RVS 2011 Questions

I just had a few questions and thought regarding Returnil Virtual System Lite 2011. I have been a Shadow Defender user for a long time. It is a great application. It's powerful yet very minimalistic. I can see that the new RVS beta is heading in that direction as well. The gui has been redesigned, and the who application itself has become more streamlined and less convoluted. If the rumors of Shadow Defender are true, Returnil might soon be getting a lot more users that think like me as they search for an active, yet similar, project.

I do like the fact that there is no AV present. I think it is a little bit redundant; if your virtualization technology is as good as you say it is they why add the AV scanner in the first place? Unless you feel the virtualization is inadequate and you7r using the AV as a safety net. The only other thing I can think of is that you don't have enough faith in your users and believe that they will go crazy adding exclusion entries, punching holes in the boat so to speak. I think Returnil is moving in the right direction here

Am I wrong or is there an HIPS now included in RVS 2011 light? That is what System Guard is, right? Again, to me that seems a bit redundant. Something that prevents drivers from loading and system files from executing seems like a good idea, but in a virtualization application it seems unneeded since it's designed to revert the system at reboot anyway.

Is RVS complete in functionality? I'm not asking if it's ready to be released, but there were features in 2010 that didn't seem to make it in RVS 2001, such as secure wiping.

I guess I'd appreciate a little description of just how RVS 2011 differs from the previous year, and for that matter from similar applications such as Shadow Defender. If I had no knowledge of the two what would you tell me to convince me to use your product over others?

I just hope Returnil isn't trying to reinvent the wheel here.

 

Hi n8chavez,
The Virus Guard/AE in RVS 2010 and the System Guard in RVS Lite 2011 are there to provide protection against ISR circumventing malware. Neither the AE or the System Guard are HIPS implementations as they are targeted towards addressing issues related to this type of malware.

SD is just as vulnerable to these types of malware as any other virtualization solution and uses a hidden ("under-the-hood") antimalware capability that blocks the execution of known "bypassers". We are honest about this issue and have posted many replies in this forum and in other forums here at Wilders and other places discussing this vulnerability in ALL ISR solutions.

There is no such thing as a silver bullet which means that no strategy that focuses on a single technique is effective for long term protection/cleanliness of your computer. To achieve real, lasting security you need to think about a layered approach and this is exactly what we are doing in both the 3x and 2x based product lines. The main difference is the target customer/user base.

For the 3x line (RVS 2010), the focus is general (has relevance to all types of users including consumers). The 2x based line (Lite 2011) is targeted towards the Public Access/Cafe market where control is still required, but the Virus Guard is not. Additionally, the Lite 2011 line offers a stand alone management console that is more appropriate for highly controlled networks that do not allow outside communications.

This does not mean that Lite 2011 is not a proper choice for the consumer and/or Home network market, just that its design comes directly from current network customer requirements and wish lists.

There is nothing redundant in either product line. Don't confuse targeted use of some features you would expect from a full featured HIPS and/or antimalware solution with what we are doing in RVS. Each component part works to cover the weaknesses in the other components to achieve an effective whole and the antimalware engine in the 3x line (to be replaced in the future with our AI engine technology) provides traditional detection and removal capabilities because it is not guaranteed that the system is clean before installing RVS.

Our goal is not to be just another virtualization/roll back/technology provider; rather we are interested in real, long term protection for the user and PC. To do this, we choose not to turn our backs on the parts of traditional security that work while leaving out the bling and marketing inspired feature sets.

Mike

 

Does that mean that there will be no AV in 2011 light?

I assume that these are the kind of threats you are referring to. As far as I aware aware, as far as I can gleam from the thread, Shadow Defender was one of the only products to successfully defend against the TDL/TDSS trojan. Returnil, on the other hand, failed. But I understand your point.

I agree with you there. That's why I also run Sandboxie Pro. I was having a discussion on their forum the other day about how I don't like to give blanket read/write access to certain directories. Security applications are intended to protect users' system. And, there's no way they can do that the protection they provide is full of holes. I understand the exclude "feature" is intended for data that needs to be committed from the virtual drive to the real one. But that is the same as giving blanket read/write permission to that directory, which every directory that is. Below are two lines configuration lines from Sandboxie. Direct read/write permission is given to a certain directory, in this case "Mail".

OpenFilePath=opera.exe,%Tmpl.Opera_Mail%\*
OpenFilePath=opera.exe,%AppData%\Opera\*\mail\*

But what makes this safer, in my opinion, and greatly reduced the change of infection, unlike the blanket permission approach, is that the read/write permissions are limited by process exe, Opera. Meaning, nothing else has the right to read/write to that directory other than Opera.exe. I would love to see Returnil implement something like this for their exclusions, reducing the possibility of infection.

Okay then. I guess we agree for the need and disagree on its implementation. I don't agree with scanners; they use definitions and heuristics that cannot possible keep ahead of the games, and don't forget about the capability of destruction because of the false-positive.

 

I totally agree with you. I use AppGuard, along with Shadow Defender and Sandboxie, and I've been suggesting in the AppGuard threads that it should be possible to set folder permissions and exclusions on a per application basis. If Sandboxie can do it, why not other security solutions?

As a former user of RVS, I have posted previously in the Returnil threads that I would have preferred to have seen RVS beef up its policy restriction and anti-execute features, rather than going down the antivirus route.

 

You are correct, we have no plans or wish to add an AV engine to the lite 2011 line as we have in the 2010 line outside of the System Guard. The design of Lite 2011 is in direct response to our cafe and PA network customers and is intended as an alternative to our main 3x line.

No, RVS 2010 passed when all the protection features were activated as intended. Returnil Virtual System 2010 IS NOT just a simple boot to restore application with additional things thrown on top; rather it is a security solution that makes use of virtualization, antimalware, and anti-execute to provide an intelligent, layered shield to provide long term and effective protection for our users and customers.

RVS Lite 2011 passes in a similar way when the System Guard feature is activated as intended even though it is closer to a strict virtualization solution than is RVS 3x.

You already have this in the 3x line with the File Manager which was designed to force the user to make deliberate changes. Further, the user must intentionally update the items in the FM list as well which means that it provides a higher level of protection that the method you advocate through a SBIE approach.

The good news here however is that RVS (3x OR 2x) are completely compatible with SBIE and we have commented on this as a natural combination where each compliments the other. SBIE at the application/file system level and RVS at the disk/system level.

We don't rely on scanners and have long discussed their short falls. They do however have a place with their ability to detect malware. The AM engine also provides a means (for now) to monitor for and collect potential malware samples and behavior analysis information that allows us to refine this feature in response to what our actual customers are seeing right now.

When Distributed Immunity is introduced, updating will happen in near real time as the information is shared between the RVS clients.

Mike

 

Not sure what you mean by "beef up", in this regard as our design of the AE functionality is either allow or block what you do not already know. Further, there are no annoying, cryptic popups to deny or allow something. Either you allow it or you do not. If something is blocked but you need to run it for whatever reason, you can adjust your settings and go on about your business.

In RVS Lite 2011 the System Guard is not allowed to remember a deny/allow response when the option to prompt is activated. This keeps wrong decisions from opening lasting holes in the protection while giving the cafe/PA network admin some flexibility to run specialized tools and/or scripts for example when required.

Another part of the Antimalware component is to gather information on what is good so it also incorporates a form of white listing that will see improvement in the 3.2 and above generations, especially when the AI/behavioral learning engine is fully integrated into RVS going forward.

Mike

 

Mike,
In RVS 2010 the Virus Guard > 'Trust programs from real disk only' option which is the anti-execute element only works if the user has System Safe in Enabled mode. If they have System Safe disabled for say updating 'My Documents' then the AE element is non-operational even if it is ticked. I personally would prefer that it remained active, is there any particular reason why it is not?
In the 2011 Lite is the System Guard (AE replacement) linked to System Protection in the same way or will System Guard still be active and protecting my system even if I have System Protection turned off?

 

Hi DS,
Yes, the System Guard will remain active whether the virtualization is on or not but is turned off by default at installation. It should be truned off however when you need to install MS/Windows updates as it can block them from being installed.

Mike

 

Hi Mike,

Actually I think the AE in RVS 3.x is sufficiently well implemented that I'm not sure why it was necessary to add an AV as well, given that the AE on its own ought to be enough to prevent unknown processes from running. Most people who want an antivirus will already have one, so are likely to keep real-time VirusGuard protection turned off.

If you reread my post you will see that what I was primarily talking about is folder permissions and restrictions. I was agreeing with the OP's suggestion to improve folder protection by making it more granular on a per process basis, similar to the way Sandboxie works. The problem with an all or nothing approach is that it is inflexible. Either you choose to protect a folder but have to keep temporarily turning off protection to allow access for specific programs which is inconvenient OR you don't bother with folder protection at all, thereby potentially exposing private and confidential data to any program that executes. A more granular approach combines both privacy/security and convenience at the same time.

Other problems that I experienced with folder protection as implemented in RVS 3.x is that: (1) files and folders are treated separately so, as you have previously stated, protection has to be added individually for each file. Not only is that inconvenient when dealing with large folders containing a lot of files but it is also impractical if the contents of the folder change frequently; (2) my own experience of folder and file protection was that it was somewhat buggy and didn't always prevent read access to files by running processes.

I also found RVS 3.x unstable on my system with frequent "delayed write failure on drive Z" messages, even though I never used the virtual drive feature and don't have drive Z mapped to anything. I never experienced this with the 2.x series. I would have preferred to have seen more focus on getting these kind of things right before adding an AV, which I was forced to turn off anyway because it conflicted with Prevx and slowed down Prevx scheduled scanning to a horrible extent.

Please don't take this as negative criticism. I respect the stance taken by Returnil to develop a complete security solution and I really want to see RVS succeed. That's why I think that improving the policy restriction features have a role to play. I will probably return to RVS at some point, once multi-partition virtualisation and permanent folder exclusions have been incorporated into the main product. The killer feature for me will be the ability for a virtual session to persist across restarts, enabling software that requires a reboot to be tested using RVS. I know you have this planned for a future release, and I'm looking forwards to seeing it implemented.

I do have a couple of questions for you.

1. As File Protection and System Safe are located within the VirusGuard tab, are these features still available with Home Classic or is the VirusGuard tab itself disabled in this version, along with all its contents?

2. I have a valid licence for RVS 2010 Home Lux. Is the Home Lux licence valid for a downgrade to Home Classic or is a separate Home Classic licence needed?

Regards

 

Wouldn't the most flexible solution be to allow the user to choose whether or not to link File Protection and/or System Guard to the virtualisation state by means of a user-controlled setting within the RVS control panel?

 

Coldmoon?

 

Hi pegr,

1. Yes. In the newer builds above 3.2 there will be some changes that will eventually see the end of the File Protection and File Manager features which will be replaced by multi-disk virtualization and virtualization exclusions respectively.

Also, there will be an end of the Home Classic line as it proved to be unpopular. We are replacing the entire "Classic" lines with the new RVS Lite 2011 series which has greater relevance to our actual customer base who requested the feature sets in that version, including the stand-alone management console for restricted/secure networks.

2. As noted above, the Home Classic line is coming to an end so your upgrade path would be to the new 2011 3x series.

Mike

 

Hi Mike,

Many thanks for the detailed clarification.

I'm looking forwards to seeing how RVS develops and I'm sure that I will return to RVS at some point as it continues to develop. My reasons for abandoning RVS 2010 in favour of Shadow Defender were the stability issues I was encountering with "delayed write failure on drive Z" messages together with a lack of permanent exclusions (for antivirus definition updates) and multi-partition virtualisation (my system has a recovery partition I wanted to protect). It does look as though the new 2011 3x series may suit me better.

I do hope though that removing the File Protection and File Manager features doesn't also mean the end of the Anti-Execute feature. The ability to prevent new executables not already present on the real system from being able to run within the virtual system is a powerful, well-implemented security feature within RVS that I wouldn't like to see disappear.

I would also welcome a feature to prevent read access to folders containing personal data on a per application basis from within the virtual system. Whilst the virtual system guards the real system against infection, shortening the time to removal by means of a reboot doesn't prevent malware from being able to do damage of a personal nature while it is running. IMO a feature to protect folders from unauthorised access would add an additional layer of security.

Hope you are open to constructive suggestions.

Regards

 

Why not try RVS Lite 2011 then? It has what you are looking for in feature sets and is extremely stable with a long testing period (used to be RVS Labs).

Mike

 

Thanks - I'll give it a try.

Regards

 

Well I tried it but it wasn't as stable as I hoped it would be. Unfortunately, it detected my SD Memory Card drive as an additional partition. I kept getting Windows - No Disk error messages so I uninstalled it.

Exactly what is the status of RVS Lite 2011? The release notes on the Returnil website say that it is still in beta, yet when I installed it, it installed as a time limited trial with an option to purchase.

EDIT: This post is now cross-referenced in the [Public Beta] Returnil Virtual System Lite 2011 thread.

 

Hi,
RVS Lite 2011 is completely stable. The issue you reported however is being investigated and may be related to an issue reported earlier involving SD cards.

Is the SD card internal or external (connected via USB for example)?

Mike

 

Hi Mike,

I didn't expect the SD MMC to be wrongly identified as an additional hard disk partition, causing repeated Windows - No Disk error messages. Surely you can accept that this makes the program unusable and therefore falls short of complete stability in my case.

To answer your question about the SD card reader, I have a 2003 model HP Media Center PC, factory fitted with an internal 7-in-1 Memory Card Reader as standard.

Regards

 

No, that just makes it temporarily incompatible with your environment for the moment, not unstable. This distinction however doesn't make the issue any less frustrating in your case so be assured that we are investigating aggressively.

Thanks - Devs updated.

Mike

 

I didn't use the term "unstable" in relation to RVS. I said that my system fell short of "complete stability" with RVS installed, which is a different thing. Whilst RVS itself was stable in the sense that it didn't crash or cause BSODs, RVS was responsible for causing increased volatilty in my system, with Windows - No Disk error messages being repeatedly displayed while I was trying to work.

I don't think I'm unusual in assuming that words like "completely stable" implicitly carry the suggestion that the user experience will be a good one, which was far from true in my case. I do appreciate you taking the time to get this issue investigated though.

BTW you never answered the question I asked, so I'll repeat it. Exactly what is the status of RVS Lite 2011? The release notes on the Returnil website say that it is still in beta, yet when I installed it, it installed as a time limited trial with an option to purchase and a live link to a Cleverbridge payment screen.

 

It will be available for purchase as soon as it is released as a final this summer.

Mike

 

It appears to be available for purchase now, hence the question.

 

The links are there for testing and will change to reflect the appropriate purchase page when released as a final as we cannot sell potential customers Beta software. This is why the links now simply take you to RVS 2010 purchase pages as that is all that can be purchased at the current time.

Mike

 

Which is precisely why I assumed that a link to what appears to be a live purchase screen must be a mistake (see attached screenshots). Needless to say, I didn't go as far as to enter my actual card details to see what would happen in case the card got charged.

I'm just trying to let you know in case somebody does attempt to purchase RVS Lite 2011 while it is still in beta and gets charged by mistake.

 

Coldmoon,

Would you please clarify what the situation is regarding the screenshots I posted. I have provided evidence that the 'Buy now' button links to what appears to be a live purchase screen.

Will Returnil be changing the operation of the 'Buy now' button in the beta to display a message saying the program is not for sale yet, instead of redirecting the user to a purchase screen?