ZoneAlarm Free + ShadowUser

Discussion in 'other anti-malware software' started by ErikAlbert, Oct 7, 2005.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Keep in mind that this thread is pure hypothetical. I didn't do anything yet. I didn't decide anything yet.
    Consider it as a dream of a user or maybe a nightmare/daymare for security experts. :)

    I'm thinking of a new security set on my computer : ZoneAlarm Free + ShadowUser and that's it.
    I know, it sounds CRAZY, INSANE, UNACCEPTABLE etc. etc. etc., but remember it's my computer.
    On the other hand, it seems to me that not many members actually use ShadowUser (SU), which means there isn't much practical experience with SU either and those who use SU don't complain and are satisfied.
    As far as I know, these SU-users install SU as an additional software together with all their AV/AS/AT/AK-scanners and/or pro-active softwares and that's exactly what I don't like to do.
    So I'm going to TRUST ShadowUser for 100% and act like a newbie on the internet in ShadowMode and of course I will install/run/un-install scanners and run online-scanners occasionally, but only for one reason : to CHECK how good or bad ShadowUser really is.

    I will NOT use :
    - any definition/heuristic-based scanner (AV/AS/AT/AK)
    - IE-SPYAD (no restricted zones) or HOSTS File, which will be empty.
    - any shield
    - any proactive software
    - any other sandbox software, like AntiMalware, DefenseWall, Sandboxie, ...

    I keep on using :
    - win2000proSP4 (fully patched).
    - MS Internet Explorer with default settings.
    - Mozilla Firefox as browser, but without extensions and with default settings.
    - Mozilla Thunderbird as email-software.
    - ZoneAlarm Free as firewall and of course ShadowUser as sandbox software.

    I chose SU, because SU puts my whole harddisk in a virtual environment.
    My choice is certainly not based on expertise, I always follow my intuition when I don't know anything about it.
    I also don't consider SU as THE solution, but I like the philosophy behind SU and I don't like the rest of the solutions.
    So there is nothing else for me, until somebody invents another solution better than a virtual environment and then I ditch SU.

    A virtual environment has several BIG and VERY WANTED advantages for users and certainly for less-knowledgeable users and I can't put these advantages aside, because they don't exist in the traditional solutions.

    Preventive
    Prevention is always better and smarter than curing and SU is a full prevention, until the opposite is proven in practice.

    99% Foolproof
    Scanners collect malware in definition databases and when the malware isn't in the database, they try to find it with the heuristic method and when that doesn't help you are infected.
    SU puts your harddisk in a virtual environment and ANY infection will be removed after reboot, which means any existing type of malware and any new type of malware.
    In other words : a 99% foolproof protection in theory, until the opposite is proven in practice.
    I couldn't say 100% foolproof, because that will never exist, neither in computers, nor in real life.
    Also SU and other sandbox softwares will ever be a target of the bad guys.

    No Scan Time
    1. Because scanners collect what the bad guys do, that collection will increase CONSTANTLY.
    Some scanners already have more than 200,000 definitions.
    There was a time Spybot had about 12,000 definitions and now it has more than 29,000 definitions.
    A2 was almost nothing in the beginning and has now more than 170,000 definitions.
    And that happened in just 14 months, when I joined SWI and later Wilders.
    2. Although all good AV/AS/AT/AK scanners detect/remove grosso modo the SAME malwares, there are differences in quantity and identity and that's why you need more than one scanner of each kind, which results in an absolute minimum of 8 scanners (2 x 4) and each of these scanners has its own scan time and it doesn't matter if the malware is there or not, the scan time remains the same.
    3. Due to competition, the scanner companies refuse to combine these definitions in one single database for each type of malware.
    So all these scanners together take a lot of unnecessary time to do their job.
    In computer science they call this REDUNDANCY, which is a SIN, because you don't detect the same threat more than once, computers are made to avoid redundancy, unless the security companies don't want this.
    4. All what users want is doing their job from 9 to 5 and anything that keeps them away from doing their job, irritates/angers them and malware + anti-malware is one of these irritating things.
    So these users hate security, unless it doesn't bother them and all traditional solutions are irritating.

    SU requires only a reboot of 5 minutes to remove everything and the reboot time remains the same, while the total scan time of scanners only will increase in the future until the users lose their patience.

    Quiet
    SU is also very quiet, because there is nothing to report, no updatings, no annoying questions, no YES or NO decisions to make.

    Freedom
    I want my freedom back on the internet, the same freedom I had in my newbie time, unaware of any threat, because I'm too curious and I like to try everything on internet, even when it's "dangerous".
    I also want to visit every website, infected or not.
    My own discipline on the internet is killing me, because I don't like to be careful and I don't want to become paranoid either.

    SU gives me that freedom back, because I can do whatever I want, without getting hurt and that's what a lot of users want. They want to ENJOY the internet.

    Reassurance
    Scanners don't give me the feeling that my PC is clean and the fact that scanners report nothing doesn't mean anything to me, because I know how these scanners work.
    So these scanners give me constantly a false feeling of having a clean computer.

    SU gives me that reassurance, until the opposite is proven in practice.

    Simplicity
    SU has a philosophy that is easy to understand for everybody.
    After a simple reboot, any malware is gone and you can start all over again.

    Cheap
    ShadowUser costs $69.99 which looks expensive, but when you want the best scanners and other softwares, you have to pay a lot more than $69.99.


    I have to go now, because my shrink and two male nurses want me back in my cell. :)
    Any thoughts are welcome of course.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Congratulations! I think it's an ideal setup.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  3. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Erik - first of all i suggest you demand that the male nurses are changed to female ones. ;)

    i've never used SU so i'm not familiar with it - what happens if you want to update your bookmarks, download an mp3 or a jpg or install a new program? are they all lost on reboot? is it possible to keep what you have downloaded or installed? (if yes then you could let a trojan into your system) the main reason i uninstalled sandboxie was because i couldn't update bookmarks and downloading meant transferring files from the virtual folder. i think sandbox software is ideal if all you want to do is surf.
     
  4. beveryafraid

    beveryafraid Guest

    I hope you don't get one of those old school destructive viruses that format all your paritions. :)
     
  5. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As long as it's only formatting, I can restore my harddisk. I have everything on CD to restore my harddisk.
    It would be interesting to know what SU would do when these viruses are installed in the virtual environment.

    In a virtual environment, you can try everything, but that doesn't mean you have to install or keep it.
    Using SU doesn't mean that everything is suddenly malware-free, but without SU I can't even try things without getting infected.
    I only want to try and see things one time, without keeping or installing them. That's enough for me.

    Some people like to believe that running every scanner on their downloaded file is enough to consider this file as clean.
    I don't trust these scanners, because they are far from complete. They make you think your downloaded file is clean.
    There is a big difference between "thinking" and "knowing".

    Toploader are you sure, YOU are protected against these very rare hardware attacks ?
    Those viruses are written for specific hardware components.
    So the hardware component has to be on your computer, the virus must be there on your harddisk and needs to be activated, before such a virus is successful. I never had such a virus on my harddisk, not even in my newbie time.
    This is just a matter of having very bad luck.

    In the past there were a few major outbreaks of malwares, that damaged a lot of computers world-wide.
    Where were all these very well updated AV softwares during these outbreaks ? Sleeping or what ?
    Whatever the reason was, it's predictable that scanners would fail in such a situation for several possible reasons : no anti-dote available in time, no updating in time, no scanning in time, ...
    What I would like to know is what SU would do during these major outbreaks.

    There isn't much practical experience with SU available, because everybody uses the traditional softwares and they only use SU as an additional software together with the traditional softwares and they don't use SU all the time, which makes it impossible to prove how good or bad SU really is.

    P.S.: I will ask for female nurses, but most of them look like men without a p... :)
     
  7. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Erik - i think hardware viruses are the way forward - why go for software when you can screw the hardware? - however as you say - easier said than done - i think the only truly safe way to surf is to have a virtual internet connection where you THINK you are surfing the net but you are in fact hallucinating thanks to the psychedelic blue pill provided by the agency nurse (always demand an agency nurse) ;)
     
  8. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    BTW Erik - you have us all curious now - what websites are you going to visit with the new found freedom that SU will give you? (hypothetically speaking of course) ;)
     
  9. BILL G

    BILL G Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    80
    Location:
    MN USA
    NO GUTS NO GLORY ZAF works for Me SU ?
     
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    I've been using Shadowuser (and am a reseller) for quite a while now and tested with similar products as well

    Like: Deepfreeze , Illusion, and Watch-IT

    Of course the setup can work, but you must not forget this:
    When running in Shadowmode you can NOT write data to the disk
    and keep it there after switching mode (for security reasons/techn. it can)
    Example: If you use Outlook/ or -express ,(which is near my personal opinion the most unsafe mailclient), you can get a virus on your system,
    If you KEEP this email. (exclude the directory in ShadowUser)
    then this is really asking for trouble.

    It can work if you only use webmail, and have your data somewhere else
    where it can not be infected.

    I am using a similar setup for lab-pc , i don't have to worry about the
    system getting infected, and i can use Windows XP

    (normally i use FreeBSD and Solaris on systems which contain sensitive data)

    That seems to work fine, but it took me a long time, to create a setup
    which was usable, example: if you want to use a virusscanner on the PC mentioned, you have to update it sometimes.(exclude which dirs?)
    If you want to add software (must go out of ShadowMode)
    you are taking a risk ! etc.
    So if you combine it with True Image (:cool: with an external USB disk
    (that is what i do) and simply unplug the disk when not needed
    you can backup AND ARCHIVE your diskimages there (in NON-shadowmode / after losing all the wrong changes),
    if there is a problem (after installing new software etc.)
    it is very easy to attach the usb-disk and restore a diskimage
    from a date/time before the last change.

    So i don't think it is a bad idea.

    At this moment, i am testing Watch-IT which is a hardware-device
    PCI-card or USB-stick that does the same as ShadowUser,
    but also protects your pc's BIOS
    And is of-course less expensive.
    And it can restore a 40GB disk in 2 seconds!!!!! (like the shadow image)

    * * But Watch-IT still gives a lot of checksum errors etc. and has a limited
    amount of changes it can handle * *

    Deepfreeze and Illusion are just not as good as shadowUser (less advanced).

    The only thing i think is REALLY WRONG with shadowUser, is the fact
    that it has NO REAL user/password protection.

    I personally am convinced that a next version will have its OWN
    username and password protection system.

    Now this is not available, it uses the VERY weak Windows user info.
    which is of course not a real protection.

    That is why ShadowUser can't be used in a cyber/Internet Cafe or School
    like they do with DeepFreeze and Illusion and Watch-It.
    Everybody can switch modes themselves.

    BTW ShadowUser is not compatible with tools like DriveCrypt Plus Pack etc.

    So take care of these two things:

    1) be careful while switching out of ShadowMode
    (while installing software or updates)

    2) Be VERY careful with Excluding directories !

    Success !
     
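    The two warnings above (switching out of ShadowMode, and excluded directories) can be made concrete with a toy model of a reboot-to-restore overlay. This is an added example, not ShadowUser's code: it assumes writes in shadow mode go to a discardable overlay, that paths under an excluded directory are written straight to the persistent disk, and that leaving shadow mode commits the overlay. All paths and file contents are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ShadowDisk:
    """Toy model of a ShadowMode-style disk overlay (assumption, not ShadowUser's design)."""
    base: dict = field(default_factory=dict)      # what is really on the disk
    overlay: dict = field(default_factory=dict)   # changes made while in shadow mode
    excluded: tuple = ()                          # directories written through to base
    shadow_mode: bool = True
    log: list = field(default_factory=list)       # audit trail of where each write landed

    def _is_excluded(self, path):
        # Anything under an excluded directory bypasses the overlay.
        return any(path.startswith(d.rstrip("/") + "/") for d in self.excluded)

    def write(self, path, data):
        if self.shadow_mode and not self._is_excluded(path):
            self.overlay[path] = data
            self.log.append(f"overlay write {path}")
        else:
            # Out of shadow mode, or an excluded path: this change survives a reboot.
            self.base[path] = data
            self.log.append(f"PERSISTENT write {path}")

    def read(self, path):
        if self.shadow_mode and path in self.overlay:
            return self.overlay[path]
        return self.base.get(path)

    def reboot(self, commit=False):
        """Reboot discards the overlay; commit=True models 'keep my changes'."""
        if commit:
            self.base.update(self.overlay)
        self.overlay.clear()


def persistent_writes(disk):
    """Return the writes that will still be there after a reboot."""
    return [entry for entry in disk.log if entry.startswith("PERSISTENT")]


def demo_exclusion_risk():
    """Constructed scenario: a dropped DLL and a mail store in an excluded directory."""
    disk = ShadowDisk(base={"C:/Windows/system32/kernel32.dll": "clean"},
                      excluded=("C:/Mail",))
    disk.write("C:/Windows/system32/evil.dll", "dropped file")    # lands in overlay
    disk.write("C:/Mail/Inbox.dbx", "mail with attachment")        # excluded: hits disk
    disk.reboot()
    return {
        "dropped_after_reboot": disk.read("C:/Windows/system32/evil.dll"),
        "mail_after_reboot": disk.read("C:/Mail/Inbox.dbx"),
        "persistent": persistent_writes(disk),
    }


def demo_commit_risk():
    """Constructed scenario: leaving shadow mode with a change still in the overlay."""
    disk = ShadowDisk(base={})
    disk.write("C:/Program Files/new/setup.exe", "untested installer")
    disk.reboot(commit=True)   # the 'keep changes' path tuatara warns about
    return disk.read("C:/Program Files/new/setup.exe")


if __name__ == "__main__":
    print(demo_exclusion_risk())
    print(demo_commit_risk())
```

    The model shows only what lands on disk; it says nothing about data that already left the machine while shadow mode was on, which is the separate point raised later in the thread.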
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    @tuatara,
    Thanks for your post. At least you have practical experience with SU.
    Because SU doesn't allow any change on your harddisk (in ShadowMode), it's logical that allowing the GOOD changes can be a problem. Once you have solved that problem and take the necessary precautions each time, it might work to use SU as a stand-alone protection together with a firewall.

    BUT I'm just not sure enough, because I'm not the right person to do this experiment.
    I'm not afraid to do this, but my knowledge about malwares is too poor to assure other members that SU is really safe enough to use it as a stand-alone protection.
    So if I ever do this for real, I would do it for myself only, just because I'm not a security expert.

    @toploader,
    :D All curious ? You mean just you. :D I'm glad you remembered the word "hypothetical" in my first post.
    It's a pity, I have only one computer and not a second computer for testing, like some members have.
    Another problem is that I have to buy SU ($69.99) and I don't like to pay for security softwares, but for SU I would make an exception, considering the many advantages.
    Another problem is that I'm not a security expert. So I don't even know how to control this experiment.
    If SU would make mistakes due to bugs and infect my computer, I wouldn't even notice it, unless my scanners would detect it.
    I'm just not the right person to test SU in an extreme situation.

    Choosing and visiting infected websites is the easy part. IE-SPYAD and all these HOSTS files have enough websites to keep me busy for more than a year.
     
    Last edited: Oct 8, 2005
  12. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    perhaps you can persuade your wife to give you SU as a birthday present Erik. ;)

    like you i don't like paying for software - i like to see how much is possible with the free stuff.
     
  13. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    This kind of setup isn't for me because I like to have a protected system, change a lot of things on system, test programs, etc...

    But if you just install and don't change anything until the next format, good luck because you can be infected and damage your system, some private info can be sent... :)
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    About what kind of infections and damages are you talking ?
     
  15. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    VaMPiRiC_CRoW has a very good point here, in our labpc, the only thing we worry about, is that the data gets infected or corrupted by a virus etc.

    In that situation ShadowUser is perfect, because it can always undo
    the harm, and we can trust our system again.

    Another thing is, that while in shadowMode your system GETS infected,
    since there is no confidential data on the labpc we don't mind,
    even if some data was sent to the world in the meantime.

    There is no private data and there are no credit card numbers etc. on it.

    So VaMPiRiC_CRoW has a point:

    After Deactivating ShadowMode the changes are gone,
    but Private information can already be sent (if there is any)
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Sorry, but I still don't get it.
    It is normal that your system gets infected in the virtual environment of SU, when ShadowMode is ON, because you are installing and trying a downloaded infected software for example.
    BUT all these infections are GONE after rebooting your computer, including the infected software.
    So I don't see the trouble, because everything is back to normal after reboot.

    Here I fully agree with VaMPiRiC_CRoW and you.
    But that's why I made my computer as impersonal as possible.
    My first name, my initials and email-address are the only personal data on my computer.
    If some temporary infection succeeds in sending one of these THREE personal data, it will be useless for the receiver.
    So I don't see a problem there either.

    I admit that not everybody is able to do the same thing like me on his computer, but that wasn't the goal of my thread either.
    I only want to know if a security set with only a "Firewall and ShadowUser" is possible or not :) .
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Like you already know and tuatara said, until you restart your system you can be infected and send personal information, but since you say that on that computer you don't have problems with personal data...
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I assume there are enough softwares to protect your personal data and in that case you need an additional software to protect your personal data, but I don't need that one.
    They steal my email-address all the time on the internet, which causes only more spam-emails.
    But I don't consider spam-emails as a problem. Opening and closing Thunderbird is enough to remove all my spam-emails.
    If everybody would act like me, spammers/scammers would die out like dinos without any effort.
    USERS keep spammers/scammers alive on the internet.
     
  19. I fully agree!!
     
  20. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    I can understand the above, it really depends on what you use your computer for.

    ShadowUser (in this case, see thread title) is perfect for a fileserver
    or a labPC with no personal or confidential data on it.
    For the record you can install software in ShadowMode and keep
    the data after a reboot! (for testing software that needs a reboot after install). And you still can undo the changes when you don't like the installed prog, by switching modes.
    But if you test a lot of software you better use something like
    True Image (i use: v. eight ). This works perfect for that.

    Another thing where you can't use ShadowUser for (in this case, see thread title) is
    on your home-family pc to prevent your kids from messing up your pc.
    Because it is too easy to switch out of ShadowMode (even for small kids).
    And then you are totally unprotected (except the FW of course).
     
  21. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    In SU can't you set a password for mode control?
     
  22. Yes full image backups are good. Peter favours firstdefense-ISR but that's similar i think. But then again, vikorr who i believe tests a lot of software uses SU, so who knows..

    Then there is VMware which is yet another option. But I don't like the idea of vmware, because I understand you start from the scratch, and you got to build up the whole thing again as if you got a brand new computer. Lots of work. If I use it, i would have to build it up (install windows, install other software) so it runs exactly like my current setup? so is there a fast cloning option?

    Imaging software, is easier. But vmware is nice if you need a test environment to test some trojan. But not so good to test compatibility, unless you set it up to be exactly like your base setup?


    I'm a bit confused about shadow user

    Shadow user seems to be closer to Antimalware, though it is tending towards the true image/ghost side of things as well.
     
  23. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I've tested very few programs. Online Armor, AntiMalware and that's about it...Prevx1 if you wish to call it a test also, although it's supposedly a simple upgrade from Prevx Pro.

    Why not give up bringing me up in your posts? Most everything you say shows no knowledge of who I am, what I do, or the reasons for them.

    Personally I don't find any benefit in talking to you, and have no wish for you to discuss me in any fashion, so I would ask that you please stop using my name in any of your posts.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Do you know of specific instances where this has happened, either to you or someone you know? No hypotheticals, please - name of trojan or worm that ran the payload.

    You read all kinds of statements about your personal data being sent out, and there is understandably a lot of fear about this, but I'm skeptical that this occurs with people who have secured their systems, especially with a properly configured firewall.

    Trojans often piggyback out on another program. I found one that attempted an outbound connection using Windows Explorer, and was blocked by the firewall:

    https://www.wilderssecurity.com/showthread.php?t=94927

    Worms often use their own SMTP mailing engine, as in the recent SoberQ and was blocked by the firewall when I tested it:

    https://www.wilderssecurity.com/showthread.php?t=100754

    The few real trojans/worms (not demos), I've been able to test have been easily thwarted from carrying out their payload.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I think it's very possible! I've run a similar setup for a long time.

    What makes this possible is the way you've set up your entire approach to security as outlined in your first post.

    Keep track of how things go, and post back with your observations!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     