Virtualization/Rollback software test

Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jul 1, 2010.

Thread Status:
Not open for further replies.
  1. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Last edited: Jul 3, 2010
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    The free version of Returnil is very good. :)
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Does it take a snapshot of the system for me to rollback manually or it just drop any changes at reboot?
     
  5. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294

    Drop changes @ reboot.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks Rmus I remembered this and was busy looking back then you made this post and saved me some time.

    Also if I remember right, mj0011 was busy in a lot of PoC's :) at the time (and makes for some interesting reading) until she went on to work at 360.
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    What's so astonishing? Grant system level access to a malicious process and malicious mischief happens. Is that a surprise?

    Should vendors be circumspect with regards to their performance claims? Of course. Claims of absolute protection when running with Admin level access are bound to eventually run into a brick wall. Users should be apprised when that happens (and kudos to all here that are facilitating that process), but panicked surprise at this turn of events is being overly dramatic.
    I agree that vendors need to address shortfalls with speed and transparency, and that appears to be lacking in some quarters in this regard. However, the existence of a potential vulnerability does not rubbish make. It simply reinforces a message that is rather prominent here and elsewhere. Let me reinforce it specifically as it appears here:

    The simple fact of the matter is that routinely running as an Admin level user is insane.

    That seems pretty clear and unambiguous. Is running LUA an invulnerable panacea? No, and that detail has also been discussed extensively throughout the site. However, while LUA (and SRP) is not a complete solution, the road to protection is enhanced and a path to recovery (if needed) is facilitated. Unfortunately (and this is the major problem with the Windows OS ecosystem), LUA is not the default type of account and it will never gain extensive utilization until that changes.
    What exactly do you want that isn't already easily available? Look, most people do not run their lives and plan their days around dealing with each and every potential vulnerability known to man. If they did, everyone would be walking around in bulletproof and fireproofed Kevlar encased Faraday cages - of course, that creates additional issues and we'd all need a Segway as well. And a parachute. And so on.... Let's return to reality and some levelheaded analysis.
    If the advice provided in Securing Your PC and Data is followed, does this vulnerability work?

    If you want a specific configuration - use mine: XP Pro, LUA/SuRun/SRP (basic)/Returnil Home Lux (drop all changes, antiexecute set to "Trust programs from real disk only" during virtualization, embedded AV disabled, System Safe enabled as needed).

    Blue
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Blue, I think you're missing the point.

    A vendor is claiming that you are completely safe using their app regardless of admin/lua account.

    As for your recommended setup, not for me thanks. ;)
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    and I explicitly note that:
    If you read Faronics documentation (at least the docs I have read), they don't make that explicit claim. The detail is left unsaid, so I agree that it's a reasonable inference for a casual user to make and additional guidance should be provided to users.

    However, I do believe a lot of these doomsday threads overstate the situation in that they appear to be working from the implicit assumption that there is a single magic bullet that will cure all your current and future security ills. Yes - the vendor literature tends to propagate that type of view, but it's simply not realistic.
    I realize it's not for everyone. Heck - some days it's probably not me either, but it's the one I've had for a couple of years now. However, that's not the issue - the issue is whether this particular vulnerability gets through the specific implementation of a light virtualization solution that I practice. If it doesn't, I'd say that the broad brush claiming rubbish needs at least some qualification. By the same token, if all the statements made in this and related threads regarding Deep Freeze are correct (and I have no reason to doubt their correctness), you'll get no argument from me that Faronics dropped the ball.

    The subject of this thread is valuable information, however a broad brush that paints this category of approach as "rubbish" misses the mark. To me, it's no different than when people seemingly confuse a "transient inconvenience" with "ruining my life". It's all too easy to engage in purely hyperbolic characterization on the Internet. There's certainly a hint of that in this generally useful discussion.

    Blue
     
  10. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Hard to disagree with that.

    The manufacturers of rollback/light virtualization software have made far too strong marketing statements about the performance of their products (Faronics being a good example here), but then that is standard practice in the security industry - most companies in the security business make at worst outrageous and at the very least vague promises about the performance of their products. And honestly speaking, it's not that easy to code rollback software that can prevent a user with full admin privileges on the system from messing up the rollback and "permanently" changing the system.
     
  11. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,544
    Location:
    New Mexico, USA
    Okay, I haven't read all this thread yet. Been busy and haven't had time to keep up with all the forums on which I hang out.

    This thread caught my eye. I've read a couple of pages back.

    I haven't seen Bufferzone mentioned. Is BZ vulnerable, like all the others?
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @Hugger et al

    ProcessGuard is what i use,

    pg.gif

    and it's still available. If you want it PM me ;)

    pg2.gif

    If anybody's wondering what antiboot.exe is

    antiboot.exe

    http://support.kaspersky.com/viruses/solutions?page=1&print=true&qid=208280748

    Just ran it out of curiosity, NO nasty found :p
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Yes, the fact that system level is accessed at all, by whatever/however when "supposedly" it's isolated !

    As i asked Coldmoon in Post 55, and still waiting for his replies ;)

    System level is not supposed to be accessed, as it's supposed to be isolated, isn't it :D

    *

    For the record, i Really liked Returnil when i had it installed. But had to uninstall it due to problems with System Restore :( as noted and acknowledged in the RVS threads. I have high hopes for the next release though :thumb:
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Sure, no problem.

    I will test 2.0.0 version and also Power Shadow due a request from a user.
     
  15. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
    Great review!

    If possible,maybe a test of HDGuard would be nice......:thumb:
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    BlueZannetti: I can not agree with you.

    Products like Deep Freeze or Returnil are being advertised as "indestructible" and "never affected by viruses, Trojans, malware and other malicious threats".

    That´s directly a lie and do you know the best part? They know it´s a lie!

    I´m sure that if you stop people in the middle of the street until you find someone using Returnil, Deep Freeze, Rollback Rx, Comodo Time Machine, etc and you ask him: do you feel completely protected with the software? Are you sure your software will stop everything? he/she will reply "yes" to both questions.

    What kind of security company let their users to believe they are secure when they are not?

    If that´s not a dramatic security situation I don´t know what´s it.

    Maybe because you are an advanced computer user you believe rest of people are too and that´s not true. A lot of people all around the world use the computer as they got it when they bought it.

    Tell me: How many computer manufacturers release the OS configured to be used in LUA?

    How many computer stores give the computers with Windows configured to be used in LUA?
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    In my experience, just about any and every security company, or at least their marketing departments. Sure, if you speak to the actual coders and such, they may openly admit their product provides nowhere near 99 % (I won't even bother with 100 %) security, but the marketing speak tends to make either very big or very vague promises towards the "complete protection" direction. As with everything, there are some exceptions, but they're definitely in the minority. I certainly do agree with you that such misleading and outright dishonest marketing statements are wrong, but I'd also say they're "business as usual".
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Compare any claim from a security company with this one:

    "never affected by viruses, Trojans, malware and other malicious threats"

    and you will see that there is a big difference.

    "never affected by viruses, Trojans, malware and other malicious threats" is like the old "100% virus detection".

    Do you know what happened to the companies that were using that in their publicity? They had to discontinue using that.
     
  20. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
    I stumbled upon it a few months ago,when I was searching for virtualization software that can keep changes after a reboot.....it's pretty useful for software testing/trying in real enviroments,instead of virtual machines......:thumb:
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    HDGuard 8 included in the list of tested software.
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Added Wondershare Time Freeze 2.0.0 results.
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    You have the question answered in the first post. ;-)

    btw... hardware solutions also use software, so I´m not sure if they are safe or unsafe.

    I never met anyone having one rollback hardware card.

    Years ago I was considering buying one myself but I thought that software based solutions were as safe as hardware´s based ones.
     
  24. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    I know a computer that uses hardware solution(not my computer though my university's :argh: , I'll try to access it and take a experiment.:ninja:

    and plus we can make technical benchmarks for continuous checking. like matousec does in HIPS.
     
    Last edited: Jul 4, 2010
  25. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    We should use other tools to verify things. Take a look at this problem here for example.

    I use WinDbg, WinHex, cff explorer, soft ice/driver studio - that sort of thing.
     
    Last edited: Jul 5, 2010
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.