Returnil and nothing else
trjam
December 9th, 2007, 05:38 AM
So for one week on one machine and just this product, I have visited the underside and back. Did reboot this morning, ran Kaspersky's online scanner and nothing.:thumb:
Of course I did mess up one computer and had to reformat, but that was my fault for some reason.::)
So email .pst restored and taking my AV off other computers and have decided to only use this. ;)
I really don't think we get as infected as some might lead us to think. But having totally nothing slowing me down has been very nice. Good job to Returnil.:)
Acadia
December 9th, 2007, 06:15 AM
Ok, but just remember, even though a Trojan will be deleted upon reboot, while it is still on your system (before you reboot) it can still steal your passwords, credit card numbers, etc. Once the person who sunk the Trojan onto your system has your private info, he/she does not care if the Trojan gets deleted.
Acadia
trjam
December 9th, 2007, 07:02 AM
I don't keep information like that on my computers.
Acadia
December 9th, 2007, 07:57 AM
-{ Quote: "I don't keep information like that on my computers." }-
:thumb: :thumb:
Acadia
zaxxon
December 9th, 2007, 07:58 AM
-{ Quote: "I don't keep information like that on my computers." }-
Don't you have any passwords on your pc?
trjam
December 9th, 2007, 08:12 AM
none that make sense.::)
Peter2150
December 9th, 2007, 08:38 AM
Returnil has one weakness that would keep me from running it by itself, in that it only protects the c: drive. If you have two internal drives, the second one is indeed vulnerable, and rebooting with Returnil does nothing for it.
Pete
Perman
December 9th, 2007, 10:38 AM
Hi, And....
The drives other than "C" are where you keep all the sensitive info. Be careful, be careful.
Long View
December 9th, 2007, 11:04 AM
Nearly 10 months now with "only" Returnil or Deep Freeze. I do have a hardware firewall and use Firefox with the usual add-ons. RoboForm with a 1 minute window protects password account details - I don't even know the passwords.
I load and run various on-demand programs every week or so just to check (NOD32, SuperAntiSpyware, the usual suspects) and nothing has ever shown up. Oh yes, always reboot just before paying by credit card.
Acadia
December 9th, 2007, 11:30 AM
-{ Quote: "Oh yes always re-boot just before paying by credit card." }-
:thumb: :thumb: :thumb: :thumb:
Acadia
Chuck57
December 9th, 2007, 12:06 PM
I use Returnil and either Sandboxie, GeSWall, or BufferZone depending on my mood, and my browser is K-Meleon which I run in Altiris. I'm not quite brave enough to abandon my av/as, although in the couple of weeks I've run my machine this way, both antivirus and antispyware have found nothing.
As a test, I set my av/as to on demand only and took my computer to some pretty dark places just to see, using only Returnil and, in this case IE7. I downloaded and opened some pretty grungy stuff. In one case only did I actually notice anything.
It was something I've never seen before. I have no idea what I picked up. My monitor screen began changing into what looked like a mosaic, just a series of little multicolored blocks and the hard drive was racing. I don't remember what site this was. I hit quite a few.
That scared the hell out of me and I immediately rebooted. When the reboot finished, the computer was back to normal. I ran my av and antispyware and it found nothing.
The only sensitive data I keep is my income tax data and it's on my second HD and is encrypted with Blowfish and a long, involved password.
Whatever weird thing I picked up, Returnil worked. Combined with geswall, sandboxie, or bufferzone, I'd have even more protection.
Peter2150
December 9th, 2007, 12:41 PM
-{ Quote: "I use Returnil and either Sandboxie, GeSWall, or BufferZone depending on my mood, and my browser is K-Meleon which I run in Altiris. I'm not quite brave enough to abandon my av/as, although in the couple of weeks I've run my machine this way, both antivirus and antispyware have found nothing.
As a test, I set my av/as to on demand only and took my computer to some pretty dark places just to see, using only Returnil and, in this case IE7. I downloaded and opened some pretty grungy stuff. In one case only did I actually notice anything.
It was something I've never seen before. I have no idea what I picked up. My monitor screen began changing into what looked like a mosaic, just a series of little multicolored blocks and the hard drive was racing. I don't remember what site this was. I hit quite a few.
That scared the hell out of me and I immediately rebooted. When the reboot finished, the computer was back to normal. I ran my av and antispyware and it found nothing.
The only sensitive data I keep is my income tax data and it's on my second HD and is encrypted with Blowfish and a long, involved password.
Whatever weird thing I picked up, Returnil worked. Combined with geswall, sandboxie, or bufferzone, I'd have even more protection." }-
You make a case for what I was saying above. Some nasties affect any drives they detect. If you are using something like Sandboxie or DefenseWall, you can protect the second drive. But rebooting with Returnil won't clean the 2nd drive if the nasty you downloaded affected it.
I use another product that gives me the choice. If just routine surfing, I may only protect c:, but if I am going riskier, I'll protect both. Downloading something to keep isn't a problem.
Pete
PS. Don't misunderstand me, Returnil is fine, but stuff can get to other drives.
Chuck57
December 9th, 2007, 12:57 PM
It's true that Returnil won't protect my second drive, which is why it is where I keep sensitive info, all encrypted. Of course if whatever gets through Returnil can destroy the second drive, all is lost. Considering computers and their 'ways,' and from learning the hard way I also have the info I need on a CD. I've had computers die unexpectedly.
I don't know of any free software like Returnil that will also cover my second HD, or I'd be taking a look at it. I'd still encrypt personal files and my current writing work though.
SystemJunkie
December 9th, 2007, 01:53 PM
-{ Quote: "Returnil has one weakness that would keep me from running it by itself, in that it only protects the c: drive. If you have two internal drives the second one is indeed vulnerable, and rebooting with returnil does nothing for it." }-
Yes, that's it. But it wouldn't be good if Returnil protected other drives, because you could never store anything.
-{ Quote: "The drives other than "C" are where you keep all the sensitive info. Be careful, be careful." }-
Password-protect this stuff and you're good, but before that use an anti-keylogger that blocks all known spy methods.
-{ Quote: "PS. Don't misunderstand me, Returnil is fine, but stuff can get to other drives." }-
That isn't so dramatic, because one push on the reset button and every malware activity must restart from the frozen point.
WWS
December 9th, 2007, 01:57 PM
-{ Quote: "You make a case for what I was saying above. Some nasties affect any drives they detect. If you are using something like Sandboxie or DefenseWall, you can protect the second drive. But rebooting with Returnil won't clean the 2nd drive if the nasty you downloaded affected it.
I use another product that gives me the choice. If just routine surfing, I may only protect c:, but if I am going riskier, I'll protect both. Downloading something to keep isn't a problem.
Pete
PS. Don't misunderstand me, Returnil is fine, but stuff can get to other drives." }-
How would you know if you have a nasty sandboxed?
And what would happen if you did a file recovery from the sandbox to your desktop, for instance?
Would the nasty escape then?
Chuck57
December 9th, 2007, 02:09 PM
-{ Quote: "How would you know if you have a nasty sandboxed?
And what would happen if you did a file recovery from the sandbox to your desktop, for instance?
Would the nasty escape then?" }-
Good question. I'd say that unless the thing opened in Sandboxie or one of the others, yes - if you downloaded the file and opened it on your desktop your computer would be at risk. If you had Returnil running, a reboot would get rid of it. If it turns out to be okay, move it to your other HD or onto CD.
Peter2150
December 9th, 2007, 02:30 PM
Yes a sandbox would contain it, and not let it out, unless you recover it.
To answer the question of how you know it's there: by watching via a HIPS, and watching what it does as it installs. The point is, the malware I tested in the other thread installed on both the c: drive and the d: drive. So unless you were protected by a sandbox-type program, it was installed on both drives. With Returnil, rebooting would clean the c: drive, but not the d: drive. That is the point.
Note this may or may not be a big deal to anyone, but just be aware, that the other drive isn't always safe.
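One practical way to answer "how would you know" for the drive Returnil leaves uncovered, added here as an example (it is not Peter's, Chuck's or Returnil's code): take a hash manifest of the second drive before a risky session, reboot, and diff the drive against that manifest. Anything added or modified on that drive survived the reboot and deserves a look. The directory tree the demo builds (Documents/taxes.txt, Downloads/unexpected.bin) is constructed for the example and stands in for d:.

```python
"""Baseline-and-compare check for a drive that a reboot-to-restore product
does not cover (the d: drive in the discussion above).  Snapshot the drive
before a risky session; after rebooting, diff the drive against the snapshot
to see whether anything was added, removed or changed on the unprotected drive.

Added example, not Returnil's or any poster's code.  The sample tree built by
run_demo() is constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def _sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    # followlinks=False so a symlink loop cannot make the walk run forever
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # deterministic order regardless of filesystem
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(before, after):
    """Files that appeared, disappeared or changed content between snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def run_demo():
    """Build a constructed stand-in for d:, snapshot it, simulate a session
    that drops one file and alters another, then report the difference."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as safe_place:
        os.makedirs(os.path.join(root, "Documents"))
        os.makedirs(os.path.join(root, "Downloads"))
        taxes = os.path.join(root, "Documents", "taxes.txt")
        with open(taxes, "w") as f:
            f.write("2007 return (constructed sample)\n")
        with open(os.path.join(root, "Downloads", "wanted.zip"), "wb") as f:
            f.write(b"PK\x05\x06" + b"\x00" * 18)  # empty zip archive

        # Keep the baseline somewhere the unprotected drive cannot reach
        # (read-only media or the frozen c: drive, not d: itself).
        baseline = os.path.join(safe_place, "d-drive-baseline.json")
        save_manifest(snapshot(root), baseline)

        # Simulated risky session: something lands on the unprotected drive and
        # an existing file is altered.  A Returnil reboot undoes neither.
        with open(os.path.join(root, "Downloads", "unexpected.bin"), "wb") as f:
            f.write(b"\x00constructed payload stand-in\x00")
        with open(taxes, "a") as f:
            f.write("tampered\n")

        return compare(load_manifest(baseline), snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9s} {paths}")
```

On a real machine you would run snapshot() against the drive root before the session and compare() after the reboot; the HIPS view Peter describes tells you what ran, while the diff tells you what it left behind on the drive the reboot did not roll back.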
WWS
December 9th, 2007, 02:44 PM
-{ Quote: "I use another product that gives me the choice. If just routine surfing, I may only protect c:, but if I am going riskier, I'll protect both. Downloading something to keep isn't a problem." }-
I was hoping you'd return and tell us about your using "another product."
ErikAlbert
December 9th, 2007, 03:04 PM
Since Peter proved, that PC Security didn't protect my second HDD as I expected, I use Sandboxie to protect it.
I still find "locking" my second HDD better in theory with more possibilities, but it doesn't work in practice, because malware can still "write" to my second HDD.
If I could lock my second HDD, I still would be able to test software, and what happens in my system partition doesn't matter, because my boot-to-restore fixes that.
I don't have that possibility anymore since I use Sandboxie, because Sandboxie is not good enough to test software and Sandboxie only works with sandboxed applications, just like DefenseWall does with untrusted applications.
If I test software in my system partition now and there is malware that targets my second HDD, it will be infected or even destroyed.
The bottom line is:
1. I solved one problem, but I created another problem: I can't protect my second HDD anymore during testing of software in my system partition.
2. So I need another extra piece of software to test software, like VMware, Virtual PC, etc.
Locking my second HDD would have solved both issues.
Using Returnil doesn't change anything and I already have something like Returnil. Maybe all this ISR software and isolating software is not good enough to TEST software and we all need something like Virtual PC, .... whatever.
EASTER
December 9th, 2007, 03:21 PM
Hi Erik
I still think you're selling yourself a little short by so quickly discounting PC Security this soon. The percentages are still in its favor after all. How many malwares specifically can cross into the "LOCKED" data partition by PC Security? Peter2150 indeed proved "one" was able to penetrate, but you do open up a valid concern if even "one" is one too many, and it only takes one entry of some destructive type to ruin what is expected to be secure 100%. I dunno, short of changing partition flags, exactly what software could ascend to that mark. I'm just as skeptical as you but not as quickly convinced. You still should keep a duplicate mirror copy of the data partition in any event, because we both know there's always a chance any software will fall short at some point, including the system itself, hence the need for images. I just haven't seen that happen yet with PC Security in normal surfing, and some of those being visits to known risk sites. I guess what sets my confidence apart from yours concerning PC Security is EQSecure 3.41 HIPS. It's already alerted me to a few stealth attempts of dropping a malicious file, but they are easily cancelled with one click, DENY!
Still, I line up completely with the idea and expectation that some software should automate this action without user interaction, but that's simply not possible yet, and then attention is returned back again to signature-based AS's and resident scanners.
lucas1985
December 9th, 2007, 03:27 PM
-{ Quote: "How many malwares specifically can cross into the "LOCKED" data partition by PC Security? Peter2150 indeed proved "one" was able to penetrate, but you do open up a valid concern if even "one" is one too many" }-
More and more malware is using the autorun.inf trick to copy itself into every disk/partition it encounters. Worms spread through removable drives are very common and some of them carry a really annoying payload (Virut/Tenga/Parite/Brontok).
ErikAlbert
December 9th, 2007, 03:43 PM
Easter,
I'm not willing to discuss "PC Security" anymore. PC Security failed ONE time and that is enough. Tropical Software is selling a product that doesn't do its job. Period.
I don't even understand why you are still defending PC Security. Locking a HDD should be a very simple thing to program: no reading and no writing. That's all, and even that wasn't possible for TropSoft.
If locking isn't technically possible at all, don't create such software, because you are cheating the users. :)
Rmus
December 9th, 2007, 04:19 PM
-{ Quote: "More and more malware is using the autorun.inf trick to copy itself into every disk/partition it encounters. Worms spread through removable drives are very common and some of them carry a really annoying payload (Virut/Tenga/Parite/Brontok)" }-
How is this possible with anyone who has some type of execution protection?
----
rich
Long View
December 9th, 2007, 04:58 PM
-{ Quote: "More and more malware is using the autorun.inf trick to copy itself into every disk/partition it encounters. Worms spread through removable drives are very common and some of them carry a really annoying payload (Virut/Tenga/Parite/Brontok)" }-
I disabled autorun a long time ago because I found it annoying. Would this prevent the problem?
Peter2150
December 9th, 2007, 05:03 PM
-{ Quote: "How is this possible with anyone who has some type of execution protection?
----
rich" }-
Shouldn't be, unless you think you have a trusted program to install, and you were wrong.
Peter2150
December 9th, 2007, 05:03 PM
-{ Quote: "I disabled autorun a long time ago because I found it annoying. Would this prevent the problem?" }-
Not necessarily. See reply above.
yankinNcrankin
December 9th, 2007, 05:08 PM
Ok, I was listening to this thread and I'm also a user of Returnil, awesome program! However, just some info on a test I just did with Julie Lau's sector editor v1.05, which happens to work low level. Side note: PowerShadow, all versions, fail as well. I session-locked and ran sector editor, selected my C:, which is partition 1, and did a sector fill. Then did a reboot and the OS was gone, abracadabra, scary ****. Recovered my system using PC-DOS and a backup ghost file of my system and was back in action in less than a min. Just wanted to say that there is malware that currently exists that has abilities on a low level that will bypass a lot of stuff if it is allowed to run, so maybe you may think about adding some kind of script blocker plus .exe and whatever else methods that could be used by malware to execute this type of action.
I don't wanna freak anyone out, just keeping it real; you guys may never run across malware that can do this, but I have, simple fact, I look for it. But yeah, just running Returnil for what I do wouldn't be enough to protect my system.
lucas1985
December 9th, 2007, 05:16 PM
-{ Quote: "How is this possible with anyone who has some type of execution protection?" }-
It isn't possible. The autorun.inf trick is only a concern for those who depend only/mainly on reboot-to-restore solutions (malware survives on non-system partitions and is executed when the user double-clicks on a drive).
-{ Quote: "I disabled autorun a long time ago because I found it annoying. Would this prevent the problem?" }-
With autorun disabled, you can safely plug in removable drives and explore/scan them before double-clicking anything. If you get infected (for whatever reason/cause), malware might re-enable autorun.
EASTER
December 9th, 2007, 05:17 PM
Greetings again yankinNcrankin
It's always interesting, the demands you place with your testing, as well as Peter2150 and some others, and then report on them. Thanks for that.
I'm sure Coldmoon of Returnil would find your results of some interest; hopefully we'll see some response to this and what might be done to prevent it.
Thank Goodness for fallback images eh?
lucas1985
December 9th, 2007, 05:27 PM
-{ Quote: "However just some info on a test I just did with Julie Lau's sector editor v1.05 which happens to work low level." }-
I'd guess that HxD (http://wa651.ok16.de/hxd/) (Hex Editor and Disk Editor) might bypass Returnil's protection too.
ErikAlbert
December 9th, 2007, 05:38 PM
yankinNcrankin,
Yes, that kind of malware is scary and I would be scared too; that is a normal human reaction, because you don't expect this at all.
I already know that this can happen to any ISR software and that's why I have a Zero Tool and a clean image to fix this.
As long as I can fix it with restoring an image, I'm not scared anymore.
If I cannot fix it with restoring an image, then I'm REALLY scared and out of business. Something like a hardware virus.
yankinNcrankin
December 9th, 2007, 06:44 PM
heheh, well that's what I'll allude to later, maybe in another topic post, that the mysterious beast is the actual hardware you're buying. :-X
trjam
December 9th, 2007, 07:40 PM
think I will just stick with my old tried and true for now, Sandboxie and F-Secure.;)
trjam
December 9th, 2007, 08:19 PM
Also a word of warning to those who are not very schooled in areas like partitioning, virtualization, etc., like me. Be careful, sometimes you can do yourself more harm than good. I guess the best advice I can give is get yourself a solid AV or suite and the reality is, you will be fine. I am a bigger danger to my PC security than any trojan, worm or bot.:-\
SystemJunkie
December 9th, 2007, 09:40 PM
-{ Quote: "Ok, I was listening to this thread and I'm also a user of Returnil, awesome program! However, just some info on a test I just did with Julie Lau's sector editor v1.05, which happens to work low level. Side note: PowerShadow, all versions, fail as well. I session-locked and ran sector editor, selected my C:, which is partition 1, and did a sector fill. Then did a reboot and the OS was gone, abracadabra, scary ****. Recovered my system using PC-DOS and a backup ghost file of my system and was back in action in less than a min. Just wanted to say that there is malware that currently exists that has abilities on a low level that will bypass a lot of stuff if it is allowed to run, so maybe you may think about adding some kind of script blocker plus .exe and whatever else methods that could be used by malware to execute this type of action.
I don't wanna freak anyone out, just keeping it real; you guys may never run across malware that can do this, but I have, simple fact, I look for it. But yeah, just running Returnil for what I do wouldn't be enough to protect my system." }-
Incredible beasty trick, good to know.
-{ Quote: "but not the d: drive. That is the point." }-
What about full encryption of D?
-{ Quote: "I am a bigger danger to my PC security than any trojan, worm or bot." }-
Hehe, the human factor. ;D
Peter2150
December 9th, 2007, 09:41 PM
-{ Quote: "Also a word of warning to those who are not very schooled in areas like partitioning, virtualization, etc., like me. Be careful, sometimes you can do yourself more harm than good. I guess the best advice I can give is get yourself a solid AV or suite and the reality is, you will be fine. I am a bigger danger to my PC security than any trojan, worm or bot.:-\" }-
ROFL. I sure can agree with that, given what I've done to myself.
Empath
December 9th, 2007, 11:39 PM
I don't know that anything that runs from the system disk could withstand a sector by sector low level attack of the system disk.
There is still the problem for the bad guy to drop the right malware on the right system, get it initiated and get it functioning to the point that it's in control. In some things it's possible. In others it would be an extreme challenge. Every way we find of destroying our own systems doesn't mean there's a horde of hackers that can remotely release the same things easily on an armed system.
Tarnak
December 9th, 2007, 11:51 PM
-{ Quote: "Every way we find of destroying our own systems doesn't mean there's a horde of hackers that can remotely release the same things easily on an armed system." }-
"Beware the enemy within" ---- in which case would be true for me, many times over. LOL ;D
HURST
December 10th, 2007, 12:16 AM
-{ Quote: "With autorun disabled, you can safely plug removable drives and explore/scan them before double-clicking anything. If you get infected (by whatever reason/cause) malware might re-enable autorun." }-
How do you disable it? I found many different ways on Google, and I don't feel like rebooting every time in case I break something (and some methods require a reboot anyway) ;D
Coldmoon
December 10th, 2007, 11:39 AM
-{ Quote: "I'd guess that HxD (http://wa651.ok16.de/hxd/) (Hex Editor and Disk Editor) might bypass Returnil's protection too." }-
Hi lucas1985,
We added protection for changes attempted when using this type of application in previous versions to protect the MBR. We are looking closer at methods to address the use of Sector Editors that none of the ISR alternatives provide protection for.
We should have a version of 2.0 available soon (this week) that will include a solution for testing...
EASTER said:
-{ Quote: "I'm sure Coldmoon of Returnil would find your results of some interest; hopefully we'll see some response to this and what might be done to prevent it." }-
The most important thing everyone needs to keep in mind here is that we advocate a layered approach. This does not mean "layered" as in "I use three different antimalware scanners and a firewall...", rather it means that we advocate that the user deploy a strong, but targeted line up designed to cover the greatest number of vulnerabilities with the smallest number of resources used.
Further we advocate using the following framework:
1) Prevention - keep the malicious content off of your computer in the first place
2) Detection (and removal if #1 fails) - Detect incoming content and keep it off your system then remove it if it gets through.
3) Cure - Using ISR to close the gap should #1 be insufficient and when you run into the inevitable issue with #2 where the solution failed to detect and/or remove the content for whatever reason (no signature update, removal engine insufficient to deal with a new malware, etc)
The point here is that you should never rely solely on a single product or method to protect your system; rather, you should evaluate the strengths of your current tool chest to make sure you have adequately addressed any weaknesses these tools might have...
Mike
tradetime
December 10th, 2007, 11:58 AM
-{ Quote: "
The most important thing everyone needs to keep in mind here is that we advocate a layered approach. This does not mean "layered" as in "I use three different antimalware scanners and a firewall...", rather it means that we advocate that the user deploy a strong, but targeted line up designed to cover the greatest number of vulnerabilities with the smallest number of resources used.
Further we advocate using the following framework:
1) Prevention - keep the malicious content off of your computer in the first place
2) Detection (and removal if #1 fails) - Detect incoming content and keep it off your system then remove it if it gets through.
3) Cure - Using ISR to close the gap should #1 be insufficient and when you run into the inevitable issue with #2 where the solution failed to detect and/or remove the content for whatever reason (no signature update, removal engine insufficient to deal with a new malware, etc)
The point here is that you should never rely solely on a single product or method to protect your system; rather, you should evaluate the strengths of your current tool chest to make sure you have adequately addressed any weaknesses these tools might have...
Mike" }-
Precisely the approach I try to follow, with firewall, AV, and HIPS, alongside Returnil and Sandboxie.
lucas1985
December 10th, 2007, 01:24 PM
-{ Quote: "How do you disable it? I found many different ways on Google, and I don't feel like rebooting every time in case I break something (and some methods require a reboot anyway) ;D" }-
Do it with Tweak UI (http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx) :)
-{ Quote: "Hi lucas1985,
We added protection for changes attempted when using this type of application in previous versions to protect the MBR. We are looking closer at methods to address the use of Sector Editors that none of the ISR alternatives provide protection for.
We should have a version of 2.0 available soon (this week) that will include a solution for testing..." }-
Great :)
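Two checks that go with the autorun.inf discussion above (lucas1985's description of the trick, and the question of how to disable autorun), added here as an example rather than anything from the thread, Returnil or Microsoft: the first parses an autorun.inf and lists the directives that would launch something on AutoPlay or on a double-click of the drive icon, so a drive can be inspected before anything is opened; the second decodes the NoDriveTypeAutoRun policy value that the Tweak UI setting writes, so you can confirm the tweak covers fixed and removable drives and not just CD-ROMs. The sample autorun.inf is constructed for the demo; the drive-type bit values follow Microsoft's documented DRIVE_* numbering, and 0xFF is the value that disables autorun for every drive type.

```python
"""Defensive helpers for the autorun.inf problem discussed above.

parse_autorun_inf(text)  - lists the directives in an autorun.inf that make
    Windows launch something on AutoPlay or when the drive is double-clicked.
decode_no_drive_type_autorun(value) - explains the NoDriveTypeAutoRun policy
    bitmask (under HKLM/HKCU ...\\Policies\\Explorer) so you can confirm an
    "autorun disabled" tweak really covers every drive type.

Added example, not code from the thread, Returnil or Microsoft.  The sample
autorun.inf below is constructed for the demo.
"""
import re
from configparser import ConfigParser, Error as ConfigError

# Keys that cause code to run: open/shellexecute fire on AutoPlay; 'shell'
# selects the default verb and shell\<verb>\command defines what it runs,
# so double-clicking the drive in Explorer executes it.
LAUNCH_KEYS = {"open", "shellexecute", "shell"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# NoDriveTypeAutoRun: a set bit DISABLES autorun for that drive type.
DRIVE_TYPE_BITS = (
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),   # USB sticks, floppies
    (0x08, "DRIVE_FIXED"),       # internal partitions such as d:
    (0x10, "DRIVE_REMOTE"),      # network shares
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "RESERVED"),
)


def parse_autorun_inf(text):
    """Return the launch directives and icon of an autorun.inf.

    Malformed input is reported (parsed=False) rather than raised, so a scan
    over many drives can flag it and move on.
    """
    cp = ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except ConfigError as exc:
        return {"parsed": False, "error": str(exc), "launches": [], "icon": None}
    # Windows matches the section name case-insensitively; ConfigParser does not.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    launches, icon = [], None
    if section is not None:
        for key, value in cp.items(section):  # option names arrive lower-cased
            value = (value or "").strip()
            if key in LAUNCH_KEYS or VERB_COMMAND.match(key):
                launches.append((key, value))
            elif key == "icon":
                icon = value
    return {"parsed": True, "error": None, "launches": launches, "icon": icon}


def decode_no_drive_type_autorun(value):
    """Map each drive type to True if autorun is disabled for it."""
    return {name: bool(value & bit) for bit, name in DRIVE_TYPE_BITS}


def autorun_fully_disabled(value):
    """0xFF disables autorun for every drive type."""
    return value & 0xFF == 0xFF


# Constructed sample in the style of a worm's autorun.inf; not a real specimen.
# The icon line borrows the stock drive icon so the stick looks like a plain
# drive, and every verb points at a file hidden inside RECYCLER.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=RECYCLER\\hidden.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\hidden.exe
shell\\explore\\command=RECYCLER\\hidden.exe
UseAutoPlay=1
"""

if __name__ == "__main__":
    result = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    for key, target in result["launches"]:
        print(f"launch directive: {key} -> {target}")
    # 0x91 is used here as an example of a partial setting, not as any default
    for name, off in decode_no_drive_type_autorun(0x91).items():
        print(f"{name:18s} autorun {'disabled' if off else 'ENABLED'}")
    print("fully disabled:", autorun_fully_disabled(0x91))
```

On a USB stick or an internal data partition there is no legitimate installer to launch, so any entry in the launches list is a reason to look at the file it points to before double-clicking the drive; a parse failure is worth the same attention, since a file that Windows still honours but a parser rejects is not a normal autorun.inf. For the policy value, a result where DRIVE_FIXED or DRIVE_REMOVABLE is still enabled means the tweak did not cover the drives this thread is worried about.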
Copyright ©2002 - 2012, Wilders Security Forums