Topic: [CTM 2.8 tested] Light virtualization software / Partial sandbox test

dax123 wrote:
(I'll keep modifying this thread to inform)
Test index
  • 1. Light virtualization software test
  • 2. Partial sandbox software test
  • 3. Verdict
  • 4. Vendors' response
  • 5. Appendix

1. Light virtualization software test
Test environment: Microsoft Virtual PC 2007, Windows XP SP3, no critical updates.
Picture version of test results can be found here
==============================================================
Name                             Version          SafeSys  TDSS-1  TDSS-2  SysAnti(!)
Comodo Time Machine 2.8          2.8.155286.178   FAIL     FAIL    -       FAIL
Comodo Time Machine 2.7 beta     2.7.150952.175   FAIL     FAIL    -       -
Comodo Time Machine 2.6          2.6.138262.166   FAIL     FAIL    -       -
Shadow Defender                  1.1.0.325        PASS     PASS    PASS    PASS
Shadow Defender                  1.1.0.326        PASS     PASS*   PASS*   -
Windows SteadyState 2.5          5.1.2600.4364    FAIL     FAIL    -       -
Wondershare Time Freeze 2.0      2.0.674          FAIL     FAIL    -       -
Wondershare Time Freeze 1.0      1.0.587          FAIL     FAIL    -       -
Returnil Virtual System 2010**   3.1.8774.5254    FAIL     FAIL    -       -
Rollback Rx Professional         9.1.0.0          FAIL     FAIL    -       -
EAZ-FIX                          9.1.0.0          FAIL     FAIL    -       -
HD Guard 8.0                     8.0.0.6          FAIL     FAIL    -       -
HD Guard 8.1 beta                8.1.0.1          FAIL     FAIL    -       -
Deep Freeze                      7.0.20.3172      FAIL     FAIL    -       -
PowerShadow                      2.2.2.21         FAIL     FAIL    -       -
FarStone Snapshot™ 7***          7.03.1           FAIL     PASS    PASS    FAIL
ComBack IR Pro                   5.0              FAIL     FAIL    -       -
HDD Sheriff****                  5.73.0.0         -        -       -       -
==============================================================
(!): Ahnlab-V3's SysAnti signature is "Hupigon", which means 'phew... I'm so tired'  ;D ;D

* : Checked on my production machine. Several samples were tested, but 1.1.0.325 successfully protected my system.
Nonetheless you might want to see the result described here.
** : Returnil provides an additional AE layer. When I tested it with AV enabled, most of my samples were stopped by the AV, but my TDSS-1 sample evaded detection and the system was still contaminated.
*** : I'm figuring out why this result was produced. See here.
**** : It's a hardware solution; however, the driver version is shown above.
Since I don't have the PCI chip now, it takes time. Please be patient.


2. Partial sandbox software test
Test environment:
=========================================================
Name               Version          SafeSys  TDSS-1  TDSS-2
Comodo Sandbox*    4.1.150349.920   -        -       -
Sandboxie 3.46     3.46             -        -       -
Avast! Sandbox     -                -        -       -
Bufferzone free    -                -        -       -
GesWall            -                -        -       -
AppGuard           -                -        -       -
Sandbox RX         -                -        -       -
DefenseWall        -                -        -       -
=========================================================
(* : Defense+ is set to off )


3. Verdict
The result is frustrating. It doesn't make your system bullet-proof,
but Shadow Defender shows good results.
And FarStone Snapshot™ 7 protected against some of that malware. It's strange, though.
I think we would rather use a disk imaging utility for security's sake :(


4. Vendors' response
From COMODO (Time Machine):
Quote
Hi guys.
Thanks for your good work.
Please relax. This is not a big deal. We can detect/defend against such rootkits simply.
We will add the feature to CTM in the next version.

Thanks,
Doskey.
Quote
Hi dax123, thank you very much for your feedback; we will fix this issue in the future.

Regards

From Faronics (Deep Freeze):
Quote
Faronics is aware of the report that a worm called "W32.SafeSys.Worm" is able to
"bypass" Deep Freeze and other competing products. We are continuing to
investigate the issue to determine a possible resolution to the vulnerability.
 
As always, we continue to recommend that customers use an antivirus product in
combination with Deep Freeze. Please refer to the White Papers section of the
Faronics Content Library for information regarding how to use Deep Freeze with
many popular antivirus products.
 
Regards,
 
Adam Zilliax
Technical Support
Faronics Technologies Inc.
my response:

You're lying, see here and here.
And it's not a "bypass", but a bypass, definitely. Please don't try to deceive with such transparent guile  :-\

From Wondershare (Time Freeze):
Quote
Thank you for the kind feedback. This is Sara from Wondershare Support Team. Nice to contact you.
 
Wondershare Time Freeze is system restore software, not anti-virus software, so it cannot replace anti-virus software. We advise you to use Wondershare Time Freeze together with anti-virus software; it will be better for protecting your computer.
 
As far as we know, most similar products could not defend against all rootkits. We are aware of this problem, and we are working hard to improve our program in a future version.
 
Thank you again.
 
If you have any further question or suggestion, please contact us freely.
 
Best regards
 
Sara
Support Team
__________________________________
Wondershare Software
my response: it's okay, it certainly has a function that protects a system from unwanted changes. But if you are not going to fix this issue, then you should not advertise your product like this.

PS. Microsoft advertises Windows SteadyState as shared computer protection, not as 'virus-free'.

From Horizon Datasys (Rollback Rx, EAZ-FIX):
Quote
We are aware of this virus. It's a virus programmed by a former developer of Rollback-type instant recovery software. We don't believe he/she is a former developer of Rollback Rx, but he has to be someone who has inside knowledge of how an instant recovery disk filter driver works.

This type of virus is very popular in the Chinese market, in Internet cafes. Our software for the Chinese market has a patch for dealing with this type of virus, but we have not implemented the patch in our general release outside of China.
Because the patch is not a one-fix-fits-all type of solution, today's patch is only good for yesterday's version of the virus, which changes very frequently. We didn't want our Rollback users in North American markets to update Rollback every week because there is a new patch for the virus, as the virus is rare outside of the Chinese market.

The virus is actually quite simple. It writes to the hard disk directly, bypassing Rollback device drivers (or any other disk filter drivers), and writes things to the hard disk. And because it writes to the hard disk directly, what it does to the hard disk is outside of Rollback's snapshot jurisdiction. It's really a suicidal virus; it just "shoots without asking any questions". Logical software cannot deal with this type of problem. But it's pretty easy to stop this virus: you just need to configure your antivirus software to prevent installing and loading of device drivers without your consent. (The virus does the direct disk write through a device driver.)

Our proposed solution to this problem for customers outside of the Chinese market is that we will develop a separate patch, outside of Rollback Rx, that will specifically deal with this type of virus. Basically we patch the Windows O.S. to ban any direct write to the hard disk. The patch is still under development and we will provide it to customers as it's needed. We won't make it a wide-open download because we don't want to give the impression that we are in the business of patching systems.

From Microsoft(Windows Steadystate):
Quote
Thank you for your patience on this. After some investigation this is not something that we consider to be a security vulnerability.

Windows SteadyState 2.5 is intended to assist in providing a consistent environment on shared computers and reducing the potential for unintended alteration to the system. That being said, it definitely does not take the place of having a firewall and other appropriate anti-malware and security products installed.

From the SteadyState 2.5 Technical FAQ:
Q. Do I still need an antivirus program?
A. Yes, we recommend that you use antivirus and spyware prevention programs in addition to the protections provided by Windows SteadyState.

Additionally, SteadyState 2.5 only protects the partition that Windows is installed on, and Windows Disk Protection, the part of SteadyState that controls disk alteration, does not load prior to certain files, such as the master boot record, which the samples provided appear to do.

Best Regards,
Nate



5. Appendix
You can also see the related articles on Wilders Security and Prevx:
Virtualization/Rollback software test
TDL/TDSS trojan series bypassing isolation software
Deep Freeze 7 bypassed
A puzzle called SafeSys
Kernelmode.info - RootKit TDL3

Any suggestions, sample giveaways (I need a stronger sample) and criticism are welcome ;D
« Last Edit: July 27, 2010, 08:03:20 PM by dax123 »
i cannot help but confess, dang I wanted to get that. LOL
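Microsoft's reply above notes that Windows Disk Protection does not cover the master boot record, and Horizon Datasys describes the samples writing below the disk filter driver, so a defender's cheapest check is an out-of-band comparison of the MBR against a clean baseline. The following is an added example and not code from the thread or from any vendor: it parses a 512-byte MBR, hashes the boot code, lists the partition entries and reports deviations from a saved baseline; the sample MBR is constructed, and the `\\.\PhysicalDrive0` helper is an assumption that needs administrator rights on Windows.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
SIGNATURE = b"\x55\xaa"

# Constructed sample MBR (not captured from any system in the thread): placeholder
# boot code, one active NTFS (type 0x07) partition at LBA 63, three empty slots, 0x55AA.
SAMPLE_MBR = (
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439
    + b"\x80\x01\x01\x00\x07\xfe\xff\xff\x3f\x00\x00\x00\xc1\xbf\x7f\x01"
    + b"\x00" * 48
    + SIGNATURE
)


def parse_mbr(mbr):
    """Return the SHA-256 of the boot code and the non-empty partition entries."""
    if len(mbr) != SECTOR or mbr[-2:] != SIGNATURE:
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[BOOT_CODE_LEN + 16 * i:BOOT_CODE_LEN + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 or sectors != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def check_mbr(mbr, baseline_boot_hash):
    """Compare an MBR with a baseline hash taken from a known-clean system."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible bootkit write)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    return findings


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the live MBR (Windows only, needs administrator rights; assumed helper)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)
```

Take the baseline hash right after a clean install and run the comparison from a boot CD or another OS, since a rootkit that hooks the disk stack can hide its own changes from a check run on the infected system.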

ssj100 wrote:
Hey mate, please check your PM.

Keep up the good work!  Thanks.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Tech wrote:
Worried... Seems the snapshot technology is not protected against rootkits at all...
Maybe Doskey has something to tell us... Maybe the teams of CAV and CTM could work together in this...
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

taleblou wrote:
Hi:

Thanks dax123 for the test, but did you by chance test "Defensewall" as well, and how about testing "Returnil" with its antivirus on? I would appreciate it if you could post the results for these for me. Thanks in advance.

dax123 wrote:
Quote
Hi:

Thanks dax123 for the test, but did you by chance test "Defensewall" as well, and how about testing "Returnil" with its antivirus on? I would appreciate it if you could post the results for these for me. Thanks in advance.
Received  ;)

Greg S wrote:
Great work! Looking forward to more info

herbzhang (Comodo Staff) wrote:
Hi dax123, thank you very much for your feedback; we will fix this issue in the future.

Regards

dax123 wrote:
Quote
Hi dax123, thank you very much for your feedback; we will fix this issue in the future.

Regards
Thanks, your work is greatly appreciated.
I can't wait  ;D

Tech wrote:
Quote
Hi dax123, thank you very much for your feedback; we will fix this issue in the future.
What will be fixed? Please give more technical info when acknowledging a bug or a problem.
1. The detection of TDSS by CAV?
2. The bypassing of CTM by TDSS?
3. A stronger (much safer) driver?

Buster_BSA wrote:
It's a shame that all these vendors recognize the issue but don't change the publicity they use to sell products.

You will never be infected. Indestructible PC. Safe from all types of viruses. 100% security.

Lies!

They must change the publicity to reflect reality.

Tech: It's not a good signal that over 24 hours after your message you still didn't get a reply to your questions.

Tech wrote:
Quote
Tech: It's not a good signal that over 24 hours after your message you still didn't get a reply to your questions.
The speed differs from forum to forum.
There are a lot of volunteer moderators (not Comodo staff).
There are a lot of products being developed at the same time.
The development speed is below the beta testers' expectations.
I'm waiting for Comodo team input in a lot of threads (CTM, CPM, COB, CCS...).

dax123 wrote:
Quote
It's a shame that all these vendors recognize the issue but don't change the publicity they use to sell products.

You will never be infected. Indestructible PC. Safe from all types of viruses. 100% security.

Lies!

They must change the publicity to reflect reality.

Tech: It's not a good signal that over 24 hours after your message you still didn't get a reply to your questions.
Yeah. Hope they fix this issue in a later release  ;D

dave_mustaine wrote:
Thanks for your test dax123.

I'm shocked by these results! This means bye bye to Comodo Time Machine for me.

Tech wrote:
Quote
This means bye bye to Comodo Time Machine for me.
Bad conclusion in my opinion.
Software must be developed. No software is perfect.
For what will you change CTM? Shadow Defender? Which features will you lose? Is it perfect against all infections?

You must drop CTM immediately if you think you could have *only* it.
We're talking about layered defense.

dave_mustaine wrote:
Quote
Bad conclusion in my opinion.
Software must be developed. No software is perfect.
For what will you change CTM? Shadow Defender? Which features will you lose? Is it perfect against all infections?

You must drop CTM immediately if you think you could have *only* it.
We're talking about layered defense.

I'm going to use Paragon Backup & Recovery Free Edition.
