Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jul 1, 2010.
I'm looking forward for your results.
Results will be presented on the first post as I get them.
I know that in Leach's tests TDSS is able to infect a system protected with Shadow Defender.
I have used the very same sample he used in his tests, but I was unable to reproduce the behaviour. In my tests TDSS is unable to survive the reboot when SD is protecting the partition.
TDL/TDSS can be a fickle beast sometimes due to build, unusual drivers on the system, software...
I had someone test Shadow Defender and TDL3 for me, and Dogma needed a reboot in a VM and on the host. TDL3 could not get past the initial drop to a tmp file with SD, meaning that while there was a reference to the hidden driver, there was not an active 'infection.'
Going back to an earlier sample, and also using TDSS 4DW4R3, Shadow Defender protected just fine, checked by WinHex.
Edit: I have tested TDSS and the latest version of TDL3 with Shadow Defender, and everything is gone after exiting shadow mode.
Question: Did anyone recently do a test like the ones we are doing right now? Let's say in the last 2 years.
What we can see: the vendors didn't.
Please check whether your system is really infected before you reboot in shadow mode.
As you can see in the first post, I had no problems with the rest of the products. So I'm not doing anything wrong.
Actually some did and then upgraded their products in various ways to address the reported issues. I would suggest looking through the older threads from 2007 - 2009 where a bypass was reported and then a fix released to address it. An interesting starting point would be the bluezannetti Light virtualization threads and then exploring other, product specific threads from that same time period.
Don't be so quick to lump all vendors and developers into the same leaky boat as there are dedicated people in this field that are not just interested in riding the popularity of virtualization, but instead are truly interested in designing solutions that will bring about the end of the malware war - once and for all...
Nope, please, you understood me wrong. I'm not talking about your or my errors. I've just noticed a strange behaviour of the virus on my newly installed system in VirtualBOX. The critter won't infect the system in shadow mode. Moreover, in real mode it may disappear from the system after checking with TDSSKiller. So on the first pass the system is infected, and on the second the utility shows the system is clean! That's why I wanted to know whether the behaviour of your sample is the same as mine.
Ah, sorry, I didn't understand you correctly.
I will check later whether the system becomes infected while in shadow mode.
ALL virtualization software should prevent the installation of drivers on the REAL system? But not just drivers, anything and everything! After all, that's their modus operandi.
At least some vendors are not asleep at the wheel, and have made efforts to combat the leakthroughs. Still some way to go, obviously, for most, but that's how it goes. As long as they are NOW taking these nasties very seriously, that's good. Better late than never.
I agree, false advertising always gets them bit in the butt, sooner or later. Same as the AV etc. vendors who do it. In the case of virtualization vendors, I imagine they never thought such nasties would be coded and released. Therefore, up until a few years ago, they felt they were able to prevent ALL types of nasties from leaking through, and could rest on their laurels.
Interesting times ahead, and not just for these nasties, but the ones to come, and they will, no doubt.
Virtualization software vendors must wake up from resting on their laurels.
SafeSys remained pretty unknown and rarely found but TDSS came to stay and is kicking hard.
I am using CTM. The test results are not good for me.
Thanks for excellent test.
Do you still use Deep Freeze?
No, that is execution or driver blocking, not virtualization. The focus of virtualization is to roll back the system to a specific state or to simulate an environment.
I still use Deep Freeze, but not as anti-malware layer anymore, just to avoid system changes performed by "normal" applications.
Certain things I used to do, I will not do anymore.
My mind has changed since I discovered this issue.
But it seems like driver blocking while virtualizing a system is the only method to achieve a true rollback to a previous state. Isn't it?
Yes and no. That would be a valid method for maintaining the purity of the state you are trying to roll back to but is not required as a definition or "modus operandi" of virtualization itself. You can also achieve a pure roll back by maintaining a clean image or snapshot and then restoring the system to that state when required.
The real issue occurs when you cannot determine whether the state you are trying to roll back to is actually clean and this is why execution blocking and detection have a role to play, just not the role the traditional security industry would try to lead you to believe...
True, but then we would be talking about an imaging solution and not a virtualization solution. Right?
Sorry to chime in late; Buster, thank you so much for your extensive testing session. I know that Sandboxie is not LV software, of course, but I wanted to observe whether the x64 version can do a good job at blocking drivers and, after that, execution. Again, apologies for the transgression; I thought it would be interesting though.
I will try to test Sandboxie x64, but I don't promise anything, as I actually don't have software to virtualize Windows x64.
I compared and they are the same.
In fact, the contradiction you found when testing Shadow Defender with TDSS gives the same result as my test.
From your list, I miss testing Powershadow.
I completely agree with your comment:
The result is not only frustrating. I feel fooled by Faronics, and users of other software, except Shadow Defender users, should feel fooled by their respective vendors.
With the exception of Shadow Defender, the rest of the virtualization software is completely useless. We go naked when we run an executable.
Conclusion: A disk imaging utility is secure. Almost all Rollback software is not.
I didn't know any of the software I was testing today except Deep Freeze. Anyway, I was able to install and test everything fine... until I reached Clean Slate.
I'm unable to configure it in a way that will roll back changes made to the system, restoring it to a previous state.
So I need further instructions to configure and perform the test properly.
Would you be so kind to guide me, please?
This is not an accurate conclusion to draw as SD's virtualization technology has the same vulnerabilities as any other type of light virtualization solution. The key is to look at how it and the other solutions work to address those vulnerabilities.
Imaging is simply another tool in the chest; it is not a stand-alone solution, and it can be achieved using the same technology as is used in light virtualization (boot-to-restore). True security comes from how these tools are used and why they are used, not simply using them to create a backup now and then.
The disconnect I see here is trying to find the perfect virtualization program that can simply replace all other existing security technologies and strategies. Just as you would use a variety of tools to protect yourself physically, there is a similarity to protecting your PC from infection and ensuring it stays that way over time. The true test is whether the strategies and technology you use are proactive as a whole, rather than just piling on in the hope you hit the target.
We must be careful to confirm any results and not rely on the tools used in the test to confirm or deny an existence.
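As an added example, not code from the thread or from any of the products discussed, here is the kind of independent confirmation the last post asks for, along the lines of the WinHex check mentioned earlier: hash every sector of a raw disk image taken before the test and again after exiting shadow mode, and report which sectors still differ and in which region (MBR, unpartitioned gap, partition). The disk layout, sector numbers and "infection" below are hypothetical, constructed in memory; the point they illustrate is that a rollback product whose filter only covers the partition leaves changes outside it untouched, and a scanner-only check can miss that.

```python
"""Independent rollback verification by comparing raw sector hashes.

Added example, not from the thread. The disk images are constructed in
memory: a hypothetical 128-sector disk with one partition at LBA 63.
"""
import hashlib
from typing import Dict, List

SECTOR_SIZE = 512


def sector_hashes(image: bytes) -> List[str]:
    """One SHA-256 digest per 512-byte sector of a raw image."""
    if len(image) % SECTOR_SIZE:
        raise ValueError("image length is not a multiple of the sector size")
    return [hashlib.sha256(image[i:i + SECTOR_SIZE]).hexdigest()
            for i in range(0, len(image), SECTOR_SIZE)]


def changed_sectors(before: bytes, after: bytes) -> List[int]:
    """Indices of sectors whose content differs between two snapshots."""
    hb, ha = sector_hashes(before), sector_hashes(after)
    if len(hb) != len(ha):
        raise ValueError("snapshots differ in size")
    return [i for i, (x, y) in enumerate(zip(hb, ha)) if x != y]


def region_of(sector: int, part_start: int, part_end: int) -> str:
    """Classify a sector relative to the (hypothetical) partition layout."""
    if sector == 0:
        return "mbr"
    if sector < part_start:
        return "unpartitioned-gap"
    if sector < part_end:
        return "partition"
    return "trailing-unpartitioned"


def rollback_report(baseline: bytes, after_reboot: bytes,
                    part_start: int, part_end: int) -> Dict[str, List[int]]:
    """Group every sector that survived the rollback by disk region."""
    report: Dict[str, List[int]] = {}
    for s in changed_sectors(baseline, after_reboot):
        report.setdefault(region_of(s, part_start, part_end), []).append(s)
    return report


def persisted(report: Dict[str, List[int]]) -> bool:
    """True if anything at all outlived the rollback."""
    return any(report.values())


# --- constructed sample data (hypothetical layout and infection) ---
N_SECTORS = 128
PART_START, PART_END = 63, N_SECTORS  # one partition starting at LBA 63


def make_baseline() -> bytes:
    # deterministic filler: sector i is filled with byte value i
    return b"".join(bytes([i % 256]) * SECTOR_SIZE for i in range(N_SECTORS))


def write_sector(image: bytes, index: int, payload: bytes) -> bytes:
    payload = payload.ljust(SECTOR_SIZE, b"\x00")[:SECTOR_SIZE]
    off = index * SECTOR_SIZE
    return image[:off] + payload + image[off + SECTOR_SIZE:]


def simulate_infection(image: bytes) -> bytes:
    # hypothetical: loader in the MBR, body hidden in the gap before the
    # partition, and a dropper temp file inside the partition
    image = write_sector(image, 0, b"LOADER-STUB")
    image = write_sector(image, 40, b"HIDDEN-DRIVER-BODY")
    image = write_sector(image, 63, b"tmp-dropper")
    return image


def simulate_partition_only_rollback(baseline: bytes, infected: bytes) -> bytes:
    # models a product whose filter only covers the partition's sectors
    out = infected
    for s in range(PART_START, PART_END):
        out = write_sector(out, s, baseline[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE])
    return out


if __name__ == "__main__":
    base = make_baseline()
    after = simulate_partition_only_rollback(base, simulate_infection(base))
    rep = rollback_report(base, after, PART_START, PART_END)
    print("persisted" if persisted(rep) else "clean", rep)
```

Against a real disk you would feed `changed_sectors` two raw images of the same device (the second taken after the reboot out of shadow mode, from outside the tested OS), and take the partition table from the baseline image rather than hard-coding it as this example does.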