Light virtualization software / Partial sandbox test
Do you want to use Shadow Defender? Do you think it's reliable enough?
(I'll keep modifying this thread to inform.)
Test index
- Light virtualization software test
- Partial sandbox software test
- Verdict
- Vendors' response
- Appendix
1. Light virtualization software test
Test environment: Microsoft Virtual PC 2007, Windows XP SP3, no critical updates.
Picture version of test results can be found here
=========================================================
Name | Version | SafeSys | TDSS-1 | TDSS-2 | SysAnti(!) |
Comodo Time Machine 2.8 | 2.8.155286.178 | FAIL | FAIL | - | FAIL |
Comodo Time Machine 2.7 beta | 2.7.150952.175 | FAIL | FAIL | - | - |
Comodo Time Machine 2.6 | 2.6.138262.166 | FAIL | FAIL | - | - |
Shadow Defender | 1.1.0.325 | PASS | PASS | PASS | PASS |
Shadow Defender | 1.1.0.326 | PASS | PASS* | PASS* | - |
Windows Steadystate 2.5 | 5.1.2600.4364 | FAIL | FAIL | - | - |
Wondershare Time Freeze 2.0 | 2.0.674 | FAIL | FAIL | - | - |
Wondershare Time Freeze 1.0 | 1.0.587 | FAIL | FAIL | - | - |
Returnil Virtual System 2010** | 3.1.8774.5254 | FAIL | FAIL | - | - |
Rollback Rx Professional | 9.1.0.0 | FAIL | FAIL | - | - |
EAZ-FIX | 9.1.0.0 | FAIL | FAIL | - | - |
HD Guard 8.0 | 8.0.0.6 | FAIL | FAIL | - | - |
HD Guard 8.1 beta | 8.1.0.1 | FAIL | FAIL | - | - |
Deep Freeze | 7.0.20.3172 | FAIL | FAIL | - | - |
PowerShadow | 2.2.2.21 | FAIL | FAIL | - | - |
FarStone Snapshot 7*** | 7.03.1 | FAIL | PASS | PASS | FAIL |
ComBack IR Pro | 5.0 | FAIL | FAIL | - | - |
HDD Sheriff**** | 5.73.0.0 | - | - | - | - |
* : Checked on my production machine. Several samples were tested, but 1.1.0.325 successfully protected my system.
Nonetheless you might want to see the result described here.
** : Returnil provides an additional AE layer. When I tested it with the AV enabled, most of my samples were stopped by the AV, but my TDSS-1 sample evaded detection and the system was still contaminated.
*** : I'm figuring out why this result was produced. See here.
**** : It's a hardware solution; however, the driver version is shown above.
Since I don't have the PCI chip now, it takes time. Please be patient.
2. Partial sandbox software test
Test environment:
=========================================================
Name | Version | SafeSys | TDSS-1 | TDSS-2 |
Comodo Sandbox* | 4.1.150349.920 | - | - | - |
Sandboxie 3.46 | 3.46 | - | - | - |
Avast! Sandbox | - | - | - | - |
Bufferzone free | - | - | - | - |
GesWall | - | - | - | - |
AppGuard | - | - | - | - |
Sandbox RX | - | - | - | - |
DefenseWall | - | - | - | - |
(* : Defense+ is set to off)
3. Verdict
The result is frustrating: it doesn't make your system bullet-proof.
But Shadow Defender shows good results.
And FarStone Snapshot 7 protected against some of that malware; it's strange though.
I think we would rather use a disk imaging utility for security's sake.
4. Vendors' response
From COMODO (Time Machine):
Hi guys.
Thanks for your good work.
Please relax. This is not a big deal. We can detect/defend against such a rootkit simply.
We will add the feature for CTM on next version.
Thanks,
Doskey.
Hi dax123, thank you very much for your feedback; we will fix this issue in the future.
Regards
From Faronics (Deep Freeze):
Faronics is aware of the report that a worm called "W32.SafeSys.Worm" is able to
"bypass" Deep Freeze and other competing products. We are continuing to
investigate the issue to determine a possible resolution to the vulnerability.
As always, we continue to recommend that customers use an antivirus product in
combination with Deep Freeze. Please refer to the White Papers section of the
Faronics Content Library for information regarding how to use Deep Freeze with
many popular antivirus products.
Regards,
Adam Zilliax
Technical Support
Faronics Technologies Inc.
My response: you're lying, see here and here.
And it's not a "bypass", but a bypass, definitely. Please don't try to deceive by a transparent guile :-\
From Wondershare (Time Freeze):
Thank you for the kind feedback. This is Sara from the Wondershare Support Team. Nice to contact you.
Wondershare Time Freeze is system restore software, not anti-virus software, so it cannot replace anti-virus software. So we advise you to use Wondershare Time Freeze together with anti-virus software; it will be better for protecting your computer.
As far as we know, most similar products could not defend against all rootkits. We are aware of this problem, and we are working hard to improve our program in a future version.
Thank you again.
If you have any further question or suggestion, please contact us freely.
Best regards
Sara
Support Team
Wondershare Software
My response: it's okay, it certainly has a function that prevents unwanted changes to a system. But if you are not going to fix this issue, then you shouldn't advertise your product like this.
PS. Microsoft advertises Windows SteadyState as shared-computer protection, not as 'virus-free'.
From Horizon Datasys (Rollback Rx, EAZ-FIX):
We are aware of this virus. It's a virus programmed by a former developer of Rollback-type instant recovery software. We don't believe he/she is a former developer of Rollback Rx, but he has to be someone who has inside knowledge of how an instant recovery disk filter driver works.
This type of virus is very popular in the Chinese market, in Internet cafes. Our software for the Chinese market has a patch for dealing with this type of virus, but we have not implemented the patch in our general release outside of China.
Because the patch is not a one-fix-fits-all type of solution, today's patch is only good for yesterday's version of the virus, which changes very frequently. We didn't want our Rollback users in North American markets to update Rollback every week because there is a new patch for the virus, as the virus is rare outside of the Chinese market.
The virus is actually quite simple. It writes to the hard disk directly, bypassing Rollback device drivers (or any other disk filter drivers), and writes things to the hard disk. And because it writes to the hard disk directly, what it does to the hard disk is outside of Rollback snapshots' jurisdiction. It's really a suicidal virus; it just "shoots without asking any questions". Logical software cannot deal with this type of problem. But it's pretty easy to stop this virus: you just need to configure your antivirus software to prevent installing and loading of device drivers without your consent. (The virus does the direct disk write through a device driver.)
Our proposed solution to this problem for customers outside of the Chinese market is that we will develop a separate patch, outside of Rollback Rx, that will specifically deal with this type of virus. Basically we patch the Windows OS to ban any direct write to the hard disk. The patch is still under development and we will provide it to customers as it's needed. We won't make it a wide-open download because we don't want to give the impression that we are in the business of patching systems.
From Microsoft(Windows Steadystate):
Thank you for your patience on this. After some investigation this is not something that we consider to be a security vulnerability.
Windows SteadyState 2.5 is intended to assist in providing a consistent environment on shared computers and reducing the potential for unintended alteration to the system. That being said, it definitely does not take the place of having a firewall and other appropriate anti-malware and security products installed.
From the SteadyState 2.5 Technical FAQ:
Q. Do I still need an antivirus program?
A. Yes, we recommend that you use antivirus and spyware prevention programs in addition to the protections provided by Windows SteadyState.
Additionally, SteadyState 2.5 only protects the partition that Windows is installed on, and Windows Disk Protection, which is the part of SteadyState that controls disk alteration, does not load prior to certain files such as the master boot record, which the samples provided appear to modify.
Best Regards,
Nate
5. Appendix
You can also see the related articles on Wilders Security and Prevx:
Virtualization/Rollback software test
TDL/TDSS trojan series bypassing isolation software
Deep Freeze 7 bypassed
A puzzle called SafeSys
Kernelmode.info - RootKit TDL3
Any suggestions, sample giveaways (I need a stronger sample) and criticism are welcome ;D
Last edited by dax123 on 28/7/2010, 06:22; edited 6 times in total
dax123 - New Member - Posts: 8 - Join date: 2010-07-05
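The vendor replies above describe the two things that get past a filter-driver based rollback product: a direct write to the disk that bypasses the filter stack (Horizon Datasys) and a change to the master boot record, which is read before Windows Disk Protection loads (Microsoft). The cheapest way to make a PASS/FAIL in the table mean more than "the desktop came back after reboot" is to snapshot sector 0 before running a sample and compare it afterwards, region by region. The script below is an added example for this thread, written by the editor; it is not part of dax123's post and not code from any of the products tested. The 512-byte MBR layout it parses is the standard one; the two sample sectors, the `mbr_check.py` file name and the baseline/current paths are constructed for illustration, and the tampered boot code is an arbitrary patch, not bytes from any real sample.

```python
# Added example (not from the thread or any vendor): baseline-and-compare check
# of sector 0, the MBR, written before any disk filter driver is loaded.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code executed by the BIOS
DISK_SIG_OFF = 440           # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector 0 into the fields a tamper check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4],
        "partitions": partitions,
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
    }


def fingerprint(sector: bytes) -> dict:
    """Hash the regions separately so the report can say *what* changed."""
    p = parse_mbr(sector)
    return {
        "boot_code": hashlib.sha256(p["boot_code"]).hexdigest(),
        "partition_table": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
        "valid_signature": p["valid_signature"],
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Findings for a sector read after running a sample; empty list = unchanged."""
    before, after = fingerprint(baseline), fingerprint(current)
    findings = []
    if not after["valid_signature"]:
        findings.append("0x55AA signature missing: sector 0 is no longer a valid MBR")
    if before["boot_code"] != after["boot_code"]:
        findings.append("boot code (bytes 0-439) changed: bootkit-style modification")
    if before["partition_table"] != after["partition_table"]:
        findings.append("partition table (bytes 446-509) changed")
    return findings


def read_sector0(path: str) -> bytes:
    r"""Read sector 0 from a raw image file, or from a device such as
    \\.\PhysicalDrive0 (Windows, needs administrator rights)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x12\x34\x56\x78"        # arbitrary, not a real disk
    reserved = b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48                # three empty entries
    return code + disk_signature + reserved + table + MBR_SIGNATURE


# Constructed clean boot code: the usual x86 MBR prologue (cli; xor ax,ax; mov ss,ax; mov sp,7C00h).
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
# Constructed "infected" variant: prologue replaced by a short jump into patched
# code, the shape a bootkit leaves behind; not copied from any real sample.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\x00" * 0x3B + b"\xFA\x33\xC0")

if __name__ == "__main__":
    import sys
    # Usage: python mbr_check.py <baseline.bin> <current.bin or \\.\PhysicalDrive0>
    if len(sys.argv) == 3:
        base, cur = read_sector0(sys.argv[1]), read_sector0(sys.argv[2])
    else:
        base, cur = CLEAN_MBR, TAMPERED_MBR
    for line in compare_mbr(base, cur) or ["no change to sector 0"]:
        print(line)
```

Run it once before executing a sample to save the baseline (dump sector 0 to a file from outside the guest, e.g. from the host against the VHD, so the reading is not itself going through the product under test), then again after the reboot the product is supposed to roll back. A changed boot code hash with an intact partition table is the bootkit pattern; a missing 0x55AA signature means sector 0 was overwritten outright. Sector 0 is only the most visible target: a sample that writes below the filter driver can hit any sector, so the same hash-and-compare applies to the whole disk image when the sample is suspected of doing that.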
Re: Light virtualization software / Partial sandbox test
Hi dax123, welcome to the forum! Great first post haha. Keep up the good work.
By the way, did you ever work out why the samples never seem to work in VirtualBox?
Re: Light virtualization software / Partial sandbox test
ssj100 wrote: Hi dax123, welcome to the forum! Great first post haha. Keep up the good work.
By the way, did you ever work out why the samples never seem to work in VirtualBox?
Only the SafeSys worm does not seem to work in VBox; some TDSS samples work.
And TDSS tries to infect the Guest Additions if detected. I think it's VM/sandbox-aware, VBox-aware at least.
And I started multitasking, so test results will be updated faster.
dax123 - New Member - Posts: 8 - Join date: 2010-07-05
Re: Light virtualization software / Partial sandbox test
Could you PM me the specific samples (or tell me which ones specifically) work in VirtualBox? I think I've tried many (including the ones you sent me), and all that appeared to happen was the VM crashes and spontaneously restarts. For some samples, like "034_crypted.exe", it executes just fine, but it doesn't appear to drop a detectable rootkit. All that happens is on restart, my system is frozen and a web-site appears to have started with some forms to fill. And since the system is frozen, I can't run TDSSKiller to check for rootkits.
Every other time I run TDSSKiller, nothing ever comes up. It's really frustrating haha. Which version of VirtualBox have you tried?
Re: Light virtualization software / Partial sandbox test
ssj100 wrote: Could you PM me the specific samples (or tell me which ones specifically) work in VirtualBox? I think I've tried many (including the ones you sent me), and all that appeared to happen was the VM crashes and spontaneously restarts. For some samples, like "034_crypted.exe", it executes just fine, but it doesn't appear to drop a detectable rootkit. All that happens is on restart, my system is frozen and a web-site appears to have started with some forms to fill. And since the system is frozen, I can't run TDSSKiller to check for rootkits.
Every other time I run TDSSKiller, nothing ever comes up. It's really frustrating haha. Which version of VirtualBox have you tried?
I PMed you. And I use the latest VBox version installed, though I test it with VPC, as some of the TDSS samples seem to be aware of VBox.
dax123 - New Member - Posts: 8 - Join date: 2010-07-05
Re: Light virtualization software / Partial sandbox test
Thanks, can you tell me exactly what happens after you execute dogma.exe? I've just run it in my VM and it spontaneously restarted again (?crashed). Running the TDSSKiller tool reveals no infection. I think this has something to do with my Windows XP version and associated drivers - perhaps the rootkits can't target it?
Re: Light virtualization software / Partial sandbox test
ssj100 wrote: Thanks, can you tell me exactly what happens after you execute dogma.exe? I've just run it in my VM and it spontaneously restarted again (?crashed). Running the TDSSKiller tool reveals no infection. I think this has something to do with my Windows XP version and associated drivers - perhaps the rootkits can't target it?
Try turning on "IO APIC enabled"; see this page.
Or maybe the Guest Additions make it work.
(I asked Leach and he said he executed the "dogma.exe" that I've sent to you, so I suggested it.)
dax123 - New Member - Posts: 8 - Join date: 2010-07-05
Re: Light virtualization software / Partial sandbox test
Thanks for organizing this test and sharing your results.
Ruhe - Valued Member - Posts: 261 - Join date: 2010-04-16 - Location: Germany
Re: Light virtualization software / Partial sandbox test
Ruhe wrote: Thanks for organizing this test and sharing your results.
Pleasure.
Anyway, Ubuntu is a very cool OS; I'm using it too.
dax123 - New Member - Posts: 8 - Join date: 2010-07-05
Re: Light virtualization software / Partial sandbox test
dax123 wrote:
ssj100 wrote: Thanks, can you tell me exactly what happens after you execute dogma.exe? I've just run it in my VM and it spontaneously restarted again (?crashed). Running the TDSSKiller tool reveals no infection. I think this has something to do with my Windows XP version and associated drivers - perhaps the rootkits can't target it?
Try turning on "IO APIC enabled"; see this page.
Or maybe the Guest Additions make it work.
(I asked Leach and he said he executed the "dogma.exe" that I've sent to you, so I suggested it.)
Tried it, and it made no difference. TDSSKiller comes up clean after the system spontaneously crashes and reboots. I think I'm bored of these rootkits that can't infect anything haha. Thanks anyway.
Re: Light virtualization software / Partial sandbox test
Hi dax123, if you get a chance, can you test Clean Slate? Read about it here:
https://ssj100.forumotion.com/other-f6/has-anyone-tried-clean-slate-t144.htm#879
Re: Light virtualization software / Partial sandbox test
ssj100 wrote: Hi dax123, if you get a chance, can you test Clean Slate? Read about it here:
https://ssj100.forumotion.com/other-f6/has-anyone-tried-clean-slate-t144.htm#879
I'll check these viruses, and Clean Slate will be included in the test.
Since I moved to Windows 7 Pro, I've got to change my testing environment.
dax123 - New Member - Posts: 8 - Join date: 2010-07-05
Re: Light virtualization software / Partial sandbox test
dax123: didn't you have the chance to try a hardware solution yet?
I hope tomorrow I can get someone to make a test for me with one of them. In theory hardware rollback software cannot be bypassed, but we will see.
Buster_BSA - Member - Posts: 87 - Join date: 2010-07-21
Re: Light virtualization software / Partial sandbox test
Buster_BSA wrote: dax123: didn't you have the chance to try a hardware solution yet?
I hope tomorrow I can get someone to make a test for me with one of them. In theory hardware rollback software cannot be bypassed, but we will see.
I was a little bit lazy doing my job; I'll do the test when I have access to them.
It's good for you to test a hardware solution.
dax123 - New Member - Posts: 8 - Join date: 2010-07-05