Considering Returnil.

Hi, I'm considering using Returnil system safe but I need some advice on a couple of things first if someone could help that'd be great, I apologize if this has been asked before but my questions are: Do I need to uninstall Avira free or can I keep it installed with Returnil and do I need to uninstall Comodo fw w/d+ or can I also keep that alongside Returnil?

Thanks for any help and advice, any suggestions for other security products to run alongside Returnil would also be much appreciated, I'm starting to feel like I'm living in the dark ages by using a regular av lol.

Edit: Just to add I'm using windows 7 x64

 

Hell Breakfastofchumps and welcome to the forums

No, but the order of install may be relevant in rare cases. In most cases, you can simply install RSS or RVS and be good to go, but if you encounter an issue where the install did not complete properly, it may be due to interference with the process so you may need to uninstall the other programs you mention, install RSS or RVS and then reinstall the other programs.

The Virus Guard in RSS is compatible with both Avira and Comodo so that will not be a problem. The only issues that do happen (rarely) are as described above where a component install was blocked by sandboxing with the AV and/or a block by HIPS for whatever reason.

Mike

 

Hello Mike,

When it comes to virtualization programs such as Returnil I'm a total noob (which may soon become obvious).

Your reply (above) leaves me confused. I was under the impression that when you reboot a Returnil system all current program installations, updates, etc, are gone. If that is correct, why would you suggest installing an AV and FW programs after installing Returnil?

Wendi

 

Hi Wendi,

Excuse me for butting in here but I think what Mike meant was to install the other programs after installing Returnil but without the virtual mode enabled. As you correctly surmise, the whole point of Returnil is to remove all system changes on reboot that have taken place within a virtual session after the virtual mode has been enabled. If the virtual mode is not enabled though, all changes will be made directly within the real file system.

A few other points regarding Returnil virtualization that you may find useful in relation to Returnil, and which may also help to answer some questions you have posted in other threads regarding virtualization solutions.

There are a few types of malware that are able to bypass disk virtualization on its own. This is true for all products of this type, and is not restricted to Returnil. In order to guard against this specific threat, and also to provide additional protection against malware while the virtualization is enabled, Returnil (the company) chose to incorporate an AV into their product, specially tailored to close the gap in protection.

There are two versions of Returnil: Returnil System Safe (RSS) and Returnil Virtual System (RVS). RVS is for people who only want the virtualization without the included Virus Guard AV and is available as a paid version only. RSS includes the Virus Guard AV and is available in both free and paid versions. The difference between the free and paid versions of RSS is that selective file and folder commits when the virtualization is enabled are only possible with the paid version. With the free version, it's all or nothing: commit all changes or discard all changes on exit from the virtual mode. As part of the strategy of creating a layered security both RSS (free and paid) and RVS include an anti-executable component that is active while the virtual mode is enabled.

As you would expect, RVS is slightly cheaper than RSS because RVS doesn't include Virus Guard. I believe that with RSS, all Virus Guard updates will be preserved irrespective of the virtualization status, so you don't have to worry about whether the Virus Guard updates will survive after exiting the virtual mode. This is possible because Virus Guard is an integral component of RSS (Mike will correct me if I'm wrong about this).

The RSS/RVS tray icon colour shows the protection status: green for protection enabled; red for protection disabled. With RSS, you can choose whether the tray icon colour reflects the Virus Guard real-time status or the virtualization status. By default when you install it, RSS displays the Virus Guard status but this can be changed in the RSS settings if you prefer to see the virtualization status in the system tray.

In addition to virtualizing the system partition, both RSS (free and paid) and RVS can be set to virtualize additional partitions if required.

I hope the above is of use.

Regards
pegr

 

Hello pegr ...and thank you for your detailed explanation! I now have a better understanding as to what Mike meant and a little more knowledge about how Returnil works.

The only thing you said that still leaves me somewhat confused was your comment in response to another post of mine...

From what I've read, Shadow Defender (without an antivirus addition) has been shown to be inpenetrable by malware. Your comment would indicate your disagreement with that...

Wendi

 

Maybe i would be easier for you to simply use Windows firewall instead of Comodo with d+, because after a reboot all the comodo pop-ups in which you have choosen something like "Remember this option" will be back.

 

Hi Wendi,

Shadow Defender during the course of its development was hardened against certain types of malware (robodog for example) that were able to bypass the disk virtualization, as the Shadow Defender change log shows: http://www.shadowdefender.com/history.html

Shadow Defender's anti-malware features are built into the program internally in addition to the virtualization functionality so they are invisible but they are there.

In principle, all security software has potential vulnerabilities and disk virtualization is no exception. Whilst Shadow Defender appears to be impenetrable against existing malware techniques, without active development Shadow Defender could yet prove vulnerable should a new malware technique capable of bypassing the virtualization be discovered that Shadow Defender isn't hardened against.

This whole issue was discussed a while back in the following thread: Software that has commit to real system?

The approach that Returnil takes to security is a multi-layered one with disk virtualization at its core, but also incorporating additional antivirus, file protection, and anti-execute features to cover the weak spots that virtualization alone can't address.

The security issues extend beyond the question as to whether or not the virtualization can be bypassed. It's also about preventing the damage that malware can do in terms of identity and data theft if allowed to run.

Regards
pegr

 

pegr, that all makes very good sense to me - but after reading your replies here I can't help but wonder why Shadow Defender (and not Returnil) appears in your signature?

Thank you,
Wendi

 

Hi Wendi,

That's a very good question and the reason is partly historical.

I am running version 1.1.0.325 of Shadow Defender, which is the last official version before the developer went missing; and the whole question of the authenticity of the Shadow Defender website, and who is currently running it, was called into question. The Shadow Defender licence is lifetime and I purchased mine at a time when the product was still under active development by the developer. No doubt you've seen the other threads where these issues have been discussed.

I was previously a licensed user of Returnil. When I switched to Shadow Defender, Shadow Defender had two features I wanted that were missing from Returnil at the time: multi-partition virtualization and the ability to make permanent file and folder exclusions without the hassle of having to do regular manual commits. Since then, multi-partition virtualization has been added to RSS/RVS and the ability to do scheduled file and folder saves has also been added to the paid version.

If I were starting from scratch now, I would have to think seriously before purchasing a licence for a product that is unlikely to see any further development from an unknown vendor whose credentials are uncertain. Two things I look for in paid security software are a pattern of active development and good product support for the users by a vendor I can trust.

As you will see from my signature, my own approach to security is based on a mixture of system-wide virtualization and system-wide policy restriction as the primary layers, combined with anti-malware as a secondary layer. Shadow Defender is solely a disk virtualization utility, whereas Returnil has developed into a one-stop security solution with all of the layers combined within a single program.

Because of this difference, Shadow Defender should not be relied upon as a complete security solution on its own. If running Shadow Defender, it should be used in conjunction with other approaches. Returnil on the other hand can be used on its own, but can also be combined with other products if desired. They do strive to maintain compatibility with other security products as far as possible.

No doubt I will have to reconsider my options at some point, but I can't see any compelling reason to do so as long as Shadow Defender continues to run well on my system and fulfils my requirements. At the moment, Returnil wouldn't be adding anything extra functionally to what I've already got; and I would be paying an annual licence fee for no additional benefit. The situation for me will change if and when Returnil integrate the experimental Multi-Snapshot feature into RSS/RVS, something they've been talking about for some time now. Extending Returnil's disk virtualization technology to include an ISR rollback type feature would finally solve the problem of using Returnil to test software that requires a reboot. See here: http://www.returnilvirtualsystem.com/returnil-labs.

Regards
pegr

 

It seems the last beta version of Returnil Multi-Snapshot is from July 2010 - over a year old. I can only speculate what that means. Maybe Mike can fill us in on the status of this project. Has anyone tried this application?

Al

 

Thank you pegr for your well thought-out reply. Your commentary makes good sense to me.

Thanks again,
Wendi

 

Hi Adric,
RMSE was/is only a demonstration program to test a form of our multi-snapshotting engine and though we thought about making it its own product line, we eventually decided that its original purpose was sufficient and that we would be adding something later that would be:

1. More robust
2. More useful
3. Integrated into the RSS line as an additional restoration option

The RMSE beta uses our virtualization technology to create simple incremental snapshots and for this purpose it was/is quite successful at what it does. There is more coming in the 3.3x series and we plan to begin moving to a limited external beta soon where you will get a chance to kick the tires before it goes to full public testing.

Mike