Sandbox, Virtualization, and Lockdown
If you think of a sandbox as a “virtual workspace”, the concept has been around a long time. A RAM drive is a virtual workspace, since upon reboot, nothing written to that drive remains.
One of the problems with the early RAM drives was the 32MB limit of the Windows ramdrv.sys. An interesting product that was used for some time was vRamDir, a virtual RAM drive that could be as big as your available free RAM. Also, you could remap directories to it. It was common to load temp and cache directories into RAM on startup. Running applications in RAM was really fast. This was in the days before fast CPUs. We didn’t think of it so much for security as for speed. For example, I knew programmers who compiled in a RAM drive.
In more recent times the technology has been incorporated as a security tool. A virtual PC is like a sandbox - any configuration changes on it have absolutely no effect on the host system, but are based on the host system’s hardware.
A company called SoftGrid has its SystemGuard™ - “because applications bring their own set of configurations and run within a protective virtual run-time ‘sandbox,’ there is no dependency or effect on the configuration of the machine running them.”
Windows Servers include this technology. From my WinServer2003 notes: “The new Software Restriction Policies (SRP) feature creates a virtual ‘sandbox’ that prevents unauthorized code execution.”
Tiny Firewall uses sandbox technology.
Another group of programs use the ‘sandbox’ idea to protect the system. A sandbox is a virtual container in which untrusted programs can be safely run.
Sandboxie is a true stand-alone sandbox program. Their site diagrams nicely how it works:
http://www.sandboxie.com/
ShadowUser works on a similar principle, where the ‘ShadowMode’ creates a virtual volume:
http://www.shadowstor.com/products/ItemPage.aspx?ItemID=83&ProductID=4
RollBack Rx claims to write-protect the HD and create ‘Scratch Space’.
The programs below use virtualization. Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.
Returnil uses a powerful virtualization technology that completely mirrors your actual computer setup and it can create a virtual storage disk within your PC where you can save documents, data, and files while using the System Protection feature.
BufferZone’s revolutionary virtualization technology creates an isolated zone on your PC, which separates your operating system and confidential data from unknown programs, downloads and files. Unlike anti-virus and anti-spyware software, BufferZone Free requires no signature updates at all, while protecting your PC against spyware, adware and viruses - even new and yet unknown ones downloaded using your P2P, Web browser or instant messaging software.
The programs below use lockdown. Lockdown pertains to a state of containment or a restriction of progression. You could almost say that it freezes time.
Deep Freeze - ‘locks down’ the system but doesn’t use virtualization. Deep Freeze = locked volume content, changes revert on restart, can only change content in a thawed state. Once changed in a thawed state, that’s the content moving forward. Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte.
First Defense ISR = Take system snapshots (akin to snapshots on a VM) and boot to any of them. Any snapshot can be used as a live system. Can revert to any previous snapshot state. Think of it as akin to keeping an online jukebox of system drives and being able to choose any one you want via a preboot menu. Downside is that the current program is being replaced by the only distributor of the product (Horizon Data Systems) with a version that allows retention of a single snapshot only. More mass market potential. Also, the freeze option (similar to Deep Freeze) is gone on the current HDS release. I think they stop selling the full FD-ISR Workstation at the end of this month.
Both work. Deep Freeze is designed for a static system with forced restoration on any restart and takes minimal HDD space. FirstDefense-ISR is designed for immediate restoration of a dynamic system in which states are preserved across restarts, but can be bumped by a forced snapshot change or restoration. Snapshots take a bit of space (a few to maybe 10 GB depending on what your machine looks like and how you take a snapshot). Cost per seat is different as well.
These types of programs are becoming popular as the foundation of a security system. Each program works on different principles and levels of restriction.
Some people admit that they run such a program + firewall and little else.
This evening in the AntiMalware by Trustware thread Eyal Dotan, the author & CTO of AntiMalware, wrote:
“…what AntiMalware’s BufferZone does is virtualize untrusted processes’ ‘Write’ access to FileSystem & Registry”
For those who have experienced problems and conflicts with various ‘sandbox,’ ‘lock-down’ or ‘virtualization’ programs: most people using them (ShadowUser and Deep Freeze especially) stress starting with a clean system. I would uninstall all AV/AT etc. programs, then install SU, AM, Sandboxie or whatever - use that as the foundation - and then add other programs to see at what point you have conflicts.
Immediate Recovery Software VS On Demand Scanners
Introduction
- ISR-softwares is the collective name for all Immediate System Recovery software:
- DeepFreeze
- FirstDefense-ISR + clones
- PowerShadow
- Returnil
- RollbackRx + clones
- ShadowDefender
- ShadowUser
- …
Software like Sandboxie, DefenseWall, … doesn’t belong in this list because it doesn’t recover an entire system partition.
The main goal of ISR-softwares is to keep your system (partition) UNCHANGED, not your personal data.
Although they all use a different method to keep your system UNCHANGED, the final result is the same: they reset your system during reboot. Some do it even better than others.
- An On Demand scanner is any scanner that is used as a second scanner. MAIN scanners are not included in this thread.
Personally, I consider MAIN scanners without a real-time shield also as ON DEMAND scanners. If you don’t agree with me, tell me why.
The main goal of ON DEMAND scanners is to detect/remove any malware that wasn’t detected/removed by the MAIN scanner.
It doesn’t really matter if it’s an AV/AS/AT/… scanner, because there is no clear distinction anymore: they all remove something bad that doesn’t belong on your system, and that is important.
Differences
To keep it pure, no other security software is involved than ISR-softwares and ON DEMAND scanners.
I won’t use the name ON DEMAND scanners anymore; I call them scanners for the rest of my post.
Vulnerable Period
ISR-softwares have a vulnerable period between two reboots.
Scanners have a vulnerable period between two scans.
Both allow installation and execution of any malware during that period. So there is no difference and that means it doesn’t matter.
Removal of Malware
ISR-softwares remove any CHANGE and that means a complete removal of all bad changes.
ISR-softwares don’t need signatures or heuristics to remove any malware; in other words, they remove:
- any known malware
- any unknown/undiscovered malware
- any malware created in the future.
Scanners remove only what they recognize as malware, using signatures, heuristics, and packer & suspicious-file detection; anything else remains on your hard disk.
Each scanner has a different signature database, so only the different signatures make a scanner special.
This means that ONE scanner might not be enough. So how many scanners do you need? One, two, three, …?
This is a problem in theory. This problem is usually solved in practice by ignoring the theory and making a final choice, but that doesn’t mean the problem is solved.
The bottom line is that scanners, and even MAIN scanners, don’t guarantee a complete removal of malware.
Removal Time
ISR-softwares remove malware on reboot, which is usually very short, in my case less than 2 minutes, and FDISR is certainly not the fastest one.
Scanners require a lot more than 2 minutes to do a full scan. The more scanners you have, the more time you need to run them.
Some users run scanners only one time a week. If this scanner finds malware, it means that this malware has been on your system during a period of 1 up to 7 days. That is the same as leaving a burglar in your house for 1-7 days to steal whatever he wants or to destroy whatever he wants. So running a scanner one time a week is absurd and only proves that users want to save time, because there is no scanner of 2 minutes.
Since the reboot-time is so short, you can reboot more than one time a day, which means a shorter vulnerable period.
False Positives
ISR-softwares don’t have false positives at all.
Scanners do have false positives, not all the time, but when it happens, these false positives will be removed by less-knowledgeable users, damaging their own system this way. Kind of suicide.
Conclusion
- Regarding the vulnerable period, there is no difference.
- Regarding removal of any malware, ISR-softwares are clearly the winners.
- Regarding removal time, ISR-softwares are again clearly the winners.
- Regarding false positives, ISR-softwares are again clearly the winners.
So ISR-softwares are much better than ON DEMAND scanners. You can almost say that ISR-softwares put all malware into the “BERMUDA TRIANGLE”, literally.
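A toy model, added here and not code from any product named in this thread, of the behaviours the two posts describe: a Deep Freeze style frozen volume whose scratch overlay is thrown away (frozen) or committed (thawed) on reboot, FD-ISR style snapshots that can be booted later, and the "Removal of Malware" comparison where a scanner deletes only files whose hash it recognises while a frozen reboot reverts every change. The file names, contents and signature set in the scenario are constructed, and the overlay is a simplification, not how any of these products actually works.

```python
import hashlib

class FrozenVolume:
    """Toy model: a read-only baseline plus a scratch overlay that catches every write."""
    def __init__(self, baseline):
        self.baseline = dict(baseline)  # committed content, path -> bytes
        self.scratch = {}               # overlay: path -> bytes, None = deleted
        self.frozen = True
        self.snapshots = {}

    def write(self, path, data=None):   # data=None records a deletion
        self.scratch[path] = data

    def view(self):                     # the volume as the running system sees it
        merged = {**self.baseline, **self.scratch}
        return {p: d for p, d in merged.items() if d is not None}

    def reboot(self):                   # frozen: changes vanish; thawed: they stick
        if not self.frozen:
            self.baseline = self.view()
        self.scratch = {}

    def snapshot(self, name):           # FD-ISR style: bootable copy of the live state
        self.snapshots[name] = self.view()

    def boot_snapshot(self, name):
        self.baseline, self.scratch = dict(self.snapshots[name]), {}

    def scan(self, signatures):         # on-demand scanner: removes only known hashes
        hits = [p for p, d in self.view().items()
                if hashlib.sha256(d).hexdigest() in signatures]
        for path in hits:
            self.write(path)
        return hits

def compare_removal():
    """Constructed scenario: an installer drops a file the scanner knows and one
    it does not, and deletes boot.ini. Returns the paths still differing from
    the baseline after a scan, then after a frozen reboot."""
    baseline = {"C:/boot.ini": b"boot", "C:/Windows/system.dll": b"sys"}
    vol = FrozenVolume(baseline)
    vol.write("C:/Windows/known.exe", b"known bad")
    vol.write("C:/Windows/unknown.exe", b"zero day")
    vol.write("C:/boot.ini")
    changed = lambda: sorted(p for p in set(vol.view()) | set(baseline)
                             if vol.view().get(p) != baseline.get(p))
    vol.scan({hashlib.sha256(b"known bad").hexdigest()})
    after_scan = changed()
    vol.reboot()
    return after_scan, changed()
```

After the scan the unknown dropper and the deleted boot.ini still differ from the baseline; after the frozen reboot nothing does.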