A new type of program has been created by several companies recently. The first one I am aware of was developed in 2006 and violated the GPL back then. More of them seem to be offered all the time.
These programs claim to protect you from malware, just like AVs, only better and against unknown threats as well. And indeed the idea is intriguing; I first heard of an implementation back in 2005, one that was far more complete than the half-hearted solutions offered now. That particular solution would move the Windows kernel into ring 1 and could then supervise it. In fact every process would literally see its own copy of the system: process separation taken to the max.
The solutions you find nowadays redirect write access to the disk, the registry and so on into some separate storage. So it seems like the system runs normally, but in fact all changes are non-persistent. Apart from the security aspect – and I would claim there are ways to circumvent this – that can be a bit inconvenient. Still, the idea is intriguing. But how exactly does it make anything safer?
Alright, if I reboot such a “secured” system it goes back to its old state, but how does that help me if my system has been running uninterrupted for two weeks and some spyware took the time to send my private data over the wire?! Remember, access rights stay the same, so only the part of the malware that consists of “writing somewhere” gets defused! The botnet owner who infected my machine during that uptime will still be able to remote-control my system. Let’s assume for a second that the botnet owner is not after my private data: my zombified machine is still going to spit a shitload of spam mails into the internet. How does that help in any way?
So how exactly does that solve anything? I can get the same level of security with a backup program and restoring a clean baseline. Once you think about it in more detail, the idea is not so intriguing anymore. As long as there is no stronger separation of processes and no definition of what a particular process is allowed to access, security has not increased. Even worse, some users will become even more reckless, because they don’t care about their own private data, let alone the spammed mailboxes of others. The idea needs some more thought to refine it. There is something to it, but so far the security gained is rather theoretical.
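To make the argument concrete, here is an added toy model (example code written for this post, not code from any of the products mentioned) of the write-redirection mechanism: writes go to a scratch layer that a reboot throws away, but reads and network sends during uptime are untouched, so private data still leaks. The `allowed` read policy is an assumed stand-in for the per-process access definition the post asks for; paths, registry keys and the "spyware" steps are constructed.

```python
# Constructed toy model; paths, registry keys and the "spyware" steps are made up.

class RedirectedStorage:
    """Disk/registry image whose writes are diverted into a scratch layer.
    Reads fall through to the base image; reboot() discards the scratch.
    This is the whole mechanism the products discussed above provide."""

    def __init__(self, base):
        self.base = dict(base)  # the persistent image
        self.scratch = {}       # redirected writes, lost on reboot

    def read(self, key):
        return self.scratch.get(key, self.base.get(key))

    def write(self, key, value):
        self.scratch[key] = value  # self.base is never modified

    def reboot(self):
        self.scratch.clear()


def run_session(storage, steps, allowed=None):
    """Execute (process, op, key) steps during one uptime period.
    `allowed` is an assumed per-process read policy {proc: {keys}};
    None means no policy at all, the situation criticised above.
    Returns the values that left the machine over the wire."""
    held = {}  # value each process currently holds in memory
    wire = []
    for proc, op, key in steps:
        if op == "write":
            storage.write(key, "written by " + proc)
        elif op == "read":
            if allowed is None or key in allowed.get(proc, set()):
                held[proc] = storage.read(key)
        elif op == "send" and held.get(proc) is not None:
            wire.append((proc, held[proc]))
    return wire


def demo(allowed=None):
    """Infect, read private data, send it, reboot.
    Returns (base image untouched, write visible during uptime, exfiltrated)."""
    base = {"C:/Users/oliver/private.txt": "secret", "HKLM/Run": ""}
    storage = RedirectedStorage(base)
    steps = [("spyware", "write", "HKLM/Run"),
             ("spyware", "read", "C:/Users/oliver/private.txt"),
             ("spyware", "send", None)]
    wire = run_session(storage, steps, allowed)
    persisted = storage.read("HKLM/Run") != ""
    storage.reboot()
    return storage.base == base, persisted, wire
```

Without a policy the base image survives the reboot, yet the secret has already left the machine; only a read policy that excludes the spyware process stops the leak.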
// Oliver