Technical Returnil question regarding malware
Jeroen1000
August 21st, 2009, 01:49 PM
Hi guys,
As I understand it, Returnil keeps track of which sectors on disk change and reverts these changes after reboot? Yet I have read that certain rootkits and other malware can slip past this?
I don't get how this is possible. A sector that has changed must be clearly detectable? The only way I can think of is that the rootkit compromises the kernel...
Please elaborate on this :)
developers
August 21st, 2009, 05:09 PM
Instant system recovery software uses a filter driver which hooks the disk driver and intercepts I/O request packets generated by the I/O Manager.
A rootkit can bypass this by detaching the filter device object, or by hooking a lower-level driver than disk.sys (such as atapi.sys) and issuing direct I/O instructions. There's also a technique presented at the Xcon2008 conference, which penetrates ISR by sending commands through the IOCTL_XXX_PASS_THROUGH interface.
Then there are bootkits...
Jeroen1000
August 22nd, 2009, 04:31 PM
Thanks for your answer. This is my first encounter with software like Returnil, really.
Now I see one does indeed still need a virus scanner. Perhaps a big off-topic question, but a very important one to me (if you don't mind):
Does Returnil also prevent the MFT from being updated?
Suppose you save a few files on the desktop with Returnil system protection on. These files will get an entry in the MFT. Returnil will roll back the changes upon reboot, but will it also revert the MFT (and how)?
From a privacy perspective, a lot of info leaks from the MFT, and this would certainly put a lock on that door :)
developers
August 22nd, 2009, 06:23 PM
If you examine the partition with a forensic tool, you can find the files you saved with protection turned on in unallocated clusters (the link between the MFT entry and the clusters still exists), so you can recover them.
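The recovery path described in this answer, shown as an added example that is not from the thread or from Returnil: a forensic tool reads the file's MFT record, decodes the data runs of its $DATA attribute, and reads those clusters straight from the volume, whether or not the record is still flagged in use and whether or not the clusters are still allocated. Everything below is constructed (a 1 KiB FILE record, a 16-cluster image with 512-byte clusters, and the file content); only the record, attribute and data-run layout follow the real NTFS on-disk format. Sparse and resident $DATA attributes are out of scope here.

```python
import struct

CLUSTER_SIZE = 512                 # constructed: tiny clusters keep the image small
ATTR_DATA = 0x80                   # $DATA attribute type code
ATTR_END = 0xFFFFFFFF              # end-of-attributes marker
FLAG_IN_USE = 0x0001               # FILE record flag: entry is allocated

# Constructed file content: 1400 bytes, so it spans 3 clusters of 512
SAMPLE_CONTENT = b"browser history export, 2009-08-22\n" * 40


def parse_data_runs(runs: bytes) -> list:
    """Decode an NTFS data-run list into absolute (lcn, cluster_count) pairs.

    Header byte per run: low nibble = byte width of the run length, high nibble
    = byte width of the signed LCN delta (relative to the previous run's LCN).
    A 0x00 header byte terminates the list."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:            # sparse run: no clusters on disk
            raise ValueError("sparse runs are not handled in this example")
        delta = int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        lcn += delta
        out.append((lcn, count))
    return out


def find_data_attribute(record: bytes):
    """Return (in_use, raw data-run bytes, real_size) for the unnamed,
    non-resident $DATA attribute of a FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    attr_off, flags = struct.unpack_from("<HH", record, 0x14)
    pos = attr_off
    while True:
        atype = struct.unpack_from("<I", record, pos)[0]
        if atype == ATTR_END:
            break
        alen = struct.unpack_from("<I", record, pos + 4)[0]
        non_resident, name_len = record[pos + 8], record[pos + 9]
        if atype == ATTR_DATA and non_resident and name_len == 0:
            runs_off = struct.unpack_from("<H", record, pos + 0x20)[0]
            real_size = struct.unpack_from("<Q", record, pos + 0x30)[0]
            return bool(flags & FLAG_IN_USE), record[pos + runs_off:pos + alen], real_size
        pos += alen
    raise ValueError("no non-resident $DATA attribute")


def recover(record: bytes, image: bytes):
    """Read the file's clusters out of the image by following the record's runs."""
    in_use, runs, real_size = find_data_attribute(record)
    data = bytearray()
    for lcn, count in parse_data_runs(runs):
        start = lcn * CLUSTER_SIZE
        data += image[start:start + count * CLUSTER_SIZE]
    return in_use, bytes(data[:real_size])      # real size trims cluster slack


def build_record(in_use: bool, runs: bytes, real_size: int) -> bytes:
    """Constructed minimal 1 KiB FILE record with one non-resident $DATA attribute."""
    clusters = sum(count for _, count in parse_data_runs(runs))
    attr = bytearray(0x40)                         # non-resident attribute header
    struct.pack_into("<I", attr, 0x00, ATTR_DATA)
    attr[0x08] = 1                                 # non-resident flag
    attr[0x09] = 0                                 # unnamed attribute
    struct.pack_into("<Q", attr, 0x18, clusters - 1)             # last VCN
    struct.pack_into("<H", attr, 0x20, 0x40)                     # runs follow the header
    struct.pack_into("<Q", attr, 0x28, clusters * CLUSTER_SIZE)  # allocated size
    struct.pack_into("<Q", attr, 0x30, real_size)                # real size
    struct.pack_into("<Q", attr, 0x38, real_size)                # initialized size
    body = bytearray(attr + runs)
    body += b"\x00" * (-len(body) % 8)             # attribute lengths are 8-byte aligned
    struct.pack_into("<I", body, 0x04, len(body))
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, FLAG_IN_USE if in_use else 0)
    rec[0x38:0x38 + len(body)] = body
    struct.pack_into("<I", rec, 0x38 + len(body), ATTR_END)
    return bytes(rec)


def demo():
    """Constructed scenario: a file that was saved and then rolled back. Its
    clusters (5-6 and 9) are unallocated and its record is flagged not in use,
    yet the record's data runs still point at the content."""
    image = bytearray(16 * CLUSTER_SIZE)
    image[5 * CLUSTER_SIZE:7 * CLUSTER_SIZE] = SAMPLE_CONTENT[:2 * CLUSTER_SIZE]
    tail = SAMPLE_CONTENT[2 * CLUSTER_SIZE:]
    image[9 * CLUSTER_SIZE:9 * CLUSTER_SIZE + len(tail)] = tail
    # run 1: 2 clusters at LCN 5; run 2: 1 cluster at LCN 5+4=9; 0x00 ends the list
    runs = bytes.fromhex("11 02 05  11 01 04  00")
    record = build_record(in_use=False, runs=runs, real_size=len(SAMPLE_CONTENT))
    return recover(record, image)


if __name__ == "__main__":
    in_use, data = demo()
    print("record in use:", in_use, "| recovered", len(data),
          "bytes | matches original:", data == SAMPLE_CONTENT)
```

The point the example makes is the one in the answer: as long as the record's data runs and the clusters they reference are intact, the content is reachable, so wiping the cached clusters (rather than merely discarding the cache) is what actually closes the door.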
Coldmoon
August 26th, 2009, 10:25 AM
> If you examine the partition with a forensic tool, you can find the files you saved with protection turned on in unallocated clusters (the link between the MFT entry and the clusters still exists), so you can recover them.
One note here that all should be aware of: if you activate the cache wipe option, these same files will not be recoverable...
Mike
Copyright ©2002 - 2009, Wilders Security Forums