Wilders Security Forums  

Go Back   Wilders Security Forums > Official Returnil Support Forum > General Returnil discussions
#1
July 30th, 2009, 10:33 AM
Pliskin
Regular Poster
Join Date: Feb 2009
Posts: 182
Direct Disk Access?

Malware mentioned here can bypass Returnil using direct disk access. So could you suggest some simple standalone HIPS which can protect us against this type of attack (both OA and Comodo HIPS stopped this malware)?
#2
July 30th, 2009, 11:54 AM
Coldmoon
Returnil Moderator
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Re: Direct Disk Access?

Hi Pliskin,
We are aware of the reports and are addressing them in the new 3x series. Would you be willing to try the current 3x Beta?

Mike
__________________
Returnil: The Real Security!
Follow us on Facebook
#3
July 30th, 2009, 12:00 PM
Dregg Heda
Frequent Poster
Join Date: Dec 2008
Posts: 830
Re: Direct Disk Access?

Does 3x have full system virtualisation and how stable is the beta?
#4
July 30th, 2009, 12:08 PM
Coldmoon
Returnil Moderator
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Re: Direct Disk Access?

It is very stable but does not yet include multi-partition virtualization. The LAB version of 2x does include this feature.

Mike
__________________
Returnil: The Real Security!
Follow us on Facebook
#5
July 30th, 2009, 12:37 PM
Pliskin
Regular Poster
Join Date: Feb 2009
Posts: 182
Re: Direct Disk Access?

Quote:
Originally Posted by Coldmoon
We are aware of the reports and are addressing them in the new 3x series. Would you be willing to try the current 3x Beta?

Mike

Sorry, but no. Reason why I use Returnil is because I don't want an antivirus on my system.

My security setup should look like this:

Returnil
Windows Firewall
HIPS - which will help Returnil stopping known and unknown malware

So can you suggest me some light, standalone HIPS which can do that?

P.S.: No is better than nothing
#6
July 30th, 2009, 01:10 PM
Dregg Heda
Frequent Poster
Join Date: Dec 2008
Posts: 830
Re: Direct Disk Access?

Why don't you try the anti-executable add-on that comes with RVS? I'm sure that will handle any malware capable of direct disk access by preventing it from executing.
#7
July 30th, 2009, 01:25 PM
Coldmoon
Returnil Moderator
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Re: Direct Disk Access?

I really can't suggest a specific HIPS solution as I don't use one, having had a negative reaction to their effect on system performance every time I have tried one in the past. This, however, should be taken as a personal opinion rather than a denunciation of HIPS in general.

There are quite a few on-going and older discussions in the "Other antimalware" forum with recommendations and user feedback on a wide range of HIPS alternatives you could try (Search using suggestions, HIPS, and light as the search string yielded two pages of matching threads for example...)

Quote:
Sorry, but no. Reason why I use Returnil is because I don't want an antivirus on my system.

The objective in RVS 3 is not to replace your AV/AM solution or to force that type of feature on the user. The effect of the combination of ISR/AM in v3 is extremely light on the system, more so than a HIPS implementation that can be very heavy, even for those recognized as being "light". For modern computers this may or may not be an issue, but on older systems and those that are challenged, it can be quite noticeable...

Quote:
...HIPS - which will help Returnil stopping known and unknown malware...

This is why v3 has not only an AV component (will be available without Virus Guard in the final release as an option), but also includes behavioral analysis and sample data collection support. The major point to get from the design is that with virtualization protection on and malware detection you are protected against a majority of threats that could cause harm to your System. Further, the actual population of specialized malware families with the ability to force direct disk access is very limited so patching the program against a newly discovered exploit is both fast and effective.

I hope that you will at least give the concept a trial run to see how well it works and let us know your thoughts to help improve the software as we go forward...

Mike
__________________
Returnil: The Real Security!
Follow us on Facebook
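The post above contrasts two ways of catching the "direct disk access" families it mentions: virtualization alone cannot see them, so a detection layer has to. As an added illustration (not Returnil's code and not from this thread), here is the detection side in Python: it parses constructed log records shaped like Sysmon Event ID 9 (RawAccessRead), which Windows logs when a process opens a disk volume by its device path, and reports any process that does so without being on an allowlist of tools expected to touch raw volumes. The log lines, the `backup.exe`/`defrag.exe` allowlist and the process IDs are all constructed placeholders; on a real host the same fields come from the event log and the allowlist is whatever that machine legitimately runs.

```python
"""Spot processes that open a disk volume directly (raw/direct disk access).

Added example, not Returnil's code. Input is constructed text shaped like
Sysmon Event ID 9 (RawAccessRead) records; the allowlist is a hypothetical
placeholder for the tools a given machine is expected to run.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real telemetry). The middle two lines show
# one unexpected process from a temp directory touching two volumes.
SAMPLE_LOG = r"""UtcTime: 2009-07-30 10:33:01.123 Image: C:\Windows\System32\backup.exe Device: \Device\HarddiskVolume1 ProcessId: 412
UtcTime: 2009-07-30 10:35:44.500 Image: C:\Users\alice\AppData\Local\Temp\update.exe Device: \Device\HarddiskVolume1 ProcessId: 2088
UtcTime: 2009-07-30 10:36:02.010 Image: C:\Users\alice\AppData\Local\Temp\update.exe Device: \Device\HarddiskVolume2 ProcessId: 2088
UtcTime: 2009-07-30 10:40:15.777 Image: C:\Program Files\Defrag\defrag.exe Device: \Device\HarddiskVolume1 ProcessId: 900
this line is unrelated noise and is ignored by the parser
"""

# Hypothetical allowlist: tools on this machine that legitimately open raw volumes.
EXPECTED_RAW_ACCESS_TOOLS = {
    r"C:\Windows\System32\backup.exe",
    r"C:\Program Files\Defrag\defrag.exe",
}

RAW_ACCESS_RE = re.compile(
    r"UtcTime: (?P<time>\S+ \S+) Image: (?P<image>.+?) "
    r"Device: (?P<device>\S+) ProcessId: (?P<pid>\d+)"
)


@dataclass(frozen=True)
class RawAccess:
    time: str
    image: str
    device: str
    pid: int


def parse_raw_access(log_text):
    """Return one RawAccess per line that has the Event ID 9 shape; skip the rest."""
    records = []
    for line in log_text.splitlines():
        m = RAW_ACCESS_RE.search(line)
        if m:
            records.append(RawAccess(m["time"], m["image"], m["device"], int(m["pid"])))
    return records


def find_unexpected_raw_access(log_text, allowlist=EXPECTED_RAW_ACCESS_TOOLS):
    """Raw-volume opens by images not on the allowlist (Windows paths are
    case-insensitive, so the comparison is too)."""
    allowed = {p.lower() for p in allowlist}
    return [r for r in parse_raw_access(log_text) if r.image.lower() not in allowed]


def volumes_by_process(findings):
    """Group as (pid, image) -> set of volumes, so one process reaching several
    volumes shows up as a single report line rather than scattered events."""
    grouped = defaultdict(set)
    for r in findings:
        grouped[(r.pid, r.image)].add(r.device)
    return dict(grouped)


if __name__ == "__main__":
    report = volumes_by_process(find_unexpected_raw_access(SAMPLE_LOG))
    for (pid, image), volumes in report.items():
        print(f"unexpected raw volume access: pid={pid} image={image} volumes={sorted(volumes)}")
```

Run as a script it prints one line for the unexpected process; the allowlist is the part that needs tuning per machine, since backup, imaging and defragmentation tools open volumes this way for legitimate reasons.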
#8
July 30th, 2009, 01:50 PM
developers
Regular Poster
Join Date: Apr 2009
Posts: 62
Re: Direct Disk Access?

Quote:
Originally Posted by Pliskin
Sorry, but no. Reason why I use Returnil is because I don't want an antivirus on my system.

You can try Returnil with Sandboxie, or Returnil anti executable
#9
July 30th, 2009, 02:03 PM
Pliskin
Regular Poster
Join Date: Feb 2009
Posts: 182
Re: Direct Disk Access?

Quote:
Originally Posted by Coldmoon
I hope that you will at least give the concept a trial run to see how well it works and let us know your thoughts to help improve the software as we go forward...

Mike

Don't worry, I was just bluffing; of course I will continue to use Returnil.

One more question though: how can Returnil protect selected files and folders on a non-system partition from being deleted, modified, or encrypted? Is anti-executable strong enough to handle this?

Thanks for your feedback!
#10
July 30th, 2009, 02:14 PM
Dark Star 72
Frequent Poster
Join Date: May 2007
Location: UK
Posts: 580
Re: Direct Disk Access?

Quote:
Originally Posted by Coldmoon
This is why v3 has not only an AV component (will be available without Virus Guard in the final release as an option), but also includes behavioral analysis and sample data collection support.
Mike

Mike,
In the v3 final release, if one uses the option without the AV component, will the behavioral analysis and sample data collection still be included along with the AE element?
#11
July 30th, 2009, 02:44 PM
Coldmoon
Returnil Moderator
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Re: Direct Disk Access?

Too soon to say exactly what the non-AV version is going to have. We will post more information about the available options and what features they have as we get closer to the final release...
__________________
Returnil: The Real Security!
Follow us on Facebook
#12
July 30th, 2009, 03:31 PM
Dark Star 72
Frequent Poster
Join Date: May 2007
Location: UK
Posts: 580
Re: Direct Disk Access?

Thanks Mike
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums