Any way to disable scheduled ops (defrag, AV scan)?

Discussion in 'General Returnil discussions' started by VanguardLH, Dec 2, 2011.

Thread Status:
Not open for further replies.
  1. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
On my host, in Task Scheduler, there are scheduled events for an AV scan (Avast free), disk cleanup (CCleaner and Windows cleanup wizard), stop/start of magicJack (VOIP) to turn off phone calls and mute/unmute the system audio so I'm not disturbed at night while sleeping, and defrag (Auslogics).

    While the disk cleanup isn't needed when in virtualized mode with Returnil (because such cleanup gets done on the reboot), the impact on the host for such cleanup is minimal. I still want the VOIP (phone) disabled and the system audio muted while I'm sleeping so those are okay to run while virtualized.

However, there's no point in running a defrag on the OS partition that is being virtualized. Any defrag that's done while virtualized will get discarded on a reboot to wipe those disk changes. There's no point in running an anti-virus scan since any malware (that was quiescent and only found through a scan) that showed up while in virtualized mode will be gone on the reboot. So it is a waste of time, resources, impact on responsiveness of the host, and wear on the disk to do a defrag and AV scan while virtualized.

The defrag (Auslogics) likely uses the safe defrag API included in Windows. So it might be possible to disable or block a defrag by intercepting the system call to that API. That is, when a defrag program makes a call to the defrag API, it gets an error and the defrag never starts. That's something akin to someone ringing the doorbell, you open the door only to tell them that you're not in, and slam the door shut in their face.

    Since these are commands executed as scheduled events in Task Scheduler, I'm wondering if Returnil included a state-test utility that could be used either in a batch file to look at its return code or would execute a program only if NOT in virtualized mode. I could replace the commands executed by the scheduled events so:

    "C:\Program Files\Auslogics\Auslogics Disk Defrag\cdefrag.exe" c: d: -bk -o -dt

    becomes:

    rvsstate.exe "C:\Program Files\Auslogics\Auslogics Disk Defrag\cdefrag.exe" c: d: -bk -o -dt

where rvsstate.exe executes the command given to it as an argument only if not currently in Returnil's virtualized mode. When not virtualized, those scheduled events would run. When virtualized, those scheduled events would not run (well, they'd run but immediately exit without rvsstate executing the specified program).

    While disabling the defrag API in Windows while virtualized provides a means to prevent a defrag operation (assuming the defrag program used only the Windows defrag API and didn't do direct disk changes, say, using a driver at kernel level), there are other operations that I'd like not to run while virtualized. There is no "do not run" policy listing (i.e., app rules) in Returnil that says what can and cannot run while virtualized although that would be handy. Having SRPs (software restriction policies), like those that are available in Windows, where you can block some programs from running would let users tailor what goodware can run while in virtualized mode. That's not there and might never be added so something that lets me test if my host is in the virtualized state for Returnil to then decide whether or not to allow a program to run (either by modifying its shortcut properties or scheduled event) gives me some control.
     
    Last edited: Dec 2, 2011
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
Actually, it is simple: the virtualization driver in RVS/RSS will simply terminate any attempt to perform a disk defragmentation and/or backup/imaging routine before it can do anything while in Virtual Mode. This is to protect data and files from becoming damaged and also a useless process given the mission of the software.

    The scheduling can be left in place however to take advantage of times when the Virtual Mode is turned off...
     
  3. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    Okay, that addresses the scheduled defrag so it gets blocked in virtualized mode. Still there's the AV scan that is superfluous when in virtualized mode. I doubt that gets blocked because you would be blocking the AV program in virtualized mode. I'm pretty sure Returnil claims to work with other anti-virus software (which really would be only for detection since quarantining or disinfection wouldn't be needed since a reboot would wipe away the malware).

So is there any way to get other programs blocked during virtualization mode? I gave anti-virus scanning (on-demand) as an example because it fits my case but I'm sure there are other programs the users don't want running when disk virtualization mode is active. If Returnil doesn't provide a means to test for virtual mode = active and since there are no app policies available to define in Returnil, is there some other means I can see that virtual mode is on so I can, for example, write a .bat file that starts the program or alter the shortcut's command so that it tests, and if virtual mode is active, does not run the program?

While it might seem counter to security to allow for detection that Returnil is active (in its virtual mode) since malware could do the same so it remains quiescent, I've seen malware that can detect when it is loaded under a virtual environ (virtual machine, sandbox, policy restrictions) so it's not like I'm asking for something that isn't already out there. The premise for me is that the virtual environ affords me some protection against accidental infection or corruption. It's not like Returnil can prevent me from installing the software outside of Returnil (when it's not active). I know of an example where I have goodware that I don't want running (the scheduled on-demand AV scan) but other users might have other similar requirements.
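The rvsstate.exe wrapper proposed in post #1 and the ".bat file that tests first" asked for in the post above are the same mechanism: a scheduled task runs a small gate, the gate asks a state probe whether virtual mode is on, and it only launches the real command when the answer is "no". The script below is an added example written for this thread, not a Returnil utility and not code from any poster. Nothing in the thread establishes a documented way to query Returnil's state, so the probe is a caller-supplied executable (-ProbePath) that you must provide yourself; its exit-code convention (0 = not virtualized, 1 = virtualized, anything else = unknown), the parameter names, and the log location are all assumptions of this example. The one defensive choice worth noting is the "unknown" branch: by default the wrapped command still runs, because a wasted on-demand AV scan costs less than a maintenance job silently never running; -SkipWhenUnknown flips that.

```powershell
<#
  Invoke-UnlessVirtualized.ps1  (added example; not a Returnil utility)

  Runs -TargetPath only when a caller-supplied probe reports that the host
  is NOT in a disk-virtualized session. Assumed probe exit-code convention:
      0  -> not virtualized  (run the target)
      1  -> virtualized      (skip the target)
      other, or cannot start -> unknown (see -SkipWhenUnknown)
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $ProbePath,     # hypothetical state-test executable
    [Parameter(Mandatory = $true)] [string] $TargetPath,    # the real scheduled command
    [string] $TargetArgs = '',                              # its argument line, as one string
    [string] $LogPath = (Join-Path $env:ProgramData 'Invoke-UnlessVirtualized.log'),
    [switch] $SkipWhenUnknown                               # fail closed if the probe is unusable
)

# Appends one timestamped line so skipped runs leave a trace for later review.
function Write-GateLog {
    param([string] $Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# Runs the probe and maps its exit code onto a three-state answer.
function Get-VirtualizationState {
    param([string] $Probe)
    try {
        $p = Start-Process -FilePath $Probe -Wait -PassThru -NoNewWindow -ErrorAction Stop
    } catch {
        Write-GateLog ("probe '{0}' could not be started: {1}" -f $Probe, $_.Exception.Message)
        return 'unknown'
    }
    switch ($p.ExitCode) {
        0       { return 'real' }
        1       { return 'virtual' }
        default {
            Write-GateLog ("probe '{0}' returned unexpected exit code {1}" -f $Probe, $p.ExitCode)
            return 'unknown'
        }
    }
}

# Launches the wrapped command and hands its exit code back to Task Scheduler.
function Invoke-Target {
    $startArgs = @{ FilePath = $TargetPath; Wait = $true; PassThru = $true; NoNewWindow = $true }
    # Start-Process rejects an empty -ArgumentList, so only add it when there is something to pass.
    if ($TargetArgs -ne '') { $startArgs['ArgumentList'] = $TargetArgs }
    Write-GateLog ("running: {0} {1}" -f $TargetPath, $TargetArgs)
    $proc = Start-Process @startArgs
    Write-GateLog ("{0} exited with code {1}" -f $TargetPath, $proc.ExitCode)
    return $proc.ExitCode
}

$state = Get-VirtualizationState -Probe $ProbePath
switch ($state) {
    'real'    { exit (Invoke-Target) }
    'virtual' { Write-GateLog ("virtual mode active; skipped {0}" -f $TargetPath); exit 0 }
    default {
        if ($SkipWhenUnknown) {
            Write-GateLog ("state unknown; skipped {0} (-SkipWhenUnknown)" -f $TargetPath)
            exit 3
        }
        Write-GateLog ("state unknown; running {0} anyway" -f $TargetPath)
        exit (Invoke-Target)
    }
}
```

To use it with the Auslogics task from post #1, the scheduled action becomes `powershell.exe` with the arguments `-NoProfile -ExecutionPolicy Bypass -File "C:\Tools\Invoke-UnlessVirtualized.ps1" -ProbePath "C:\Tools\rvsstate.exe" -TargetPath "C:\Program Files\Auslogics\Auslogics Disk Defrag\cdefrag.exe" -TargetArgs "c: d: -bk -o -dt"` (the C:\Tools paths are placeholders). The argument line is passed as a single quoted string on purpose: with `-File`, PowerShell hands every parameter through as a literal string, so a comma-separated array would not be split. Exiting 0 on a skip keeps the task's "last run result" green, while the log file records which runs were suppressed and why.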
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
The trick with third-party AVs while in Virtual Mode is to remember that whatever the AV does will only affect the virtual system. So you can update, scan, and even quarantine what is found, but at restart of the computer, the changes are lost.

I have likened this effect to a bouncing ball, but also note that RSS is capable of scanning and remediating the real system in Full Scan mode because RSS controls the real disk and thus access to the real system while other AV solutions are limited to the virtual system. Regardless, the third-party AV WILL work and do exactly what it is designed to do, just that anything found and quarantined only in the virtual system will come back at restart; until that time however, as you are using the virtual system, you are actually clean until the restart.

    You can also use the Virtual Mode in this scenario to test the removal of malware/PUP content that the third party AV detects. While this might seem to be strange, some removal situations with an AV can have unintended results (bad signature, etc) so why not test this in the Virtual System first?

    Putting that aside for the moment, please keep in mind that the purpose of RVS/RSS is to keep a system clean over the long term with emphasis on time to removal. This goal assumes a clean system when entering Virtual Mode for those exact reasons and it is good to ensure you are clean before entering Virtual Mode so that a clean real system is maintained.

    Mike
     