Roger A. Grimes - InfoWorld Mag

Don't be fooled into thinking virtual security technologies are a panacea for your malware woes

I've seen a spate of virtualization products popping up to protect your computer while you surf the Internet. Roughly similar to Sun’s Java infamous sandbox environment, they use various mechanisms to prevent malware from infecting or modifying your computer while you browse the Web, read e-mail, or use other forms of Internet-based communications (IM, p-to-p, and so on).

I’ve reviewed several of these types of products, including GreenBorder, Linux jail programs, and Microsoft Windows Vista’s file and registry virtualization technology. And many of us often use Zen, VMware, or Virtual PC virtual machine sessions to safely browse the Web.

While each virtualization technology has its benefits, most of the products in this protection class share the same problems -- I could mix and match my criticisms from a single spreadsheet.

1. No sandbox product is foolproof. I've yet to meet one that could not be easily circumvented. So, while they might give you a moderate amount of protection early on, if the sandboxes gain widespread popularity for protecting the masses, they will be hacked and circumvented. It happened to Java, and it will happen to Vista’s file and registry virtualization protection.

I’ve been able to defeat every product I’ve personally reviewed with minimal effort. The vendors often claim that their products are foolproof and don’t need constant updating “like those sorry anti-virus scanning products.” Then I run a battery of malware tests, and usually a well-known worm, spambot, or adware program breaks out of the virtual jail and modifies the host. Some take a bit more effort, but all have fallen within an hour of trying.

After one of my successful malware tests, a vendor that previously claimed its product was unbreakable said, “The automated attack had simulated a manual attack, which they didn’t protect against.” Excuse me while I try to choke back the reflux!

In my "Where Windows Malware Hides" document, I specify more than 130 file and registry locations where malware can hide to spread in Windows. Most sandbox protection products only protect against a dozen or so file and registry locations.

All OS virtual machine products, which might be able to protect all vulnerable locations, can be detected by the bad guys and be circumvented. There are a few products that perform the virtualization outside the host; although these offer additional protection, even they can be detected -- and have their own additional problems, to boot.