Hello ace55 and welcome to the forums
Quote:
Originally Posted by ace55
> First off, thanks in advance for your help.
> I run Windows 7 x64 and am considering adding Returnil as part of my layered security model alongside Comodo Firewall and Defense+, Avira 10 Personal, Sandboxie, Prevx and Immunet. I do not believe I should experience any problems with any of these programs. I do currently have Acronis True Image 2010 installed and wonder if that would conflict with or fail to work properly with Returnil.
Just remember to deactivate the RVS System Safe virtualization before attempting to create a backup or image as RVS will stop these programs from performing said activities when the system is virtualized to prevent potential damage to the real system files. Also be aware that disk defragmentation is similarly blocked for the same reason.
Quote:
> Additionally, I am curious as to differences between the x64 and x32 versions of Returnil. I am rather dismayed at the reduced security of my other products due to PatchGuard. I saw a reply from someone from Returnil in another thread (coldmoon, I believe) that said there was no effect on x64 due to PatchGuard. I am wondering how Returnil operates so effectively in x64. I would appreciate it if you could provide some details on how Returnil maintains such an absolute level of protection without patching the kernel. How does it enforce the system-wide virtualization?
The difference is wholly due to the way RVS virtualizes the system. There is no conflict with PatchGuard because RVS does not need to "patch" the kernel or monitor the file system. Though not an exact description, think of RVS as a drive filter, rather than a file system filter. As a result, the RVS System Safe virtualization does not care what Windows does or what is happening within Windows as said changes will be removed at restart of the computer.
This property of the SS component is counter-balanced by the detection capabilities in the Virus Guard component to provide the canary-in-the-coal-mine warning of potential malware from newly created or introduced content so it can be "flushed" from the virtual environment and keep your real system clean over time.
Quote:
> I use an SSD in this machine so am concerned with the amount of writes done to the drive. Does Returnil amplify the amount of data written to the drive as compared to a normal system?
RVS uses a cache to store and track changes during the applicable virtual session (with SS on and until the next restart = one virtual session). Like (but not exactly the same as) the Windows Pagefile, the RVS cache is written to in a form of "streaming consciousness" until the computer is restarted and then begins again at the start of said cache with the following virtual session. This starting point may change due to the fact that the RVS cache is created "on-the-fly" as needed, but can result in the same sectors of the disk being used disproportionately to other sectors of the disk.
As you are probably aware, SSDs have a more limited life cycle (~100,000 writes) for any given sector than a traditional platter drive and as a result, can wear out faster. We are working to address this in future versions of RVS and are testing the initial changes to the virtualization engine in the RVS Labs beta which includes multi-partition virtualization. Further, said virtualization supports the creation and maintenance of caches on alternate partitions.
So what does this mean in English?
Let's say we have a slightly customized computer with three partitions:
C:\ = System (Windows & programs)
D:\ = Factory restore image
E:\ = Data drive & supplemental file storage
The new engine will not support moving the cache for the System partition in the first upgrade versions, but will allow this for non-system drives and partitions. This means that you could virtualize the D:\ drive to protect it from unwanted/malicious changes while storing the cache for the D:\ drive on the E:\ drive.
Now take this to a further logical step and let's assume the E:\ drive is actually a supplemental platter drive. In this case, the platter drive can be used as a sacrificial drive to absorb the writes that would tend to degrade the SSD over time. We are working to make this possible for the System Partition to complete full SSD support in RVS as we go forward.
Quote:
> A rather simple question: how easy is it to commit changes to the actual drive and what protections are in place to prevent malware exploiting this and committing changes to the drive? Is there a toggle switch which unconditionally prevents all changes to the drive until after a reboot? Such an option would be wonderful to switch on before performing an unsafe activity such as web browsing and completely guarantee the integrity of the system.
We have designed RVS to be intentionally more difficult to commit content to the real disk as compared to other implementations of virtualization in our space. To commit content you must add that content to the File Manager and then deliberately force that content to be saved to the disk by clicking a link in the tray icon, desktop toolbar, or from within the RVS GUI.
This makes it orders of magnitude more difficult for malware or PUPs to make changes to the real disk. Further, the RVS System Safe feature includes a lock on the MBR by default whenever you activate the virtualization and thus protects the real disk from this type of attack.
We are exploring folder exclusions in the Labs beta as well and will introduce this feature with the engine upgrade for user convenience and a good user experience for those new to the concept of virtualization. The installation however will be to default to no exclusions for the highest level of security - changes beyond this are entirely up to the user and their level of risk aversion.
Quote:
> My final question is that of performance. I play recent, system intensive games. How does Returnil affect performance? Not disk performance, which I am not overly concerned about, but CPU and graphics performance? I am rather ignorant of the means by which Returnil and similar products operate and hope to be enlightened.
> Thanks for your time.
If using only the virtualization (Virus Guard and malicious behavior/sample analysis are deactivated), you should not even notice that RVS is running. You will need to ensure that your game sessions are saved on a non-system partition/drive as this information would be lost at restart as expected...
You should do some experimentation using training sessions to tweak the settings so you are satisfied with the performance. As a gamer, you should already be well aware of the risks of on-line gaming and the minimums you need to have in place to ensure your computer is protected while your attention is diverted...
Mike
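A toy model of the behaviour Mike describes above (sector-level "drive filter" cache, everything discarded at restart, explicit commit of chosen sectors, and the same cache slots being rewritten session after session), added here as an illustration; it is not Returnil's code, and the class, sector size and cache size are invented for the demo:

```python
SECTOR = 16  # bytes per sector in this toy model (constructed value)
class VirtualDisk:
    # Sector-level copy-on-write overlay: the "drive filter" picture from the reply.
    def __init__(self, real: bytearray, cache_sectors: int):
        self.real = real                                # the protected physical disk
        self.cache = bytearray(cache_sectors * SECTOR)  # fixed on-disk cache region
        self.map = {}                                   # real sector -> cache slot
        self.next_slot = 0
        self.cache_writes = [0] * cache_sectors         # writes per slot, all sessions

    def write_sector(self, n: int, data: bytes) -> None:
        # Every write lands in the cache, never on the real sector.
        if n not in self.map:
            if self.next_slot == len(self.cache_writes):
                raise RuntimeError("cache full")
            self.map[n], self.next_slot = self.next_slot, self.next_slot + 1
        slot = self.map[n]
        self.cache[slot * SECTOR:(slot + 1) * SECTOR] = data
        self.cache_writes[slot] += 1

    def read_sector(self, n: int) -> bytes:
        # The session view: the cached copy if one exists, else the real sector.
        if n in self.map:
            slot = self.map[n]
            return bytes(self.cache[slot * SECTOR:(slot + 1) * SECTOR])
        return bytes(self.real[n * SECTOR:(n + 1) * SECTOR])

    def commit(self, sectors) -> None:
        # The deliberate step: only the listed sectors reach the real disk.
        for n in sectors:
            if n in self.map:
                self.real[n * SECTOR:(n + 1) * SECTOR] = self.read_sector(n)

    def restart(self) -> None:
        # Reboot drops the mapping, so uncommitted changes vanish and the next
        # session starts writing at cache slot 0 again (the SSD wear point).
        self.map.clear()
        self.next_slot = 0

def demo() -> dict:
    vd = VirtualDisk(bytearray(b"." * (8 * SECTOR)), cache_sectors=4)
    vd.write_sector(2, b"B" * SECTOR)          # session 1
    vd.write_sector(5, b"C" * SECTOR)
    in_session = vd.read_sector(2)
    vd.restart()
    after_restart = vd.read_sector(2)
    vd.write_sector(7, b"D" * SECTOR)          # session 2 reuses cache slot 0
    vd.commit([7])                             # sector 5's change is gone for good
    return {"in_session": in_session, "after_restart": after_restart,
            "slot0_writes": vd.cache_writes[0], "real": bytes(vd.real)}
```

The `cache_writes` counter is the point about SSDs: across sessions the real sectors change but cache slot 0 is hit every time, which is why moving the cache to a platter drive helps.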