Direct Disk Access?

Discussion in 'General Returnil discussions' started by Pliskin, Jul 30, 2009.

Thread Status:
Not open for further replies.
  1. Pliskin
    Pliskin Registered Member

    Malware mentioned here can bypass Returnil using direct disk access. So could you suggest some simple standalone HIPS which can protect us against these types of attacks (both OA and Comodo HIPS stopped this malware)?
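For readers who want to see what "direct disk access" looks like in practice and check whether their own HIPS intercepts it, here is an added example (not posted by anyone in this thread and not Returnil code). It opens the first physical disk as a raw device and reads its first sector, which goes through the disk stack below the file system and below any file-system filter that virtualises writes. It is read-only, assumes Windows with an elevated PowerShell session, and assumes the disk is exposed as \\.\PhysicalDrive0; the `RawDisk` helper class and the constant names are this example's own.

```powershell
# Added example, not from the thread: open the raw physical disk the way a
# direct-disk-access tool would and read its first sector. Read-only: no write
# is attempted. Assumes Windows, an elevated (Administrator) session and that
# the first disk is \\.\PhysicalDrive0. Run it with a HIPS installed to see
# whether the HIPS prompts on the raw-device open.

# P/Invoke wrapper for CreateFileW; the class name RawDisk is ours.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
public static class RawDisk {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateFile(
        string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);
}
"@

$GENERIC_READ          = [uint32]0x80000000
$FILE_SHARE_READ_WRITE = [uint32]0x3
$OPEN_EXISTING         = [uint32]3

# \\.\PhysicalDrive0 is the whole first disk, not a volume: a sector read here
# bypasses NTFS and any file-system-level virtualisation layer above it.
$handle = [RawDisk]::CreateFile('\\.\PhysicalDrive0', $GENERIC_READ, $FILE_SHARE_READ_WRITE,
    [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
if ($handle.IsInvalid) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "CreateFile failed with Win32 error $err (not elevated, or a HIPS blocked the raw open)"
}

# Raw-device reads must be sector-aligned; FileStream's default 4 KiB buffer
# satisfies that for 512-byte and 4K-native disks.
$stream = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
$sector = New-Object byte[] 512
$read   = $stream.Read($sector, 0, 512)
$stream.Dispose()

# Sanity check: a legacy MBR or a GPT protective MBR ends with the 0x55 0xAA signature.
$sig = '{0:X2}{1:X2}' -f $sector[510], $sector[511]
"Read $read bytes from \\.\PhysicalDrive0; boot signature = 0x$sig (expect 55AA)"
```

If the HIPS under test is doing its job, the `CreateFile` call on the device path is where it should prompt or deny; a product that only watches file-system paths will let this through silently, which is exactly the gap the original post is asking about. Replacing the read with a write is the destructive variant and is deliberately not shown.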
  2. Coldmoon
    Coldmoon Returnil Moderator

    Hi Pliskin,
    We are aware of the reports and are addressing them in the new 3x series. Would you be willing to try the current 3x Beta?

    Mike
  3. Dregg Heda
    Dregg Heda Registered Member

    Does 3x have full system virtualisation and how stable is the beta?
  4. Coldmoon
    Coldmoon Returnil Moderator

    It is very stable but does not yet include multi-partition virtualization. The LAB version of 2x does include this feature.

    Mike
  5. Pliskin
    Pliskin Registered Member

    Sorry, but no. The reason I use Returnil is that I don't want an antivirus on my system.

    My security setup should look like this:

    Returnil
    Windows Firewall
    HIPS, which will help Returnil stop known and unknown malware

    So can you suggest some light, standalone HIPS which can do that?

    P.S.: No is better than nothing
  6. Dregg Heda
    Dregg Heda Registered Member

    Why don't you try the anti-executable add-on that comes with RVS? I'm sure that will handle any malware capable of direct disk access by preventing it from executing.
  7. Coldmoon
    Coldmoon Returnil Moderator

    I really can't suggest a specific HIPS solution, as I don't use one, having had a negative reaction to their effect on system performance every time I have tried one in the past. This, however, should be taken as a personal opinion rather than a denunciation of HIPS in general.

    There are quite a few on-going and older discussions in the "Other antimalware" forum with recommendations and user feedback on a wide range of HIPS alternatives you could try (Search using suggestions, HIPS, and light as the search string yielded two pages of matching threads for example...)

    The objective in RVS 3 is not to replace your AV/AM solution or to force that type of feature on the user. The effect of the combination of ISR/AM in v3 is extremely light on the system, more so than a HIPS implementation that can be very heavy, even for those recognized as being "light". For modern computers this may or may not be an issue, but on older systems and those that are challenged, it can be quite noticeable...

    This is why v3 has not only an AV component (will be available without Virus Guard in the final release as an option), but also includes behavioral analysis and sample data collection support. The major point to get from the design is that with virtualization protection on and malware detection you are protected against a majority of threats that could cause harm to your System. Further, the actual population of specialized malware families with the ability to force direct disk access is very limited so patching the program against a newly discovered exploit is both fast and effective.

    I hope that you will at least give the concept a trial run to see how well it works and let us know your thoughts to help improve the software as we go forward...

    Mike
  8. developers
    developers Registered Member

    You can try Returnil with Sandboxie, or Returnil's anti-executable.
  9. Pliskin
    Pliskin Registered Member

    Don't worry, I was just bluffing; of course I will continue to use Returnil.

    One more question though: how can Returnil protect selected files and folders on a non-system partition from being deleted, modified, or encrypted? Is the anti-executable strong enough to handle this?

    Thanks for your feedback!
  10. Dark Star 72
    Dark Star 72 Registered Member

    Mike,
    In the v3 final release, if one uses the option without the AV component, will the behavioral analysis and sample data collection still be included along with the AE element?
  11. Coldmoon
    Coldmoon Returnil Moderator

    Too soon to say exactly what the non-AV version is going to have. We will post more information about the available options and what features they have as we get closer to the final release...
  12. Dark Star 72
    Dark Star 72 Registered Member
