Endpoint Virtualization Community Blog

Does the virtualization of a Web browser prevent a virus infection?

Created: 25 Apr 2006 • Updated: 29 Jul 2010 • 3 comments
Admin

Q:
Jack asked: Does the virtualization of a Web browser such as Internet Explorer or Firefox prevent a virus infection? For example, if one were browsing the Web with an SVS installation of Firefox and encountered a virus, could that spread to the baseline system, or does the sandbox effect extend to the system memory as well as the file system?

A:
Hello Jack. Thanks for the question.

If malware launches from a virtualized application, SVS will track that as part of the process tree and capture what it does. When the layer is reset, the malware will be removed from the local hard drive. So SVS does prevent malware from permanently altering the app that launched it.

Note: The malware still has an opportunity to run and to perhaps do some damage across the wire. So this should be considered an additional layer of protection, not a replacement for anti-virus products!

Also, a caveat on this: There are several ways in Windows to launch a process that is not tracked as part of the parent process tree. If a piece of malware does this, it could write outside the source layer (to the base or to other layers). So, it's very important to understand that Altiris is NOT positioning this release of SVS as a security solution!

Our Altiris Protect product (based on the same core technology as SVS) is the solution for isolating everything that is not in a Virtual Software Package (VSP). That is, for maintaining the state and integrity of the base. In the next release of Protect and SVS, you will be able to deploy them together. Then you will have a comprehensive solution, regardless of how the malware runs or where it writes to. At that time, we will be talking about the security benefits.
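
The caveat in the answer above, as an added illustration that is not part of the original post and is not Altiris code: a simplified model which assumes a write is captured in the layer only when the writing process descends from the virtualized application's process. All PIDs, process names and paths are constructed sample data.

```python
# Simplified model (an assumption, not SVS internals): a write is redirected
# into the layer only if the writing process descends from the layer's root.
# All events below are constructed sample data.

def in_tree(pid, root, parent_of):
    """True if pid is root or has root among its recorded ancestors."""
    seen = set()
    while pid is not None and pid not in seen:
        if pid == root:
            return True
        seen.add(pid)  # guards against cycles caused by bad or reused PIDs
        pid = parent_of.get(pid)
    return False

def route_writes(root, process_events, write_events):
    """Split file writes into layer (captured) and base (escaped)."""
    parent_of = {pid: ppid for pid, ppid, _ in process_events}
    names = {pid: name for pid, _, name in process_events}
    layer, base = [], []
    for pid, path in write_events:
        target = layer if in_tree(pid, root, parent_of) else base
        target.append((names.get(pid, "?"), path))
    return layer, base

def reset_layer(layer, base):
    """Resetting discards what the layer captured; base writes remain."""
    return [], base

# (pid, parent pid, image name); pid 100 is the virtualized browser.
PROCESSES = [
    (4, None, "system-broker.exe"),  # hypothetical process outside the layer
    (100, None, "firefox.exe"),
    (210, 100, "dropper.exe"),       # child of the browser: tracked
    (305, 4, "payload.exe"),         # different parent: not in the tracked tree
]
WRITES = [
    (100, r"C:\profile\cache.bin"),
    (210, r"C:\temp\a.dll"),
    (305, r"C:\temp\b.dll"),
]

if __name__ == "__main__":
    layer, base = route_writes(100, PROCESSES, WRITES)
    print("captured in layer:", layer)
    print("written to base:  ", base)
    print("after reset:      ", reset_layer(layer, base))
```

The entries left in `base` after the reset are the ones a defender would need another control, such as anti-virus or base-integrity protection, to catch.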

Comments

riva11

Interesting argument. My only doubt is related to the layer reset: for any malware downloaded from the Internet, resetting the layer is a must.

+2
erikw

There are two ways that malware and viruses use to infect your computer.

The first way is to drop a little program on your machine that multiplies itself. When you have no exclusions, the infection stays in the layer, and by resetting it when logging off, the malware is gone.

The second way is to delete a Windows program from %windir%\system32, and create itself there with that name.
SVS does not see it, and the infection gets out of the layer.

Altiris has another great product released that can really prevent this. Use Altiris Endpoint solution.

Regards
Erik
www.svs4u.nl

Regards Erik www.DinamiQs.com Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)


+2
Col Peters

Being a new user I'm trying to get a handle on SVS so please forgive any naivete:

Doesn't SVS monitor [WINDIR] and its subdirs, including system32?

I thought SVS would capture any malware trying to create itself here, and, if not, just how reliably *does* SVS do what it claims to do?

Thanks

0