ssj100 Security Forums

Has anyone tried Clean Slate?


Page 2 of 3


Re: Has anyone tried Clean Slate?

Post by eskro 20/9/2010, 10:12

Well, that would be stupid on their part.

Isn't their software supposed to protect your PC from unwanted changes?

Or not?
eskro
Member
Posts : 29
Join date : 2010-07-12

Post by ssj100 20/9/2010, 10:21

Well, it's been greater than 2 months since you asked about it. Their "support" doesn't sound too good anyway.
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Post by eskro 14/10/2010, 23:44

Yo!

It's time to test their apparently fixed CLEAN SLATE.

MBR problem is apparently gone...

and it's now x64 compatible!

Please find below the link to download Clean Slate V6.5 build 3246
http://www.fortresgrand.com/redirect.asp?url=downloads/CSv65b3246.exe

Guys, go on and test it in a VM

under an ADMIN account with ADMIN rights...

Before, it was failing these 2 tests:

failure to protect against ---> WYH Disk killer
failure to protect against ---> BOOTICE

And now?

Does it pass them?

Here are the viruses used in the test; you guys could try them on your own.
dl.dropbox.com/u/5748985/rollback%20killers.rar

eskro
Member
Posts : 29
Join date : 2010-07-12

Post by Stephen2 20/10/2010, 07:47

Thanks eskro, sounds very promising.

I imagine its weakness will be against different malware types, so between us all we should be able to put this thing through its paces and potentially help the product improve (if they're responsive!).

Will load into a VM and see what happens...

Can we (between us) come up with a good list of malware to test it against?


Stephen2
Member
Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Post by eskro 20/10/2010, 09:05

Yes, malware to test is here --> dl.dropbox.com/u/5748985/rollback%20killers.rar

Careful, these are real viruses, so only play with them in your VM.
eskro
Member
Posts : 29
Join date : 2010-07-12

Post by ssj100 20/10/2010, 09:18

Passes both tests that it failed here:
https://ssj100.forumotion.com/other-f6/has-anyone-tried-clean-slate-t144.htm#887

"BOOTICE" - PASSED. I'm not able to change the MBR.
"WYH Disk killer" - PASSED. I'm not able to even run it, even though execution control is disabled.

Good work by Clean Slate developers I suppose. They certainly took their time though. Still, better late than never haha.
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Post by Stephen2 20/10/2010, 12:32

ssj100 wrote:
"WYH Disk killer" - PASSED. I'm not able to even run it, even though execution control is disabled.

What do you suppose causes this? Is it some kind of heuristic analysis that triggers anti-executable?

Don't like the sound of that...

PS, where do you source your malware?

I use:
http://www.offensivecomputing.net/

But it's hard to know what are the most "hardcore" ones...

Stephen2
Member
Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Post by ssj100 20/10/2010, 12:48

Stephen2 wrote:
ssj100 wrote:
"WYH Disk killer" - PASSED. I'm not able to even run it, even though execution control is disabled.

What do you suppose causes this? Is it some kind of heuristic analysis that triggers anti-executable?

Don't like the sound of that...

Not too sure, but I also don't like the sound of it if it's true.

Stephen2 wrote:
PS, where do you source your malware?

I use:
http://www.offensivecomputing.net/

But it's hard to know what are the most "hardcore" ones...

I'm really not that interested in 99.9999% of malware out there. I used to occasionally visit malwaredomainlist etc to test malware. But it's all the same thing - SRP doesn't even allow it to start/run and Sandboxie easily contains it. I've posted at another forum asking for fancy types of malware which use exploits/remote code execution etc, but I've only come across one exploit so far that's interesting and easily reproducible:
https://ssj100.forumotion.com/security-f7/excel-exploit-testing-t266.htm#2096

As you can see, SRP and all other anti-execution technology blocks it dead. I'm currently waiting patiently for Didier Stevens to modify his Excel Macro which can bypass SRP. I currently have an old version of his Excel Macro which bypasses SRP but it doesn't work on my system (as my Windows has been updated, and his Excel Macro was developed in 2008). Once I receive it, I may have the ultimate POC to test against various anti-malware mechanisms. Of course SRP would be bypassed (since it is targeted to disable it), but I'm wanting to see if Classical HIPS software (even when configured tightly) can prevent the Macro from running and disabling SRP. Given that his Excel Macro doesn't load a "detectable" DLL, it seems unlikely that even HIPS/"Faronics Anti-Executable version 2" can stop it. However, I'm fairly sure Sandboxie would easily contain it. And that's the main (only) security software I rely on. As I've said before, LUA + SRP is only a "just for fun windows tweak". It just so happens that this "just for fun windows tweak" blocks 99.9999% (or even 100%, I'm not sure) of real-world malware.
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Post by Stephen2 21/10/2010, 07:25

Removed after testing for a while..

Has good points and bad points:

Good:
  1. Exclusion of files
  2. Exclusion of registry keys
  3. Executable control settings
  4. "Rollback" happens at logoff
  5. Can turn on/off virtual mode on the fly

Bad:
  1. Clunky interface
  2. Exclusion of files flaky at best
  3. Does NOT play nice with Sandboxie <- this one is the killer

Overall promising, but I get the feeling it will never work nicely with SandboxIE so while it may end up a very good full session virtualization product, it will never be running on my PC while that is the case!!

Stephen2
Member
Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Post by eskro 21/10/2010, 08:06

Weird, I didn't have any problems with Sandboxie + CleanSlate.
eskro
Member
Posts : 29
Join date : 2010-07-12

Post by Stephen2 21/10/2010, 10:08

eskro wrote:
Weird, I didn't have any problems with Sandboxie + CleanSlate.

NOD... just to see what's different:

I'm running SUA under Win7 Ultimate 64bit
SandboxIE 3.5
Outpost Pro Firewall 7.0.4

Your windows version? Any other potential security programs conflicting (or not in your case)?

Stephen2
Member
Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Post by eskro 21/10/2010, 18:34

Windows XP Pro x86
Comodo Internet Security
Sandboxie
Clean Slate
eskro
Member
Posts : 29
Join date : 2010-07-12

Post by Stephen2 22/10/2010, 05:30

Cool... Significant difference in OS version.

Plus the only thing I had difficulty with in SandboxIE was that "OpenFilePaths" weren't working under Clean Slate.

Do you have any OpenFilePaths setup in your sandboxes?

Stephen2
Member
Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Post by eskro 22/10/2010, 09:27

Nope, not at all.

eskro
Member
Posts : 29
Join date : 2010-07-12

Post by ssj100 22/10/2010, 09:59

I don't use any "OpenFilePaths" either. While it's probably safe enough, it conceptually defeats the purpose of the sandbox for me (and of having "100%" security).
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Post by Stephen2 22/10/2010, 10:15

I know what you mean... But at the same time, it's my Noscript prefs, bookmarks, Adblock patterns, cookies/permissions and that's about it.

So it probably degrades security down to 99.9999999999999999%!!

Hehe, I like convenience.

Stephen2
Member
Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Post by ssj100 22/10/2010, 10:48

Fair enough. I keep my NoScript preferences in a notepad file that I update from time to time. I don't use bookmarks or adblock. The only thing that is of slight inconvenience is the loss of my address bar history. However, it's not like e.g. Firefox releases updates every day or week, so I don't end up deleting my Firefox sandbox that often.
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com
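The OpenFilePaths exchange above (Stephen2 keeping NoScript prefs, bookmarks and cookies outside the sandbox; ssj100 avoiding them because they conceptually defeat the sandbox) is the usual isolation-versus-convenience trade-off: every OpenFilePath in Sandboxie.ini is a deliberate hole through which a sandboxed program writes straight to the real file system. The script below is an added example written for this thread, not Sandboxie's code and not from any poster. It lists those holes per box so the reader can see exactly what a sandboxed browser could touch outside its box. The Sandboxie.ini text is constructed; the `program.exe,path` scoping form, `#`/`;` comment handling, the on-disk encoding and the list of flagged directives are assumptions noted in the comments.

```python
"""Audit Sandboxie.ini for directives that open the sandbox to the real system.

Added example for this thread; not Sandboxie's own code.  The configuration
text below is constructed.  Assumptions: lines starting with '#' or ';' are
comments, a value of the form 'program.exe,path' scopes the directive to that
program, and settings in [GlobalSettings] apply to every box.  Template=
includes are not expanded, so holes inherited from templates are not reported.
"""
from collections import defaultdict

# Directives that let a sandboxed program reach the real resource directly.
# ClosedFilePath / ReadFilePath / WriteFilePath tighten or redirect instead
# and are therefore not flagged.
OPEN_DIRECTIVES = ("OpenFilePath", "OpenKeyPath", "OpenIpcPath", "OpenPipePath")

SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
AutoRecover=y

[Firefox]
Enabled=y
# keep bookmarks and cookies across sandbox deletes (constructed paths)
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmarks.html
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\cookies.sqlite
OpenFilePath=C:\Shared\
ClosedFilePath=%UserProfile%\Documents\
"""


def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order.

    A stock INI parser would collapse repeated keys, but Sandboxie.ini uses
    the same key (e.g. OpenFilePath) many times inside one box.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def split_program_scope(value):
    """'firefox.exe,C:\\x' -> ('firefox.exe', 'C:\\x'); unscoped -> (None, value)."""
    head, sep, tail = value.partition(",")
    # A path segment contains ':' or '\\' or '%'; a bare program name does not.
    if sep and head and not any(c in head for c in ":\\%"):
        return head.strip(), tail.strip()
    return None, value


def audit_sandboxie(cfg):
    """List every hole, with the reasons it widens the sandbox boundary."""
    findings = []
    for box, entries in cfg.items():
        if box.startswith("UserSettings"):
            continue                      # per-user UI settings, not policy
        scope = "every box" if box == "GlobalSettings" else box
        for key, value in entries:
            if key not in OPEN_DIRECTIVES:
                continue
            program, path = split_program_scope(value)
            reasons = []
            if program is None:
                reasons.append("not limited to one program")
            if "*" in path:
                reasons.append("wildcard in path")
            if path.endswith("\\"):
                reasons.append("whole directory opened")
            findings.append({"box": scope, "directive": key, "program": program,
                             "path": path, "reasons": reasons})
    return findings


def summarize(findings):
    """Holes per box; boxes with unscoped holes are the ones to tighten first."""
    per_box = defaultdict(lambda: {"total": 0, "unscoped": 0})
    for f in findings:
        per_box[f["box"]]["total"] += 1
        if f["program"] is None:
            per_box[f["box"]]["unscoped"] += 1
    return dict(per_box)


if __name__ == "__main__":
    # On a Windows host read the installed file instead of SAMPLE_INI, e.g.
    # open(r"C:\Windows\Sandboxie.ini", encoding="utf-16") (assumed encoding).
    found = audit_sandboxie(parse_sandboxie_ini(SAMPLE_INI))
    for f in found:
        print(f"[{f['box']}] {f['directive']} {f['program'] or '*'} -> "
              f"{f['path']}  ({'; '.join(f['reasons'])})")
    print(summarize(found))
```

Program-scoped entries (the `firefox.exe,...` form) are reported but ranked below an unscoped one such as `OpenFilePath=C:\Shared\`, since the latter lets anything that runs in the box, including a dropper launched by the browser, write to the real directory.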

Post by eskro 2/11/2010, 23:50

Hi guys, another message from CS tech support...

They want us to try a new build.

Here --> http://www.fortresgrand.com/redirect.asp?url=downloads/CSv65b3247.exe

Test in a VM.

See if you guys can modify MBR and PBR using BOOTICE.EXE.

If not, then CS is 100% ready to ROCK on GOLD!!!
eskro
Member
Posts : 29
Join date : 2010-07-12

Post by ssj100 3/11/2010, 09:30

Tested and can't change the MBR or PBR with BOOTICE.EXE.
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Post by eskro 3/11/2010, 09:48

then CS is 100% ready to ROCK on GOLD!!!
eskro
Member
Posts : 29
Join date : 2010-07-12

Post by ssj100 3/11/2010, 09:52

Well, good luck with it mate!
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com

Post by apoptosis 7/11/2010, 16:15

ssj100 wrote:
As you can see, SRP and all other anti-execution technology blocks it dead. I'm currently waiting patiently for Didier Stevens to modify his Excel Macro which can bypass SRP. I currently have an old version of his Excel Macro which bypasses SRP but it doesn't work on my system (as my Windows has been updated, and his Excel Macro was developed in 2008). Once I receive it, I may have the ultimate POC to test against various anti-malware mechanisms. Of course SRP would be bypassed (since it is targeted to disable it), but I'm wanting to see if Classical HIPS software (even when configured tightly) can prevent the Macro from running and disabling SRP. Given that his Excel Macro doesn't load a "detectable" DLL, it seems unlikely that even HIPS/"Faronics Anti-Executable version 2" can stop it.

If Macro is disabled in Excel, will this POC still work? Moreover, can Didier Stevens or anyone else produce a POC that bypasses SRP on a system which has neither MS office nor Adobe Reader?

apoptosis
Member
Posts : 10
Join date : 2010-11-07

Post by ssj100 7/11/2010, 23:27

Hi apoptosis, no the POC won't work if Macros are "disabled" in Excel (at least "High" security level, which is the default level anyway).

There are other "mediums" to bypass SRP - one of them is called PowerShell. However, you can easily block it directly with SRP:
https://ssj100.forumotion.com/windows-hardening-f5/blocking-powershell-t7.htm#21
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com
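ssj100 makes two related points in this thread: a default-deny LUA + SRP setup stops ordinary malware because nothing outside the Windows and Program Files folders is allowed to execute, and an interpreter that ships inside those folders (PowerShell) can still be disallowed by adding a more specific path rule. Both come down to how SRP path rules take precedence. The following is an added example written for this thread, not Microsoft's implementation and not from ssj100's linked post. It models the documented rule ordering (a folder rule covers everything beneath it, the most specific matching path rule wins, and the default level applies when nothing matches) against a constructed rule set and environment; specificity is approximated by the length of the expanded path, and hash/certificate rules, the designated-file-types list and the "skip local administrators" enforcement option are left out. The `load_rules_from_registry` helper only works on a Windows host and uses the registry layout SRP is documented to store its rules in.

```python
"""Model how Software Restriction Policy (SRP) path rules decide what may run.

Added example for this thread; not Microsoft's code and not from ssj100's
linked post.  Rules, environment and paths below are constructed.  Hash and
certificate rules, the designated-file-types list and the "skip local
administrators" enforcement option are deliberately left out.
"""
import fnmatch
import ntpath
import re

# SRP security levels, using the numeric values SRP stores under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
DISALLOWED, BASIC_USER, UNRESTRICTED = 0, 0x20000, 0x40000
LEVEL_NAMES = {DISALLOWED: "Disallowed", BASIC_USER: "Basic User",
               UNRESTRICTED: "Unrestricted"}

# Constructed environment so the model runs anywhere; on a Windows host pass
# os.environ instead.
ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}

DEFAULT_LEVEL = DISALLOWED          # default-deny, as in an LUA + SRP setup
RULES = [                           # (level, path rule as typed into the policy)
    (UNRESTRICTED, r"%SystemRoot%"),                             # stock rule
    (UNRESTRICTED, r"%ProgramFiles%"),                           # stock rule
    (DISALLOWED,   r"%SystemRoot%\System32\WindowsPowerShell"),  # blocks PowerShell
]


def expand(pattern, env):
    """Expand %VAR% as SRP does for its REG_EXPAND_SZ rules; unknown vars stay."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), pattern)


def rule_matches(pattern, path, env):
    """A folder rule covers everything beneath it; '*' and '?' are wildcards."""
    rule = ntpath.normcase(expand(pattern, env))
    target = ntpath.normcase(path)
    if any(c in rule for c in "*?"):
        return fnmatch.fnmatchcase(target, rule)
    return target == rule or target.startswith(rule.rstrip("\\") + "\\")


def evaluate(path, rules=RULES, default=DEFAULT_LEVEL, env=ENV):
    """Return (level name, winning rule) for an executable path.

    Among matching path rules SRP applies the most specific one; this model
    ranks specificity by the length of the expanded rule.
    """
    matches = [(len(expand(p, env)), lvl, p)
               for lvl, p in rules if rule_matches(p, path, env)]
    if not matches:
        return LEVEL_NAMES[default], None
    _, lvl, pattern = max(matches)
    return LEVEL_NAMES[lvl], pattern


def load_rules_from_registry():
    """Windows only: read DefaultLevel and the live path rules from the registry."""
    import winreg
    base = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    rules = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        default = winreg.QueryValueEx(root, "DefaultLevel")[0]
        for level in LEVEL_NAMES:
            try:
                paths = winreg.OpenKey(root, rf"{level}\Paths")
            except OSError:
                continue                      # no rules at this level
            with paths:
                idx = 0
                while True:
                    try:
                        guid = winreg.EnumKey(paths, idx)
                    except OSError:
                        break                 # no more rule subkeys
                    with winreg.OpenKey(paths, guid) as rule_key:
                        rules.append((level, winreg.QueryValueEx(rule_key, "ItemData")[0]))
                    idx += 1
    return default, rules


if __name__ == "__main__":
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    print("stock rules only:        ", evaluate(ps, rules=RULES[:2]))
    print("with the PowerShell rule:", evaluate(ps))
    print("user-profile download:   ", evaluate(r"C:\Users\alice\Downloads\setup.exe"))
```

With only the two stock Unrestricted rules, powershell.exe is allowed because it lives under %SystemRoot%; the longer Disallowed rule for the WindowsPowerShell folder overrides it, while anything in a user profile falls through to the Disallowed default. On a real host, `default, rules = load_rules_from_registry()` followed by `evaluate(path, rules, default, os.environ)` answers the same question for the live policy.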

Post by apoptosis 8/11/2010, 04:32

Thanks for the reply.

I'm on XP too, so no PowerShell to worry about. In fact, I've only installed 3 pieces of software on my PC: Firefox, SumatraPDF and VLC player. In addition to your setup (https://ssj100.forumotion.com/free-for-all-f4/ssj100-s-security-setup-t4.htm), I added extra rules to block Outlook Express, Windows Messenger, NetMeeting, MSN, MSN Gaming Zone, Windows Media Player, Windows Movie Maker and Remote Assistance. I also completely disabled Internet Explorer by setting up a dummy proxy server (0.0.0.0). Do you think LUA+SRP will be able to defeat "the ultimate POC" on my system?

apoptosis
Member
Posts : 10
Join date : 2010-11-07

Post by ssj100 8/11/2010, 09:07

Sounds pretty good apoptosis! I've never personally come across a single piece of malware that bypassed LUA + SRP (even with more basic configurations) anyway. Those macros and other POCs are just theoretical.
ssj100
Administrator
Posts : 1390
Join date : 2010-04-14
https://ssj100.forumotion.com