Discuss full session virtualization with me


Discuss full session virtualization with me

Post by Stephen2 on 18/10/2010, 16:16

Hi all,

Leading on from this topic I asked about:
http://ssj100.fullsubject.com/shadow-defender-f3/file-exclusions-in-shadow-defender-t274.htm

I'm after software that is like Returnil/Shadow Defender in always-on mode, where I can exclude certain files & registry keys (namely NoScript settings/SuRun settings/Outpost firewall settings) etc...

Reading something over at the Sandboxie forum about full session virtualization (which I now can't find - typical...) about Sandboxie trying out this feature "ForceUser=" or "ForceLogin=" or similar..., this is exactly what I'm after, and if Sandboxie can bring it to the table all the better, as it's the virtualization software I feel is most secure against different threat types.

Plus, Sandboxie allows the exclusion of files, and registry keys, as well as deny access, start/run restrictions, all the good stuff already:

Some interesting options:
  1. Shadow Defender - doesn't allow registry keys to be excluded and no longer maintained by the looks

  2. Returnil Lite - looking quite good, but doesn't allow registry keys to be excluded, and I'm not sure of the security levels

  3. Found this recently, but it apparently only runs in XP 32bit... Will check out in a VM and report back at some stage:
    http://icoresoftware.com/



Are there any products out there that I've missed that would give me what I'm after?


Re: Discuss full session virtualization with me

Post by ssj100 on 18/10/2010, 23:21

Yes, I do recall tzuk experimenting with some sort of full session virtualisation in a Beta (I think it was around the 3.45 Beta series). I never got the chance to test it out, but it sounded like an interesting idea. There was even an implication that it would make 64-bit Sandboxie more "bullet-proof", given the PatchGuard caveat.

Regardless, I think I understand why you are wanting this sort of protection, but perhaps you should ask yourself exactly why. Instead of virtualising everything and making exceptions (e.g. needing to exclude registry keys), why not virtualise the malware threat-gates themselves? The disadvantage of doing this is that it will take more time to reach a final configuration. However, keeping in mind that a malware attack can only come through a malware threat-gate, if you virtualise all the threat-gates, then you should have just as much protection as if you virtualised everything on the system. That's one of the concepts I've been applying for the last year or so, and I've been very happy with it.

What do you think?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Discuss full session virtualization with me

Post by noorismail on 19/10/2010, 02:02

I have all of internet facing applications forced into a restrictive sandbox.

There is one thing that I wonder about.

I remember when I was using Kerio 2.1.5, and was training it by opening all of my applications out of ShadowMode, I had to open a Windows search box to cause explorer.exe to throw up an outbound connection alert so I could block it from calling out.

I never really understood why it would need to call out, or where.

Of course I have an ssj100-style sandboxed shortcut for explorer.exe, to open and on-demand scan new files in, but can't force-sandbox explorer.exe.

noor

PS@ Stephen2:

Was Returnil Lite stable when you used it?
Did you use its anti-executable module?
I miss Returnil 2008.

_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

Re: Discuss full session virtualization with me

Post by Stephen2 on 19/10/2010, 05:34

ssj100 wrote:...it would make 64-bit Sandboxie more "bullet-proof", given the PatchGuard caveat.
He kind of nay-sayed that but it would aid with the EndTask API problem 64 bit protection has, because ALL tasks would be sandboxed, so it wouldn't matter that 1 task could end another.

ssj100 wrote:Regardless, I think I understand why you are wanting this sort of protection, but perhaps you should ask yourself exactly why.
Heh, the eternal question... I actually don't need any of this security setup as I ran for a year with just a NAT Firewall and firefox with no problems...

HOWEVER, I've been bitten by the security "bug" again and want to play around with the latest options.

My setup in previous years was:
LUA (WinXP) + SRP + SuDown (like SuRun but not as good)
SandboxIE w/ forced programs etc...
Outpost Firewall Pro 4
ProSecurity (Classical HIPS)

It's right now:
SUA (Win7) + AppLocker + SuRun
SandboxIE w/ forced programs etc...
Outpost Firewall Pro 7 w/ HIPS enabled

And am trying to find a full session virtualization option to... just because it's fun. Let's face it, I'm not getting infected... The irony I find with Wilders etc... is that the people who use all this security software are the ones who don't need it due to being aware/safe.

ssj100 wrote:Instead of virtualising everything and making exceptions (eg. needing to exclude registry keys), why not virtualise the malware threat-gates themselves? The disadvantage of doing this is that it will take more time to reach a final configuration. However, keeping in mind that a malware attack can only come through a malware threat-gate, if you virtualise all the threat-gates, then you should have just as much protection as if you virtualised everything on the system.
Well I'd say I've already got this covered with SandboxIE forced programs, SUA etc...

The only (and major risk area) remaining threat is from downloaded keygens/apps. These are tested in a VMWare Win XP session, with Malware Defender running so I can analyze what the programs are doing.

The idea of full session virtualization is intriguing though - I'd like the following options:

1) Always "On", but instant On/Off without a reboot. Maybe switching from On to Off kills all the virtual files

2) Direct access to files, folders & registry keys

3) Top notch defense against malware techniques!


I'm sure more ideas will come to me - basically SandboxIE covers them all... Seems to me that this is my best hope.

Re: Discuss full session virtualization with me

Post by Stephen2 on 19/10/2010, 06:39

noorismail wrote:Was Returnil Lite stable when you used it?
Did you use its anti-executable module?
I miss Returnil 2008.

It's quite stable, yes.

No, System Guard is off, because of one annoyance I found already:

I use Process Explorer 64-bit from SysInternals as a Task Manager. The way this operates is you run "procexp.exe", which then creates a driver "procmon20.sys" and "procexp64.exe" dynamically and runs these.
Returnil wouldn't allow the newly created executables to load because they "weren't on the live system".

It sounds like a good idea in theory, maybe I should try and find a better way around this and turn System Guard back on.


I've not used Returnil until now, but hated Returnil System Safe 2011 - am liking Returnil Lite 2011...


Re: Discuss full session virtualization with me

Post by ssj100 on 19/10/2010, 09:47

Stephen2, you have a security setup/approach very similar to mine! Nice to see haha.

For me, ever since discovering LUA + SRP, I'm yet to get bitten by the security "bug" (again). In fact, my real-time setup has gradually become slimmer and slimmer over the months, and in general, I haven't changed my setup for over a year.

Looking at your setup, you seem to be keen on having a third party software firewall as well as some sort of third party HIPS. This I don't quite understand, given you are using Sandboxie + SUA + AppLocker.

Another query I have is why you have chosen Windows 7 "Ultimate" over the "Professional" version. Is AppLocker really worth it given Microsoft will discontinue support for the Ultimate version by January 2015 (not long after discontinuing support for Windows XP, SP3)? Read here for more details:
http://ssj100.fullsubject.com/windows-hardening-f5/microsoft-support-lifecycle-for-windows-t262.htm#2084

I guess you could argue that once Microsoft discontinue support, you could switch to Windows 7 Professional, or perhaps "Windows 8". For me personally, SRP and AppLocker are equally easy to enforce from a configuration point of view. I guess for me, the only advantage of AppLocker over SRP is that AppLocker checks process execution at the kernel level, and thus would be resistant to even targeted attempted bypasses as described by Didier Stevens:
http://blog.didierstevens.com/2008/06/25/bpmtk-bypassing-srp-with-dll-restrictions/
http://hype-free.blogspot.com/2008/10/limitations-of-software-restriction.html

In private exchanges between Didier and myself, he admitted that to bypass SUA + AppLocker, one would require a privilege escalation exploit, since the limited/standard user does not have access to the kernel. Of course, such exploits are readily available from month to month from a theoretical point of view:
http://ssj100.fullsubject.com/windows-hardening-f5/mis-understandings-about-software-restriction-policies-srp-t22-60.htm#1636

This is why Microsoft issue out patches every month - they often need to patch privilege escalation exploits (as well as arbitrary/remote code execution exploits). Because of this, at the end of the day, I feel that SRP and AppLocker provide equally effective in-the-wild protection. It becomes even more equal when implementing Sandboxie appropriately.

With regards to full session virtualisation, I'm fairly sure tzuk will re-visit this in the near future. He is a programmer in a class of his own, so I'm sure we will be in for some really great stuff.


Re: Discuss full session virtualization with me

Post by noorismail on 19/10/2010, 22:38

Stephen2 wrote:
noorismail wrote:Was Returnil Lite stable when you used it?
Did you use its anti-executable module?
I miss Returnil 2008.

It's quite stable, yes.

No, System Guard is off, because of one annoyance I found already:

I use Process Explorer 64-bit from SysInternals as a Task Manager. The way this operates is you run "procexp.exe", which then creates a driver "procmon20.sys" and "procexp64.exe" dynamically and runs these.
Returnil wouldn't allow the newly created executables to load because they "weren't on the live system".

It sounds like a good idea in theory, maybe I should try and find a better way around this and turn System Guard back on.


I've not used Returnil until now, but hated Returnil System Safe 2011 - am liking Returnil Lite 2011...


I see, thanks Stephen2.
I also was not really happy with the Returnil versions I tried after version 2008.
However Lite 2011 sounds very nice.


Re: Discuss full session virtualization with me

Post by eskro on 20/10/2010, 00:30

Again guys, CLEAN SLATE 6.5 is a good choice, but not for now...

I'm still working with tech support regarding some issues I encountered.

If you guys could test the new, apparently fixed version of Clean Slate

against some malware in your VMs,

I could then report to them our findings...

Read my last post here --> http://fwd4.me/iCM


Re: Discuss full session virtualization with me

Post by Rico on 20/10/2010, 07:16


Hi again guys, I have a question for the knowledgeable coders here; does the full session sandboxing feature mean that the potential problem of a sandboxed process accessing a windows service has been solved? (on x64 that is)


eskro wrote:Again guys, CLEAN SLATE 6.5 is a good choice, but not for now...

I'm still working with tech support regarding some issues I encountered.

If you guys could test the new, apparently fixed version of Clean Slate

against some malware in your VMs,

I could then report to them our findings...

Read my last post here --> http://fwd4.me/iCM

I see how enthusiastic you were about cleanslate. I was too, until I read about it being bypassed by some pretty potent malware. What is it about this product that appeals to you in place of the formidable shadowdefender?


Re: Discuss full session virtualization with me

Post by noorismail on 20/10/2010, 09:02

Hi Rico!!

I know your question was addressed to eskro, but I can't help chiming in.

The thing that appeals to me about CleanSlate, Returnil 2011 Lite, and comrades, is nothing more than active development.

I am fairly knowledgeable about the "ins" and "outs" of ShadowDefender,
but if I do run into a problem, at the moment, I am pretty much out on a limb.

Not the best feeling.

noor


Re: Discuss full session virtualization with me

Post by eskro on 20/10/2010, 09:21

enthusiastic about cleanslate because

#1 CLEANSLATE can Let you decide
what you want to exclude from its protection!
You can exclude Files, Folders,
Entire Drives or even a single Registry Key!!!

#2 CLEANSLATE only needs a LOGON/LOGOFF
to wash away unwanted changes made to your system!!!

#3 CLEANSLATE's total RAM usage is 17MB!!!

#4 CLEANSLATE can turn OFF & ON its protection
without the need of a REBOOT or LOGON/LOGOFF!!!
very useful when you need to change a setting in an application
or save files to a usually protected folder!!!

#5 CLEANSLATE can prohibit any desired file/application from being executed!!!

#6 CLEANSLATE Accommodates AntiVirus Updates Without requiring any effort!!!

#7 CLEANSLATE Accommodates Windows Critical Updates Without requiring any effort!!!


Re: Discuss full session virtualization with me

Post by ssj100 on 20/10/2010, 09:26

Clean Slate certainly sounds promising and when I tested it a few months ago, I quite liked its configurability - I completely forgot that you can exclude registry keys, which is what Stephen2 wants. By the way, how much exactly does it cost? And are there annual fees?


Re: Discuss full session virtualization with me

Post by noorismail on 20/10/2010, 09:40

I have to agree, #4 is pretty much the "Holy Grail" of light virtualization.

Number #3 is nice, #5 also.

You have my attention.

On #2 you said: "CLEANSLATE only needs a LOGON/LOGOFF
to wash away unwanted changes made to your system!!!"

Do you have to log on and off, as opposed to just restarting?

regards,
noor


Re: Discuss full session virtualization with me

Post by eskro on 20/10/2010, 09:43

Logging OFF or rebooting
will wash away any changes made while protection was turned ON

Re: Discuss full session virtualization with me

Post by noorismail on 20/10/2010, 09:49

That sounds very good, to me.
Please keep us apprised of your progress with their
tech support for your issues.

regards,
noor


Re: Discuss full session virtualization with me

Post by eskro on 20/10/2010, 09:50

Yep, of course I will!!

I'm looking for a replacement for Shadow Defender and

Clean Slate seems a winner!

But not until they fix the PBR issue I'm discussing with ssj100.

Will inform you shortly.

Re: Discuss full session virtualization with me

Post by noorismail on 20/10/2010, 09:53

Thanks, friend.


Re: Discuss full session virtualization with me

Post by eskro on 20/10/2010, 10:00

Some viruses (but not all) can infect a computer's MBR or the PBR.
They read the MBR and replace it with themselves
and then put a copy of original MBR data elsewhere on the hard drive.
Some do that to the PBR instead.

Re: Discuss full session virtualization with me

Post by ssj100 on 20/10/2010, 10:05

Confirming here that Clean Slate allows the PBR to be modified. From memory, Shadow Defender prevented this.


Re: Discuss full session virtualization with me

Post by eskro on 20/10/2010, 10:06

Yes, Shadow Defender prevented pretty much every bad thing that exists...

Too bad it's a dead app now...

Hope to see CLEAN SLATE fixing the PBR issue soon, that's all there is to do!

after that, it'll be amazing!

Re: Discuss full session virtualization with me

Post by noorismail on 20/10/2010, 10:17

What about MBRGuard by BlueRidge with the current CleanSlate?

I use it at the moment with Sandboxie and ShadowDefender with no problems.
(never know it is there)

Would something that protects the MBR also inherently hook the kernel?

I have been taught to be wary of too many applications on the same system that do that.

regards,
noor


Re: Discuss full session virtualization with me

Post by ssj100 on 20/10/2010, 10:21

noor, since you use Sandboxie like me, there shouldn't be any concern about MBR/PBR modification.

I'm not sure if MBRGuard from BlueRidge protects the PBR from being modified too? To be honest, I'm having a hard time understanding exactly the difference between the MBR and the PBR:
http://en.wikipedia.org/wiki/Partition_Boot_Record

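eskro's description of MBR/PBR-infecting malware and ssj100's question about the difference between the two, illustrated as an added example (not code from Clean Slate, Shadow Defender or MBRGuard; the disk image is a constructed sample): the MBR is sector 0 and its partition table points at each partition's first sector, which is that partition's PBR, so hashing both gives a baseline that a later read of the same sectors can be compared against.

```python
"""Locate and fingerprint a disk's boot records (added example; constructed data).

Sector 0 is the MBR: 446 bytes of boot code, a 64-byte partition table, 0x55AA.
Each partition's first sector is its PBR. A baseline of hashes lets a later
read show whether either record was replaced."""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
PART_TABLE_OFFSET = 446                       # boot code precedes the table
PART_ENTRY = struct.Struct("<B3xB3xII")       # status, CHS, type, CHS, LBA, count


def parse_mbr(sector0):
    """Return [(type, lba_start, sector_count)] for the used primary entries."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY.size
        _status, ptype, lba_start, count = PART_ENTRY.unpack_from(sector0, off)
        if ptype != 0 and count != 0:         # type 0 marks an empty slot
            parts.append((ptype, lba_start, count))
    return parts


def boot_record_hashes(disk):
    """SHA-256 of the MBR and of each partition's PBR, keyed by name."""
    mbr = disk[:SECTOR]
    hashes = {"mbr": hashlib.sha256(mbr).hexdigest()}
    for _ptype, lba, _count in parse_mbr(mbr):
        pbr = disk[lba * SECTOR:(lba + 1) * SECTOR]
        hashes[f"pbr@lba{lba}"] = hashlib.sha256(pbr).hexdigest()
    return hashes


def changed_records(baseline, current):
    """Names of boot records whose hash differs from the baseline."""
    names = set(baseline) | set(current)
    return sorted(n for n in names if baseline.get(n) != current.get(n))


def build_disk(partitions, total_sectors=64):
    """Constructed sample disk: an MBR describing `partitions` as
    (type, lba_start, count); each partition opens with a PBR that, like a
    real NTFS/FAT boot sector, also ends in 0x55AA."""
    disk = bytearray(total_sectors * SECTOR)
    disk[0:4] = b"\xEB\x3C\x90\x00"           # stand-in boot code
    oem_stub = b"\xEB\x52\x90NTFS    "         # NTFS-style jump + OEM ID
    for i, (ptype, lba, count) in enumerate(partitions):
        PART_ENTRY.pack_into(disk, PART_TABLE_OFFSET + i * PART_ENTRY.size,
                             0x80 if i == 0 else 0x00, ptype, lba, count)
        pbr = lba * SECTOR
        disk[pbr:pbr + len(oem_stub)] = oem_stub
        disk[pbr + 510:pbr + 512] = BOOT_SIGNATURE
    disk[510:512] = BOOT_SIGNATURE
    return bytes(disk)


if __name__ == "__main__":
    image = build_disk([(0x07, 8, 24), (0x07, 32, 32)])
    baseline = boot_record_hashes(image)
    tampered = bytearray(image)
    tampered[32 * SECTOR + 100] ^= 0xFF       # alter a byte in the second PBR
    print("changed:", changed_records(baseline, boot_record_hashes(bytes(tampered))))
```

On a real system the same comparison would be run over sector 0 and each partition's first sector read from the raw device, which is exactly the write that a product like MBRGuard is there to block.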

Re: Discuss full session virtualization with me

Post by eskro on 20/10/2010, 10:22

There's AppGuard too,

although I've never used it.

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/Blue-Ridge-AppGuard.shtml

Re: Discuss full session virtualization with me

Post by noorismail on 20/10/2010, 10:28

I think this is a different application.
this is the one I use.

http://www.blueridgenetworks.com/support/mbguard/mbguard.php


regards,
noor

Ok, please forgive me, I see you were pointing out another application by the same firm.
time for me to go to bed.


Re: Discuss full session virtualization with me

Post by ssj100 on 20/10/2010, 10:31

AppGuard is more or less an anti-executable. MBRGuard specifically protects the MBR from being modified.

The latest stable release of AppGuard has been bypassed a few times in my testings. The latest Beta release has some promise, and I'll wait until the final version before running some tests with it.

