Returnil vs Rootkits?

Discussion in 'Returnil releases' started by usagi, Apr 5, 2010.

Thread Status:
Not open for further replies.
  1. usagi

    usagi Registered Member

    Does Returnil protect my computer completely against rootkits?

    Can some types of rootkits bypass Returnil (such as those which have their own driver to have direct disk access or hypervisor rootkits such as the old blue pill)?

    I'm planning to turn on my computer 24/7, connected to the internet, with Returnil activated. Will it be safe? I'm afraid I'll get some infections if some malware is able to bypass Returnil.

    Thanks in advance :)
  2. Cudni

    Cudni Global Moderator

  3. usagi

    usagi Registered Member

    Thanks for your response :)

    How about those rootkits which come with their own direct disk access drivers?
    Or hypervisor rootkits which will attempt to put Windows under their virtual environment?
    Can Returnil protect my computer from those rootkits?
  4. ace55

    ace55 Registered Member

    Although I cannot answer your question, there will always be theoretical vulnerabilities, even in security software. Thus, I would advise not relying on Returnil alone. Using it in combination with a HIPS would provide stronger protection. Even programmers of security software are human, thus their code is still susceptible to vulnerabilities, like any other software. For the same reason, Returnil will provide additional protection for any other security software on your machine.

    But I look forward to Coldmoon's answer, particularly regarding blue pill.
  5. Coldmoon

    Coldmoon Returnil Moderator

    RVS includes protection for the MBR and low sector editing, which is effective against the majority of malware out there. There are a small number of families that can get around virtualization, and this is one of the most important reasons we added antimalware/antiexecute/behavior analysis functionality in 2010. Also, there is no software solution that will ever be able to protect against exploitation when the attacker has physical access to the target computer...

    You can be confident in RVS's protection ability as well as the improvements it introduces over traditional approaches/solutions. As there is no way to predict what the malware devs are going to come up with next, you should still practice good computing as the most important link in your security is you and what you do...

    Mike
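The post above mentions protection for the MBR and low-sector editing. As an added illustration of what a defender can check for in that area (this is not Returnil/RVS code, and it says nothing about how RVS implements its protection), the script below builds a constructed 512-byte boot sector in memory, stores a baseline fingerprint of it, and then reports which region changed. The boot code (first 446 bytes) and the partition table (next 64 bytes) are hashed separately on purpose: a boot-sector modification that keeps the partition table intact shows up as a boot-code change only, which is a more useful signal than a single hash over the whole sector. The sample sector, the partition values and the `verify` API are all assumptions made for this example; on a real machine the same bytes would come from sector 0 of the boot disk, which needs administrator rights to read and is deliberately not done here.

```python
"""Added example (not Returnil code): baseline-and-verify check of a
master boot record, run entirely on a constructed in-memory sector."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # classic MBR layout: boot code ...
PARTITION_TABLE_LEN = 64       # ... then four 16-byte partition entries ...
MBR_SIGNATURE = b"\x55\xaa"    # ... then the 0x55AA signature


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not captured from any real disk):
    446 bytes of placeholder boot code, one NTFS partition entry,
    three empty entries and the 0x55AA signature."""
    boot_code = b"\xeb\x3c\x90" + b"\x90" * (BOOT_CODE_LEN - 3)
    # One partition entry: bootable flag, CHS start, type 0x07 (NTFS),
    # CHS end, LBA start 2048, 204800 sectors (values are made up).
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_TABLE_LEN - len(entry))
    return boot_code + table + MBR_SIGNATURE


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    table = sector[BOOT_CODE_LEN:BOOT_CODE_LEN + PARTITION_TABLE_LEN]
    parts = []
    for i in range(4):
        raw = table[i * 16:(i + 1) * 16]
        status, _, ptype, _, lba_start, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": count})
    return parts


def fingerprint(sector: bytes) -> dict:
    """Hash boot code and partition table separately so a later check can
    say which region moved rather than just 'the sector changed'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(
            sector[BOOT_CODE_LEN:BOOT_CODE_LEN + PARTITION_TABLE_LEN]).hexdigest(),
    }


def verify(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector against a stored baseline.
    Returns a list of finding strings; an empty list means no change seen."""
    findings = []
    if sector[-2:] != MBR_SIGNATURE:
        findings.append("invalid MBR signature")
    current = fingerprint(sector)
    for region in ("boot_code", "partition_table"):
        if current[region] != baseline[region]:
            findings.append("%s changed" % region)
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = fingerprint(good)          # would normally be stored offline
    print("partitions:", parse_partitions(good))
    print("clean check:", verify(good, baseline))
    tampered = bytearray(good)
    tampered[0x10] ^= 0xFF                # simulate boot code overwritten in place
    print("tampered check:", verify(bytes(tampered), baseline))
```

The baseline must be captured while the system is known-good and stored where the checked system cannot silently update it; otherwise an in-place overwrite of both the sector and the baseline would pass the comparison.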
  6. regeu

    regeu Registered Member

    Possibly a combination of firewall, antivirus and Returnil may help.
  7. Coldmoon

    Coldmoon Returnil Moderator

    Perhaps, but the keys with RKs are:

    1. Avoid them (best idea if possible)
    2. Don't let the infector activate. In this scenario you work to ensure that the RK installer never gets a chance to work, and this is a partial reason for the Anti-execute functionality in RVS/RSS.

    For the scenario where a RK already exists, we are working to upgrade the Virus Guard with support for detection and removal. It is still a work in progress, but progressing well.

    Mike