Has anyone tried Clean Slate?
Page 2 of 3
Re: Has anyone tried Clean Slate?
Well, that would be stupid on their part.
Isn't their software supposed to protect your PC from unwanted changes? Or not?
eskro- Member
- Posts : 29
Join date : 2010-07-12
Re: Has anyone tried Clean Slate?
Well, it's been greater than 2 months since you asked about it. Their "support" doesn't sound too good anyway.
Re: Has anyone tried Clean Slate?
Yo!
It's time to test their apparently fixed CLEAN SLATE.
The MBR problem is apparently gone...
and it's now x64 compatible!
Please find below the link to download Clean Slate V6.5 build 3246:
http://www.fortresgrand.com/redirect.asp?url=downloads/CSv65b3246.exe
Guys, go on and test it in a VM
under an ADMIN account with ADMIN rights...
Before, it was failing these 2 tests:
failure to protect against ---> WYH Disk killer
failure to protect against ---> BOOTICE
And now? Does it pass them?
Here are the viruses used in the test; you guys could try them on your own.
dl.dropbox.com/u/5748985/rollback%20killers.rar
eskro- Member
- Posts : 29
Join date : 2010-07-12
Re: Has anyone tried Clean Slate?
Thanks eskro, sounds very promising.
I imagine its weakness will be against different malware types, so between us all we should be able to put this thing through its paces and potentially help the product improve (if they're responsive!)
Will load into a VM and see what happens...
Can we (between us) come up with a good list of malware to test it against?
Stephen2- Member
- Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia
Re: Has anyone tried Clean Slate?
Yes, malware to test is here --> dl.dropbox.com/u/5748985/rollback%20killers.rar
Careful, these are real viruses, so only play with them in your VM....
eskro- Member
- Posts : 29
Join date : 2010-07-12
Re: Has anyone tried Clean Slate?
Passes both tests that it failed here:
https://ssj100.forumotion.com/other-f6/has-anyone-tried-clean-slate-t144.htm#887
"BOOTICE" - PASSED. I'm not able to change the MBR.
"WYH Disk killer" - PASSED. I'm not able to even run it, even though execution control is disabled.
Good work by Clean Slate developers I suppose. They certainly took their time though. Still, better late than never haha.
Re: Has anyone tried Clean Slate?
ssj100 wrote: "WYH Disk killer" - PASSED. I'm not able to even run it, even though execution control is disabled.
What do you suppose causes this? Is it some kind of heuristic analysis that triggers anti-executable?
Don't like the sound of that...
PS, where do you source your malware?
I use:
http://www.offensivecomputing.net/
But it's hard to know what are the most "hardcore" ones...
Stephen2- Member
- Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia
Re: Has anyone tried Clean Slate?
Stephen2 wrote:
ssj100 wrote: "WYH Disk killer" - PASSED. I'm not able to even run it, even though execution control is disabled.
What do you suppose causes this? Is it some kind of heuristic analysis that triggers anti-executable?
Don't like the sound of that...
Not too sure, but I also don't like the sound of it if it's true.
Stephen2 wrote:PS, where do you source your malware?
I use:
http://www.offensivecomputing.net/
But it's hard to know what are the most "hardcore" ones...
I'm really not that interested in 99.9999% of malware out there. I used to occasionally visit malwaredomainlist etc to test malware. But it's all the same thing - SRP doesn't even allow it to start/run and Sandboxie easily contains it. I've posted at another forum asking for fancy types of malware which use exploits/remote code execution etc, but I've only come across one exploit so far that's interesting and easily reproducible:
https://ssj100.forumotion.com/security-f7/excel-exploit-testing-t266.htm#2096
As you can see, SRP and all other anti-execution technology blocks it dead. I'm currently waiting patiently for Didier Stevens to modify his Excel Macro which can bypass SRP. I currently have an old version of his Excel Macro which bypasses SRP but it doesn't work on my system (as my Windows has been updated, and his Excel Macro was developed in 2008). Once I receive it, I may have the ultimate POC to test against various anti-malware mechanisms. Of course SRP would be bypassed (since it is targeted to disable it), but I'm wanting to see if Classical HIPS software (even when configured tightly) can prevent the Macro from running and disabling SRP. Given that his Excel Macro doesn't load a "detectable" DLL, it seems unlikely that even HIPS/"Faronics Anti-Executable version 2" can stop it. However, I'm fairly sure Sandboxie would easily contain it. And that's the main (only) security software I rely on. As I've said before, LUA + SRP is only a "just for fun windows tweak". It just so happens that this "just for fun windows tweak" blocks 99.9999% (or even 100%, I'm not sure) of real-world malware.
Re: Has anyone tried Clean Slate?
Removed after testing for a while..
Has good points and bad points:
Good:
- Exclusion of files
- Exclusion of registry keys
- Executable control settings
- "Rollback" happens at logoff
- Can turn on/off virtual mode on the fly
Bad:
- Clunky interface
- Exclusion of files flaky at best
- Does NOT play nice with Sandboxie <- this one is the killer
Overall promising, but I get the feeling it will never work nicely with SandboxIE so while it may end up a very good full session virtualization product, it will never be running on my PC while that is the case!!
Stephen2- Member
- Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia
Re: Has anyone tried Clean Slate?
Weird, I didn't have any problems with Sandboxie + CleanSlate.
eskro- Member
- Posts : 29
Join date : 2010-07-12
Re: Has anyone tried Clean Slate?
eskro wrote: Weird, I didn't have any problems with Sandboxie + CleanSlate.
NOD... just to see what's different:
I'm running SUA under Win7 Ultimate 64bit
SandboxIE 3.5
Outpost Pro Firewall 7.0.4
Your windows version? Any other potential security programs conflicting (or not in your case)?
Stephen2- Member
- Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia
Re: Has anyone tried Clean Slate?
Windows XP Pro x86
Comodo Internet Security
Sandboxie
Clean Slate
eskro- Member
- Posts : 29
Join date : 2010-07-12
Re: Has anyone tried Clean Slate?
Cool... Significant difference in OS version.
Plus the only thing I had difficulty with in SandboxIE was "OpenFilePaths" weren't working under Clean Slate.
Do you have any OpenFilePaths setup in your sandboxes?
Stephen2- Member
- Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia
Re: Has anyone tried Clean Slate?
I don't use any "OpenFilePaths" either. While it's probably safe enough, it conceptually defeats the purpose of the sandbox for me (and of having "100%" security).
Re: Has anyone tried Clean Slate?
I know what you mean... But at the same time, it's my Noscript prefs, bookmarks, Adblock patterns, cookies/permissions and that's about it.
So it probably degrades security down to 99.9999999999999999% percent!!
Hehe, I like convenience.
Stephen2- Member
- Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia
Re: Has anyone tried Clean Slate?
Fair enough. I keep my NoScript preferences in a notepad file that I update from time to time. I don't use bookmarks or adblock. The only thing that is of slight inconvenience is the loss of my address bar history. However, it's not like eg. Firefox releases updates every day or week, so I don't end up deleting my Firefox sandbox that often.
Re: Has anyone tried Clean Slate?
Hi guys, another message from CS tech support...
They want us to try a new build:
here --> http://www.fortresgrand.com/redirect.asp?url=downloads/CSv65b3247.exe
Test in a VM,
see if you guys can modify MBR and PBR using BOOTICE.EXE.
If not, then CS is 100% ready to ROCK on GOLD!!!
eskro- Member
- Posts : 29
Join date : 2010-07-12
Re: Has anyone tried Clean Slate?
ssj100 wrote:
As you can see, SRP and all other anti-execution technology blocks it dead. I'm currently waiting patiently for Didier Stevens to modify his Excel Macro which can bypass SRP. I currently have an old version of his Excel Macro which bypasses SRP but it doesn't work on my system (as my Windows has been updated, and his Excel Macro was developed in 2008). Once I receive it, I may have the ultimate POC to test against various anti-malware mechanisms. Of course SRP would be bypassed (since it is targeted to disable it), but I'm wanting to see if Classical HIPS software (even when configured tightly) can prevent the Macro from running and disabling SRP. Given that his Excel Macro doesn't load a "detectable" DLL, it seems unlikely that even HIPS/"Faronics Anti-Executable version 2" can stop it.
If Macro is disabled in Excel, will this POC still work? Moreover, can Didier Stevens or anyone else produce a POC that bypasses SRP on a system which has neither MS office nor Adobe Reader?
apoptosis- Member
- Posts : 10
Join date : 2010-11-07
Re: Has anyone tried Clean Slate?
Hi apoptosis, no the POC won't work if Macros are "disabled" in Excel (at least "High" security level, which is the default level anyway).
There are other "mediums" to bypass SRP - one of them is called Powershell. However, you can easily block it directly with SRP:
https://ssj100.forumotion.com/windows-hardening-f5/blocking-powershell-t7.htm#21
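Blocking PowerShell with an SRP path rule, as the post above suggests, looks like this when written to the registry (an added example, not ssj100's own instructions; the key layout is the one the Local Security Policy snap-in writes, and the two paths assume default Windows install locations):

```powershell
# Added example: register an SRP "Disallowed" path rule for powershell.exe.
# SRP keeps its rules under the Safer key; subkey "0" holds the Disallowed
# level, "262144" (0x40000) the Unrestricted level. Run from an elevated
# prompt on a machine where SRP is already enabled (as in the LUA + SRP
# setups discussed in this thread); the existing DefaultLevel is left alone.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Default locations of the 64-bit and 32-bit PowerShell hosts (assumed).
$paths = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe',
    '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
)

foreach ($p in $paths) {
    # One rule per path, keyed by a fresh GUID, exactly as secpol.msc does.
    $rule = Join-Path $safer ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $rule -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %SystemRoot% is resolved at check time.
    Set-ItemProperty -Path $rule -Name ItemData    -Value $p -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags  -Value 0  -Type DWord
    Set-ItemProperty -Path $rule -Name Description -Value 'Block PowerShell (SRP)' -Type String
}

# Verify: list every Disallowed path rule now registered.
Get-ChildItem "$safer\0\Paths" | ForEach-Object {
    (Get-ItemProperty $_.PSPath).ItemData
}
```

The rule takes effect for new logons; SRP evaluates path rules against the expanded ItemData, so a copy of powershell.exe placed elsewhere is not covered by a path rule and needs a hash or certificate rule, or a Disallowed default level, instead.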
Re: Has anyone tried Clean Slate?
Thanks for the reply.
I'm on XP too, so no Powershell to worry about. In fact, I've only installed 3 pieces of software on my PC: firefox, sumatraPDF and vlc player. In addition to your setup (https://ssj100.forumotion.com/free-for-all-f4/ssj100-s-security-setup-t4.htm), I added extra rules to block Outlook Express, Windows Messenger, NetMeeting, MSN, MSN Gaming Zone, Windows Media Player, Windows Movie Maker and Remote Assistance. I also completely disabled Internet Explorer by setting up a dummy proxy server (0.0.0.0). Do you think LUA+SRP will be able to defeat "the ultimate POC" on my system?
apoptosis- Member
- Posts : 10
Join date : 2010-11-07
Re: Has anyone tried Clean Slate?
Sounds pretty good apoptosis! I've never personally come across a single piece of malware that bypassed LUA + SRP (even with more basic configurations) anyway. Those macros and other POC's are just theoretical.