Shadow Defender bypassed by TDL rootkits???

Page 2 of 3


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 4/7/2010, 12:37

Just tested a Rootkit dropper file with Shadow Defender 1.1.0.326 (and repeated with 1.1.0.325 with the same results below):

1. Freshly installed guest Windows XP, SP3, 32-bit, VirtualBox VM (all run sandboxed with Sandboxie haha)
2. Shadow Defender installed and Shadow Mode enabled (tried with both "Enter Shadow Mode on Boot" and "Exit Shadow Mode on Shutdown" with the same results below)
3. Rootkit dropper file executed
4. Windows appears to restart spontaneously
5. Once past the Welcome screen, a Windows error appears:

6. On clicking for more details, we get this:

7. As you can see, there appear to be newly created files!
8. On browsing to find those files, I come across a folder called "WER57c3.dir00". Inside this folder, there are 3 files called "Mini070410-01.dmp", "manifest.txt", and "sysdata.xml"
9. A full scan with MBAM reveals no infection

I don't know about you guys, but my initial impression is that this isn't a good look for Shadow Defender. I guess you could argue it's good because it prevents malware infection (this time around and according to MBAM), but how come I got a Windows error, and furthermore, why do I have a newly created folder called "WER57c3.dir00"? Shouldn't Shadow Defender put my system back into the state it was before on reboot?

A few things need to be noted though - I tested this in a sandboxed VirtualBox - perhaps the error came about due to the (complicated) testing configuration and has nothing to do with the rootkit dropper. If so, I suppose Shadow Defender could be excused for allowing "WER57c3.dir00" to be created after reboot?

I have to repeat again, this type of technology (light virtualisation) doesn't give me the same peace of mind as eg. Sandboxie. In fact, sometimes I feel this type of technology makes me more anxious about my system every time I reboot!

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14
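The objective way to settle the question raised in steps 7 to 9 is to snapshot the file system before entering Shadow Mode and again after the reboot, then diff the two. The script below is an added example, not from the thread or from Shadow Defender: it hashes a directory tree, reports what was added, removed or modified, and runs a constructed demo that mimics the observation above (the WER57c3.dir00 folder and its three file names come from the post; its location, the other paths and the file contents are assumptions built in a temporary directory).

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def diff_snapshots(before, after):
    """Classify what persisted across the reboot as added / removed / modified."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def rollback_was_clean(report):
    """True only if nothing from the Shadow Mode session survived the reboot."""
    return not (report["added"] or report["removed"] or report["modified"])


def demo():
    """Constructed before/after trees: session changes roll back, a WER folder does not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "C"
        # State captured before entering Shadow Mode (constructed sample files).
        (root / "WINDOWS").mkdir(parents=True)
        (root / "WINDOWS" / "system.ini").write_text("[boot]\n")
        (root / "Documents and Settings").mkdir()
        (root / "Documents and Settings" / "notes.txt").write_text("keep me\n")
        before = snapshot(root)

        # Changes made during Shadow Mode that a correct rollback must undo.
        (root / "WINDOWS" / "system.ini").write_text("[boot]\nchanged=1\n")
        (root / "dropper.tmp").write_bytes(b"\x00" * 16)
        # Reboot: the virtualization layer discards the session.
        (root / "WINDOWS" / "system.ini").write_text("[boot]\n")
        (root / "dropper.tmp").unlink()

        # What the post reports after the reboot: a WER report folder that was
        # not rolled back. Folder and file names are from the post; the
        # location at the drive root and the contents are assumptions.
        wer = root / "WER57c3.dir00"
        wer.mkdir()
        for name in ("Mini070410-01.dmp", "manifest.txt", "sysdata.xml"):
            (wer / name).write_text("constructed placeholder\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:8} {p}")
    print("rollback clean:", rollback_was_clean(report))
```

On a real test the two snapshot() calls would be made on the live guest before entering Shadow Mode and after the reboot, and the diff alone cannot tell whether a surviving file was written before the product's driver loaded or was missed by it; that needs the product's own logs.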

Re: Shadow Defender bypassed by TDL rootkits???

Post by Guest on 4/7/2010, 17:27

I still like (and use) Shadow Defender (I have always used it with Sandboxie) but I felt most disturbed (with Shadow Defender) when I lost settings at times to virus checker connections etc or lost registration to programs. Some people complained of problems with this sort of software and unexpected stuff (on re-boot) when hard shutdowns occurred (for other reasons) during Shadow Mode.
I love Sandboxie because it is always stable (even in beta form) and I can have almost instant access to the developer who listens and reads the forum and if a "glitch" occurs it will often be fixed within hours; it is my topmost cherished software and I loved it from day one.
There were some conflicts with Shadow Defender in the past but Tony and Tzuk ironed them out. Sorry if I strayed slightly "off topic"
ssj100 wrote:
I have to repeat again, this type of technology (light virtualisation) doesn't give me the same peace of mind as eg. Sandboxie. In fact, sometimes I feel this type of technology makes me more anxious about my system every time I reboot!

Guest

Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 5/7/2010, 01:51

ssj100,
With the guest XP crashing so soon after you execute the malware, it makes it hard to say that Malwarebytes not detecting it after reboot means very much.
Have you heard, or know, that it does?

If not, and you still have that snapshot in VirtualBox, it might be a good idea to install Avira and scan.


Do you think that second file is a mini-dump that may be created in the boot sequence prior to ShadowDefender kicking in?

Rather like my question about the entries in the system section of the event viewer, that were created after each reboot, even in ShadowMode?

I do agree with you.
My understanding is NOTHING is left over from a previous ShadowMode session after reboot.

It ain't so.

noor

_________________
ShadowDefender 1.1.0.323, Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender, Malwarebytes on demand.
noorismail
Moderator

Posts : 193
Join date : 2010-06-23

Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 5/7/2010, 04:25

With regards to MBAM not detecting it, I'm meaning it didn't detect it because Shadow Defender probably did its job properly. Before I entered Shadow Mode, the malware file (executable) didn't even exist on the testing system (it was on a network drive or equivalent).

Regardless, I am guessing that the crash and subsequent error message and creation of files is probably due to my testing configuration rather than Shadow Defender not doing its job. I guess the only way to be sure is to do the test on my REAL system (something I am tempted to do given I can restore an image fairly easily with Drive SnapShot!). I read on other forums that they may be testing to see if these rootkits can bypass imaging back-ups. I highly doubt they can, since it would mean they survive a (quick) format of the drive/partition.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 5/7/2010, 05:55

ssj100, I hate to keep whipping the print spooler service dog to death, but mention of it still comes up in the forums related to this.
On your real system, I think you said in the past, it is disabled, but on the guest XP install in the VirtualBox, everything in services is default, as Billy G intended, right?
You do not tweak the services in the VirtualBox XP?

noor
noorismail
Moderator

Posts : 193
Join date : 2010-06-23

Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 5/7/2010, 06:24

Print spooler service is enabled in my VirtualBox XP. I think all the other services are default except Automatic Updates and Security Center are disabled.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 5/7/2010, 19:24

ssj100 wrote:Yes, it appears that Shadow Defender is the only program of its type that protects the system against these rootkits. Just goes to show that single developer software is the best haha.

~snip for relevancy of reply~

It's also interesting to see Coldmoon (Returnil associate) make comment. His arguments appear (not surprisingly) very biased and watered down (in an attempt) to grey out the FACT that Returnil is BYPASSED well and truly. I wouldn't be surprised if he's searching for Tony to ask him how the heck Shadow Defender works haha. Coldmoon's argument appears to be that Returnil's light system virtualisation component cannot be relied upon as the only layer of security etc etc.

Hi ssj100,
Your conclusions for both are incorrect.

1. SD is just as vulnerable as any other light virtualization solution and uses internal antimalware features to protect against newly discovered bypassers. The difference is that we are honest about the issue and include our AM functionality in a way that can be seen and adjusted as required by the customer.

2. We don't need Tony's help as the approach/technology he is using is similar to the older type we used in the pre-2008 series which was hardened with the add-on utilities in 2008 and has been vastly upgraded in both the 3x line with the Virus Guard and hardened in the RVS Lite 2011 (was Labs) series which is closer in design to the previous 2008 series.

3. We/I have been consistent in regards to acknowledging and addressing every report of a bypasser and have not tried to hide or obfuscate the issue in any way. Take for example the fact that we have also been extremely up-front when discussing the inherent vulnerabilities of each component as a stand-alone solution. There is no such thing as a silver bullet! True security comes from understanding your risks and then working to mitigate those risks as efficiently as possible. To truly test LV solutions against these types of malware you need to understand what is really going on with the software and understand HOW it does what it does...

With Kind regards
Mike

Coldmoon
Security Professional

Posts : 15
Join date : 2010-07-05

Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 5/7/2010, 19:33

Hi Coldmoon (Mike), and welcome to the forums! Thanks for the clarification. Apologies for my comments if it caused confusion/insult - some of the comments were made in the spirit of humour (particularly the one about asking Tony for help).

You are of course correct that there is no such thing as a silver bullet, but perhaps there is such a thing as a silver "security approach/setup".

By the way, I'm sure most of us here would appreciate it if you could explain how Shadow Defender is not bypassed in the tests here:
http://ssj100.fullsubject.com/shadow-defender-f3/light-virtualization-software-partial-sandbox-test-t166.htm

Keep in mind that Shadow Defender does not have an antivirus component, nor does it have an anti-execution component. Given this, how come Returnil 2010 fails while Shadow Defender passes? Keep in mind that the aim isn't to test anti-execution or blacklisting technology (if it was, we'd also be testing MBAM, Avira, Faronics Anti-Executable 3, SRP/AppLocker etc), but it is a test of Light Virtualisation and Rollback technology.

In other words, please elaborate on this (important part underlined):

1. SD is just as vulnerable as any other light virtualization solution and uses internal antimalware features to protect against newly discovered bypassers. The difference is that we are honest about the issue and include our AM functionality in a way that can be seen and adjusted as required by the customer.

The bolded part above implies that other vendors are not being honest (in particular Shadow Defender), which is a very interesting way of putting it. Care to elaborate on that also? Thanks.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 5/7/2010, 19:59

noorismail wrote:Really I am surprised that Returnil2010 failed with all the added bells and whistles.

Hi noorismail,
No, RVS passed through the activation of the AE in that specific test at Wilders and proves our approach as both valid and efficient. The AE did exactly what it was designed to do and blocked the execution of the malware and thus prevented the infection.

noorismail wrote:And ShadowDefender passed, just no-one really can say how!

See my previous post in response to ssj100 - whether it is explicitly stated or not, to protect against these types of malware you need some form of execution blocking and/or targeted antimalware at the very least. In RVS we are working to combine the best parts of each component solution to address the specific weaknesses in the others without resorting to a suite approach or the old school Symantec approach to simply bundle solutions under a GUI.

noorismail wrote:I do think Returnil is going toward a suite paradigm.

No, that would be the lazy approach and would have no innovation or even creative thinking behind it. RVS is not a shotgun approach, rather it is extremely targeted with each component part designed to not only cover the weaknesses in the other components but to also work hand-in-hand with the other components. For example, the Virus Guard can rely on the virtualization for seamless removal of malware from the virtual system while the AE blocks activation of malware that could affect the real system regardless of the virtualization. This is just one example of how they can combine to provide real protection without resorting to high overhead running multiple stand-alone programs at the same time.

noorismail wrote:Maybe they perceive some upper limit with what can be done with just light virtualization.

There are limits to any technology or approach and we are up-front about this. As RMUS reported in the Wilders thread, these limitations have been known, discussed, and addressed in various ways since at least 2007 (see some of ErikAlbert's posts from that time). Our earlier 2007 versions included a simple antimalware component as does SD now that required a new build released for every update. In 2008 we strengthened it and also provided simple blacklist updates directly from our servers to address this and allow some flexibility regarding updating the list rather than always needing to release a new build. In 2010 this process was further enhanced by including an antimalware detection engine.

noorismail wrote:Or, maybe they had just rather bolt more stuff on, than refine the base tech.

As posted previously, simply creating a "dog pile" approach would be useless. The real vision is to create a true layered approach in a single solution, not a collection of programs under a GUI (Ex: Symantec circa 2003).

noorismail wrote:ShadowDefender seems to certainly have done more with less, for the moment.

Not true as you are confusing hidden AM/AE functionality with some type of magical change in the virtualization technology itself.


Kind regards
Mike

Coldmoon
Security Professional

Posts : 15
Join date : 2010-07-05

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 5/7/2010, 20:03

ssj100 wrote:Keep in mind that Shadow Defender does not have an antivirus component, nor does it have an anti-execution component. ..

This is what I am trying to tell you - SD does have AM functionality, just that it is done "under-the-hood" rather than being up front about it.

Mike

Coldmoon
Security Professional

Posts : 15
Join date : 2010-07-05

Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 5/7/2010, 20:14

Coldmoon wrote:
Keep in mind that Shadow Defender does not have an antivirus component, nor does it have an anti-execution component. ..

This is what I am trying to tell you - SD does have AM functionality, just that it is done "under-the-hood" rather than being up front about it.

Mike

Thanks for the clarification. Any chance you could go into more detail about what this AM functionality comprises?

This is some interesting stuff for me, mainly because it seems to correlate with my own security setup/approach:
1. Default-deny anti-execution (Returnil's anti-execution component)
2. Containment (Returnil's Light Virtualisation component)
3. Minimise number of third party security programs installed to reduce conflict risk (hence the "suite" concept)
4. Intelligent handling of newly introduced files (well, this is down to human judgement. Fact is, if someone wants to execute a file willy nilly on their REAL system, nothing can stop them particularly if they know all the passwords haha)
5. Regular Image back-ups (this is missing for Returnil, although I've read that you are implementing snapshot/rollback technology in future releases. However, this is simply not the same as byte for byte Image back-ups)
6. Never run with administrator rights by default (this isn't really up to Returnil haha)

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 5/7/2010, 20:42

ssj100 wrote:
Coldmoon wrote:
Keep in mind that Shadow Defender does not have an antivirus component, nor does it have an anti-execution component. ..

This is what I am trying to tell you - SD does have AM functionality, just that it is done "under-the-hood" rather than being up front about it.

Mike

Thanks for the clarification. Any chance you could go into more detail about what this AM functionality comprises?

This is some interesting stuff for me, mainly because it seems to correlate with my own security setup/approach:
1. Default-deny anti-execution (Returnil's anti-execution component)
2. Containment (Returnil's Light Virtualisation component)
3. Minimise number of third party security programs installed to reduce conflict risk (hence the "suite" concept)
4. Intelligent handling of newly introduced files (well, this is down to human judgement. Fact is, if someone wants to execute a file willy nilly on their REAL system, nothing can stop them particularly if they know all the passwords haha)
5. Regular Image back-ups (this is missing for Returnil, although I've read that you are implementing snapshot/rollback technology in future. However, this is simply not the same as byte for byte Image back-ups)
6. Never run with administrator rights by default (this isn't really up to Returnil haha)

1. True

2. True

3. Be careful here as the word "Suite" implies a traditional approach of putting full versions of various programs together under an "over-GUI". The approach we are championing is to look at what parts of these component programs actually enhance or complement the functionality of the other component parts to achieve long-term protection for the user. This is why you do not get a popup asking whether to deny or allow in 2010 and in the Lite 2011 series this just has a flexible mode where a network administrator can temporarily allow something for research, compliance, investigation, or simple troubleshooting while not having to remember if they changed a rule later on. IOW, the rules reset at restart and there is less potential for a wrong answer to result in opening a vulnerability later on.

4. That is addressed by both the AE (block it if you don't know it and don't bother me with confusing popups) and/or through the Virus Guard where a direct warning of detected malware can give the user time to restart the system and avoid getting infected with a roll back.

5. This is the 4th leg of the chair we are working on with our new multi-state restore engine to allow restoration to a specific state through snapshots (yes, multiple) that can also be used for testing programs/policies/configurations changes across restarts of the computer. Further enhancements will allow restoration of system and user generated files from other Returnil snapshots, Windows installation disks, and other images such as factory restore etc.

6. When the user becomes involved and allows something deliberately or runs under the default admin user account, there may be nothing that any software solution can do to protect the user against themselves. We have tried however to put in triggers and alerts through the AE and AM functionality that greatly reduces the long-term impact of these decisions such as not remembering whether something was allowed or denied in the Lite 2011 series and to configure the AE in 2010 to simply trust or don't trust - no need to make a decision about it, it is just blocked or allowed to run as it would normally.

Regarding how the AM/AE functionality in SD works - it is just a simple type of targeted "lab" antimalware engine that will block what it is programmed to block and does this silently.

Mike

Coldmoon
Security Professional

Posts : 15
Join date : 2010-07-05

Re: Shadow Defender bypassed by TDL rootkits???

Post by Ruhe on 5/7/2010, 22:09

Hopefully all users of the affected software (here) send dozens of mails to the vendors to enforce fixing this asap.
Ruhe
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 5/7/2010, 22:25

Ruhe wrote:Hopefully all users of the affected software (here) send dozens of mails to the vendors to enforce fixing this asap.

If you discover anything that bypasses or compromises any protection feature in RVS we want to know about it ASAP so don't be shy. We can't fix it unless we know about it and that is also true for any other vendor's product you may use. For us, we value all feedback; especially negative feedback as it allows us to properly focus on what needs improving.

Our only goal is long-term protection for the user and their PC. To that end, please send your reports to support (dash) tech (at) returnil (dot) com so we can get them into our tracking system that much faster. Having to track down posts in various forums only delays that process; and time is of the essence here...

Thanks in advance for your reports
Mike

Edit: spelling

Coldmoon
Security Professional

Posts : 15
Join date : 2010-07-05

Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 5/7/2010, 22:34

Thank you Coldmoon for your thorough answer, and patience with me.

While a passionate advocate of light virtualization, I am far from knowledgeable.

If I could, I would like to ask you a question.

In the 2008 version the AE module, once enabled, worked in and out of protected mode.

It is my understanding the AV portion of 2010 works only in protected mode.

I realize Returnil has never told users to abandon real time anti-virus, and most users probably also have a full time AV along with Returnil.

But in my case, the one time I would have a need for real time AV would be when I am OUT of protected mode in a light-virtualization program!!

Is there any plan to extend the AV protection across mode changes?
Or an option to do so?

That was what I expected when I awaited 2010, and was somewhat disappointed.

I echo the welcome to the forum!!

noor

PS# What exactly is the "labs" version of Returnil?
And is there a way to test it? I miss my 2008!!


Last edited by noorismail on 5/7/2010, 22:41; edited 1 time in total
noorismail
Moderator

Posts : 193
Join date : 2010-06-23

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 5/7/2010, 22:39

Hi noor,
The Virus Guard in 2010 (and newer) and the System Guard in Lite 2011 (was Labs) both work without the virtualization being active.

Mike

Coldmoon
Security Professional

Posts : 15
Join date : 2010-07-05

Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 5/7/2010, 22:43

Ah!! That DOES sound Good!!
Please note my edit/question about Lite 2011, the former Labs.
noorismail
Moderator

Posts : 193
Join date : 2010-06-23

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 5/7/2010, 23:01

noorismail wrote:Ah!! That DOES sound Good!!
Please note my edit/question about Lite 2011, the former Labs.

RVS Lite 2011 is the next generation of the 2008/Labs series with a focus on Public Access, Cafe, and network customers' requirements. It is scalable however for simple Home to complex Enterprise environments with a stand-alone management console that is included in the installer, is less than 4 MB in total size, and the console can be "thrown up" anywhere in the network for convenience. To manage the clients simply requires an update for the "server" IP address on the client and you are good to go - this provides flexibility to the IT staff for local troubleshooting and management in situations where the normal server may be inconvenient to access quickly.

In Lite 2011:

1. File Protection is replaced by multi-partition/disk virtualization
2. The File Manager is replaced by selective file and folder exclusion from virtualization. For those familiar with the File Manager in 2010, you will be happy to know that inclusion of a folder exclusion in Lite 2011 includes all the files within that folder
3. Non-system disks and partitions that are virtualized support the creation and maintenance of the cache for that drive on a different non-system disk. Use case: I have a SSD data or backup drive where I want to minimize disk writes to preserve the life of the SSD. I simply virtualize the SSD disk and then place the cache on a sacrificial platter drive. This is not yet available for the System partition, but is a goal for complete SSD support in the future.
4. As described above: stand alone and included remote management console that includes ability to set client configurations, activate/deactivate client features, remote shell access on the client, desktop view (see what is happening on the client without interacting with it), server/client chat for faster IT support (simply send a message to the client and open a chat between the two), power cycling of the clients, and other information useful to the network administrator (administrate clients in a work situation or monitor children in a home environment without being too intrusive).

Mike

Coldmoon
Security Professional

Posts : 15
Join date : 2010-07-05

Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 5/7/2010, 23:10

Thank you Coldmoon.
Sounds like a configurable alternative to what many, myself included, considered too much of a good thing!!

regards
noor

_________________
ShadowDefender 1.1.0.323, Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender, Malwarebytes on demand.
noorismail
Moderator

Posts : 193
Join date : 2010-06-23

Re: Shadow Defender bypassed by TDL rootkits???

Post by Ruhe on 6/7/2010, 00:54

Hi Mike, don't get me wrong. I appreciate your presence, that you talk here and there (Wilders), share info and that you're open for discussions. What you do is a manner of support too.
Ruhe
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany

Re: Shadow Defender bypassed by TDL rootkits???

Post by Rico on 6/7/2010, 01:57

How does SD's covert AE/AM stop malware created in the future, after this product version's release?
Am I missing sthg here??

Rico
Advanced Member

Posts : 118
Join date : 2010-06-18

Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 6/7/2010, 03:44

Coldmoon wrote:3. Be careful here as the word "Suite" implies a traditional approach of putting full versions of various programs together under an "over-GUI". The approach we are championing is to look at what parts of these component programs actually enhance or complement the functionality of the other component parts to achieve long-term protection for the user. This is why you do not get a popup asking whether to deny or allow in 2010 and in the Lite 2011 series this just has a flexible mode where a network administrator can temporarily allow something for research, compliance, investigation, or simple troubleshooting while not having to remember if they changed a rule later on. IOW, the rules reset at restart and there is less potential for a wrong answer to result in opening a vulnerability later on.

4. That is addressed by both the AE (block it if you don't know it and don't bother me with confusing popups) and/or through the Virus Guard where a direct warning of detected malware can give the user time to restart the system and avoid getting infected with a roll back.

5. This is the 4th leg of the chair we are working on with our new multi-state restore engine to allow restoration to a specific state through snapshots (yes, multiple) that can also be used for testing programs/policies/configurations changes across restarts of the computer. Further enhancements will allow restoration of system and user generated files from other Returnil snapshots, Windows installation disks, and other images such as factory restore etc.

6. When the user becomes involved and allows something deliberately or runs under the default admin user account, there may be nothing that any software solution can do to protect the user against themselves. We have tried however to put in triggers and alerts through the AE and AM functionality that greatly reduces the long-term impact of these decisions such as not remembering whether something was allowed or denied in the Lite 2011 series and to configure the AE in 2010 to simply trust or don't trust - no need to make a decision about it, it is just blocked or allowed to run as it would normally.

Regarding how the AM/AE functionality in SD works - it is just a simple type of targeted "lab" antimalware engine that will block what it is programmed to block and does this silently.

Mike

Thanks for the reply Coldmoon.

3. Yes I do understand what you're getting at - hence why I wrote "suite" in punctuation marks. Again, the similarity to my setup/approach is rather (I suppose) pleasing to me. I'm a big fan of default-deny. However, I have some further concerns/ramblings about your approach/philosophy below.

4. That wasn't really my point though. The point is that if a user wants to execute something on their REAL system, nothing can stop them (if they know the passwords etc). They can easily disable the Returnil system and execute the file. The same goes with LUA/SUA + SRP/AppLocker - if you know the admin password, you can execute anything with admin rights. Furthermore, the fact is that many users out there who do not have intelligent handling of newly introduced files (a good security approach) simply will ignore any security on one's system and endeavour to disable it etc. I guess what I'm saying is that there is simply no substitute for intelligent handling of newly introduced files and/or a good security approach/computer common sense/experience.

5. This sounds interesting, but as I said, it sounds more like what Rollback Rx/EAZ-FIX, Comodo Time Machine or FD-ISR are trying to do, rather than what Drive SnapShot or Macrium Reflect do. Am I right?

6. That is exactly what I'm saying. The weakness of default-deny is that if the user knows the administrator password (or equivalent), and has a poor security approach, no amount of software (the security setup) will stop them from getting infected. Take this example:
1. User with poor security approach downloads a dodgy executable file from a dodgy source.
2. Returnil 10000 is enabled on the system which employs clever technology to default-deny etc.
3. User tries to execute the file. Nothing happens (or the executable doesn't seem to install) and he gets frustrated.
4. User disables the Returnil system (as he knows the password)
5. User executes the dodgy file and gets owned.

Again, the point is that (and I'm not saying you don't agree...I just feel it's important to repeat it because it's extremely important in my opinion) the security approach (eg. handling of newly introduced files) is arguably the most important aspect of computer security. My own approach is to generally handle dodgy files in a (sandboxed) full blown VM (particularly those that are executables) or to open them via a sandboxed explorer.exe.

I mentioned in another post on these forums that I think the poor handling of newly introduced files is perhaps the second most common way of getting infected (after web-browser-based attacks). Examples include downloading an infected e-mail attachment on to your REAL system and running it on your REAL system. This is why I feel it's so important to (also) promote and spread the habit of a good security approach to the average user out there. The fact is that having a good security approach is free for life haha. It also makes the user think intelligently when handling newly introduced files.

I think for every person (on other forums) that says: Install this program or install that program and you're 99% covered, we should also have another person who describes the importance of a good security approach and/or intelligent handling of newly introduced files. Again, there is simply no substitute for good manual handling.

Anyway, sorry for straying a little bit off topic, but I feel you have raised some very important issues.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 6/7/2010, 03:54

Rico wrote: how does SD's covert AE/AM stop malware created in the future, after this product version's release?
Am I missing something here??

This is also what I'm confused about, but it appears Coldmoon has his hands tied behind his back (sorry for putting words in your mouth mate). If Shadow Defender has AE/AM, Tony must be one heck of a programmer - the Shadow Defender installation file is only 1Mb in size! How does he manage to fit signature-based and/or heuristic-based black-listing and/or an anti-executable mechanism in that?

I guess it's possible though - Sandboxie is not much bigger than 500kb and it's got an "anti-executable", "firewall" and "resource access protection" component in it, as well as its main purpose - "containment".

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 6/7/2010, 17:01

ssj100 wrote:
Rico wrote: how does SD's covert AE/AM stop malware created in the future, after this product version's release?
Am I missing something here??

This is also what I'm confused about, but it appears Coldmoon has his hands tied behind his back (sorry for putting words in your mouth mate). If Shadow Defender has AE/AM, Tony must be one heck of a programmer - the Shadow Defender installation file is only 1Mb in size! How does he manage to fit signature-based and/or heuristic-based black-listing and/or an anti-executable mechanism in that?

I guess it's possible though - Sandboxie is not much bigger than 500kb and it's got an "anti-executable", "firewall" and "resource access protection" component in it, as well as its main purpose - "containment".

The size of a program may or may not have any real relevance to its effectiveness, depending on the application. A simple detection and removal engine can be very small and the same can be true for its database if they are targeted to address very specific content. In the older 2007 and 2008 series, the RVS installer was ~2 MB with the current Lite 2011 being less than 4 MB with the inclusion of a remote management console.

Mike


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 6/7/2010, 17:06

Yes, but I guess I was just exclaiming that it's surprising that Shadow Defender would have AM/AE capabilities built into it since its installation file is only 1Mb. I'm not sure how much you can code into 1Mb, but I'm guessing you can't code much into 1Kb. Anyway, enough of that haha.

By the way, why is the current Returnil release installation file I have over 35Mb?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)