How to ensure process isolation without breaking Windows. How to recover files deleted by Eset NOD32 antivirus

How do you isolate suspicious processes in Windows without breaking the OS itself? How do you build a reliable, Windows-compatible software sandbox without hardware virtualization or kernel function hooking, using only the documented security mechanisms built into the OS? We will talk about the most common problems faced by developers (and, ultimately, users) of software sandboxes. And, of course, we will offer our own solution :).

Introduction, or how bad it is to live without a sandbox

There are a few axioms among professionals that they do not like to talk about. What is there to say about axioms? They simply are. Everyone understands them as clearly as two plus two. One of them is that signature-based antiviruses do not protect. They just don't, and that's that. This has been said and repeated many times, with examples, nice presentations, song and dance. Epidemics of nasty things like ransomware are one proof of the ineffectiveness of signature and heuristic technologies. All kinds of crypters and obfuscators successfully hide long-known malware from detection, and for a while that malware is not detected by antiviruses at all. That window is quite long enough for some people to have a very bad day and for others to have a very good one.

That is, we are not even talking about 0-days: you can take old, well-known, bearded malware, morph it, strip the behavioral signatures (a couple of days' work for a lazy person) and use it again, and again, and again, until you get bored or until you get locked up. Meanwhile the people who sold the cure that was supposed to stop this from ever happening act as if it has nothing to do with them: with serious faces they publish some newsletter about hygiene on the Internet, forgetting to mention that if that hygiene were followed completely, antiviruses, especially paid ones, would be practically unnecessary.

Sandboxes and features of their implementation

So antiviruses do not save you, and sometimes they break what already works. “Let's approach protection from the other side and isolate processes from each other,” said someone infinitely wise. It really is great when suspicious processes run in an isolated environment called a sandbox: malware running in a sandbox cannot leave it and harm the rest of the system. This could be the solution, but existing sandbox implementations have their nuances...
Below we discuss the subtleties of building sandboxes; knowing them will certainly help when you need to choose a process isolation tool or a HIPS (Host-based Intrusion Prevention System, an intrusion prevention system for workstations).

Nuance No. 1, or one sandbox for everyone

Most sandboxes do not actually provide process isolation. In most implementations the protected system is simply divided into two parts, trusted and untrusted. Normal processes run in the trusted part, isolated processes in the untrusted one. That is, all isolated processes run in the same sandbox, can reach each other and each other's resources, and use the same virtual registry and the same virtual file system.

Thus malware can gain a foothold in the sandbox itself and launch alongside one of the isolated applications (or several of them, or any of them). At the same time, sandboxes often do not log the actions of isolated processes. Actions that a HIPS would complain about happen inside the sandbox without the slightest reaction, on the grounds that they are “isolated”, which is not very good.

How do you check that the isolation is built this way? Very simple! Run two applications in the sandbox, for example notepad.exe and wordpad.exe. Create a text file 1.txt using notepad.exe.

Of course, this file will not be saved on the desktop but in a “virtual” directory. Try opening it with WordPad (Fig. 3).



So a file created by one sandboxed application can be opened by another sandboxed application. Let's face it, the isolation is already not very good. But maybe there will at least be some protection against writing? We change the contents (Fig. 4).


And save. Now let's try to open 1.txt with notepad.exe, again running notepad.exe in the sandbox, of course (Fig. 5).


This is what we were talking about: two isolated applications are not isolated from each other, so it is not entirely clear what such isolation is for. Even ransomware, without gaining access to the real folders on the computer, can encrypt everything in the virtualized directory and, if it is lucky, on network shares too, since the sandbox settings are the same for all isolated applications.

Nuance No. 2, or under-isolation

Yes, isolated processes cannot reach the trusted part of the system... but in most implementations this only applies to writes. They can read from almost anywhere with virtually no restrictions, and often have network access. This was apparently done for better compatibility, but it cannot be called isolation.
Try a simple experiment with a sandbox of your choice. Create a directory on your hard drive, say E:\Photos, and put a photograph in it (Fig. 6).


Launch Internet Explorer in the sandbox and try to upload this image to, say, rghost.



So, did it work? If the experiment succeeded, that is not very good. It is worse if the sandbox has no way to specify directories that isolated applications may not access. And it is not good at all if isolated applications can read data from the current user's directories.
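Both experiments above can be scripted so the result does not depend on what a GUI application happens to show. The probe below is an added example written for this page; it is not code from the original article or from any sandbox product. Run it inside two different sandboxed processes (instances labelled A and B, each probing a few real paths), then once from a normal, trusted command prompt, and hand the three reports to `verdict`. The marker directory (the user's temp directory by default), the instance labels and the paths in the usage comment are assumptions. Run without any sandbox at all, it reports all three findings; that is the baseline a real sandbox should improve on.

```python
"""Sandbox boundary probe (added example; not code from the article).

Usage, with assumed paths:
    python sandbox_probe.py inside A E:\\Photos C:\\Users\\me\\Documents
    python sandbox_probe.py inside B E:\\Photos
    python sandbox_probe.py outside
Run the two "inside" invocations from two different sandboxed processes
and the "outside" one from a normal, trusted command prompt.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Real path the sandbox is expected to redirect writes away from.
# Assumption: the user's temp directory; override with PROBE_MARKER_DIR.
MARKER_DIR = Path(os.environ.get("PROBE_MARKER_DIR", tempfile.gettempdir()))
MARKER_PREFIX = "sandbox-probe-"


def can_read(path):
    """True if this process can open `path` and read its first byte."""
    try:
        with open(path, "rb") as fh:
            fh.read(1)
        return True
    except OSError:
        return False


def leave_marker(label, marker_dir=MARKER_DIR):
    """Write a marker file for sandboxed instance `label`; None on failure."""
    target = Path(marker_dir) / f"{MARKER_PREFIX}{label}.txt"
    try:
        target.write_text(f"written by sandboxed instance {label}\n")
    except OSError:
        return None
    return target


def visible_markers(marker_dir=MARKER_DIR):
    """Labels of every instance whose marker this process can read."""
    found = []
    for path in sorted(Path(marker_dir).glob(f"{MARKER_PREFIX}*.txt")):
        if can_read(path):
            found.append(path.stem[len(MARKER_PREFIX):])
    return found


def inside_report(label, read_paths, marker_dir=MARKER_DIR):
    """What a sandboxed process can see and do (nuances No. 1 and No. 2)."""
    return {
        "instance": label,
        "trusted_reads": {str(p): can_read(p) for p in read_paths},
        "marker_written": leave_marker(label, marker_dir) is not None,
        "markers_seen": visible_markers(marker_dir),
    }


def outside_report(marker_dir=MARKER_DIR):
    """From the trusted side: markers that ended up on the real path."""
    return {"markers_on_real_path": visible_markers(marker_dir)}


def verdict(inside_a, inside_b, outside):
    """Translate the three reports into the article's findings."""
    findings = []
    if inside_a["instance"] in inside_b["markers_seen"]:
        findings.append("shared virtual file system: B can read A's file")
    readable = [p for p, ok in inside_a["trusted_reads"].items() if ok]
    if readable:
        findings.append("trusted data readable from the sandbox: " + ", ".join(readable))
    if outside["markers_on_real_path"]:
        findings.append("write not redirected: marker landed on the real path")
    return findings


if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "outside"
    if role == "inside":
        print(json.dumps(inside_report(sys.argv[2], sys.argv[3:]), indent=2))
    else:
        print(json.dumps(outside_report(), indent=2))
```

A sandbox that passes should leave instance B unable to see A's marker, report the user's directories as unreadable from inside, and still show nothing on the real path from the outside run; the third finding, if it ever appears, means writes are not being redirected at all.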

File system and registry virtualization in most implementations is based on the “copy-on-demand” (copy-on-write) principle. If a file only needs to be read, it is read from the real directory unless a copy already exists in the virtual directory; if the virtual directory holds a copy, the isolated application works with that copy. The same applies to the virtual registry. And, of course, an attempt to write a file to a real path ends up in the virtual file system. Almost always.
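To make the copy-on-demand scheme concrete, here is a toy overlay that behaves the way the paragraph describes. It is an added illustration written for this page, not the code of any real sandbox: `real_root` stands in for the trusted file system, `virt_root` for the sandbox's virtual directory, and the directory and file names in `demo` are assumptions. It goes one step beyond the article by also building two overlays with separate virtual roots, to show that the sharing problem of nuance No. 1 disappears once each isolated process gets its own virtual directory, while the read fall-through of nuance No. 2 remains.

```python
"""Toy copy-on-demand file-system overlay (added example, not real sandbox code)."""
import shutil
from pathlib import Path


class CowOverlay:
    """Reads fall through to real_root; writes always land in virt_root."""

    def __init__(self, real_root, virt_root):
        self.real = Path(real_root)
        self.virt = Path(virt_root)
        self.virt.mkdir(parents=True, exist_ok=True)

    def read(self, rel):
        """Virtual copy wins if present; otherwise the real file is read unrestricted."""
        virt = self.virt / rel
        if virt.exists():
            return virt.read_bytes()
        return (self.real / rel).read_bytes()  # nuance No. 2: trusted data is readable

    def write(self, rel, data):
        """Copy the real file into virt_root on first write, then modify the copy."""
        real, virt = self.real / rel, self.virt / rel
        virt.parent.mkdir(parents=True, exist_ok=True)
        if not virt.exists() and real.is_file():
            shutil.copy2(real, virt)  # the "copy" in copy-on-demand
        virt.write_bytes(data)        # real_root is never modified
        return virt


def demo(root):
    """Reproduce the notepad/wordpad experiment, then the per-process variant."""
    root = Path(root)
    real = root / "real"
    (real / "Photos").mkdir(parents=True)
    (real / "Photos" / "me.jpg").write_bytes(b"\xff\xd8 constructed photo bytes")

    # One sandbox for everyone: notepad and wordpad share one virtual root.
    shared = CowOverlay(real, root / "virt_shared")
    notepad = shared
    wordpad = shared
    notepad.write("Desktop/1.txt", b"hello from notepad")
    seen_by_wordpad = wordpad.read("Desktop/1.txt")
    wordpad.write("Desktop/1.txt", b"changed by wordpad")
    seen_by_notepad = notepad.read("Desktop/1.txt")

    # Per-process virtual roots: instance B no longer sees instance A's file.
    iso_a = CowOverlay(real, root / "virt_a")
    iso_b = CowOverlay(real, root / "virt_b")
    iso_a.write("Desktop/1.txt", b"only a")
    try:
        iso_b.read("Desktop/1.txt")
        b_sees_a = True
    except FileNotFoundError:
        b_sees_a = False

    return {
        "seen_by_wordpad": seen_by_wordpad,
        "seen_by_notepad": seen_by_notepad,
        "photo_readable_from_sandbox": shared.read("Photos/me.jpg").startswith(b"\xff\xd8"),
        "real_desktop_touched": (real / "Desktop" / "1.txt").exists(),
        "isolated_b_sees_a": b_sees_a,
    }


if __name__ == "__main__":
    import tempfile
    for key, value in demo(tempfile.mkdtemp()).items():
        print(f"{key}: {value!r}")
```

The shared overlay reproduces Figs. 3 to 5: wordpad reads what notepad wrote and overwrites it, and notepad reads the overwritten copy, all without a single byte landing under `real_root`. The per-process overlays fix the sharing but still let every instance read `Photos/me.jpg`; restricting reads of trusted data is a separate policy the overlay itself does not provide.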

Thus malware “isolated” in such a sandbox has full access to all other “isolated” processes, read access to almost all data on the system, and write access to the virtualized data (stored by the isolated applications, and often shared by all of them).

Nuance No. 3, or “let's reinvent the wheel, it's so interesting”

Continuation is available only to members


So I'm trying to lock an isolated storage file in my client application so that multiple instances of my application cannot access it at the same time. I use the following code:

    lockStream = new IsolatedStorageFileStream("my.lck", FileMode.OpenOrCreate, isoStore);
    lockStream.Lock(0, 0);

This code causes my application to throw a NullReferenceException from the framework's FileStream.Lock method. I tried using a non-zero value for the length. I tried writing a byte to the file and then locking only that byte. No matter what I do, the same NullReferenceException haunts me. Does anyone know if this is possible with isolated storage?

I'm also using this technique in a Silverlight application; does Silverlight support file locking? The MSDN docs seem to indicate that it does not, but I saw a post from an MVP that says it does.

Update: Microsoft has fixed the bug I submitted to Connect, but it was not released in version 4 of the framework. It should hopefully be available in the next SP or full release.

Comment: I was able to work around this error by using reflection to call the Lock method on IsolatedStorageFileStream's private "m_fs" field, like so:

    lockStream = new IsolatedStorageFileStream("q.lck", FileMode.OpenOrCreate, isoStore);
    FileStream m_fs = typeof(IsolatedStorageFileStream).InvokeMember("m_fs",
        BindingFlags.GetField | BindingFlags.NonPublic | BindingFlags.Instance,
        null, lockStream, null) as FileStream;
    m_fs.Lock(0, long.MaxValue);

- bsiegel, 5 Mar 2010

2 answers

This looks like a bug in the Framework. Maybe I'm wrong, because this really is too big to be true.

Looking at the .NET 3.5 SP1 source code with Reflector, you find that IsolatedStorageFileStream calls the parameterless base constructor (FileStream()), which leaves the base class not really initialized. IsolatedStorageFileStream creates its own instance of FileStream and uses it in all the methods it overrides (Write, Read, Flush, Seek, etc.). It's strange that it doesn't use its base class directly.

But Lock and Unlock are not overridden, and they need a private field (_handle), which is still null (since the constructor used is parameterless). They assume it's not null, use it and trigger an NRE.

To sum it up, locking and unlocking are not supported (or don't work).

I think you are forced to use other locking methods such as Mutex or Semaphore.

“How to recover my files deleted by Eset NOD32 antivirus” is a request that often comes up on the Internet. There are not many solutions to this problem, which often creates the impression that there is no way to get the lost documents back.

First of all, you need to understand what the antivirus is reacting to: it blocks or removes a file because the scanner matched it against a signature or because its behaviour looked malicious to the heuristics, not because it has verified that the file is harmful. The verdict is usually right, but false positives happen, so a deleted document is a strong reason for suspicion, not proof that it was malicious.

There are also files that merely modify another program or interfere with its processes and get flagged for that reason, without posing a direct threat to your data.

Are there ways to recover a file deleted by an antivirus? There definitely are! In this article we look at what Eset NOD32 is, how to work with it, and an effective way to recover files erased by the antivirus.

What is Eset NOD32?

It is no secret how important, and above all how relevant, antivirus applications are in the modern world. They not only remove the vast majority of malicious files but also help prevent a threat before it manifests itself and harms the system.

Eset NOD32, most often referred to simply as NOD32, is a whole antivirus suite developed by the Slovak company ESET; the first version of NOD dates back to 1987.

There are two editions of the program:

  • Home version.
  • Business version.

The main differences between the business and home editions are remote management and cross-platform protection. Another pleasant feature is that the program can be easily and flexibly tuned to any needs.

Eset NOD32. How to enable or disable antivirus?

It often happens that when installing a particular program we are asked to disable the antivirus, because otherwise it will “eat” an important file without which the application simply cannot start. Keep in mind that this is exactly what malicious installers ask for too: if a program you trust genuinely needs it, add the specific file to the exclusions (described below) rather than switching protection off entirely.

Another common reason to look for how to enable or disable the antivirus is to reduce the resource consumption of the “defender”. Antiviruses usually take a fair amount of memory even when idle, and when running other “heavy” programs it is sometimes necessary to pause protection.

So how do you enable or disable NOD32? The instructions are below.

1. Launch Eset NOD32 and go to Setup.

2. In the window that opens you will find all the installed NOD32 protection modules. Go through each one and enable or disable the options depending on your needs.

Eset NOD32. Antivirus quarantine and exceptions.

Quarantine is a storage area that is present in every antivirus, regardless of manufacturer or edition (home or business). It holds suspicious files that, in the antivirus's opinion, could harm your operating system in one way or another.

It is worth noting that a detected file, even if it is a Trojan, is not normally destroyed outright: the threat is first neutralized by moving the file (or a copy of it) to quarantine, where the antivirus waits for the user to decide what to do next. You can either delete the quarantined document or restore it and mark it as an exception, which we discuss a little later. This is why quarantine is the first place to look before reaching for a recovery tool.

How do you find the Eset NOD32 quarantine? Very simple! Follow the instructions below.

1. Run Eset NOD32 and go to the Tools section.

2. Open More tools. It is located in the lower right corner.

3. We now have the complete list of additional tools that Eset ships with its antivirus. Open Quarantine.

4. In the menu that opens, NOD32 gives you full control over all the quarantined files.

Now that we have found the quarantine, let's look at its main functions:

  • Quarantine file. This option lets you manually pick a file you believe is malicious and isolate it if the antivirus did not catch it on its own.
  • Restore. An option that lets you restore a file that was quarantined by mistake.

Simply restoring a quarantined document does not always prevent it from being blocked again. Can this be changed? Let's see.

1. Without leaving the Quarantine window, right-click the file you want to release.

2. Select Restore and exclude from scanning.

3. If you are confident in what you are doing, click Yes. If you do not know whether the file is dangerous or harmless, we recommend clicking No.

Eset NOD32 deleted files. How to recover?

The antivirus is one of the few barriers holding back the enormous number of threats that can reach our computers via the Internet. It is natural that it blocks anything that behaves in a similar way: documents that in one way or another interfere with system or software processes.

Unfortunately, antiviruses cannot always tell such files apart, because a malicious file can easily disguise itself as a Windows process and gradually destroy the computer from the inside.

Consequently the program tries in every way to protect the PC, blocking everything that in its opinion poses a threat. In most cases blocked documents can easily be restored simply by adding an exception, but occasionally they are deleted outright if the antivirus considers the file critically dangerous.

If the file is neither in quarantine nor in the Recycle Bin, a file-recovery tool such as Starus Partition Recovery can help. It recovers files of any format regardless of how they were lost, but only as long as the disk blocks they occupied have not been overwritten, so stop writing to the affected drive and run the recovery from another volume as soon as you notice the loss. Keep in mind, too, that the antivirus will detect the recovered file again unless you exclude it, and that if its verdict was correct you are restoring malware.

You can assess the chances of “recovering what was lost” before registering Starus Partition Recovery: download the program and try it for free. All features are available in the trial version, including a preview of the recovered files. The preview window lets you make sure that a given file is not damaged or overwritten and can be fully restored.

We hope the article was useful to you and helped you resolve your questions.