Seven shortcomings of virtual security

I've seen a spate of virtualization products popping up to protect your computer while you surf the Internet. Roughly similar to Sun’s Java infamous sandbox environment, they use various mechanisms to prevent malware from infecting or modifying your computer while you browse the Web, read e-mail, or use other forms of Internet-based communications (IM, p-to-p, and so on).

I’ve reviewed several of these types of products, including GreenBorder, Linux jail programs, and Microsoft Windows Vista’s file and registry virtualization technology. And many of us often use Zen, VMware, or Virtual PC virtual machine sessions to safely browse the Web.

While each virtualization technology has its benefits, most of the products in this protection class share the same problems -- I could mix and match my criticisms from a single spreadsheet. Here are the most commonly shared problems:

1. No sandbox product is foolproof. I've yet to meet one that could not be easily circumvented. So, while they might give you a moderate amount of protection early on, if the sandboxes gain widespread popularity for protecting the masses, they will be hacked and circumvented. It happened to Java, and it will happen to Vista’s file and registry virtualization protection.

I’ve been able to defeat every product I’ve personally reviewed with minimal effort. The vendors often claim that their products are foolproof and don’t need constant updating “like those sorry anti-virus scanning products.” Then I run a battery of malware tests, and usually a well-known worm, spambot, or adware program breaks out of the virtual jail and modifies the host. Some take a bit more effort, but all have fallen within an hour of trying.

After one of my successful malware tests, a vendor that previously claimed its product was unbreakable said, “The automated attack had simulated a manual attack, which they didn’t protect against.” Excuse me while I try to choke back the reflux!

In my "Where Windows Malware Hides" document, I specify more than 130 file and registry locations where malware can hide to spread in Windows. Most sandbox protection products only protect against a dozen or so file and registry locations.

All OS virtual machine products, which might be able to protect all vulnerable locations, can be detected by the bad guys and be circumvented. There are a few products that perform the virtualization outside the host; although these offer additional protection, even they can be detected -- and have their own additional problems, to boot.

2. Most virtual protection products don’t respond well to encoded attacks. Encoding is a popular malicious method for bypassing the initial inbound checks of a security product. Hackers and malware writers often encode malicious HTML commands into hexadecimal, double-byte, dotted decimal notation, or Unicode, instead of the ASCII text we, and protection products, expect. In many cases, the end result is that slight modifications to malicious commands are not detected or prevented.