Practicing Safe Installs

From CastleCopsWiki


Steps to take before downloading and running a shiny new program

Everyone knows that before running a program you downloaded from the net, you should:

1. Do your research (check what people are saying about the software on Google Groups, etc.).


2. Read the EULA (End User License Agreement), with the help of Javacool's EULAlyzer.


3. Download from a trustworthy source; check the site's reputation using services like SiteAdvisor (or free alternatives).

4a. Even trustworthy sites (open source sites included) can be subverted, so you might want to check the hash of the downloaded file. Obviously, the hash must be obtained from a source other than the server serving the download, since if both come from the same server an attacker who controls it can easily change both to match.

4b. Even better is if the file is digitally signed. If it is signed by one of the certificate authorities you trust, you can right-click the file in Windows Explorer, select Properties, then go to the Digital Signatures tab to verify the source of the file. Many files (particularly open source packages) are signed using PGP or GPG, and this can also be verified. Note that this only verifies the source; it does not tell you whether you should trust the source. I.e. you might be sure that the file comes from JoeBlow.com, but you might have no idea who this person is and whether you can trust him or not.


5. Scan the executable not just with your local antivirus but also get second and third opinions from various online malware scanners, particularly multiple-engine scanners like VirusTotal (or alternatives). Advanced users should also scan with sandbox-based scanners like Anubis or PC Tools ThreatExpert (or alternatives).
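The hash check in step 4a, written out as an added Python example (not code from this wiki page). It assumes the publisher's hash list uses the common SHA256SUMS layout, one "<hex digest>  <filename>" entry per line, and that you fetched that list from a site other than the download server. The "installer" bytes and the hash lists in the demo are constructed; the point is that a mismatch and a missing entry both fail the check, since a hash nobody published gives no assurance.

```python
"""Verify a downloaded file against a hash published out of band.

Added example, not from the CastleCops wiki. Assumes a SHA256SUMS-style
listing ("<hex digest>  <filename>" per line) obtained from a different
server than the one serving the download.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sums(text: str) -> dict:
    """Map filename -> lowercase hex digest from a SHA256SUMS-style listing."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        # sha256sum prefixes the name with "*" in binary mode; drop the marker.
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_of_file(path: str) -> str:
    """Stream the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, sums_text: str) -> bool:
    """True only if the file's digest equals the published one for its name.

    A missing entry is a failure, not a pass. hmac.compare_digest is used out
    of habit: it compares in constant time and tolerates length mismatches.
    """
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> tuple:
    """Constructed demo: a fake installer plus the list its publisher would host elsewhere."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "setup.exe")
        with open(path, "wb") as f:
            f.write(b"MZ fake installer body")  # constructed, not a real PE file
        good_sums = f"{sha256_of_file(path)}  setup.exe\n"
        ok = verify_download(path, good_sums)
        # Simulate a download altered after the hash list was published.
        with open(path, "ab") as f:
            f.write(b"!")
        tampered = verify_download(path, good_sums)
        # A list that never mentions our file must not pass either.
        missing = verify_download(path, "deadbeef  other.exe\n")
    return ok, tampered, missing


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In practice you paste the digest from the publisher's page (or their signed SHA256SUMS file) into the listing string; the same parser handles the output of sha256sum and of PowerShell's Get-FileHash once reformatted to the two-column layout.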


These methods aren't foolproof, though. What other defenses are there to ensure recovery if the program turns out to be malicious or otherwise bad? Besides doing a full rollback from your backups (which takes a lot of time), what can you do? Here are some alternatives.


Using installation monitors

How they work - These tools monitor the changes made while a program is installed. A (usually partial) snapshot of the file system and registry is taken before the installer runs and another after it has run, and the two are compared to find what changed (some require a reboot to capture all changes).

Examples (freeware unless otherwise indicated) - Inctrl, Total Uninstall 2.35 (last freeware version) and ZSoft Uninstaller.

Pros - Simple to use and understand. No limit on how long the trial program can stay installed. Can be used to monitor programs that require reboots.

Cons - Not as accurate as other methods. The before/after difference may capture changes made by other programs and not just the installer. Only changes made during installation are captured: a program might, for example, make registry changes only after the nth use (a typical shareware tactic), and those will not be seen by the installation monitor. Malware might do the same.
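The before/after comparison described above, as an added Python illustration (not code from this wiki or from InCtrl, Total Uninstall or ZSoft Uninstaller). Only the file-system half is shown; on Windows the registry half is done the same way, walking keys with the winreg module instead of directories. The "machine", the "installer" and every path in the demo are constructed. It also shows the first con just listed: an unrelated program writing to its log in the same window is reported as if the installer had changed it.

```python
"""Minimal installation monitor: snapshot a tree before and after an
installer runs, then diff the two snapshots.

Added example, not from the CastleCops wiki. File-system half only; the
registry is monitored the same way on Windows (winreg), omitted here.
"""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path (with '/' separators) -> (size, sha256) for every file under root.

    Size alone misses same-length overwrites (a replaced DLL, say), so each
    file is hashed; files here are small, so reading whole is fine.
    """
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                data = f.read()
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as added, removed or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed machine state, constructed installer, then the report."""
    with tempfile.TemporaryDirectory() as root:

        def write(rel: str, data: bytes, mode: str = "wb") -> None:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, mode) as f:
                f.write(data)

        # State before the installer runs (all constructed).
        write("Program Files/Existing/app.dll", b"old version")
        write("settings.ini", b"[main]\n")
        write("readme.txt", b"to be removed\n")
        write("other.log", b"line 1\n")
        before = snapshot(root)

        # The "installer": drops its program, overwrites a shared DLL with a
        # same-size replacement, edits a config file and deletes a file.
        write("Program Files/Shiny/shiny.exe", b"MZ shiny")
        write("Program Files/Existing/app.dll", b"new version")
        write("settings.ini", b"[main]\nshiny=1\n")
        os.remove(os.path.join(root, "readme.txt"))
        # An unrelated program appends to its log in the same window; the
        # monitor cannot tell this apart from the installer's own changes.
        write("other.log", b"line 2\n", mode="ab")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The report lists other.log under "modified" alongside the installer's real changes, which is why real monitors ask you to close everything else before taking the first snapshot, and why a program that defers its changes to a later run (the nth-use tactic above) leaves this kind of diff empty.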


Using Sandboxing with file/registry virtualization

How they work - Run the installer or program sandboxed, and every file and registry change made by the process (and usually its child processes) is tracked in real time. The changes are shunted to a virtualized sandbox (an alternative location) but otherwise work normally. After installation, the program can then be run sandboxed, which ensures *every* change is monitored in real time, unlike with installation monitors.


Examples (freeware unless otherwise indicated) - Sandboxie, BufferZone Virtual Sandbox, Altiris Software Virtualization Solution (this one works quite differently).

Pros - Every change made by the sandboxed program is tracked and can be reversed. The program can be tested over several sessions and removed just by clearing the sandbox. Strong security: most sandboxes prevent potentially dangerous activities like installing drivers.

Cons - Many programs will not install in a sandbox because of the restrictions. Programs that require reboots (generally those that install drivers and services) will not work either. Some changes might leak and not be tracked.

Note: Altiris Software Virtualization Solution differs from the usual sandbox in that it does not impose security restrictions. It uses separate layers which can be mounted or unmounted independently.


Using partition virtualization

How they work - They are kissing cousins of rollback and disk imaging software, except that they record only the changes made during a session (protected mode, shadow mode, etc.) and automatically discard them after a reboot. This is very quick compared to re-imaging the whole disk.

Examples (freeware unless otherwise indicated) - Returnil Virtual System Personal Edition, Windows SteadyState (allows changes to survive a reboot).

Pros - Every change made by the program you are trialling (and everything else, in fact) is tracked and is reversed on reboot. While it does not protect you during the session, you are assured that nothing nasty is left behind after the reboot.

Cons - Most of these products clear everything on reboot (the exception is Windows SteadyState, which allows you to keep changes for a period of time), so programs that require reboots to install cannot be tested with them.


Multiple Snapshot/rollback virtualization

How they work - A subset of partition virtualization, but one that allows multiple snapshots to be stored and restored very rapidly using incremental backups. Many also offer advanced features such as "data anchoring" (where certain files/folders are left untouched by a rollback).

Examples (freeware unless otherwise indicated) - Mostly commercial or enterprise products: Rollback RX (non-freeware), FirstDefense-ISR.

Pros - The snapshot facility makes it as easy to use as the similar feature in virtual machines for testing, while being immune to VM detection methods since no hardware virtualization is used.

Cons - Despite improvements in compression of incremental changes, keeping multiple snapshots tends to use up several gigabytes of space.


Using Virtual machines

How they work - Software is used to completely simulate a new machine.

Examples (freeware unless otherwise indicated) - Virtual PC 2007, VMware Server, VirtualBox.

Pros - Complete security; nothing can leak to your real machine. Everything is removed when the virtual machine snapshot is deleted. Allows installation of almost all types of programs (some games that require graphics cards might not work).

Cons - Virtual machines require a separate OS license. The host machine needs sufficient RAM. Some malware detects that it is running in a VM and acts accordingly. Unless you take pains to set up your virtual machine exactly like your real production machine, software that works in the former might not work well in the latter due to software conflicts.


Misc

  • Windows System Restore - Restores mostly system files.
  • Conventional backup or disk imaging - Examples include DriveImage XML, Acronis True Image, Norton Ghost. Whether the backup is an archive of files or a disk image, this provides a full restore, but restoration is relatively slow.


Summary

Installation monitors (example: ZSoft Uninstaller)

Compatibility with programs - High.
Maintains changes over a period - Yes, as long as you want.
Ease of use - High. Simple to understand; taking snapshots before and after installation is fairly quick.
Thoroughness in removing changes made by programs - Low; only removes changes made during install and nothing else.
Level of security - Non-existent; the installed program is free to do whatever it wants.

Sandboxing with file/registry virtualization (example: Sandboxie)

Compatibility with programs - Low; when sandboxed, many installers will not have sufficient rights.
Maintains changes over a period - Yes, until the sandbox is cleared.
Ease of use - High. Somewhat harder to understand, but clearing the sandbox is fast.
Thoroughness in removing changes made by programs - High, but may leak and miss some changes made by child processes if they are not sandboxed automatically.
Level of security - High. When run in the sandbox, the installer and installed program are restricted. Programs running in the same sandbox (e.g. a web browser and another program) might be vulnerable to each other.

Partition virtualization (example: Returnil Virtual System Personal Edition)

Compatibility with programs - Medium. Less restricted than sandboxing, but installers that require reboots will not work because the changes will be cleared.
Maintains changes over a period - No; changes are cleared on reboot (except for Windows SteadyState).
Ease of use - Medium. Because everything on the partition is removed, some work is needed to retain wanted changes.
Thoroughness in removing changes made by programs - Very high. In theory everything is removed.
Level of security - Medium. The installed program is free to do whatever it wants during the session (so a keylogger can still capture keystrokes and send passwords during the session), but everything is removed on reboot.

Virtual machines (example: Virtual PC 2007)

Compatibility with programs - High. Pretty much any program will run, except rare programs that require special graphics hardware support.
Maintains changes over a period - Yes, until the VM snapshot is cleared or the virtual machine file is deleted.
Ease of use - High. Some work is needed to set up the virtual machine at first, but once done you can treat it as a completely different machine.
Thoroughness in removing changes made by programs - Removing a snapshot is similar to the partition virtualization methods, but with the right settings there is almost no chance of anything leaking into the host (original) machine.
Level of security - High. Unless there is a security exploit, a program installed on the virtual machine is totally isolated from the host (original) machine.

Conventional backup or disk imaging (example: DriveImage XML)

Compatibility with programs - Highest.
Maintains changes over a period - Yes, as long as you want, until you decide to restore.
Ease of use - Low. A complete backup or image takes some time, and so does recovering; the slowest method.
Thoroughness in removing changes made by programs - High. You are recovering everything, after all.
Level of security - Medium. The installed program is free to do whatever it wants until you restore (so a keylogger can still capture keystrokes and send passwords in the meantime), but everything is removed on restore.
