Question for Coldmoon on Returnil driver

Hi Coldmoon, thanks for this remarkable piece of software. I just have a small question about it. Does the Returnil driver or any part of Returnil install itself at the kernel level? I know many security apps including DefenseWall does this. Does Returnil do this also? And if so, would it cause conflicts?

 

Hi lordbest and welcome to the forums

Yes, the virtualization driver (also the Virtual Disk) is Kernel mode and can conflict with other programs designed to do similar things like boot-to-restore. Also be aware that some imaging solutions may also conflict with RVS.

If you are using Vista or Win 7, RVS does not conflict with the native Windows backup or imaging in more advanced versions (Business, Pro, Ultimate, Enterprise).

Mike

 

Thanks. So does Returnil work on 64-bit with PatchGuard? Is the protection just as good as with 32-bit?

 

Yes, RVS works on supported 64 bit versions of Windows and there are no conflicts with patchguard.

Yes, the level of protection is exactly the same

Mike

 

How is that possible? I have read you cannot provide the same protection with PatchGuard unless you violate Microsoft's Terms of Services?

 

See my reply in the following thread for my answer regarding the Virus Guard:

https://www.wilderssecurity.com/showthread.php?t=272215

The virtualization is done at the disk level so there is no need to "hack" the Kernel.

Mike

 

Does this mean that the virtualization is easily bypassed? My reckoning is that kernel mode level (ring 0) provides the most secure protection. Many robust apps hook ring 0 on 32-bit and this makes them very tough to bypass. A competing product called Shadow Defender appears to work similarly to Returnil. Surely that product hooks ("hacks") the kernel to provide maximum protection (ring 0).

 

I will not comment specifically about a competing product and suggest that you should contact the SD developer for more information regarding their products.

As for RVS, there is no loss or difference in the level of protection with the virtualization. The reason for this is that RVS virtualization doesn't care what Windows does as it is not a file filter where it would need to monitor changes in the file system. This would require some form of hooking and is the reason many application based virtualization solutions have been slow or have had issues supporting 64 bit Windows.

Though not a precise analogy, you can think of the RVS virtualization as a form of disk filter with its focus being on attempted changes to the real disk and is why RVS can put Windows into a fantasy world without interfering with its functionality or user experience and why 64-bit support is possible without a great deal of trouble over 32-bit.

Mike

 

The real question I have is how secure programs like Returnil is then if it doesn't hook the kernel at ring 0. It doesn't sound like it would provide the same level of protection as a program that did. There probably are not many bypasses because malware writers simply don't target systems with light virtualisation?

 

They do and there are a small number of families that can bypass ISR (Robodog/Sonydog, cleanMBR, and KillDisk are examples) that are based on hacking tools. This was the reason we added antimalware, antiexecute, and MBR/low level editing protection in 2007 (simple, targeted AM), upgraded/expanded in 2008/Labs, and significantly improved in 2010.

It is also a partial reason why we moved to add the suspicious behavior and malware sample monitoring/upload features to 2010. The other part of the monitoring is for a distributed immunity feature we are working to realize where this information can be shared between the copies of RVS and provide wide protection after a client or clients first discover it.

The main thing you need to keep in mind is that there is no such thing as a silver bullet and it is why an intelligent, layered approach to security is essential.

Mike

 

Thanks for being honest and also specific. I would have thought Returnil is resistant to killdisks by now. I know Shadow Defender is resistant to all known killdisks. I'm not sure about the others you mentioned.

 

It is hardened against KillDisk - you can see this as it happened by going through some older threads from 2008 and we continue to monitor for new variants. The difference is that 2010 can be updated much faster through the Virus Guard signatures rather than having to introduce a new build as happens with some other solutions we compete with...

Mike

 

Sounds like light virtualisation is becoming like an antivirus signature database! That is, it's not very reliable. What is it? 63% detection?

 

No, not like an antivirus as that would be going in the wrong direction. Look at it this way, what is most critical to protecting the user in the long term is to ensure that the priority is a clean system. To do this, any supporting strategy or feature has to ensure that this priority is met so its number one focus is going to be on anything that can potentially bypass the virtualization from a software POV. Further, the detection is bolstered by anti-execute that can stop unknown content from running in the first place.

Barring the previously mentioned threats, a simple restart removes any infection you might have encountered, keeping the system clean over time. So what is better? Detecting and maybe not being able to remove everything found (reactive) or complete malware removal at restart (proactive)?

Mike

 

I suppose the fact is that it's a pity you cannot provide light virtualisation protection from the kernel level on 64-bit. If you could, I would presume protection would be much much harder to bypass.

 

lordbest, there is no difference in protection or even that much difference in the virtualization engine. Actually, you are more secure using anything on 64 bit Windows due to the inherent architecture of the OS itself. So if you look at it this way, a 64 bit system is even more secure with RVS installed.

You do not have to hook the kernel to provide effective security. It takes innovative thinking and allot of work, but in the end there is really no need to resort to shortcuts; especially shortcuts that open potential issues...

Mike

 

So you disagree that if Returnil primarily functioned at the kernel level, it wouldn't be more secure than what it currently functions at?

 

As many of us don't like to use the Virus Guard, I would like to see the anti-execute function handle new variants.

 

I agree. I also would like to see Returnil release a slim version containing only the virtualisation program.

 

It does and is updated regularly along with the Virus Guard. The virtual drivers are kernel mode, not user mode. This does not mean that the Windows Kernel needs to be hacked for them to work properly. You just need to follow the rules:

http://www.microsoft.com/whdc/driver/kernel/64bit_chklist.mspx

Mike

 

This would require Preferences->Communication to be enabled? Anything else?
Thank you.

 

For updating the VG signatures and additional rules, you will need to communicate with the update server...