AV/AM

Discussion in 'Returnil releases' started by Hugger, Dec 11, 2010.

Thread Status:
Not open for further replies.
  1. Hugger (Registered Member; joined Oct 27, 2007; 1,003 posts; Hackensack, USA)
    Would somebody tell me what anti virus/anti malware Returnil is using?
    Thanks.
     
  2. skokospa (Registered Member; joined Apr 1, 2009; 177 posts; Srbija)
    F-PROT Antivirus
     
  3. Hugger (Registered Member; joined Oct 27, 2007; 1,003 posts; Hackensack, USA)
    OK.
    Thanks.
     
  4. Coldmoon (Returnil Moderator; joined Sep 18, 2006; 2,981 posts; USA)
    Hi Hugger,
    The F-Prot engine is only part of the Virus Guard which also includes our own engine and updates as well.

    Mike
     
  5. skokospa (Registered Member; joined Apr 1, 2009; 177 posts; Srbija)
    Hello Coldmoon,
    I have a few questions:
    1. Does the Returnil AV work in real time both when Virtual Mode is enabled and when it is disabled?
    2. If the AV is working in real time all the time, why are there no settings for real-time scanning? Do you plan to add these settings?
    3. Does the antivirus scan e-mails?
    4. Can you tell us which AV engines you use in addition to F-Prot? Say behavioral, HIPS, antispy, etc.
    5. Do you plan to add AV scanning functions to the context menu?

    Regards
     
  6. Coldmoon (Returnil Moderator; joined Sep 18, 2006; 2,981 posts; USA)
    The Virus Guard works regardless of your Virtual Mode settings unless you deliberately turn the Real Time monitor off in the settings.

    No, as it is not needed. The Real Time monitor is extremely light, as it is focused on new content rather than the traditional approach of continuous, performance-hogging monitoring of the file system. This is part of the overall strategy of RSS, where Time to Removal of malicious/PUP content is the proper goal, as you can actually achieve 100% removal as opposed to the impossible task of 100% detection.

    Detection will always lag your ability to revert to a clean state (Virtualization) or restore to an earlier time (System Restore). Combine this with targeted default-deny Anti-Execute and you can see why detection, though important as a feedback element, is less important as far as keeping your system clean over time is concerned.

    No, as the scanning of e-mails is actually unimportant at the client level. Where it is essential is at the ISP or mail service provider/mail server level, before it has a chance to get to your computer. If something new gets past the network/ISP level, the attempted saving of an e-mail to the real system would trigger a check of the content you are trying to save. If still not detected, the changes would be lost at restart with Virtual Mode active, and would also be lost should a System Restore or File Restore be required for whatever reason.

    The Anti-Execute also has a part to play here by blocking the activation of any attachments and/or scripts/on-line programs from a suspect site linked to from said e-mail.

    E-mail scanners are more marketing-driven than security-needs-driven, except at specific points in transit outside of the client level. As noted, this is more appropriately handled at the network/ISP level. The main reason for this is the adjustment the mal-devs have made in response to better filtering of blatant malware content attached to e-mails.

    The other engine I mentioned is our server-side machine learning and Artificial Intelligence technology. This works hand-in-hand with the client-side behavioral analysis, which collects suspicious file and behavior information that is then analyzed at the server level. Once analyzed, the server automatically updates all RSS clients several times a day.

    This includes new detection capability, but also works to correct false positives as well.

    We may explore this in the future, but at the moment it is not critical to the overall RSS security strategy, as the same effect as a right-click "Scan file with..." option can be achieved through the Full System scan by unchecking the general scan options and then specifying the target file as part of a "Custom Scan".

    This is not as simple to use as a context menu option, but is consistent with the expectation that any new content you try to download, or that is contained within a newly attached device (ex: USB or media card), is scanned by the Real Time monitor immediately. So rather than worry that you would need to manually scan a file, you can be certain it is already scanned as soon as it appears.

    Another thing to keep in mind here (if you have not yet noticed it) is the fact that a fresh catch-up rescan will be performed when a new signature and/or server-side Cloud update is downloaded at the client, further reducing the need for the user to worry about remembering to perform a single file scan or re-scan following an update.

    Mike
     
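The post above describes four cooperating mechanisms: a real-time monitor that scans only new or changed content, a default-deny Anti-Execute, a virtual session whose uncommitted changes are discarded at restart, and a catch-up rescan of previously admitted content when signatures are updated. The following is an added toy model of that architecture written for this page; it is not Returnil's code and makes no claim about how RSS is implemented internally. Signatures are represented as plain byte patterns, the disk as a dictionary, and all sample paths and payloads are constructed for the illustration.

```python
import hashlib


class VirtualSession:
    """Session-scoped view of the disk: writes land in an overlay that is
    discarded on restart unless explicitly committed to the real system.
    (Illustrative model of 'revert to a clean state', not Returnil's code.)"""

    def __init__(self, real_fs):
        self.real = real_fs   # dict path -> bytes: the persistent system
        self.overlay = {}     # writes made during this session only

    def write(self, path, data):
        self.overlay[path] = data

    def read(self, path):
        return self.overlay.get(path, self.real.get(path))

    def commit(self, path):
        """Deliberate save to the real system (the point a monitor would check)."""
        self.real[path] = self.overlay[path]

    def restart(self):
        """Uncommitted session changes are lost; returns the surviving disk."""
        self.overlay.clear()
        return dict(self.real)


class NewContentMonitor:
    """Scans only content that is new or changed, remembers what it admitted,
    and re-checks that content when new signatures arrive."""

    def __init__(self, signatures, exec_allowlist):
        self.signatures = set(signatures)          # hypothetical byte-pattern signatures
        self.exec_allowlist = set(exec_allowlist)  # default-deny: only these may run
        self.checked = {}    # path -> sha256 of content already scanned
        self.admitted = {}   # path -> content that scanned clean (catch-up candidates)
        self.blocked = {}    # path -> signature that matched

    def _match(self, data):
        return next((s for s in self.signatures if s in data), None)

    def on_new_content(self, path, data):
        """Real-time hook: unchanged content is skipped, new content is scanned."""
        digest = hashlib.sha256(data).hexdigest()
        if self.checked.get(path) == digest:
            return "skipped"
        self.checked[path] = digest
        hit = self._match(data)
        if hit is not None:
            self.blocked[path] = hit
            self.admitted.pop(path, None)
            return "blocked"
        self.admitted[path] = data
        return "clean"

    def on_signature_update(self, new_signatures):
        """Catch-up rescan: previously admitted content is re-checked against
        the enlarged signature set; returns the paths newly blocked."""
        self.signatures |= set(new_signatures)
        newly_blocked = []
        for path, data in list(self.admitted.items()):
            hit = self._match(data)
            if hit is not None:
                self.blocked[path] = hit
                del self.admitted[path]
                newly_blocked.append(path)
        return newly_blocked

    def may_execute(self, path):
        """Default deny: execution is permitted only for listed, unblocked paths."""
        return path in self.exec_allowlist and path not in self.blocked


def demo():
    # Constructed sample data (not real malware): byte patterns stand in for signatures.
    real_fs = {"C:/Windows/notepad.exe": b"MZ notepad"}
    monitor = NewContentMonitor(signatures={b"KNOWN_BAD_1"},
                                exec_allowlist={"C:/Windows/notepad.exe"})
    session = VirtualSession(real_fs)
    r = {}
    # 1. Known malware arriving as new content is blocked on arrival.
    r["known"] = monitor.on_new_content("C:/Users/x/Downloads/a.exe", b"MZ KNOWN_BAD_1")
    # 2. A novel sample with no signature yet passes the scan ...
    novel = b"MZ NOVEL_DROPPER"
    r["novel"] = monitor.on_new_content("C:/Users/x/Downloads/b.exe", novel)
    # ... but default-deny Anti-Execute still refuses to run it.
    r["novel_exec"] = monitor.may_execute("C:/Users/x/Downloads/b.exe")
    r["trusted_exec"] = monitor.may_execute("C:/Windows/notepad.exe")
    # 3. It was written inside the virtual session, so a restart discards it.
    session.write("C:/Users/x/Downloads/b.exe", novel)
    r["after_restart"] = "C:/Users/x/Downloads/b.exe" in session.restart()
    # 4. Unchanged content is not rescanned on a second appearance.
    monitor.on_new_content("C:/Users/x/doc.txt", b"hello")
    r["repeat"] = monitor.on_new_content("C:/Users/x/doc.txt", b"hello")
    # 5. A later signature update triggers a catch-up rescan of admitted content.
    r["catchup"] = monitor.on_signature_update({b"NOVEL_DROPPER"})
    return r


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one argued in the post: the novel sample is never "detected" on arrival, yet it is contained three times over (it cannot execute, it does not survive the restart, and it is caught by the catch-up rescan once a signature exists), which is why time-to-removal rather than detection rate is the metric the strategy optimises.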
  7. skokospa (Registered Member; joined Apr 1, 2009; 177 posts; Srbija)
    Thanks for the detailed response.
    Excellent piece of software. Last night I bought a license for two years.
    21€... And in the country where I live this is not a lot of money.
    Too bad you do not have distributors in Serbia.

    Regards, Mike
     