bugs" in paid software. SD and SWB are freebies (and very good ones), so I can't complaint.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,246
    Hello,
    To answer the original question:
    Programs running in virtual environment can do only what the environment permits them. If the virtual environment allows its contents to modify files on the host system - then they will - but that's kind of contrary to virtualization - as opposed to physicalization.
    Mrk
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The purpose of virtualization is, that a malware installs itself in an environment, where it can do NOTHING, not even sending data over the internet.
    If the developper of the virtualization software didn't succeed in doing this, then his software doesn't work properly and needs to be corrected.
    Virtualization is supposed to work like that and I don't want anything else, otherwise I can better work in a real environment.
    I understand that it isn't easy, but that's the ART of programming and there are alot of differences between programmers from very bad to very brilliant. :)
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If that were so,then you could not surf the internet, because to connect to a web site, the browser has to send out data (DNS request, your IP address).

    Or are you thinking of something else?

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,246
    Hello,

    The purpose of virtualization is to create a virtual layer of hardware for programs to run on and use. If this layer permits internet access, then malware installed in it will have internet access.

    Example: if you allow NAT for a virtual machine in VMware Server, anything installed in a guest OS will be able to dial out. But if you set the virtual machine to host only, then it will not have this access. Very simple.

    Mrk
     
  10. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Wish i am the virtu developper who can make the thing you wish,i become richer than uncle bill in no time !!
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What looks impossible at first sight, doesn't mean it is impossible, you just have to think LONGER or have better brains than the rest. Never heard of inventions ?
    You can't boot in an archived snapshot of FDISR either according the manual, but it is possible once you know how FDISR works.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    At work we call this a mistake of an application analyst, but lots of programs are created by programmers only. Programmers aren't analysts and a good analyst/programmer (one person) doesn't exist, they are usually a good analyst or a good programmer but seldom both. They are cheaper for the boss. :)
     
  13. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    As you stated many times around this Wilders " i never trust any security app "or words alike,in practical implications virtual is of no difference as compared with the host and virtual has to be treated like the hostsystem,there is no magical "something in there" what makes the difference,and for sure protect your virtu you do like mothersystem,and also i differ in opinion with you that someday some time in the future technical advances lead to total protection,remember the gloomy dudes are also advancing, maybe the super coders already reside on the darkside,its all about money and i have no illusions.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'm sorry, but that's your wish of what virtualization should be like, not what it really should be. Depending on the virtualization software you use, you can tell it to virtualize a network connection, or disable it completely. Virtualization is a very powerful tool whose usage is not limited to malware containment. It wasn't designed specifically to combat malware at all, but due to its operating principles it ends up doing just that very nicely, though I guess you wouldn't know that. :rolleyes:
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,246
    Hello,
    Erik, you quoted me by accident. I did not write that virtu sentence. Huupi did.
    Thanks,
    Mrk
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    :) I noticed that too. I thought i was going nuts!
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Wonder if PowerShadow loads the system into memory like the Returnil Virtual App?Hence some users reporting their systems running faster in PS mode?
    Returnil Virtual System
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The precursors to current virtual technology were the various RAM disk drivers. People would work in a RAM disk because of the speed. One of my programming friends compiling in a RAM disk, for example. On bootup, you allocate a RAM disk (virtual), and it would go away on next bootup.

    A very innovative product was vRamDir, which I used for many years in the mid '90s. It's its difference was that you were not limited to the normal 32MB RAM disk size, rather, you could allocate as much RAM as you wanted, depending upon how much free RAM was available on you system.

    In those days (mid '90s) processor speed was not as high as today, and it was like flying to do word processing and graphics in a RAM disk, or virtual directory, in the case of vRamDir.

    We never thought of it as protection against malware, because only the directory you specified was loaded into RAM, where today, working on an entirely different principle, the entire partition or system is loaded into RAM, as in the case of Returnil.

    I stopped using vRamDir once CPU speed increased to the point where my working in a real environment was fast enough.

    I notice that vRamDir is still available - the same file dated from 1996! Designed for Win9x, I doubt it would work on NT systems.

    http://www.btsoftware.com/products/vramdir.htm

    I still have my install file, although I never use it, but I do remember those days of working in RAM!

    regards,

    -rich
     
  19. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    My guess, it does something like the *nix chroot command.

    Under the folder C:\$ISR, there are folders with just a number, ie: 0, 1, 2, etc

    Under those number folders is apparently a complete copy of each snapshot.

    So, I am guessing it does a "chroot C:\$ISR\2". This fakes out XP to think the partition starts below C:\$ISR\2.

    I am also guessing the VSS service keeps the current running system in sync with the appropriate numbered folder.

    The Copy/Update command just does a "simple" difference between each number folder to figure out what to keep/change/delete.

    What do you think of my goofy idea?

    Mike
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm used to use imperfect security softwares and not to find what I really want.
    That's why I replace my current system partition with a clean, trouble-free and malware-free partition during each reboot and that removes every mistake of my security softwares.
    I only need my security softwares to save the period between two reboots as good as possible.

    These developpers of virtualization softwares would save me alot of time, if they described their softwares in an objective way and telling the full truth. What it does and above all what it not does. It would save me alot of posts as well. :)
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Erik, sometimes we just miss that, but they do write those things:
    http://www.vmware.com/solutions/whitepapers.html
    See Virtualization Overview for instance.
    I've lost track of this thread, so one final sentence:
    VMware is not like SandboxIE. They are similar in some aspects, but NOT the same by a long shot.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, I guess their description also relies a fair bit on the user knowing what virtualization is in the first place. Are you going to take on antivirus software vendors for not telling you that making your morning coffee is not part of their software's functions?
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In stead of praising their software into heaven, they better tell the users what it doesn't do. This has nothing to do with making coffee. I might be less-knowledgeable, but I'm not stupid. :)
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, there's a lot that virtualization doesn't do. They could write a bible on what virtualization doesn't do.

    My point was simply that some things are too redundant for vendors to mention. It would be nice to provide a Virtualization 101 on their website for users who have no idea what the concept is, but the truth is, I wouldn't be too shocked if they didn't.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The principle of virtualization is quite simple : trap the malware in an environment where it becomes useless. But it's already clear to me that they didn't succeed in doing this and that's why you have a bible on what virtualization doesn't do. :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.