Virtualization question.

Discussion in 'sandboxing & virtualization' started by ErikAlbert, May 12, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I know TrueCrypt already and ditched it when I discovered that TC only protects me against physical theft, not on-line theft.
    Once the encrypted container or volume is mounted, you are vulnerable to on-line theft.
    I expected from encryption something else.
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Do you usually store your private data in plaintext on your hard disk? :blink:
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't have any PERSONAL private data on my hard disk.
    And the recent complicated login procedure of my online-banking makes any keylogger useless.
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    So why all the fuss about preventing data theft, if it doesn't affect you? ;)

    SandboxIE stops SOME forms of keylogger, but not all, since it's a form of incomplete virtualization. Complete virtualization will utterly fail against all types of keylogging attacks - but then, they can only steal whatever's in the virtual machine, and are unable to touch anything on the host. To hopefully stop the bush-beating, if an anti-keylogger solution is what you're after: there are three main methods to stop them. At execution (don't run suspicious programs), where it injects global hooks or monitors APIs (use a good HIPS program), and where it transmits data (use an outbound firewall). Any one of them should do the trick.
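The three layers listed in the post above (stop at execution, stop at the global hook, stop at the outbound connection), modelled as policy checks over a process-event trace. This is an added example written for this page; it is not code from the thread, from Sandboxie or from any product named here. The image paths, the three allowlists and the event trace are all constructed for the example.

```python
"""Layered keylogger defence as policy checks over a constructed event trace."""
from dataclasses import dataclass

# Layer 1, "at execution": only these images may start at all (constructed).
EXEC_ALLOWLIST = {
    r"c:\windows\explorer.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}
# Layer 2, "where it injects global hooks": only these may install system-wide hooks.
HOOK_ALLOWLIST = {r"c:\windows\explorer.exe"}
# Layer 3, "where it transmits data": only these may open outbound connections.
NET_ALLOWLIST = {r"c:\program files\mozilla firefox\firefox.exe"}


@dataclass(frozen=True)
class Event:
    kind: str    # "exec", "hook" or "net"
    image: str   # full path of the process image
    detail: str  # hook type, or destination host:port


def evaluate(events, layers=("exec", "hook", "net")):
    """Return (layer, image, reason) verdicts for a trace.

    `layers` selects which defences are active, so the same trace can be
    replayed to see which layer would have stopped a given chain.
    """
    verdicts = []
    never_started = set()
    for ev in events:
        image = ev.image.lower()
        if image in never_started:
            continue  # blocked at execution, so it never gets to hook or transmit
        if ev.kind == "exec":
            if "exec" in layers and image not in EXEC_ALLOWLIST:
                verdicts.append(("exec", image, "not on execution allowlist"))
                never_started.add(image)
        elif ev.kind == "hook":
            if "hook" in layers and image not in HOOK_ALLOWLIST:
                verdicts.append(("hook", image, f"global hook {ev.detail} denied"))
        elif ev.kind == "net":
            if "net" in layers and image not in NET_ALLOWLIST:
                verdicts.append(("net", image, f"outbound to {ev.detail} denied"))
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return verdicts


# Constructed trace: a legitimate browser session, then an unknown program that
# behaves like a keylogger (starts, installs a keyboard hook, phones home).
SAMPLE_TRACE = [
    Event("exec", r"C:\Program Files\Mozilla Firefox\firefox.exe", ""),
    Event("net", r"C:\Program Files\Mozilla Firefox\firefox.exe", "bank.example:443"),
    Event("exec", r"C:\Users\erik\Downloads\invoice_viewer.exe", ""),
    Event("hook", r"C:\Users\erik\Downloads\invoice_viewer.exe", "WH_KEYBOARD_LL"),
    Event("net", r"C:\Users\erik\Downloads\invoice_viewer.exe", "203.0.113.9:443"),
]


def first_stopping_layer(events, layers=("exec", "hook", "net")):
    """Name of the earliest active layer that fires for the trace, or None."""
    verdicts = evaluate(events, layers)
    return verdicts[0][0] if verdicts else None


if __name__ == "__main__":
    for active in (("exec", "hook", "net"), ("hook", "net"), ("net",), ()):
        stopped = first_stopping_layer(SAMPLE_TRACE, active)
        print(f"active layers {active or 'none'}: stopped at {stopped}")
```

Replaying the same trace with layers removed shows the point of the post: with all three active the unknown program is stopped at execution and the hook and network events never happen; with only the firewall active it still gets stopped, but only after the hook is in place. The browser's own connection passes every layer because it is on the relevant allowlists.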
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not working for myself only.
    I already said that I don't need an anti-keylogger solution. Keyloggers can't catch my bank password; it changes constantly.
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Then hopefully you'll find one of the solutions listed above useful for protecting whatever data you need to.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    At first sight, I don't need virtualization software. It doesn't prevent the execution of malware, it removes it, and I already have a removal solution.
    I'm looking for software that stops the execution of malware, nothing else.
    Thanks EVERYBODY !!!
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Pardon my asking, but unless you're using an unpatched copy of IE and/or have autorun enabled on your system...

    Why do you need software to stop the execution of malware? In what way is not double-clicking on them not working for you?
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Do you mean that ANY kind of infection requires a double-clicking to execute itself ?
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, erm, if we exclude the two auto-execute vectors mentioned above...

    Duh? :blink:
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Only two kinds ? Hard to believe.
    How do I recognize a bad object, to avoid double-clicking ?
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I don't know. That depends a whole lot on how you use your computer and what kinds of files you usually deal with. But applying the same policy as you use to create your Anti-Executable blacklist might be a good start.

    I'm pretty sure those are the only two auto-execute vectors. Did I miss any? Depending on what other software you use, they might have vulnerabilities that expose them to arbitrary code execution, but outside of IE, they've been exceedingly rare so far, at least from what I know.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have Anti-Executable + Script Defender to protect me against double-clicking on bad executables. I don't see the difference between good and bad objects, unless I'm an expert. I have too many system files on my system partition, they look all the same to me. :)
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If you've scanned your system and made sure it's clean, then all you need to do is be careful of what you download and of files you get from external media. The fact is, Anti-Executable doesn't know what bad executables are either - it just prevents you from running what YOU tell it to block. And if you know what to tell it to block... how hard is it to just not run those same executables?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Erik. A VM machine is just a computer, pure and simple. You can do anything with it you can with a computer, including secure it, or leave it unprotected. All you are doing is transferring action and results from the host machine to the VM machine. When it comes to malware, the biggest advantage is what I was able to do when messing with KillDisk. I experimented with recovery, but I didn't need to. All I had to do was revert to a previous snapshot, and it was all fixed. Similar to your recovery concept, except my host wasn't involved.

    Pete
     
  16. EASTER.2010

    EASTER.2010 Guest

    @ErikAlbert

    Good Day sir.

    It's early, but what's your impression of ScriptDefender so far? Have you tested it against ANY scripts? Safe ones only, of course. Reason I ask is if it covers more boundaries than my ScriptSentry, you will have contributed to changing my own coverage for those.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Security

    1. freedom from danger, risk, etc.; safety.

    2. freedom from care, anxiety, or doubt; well-founded confidence

    Synonyms: assurance; safeguard
    ________________________________________

    I can make the case that recovery is a part of a security strategy: in a worst-case scenario - loss of the computer by fire or theft - knowing I can recover my files from an off-site backup gives me "well-founded confidence" and "freedom from care, anxiety." My files are secured.

    Reboot-to-restore is also a type of recovery, which I consider to be a significant part of a security strategy. Not just from malware, but from any changes to the system partition. E.g., corrupted files - once happened to me - Secedit.sdb - an error message just popped up while I was typing. It turned out to be a "Corrupt Group Policy Database File" - not uncommon with Win2K. Being able to reboot-to-restore saved me a lot of time from having to go through Microsoft's procedure. I consider that as much a part of security (= keeping secure, safe, unchanged) as protecting against malware.

    Actually, a lot of the discussion in this thread has drifted away from your original post about virtualization, in which you stated,

    Don't you think that if you need to "isolate an infection" you are admitting that an infected file had somehow gotten on to your hard drive? Do you really think that could happen with your setup and user common sense?

    If you think through the ways an infected file could get on to your hard drive:

    1) Through a port. Your Firewall takes care of that

    2) Email, either by enticing you to open an infected attachment, or to click on a link. You've indicated many times that you would never get tricked into that

    3) Web-based exploits -1: download a trojan by remote code execution. I don't know what browser you use, but if not IE, most of these exploits might not even run. Nonetheless, Anti-Executable takes care of it. Same with any other attempt to sneak in an executable: auto-run on a CD or USB drive, for example.

    4) Web-based exploits -2: recent XSS and the sending out of login data: you've made it clear you don't keep personal information on your HD and that your bank's passwords methods are fool-proof.

    Aren't you thoroughly covered? How else could an infected file get on to your computer? Give me an example.

    In the very unlikely case that would happen, you have your reboot-to-restore solution.

    BTW - just curious why you've added Script Defender? Give me an example of how you think a malicious script file could get on to your computer? How would it run other than being double-clicked? Why would you double-click on an unknown script file?

    5) Trustingly installing a program. The last point of entry of an infected file. Here, I think you are covered, because you are the only person besides myself (unless I've missed it) that holds to this philosophy:

    I don't see any weaknesses in your setup. Why not just enjoy computing/surfing with what you have and don't be a worry-wart :)
    (= tobber?)

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  18. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I am glad to have such dudes like Erik here on Wilders, he forces us to think and re-think about all that matters, I have learned a lot in those endless threads, thank you all !!
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not as knowledgeable as you are and many other members at Wilders.
    My knowledge about malware and anti-malware is very poor and I don't see the difference between good and bad objects. So I depend on advice from other members.
    They told me in this thread, that Anti-Executable doesn't protect you against these file extensions :

    .HTA,.JS,.JSE,.REG,.SHB,.SHS,.VBE,.VBS,.WSF,.WSH

    And that's why I added Script Defender (= Extension Defender) to protect me against any extension that isn't included in Anti-Executable.

    If you can explain to me that I don't really need Script Defender, I'm prepared to ditch it. The less security software I have on my computer, the better.

    The original purpose of this thread was to find out, if virtualization could be useful for me or NOT as an additional protection to STOP EXECUTIONS of any kind of infection in order to save the period between TWO reboots.
    Installation of infections is not a problem, because I boot-to-restore and nothing can beat that, which also means that I have neither problems with detection of infections, nor problems with removal of infections. It's no secret that scanners sometimes DETECT infections, but fail to REMOVE or only do a PARTIAL removal of the infections. I don't have that problem anymore.

    My conclusion is that I don't need virtualization software, because it only ISOLATES and REMOVES infections, but it doesn't stop the execution of infections, maybe a few, but not worth talking about.
    If it had stopped the execution, then I would have called it security software, but that's not the case; it RECOVERS by REMOVAL and I have this already, not the same way, but the result is the same.
    Even PowerShadow recommends on its website that you keep your security software. Why? Probably because PowerShadow doesn't stop the execution either, or not sufficiently.

    I only hope that other, much more knowledgeable members than me think about the value and risks of virtualization software.
    It is nice regarding removal, no doubt about that, but maybe not so nice anymore when it still allows execution.
    I agree that you can cover the failures of virtualization software with other security software, like a firewall to stop the sending of private data over the internet by a sandboxed infection, but users have to be aware of this.
    I was only talking about virtualization software ITSELF without any other security software involved.
    Once you know the weaknesses of virtualization software, you can solve these weaknesses with other security software.

    I was just trying to get an idea of the benefits of using virtualization software, nothing more than that.
    If I was a security expert, I wouldn't be here asking questions. I don't know much about Windows, Internet, Malware and Anti-Malware, but I have my analytical, logical brain and that helps me to solve problems even when I don't know much about the subject.

    Many thanks for your last post, which gives a good view of the possible infection sources.
    My design is still rough and needs to be polished, but those are unimportant details: a better software setting here and there, a better procedure for installing new software or keeping changes, ... whatever. It can't get worse, only better and better. :)
     
    Last edited: May 15, 2007
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    "execution" with very restricted rights. Yes. The worst keyloggers don't work, only browser specific vulnerabilities and such should do something.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If the browser is sandboxed, the sandbox should also protect the browser against its own vulnerabilities. That is my logic of course.
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Erik,
    An article about how malware can infect computers.
    Your logic is flawed. If the sandbox checks every bit of code trying to protect the browser against its own vulnerabilities, it becomes a blacklist scanner. Code can execute (almost) freely inside the sandbox.
    Installing/configuring Anti-Executable isn't housewives-proof either.
    Almost all security software should be installed and configured by a user with some knowledge.
    AE and Sandboxie are very user-friendly; once they're properly configured, they don't annoy with cryptic pop-ups/prompts.
    Firewalls and execution interceptors (classical HIPS) are the least user-friendly apps among security software.
     
    Last edited: May 16, 2007
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Technically I don't know how Tzuk would do it without bloating it. It's not SandboxIE's job to monitor the browser. Its job is preventing anything inside the sandbox from doing harm outside it.

    I don't know if AE can prevent that either. Rmus should know the answer though. But I do know that AE could be very uncomfortable to use. I have to turn it off just to do something new.
    Note that I like AE's concept too.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are welcome.

    As an analyst, you would agree, I'm sure, that establishing a set of criteria against which to evaluate data, is a good strategy.

    I've often used the phrase, security strategy, which I feel should be one's starting point, and selection of products follows as a result of deciding what type of protection takes care of a specific attack point.

    Herbalist says essentially the same thing:

    https://www.wilderssecurity.com/showpost.php?p=1004849&postcount=18
    regards,

    -rich

     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I like AE's concept too, because it is based on a whitelist and that makes it an evergreen, without daily updates.

    I have two kinds of whitelists :
    1. AE has a whitelist of all executables on my hard disk
    2. The Freeze Storage has a whitelist of all objects on my hard disk, including the executables.

    The only difference is that :
    1. AE reacts immediately when an unauthorized good or bad executable tries to do its job.
    2. The Freeze Storage reacts only on reboot, when it restores my frozen snapshot.
    As long as I don't reboot, a frozen snapshot allows everything, because FDISR is not a security software.

    At this moment AE is on HIGH security, which means that it
    1. blocks unauthorized 16-bit executables
    2. blocks unauthorized 32-bit executables
    3. blocks unauthorized drivers and .dll-files
    4. Protects AE's folder from access and tampering.

    I did not mark "Delete Prevention" and "Copy Prevention", because I don't need them.
    If an authorized executable is deleted or copied, the freeze storage will correct this during reboot, because a freeze storage doesn't allow any change, including executables.

    Another more important reason is that FDISR doesn't like both settings, while it is copy/updating a snapshot and this results in errors.
    During copy/update FDISR :
    1. adds objects
    2. deletes objects, which is probably in conflict with AE's "Delete Prevention"
    3. replaces objects, which is probably in conflict with AE's "Copy Prevention".
    I'm still studying this by observation, but it IS a problem.

    AE is indeed uncomfortable, but I consider this as temporary; after a while everything becomes a habit.
    Each security setup is uncomfortable; you have only forgotten the inconveniences because you got used to them.

    I don't know about the other security software, but AE is the first security software I've ever seen that protects and hides ITSELF so well. Most security software is an open book for everybody: good guys, bad guys and evil objects. :)
     
    Last edited: May 16, 2007
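The two whitelists described in the post above (an execution allowlist checked at every run attempt, and a frozen snapshot of every object that is only applied at reboot), together with the script-extension gap listed earlier in the thread, modelled in one script. This is an added example written for this page, not code from the thread, from Anti-Executable, FDISR or any product named here. The partition is a dict of path to bytes so the example runs offline; the executable extension set, paths, file contents and hashes are all constructed assumptions.

```python
"""Execution allowlist checked in real time versus a frozen snapshot applied at reboot."""
import hashlib

# Extensions the execution allowlist is assumed to cover (constructed for this example).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com"}
# The extensions the thread says Anti-Executable does not cover.
SCRIPT_EXTS = {".hta", ".js", ".jse", ".reg", ".shb", ".shs", ".vbe", ".vbs", ".wsf", ".wsh"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ext_of(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def take_snapshot(partition: dict) -> dict:
    """Frozen snapshot: path -> (hash, contents) for every object on the partition."""
    return {p: (sha256(d), d) for p, d in partition.items()}


def execution_allowlist(snapshot: dict) -> set:
    """Whitelist 1: hashes of every executable present in the frozen snapshot."""
    return {h for p, (h, _) in snapshot.items() if ext_of(p) in EXECUTABLE_EXTS}


def run_attempt(path: str, partition: dict, allowlist: set) -> str:
    """Real-time check at execution, the way an execution-allowlist tool reacts.

    Returns "allowed", "blocked", "not-executable", or "uncovered" for a script
    type the allowlist does not check (so a separate script policy is needed).
    """
    ext = ext_of(path)
    if ext in SCRIPT_EXTS:
        return "uncovered"
    if ext not in EXECUTABLE_EXTS:
        return "not-executable"
    return "allowed" if sha256(partition[path]) in allowlist else "blocked"


def reboot_to_restore(partition: dict, snapshot: dict) -> dict:
    """Whitelist 2, applied only at reboot: revert every change since the snapshot.

    Nothing is checked between reboots; the return value lists what was reverted.
    """
    current = {p: sha256(d) for p, d in partition.items()}
    frozen = {p: h for p, (h, _) in snapshot.items()}
    added = sorted(p for p in current if p not in frozen)
    deleted = sorted(p for p in frozen if p not in current)
    modified = sorted(p for p in current if p in frozen and current[p] != frozen[p])
    partition.clear()
    partition.update({p: d for p, (_, d) in snapshot.items()})
    return {"added": added, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """One session between two reboots on a constructed partition."""
    partition = {
        r"C:\Windows\explorer.exe": b"MZ explorer (constructed)",
        r"C:\Windows\System32\kernel32.dll": b"MZ kernel32 (constructed)",
        r"C:\Users\erik\notes.txt": b"shopping list",
    }
    snapshot = take_snapshot(partition)
    allowlist = execution_allowlist(snapshot)

    # Between reboots: an unknown executable and an unknown script land on disk,
    # a document is edited, and a system DLL is deleted (no delete prevention).
    partition[r"C:\Users\erik\Downloads\setup.exe"] = b"MZ unknown program (constructed)"
    partition[r"C:\Users\erik\Downloads\update.vbs"] = b"WScript.Echo 1 (constructed)"
    partition[r"C:\Users\erik\notes.txt"] = b"shopping list, edited"
    del partition[r"C:\Windows\System32\kernel32.dll"]

    verdicts = {
        "explorer": run_attempt(r"C:\Windows\explorer.exe", partition, allowlist),
        "setup": run_attempt(r"C:\Users\erik\Downloads\setup.exe", partition, allowlist),
        "script": run_attempt(r"C:\Users\erik\Downloads\update.vbs", partition, allowlist),
    }
    reverted = reboot_to_restore(partition, snapshot)
    return {"verdicts": verdicts, "reverted": reverted,
            "clean_after_reboot": take_snapshot(partition) == snapshot}


if __name__ == "__main__":
    print(demo())
```

The run shows the difference the post draws: the allowlist answers immediately for the known and the unknown executable, answers nothing for the .vbs file (hence the separate script policy), and the deleted DLL, the edited document and the two downloads are all undone only at reboot, after which the partition hashes back to the snapshot.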