Protection BEFORE Windows starts?

Discussion in 'General Returnil discussions' started by bellgamin, Aug 12, 2010.

Thread Status:
Not open for further replies.
  1. bellgamin
    bellgamin Very Frequent Poster

    There are some security applications that somehow insert themselves into the bootstrap routines so that they can run certain processes BEFORE Windows itself is actually loaded & operational.

    QUESTION- Will Returnil protect bootstrap areas from such changes? In other words, will a restart from Returnil ensure that any & all such changes will disappear?
  2. Coldmoon
    Coldmoon Returnil Moderator

    Hi bellgamin,
    If by "bootstrap" you mean the Master Boot Record (MBR), then yes; if you have the virtualization set to start with Windows, then the MBR remains protected with a restart.

    In the case of temporary virtualization (AKA Session Lock from older versions of RVS), all changes are dropped at restart of the computer so the MBR is again protected.

    If we are discussing the processes and drivers that may load at restart, the key protection will be the anti-execute feature that includes a form of "driver firewall":

    1. RVS 2010: if it is known (already exists on the real disk) it can start and will function; otherwise it is blocked.

    2. RSS 2011: Again the key will be the AE, but in the new version there is an additional option, between the extremes of letting programs run as they will and trusting only what already exists on the real disk, that will allow known services. This is to provide a level of protection that is less restrictive, but not as liberal as letting everything run as it will.

    Mike
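
One way to confirm for yourself that the MBR came back unchanged after a restart, as an added example that is not part of the original thread and is not Returnil code: fingerprint each region of the first disk sector before the session and again afterwards, then report which regions differ. The sample sectors are constructed, and the function names are hypothetical.

```python
import hashlib

SECTOR_SIZE = 512
# Classic MBR layout (byte offsets within sector 0).
REGIONS = {
    "boot_code": (0, 440),
    "disk_signature": (440, 446),   # 4-byte signature + 2 reserved bytes
    "partition_table": (446, 510),  # four 16-byte entries
    "boot_signature": (510, 512),   # 55 AA on a valid MBR
}

def fingerprint(sector: bytes) -> dict:
    """Return a SHA-256 digest per MBR region for one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    return {name: hashlib.sha256(sector[a:b]).hexdigest()
            for name, (a, b) in REGIONS.items()}

def changed_regions(baseline: bytes, current: bytes) -> list:
    """List the MBR regions whose contents differ between two snapshots."""
    if baseline[510:512] != b"\x55\xaa":
        raise ValueError("baseline lacks the 55 AA boot signature")
    before, after = fingerprint(baseline), fingerprint(current)
    return [name for name in REGIONS if before[name] != after[name]]

def make_sample_mbr(boot_code_fill: int) -> bytes:
    """Build a constructed (not real) MBR with one active NTFS partition."""
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])   # active flag, type 0x07
             + (2048).to_bytes(4, "little")           # starting LBA
             + (204800).to_bytes(4, "little"))        # sector count
    return (bytes([boot_code_fill]) * 440 + b"\x12\x34\x56\x78\x00\x00"
            + entry + bytes(48) + b"\x55\xaa")

if __name__ == "__main__":
    baseline = make_sample_mbr(0x90)       # snapshot taken before the session
    after_restart = make_sample_mbr(0x90)  # snapshot after restart: identical
    tampered = make_sample_mbr(0xCC)       # boot code rewritten, table untouched
    print("after restart:", changed_regions(baseline, after_restart) or "unchanged")
    print("tampered:     ", changed_regions(baseline, tampered))
```

On a live Windows system the 512 bytes would be read from the first sector of `\\.\PhysicalDrive0` with administrator rights; the baseline should be stored somewhere the virtualized session cannot modify.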