You do NOT need any other security software...

Discussion in 'other security issues & news' started by nadirah, Dec 31, 2005.

Thread Status:
Not open for further replies.
  1. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Now I've thought of a perfect idea: why virtualisation helps your computer in so many ways!
    By using Shadowuser from: http://www.shadowstor.com/products/ShadowUser/

    By setting it up correctly, you can fool around with all sorts of nasty code, just reboot and back to normal! :D:D
    Now this may be the best solution of all!
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    But how does one save Favorites/Bookmarks?

    Acadia
     
  3. Az7 - v2

    Az7 - v2 Guest

    Simple. Put the folders into the Exclusion List.
     
  4. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    Hi, I don't use Shadowuser but I use Shadowsurfer. I think both eliminate the need for most security software... except AV & AT to scan downloads you decide to keep :)

    The AV also helps you run longer in shadow mode without rebooting, because otherwise nasties are eating you up.
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No, they don't. You can't be careless even if you use virtualization software.

    If a program you download has a keylogger (and without further protection you have no way of knowing it's there, or of blocking it), you could be spied on for hours. If a trojan uses your machine as a base for sending spam e-mail, it could do so for thousands of e-mails. If spyware looks for information on your computer, it'll find it and communicate it to the remote server.

    Virtualization software won't help with many software issues. You can't encrypt important information with virtualization software. You can't block malware from doing its nasty tricks. You can't recognize malware anyway. Virtualization software is effective only when used consciously with other protection.
     
  6. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    Sorry, I never said "careless". And yes Shadowsurfer does eliminate most security software on my PC, "careless" (now that you mention it) or not.

    That's why I said you still need an AV & AT. I forgot about the FW (sorry); I use Kerio 2.1.5.

     
    Last edited: Dec 31, 2005
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Most malware is now made to be stealthy and to benefit the attacker financially. Although virtualization software can be part of a good setup, I wouldn't trust it alone. At the *very least* I would want something that would let you know when something is trying to install a driver and/or hook. I think a more reasonable minimum would be a good AV and a firewall like Look'n'Stop that can block sending info via thread injection, dll injection/hooks, etc. etc. Virtualization software simply provides an easy method of cleaning up.
     
  8. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    But what happens until I reboot (would other machines on my network be safe)?
    Also, how would I know if I actually got malware or AV?

    Seems a good idea for people who like to play, but I'm not sure about practical real-world use.
     
  9. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I can't live without Proxomitron :p

    You take Proxomitron away from me, I die.
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Kye-U,
    I agree proxo is a very functional little application and something that I do tend to have installed (even at work). That and IE-Spyad are pretty useful for most PCs, because you never know when an IE component will get fired up by a program even if IE is not your default browser.

    To broaden its appeal and usefulness I think that proxo needs a nice little auto-update application so that it can be set up to run and get its rule updates completely unattended. That way it could be more easily set up on PCs that you help support (like friends, parents etc.) where the owners want the security to be more invisible.
     
  11. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,824
    I would have to agree with Notok here. You are safe with something like that, in a way. But what happens in the meanwhile prior to you rebooting? If you just have that, and nothing else, now some hacker or trojan is sending information from your machine to another remote location.

    Don't get me wrong, programs like this have their place, but I would not use it alone for security. As has been stated here on Wilders many times before, a layered defense is the best option imho.

    Proxo is pretty nice as well, but I stopped using it some time ago. It slows down my browsing/surfing too much for my liking. Maybe at some point in the future I will try it again, but I for one can live without it. :)
     
  12. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    ...and what about a bios virus? Going back in time will not protect you from one of those babies.

    Acadia
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I've been watching a video from Tech Ed 2005, which is a Microsoft-sponsored thing, called "Anatomy of a Hack". It leaves no doubt about the need to have both inbound and outbound protection. He showed attacking a network with a hardware firewall and no outbound protection. Amazing what he was able to do, and how much more difficult it would have been with outbound filtering on the firewall.

    Would I run with just FDISR or Shadow.... and consider myself safe? NO!!!!!!
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I will be a ShadowUser user in the future.
    Between two reboots, I assume malware is capable of doing its evil work,
    but I asked myself, what kind of evil work can this malware do to me?

    1. Stealing my initials? They may have them.

    2. Stealing my email address? They may have it, it has been stolen so many times. My spam emails prove it all the time, but I don't consider spam emails a problem anymore.

    3. Stealing my personal files? They may have them.
    If my personal files contained a secret or very personal info, I wouldn't be so stupid as to put it on my computer.

    4. Damaging my software? That's also possible, until I reboot and my hard disk is back to normal.

    5. Stealing my password for online banking. That is indeed a serious threat, BUT ...
    5a. If I access my bank account right after a reboot, my hard disk is malware-free, including keyloggers, and I only need my bank account a few times a week.
    5b. Even when they have my password, they need a special file to access my bank account.
    If that file isn't there nobody can access my bank account, including myself, and that file is NEVER on my hard disk.
    So it won't be that easy to hack my bank account.
    I'm a target of malware like anybody else, but I'm a BORING target.

    An AV/AS/AT/AK scanner usually runs one time per day, and between two scans any threat can do its evil work as well.
    So you need real-time protection, but real-time protection is only as good as the scanner is, and we all know
    that scanners don't protect you completely.
    If you want quality scanners with real-time protection, you usually have to pay for them, and ONE scanner isn't enough; if you think it's enough, you create an illusion of being safe.
    HIPS might be better, but it also requires knowledge, and the majority of users don't have that knowledge, including me.

    I'm looking for solutions that make less-knowledgeable users happy.
    My users at work are even worse than less-knowledgeable users: they are indifferent and don't care at all.
    It's a challenge for me to satisfy these users too, and SU/DeepFreeze MIGHT be the answer. It should be a challenge for the security industry too; unfortunately they don't care.
    I need a simple, very silent, time-saving and almost foolproof solution that fits into the normal actions on a computer (like a reboot), without too much software and that doesn't require any knowledge.
    SU has all these properties and NONE of the classical solutions have all these properties.
    I'm not a security analyst, but I certainly know what I and many average users want. That is one of my skills :)
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It occurs to me that to run like that with any semblance of safety, you would need to be fully aware of the risks involved, and of what SU can and cannot do for you. The issue that comes immediately to my mind is liability. I've talked to too many id theft victims for whom the bank refused to help because they weren't running an antivirus. If one of them had been doing so at my advice, I would likely be held liable for that. Programs like SU are great, but I would never recommend someone use one as a sole defense. Adding a good AV and a firewall that can silently block without alerting (such as Look'n'Stop) can give you the same effect, with much greater safety. It's one thing for you alone to run like this, knowing full well the risks and how to deal with them, but are you comfortable with the idea that this advice may be taken by those that aren't aware of those risks, and that may not be fully capable of dealing with them?
     
  16. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    ErikAlbert,

    It is always gratifying to find one's solution, but it's also important to appreciate the nature of the solution.

    ShadowUser really isn't a security solution per se, it's an approach for extremely rapid redeployment to a defined state, much like FirstDefence ISR and DeepFreeze. They all remedy the persistence of an infectious episode, but alone they do nothing to mitigate the consequences incurred during the infectious event.

    As you've described your desires, it does seem to fit as long as you adhere to the self-imposed discipline of performing tasks such as online banking immediately after a restart. In essence, your self-imposed discipline is the mitigating factor that limits the likelihood and consequences of an infection.

    For many of us, this same solution is likely not to fit. I do a fair amount of on-line shopping and so on. I really can't imagine browsing/window shopping and then restarting to clean things up before initiating a secure shopping session. Could I do it? Sure, it's just a matter of discipline. Of course, all the security related activity discussed at this site is a matter of discipline, as are the backup measures we put in place when our primary discipline lags.

    I think these approaches are great for public access PCs. I also believe that DeepFreeze/AntiExecutable is a powerful approach in the right situation, which could be a home user. FD-ISR looks to be an excellent general recovery tool. I tend not to view them as mass market home user solutions since they do place a rather heavy burden on the user to maintain a strict discipline in their PC use practices.

    Like many things in life, one size does not fit all, but you have provided a fairly concise description of a case in which SU does reasonably fit an individual. You did capture most of our desires when you noted that
    but it seems to me that moving to solutions like SU/DF/etc. just moves where the discipline, caution, and knowledge are exercised, it doesn't necessarily remove that these measures do need to be executed by the user.

    Blue
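    The thread keeps returning to the same two mechanics: shadow mode throws away every change at reboot unless the path is on the exclusion list (post #3), and it does nothing about what malware does between reboots (posts #5, #7, #16). The following is an added toy model of that behaviour, not ShadowUser or ShadowStor code. It implements a copy-on-write overlay over a dict that stands in for the disk, with exclusion prefixes written through to the real disk, a tombstone for in-session deletes, and a "network log" that represents anything already exfiltrated during the session. All paths, file contents and the exclusion prefix are constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ShadowedDisk:
    """Copy-on-write view of a disk (constructed model, not a real driver).

    Writes land in 'overlay'; reads fall through to 'base' when the overlay
    has nothing for the path. Paths matching an exclusion prefix bypass the
    overlay and hit the base disk directly, which is how the thread proposes
    to keep Favorites/Bookmarks across a reboot.
    """

    base: dict[str, bytes]
    exclusions: tuple[str, ...] = ()
    overlay: dict[str, Optional[bytes]] = field(default_factory=dict)
    # Data that already left the machine during the session (keylogger
    # uploads, spam, copied documents). A reboot cannot take it back.
    network_log: list[bytes] = field(default_factory=list)

    def _write_through(self, path: str) -> bool:
        return any(path.startswith(prefix) for prefix in self.exclusions)

    def write(self, path: str, data: bytes) -> None:
        if self._write_through(path):
            self.base[path] = data          # persists across reboot
        else:
            self.overlay[path] = data       # discarded on reboot

    def delete(self, path: str) -> None:
        if self._write_through(path):
            self.base.pop(path, None)       # excluded paths really are deleted
        else:
            self.overlay[path] = None       # tombstone: hidden until reboot

    def read(self, path: str) -> bytes:
        if path in self.overlay:
            data = self.overlay[path]
            if data is None:
                raise FileNotFoundError(path)
            return data
        return self.base[path]

    def exists(self, path: str) -> bool:
        try:
            self.read(path)
            return True
        except (FileNotFoundError, KeyError):
            return False

    def send(self, path: str) -> None:
        """Model in-session exfiltration of a file's contents."""
        self.network_log.append(self.read(path))

    def reboot(self) -> None:
        """Shadow mode's promise: every non-excluded change is dropped."""
        self.overlay.clear()


def run_session() -> dict:
    """One shadowed session with a good change, a bad change, and an upload."""
    disk = ShadowedDisk(
        base={
            "C:/Docs/tax.txt": b"constructed sample: account 12-3456",
            "C:/Favorites/bank.url": b"https://bank.example",
        },
        exclusions=("C:/Favorites/",),
    )
    # Change the user wants to keep: a new bookmark in the excluded folder.
    disk.write("C:/Favorites/wilders.url", b"https://www.wilderssecurity.com")
    # Malware dropped during the session: a payload in System32, plus a copy
    # planted inside the excluded folder (the exclusion list is also a place
    # where unwanted changes survive the reboot).
    disk.write("C:/Windows/System32/keylog.dll", b"constructed payload")
    disk.write("C:/Favorites/update.exe", b"constructed payload")
    # ...and it uploads a document, then deletes it, before any reboot.
    disk.send("C:/Docs/tax.txt")
    disk.delete("C:/Docs/tax.txt")

    watched = (
        "C:/Favorites/wilders.url",
        "C:/Windows/System32/keylog.dll",
        "C:/Favorites/update.exe",
        "C:/Docs/tax.txt",
    )
    before = {p: disk.exists(p) for p in watched}
    disk.reboot()
    after = {p: disk.exists(p) for p in watched}
    return {"before": before, "after": after, "exfiltrated": list(disk.network_log)}
```

    Running `run_session()` shows the three outcomes the posters argue about: the bookmark survives, the System32 drop and the deletion of tax.txt are undone, but the copy of tax.txt in `network_log` is still gone from the machine, and the payload written under the excluded prefix is still there after the reboot.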
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't use SU yet, because I don't have my new computer yet.
    I will start with a "Router + Firewall + ShadowUser" as protection without any other security software.
    If it turns out that I need more than that, I will change my security set but not without very good reasons.

    I consider this as a PERSONAL EXPERIMENT, not as an advice for other users (I mentioned this in other posts too.)
    I would like to know how good/bad SU really is and I'm not going to make it easy for SU.

    Up to now, nobody at Wilders has been able to explain to me what is wrong with my new security set.
    Some members warned me about hardware viruses, but these threats are very rare and very hardware related.
    If your AV scanner doesn't find them, you are also infected with these hardware viruses.

    The rest of threats are objects (registry, files, ...) that change the contents of your harddisk, but those are removed during the next reboot.
    I really would like to know which malware is able to pass through the virtual environment of SU.
    I know it happened to VMware and it will also happen to SU, but these problems can be fixed.
    They fix so many problems in other security softwares, because each software is vulnerable without any exception.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Erik

    You left out one big risk. Someone finding your machine available and using it for criminal activity. With a short time between reboots, that might not be a big risk, but if you leave the machine up 8 hours, then that risk probably goes up significantly.

    Pete
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's NOT malware related and that problem needs another kind of solution.
    I prefer to separate problems from one another.
    A computer without internet connection, can also be cleaned by a visitor.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I understand that SU isn't really a security solution like scanners, HIPS, ..., but I don't have much choice to accomplish what I have in mind:
    A simple, very silent, time-saving and almost foolproof solution that fits into the normal actions on a computer (like a reboot), without too much software and that doesn't require any knowledge.
    FDISR is NOT the same. FDISR requires different actions to restore your system, while SU requires only a simple reboot.
    Everybody knows a reboot, but not everybody knows how to recover their hard disk with FDISR.
    I don't know what kind of actions you have to do with DeepFreeze. If it is a simple reboot, then DeepFreeze is a good alternative.
    If SU fails, I will probably use FDISR or an image backup to restore my hard disk, but that is a SPECIAL situation, because SU isn't supposed to fail.
    If SU fails, it's a bug inside SU or a malware that is designed to compromise SU, but that is a problem that will be fixed by ShadowStor, just like Mozilla fixes the security holes in Firefox.
    Even when the bad guys steal my password, they still need a special file to get access to my bank account, and that file is not on my hard disk.
    I understand that not everybody has the same bank, but your hard disk is supposed to be clean after a reboot.
    So there isn't a big risk they will steal your password.
    Online banking is my only dangerous activity on the internet, where money is involved.
    I don't do online shopping. I assume many other people do, but that doesn't matter.
    I doubt that classical solutions are able to prevent stealing your credit card number.
    An installed keylogger or other malware between TWO scans is in theory able to steal your credit card number, and you don't scan your PC every minute.
    If I reboot my PC before online shopping, I'm pretty sure my hard disk is clean.
    If I scan my PC before online shopping, I'm not sure my hard disk is clean, because scanners aren't perfect.
    I don't say it's practical to reboot your PC before online shopping, and probably nobody will do it, but that's not the point.
    I think you run the same risks with or without SU if you do a lot of online shopping.
    Because I'm not an SU user yet, it's too early for me to start a discussion about this.
    I don't have any practical experience with SU; I have only theoretical knowledge.
    If security is your job/hobby and/or you need to change your hard disk all the time, I assume that SU is a handicap.
    I don't avoid the discussion, I just don't know enough; theory isn't the same as practice.
    ----------------------------------------------------
    The beauty of SU is that you know exactly what it does: no changes on your hard disk. The only problem is to keep the GOOD changes.
    So SU gives me a black/white vision, and that means purity and certainty for me.
    I could have taken any other alternative, like DeepFreeze, but SU is my choice for several reasons.
    Time will prove how right or wrong I was. I trust my intuition when I'm not sure of anything.

    The classical solutions are a big mess IMO.
    Which software protects you against which malware?
    How many scanners do I need to protect me against keyloggers? One, two, three, ... is that enough?
    Nobody at Wilders can tell me for sure how many AK scanners I need to get rid of all of them, if that is even possible.
    I only get a list of possible AKs and that's it. The same with AV, AS and AT, and endless discussions about which scanner is better than the other.
    All these scanners detect/remove certain malware, but most people don't even know what.
    Is my PC malware-free after running 15 scanners? I'm not sure.
    Each time a scanner tells me I'm malware-free, I think "What about the malware you didn't detect?"
    Choosing the right combination of security software is a nightmare.
    No wonder that security suites are so popular, not because they are better, but because they are easier.
    Processguard: YES or NO? I have a 50% chance of giving the right answer. I admit it's better than the lottery.
    Sorry, but that's not my style. I can't live with that kind of insecurity. :)
     
  21. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Agreed. However, the end result - restoration of a system to a known previous state - is the same. An image restoration yields the same result as well. Don't focus on how you get to the end result, just where you end up. I lump them all together to emphasize what this approach does accomplish - it yields a known and defined (not necessarily clean, but let's assume that) working system - and what it does not accomplish - it provides no mitigation between the occurrence of an infection and the next system restoration.
    I don't disagree with your analysis. I'd only comment that security applications provide continuous mitigation which is not dependent on continuous user discipline, while an SU-only type approach shifts the mitigation solely to active adherence to strict user discipline.
    Understood.
    On the other hand, keyloggers do not magically appear on your system. They have to be installed. That installation has to result in specific operations that will result in keys being logged. Having the keys logged is only the first step. For that information to be useful, it must be forwarded to some location off the PC. Various detection approaches work at different points in this chain to apply a remedy, and any of the remedies applied will work.
    The comparative performance discussions do tend to focus on effectively meaningless fine differences. Unqualified celebration of detection rate differences of, say, 99 vs. 97% is misguided. There's really a lot of detail behind the numbers before you can firmly state that the 99% result is different from, or even better than, the 97% result. Mind you, I'm speaking very hypothetically here and I will tacitly assume like everyone else that the 99% detection is at least on par with the lower result, but in fact it is important to recognize that this involves an implicit assumption that all missed samples for both products have the same wild prevalence and impact. That's one reason I view detection rates in somewhat broad tiers rather than finely graded percentages.
    This is a valid point; now what is meant by malware free? Simple residency of flagged files on your PC does not mean you are infected. Too many people survey various products, note that a rescan of their system by product X reveals a collection of flagged files, and immediately jump to the conclusion that they've been compromised. Nothing could be further from the truth. Malware files are comprised of the same ones and zeroes as any other computer file. To do something, it must be executed and performing tasks. Simple residency on the disk means little, so there is a next-level check available, which I realize is not terribly accessible to the casual user.
    If your aim is to plug every possible contingency on a PC, I'd agree. If your aim on the other hand is to be reasonably protected, I wouldn't say that it's very complicated at all.
    They are also arguably better than many of the piecemeal solutions that I continually see cobbled together. Suites are a good solution for the masses.
    For the masses, I tend to agree. Measures such as PG tend to be a coin toss; augmented by a comprehensive expert-based whitelist it's no longer a coin toss, although the closest that comes to this ideal is probably AntiExecutable (and even that seems to require an initial pristine state to work from).
    My only point is that you are moving how you take action and where you take it; not that action must be taken and that ultimately user decision is involved. After all, you will decide if and when to restart to clean the system; you will decide whether your initial state is a validated clean state; you will decide whether or not to relax discipline to get things done in an expedient manner. The level of user action required is high, which is absolutely fine as long as user discipline is maintained.

    Blue
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Sure it's malware related. How do you think the bad guys get control of the machine?

    Note also FDISR does have a freeze option. I've never used it but it looks like you can even store the frozen archive on an external drive.
     
  23. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Correct, in fact that is the recommended method in the Help files, it's faster that way.
     
  24. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,212
    I have read many posts by ErikAlbert and his conceptual approach towards finding the perfect ideal software in an ever fast changing world of malware.

    Unlike him, I have been using ShadowUser for 5 months in conjunction with AV + FW + HIPS + Registry protection. This is not new and has been dealt with in many other threads; what I find interesting in ErikAlbert's analyses is not his minimalist approach, but arguably the possibility to operate a computer without any AV (or any signature-based application), almost a sacrilegious suggestion to a security-minded person these days.

    I for one consider NOD32 my most important protection along with ShadowUser but I'm also wondering what would happen if I just used for example ShadowUser + HIPS + FireWall and a registry protector? Basically there would be no more updates, no more yearly payments, a sort of set it and forget it situation.

    I also tend to agree that to run ShadowUser as a single security application gives more protection to the indifferent user than perhaps an Antivirus application on its own.
     
  25. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    For anyone reading this thread, the most important take-home message for me is that ErikAlbert has taken the time to perform some self-education, assess what he wants, articulate a solution within those boundaries, and start the process of rationally implementing it with the full understanding that the solution is fluid and dependent on the existing challenges and how the articulated solution performs.

    I don't doubt that in the right hands this approach is viable. The simple fact that very advanced users are able to run AV free and not suffer overwhelming infections is basic confirmation that it can be done. But like any activity, because it can be done doesn't mean I can do it successfully. For example, if I implemented it as my family approach, I'm fairly certain that grief would eventually follow. It might not happen for a few months, but it would happen.

    The Grail would certainly be a single turnkey approach to the problem that works for anyone, unfortunately that appears beyond reach at the present, which means that users have to educate themselves on matters that they would probably rather avoid and make some choices based on the level of direct action they commit to employ in the solution.

    Blue
     