Virtualization/Rollback software test

Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jul 1, 2010.

Thread Status:
Not open for further replies.
  1. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Buster, I have heard a brief rumor that SD .326 doesn't cut it against the infections... Maybe you can test this beta version, please?
     
  2. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    Clean system (with no protection) -> infection -> reboot -> Kaspersky detects it [replace HDD with clean one]
    Protected system -> infection -> reboot/rollback (reboot) -> Kaspersky checks it
    I tested LVs with these methods; none of my samples could evade Kaspersky's detection.
    You can see the result here.

    If Kaspersky can reliably detect those rootkits on a clean system, then we can trust this tool, can't we?
    Is that logic incorrect?

    Edit: I saw the article.
    I use VPC, and each time the test ends I destroy my HDD, copy the clean HDD, and do the next test.
    If it is a real environment we would have to change it, though.
     
    Last edited: Jul 4, 2010
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    :thumb: same.

    edit :
    BTW, it is not about not trusting; it is about methodology, so there is less likelihood of a mistake, or of having to go back to confirm work and getting lost because of the process used.
     
    Last edited: Jul 4, 2010
  4. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    Test performed against SafeSys/TDSS. Despite some rumors, my result was clean.
     
  5. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Add another 2 products that fail to restore a clean state to the list:

    FirstDefense-ISR - SafeSys = Fails to restore the system | TDSS = Fails to restore the system
    (note: the secondary snapshot remains clean, but updating the infected one does not restore it to a clean state).
    Roxio BackOnTrack Suite - SafeSys = Fails to restore the system | TDSS = Fails to restore the system


    Panagiotis
     
  6. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    This was a VirtualBox test this time, with the original Windows XP SP3 with today's latest updates installed. I might call my first test a "rumor" or a dream, but I'm quite sure I'm not sleeping right now. The picture shows the system state after infecting the system with TDSS in shadow mode and a reboot.
     


  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Yes, I read the same and I was going to verify it.
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    If imaging solutions also fail to restore a system to a clean state, then the issue with SafeSys/TDSS and similar malware is worse than we thought.

    I will try to make a test with Macrium Reflect, which is the software I use to make/restore disk images.
     
  9. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    No, imaging solutions do not fail (if you restore the full image).

    But file synchronization solutions like FD-ISR, B.O.T.'s instant restore, Windows System Restore, and file backup applications based on sync will fail.

    File size and date/time attributes of the infected files remained unaltered, and this caused the restoration to fail.

    Panagiotis
     
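    The failure mode described in the post above (a file whose bytes changed while its size and timestamps did not) can be reproduced with a small script. This is an added illustration, not code from any of the products named in the thread; it assumes a simplified model in which a sync-style restore compares only size and modification time against the snapshot copy, and contrasts that with a content hash, which is the check a defender would want the comparison to use.

```python
import hashlib
import os
import tempfile
import time

# Simplified model (an assumption for this example): a sync-based restore treats a
# file as "unchanged" when size and mtime match the snapshot copy, so it never
# copies the snapshot copy back over it.
def metadata_differs(path_a: str, path_b: str) -> bool:
    sa, sb = os.stat(path_a), os.stat(path_b)
    return sa.st_size != sb.st_size or int(sa.st_mtime) != int(sb.st_mtime)

# Content comparison: hash the bytes of both files, ignoring metadata entirely.
def content_differs(path_a: str, path_b: str) -> bool:
    def digest(path: str) -> bytes:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.digest()
    return digest(path_a) != digest(path_b)

def simulate_same_size_overwrite() -> dict:
    """Constructed scenario: a snapshot copy and a live copy start identical; the
    live copy is then rewritten in place with same-length content and its
    timestamps are put back to the original value. Returns what each check sees."""
    with tempfile.TemporaryDirectory() as d:
        snapshot_copy = os.path.join(d, "snapshot_driver.sys")  # constructed name
        live_copy = os.path.join(d, "live_driver.sys")          # constructed name
        original = b"ORIGINAL DRIVER CODE".ljust(4096, b"\x00")
        for p in (snapshot_copy, live_copy):
            with open(p, "wb") as f:
                f.write(original)
        stamp = time.time() - 86400  # one day ago, identical on both copies
        os.utime(snapshot_copy, (stamp, stamp))
        os.utime(live_copy, (stamp, stamp))

        # Same-length in-place rewrite of the live copy, timestamps restored afterwards.
        modified = b"MODIFIED DRIVER CODE".ljust(4096, b"\x00")
        with open(live_copy, "r+b") as f:
            f.write(modified)
        os.utime(live_copy, (stamp, stamp))

        return {
            "sizes_equal": os.stat(snapshot_copy).st_size == os.stat(live_copy).st_size,
            "metadata_sees_change": metadata_differs(snapshot_copy, live_copy),
            "hash_sees_change": content_differs(snapshot_copy, live_copy),
        }

if __name__ == "__main__":
    print(simulate_same_size_overwrite())
```

    The metadata check reports no change, so a restore keyed on it would leave the modified file in place; the hash check reports the change. Restoring a full image (as the post notes) sidesteps the comparison altogether, which is why it does not share this weakness.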
  10. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    If it fails... I'll go crazy :D
     
  11. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    It is sad to know that none of the virtualization/rollback software provides complete protection, as advertised and promised. After reading this thread, I lost my trust in Deep Freeze 7 :mad:
    I am thinking now about Shadow Defender and Returnil (with AE).

    Thanks guys and Wilder security for such test and comprehensive information :thumb:
     
  12. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    You shouldn't go crazy guys and make SUCH tests... :D
     
  13. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    Oh, you posted :eek:
    Never mind, no offence, I just quoted his term :blink:
    Anyway, I couldn't test with VirtualBox; it keeps making BSODs. Maybe I'll try again.

    {Snip - Blue}
     
    Last edited by a moderator: Jul 4, 2010
  14. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    It's OK, I was surprised. What system are you using then, please, Virtual PC, VMware?
     
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    A couple of OT post snipped.

    The forum isn't a malware trading clearinghouse. What you do on your own is up to you, as are the consequences. However, please refrain from using the forum for requesting and/or engaging in malware sample trading.

    Along a similar vein, if you want to communicate with someone via PM, perhaps a direct PM to them, rather than a forum post requesting that they PM you, is the most efficient path to follow.

    Thanks in advance.

    Blue
     
  16. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    You tested FDISR freeze, correct?
    Thanks for this confirmation. I did not test FDISR, I knew it would fail this, I hope that does not sound condescending as that is certainly not my intention.
     
  17. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    I tested every aspect of it: normal update from the secondary snapshot, update from archive, and Freeze (Freeze is nothing more than 2 snapshots + archive).
    With Freeze you will have the most interesting result. One reboot will be clean, the next one infected, then clean again, infected again, and so on. :D
    Well, FD-ISR was the one program that I did not expect to fail in this test (even though I already knew its limitation regarding file size and time/date, since I had encountered it with a pre-boot custom screen image I used last year).
    -These two malware do not hit the MBR, and do not try to infect the snapshot directory.

    Panagiotis
     
  18. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    I tested some TDSS samples on my production machine.
    Shadow Defender 1.1.0.325 has no problem protecting the system.
    Various TDSS cleaners show my system is clean.
    However, I've got to have more guts to test the 326 version, since it's not a public release :doubt:


    Sorry and I won't make it happen again. :'(
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Assuming you are doing the FDISR restore from an archive: what if you went into safe mode, deleted as much of C:\ as you can, and then restored the archive?

    Little less efficient, but I bet it might work.
     
  20. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Well, if you already know that you are infected, you can delete only the infected files, and updating will fix it.
    Or even delete the snapshot altogether and recreate it.
    The problem is when you are unaware of the infection.

    Panagiotis
     
  21. vhick

    vhick Registered Member

    Joined:
    Jan 21, 2006
    Posts:
    224
    Location:
    Noypi.........
    What if Shadow Defender has a folder excluded? Is the result still the same?

    Thank you...
     
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I can't see how Macrium Reflect would fail the test if you have a Macrium Reflect backup image on another hard disk which isn't plugged into your PC.
    It's impossible for malware to travel through the air onto another hard disk which isn't connected to your PC.

    FDISR: I'm not surprised that this has failed; I have kill-disk viruses which can bypass that.

    SD: so we still don't have any technical explanation as to how SD passes yet?
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I was thinking of the case where the backup image is on the same PC.

    Almost for sure Macrium will pass the test, but you never know for sure until you test.
     
  24. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    It's always a good security policy to have a backup image on a separate, unplugged hard disk; that way it isn't possible for malware, worms, etc. to copy themselves over to the other hard disk and infect the backup image itself.
     
  25. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    It's also a good security policy not to run the OS with admin rights, but you know many people don't do that. In fact most users don't work in a LUA.

    What I mean is that the question is whether the malware can survive imaging solutions in a certain circumstance. A circumstance that probably will be the one most users are in, if you understand what I mean.
     