Topic: [CTM 2.8 tested] Light virtualization software / Partial sandbox test

Offline Tech

> CTM could not protect the MBR.
Well... Should it be CTM's job? Should it block *any* MBR change?
We have enough trouble trying to restore the Windows MBR in case of CTM failure.
Would we be blocked from making such changes?

> Ghost's shadow: safe, but after a rollback, CTM uninstalls itself.
CTM uninstalls itself? ???
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

Offline dax123

> Well... Should it be CTM's job? Should it block *any* MBR change?
> We have enough trouble trying to restore the Windows MBR in case of CTM failure.
> Would we be blocked from making such changes?
If you use recovery media (like a CD or a hypervisor boot) you can easily change the MBR in case of corruption (unless you have BIOS MBR protection enabled).
But COMODO should protect against MBR changes when the protected system is loaded,
and should prevent any permanent filesystem changes, as far as I can tell. That's what protection means.  88)
And because XueTr can recover from that corruption, CTM can do it too.

> CTM uninstalls itself? ???

Yes. I think CTM recognizes the MBR change and removes itself if so.
And not only does CTM fail to protect the MBR, it also fails to protect the filesystem, as shown below.


Maybe the security feature is incomplete.

Edit: I'm now testing Shadow Defender.
Edit 2: I was wrong; the test result against TDSS/Safesys was contaminated.
Edit 3: I think this is just a maintenance release. The security feature is not yet supported.

[attachment deleted by admin]
« Last Edit: July 27, 2010, 09:19:17 PM by dax123 »
I cannot help but confess, dang I wanted to get that. LOL
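Added example (editor's note; this is not code from the thread and not part of CTM, Returnil or Shadow Defender): a Python check for the MBR half of the test dax123 describes. It hashes the bootstrap code and the partition table of sector 0 separately, so a bootkit-style change (code replaced, partition table intact) is told apart from a wiped boot signature or a repartition. The device paths in the comments and the two sample images are constructed for the example.

```python
"""MBR integrity check for a boot-to-restore / light-virtualization test.

Added example; not code from this thread or from CTM, Returnil or Shadow
Defender. Takes a 512-byte sector 0 image, hashes the bootstrap code and the
partition table separately, and reports which of them changed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # bootstrap code; bytes 440..445 hold the disk signature + 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510       # 0x55 0xAA boot signature


def read_mbr(device: str) -> bytes:
    """Read sector 0 from a raw device (administrator/root needed).
    Windows: \\.\PhysicalDrive0   Linux: /dev/sda (both assumed examples)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def fingerprint(mbr: bytes) -> dict:
    """Separate digests for the two regions a test cares about."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "partition_table": hashlib.sha256(mbr[PART_TABLE_OFF:SIGNATURE_OFF]).hexdigest(),
        "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def verdict(baseline: bytes, current: bytes) -> str:
    """Classify the current MBR against a baseline taken before the sample ran."""
    b, c = fingerprint(baseline), fingerprint(current)
    if not c["signature_ok"]:
        return "CORRUPT"                 # BIOS will not boot this sector at all
    if b["boot_code"] != c["boot_code"]:
        return "BOOT CODE MODIFIED"      # the bootkit pattern: partitions intact, code replaced
    if b["partition_table"] != c["partition_table"]:
        return "PARTITION TABLE MODIFIED"
    return "UNCHANGED"


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte image: given boot code, one bootable NTFS partition at LBA 2048."""
    sector = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    sector += struct.pack("<IH", 0xDEADBEEF, 0)                        # disk signature, reserved
    sector += struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,   # bootable, CHS start, NTFS
                          b"\xfe\xff\xff", 2048, 204800)              # CHS end, LBA start, sectors
    sector += b"\x00" * (3 * PART_ENTRY_LEN)                           # three empty entries
    return sector + b"\x55\xaa"


# Constructed samples: the clean image opens like a stock Windows MBR
# (xor ax,ax / mov ss,ax / mov sp,7C00h); the "infected" one keeps the
# partition table and replaces only the bootstrap code, as a bootkit does.
CLEAN = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED = make_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 16)
ZEROED_SIG = CLEAN[:SIGNATURE_OFF] + b"\x00\x00"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected", INFECTED), ("zeroed sig", ZEROED_SIG)):
        print(f"{name:>11}: {verdict(CLEAN, img)}")
    print(parse_partitions(CLEAN)[0])
```

Take the baseline before running the sample and the second read only after the reboot or rollback the product performs; a read from inside the protected session shows whatever the product's virtualized view shows. A bootkit that hooks the disk stack can likewise hide its own MBR from reads made in the running OS, so the reliable read is the one from recovery media, as dax123 suggests.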

Offline Tech

Re: Light virtualization software / Partial sandbox test [CTM 2.8 Fails!]
« Reply #32 on: July 27, 2010, 06:47:31 PM »
> But COMODO should protect against MBR changes when the protected system is loaded,
> and should prevent any permanent filesystem changes, as far as I can tell. That's what protection means.  88)
If possible, I fully agree with you.

> Yes. I think CTM recognizes the MBR change and removes itself if so.
If the MBR is changed, the console can't load properly.

> And not only does CTM fail to protect the MBR, it also fails to protect the filesystem.
So, nothing to celebrate :'(

Offline Coldmoon

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #33 on: August 05, 2010, 12:34:14 PM »
Hi dax123,
Interesting tests, but you need to take into account that RVS is not just a simple boot-to-restore solution, so you need to activate all the features to take advantage of the layered security. Each component is designed to cover the potential weaknesses of the other components, to achieve a truly integrated but layered approach which has been shown to be effective against the malware types you are testing in this discussion (ref: various related Wilders threads in the Virtualization and Sandboxing forum).

This means that to really test RVS, you need to turn on the Anti-execute and antimalware features. You should also try the tests in the same way with the new 3.2 series (RSS Pro 2011 - be sure to review the changes as the AE and AM features have been upgraded as well as a great deal more over the RVS 2010 series).

Kind regards
Mike

Offline ssj100

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #34 on: August 05, 2010, 08:20:10 PM »
Hi dax123,
> Interesting tests, but you need to take into account that RVS is not just a simple boot-to-restore solution, so you need to activate all the features to take advantage of the layered security. Each component is designed to cover the potential weaknesses of the other components, to achieve a truly integrated but layered approach which has been shown to be effective against the malware types you are testing in this discussion (ref: various related Wilders threads in the Virtualization and Sandboxing forum).
>
> This means that to really test RVS, you need to turn on the Anti-execute and antimalware features. You should also try the tests in the same way with the new 3.2 series (RSS Pro 2011 - be sure to review the changes as the AE and AM features have been upgraded as well as a great deal more over the RVS 2010 series).
>
> Kind regards
> Mike

To me, this is basically further proof that light virtualisation isn't a particularly strong "layer" of defense (relative to, say, Sandboxie or SRP, both of which I'm struggling to find current real-world malware to bypass). Returnil have obviously recognised this (for quite a while too), hence the reason for implementing other "layers" of defense.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Offline Tech

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #35 on: August 05, 2010, 08:48:53 PM »
For me, CTM is not a defense layer but a system restore feature. If it can work against common infections, well, that's another advantage.

Offline bequick

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #36 on: August 05, 2010, 08:49:00 PM »
> To me, this is basically further proof that light virtualisation isn't a particularly strong "layer" of defense (relative to, say, Sandboxie or SRP, both of which I'm struggling to find current real-world malware to bypass). Returnil have obviously recognised this (for quite a while too), hence the reason for implementing other "layers" of defense.

I will send you by PM malware that bypasses Sandboxie. :)

Offline dax123

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #37 on: August 06, 2010, 12:42:03 AM »
> Hi dax123,
> Interesting tests, but you need to take into account that RVS is not just a simple boot-to-restore solution, so you need to activate all the features to take advantage of the layered security. Each component is designed to cover the potential weaknesses of the other components, to achieve a truly integrated but layered approach which has been shown to be effective against the malware types you are testing in this discussion (ref: various related Wilders threads in the Virtualization and Sandboxing forum).
>
> This means that to really test RVS, you need to turn on the Anti-execute and antimalware features. You should also try the tests in the same way with the new 3.2 series (RSS Pro 2011 - be sure to review the changes as the AE and AM features have been upgraded as well as a great deal more over the RVS 2010 series).
>
> Kind regards
> Mike

Thanks for the feedback. My opinion is this:

1. Even though Returnil provides an additional security layer, it's still a legacy AV and it can be bypassed.
   Only a HIPS can appropriately cover that weakness if it isn't fixed (and HIPS is chatty).
2. I don't buy the anti-executable thing (unless it's highly customizable and automated). Imagine a gamer.
   A normal (or business) user can't (or won't) use it because it may be irritating.
3. You need more security layers to cover the weakness if you want to leave it unfixed.

Anyway, it will be interesting to test the new RVS 2011.
Regards
« Last Edit: August 06, 2010, 12:46:37 AM by dax123 »

Offline ssj100

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #38 on: August 06, 2010, 08:32:33 AM »
> I will send you by PM malware that bypasses Sandboxie. :)

I can't find any evidence that it bypasses Sandboxie, but will verify/confirm it with Buster and tzuk himself etc.

By the way, the malware can't even run with Sandboxie's start/run restrictions.

Offline aigle

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #39 on: August 06, 2010, 05:53:30 PM »
Please keep us updated on the SBIE issue. Thanks

Offline ssj100

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #40 on: August 06, 2010, 06:21:56 PM »
> Please keep us updated on the SBIE issue. Thanks

Still waiting on tzuk/Buster to get back to me, but it appears to be a simple malware dropper to me.  I think "bequick" got confused that the malware file "deletes" itself and then drops files into the Application data folder.  This is true, but it all happens inside the sandbox as far as I can tell.

Offline ssj100

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #41 on: August 07, 2010, 11:59:47 PM »
tzuk confirms there is no bypass.  bequick, next time, it might be worthwhile to at least query whether there is a bypass rather than blatantly state/imply that there definitely is one haha.  To my knowledge, out of all third party security software out there, Sandboxie (particularly on 32-bit) has had the fewest bypasses in the last few years.

Offline aigle

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #42 on: August 14, 2010, 11:24:28 PM »
Thanks for the update.

Offline ssj100

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #43 on: August 15, 2010, 01:36:29 AM »
> Thanks for the update.

Yes, I notice bequick hasn't commented on this. Therefore, it's possible/likely that he was simply trolling. His PMs about this were full of "smiley" faces too as he claimed a bypass. Well bequick, you were wrong. Sorry.

Offline bequick

Re: [CTM 2.8 tested]Light virtualization software / Partial sandbox test
« Reply #44 on: August 21, 2010, 04:50:21 AM »
> Therefore, it's possible/likely that he was simply trolling.
Yes, it's possible, but it's not true. I have had this issue confirmed by other people; that's why I do not comment here. I don't want confrontation. As simple as that. And I will never comment on SB again, here.

P.S. Sorry for my "trolling"!

 
