Virtualization w/ Apps Change Controls:

Discussion in 'sandboxing & virtualization' started by apathy, Jul 27, 2009.

Thread Status:
Not open for further replies.
  1. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Semi Virtual Environment

    After reading Blue's post the 5th time about virtualization I came to an idea.
    I own both Returnil and SD. I would like to be in shadow mode most of the time and have DefenseWall protecting my nether regions ;). Is there a way that I can choose applications that have the ability to have write access in shadow mode? Those apps of course would be untrusted by DW for safety.

    If this is possible it would be a death to drive by downloads and other nasties.
     
    Last edited: Jul 29, 2009
  2. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Re: Semi Virtual Environment

    Since DW will have all your browsers untrusted by default, any malware delivered to your PC via drive-by download will also be untrusted, hence it won't have any low-level disk access and so can't compromise SD. So those two products should give you the kind of protection you are looking for out of the box. At least that's how I think it works.

    Could anyone else shed some light on this?
     
  3. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    I've been trying out this combo, SD & DW.
    I am in Shadow Mode the whole time but have certain directories
    exempt. I noticed some strange side effects from doing so.
    I exempted my firefox/thunderbird folders and I noticed that my profile
    was all out of whack. If I can figure out how to do this properly I think
    it would be *near* bulletproof protection.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have been using SD in shadow mode 24/7, with exceptions to many places, including the bookmarks/configs of my browsers. I have not noticed anything out of whack. I don't have DW though, I use SRP instead.

    Sul.
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hey Sully,

    Does SD work with LUA?
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    AFAIK it works with any scheme. Maybe you only need to think more about what it does. It is designed to keep track of what has changed since it entered shadow mode. Then on a reboot (or shutdown) it makes sure those changes are no longer present. When you exclude directories or files, they are allowed to be kept when you reboot.

    If this is what it does, it matters not if you are Admin, Power User or User, because each group's rights are not tampered with by SD. Only the state of what was changed is forgotten or remembered.

    Sul.
     
  7. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Re: Semi Virtual Environment

    Why bother allowing an untrusted app to write anything to the System in the first place? The concept behind using ISR is that you intend to keep both changes and writes to that part of the disk to an absolute minimum. I suggest changing your specific program configurations to save user data on an alternate partition or drive as it is safer by default...

    Mike
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Re: Semi Virtual Environment

    I have a question, as you are one who would know. Why would you be concerned whether 'something' wrote to your exceptions? I mean, if you are using SD or Rnil, and you are shadowed, and your exclusions are, let's say, MyDocs and a custom directory like c:\MyStuff, why would you care? In context, assume that there is no sensitive data there to lose or get stolen, only mundane things you are storing: game profiles, pdf files, .mp3's. If all my important things are backed up or on removable media etc., is it really a big deal that 'something' might like to create/modify/delete in my exceptions?

    If I make an exception for all of program files or windows or system32, then it is a different matter. I have thought a lot about this. Regardless of whether or not my browser is protected with LUA, SRP in Admin (drop my rights style) or some other tool like HIPS or DW, what can happen? If the registry and system critical files (program files, windows, root) are going to be 'wiped' of changes on the next boot, is there a concern?

    Now don't get me wrong. I am asking because I have only recently paid any attention to these programs in much earnest. I know there are more ways to use them than I will probably do, but in the interest of getting informed opinions I ask this question.

    Sul.
     
  9. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Re: Semi Virtual Environment

    Thanks for the advice Coldmoon,

    It would probably be better to put all your browser/email/etc. and its data on another partition and stay protected. I'll give this a whack on one of my other PCs and see how it goes. Btw Coldmoon, Returnil 2010 is excellent. I can't wait till its beta testing is finished. It's nice to have a malware scanner built into Returnil.
     
    Last edited: Jul 30, 2009
  10. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for the explanation Sully. I guess windchild has got me a little paranoid with his comments about badly coded apps not working in LUA when they should. So even if what you say makes sense, if the developer has coded his app to require certain admin rights to function out of laziness or whatever, even where said apps don't really require those rights, then they will have trouble functioning in LUA, am I right?
     
  11. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Ok, I'm working on this. I may continue this topic in the Returnil 2010 beta section. I changed my application data folder to drive D as well as my documents. If you don't know how, there is a tutorial here:
    http://pcworld.about.com/od/windows1/Move-Your-Data-to-a-Safer-Sep.htm
    I am going to stay in safe mode in Returnil the whole time and report any issues or side effects. Coldmoon, if I stay in safe mode 24/7 will basic settings I change on the fly not be saved? I figure as much and can do so outside of safe mode but I want to be sure.
     
  12. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Apathy,

    You should make a separate thread about this on Wilders. Ilya Rabinovich, the DW programmer, does visit this site, so if he sees a thread about DW he will respond. If there is any sort of conflict he will figure it out and fix it. Or if the conflict is at SD's end he will inform you of this and then you can get in touch with their developers to fix it.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It will depend. Many programs might merely need to be elevated with SuRun. Some are more low-level and flat won't run in LUA. I think more important is the question: what does the program do, and how would it become compromised? I think it is likely many programs you can use SuRun with, and yes they may be elevated to admin, but may not pose a threat. I mean, for example, if you had a CD-burning application that wanted admin rights to run to access a driver or something, do you normally see that as a great big security hole? I don't. Other programs, maybe a torrent client, now you are talking a different story. I don't think it is as clear cut as having a 'properly coded' camp vs. an 'improperly coded' camp. I agree with the philosophy that Windchild and others who support LUA talk about, but I don't stop using something if it does not meet that philosophy. But I do question it and not just go blindly about.

    Sul.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Do SuRun and PGS work well together? Thanks
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    They can. Remember, PGS is only a front end to SRP. SuRun is RunAs on steroids. When you use SRP, you are making specific path rules (normally) to some programs. You use SRP to restrict or allow. SuRun on the other hand is used to elevate a program up to Admin rights.

    When in a LUA, you use SuRun to start control panel or cmd prompt as Admin. If you use PGS/SRP to deny access to cmd.exe, then SuRun will not do much for you because you are denying cmd.exe from running. Typically in LUA you would use SRP for a default-deny tool. If you wish to deny running of anything in c:\myfolder, and you try to start it with SuRun, I believe it would depend on your settings. I have not tried it, and it brings up a good question. So perhaps you could perform a test.

    Use SRP to deny by default, or a specific rule to deny a test directory, say c:\test_dir. In this test dir have a few programs you would want to use as admin. Then try SuRun. If your SRP rules state (which they should) that SRP applies to users and not admins, it will be interesting to see which rule fires first. Does SuRun start in context of the user, thus SRP prohibits SuRun from starting anything in the test dir, or does SuRun start in the context of admin, thus the SRP rule for test dir allows SuRun to elevate the test program(s).

    A good question I would say, but that depends on a few factors.

    Sul.
     
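    As an added example (not code from the thread, from PGS, SuRun or any other tool named in it), a PowerShell script that reads the local SRP policy Sully's test starts from: the default level, whether the policy is enforced for administrators (PolicyScope), which path rules exist, and whether a constructed test path such as c:\test_dir falls under a Disallowed rule. The registry layout is the standard SRP store; the function names are my own and the path check is a simple prefix match, not SRP's full wildcard matching.

```powershell
# Added example: inspect the machine-wide SRP store that PGS/SRP rules live in.
# Assumptions: run from an elevated PowerShell; standard SRP registry layout
# (CodeIdentifiers\<level>\Paths\{guid}); function names are hypothetical.
$SrpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSettings {
    # Default level, who the policy applies to, and which file types are checked
    if (-not (Test-Path $SrpBase)) { throw "No SRP policy found at $SrpBase" }
    $ci = Get-ItemProperty -Path $SrpBase
    $level = if ($null -ne $ci.DefaultLevel) { $LevelNames[[int]$ci.DefaultLevel] } else { 'not set' }
    $scope = switch ($ci.PolicyScope) {
        0 { 'all users, administrators included' }
        1 { 'all users except local administrators' }   # admins skip SRP entirely
        default { 'not set' } }
    $enforce = switch ($ci.TransparentEnabled) {
        1 { 'all executables except DLLs' }
        2 { 'all executables including DLLs' }
        default { 'not set' } }
    [pscustomobject]@{ DefaultLevel = $level; AppliesTo = $scope; Enforcement = $enforce }
}

function Get-SrpPathRules {
    # One object per path rule, tagged with the security level it was created under
    Get-ChildItem -Path $SrpBase | Where-Object { $_.PSChildName -match '^\d+$' } | ForEach-Object {
        $level = $LevelNames[[int]$_.PSChildName]
        $paths = Join-Path $_.PSPath 'Paths'
        if (Test-Path $paths) {
            Get-ChildItem -Path $paths | ForEach-Object {
                $r = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{ Level = $level; Path = $r.ItemData; Description = $r.Description }
            }
        }
    }
}

function Test-SrpDisallowedPath {
    # True if $Path, or a parent directory of it, is covered by a Disallowed path rule
    param([Parameter(Mandatory)][string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    foreach ($rule in (Get-SrpPathRules | Where-Object Level -eq 'Disallowed')) {
        if (-not $rule.Path) { continue }
        $rp = [Environment]::ExpandEnvironmentVariables($rule.Path).TrimEnd('\')
        if ($full -like "$rp*") { return $true }   # prefix match only; -like is case-insensitive
    }
    return $false
}

Get-SrpSettings | Format-List
Get-SrpPathRules | Format-Table -AutoSize
"c:\test_dir covered by a Disallowed rule: $(Test-SrpDisallowedPath 'c:\test_dir')"
```

    If AppliesTo reports "all users except local administrators", a program SuRun elevates to admin is outside SRP's scope regardless of the path rule, which is exactly the factor the test above would need to pin down.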
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Thanks for the fast reply :thumb:
     
  17. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I see. Thanks for the response Sully.
     