Direct Disk Access?

Discussion in 'General Returnil discussions' started by Pliskin, Jul 30, 2009.

Thread Status:
Not open for further replies.
  1. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    276
    Malware mentioned here can bypass Returnil using direct disk access. So could you suggest some simple standalone HIPS which can protect us against these types of attacks (both OA and Comodo HIPS stopped this malware)?
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,968
    Location:
    North Carolina USA
    Hi Pliskin,
    We are aware of the reports and are addressing them in the new 3x series. Would you be willing to try the current 3x Beta?

    Mike
     
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Does 3x have full system virtualisation and how stable is the beta?
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,968
    Location:
    North Carolina USA
    It is very stable but does not yet include multi-partition virtualization. The LAB version of 2x does include this feature.

    Mike
     
  5. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    276
    Sorry, but no. The reason I use Returnil is that I don't want an antivirus on my system.

    My security setup should look like this:

    Returnil
    Windows Firewall
    HIPS - which will help Returnil stopping known and unknown malware

    So can you suggest me some light, standalone HIPS which can do that?

    P.S.: No is better than nothing
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Why don't you try the anti-executable add-on that comes with RVS? I'm sure that will handle any malware capable of direct disk access by preventing it from executing.
     
  7. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,968
    Location:
    North Carolina USA
    I really can't suggest a specific HIPS solution as I don't use one, having had a negative reaction to their effect on system performance every time I have tried one in the past. This however should be taken as a personal opinion rather than a denunciation of HIPS in general.

    There are quite a few on-going and older discussions in the "Other antimalware" forum with recommendations and user feedback on a wide range of HIPS alternatives you could try (searching with "suggestions", "HIPS", and "light" as the search string yielded two pages of matching threads, for example...)

    The objective in RVS 3 is not to replace your AV/AM solution or to force that type of feature on the user. The effect of the combination of ISR/AM in v3 is extremely light on the system, more so than a HIPS implementation that can be very heavy, even for those recognized as being "light". For modern computers this may or may not be an issue, but on older systems and those that are challenged, it can be quite noticeable...

    This is why v3 has not only an AV component (it will be available without Virus Guard in the final release as an option), but also includes behavioral analysis and sample data collection support. The major point to get from the design is that with virtualization protection on and malware detection you are protected against a majority of threats that could cause harm to your system. Further, the actual population of specialized malware families with the ability to force direct disk access is very limited, so patching the program against a newly discovered exploit is both fast and effective.

    I hope that you will at least give the concept a trial run to see how well it works and let us know your thoughts to help improve the software as we go forward...

    Mike
     
  8. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    You can try Returnil with Sandboxie, or Returnil Anti-Executable.
     
  9. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    276
    Don't worry, I was just bluffing; of course I will continue to use Returnil.

    One more question though: how can Returnil protect selected files and folders on a non-system partition from being deleted, modified, or encrypted? Is Anti-Executable strong enough to handle this?

    Thanks for your feedback!
     
  10. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    672
    Mike,
    In the v3 final release, if one uses the option without the AV component, will the behavioral analysis and sample data collection still be included along with the AE element?
     
  11. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,968
    Location:
    North Carolina USA
    Too soon to say exactly what the non-AV version is going to have. We will post more information about the available options and what features they have as we get closer to the final release...
     
  12. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    672
    Thanks Mike
     