
Questions about Returnil Lab version


developers
June 3rd, 2009, 06:41 AM
Hi,

Few questions

- How does SystemGuard work? I've activated SystemGuard protection but it doesn't appear to work, and it doesn't alert me after system modification, driver loading, or autorun modification (Windows XP SP3 and Windows XP SP2).

- The install process needs an internet connection, otherwise it returns the error "Fail to download the latest database from the internet". What is this database?

PS
This version is also immune to the new MBR rootkit.

Coldmoon
June 3rd, 2009, 10:20 AM
Hi developers,
> How does SystemGuard work? I've activated SystemGuard protection but it doesn't appear to work, and it doesn't alert me after system modification, driver loading, or autorun modification (Windows XP SP3 and Windows XP SP2).

The System Guard uses features of the Anti-Execute and an AM implementation that is designed to protect against current dog type trojans and those you have sent us in the past.

In the current version of Lab, there are no configurations available and SG will block these types of malware silently.

> The install process needs an internet connection, otherwise it returns the error "Fail to download the latest database from the internet". What is this database?

The database is for the System Guard feature. At install, RVS will check our server at Returnil (dot) org for updates. It will then download and apply those updates. Further, the Lab version will connect to the same server when the program is started to check for new database updates.

Mike

developers
June 10th, 2009, 04:10 PM
Why does Returnil (RvsSvr.exe) try to connect to ip-43-103.iinet.pdx.dotster.net (http protocol) even if it's disabled and system guard is off?

Coldmoon
June 11th, 2009, 11:40 AM
Hi developers,
I apologize for the late reply on this. The Lab version will check for updates to the targeted database included in the System Guard feature. This process is automatic and designed to provide protection against specific types of malware that can circumvent ISR protection.

The remote address you mention, however, is not ours. I suspect you may be using TCPview, which has a tendency to report incorrect information (it sometimes shows the next/random hop in the route, or even the ISP, for example).

Mike

Coldmoon
June 11th, 2009, 01:10 PM
After some checking, the address is actually pointing at the ISP and resolves to the same IP as returnil.com.

HTH

Mike

developers
June 11th, 2009, 03:52 PM
Thanks!

Yes I've used TcpView ;D