TeMerc6
join:2004-01-22
Phoenix, AZ

TeMerc6

Member

Is VMware the answer to spyware

From latest Spyware Weekly:
As promised in the last newsletter, I have written an article about how to use VMware's Browser Appliance. It was so long that I broke it up into four pages. Using the Browser Appliance will be so effective at preventing spyware and browser hijacker infections that I have used it to replace the article I wrote long ago, on the same subject.

The article covers everything I think that you will need to know, if you decide to use the Browser Appliance. Page One introduces newcomers to the idea of the Browser Appliance and explains why it offers 99.9% protection from all spyware. Page Two explains how to perform a few tweaks to the default set-up. Page Three explains how to share files between the virtual computer and the real computer. Page Four explains how to install some additional software you probably will want to have.

It is now my official position that using the Browser Appliance is the best and only way for Windows users to remain completely safe on the internet. I will no longer explain how to alter security settings, block massive lists of nasty web sites or how to install a half dozen different programs, all protecting different parts of the system.

I'm not saying that those methods don't offer some protection or that they shouldn't be done. I am saying that they are not complete protection. I will no longer give complicated instructions that offer only a little protection, when there is a much easier way to have full immunity.

You can lock your machine down with firewalls, script blockers, antispyware programs, antivirus programs, enormous web site block lists, block all ActiveX and then live in fear of the next 0-day exploit. Or you can install the Browser Appliance and be immune to all web-based malware installers. The choice is yours to make.


Source:
»www.spywareinfo.com/news ··· an27.php

ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN

1 edit

ZOverLord

Premium Member

You asked the Question.

My answer would be no.

There needs to be a total solution, something that allows recovery under almost every possible method of corruption and/or infection.

I think VMware itself is great if you need to test/emulate different system setups but....for protection, I think it's complicated at best, and when it is only for browser features weak at best for total system security.

Without Double Posting, check this:

»Real Computer Security: File & Dir Permissions

You may want to give it a try, because unlike a restore from backup or even a restore point ("Which we all know by now can be infected as well") a disk image is maintained in an unnamed partition ("Hard to go after that").

If the goal is total operating system protection, this is the best method I have seen yet.

No matter how much malware is installed while someone was logged on using this, no matter what someone accidentally changed or deleted, once they log off, the disk is restored to the way it was prior to the infection and/or accident, and this is done very quickly, faster than a restore point and much faster than using a backup/restore.

As of this date, I have not seen any other methods which provide the same total solution.

Automatic recovery without as much as a Mouse Click

redxii
Mod
join:2001-02-26
Michigan
Asus RT-AC3100
Buffalo WZR-HP-G300NH2

redxii to TeMerc6

Mod

to TeMerc6
That's just dumb. The answer is no. Even though I have VPC 2004 installed, I don't use it as a security tool.
script blockers, antispyware programs
What's an anti-spyware program? Or a script blocker? I haven't the slightest clue.
Tuulilapsi
Kenosis
join:2002-07-29
Finland

Tuulilapsi to TeMerc6

Member

to TeMerc6
I doubt a solution like that is practical for most people. I don't know about everyone else, but I sure like the convenience of being able to save stuff from the web on my hdd. What I don't need is a virtual machine complicating this.

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

1 recommendation

Wildcatboy to TeMerc6

Mod

to TeMerc6
said by TeMerc6:

... it offers 99.9% protection from all spyware.
VMware doesn't offer any protection. Your Virtual environment still gets infected, except you can revert back to the original condition. This is not protection, it's just encouraging people to not take responsibility for what they do. It's a culture that says, you're all dumb, you'll never learn, so why try. Click away now and revert later.

itssaturday
@202.xx.10.unitedcolo

itssaturday

Anon

So your point is to focus the blame on the users rather than hunt down the people who create these nasty infections? Not everyone is interested in knowing the technical side of computers.
If it's a simple method to stop further infection, I see nothing wrong with it.
TeMerc6
join:2004-01-22
Phoenix, AZ

TeMerc6

Member

said by itssaturday :

So your point is to focus the blame on the users rather than hunt down the people who create these nasty infections? Not everyone is interested in knowing the technical side of computers.
If it's a simple method to stop further infection, I see nothing wrong with it.

I don't think anyone is saying the user is to blame here, per se. It's a matter of educating users with simple instructions, much in the same way you teach people about nearly anything. If you just hand someone a PC and give them virtually no basic instruction, they will have troubles, much the same as if you just threw a set of keys to someone and expected them to drive a car with ease and no damage to the yard, house, neighbor's fence, and so forth. Give them some basic instructions, like a driver's ed class, and they can maneuver the car and drive reasonably well. Now, give the same user a hi perf driving school lesson (obvious price issue), and the same person can become a prolific driver handling all sorts of potential troubles.

The more users can learn, with basic operation and use of general PCs, the better off they will be.

Trying to hunt down the creators of most of the invasive malwares is near impossible, especially if they are based off shire, which most are.

The few that do get brought to court will eventually pop up again under a different guise and start all over again. In most cases they have made so much money by illicit installs and unethical behaviour, that the temptation is to go back for more.

spacetrucker3000

Anon

Off the Shire? hmmmmm.....I always suspected you were a Hobbit.
steve19726
bum
Premium Member
join:2002-01-17
Chicago, IL

steve19726 to TeMerc6

Premium Member

to TeMerc6
Why not use something like Deep Freeze or ShadowUser? It uses a lot less RAM than running VMware.
bluezanetti
Premium Member
join:2003-10-04

bluezanetti to itssaturday

Premium Member

to itssaturday
said by itssaturday :

If it's a simple method to stop further infection, I see nothing wrong with it.
Nor do I, as long as one explicitly recognizes that it remedies only one dimension of a very complicated problem. That doesn't seem to be conveyed at all in the original post. In fact, my reading is that the original poster ignores every other dimension of an infection aside from returning a PC to its original state.

Blue
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to TeMerc6

Premium Member

to TeMerc6
It is rather obvious from the posts here that you guys are not using VMWare. And using Microsoft's Virtual PC 2004 is not the same. It is quite inferior to VMWare. Plus, you all seem to be confusing two very different applications.

Mike Healan's article is about using Browser Appliance in VMWare Player. This is quite different from using VMWare Workstation or Microsoft's Virtual PC 2004. He is correct that you cannot get infected 99.9% of the time using Browser Appliance in VMWare Player with this preinstalled simplified version of Ubuntu. I have used Browser Appliance although I used it in VMWare Workstation. It is designed for browsing only. It has a lot of restrictions on Fx and Ubuntu built in. If, against all odds, you get infected and the infection can elevate itself to admin privileges somehow, you can just delete it. The host machine will not be infected.
The only way you can get the Host machine infected would be to move an infected file from Browser Appliance to your host PC. It is not easy to move files between the two machines unless you have VMWare Workstation and use Browser Appliance in it and if you have VMWare Workstation, and have mastered all the things you have to learn to properly use Workstation, you are knowledgeable enough to know to be very careful if moving files from a virtual machine to the host. I was very frustrated by Browser Appliance as it is so limited. Plus, I too could not get it to play video files but I had thought maybe I didn't try hard enough until I read Mike's article. I think Mike is being unrealistic about how many users will like Browser Appliance.

I far prefer VMWare Workstation as with that you have virtual machines that are not limited (which you created) running on your Host machine and they can use the CDRom drive on the host, the floppy drive (if you have one), the printer, and you can easily move files between the machines. (I could not get Ubuntu to recognize my CDRom drive when I had Browser Appliance in VMWare Workstation). The beauty of VMWare is that you can start your session by making a current snapshot, then do your thing, when you are through revert to the snapshot you made at the beginning of the session or simply set it so that nothing is saved of the session when you shut down, or you can save or make another snapshot.

VMWare is perfect for beta testing and for learning Linux or using other Microsoft OSes. However, there will be holes in it (VMWare Workstation I mean, not Browser Appliance). Just recently there was a required upgrade due to a hole...that is required if you don't use bridged networking which most use. I was not vulnerable so I kept the older version as the new one is still rather buggy.

VMWare has only one drawback (besides the cost of the software) and that is that you will need plenty of RAM. If you have 1GB that is enough to run one virtual machine (with 256MB allocated to the virtual machine). But if you want to run more than one simultaneously then you will need 1500MB to 2GB RAM.

VMWare is marvelous. It is the best application I have ever used. I'm getting a new PC with 2GB RAM and I'll be able to run several virtual guest machines at the same time. I will be able to switch between Linux and Windows...no need to reboot, printer is shared.

Using VMWare doesn't mean one abdicates responsibility and learning. (Using Browser Appliance would allow one to remain ignorant but I don't think too many users will like Browser Appliance). Heck, you had to be aware of the recent security hole and know if you were vulnerable and if so you had to upgrade. As VMware becomes very popular, there will be more hackers concentrating on it and thus users will need to be educated about it and be vigilant. A VMWare user (even a Browser Appliance user running it in the free player) needs to join the outstanding VMWare boards immediately.

VMWare is not a panacea. But it sure beats the cost of buying three or four physical computers or setting up dual booting, etc. If you enjoy beta testing there is nothing better. I use TI now with an external hard drive. I still want VMWare. It is tons of fun and simply awesome that I can run a variety of virtual machines on one physical machine.

ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN

ZOverLord

Premium Member

That's basically what the Microsoft Shared Toolkit does, except in a much less resource-intensive manner.

Wish more people would try it, even for shared computers in homes it can be useful. Using it takes much less setup and can be turned on/off very easily. Changes are easy to apply as well.

I guess when I see entire virtual machines created that can be done by simply using the toolkit and much less memory and for FREE I wonder why?

On dual boot systems for Both Windows and other OS's I can understand.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

1 edit

CalamityJane

Premium Member

said by ZOverLord:

That's basically what the Microsoft Shared Toolkit does, except in a much less resource-intensive manner.

Wish more people would try it, even for shared computers in homes it can be useful. Using it takes much less setup and can be turned on/off very easily. Changes are easy to apply as well.
ZOverLord, I have to admit I'm not familiar with that tool but it looks very interesting.
»www.microsoft.com/window ··· iew.mspx
I would love to see a new topic (so as not to detract from this one) on the subject and ask you to share your experiences with it...Pro and Con.

It looks very promising at first glance. Maybe something I should recommend my home users add to their arsenal?? The VMware appliance here just looks way too complicated (and expensive) to expect the average user to consider.

Edit: typo

fegul
Premium Member
join:2004-08-23
united state

fegul to TeMerc6

Premium Member

to TeMerc6
I enjoy using VMware for testing AV programs and playing with spyware. Easy to use, no risk, and easy to clean. Like the cat litter of the computer world.

ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN

1 recommendation

ZOverLord to CalamityJane

Premium Member

to CalamityJane
said by CalamityJane:
said by ZOverLord:

That's basically what the Microsoft Shared Toolkit does, except in a much less resource-intensive manner.

Wish more people would try it, even for shared computers in homes it can be useful. Using it takes much less setup and can be turned on/off very easily. Changes are easy to apply as well.
ZOverLord, I have to admit I'm not familiar with that tool but it looks very interesting.
»www.microsoft.com/window ··· iew.mspx
I would love to see a new topic (so as not to detract from this one) on the subject and ask you to share your experiences with it...Pro and Con.

It looks very promising at first glance. Maybe something I should recommend my home users add to their arsenal?? The VMware appliance here just looks way too complicated (and expensive) to expect the average user to consider.

Edit: typo
Done,

Sorry about that, the new topic is located here:

»Windows Shared Computer ToolKit XP Details & Help

asdfghjklzx5
Premium Member
join:2004-05-03

asdfghjklzx5 to TeMerc6

Premium Member

to TeMerc6
Gee. I haven't gotten a piece of spyware in over two years and this guy, who is some sort of authority on the prevention of spyware, is in essence "giving up"?

Maybe I should become the new anti-spyware guru.

Anyone know if it pays well?

112ohnoes112
@aol.com

112ohnoes112

Anon

Well, Mike Healan, for all his soapboxing/newsletters etc., has probably made a right pot of gold out of affiliate sales for products that he's not too subtly promoted.

Does he stand to make commissions on VMWare installs?

The security community's very own Pied Piper of Hamelin, anyone for x-block or evidence eliminator?

Political or financial aspirations afoot :(
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

How is Mike Healan or anyone going to make money off of installs of Browser Appliance? It is FREE AND IT RUNS ON THE FREE VMWARE PLAYER!

Ifind
@waag.org

Ifind to TeMerc6

Anon

to TeMerc6
I find Sandboxie to be just about as good as the VMWare Browser appliance. It seems Sandboxie is a much much smaller download as well.

jdong
Eat A Beaver, Save A Tree.
Premium Member
join:2002-07-09
Rochester, MI

jdong to TeMerc6

Premium Member

to TeMerc6
Note that the Browser Appliance is Linux-based, so it is more resistant to the ITW stuff on the net by default; but no, it's not failproof security, nor is it the most convenient.

TechyDad
Premium Member
join:2001-07-13
USA

2 edits

TechyDad to Ifind

Premium Member

to Ifind
I've got to second the SandboxIE recommendation. I installed it here to test it out and visited a site with a known (but benign) ActiveX control. I allowed the site to install the ActiveX control and the install went through without a hitch. However, when I closed the sandbox, the ActiveX control was gone without a trace.

Basically, it seems to make your system read-only for anything the browser runs. Sure it's not a 100% secure setup (as sensitive information could be gleaned by a malicious ActiveX control running in "read-only" mode), but it does help against an ActiveX control infecting you with spyware.

Now if I could only make it so that you could start IE in Sandboxed mode. It might help prevent some spyware infections.

EDIT: Actually, a quick visit to their website shows that you can! "C:\Program Files\Sandboxie\Start" "C:\Program Files\Internet Explorer\iexplore.exe" will start up IE in Sandboxed mode. I might do this for a relative who had his PC trojaned. (After I do a format/reinstall for him.)

EDIT #2: Apparently, the registered version ($20) can automatically sandbox programs even if they aren't launched using the "SandBox Start" command. This would be really useful for my relative's system and I just might recommend he pay the registration fee.