(I'll keep modifying this thread to keep it up to date.)
Test index
- 1. Light virtualization software test
- 2. Partial sandbox software test
- 3. Verdict
- 4. Vendors' response
- 5. Appendix
1. Light virtualization software test
Test environment: Microsoft Virtual PC 2007, Windows XP SP3, no critical updates.
Picture version of test results can be found here
| Name | Version | SafeSys | TDSS-1 | TDSS-2 | SysAnti (!) |
|---|---|---|---|---|---|
| Comodo Time Machine 2.8 | 2.8.155286.178 | FAIL | FAIL | - | FAIL |
| Comodo Time Machine 2.7 beta | 2.7.150952.175 | FAIL | FAIL | - | - |
| Comodo Time Machine 2.6 | 2.6.138262.166 | FAIL | FAIL | - | - |
| Shadow Defender | 126.96.36.1996 | PASS | PASS* | PASS* | - |
| Windows SteadyState 2.5 | 5.1.2600.4364 | FAIL | FAIL | - | - |
| Wondershare Time Freeze 2.0 | 2.0.674 | FAIL | FAIL | - | - |
| Wondershare Time Freeze 1.0 | 1.0.587 | FAIL | FAIL | - | - |
| Returnil Virtual System 2010** | 3.1.8774.5254 | FAIL | FAIL | - | - |
| Rollback Rx Professional | 188.8.131.52 | FAIL | FAIL | - | - |
| EAZ-FIX | 184.108.40.206 | FAIL | FAIL | - | - |
| HD Guard 8.0 | 220.127.116.11 | FAIL | FAIL | - | - |
| HD Guard 8.1 beta | 18.104.22.168 | FAIL | FAIL | - | - |
| Deep Freeze | 22.214.171.12472 | FAIL | FAIL | - | - |
| PowerShadow | 126.96.36.199 | FAIL | FAIL | - | - |
| FarStone Snapshot™ 7*** | 7.03.1 | FAIL | PASS | PASS | FAIL |
| ComBack IR Pro | 5.0 | FAIL | FAIL | - | - |
| HDD Sheriff**** | 188.8.131.52 | - | - | - | - |
(!): Ahnlab-V3's SysAnti signature is "Hupigon", which means 'phew... I'm so tired'.
*: Checked on my production machine. Several samples were tested, but 184.108.40.2065 successfully protected my system.
Nonetheless you might want to see the result described here.
**: Returnil provides an additional AE layer. When I tested it with the AV enabled, most of my samples were stopped by the AV, but my TDSS-1 sample evaded detection and the system was still contaminated.
***: I'm figuring out why this result was produced. See here.
****: It's a hardware solution; however, the driver version is shown above. Since I don't have the PCI chip now, it takes time. Please be patient.
2. Partial sandbox software test
| Name | Version | SafeSys | TDSS-1 | TDSS-2 |
|---|---|---|---|---|
| Comodo Sandbox* | 4.1.150349.920 | - | - | - |
| Sandboxie 3.46 | 3.46 | - | - | - |
| Avast! Sandbox | - | - | - | - |
| Bufferzone free | - | - | - | - |
| GesWall | - | - | - | - |
| AppGuard | - | - | - | - |
| Sandbox RX | - | - | - | - |
| DefenseWall | - | - | - | - |
*: Defense+ is set to off.
3. Verdict
The result is frustrating: light virtualization software does not make your system bullet-proof.
Shadow Defender, however, shows good results.
FarStone Snapshot™ 7 also protected against some of this malware, though that result is strange.
I think we would rather use a disk imaging utility for security's sake.
4. Vendors' response
From COMODO (Time Machine):
Thanks for your good work.
Please relax. This is not a big deal. We can detect/defend against such rootkits simply.
We will add the feature to CTM in the next version.
Hi dax123, thank you very much for your feedback, we will fix this issue in the future.
From Faronics (Deep Freeze):
Faronics is aware of the report that a worm called "W32.SafeSys.Worm" is able to
"bypass" Deep Freeze and other competing products. We are continuing to
investigate the issue to determine a possible resolution to the vulnerability.
As always, we continue to recommend that customers use an antivirus product in
combination with Deep Freeze. Please refer to the White Papers section of the
Faronics Content Library for information regarding how to use Deep Freeze with
many popular antivirus products.
Faronics Technologies Inc.
my response:
you're lying, see here.
And it's not a "bypass", but a bypass, definitely. Please don't try to deceive with a transparent guile.
From Wondershare (Time Freeze):
Thank you for the kind feedback. This is Sara from Wondershare Support Team. Nice to contact you.
Wondershare Time Freeze is system restore software, not anti-virus software, so it cannot replace anti-virus software. We advise you to use Wondershare Time Freeze together with anti-virus software; it will be better for protecting your computer.
As far as we know, most similar products could not defend against all rootkits. We are aware of this problem, and we are working hard to improve our program in a future version.
Thank you again.
If you have any further question or suggestion, please contact us freely.
my response: it's okay; it certainly has a function that prevents a system from unwanted changes. But if you are not going to fix this issue, then you shouldn't advertise your product like this.
PS. Microsoft advertises Windows SteadyState as shared computer protection, not as 'virus-free'.
From Horizon Datasys (Rollback Rx, EAZ-FIX):
We are aware of this virus. It's a virus programmed by a former developer of Rollback-type instant recovery software. We don't believe he/she is a former developer of Rollback Rx, but he has to be someone who has inside knowledge of how an instant recovery disk filter driver works.
This type of virus is very popular in the Chinese market, in Internet cafes. Our software for the Chinese market has a patch for dealing with this type of virus. But we have not implemented the patch in our general release outside of China.
Because the patch is not a one-fix-fits-all type of solution, today's patch is only good for yesterday's version of the virus, which changes very frequently. We didn't want our Rollback users in North American markets to update Rollback every week because there is a new patch for the virus, as the virus is rare outside of the Chinese market.
The virus is actually quite simple. It writes to the hard disk directly, bypassing Rollback device drivers (or any other disk filter drivers), and writes things to the hard disk. And because it writes to the hard disk directly, what it does to the hard disk is outside of Rollback snapshots' jurisdiction. It's really a suicidal virus; it just "shoots without asking any questions". Logical software cannot deal with this type of problem. But it's pretty easy to stop this virus: you just need to configure your antivirus software to prevent installing and loading of device drivers without your consent. (The virus does the direct disk write through a device driver.)
Our proposed solution to this problem for customers outside of the Chinese market is that we will develop a separate patch, outside of Rollback Rx, that will specifically deal with this type of virus. Basically we patch the Windows O.S. to ban any direct write to the hard disk. The patch is still under development and we will provide it to customers as it's needed. We won't make it a wide open download because we don't want to make the impression that we are in the business of patching systems.
From Microsoft (Windows SteadyState):
Thank you for your patience on this. After some investigation this is not something that we consider to be a security vulnerability.
5. Appendix
Windows SteadyState 2.5 is intended to assist in providing a consistent environment on shared computers and reducing the potential for unintended alteration to the system. That being said, it definitely does not take the place of having a firewall and other appropriate anti-malware and security products installed.
From the SteadyState 2.5 Technical FAQ:
Q. Do I still need an antivirus program?
A. Yes, we recommend that you use antivirus and spyware prevention programs in addition to the protections provided by Windows SteadyState.
Additionally, SteadyState 2.5 only protects the partition that Windows is installed on, and Windows Disk Protection, which is the part of SteadyState that controls disk alteration, does not load prior to certain files such as the master boot record, which is what the samples provided appear to do.
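One defensive check that follows from the Horizon Datasys reply (the sample loads its own device driver to write to the disk directly, underneath any filter driver) and from the Appendix note that Windows Disk Protection cannot cover what loads before it: watch the System log for unexpected kernel-mode driver installs. This is an added example, not code from the post or from any vendor; it parses a constructed text export of Service Control Manager event 7045 ("A service was installed in the system") entries, and the export format, the VBoxGuest baseline entry and the service names are assumptions.

```python
"""Flag unexpected kernel-mode driver installs in a Windows System log export.
Added example, not from the original post: the Horizon Datasys reply says the
sample writes to disk through its own device driver, so the defensive signal is
Service Control Manager event 7045 with service type 'kernel mode driver'."""
import re

# Constructed sample: simplified text export, one event per line (not a real log).
SAMPLE_LOG = """\
EventID=7045 Source="Service Control Manager" ServiceName=VBoxGuest ServiceType="kernel mode driver" ImagePath=system32\\DRIVERS\\VBoxGuest.sys StartType="auto start"
EventID=7036 Source="Service Control Manager" ServiceName=Themes ServiceType="share process" ImagePath=C:\\WINDOWS\\System32\\svchost.exe StartType="auto start"
EventID=7045 Source="Service Control Manager" ServiceName=abcd1234 ServiceType="kernel mode driver" ImagePath=C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\abcd1234.sys StartType="demand start"
EventID=7045 Source="Service Control Manager" ServiceName=HelperSvc ServiceType="user mode service" ImagePath="C:\\Program Files\\Helper\\helper.exe" StartType="auto start"
"""

# Assumed baseline of drivers expected on this image (placeholder, lower-case).
KNOWN_DRIVERS = {"vboxguest"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_suspicious_driver_installs(log_text, known=KNOWN_DRIVERS):
    """Return (service name, image path, reason) for each event 7045 that installs
    a kernel-mode driver which is not in the baseline; loading from outside the
    system drivers directory (e.g. a Temp folder) is called out separately."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "7045" or ev.get("ServiceType") != "kernel mode driver":
            continue  # not a driver install; user-mode services are out of scope here
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if name.lower() in known:
            continue
        if "\\drivers\\" in path.lower():
            reason = "kernel driver not in baseline"
        else:
            reason = "kernel driver loading from outside the system drivers directory"
        hits.append((name, path, reason))
    return hits


if __name__ == "__main__":
    for name, path, reason in find_suspicious_driver_installs(SAMPLE_LOG):
        print(f"{name}: {path} ({reason})")
```

On a real machine the same logic applies to an exported System log; anything it flags is a candidate for the "driver installed without consent" case the Horizon Datasys reply recommends blocking.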
You can also see the related articles on Wilders Security and Prevx:
- Virtualization/Rollback software test
- TDL/TDSS trojan series bypassing isolation software
- Deep Freeze 7 bypassed
- A puzzle called SafeSys
- Kernelmode.info - RootKit TDL3
Any suggestions, sample giveaways (I need a stronger sample), and criticism are welcome.