[CTM 2.8 tested] Light virtualization software / Partial sandbox test

(I’ll keep modifying this thread to keep you informed)
Test index

    1. Light virtualization software test
    2. Partial sandbox software test
    3. Verdict
    4. Vendors’ response
    5. Appendix

1. Light virtualization software test
Test environment: Microsoft Virtual PC 2007, Windows XP SP3, no critical updates.
A picture version of the test results can be found here.

Name                             Version          SafeSys  TDSS-1  TDSS-2  SysAnti(!)
-------------------------------  ---------------  -------  ------  ------  ----------
Comodo Time Machine 2.8          2.8.155286.178   FAIL     FAIL    -       FAIL
Comodo Time Machine 2.7 beta     2.7.150952.175   FAIL     FAIL    -       -
Comodo Time Machine 2.6          2.6.138262.166   FAIL     FAIL    -       -
Shadow Defender                  1.1.0.325        PASS     PASS    PASS    PASS
Shadow Defender                  1.1.0.326        PASS     PASS*   PASS*   -
Windows SteadyState 2.5          5.1.2600.4364    FAIL     FAIL    -       -
Wondershare Time Freeze 2.0      2.0.674          FAIL     FAIL    -       -
Wondershare Time Freeze 1.0      1.0.587          FAIL     FAIL    -       -
Returnil Virtual System 2010**   3.1.8774.5254    FAIL     FAIL    -       -
Rollback Rx Professional         9.1.0.0          FAIL     FAIL    -       -
EAZ-FIX                          9.1.0.0          FAIL     FAIL    -       -
HD Guard 8.0                     8.0.0.6          FAIL     FAIL    -       -
HD Guard 8.1 beta                8.1.0.1          FAIL     FAIL    -       -
Deep Freeze                      7.0.20.3172      FAIL     FAIL    -       -
PowerShadow                      2.2.2.21         FAIL     FAIL    -       -
FarStone Snapshot™ 7***          7.03.1           FAIL     PASS    PASS    FAIL
ComBack IR Pro                   5.0              FAIL     FAIL    -       -
HDD Sheriff****                  5.73.0.0         -        -       -       -

(!): Ahnlab-V3’s SysAnti signature is “Hupigon”, which means ‘phew… I’m so tired’ ;D ;D

    * : Checked on my production machine. Several samples were tested, but 1.1.0.325 successfully protected my system.
    Nonetheless you might want to see the result described here.
    ** : Returnil provides an additional AV layer. When I tested it with the AV enabled, most of my samples were stopped by the AV, but my TDSS-1 sample evaded detection and the system was still contaminated.
    *** : I’m figuring out why this result was produced. See here.
    **** : It’s a hardware solution; however, the driver version is shown above.
    Since I don’t have the PCI chip now, it takes time. Please be patient.

2. Partial sandbox software test
Test environment:

Name              Version         SafeSys  TDSS-1  TDSS-2
----------------  --------------  -------  ------  ------
Comodo Sandbox*   4.1.150349.920  -        -       -
Sandboxie 3.46    3.46            -        -       -
Avast! Sandbox    -               -        -       -
BufferZone free   -               -        -       -
GesWall           -               -        -       -
AppGuard          -               -        -       -
Sandbox RX        -               -        -       -
DefenseWall       -               -        -       -

(* : Defense+ is set to off )

3. Verdict
The result is frustrating. It doesn’t make your system bullet-proof.
But Shadow Defender shows good results.
And FarStone Snapshot™ 7 protected against some of that malware. It’s strange though.
I think we would rather use a disk imaging utility for security’s sake :frowning:

4. Vendors’ response
From COMODO (Time Machine):

From Faronics (Deep Freeze):

Faronics is aware of the report that a worm called "W32.SafeSys.Worm" is able to "bypass" Deep Freeze and other competing products. We are continuing to investigate the issue to determine a possible resolution to the vulnerability.

As always, we continue to recommend that customers use an antivirus product in
combination with Deep Freeze. Please refer to the White Papers section of the
Faronics Content Library for information regarding how to use Deep Freeze with
many popular antivirus products.

Regards,

Adam Zilliax
Technical Support
Faronics Technologies Inc.


My response:

http://dl.dropbox.com/u/8120060/COMODO/faronics-1.gif

You’re lying, see here and here.
And it’s not a “bypass”, but a bypass, definitely. Please don’t try to deceive with such a transparent guile :-\

From Wondershare (Time Freeze):

Thank you for the kind feedback. This is Sara from the Wondershare Support Team. Nice to contact you.

Wondershare Time Freeze is system restore software, not anti-virus software, so it cannot replace anti-virus software. We advise you to use Wondershare Time Freeze together with anti-virus software; it will be better for protecting your computer.

As far as we know, most similar products could not defend against all the rootkits. We are aware of this problem, and we are working hard to improve our program in a future version.

Thank you again.

If you have any further question or suggestion, please contact us freely.

Best regards

Sara
Support Team
Wondershare Software


My response: it’s okay, it certainly has a function that prevents a system from unwanted changes. But if you are not going to fix this issue, then you shouldn’t advertise your product like this.

http://dl.dropbox.com/u/8120060/COMODO/wondershare.png

PS. Microsoft advertises Windows SteadyState as shared computer protection, not as ‘virus-free’.

From Horizon Datasys (Rollback Rx, EAZ-FIX):

We are aware of this virus. It’s a virus programmed by a former developer of Rollback-type instant recovery software. We don’t believe he/she is a former developer of Rollback Rx, but he has to be someone who has inside knowledge of how instant recovery disk filter drivers work.

This type of virus is very popular in the Chinese market, in Internet cafes. Our software for the Chinese market has a patch for dealing with this type of virus, but we have not implemented the patch in our general release outside of China.
Because the patch is not a one-fix-fits-all type of solution, today’s patch is only good for yesterday’s version of the virus, which changes very frequently. We didn’t want our Rollback users in North American markets to update Rollback every week because there is a new patch for the virus, as the virus is rare outside of the Chinese market.

The virus is actually quite simple. It writes to the hard disk directly, bypassing the Rollback device drivers (or any other disk filter drivers). And because it writes to the hard disk directly, what it does to the hard disk is outside of the Rollback snapshots’ jurisdiction. It’s really a suicidal virus; it just “shoots without asking any questions”. A logical software solution cannot deal with this type of problem. But it’s pretty easy to stop this virus: you just need to configure your antivirus software to prevent installing and loading of device drivers without your consent. (The virus does the direct disk write through a device driver.)

Our proposed solution to this problem for customers outside of Chinese market is that we will develop a separate patch, outside of Rollback Rx, that will specifically deal with this type of virus. Basically we patch Windows O.S. to ban any direct write to the hard disk. The patch is still under development and we will provide it to customers as it’s needed. We won’t make it a wide open download because we don’t want to make the impression that we are in the business of patching systems.

From Microsoft(Windows Steadystate):

Thank you for your patience on this. After some investigation this is not something that we consider to be a security vulnerability.

Windows SteadyState 2.5 is intended to assist in providing a consistent environment on shared computers and reducing the potential for unintended alteration to the system. That being said, it definitely does not take the place of having a firewall and other appropriate anti-malware and security products installed.

From the SteadyState 2.5 Technical FAQ:
Q. Do I still need an antivirus program?
A. Yes, we recommend that you use antivirus and spyware prevention programs in addition to the protections provided by Windows SteadyState.

Additionally, SteadyState 2.5 only protects the partition that Windows is installed on, and Windows Disk Protection, which is the part of SteadyState that controls disk alteration, does not load prior to certain files such as the master boot record, which the samples provided appear to do.

Best Regards,
Nate

5. Appendix
You can also see the related articles on Wilders Security and Prevx:
Virtualization/Rollback software test
TDL/TDSS trojan series bypassing isolation software
Deep Freeze 7 bypassed
A puzzle called SafeSys
Kernelmode.info - RootKit TDL3

Any suggestions, sample giveaways (I need a stronger sample) and critiques are welcome ;D
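The Horizon Datasys reply quoted above says the SafeSys sample reaches the disk through its own device driver, and that the practical countermeasure is to stop device drivers from being installed and loaded without consent. An added example of what that looks like on the detection side (my code, not from dax123 or from any of the vendors): Windows logs every new service, kernel drivers included, as Service Control Manager event 7045 in the System log, and the script below parses records in that shape, keeps only kernel-mode driver installs, and ranks them by where the driver image lives. The event records are constructed inline; the service names and paths are invented. On a real machine the records would come from the System event log instead of the embedded list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field lines of the Service Control Manager 7045 message body
# ("A service was installed in the system.").
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):[ \t]*(.*)$",
    re.MULTILINE,
)

# Kernel drivers normally live here; anything else deserves a look.
DRIVER_DIR = "system32\\drivers\\"
# A legitimate installer does not drop a kernel driver in a scratch directory.
SCRATCH_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\")


@dataclass
class DriverAlert:
    service_name: str
    image_path: str
    start_type: str
    severity: str  # "low", "medium" or "high"


def parse_7045(message: str) -> Dict[str, str]:
    """Turn the text body of a 7045 event into a field dictionary."""
    return {name: value.strip() for name, value in FIELD_RE.findall(message)}


def classify_driver_install(fields: Dict[str, str]) -> Optional[DriverAlert]:
    """Flag kernel-mode driver installs and rank them by where the image lives."""
    if fields.get("Service Type", "").lower() != "kernel mode driver":
        return None  # user-mode services are outside the scope of this check
    path = fields.get("Service File Name", "")
    normalised = path.lower()
    if normalised.startswith("\\??\\"):  # NT object-manager prefix used by some installers
        normalised = normalised[4:]
    if any(scratch in normalised for scratch in SCRATCH_DIRS):
        severity = "high"      # kernel driver loaded from a scratch directory
    elif DRIVER_DIR not in normalised:
        severity = "medium"    # kernel driver outside the usual drivers directory
    else:
        severity = "low"       # expected location; still worth a human look
    return DriverAlert(
        service_name=fields.get("Service Name", "?"),
        image_path=path,
        start_type=fields.get("Service Start Type", "?"),
        severity=severity,
    )


def find_driver_installs(events: List[Tuple[int, str]]) -> List[DriverAlert]:
    """Scan (event_id, message) pairs from the System log for driver installs."""
    alerts = []
    for event_id, message in events:
        if event_id != 7045:
            continue
        alert = classify_driver_install(parse_7045(message))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records in the shape of System-log entries; the service
# names and file paths are invented for this example.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (7036, "The Print Spooler service entered the running state."),
    (7045, "A service was installed in the system.\n\n"
           "Service Name:  sys32drv\n"
           "Service File Name:  \\??\\C:\\WINDOWS\\TEMP\\sys32drv.sys\n"
           "Service Type:  kernel mode driver\n"
           "Service Start Type:  auto start\n"
           "Service Account:  "),
    (7045, "A service was installed in the system.\n\n"
           "Service Name:  nv4_mini\n"
           "Service File Name:  System32\\DRIVERS\\nv4_mini.sys\n"
           "Service Type:  kernel mode driver\n"
           "Service Start Type:  demand start\n"
           "Service Account:  "),
    (7045, "A service was installed in the system.\n\n"
           "Service Name:  Backup Agent\n"
           "Service File Name:  C:\\Program Files\\Acme\\bagent.exe\n"
           "Service Type:  user mode service\n"
           "Service Start Type:  auto start\n"
           "Service Account:  LocalSystem"),
]


if __name__ == "__main__":
    for alert in find_driver_installs(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper():6}] {alert.service_name}: "
              f"{alert.image_path} ({alert.start_type})")
```

The location-based severity is a triage aid, not a verdict: a driver dropped in the proper drivers directory is still a new kernel component, which is why every kernel-mode install is reported and only the ranking changes.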
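Microsoft's reply quoted above makes a point that applies to every product in the table: Windows Disk Protection loads too late to cover the master boot record, so changes there fall outside the snapshot. An added example (my code, not Microsoft's or dax123's) of the kind of out-of-band check that covers that gap: record a baseline of sector 0 (a hash of the bootstrap area plus the parsed partition table) while the machine is known clean, then compare later reads against it. The sector used here is constructed inside the script; on a real machine it would be read from the physical disk, preferably from boot media, since a rootkit that hooks disk I/O can return a clean-looking sector to an online read.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
PTABLE_OFFSET = 446           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrBaseline:
    signature_ok: bool
    code_sha256: str          # hash of bytes 0..445 (bootstrap code + disk signature)
    partitions: List[Partition]


def parse_mbr(sector: bytes) -> MbrBaseline:
    """Parse sector 0 into the pieces an integrity check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for index in range(4):
        start = PTABLE_OFFSET + 16 * index
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, type_id, lba, count = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if type_id != 0:  # type 0 marks an unused entry
            partitions.append(Partition(status == 0x80, type_id, lba, count))
    return MbrBaseline(
        signature_ok=sector[510:512] == BOOT_SIGNATURE,
        code_sha256=hashlib.sha256(sector[:PTABLE_OFFSET]).hexdigest(),
        partitions=partitions,
    )


def verify_mbr(sector: bytes, baseline: MbrBaseline) -> List[str]:
    """Compare a fresh read of sector 0 with the baseline; an empty list means no change."""
    current = parse_mbr(sector)
    findings = []
    if not current.signature_ok:
        findings.append("boot signature 0x55AA missing")
    if current.code_sha256 != baseline.code_sha256:
        findings.append("bootstrap code changed: %s... was %s..."
                        % (current.code_sha256[:16], baseline.code_sha256[:16]))
    if current.partitions != baseline.partitions:
        findings.append("partition table changed")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed, known-good sector used as the baseline in this example."""
    code = b"\x90" * 440 + b"\x00" * 6  # placeholder bootstrap code, disk signature, padding
    # one bootable NTFS (type 0x07) partition starting at LBA 63, 10 GiB of 512-byte sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20971520)
    table = entry + b"\x00" * 48         # three unused entries
    sector = code + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def with_modified_boot_code(sector: bytes) -> bytes:
    """Simulate an overwritten bootstrap area so the check can be exercised offline."""
    modified = bytearray(sector)
    modified[0:4] = b"\xeb\x58\x90\x00"  # arbitrary change to the first bytes
    return bytes(modified)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)
    print("baseline partitions:", baseline.partitions)
    print("clean read  :", verify_mbr(clean, baseline) or "no change")
    print("altered read:", verify_mbr(with_modified_boot_code(clean), baseline))
```

The baseline should be stored off the protected machine (the snapshot products in the table would otherwise roll it back along with everything else), and a partition-table change with an unchanged bootstrap hash is worth the same attention as the reverse, since either one is a write the disk filter driver never saw.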


Hey mate, please check your PM.

Keep up the good work! Thanks.

Worried… Seems the snapshot technology is not protected against rootkits at all…
Maybe Doskey has something to tell us… Maybe the teams of CAV and CTM could work together in this…

Hi:

Thanks dax123 for the test, but did you by chance test “DefenseWall” as well, and how about if you test “Returnil” with its antivirus on? I would appreciate it if you could post the results for these for me. Thanks in advance.

Received :wink:

Great work! Looking forward to more info

Hi dax123, thank you very much for your feedback; we will fix this issue in the future.

Regards

Thanks, your work is greatly appreciated.
I can’t wait ;D

What will be fixed? Please, give more technical info when acknowledging a bug or a problem.

  1. The detection of TDSS by CAV?
  2. The bypassing of CTM by TDSS?
  3. A stronger (much safer) driver?

It’s a shame that all these vendors recognize the issue but don’t change the publicity they use to sell products.

You will never be infected. Indestructible PC. Safe from all types of viruses. 100% security.

Lies!

They must change the publicity to reflect the reality.

Tech: It’s not a good signal that over 24 hours after your message you still didn’t get a reply to your questions.

The speed differs from forum to forum.
There are a lot of volunteer moderators (not Comodo staff).
There are a lot of products being developed at the same time.
The development speed is below the beta testers expectations.
I’m waiting for Comodo team input in a lot of threads (CTM, CPM, COB, CCS…).

yeah. hope they fix this issue in later release ;D

Thanks for your test dax123.

I’m shocked by these results! This means bye bye to Comodo Time Machine for me.

Bad conclusion in my opinion.
Software must be developed. No software is perfect.
For what will you change CTM? Shadow Defender? Which features will you lose? Is it perfect against all infections?

You must drop CTM immediately if you think you could have only it.
We’re talking about layered defense.

I’m going to use Paragon Backup & Recovery Free Edition.

Well… I use partition backup, but this is not the same as a system restore (snapshot) tool.
Also, it does not protect against virus if you have an infected backup.

Hi guys.
Thanks for your good work.
Please relax. This is not a big deal. We can detect/defend against such rootkits simply.
We will add the feature for CTM on next version.

Thanks,
Doskey.

Thanks!! ;D Nobody responded like this ;D

Thanks Doskey. As this is a problem with all snapshot/virtualization software, if you correct it, it won’t be bad for the image of the Comodo development team. We’ll be proud of you.
Hope dax123 tests the new beta version.

I hope the fix is generic and not just a “hardcoded” solution specifically targeted to SafeSys and TDSS.