RVS 2011 Lite query

Discussion in 'Returnil Betas' started by Dark Star 72, Jul 16, 2010.

Thread Status:
Not open for further replies.
  1. Dark Star 72
    Offline

    Dark Star 72 Registered Member

    When using RVS 2011 Lite with System Protection ON and System Guard ON and 'Prompt user(s) for action when unauthorized access occurs' ticked I get the pop-up shown below when I activate Process Explorer. If I click 'Terminate' ProExp doesn't start as is to be expected. If I click 'Pass' ProExp starts up :thumb: . However, if I click 'Deny' it still starts normally o_O . If I untick 'Prompt user...' etc ProExp just starts normally.
    So, what should 'Deny' do? Or does it allow ProExp because it isn't actually doing anything malicious?
    I was was also under the impression that if I unticked 'Prompt user...' etc it would become like 'Default-Deny' and block without a warning pop-up.
    Not sure if I have misunderstood quite how it works but some clarification would be welcome.

    Also, I notice that there is a countdown timer on the pop-up and when it gets to zero the 'suspended' application then starts. Shouldn't it terminate it?

    Attached Files:

  2. Coldmoon
    Online

    Coldmoon Returnil Moderator

    Hi DS,
    What is happening is that Process Explorer's Kernel Mode driver is blocked. What is not obvious here is that PE can still run without this driver being installed or working. The important part to keep in mind here is that the content that could have presented a potential threat is the installation of Kernel Mode drivers which the System Guard prevented.

    For the rest:

    1.) Terminate button: If the user selects the Terminate button, it will terminate the specific running process.

    2.) Deny button: If the user chooses deny, it will not allow the operation shown in the dialog. (ref: create .sys driver in the system folder).

    3.) Count down: There is a 60 second count down at the end of which, if there is no user response to take action, the System Guard will automatically default to Deny.

    Mike
  3. Dark Star 72
    Offline

    Dark Star 72 Registered Member

    Thanks for your usual comprehensive reply Mike.

    Just to be sure I have got this right:
    Deny Button: Had it been a malicious software/application and I had clicked Deny it would not have run, or not been able to access any critical parts of the OS? ie: It could not have done any harm or installed anything malicious.

    Same with the Countdown Timer and the Prompt User functions, non-malicious and it would have started with 'limited' rights but malicious/malware and it would have been stopped?
    This would seem similar to the way DefenseWall works.

    I notice we have new toys to play with now, RSS Pro 2011 Pro and the Multi Snapshot. Will install them later and play:D
  4. Coldmoon
    Online

    Coldmoon Returnil Moderator

    Don't confuse blocking the program with blocking installation of kernel mode drivers. The threat comes from kernel rather than user mode content. This means that if the program had been malicious, it could have infected your virtual system but could not have gotten around the virtualization which is the true goal here.

    As I do not know DW at a low enough level to comment, I would refer you to their support staff to get specific information about their program and how it works.

    Regarding the count down timer and System Guard functionality, the timer is there for the user, not the software as the content is blocked regardless of the wait for a response from the user. If you allow (Pass), then the software would unblock at that point. If you deny, it remains blocked.

    Mike
Thread Status:
Not open for further replies.