With legitimate Web sites becoming very common vectors for malware infection, how can an end-user decide which Web sites to open up in the green or red environments? When should the user save versus discard a change?
Many limited emulation environment vendors state that their products will automatically determine what should and shouldn't be saved permanently. They state they can tell the difference between something initiated by a legitimate user and something done programmatically by malware. The truth is, they can't do it perfectly. In my testing, every product left behind some malware permanently, and things the user saved or configured manually were deleted.
My favorite story about unwanted leftovers came when I confronted a vendor with malware remnants left behind by their product. The vendor proceeded to tell me that the automated malware program "had mimicked the actions a legitimate user would have done manually, so that's why the limited emulation program left the malware remnants behind."
Many products supplement their automatic decision process by letting the user (or admin) manually decide when to reset the limited emulation environment. I chuckle about this every time I test it. First, malware can do what it needs to do (steal and e-mail passwords, for instance) in milliseconds. If it takes longer than that, the malware does it rather silently in most cases. I mean, if the user were capable of consistently recognizing when they were infected by malware, they wouldn't need the emulation protection in the first place!
Even more to the point, a large share of malware is installed on purpose by end-users because of social engineering enticements. Last week's column revealed that in many studies, more than 50 percent of end-users, when notified by anti-malware programs that they are installing malware, still install it. If the limited emulation environment attempts to keep software intentionally downloaded by end-users, and a lot of that software is malicious, what protection have you gained?
It's because of these flaws, and others, that I cannot recommend limited emulation environments. They are flawed in theory, and in practice, real malware affirms the theoretical conclusions. I'm not saying that a highly accurate limited emulation protection environment can't be created, but I doubt it. Why we keep repeating the same failed techniques and expecting different results is a mystery to me.
Just as strange, after each of my limited emulation protection product reviews, in which I skewered a product and the entire product class, more than a dozen other vendors offered to send me their limited emulation product for testing, hoping that their product would succeed where others have failed. Accordingly, I've decided to review multiple vendor products in an upcoming InfoWorld Test Center review article. I'm hoping to be surprised, but I'm not holding my emulated breath.