Run Firefox fully virtualized, log of blocked things gets filled

If I choose Firefox to be fully virtualized, often per minute things get logged as blocked.
That way the log gets filled with 100s of entries very fast, and you would not see a real blocked threat among all those normal things.

If something is fully virtualized, why should anything be blocked and logged?
Nothing gets blocked if Firefox is not fully virtualized. The entries are Firefox and Flash trying to access memory.

So this doesn't make sense.

This also seems to happen in virtual kiosk.

A log makes sense if it logs important things.
And virtualization makes sense if it doesn't allow access to real things at all, as they should be FULLY virtualized.

I just want to point out that you can filter out things from the log, for example you can set the filter to not show entries with “firefox” in the application field, don’t know if you knew that or not but thought I might as well point it out. Otherwise I agree with you, it has been pointed out a few times before (well specifically browsers) but I don’t believe anything really came out of those threads.

What actions are being logged? Can you post a screenshot?

Only when fully virtualized (and in kiosk too), several times a minute:
firefox exe > access memory > target: system

Flash exe too. If it's playing.

The Flash executable probably runs under FF and is therefore virtualised when FF is virtualised. You can check that with Killswitch. Programs in Kiosk also run virtualised and as a consequence you will see the same events logged. VK is a nicely wrapped environment that runs on top of the virtualisation engine.

I am inclined to interpret this that D+ is also playing a role when running virtualised.

The D+ logs offer advanced filter capabilities that will allow you to filter out the memory access attempts. It works pretty straightforwardly. See attached image.

  1. The log filters are temporary
  2. I don't need logs to be created that I don't need. I can only disable whole logging for firewall and everything.

A virtual sandbox that tells me “access to the memory of system was blocked” appears not virtual. It just blocked that access.

Other than that you could request it to be changed by making it a wish in Wishlist - CIS.