Sandbox & Virtualization & Lockdown Technology Used Personally to Capture Malware.

Sandbox, Virtualization, and Lockdown Technology

If you think of a sandbox as a "virtual workspace" the concept has been around a long time. A RAM drive is a virtual workspace, since upon reboot, nothing written to that drive remains.

One of the problems with the early RAM drives was the 32MB limitation of the Windows ramdrv.sys. An interesting product that was used for some time was vRamDir, a virtual RAM drive that could be as big as your available free RAM. Also, you could remap directories to it. It was common to load temp and cache directories into RAM on startup. Running applications in RAM was really fast. This was in the days before fast CPUs. We didn't think of it so much for security as for speed. For example, I knew programmers who compiled in a RAM drive.

In more recent times the technology has been incorporated as a security tool. A virtual PC is like a sandbox - any configuration changes on it have absolutely no effect on the host system, but are based on the host system's hardware.

A company called SoftGrid has its SystemGuard™ - "because applications bring their own set of configurations and run within a protective virtual run-time ‘sandbox,’ there is no dependency or effect on the configuration of the machine running them."

Windows Servers include this technology. From my WinServer2003 notes: "The new Software Restriction Policies (SRP) feature creates a virtual ‘sandbox’ that prevents unauthorized code execution."

Tiny firewall uses sandbox technology.

Another group of programs use the 'sandbox' idea to protect the system. A sandbox is the use of a virtual container in which untrusted programs can be safely run.

Sandboxie is a true stand-alone sandbox program. Their site diagrams nicely how it works:
http://www.sandboxie.com/

ShadowUser works on a similar principle, where the ‘ShadowMode’ creates a virtual volume:
http://www.shadowstor.com/products/I...83&ProductID=4

RollBack Rx claims to write-protect the HD and create 'Scratch Space'

The programs below use virtualization. It is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.

Returnil uses a powerful virtualization technology that completely mirrors your actual computer setup and it can create a virtual storage disk within your PC where you can save documents, data, and files while using the System Protection feature.

BufferZone’s revolutionary virtualization technology creates an isolated zone on your PC, which separates your operating system and confidential data from unknown programs, downloads and files. Unlike anti-virus and anti-spyware software, BufferZone Free requires no signature updates at all, while protecting your PC against spyware, adware and viruses - even new and yet unknown ones downloaded using your P2P, Web browser or instant messaging software.

The programs below use lockdown. Lockdown pertains to a state of containment or a restriction of progression. You could almost say that it freezes time.

Deep Freeze - 'locks down' the system but doesn't use virtualization. Deep Freeze = locked volume content, changes revert on restart, can only change content in a thawed state. Once changed in a thawed state, that's the content moving forward. Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte.

First Defense ISR = Take system snapshots (akin to snapshots on a VM) and boot to any of them. Any snapshot can be used as a live system. Can revert to any previous snapshot state. Think of it as akin to keeping an online jukebox of system drives and being able to choose any one you want via a preboot menu. Downside is that the current program is being replaced by the only distributor of the product (Horizon Data Systems) with a version that allows retention of a single snapshot only. More mass market potential. Also, the freeze option (similar to Deep Freeze) is gone on the current HDS release. I think they stop selling the full FD-ISR Workstation at the end of this month.

Both work. Deep Freeze is designed for a static system with forced restoration on any restart and takes minimal HDD space. FirstDefense-ISR is designed for immediate restoration of a dynamic system in which states are preserved across restarts, but can be bumped by a forced snapshot change or restoration. Snapshots take a bit of space (a few to maybe 10 GB depending on what your machine looks like and how you take a snapshot). Cost per seat is different as well.

These types of programs are becoming popular as the foundation of a security system. Each program works on different principles and levels of restriction.
Some people admit that they run such a program + firewall and little else.

I personally use all three technologies to capture & detain malware, mostly sandbox & virtualization & lockdown for insurance against unknown threats.

Great list! I use sandbox technology for malware analysis as well and have found it invaluable.

In fact, I just gave a talk about using sandboxes in forensic analysis (geared towards malware analysis). If you'd like to see it, let me know and I'll post a link (don't want to spam it out).

That's not spam. Please, post it.

ultragunner: Nice article, well done.

Thanks. For those using only a sandbox, try also virtualization like Returnil, it is free. http://www.returnilvirtualsystem.com/index_files/rvspersonal.htm

BufferZone: http://www.trustware.com/index.html

Also lockdown technology. Try First Defense ISR: http://www.raxco.com/products/FDISR/fdisr_features.cfm

Deep Freeze: http://www.faronics.com/html/deepfreeze.asp

I agree. If you can add more info to my article, all the better.

All of these technologies are good & should be combined to complement each other & best of all, they do not conflict as long as you don't combine virtualization & lockdown in realtime with each other.
"Word of caution"
Never use two of them in realtime. Sandbox can be used with either virtualization or lockdown together.

For example, I use sandbox to capture malware & virtualization to create a space (e.g. Drive Z) for malware storage where it can guarantee no escape for it & lockdown technology for insurance if you make a mistake & to restore any damage caused by unknown threats.

I completely forgot about this. Sorry.

The presentation I gave can be found at http://www.korelogic.com/Resources/Presentations/intro_to_sandnets.ppt.

Please let me know what you think (through the forum or by emailing me).

BTW, I agree ultragunner - great article!

Hi ultragunner! You forgot to mention:

GeSWall
DefenseWall
SafeSpace

All great sandboxes!

Check out Truman by Joe Stewart, he spoke about it at Shmoocon some time back.

Note: It's a Sandnet, and not a sandbox.

http://www.secureworks.com/research/tools/truman.html

Plus, it doesn't rely on virtual machines ;)

Cheers :)
Kish

--
Remember there is alwayz someone who knows more than us out there

ic

Thanks

Add iCore Computer 3-in-1:
http://icoresoftware.com/

ColPeters

Hi,

Thanks for pointing this out, though this technology seems to be in its infancy at best. See this "testimonial" from their forum:
http://icoresoftware.com/forum/viewtopic.php?f=3&t=13&sid=723d21c8bc3746452566513da3ee23ba
Might be worth keeping an eye on....

My "Extractor" uses sandbox technology to unpack malware packed inside installation setups like Inno, Setup Factory, NSIS, etc.

With that system Extractor is able to unpack virtually any malware of that kind.