Does anybody use other security software?

Discussion in 'General Returnil discussions' started by fuquen, Jan 29, 2010.

Thread Status:
Not open for further replies.
  1. fuquen

    fuquen Registered Member

    Joined:
    Jan 3, 2010
    Posts:
    95
    OS : Windows XP Pro. sp2 with Firefox
    Returnil : RVS Home 2010

    Have used RVS for about one month.
    There is a "hunch" that the security software that comes with RVS is not enough.

    Does anybody use other security software?
    What are they?
    Any conflicts?

    Thanks!
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi fuquen,
    RVS 2010 is effective as both stand alone and in combination with a wide range of security strategies. The issue with perception is due to the messaging the industry and community have focused on: detection, detection, detection...

    The greatest problem with a primary focus on detection however is that, on average, detection technology only provides a 30% to 50% success rate at any given moment in time. Further, testing can only be performed on a subset of all existing malware with results tending to distort the actual performance potential of any program tested when compared to the total population of all possible malware.

    IOW - there is no scanning, blocking, or combination of these technologies that can provide 100% detection of all known/unknown malware with the logical conclusion that there is potential for malware to persist for long periods of time before it is discovered and addressed in these programs (Ex's: Rustock C, Conficker/downadup, Induc A, others yet undiscovered).

    RVS on the other hand is designed to focus on the time to removal of malicious content rather than strict detection or blocking of said malware. So even if the Virus guard component in RVS or another AV/AS/AM program you are using does not detect the presence of the content, it will be removed from your computer with a simple restart. So, rather than a potential for malware to persist for days to years, RVS virtualization can assure that it only persists until a restart. For the average user, this could be as short as hours or only until the end of the day.

    Traditional methods were never fully effective and are becoming less effective over time. What we as an industry and community need to do now is to go back and focus on security rather than get lost in the details of security. To make this clearer for the reader, think of the true goals of security (any type):

    1. Reduce risk
    2. Reduce the time of exposure to that risk

    RVS addresses these goals by providing a means to end malware persistence and to reduce the time of potential exposure for the user as well as others in their network. Further, if RVS is used consistently within a network, propagation of malware (ex: worm) can be terminated by restarting affected machines to contain the outbreak and clean the network with a single action. This reduces the need for expensive technical remediation and frees support staff for more productive tasks.

    Mike
     
  3. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    A lot of people use Sandboxie over top of Returnil. As I understand it, the reason is that if a keylogger or something does get into the browser, when you delete the sandbox you will not have to restart Returnil to be protected. I guess that is the reason anyway. It's another layer of protection that is more isolated.

    That being said, I use Eset Nod32, Prevx, PC Tools firewall, Sandboxie, Keyscrambler Premium, and last but certainly not least, I use Xerobank VPN.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Whilst it is true that a security strategy based solely on detection can never provide 100% protection, it is important to block the effects of malware. In order to do this virtualisation has to be combined with policy restriction in order to mitigate against the risk of data stealing or identity theft while the malware is active. It isn't only a question of how long the malware may be running undetected or how easy it is to remove by rebooting. Malware doesn't necessarily have to be running very long for data stealing or identity theft to occur.

    The file protection feature within RVS is a step in the right direction but isn't really flexible enough or comprehensive enough to provide a complete solution. Given the choice, I would have preferred to see policy restriction features developed in RVS 2010, rather than the addition of an anti-virus. It is the sophisticated policy restriction features present in Sandboxie for example, combined with virtualisation, that makes Sandboxie such a powerful application for browser protection.

    The main advantage RVS has over Sandboxie is that it protects the entire OS partition, not just individual applications. To answer the original question posed by the OP, a good solution is to combine RVS with another application that has good policy restriction features such as AppGuard, DefenseWall, GeSWall, Sandboxie, etc. If RVS develops in this direction, in time it may well become a complete standalone security software solution.
     
  5. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I use Defensewall + Returnil. Works great for me although it's the 2008 version of Returnil that I use.
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi pegr,
    We are working on a more robust approach in the virtualization engine upgrade. This includes non-system partition and disk virtualization with exclusions and support for SSDs by allowing the cache for these volumes to be created and maintained on another non-system disk or partition. This will come first with additional upgrades planned after this that will support the same for the (current) system partition.

    The RVS Virus Guard is not just a simple use of an antivirus engine though it can function as one when required. This includes policies and other things "under-the-hood" that will become more obvious as we go forward, especially when the new AI/machine learning engine is released in a future version. It still needs training so will be a bit yet before we can begin the public beta testing phase.

    SBIE and similar solutions are application virtualization, which is quite different from the virtualization used in RVS. This is why RVS and SBIE are complementary. We have plans to explore this type of solution in the future as additional protection when using RVS virtualization, but for the time being it is not a high priority due to other work we need to complete first and also depends on the level of interest from our customers.

    See my answer above, but also keep in mind that future versions of RVS will be different in some fundamental ways than it is today. Further, antimalware functionality in RVS will be more robust as it evolves to meet the needs of our customer and user base. One of these features will be a proactive "Distributed Immunity" feature that can keep the network and larger population of users as a whole better protected sharing information about good and bad programs/behaviors that also includes policies and other approaches not detailed here...

    Mike
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hello Mike,

    I'm aware that the longer term roadmap is to turn RVS into a one-stop security solution, and I applaud this as a worthy objective. I'm sure that in time RVS may become the only security application that I need to run, and I for one look forward to that.

    My response to the question posed by the OP though is still the same. If you are concerned about data and identity theft then the answer is no; it is not enough to run RVS on its own. Whilst it is not essential to be able to detect and prevent malware from running within the virtual system, it is vital to mitigate against the consequences and ensure that it can't access private data or log keystrokes while it is active.

    I hope you didn't take this as a criticism of RVS; it wasn't meant to be. My reason for posting in this thread was not to knock RVS, which I think does a fantastic job at preventing the physical file system from becoming permanently infected. Rather it was to comment on the question posed by the OP as to whether RVS in its present form provides sufficient protection to be used alone.

    Regards
     
  8. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    I understood what you were saying but went into "professor" mode too quickly - apologies. Something to think about here is the fact that there are many types of malware that attack traditional security solutions, like disabling the AV, and other things to get around these programs. So logically, this means that the programs used in a traditional strategy are also vulnerable to allowing the activation of malware. The risk is higher though, as there is no assurance that the malware would not be active across a restart or multiple restarts.

    RVS System Safe virtualization provides a robust answer to this scenario and this is why detection (which is required for blocking in many of these technologies) still does not provide a reliable means for ensuring a clean computer over time.

    Criticism is actually more valuable than praise in many cases as it helps focus attention on potential issues that need to be addressed, so never feel you have to apologize for negative feedback (when you give it). The focus here however, is whether RVS 2010 can be used as a stand-alone solution. Given the fact that the programs that can detect and/or block malware and PUPs have many gaps that malware can slip through, doesn't the time to removal model have more validity and further, should provide a higher level of protection over time?

    Mike
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hello Mike,

    Yes I agree, which is why I have been a keen advocate of virtualisation for quite a while now. Shortening the time to removal and returning the PC to a known clean state on reboot are both very important. Over a period of time, system partition virtualisation should provide a higher level of protection if used regularly.

    In addition to protecting the machine from the user though, there is also the question of protecting the user from the machine, and this is where issues of data and identity theft come in. For people who never shop or bank online, and have no personal data stored on their PC, RVS may be all they need to keep them safe.

    Whilst virtualisation can (and for me does) provide the cornerstone of a security strategy, it can be effectively combined with other techniques such as policy restriction. Good examples of programs in this category are: AppGuard, DefenseWall, and GeSWall. Using a so called 'policy sandbox' would be enough to defeat the greater majority of malware (including keyloggers) in the first place. Used in conjunction with light virtualisation this can provide very effective security.

    In practice, it's not uncommon for programs to adopt a hybrid approach, combining both virtualisation and policy restriction to some degree. DefenseWall and GeSWall both (I believe) combine policy restriction with limited virtualisation. Sandboxie combines application virtualisation with policy restriction. RVS has basic file protection and anti-execute features (I would like to see RVS develop further in this direction in the future).

    I also believe that it's still important to run an antivirus even if it is an imperfect technology. One category of threat that both virtualisation and policy restriction are largely ineffective against is social engineering. A pure phishing scam that aims to trick the user without simultaneously exhibiting suspicious behaviour can only be detected and prevented by blacklisting.

    For these reasons, I do think that, for most people, a layered approach to security combining different techniques is likely to yield the best results overall.

    Regards
     
  10. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    No argument here and I totally agree. "Light virtualization" can be used with a plethora of other strategies and programs to achieve a desired goal.

    All true, and an approach that is championed by Blue in many of his discussions regarding the use of policies. The only sticky point here is with the experience level of the user. This is also especially true with advanced programs like AG, DW, and GW; if you answer the alert the wrong way, you open a hole that malware could potentially exploit. This does not mean that these programs are ineffective, on the contrary, they are all excellent choices, but the caution still remains.

    This is not entirely true, as the key (if the malware is not detected outright) is the behavior it may exhibit once it activates. But if the phishing is successful, there is often little that a software solution can do if the user is determined to click that link regardless of the risk. This is also a problem in cases of a physical access attack which is better handled by a hardware solution in many cases.

    I totally agree, and we do not advocate that RVS 2010 alone is the only solution or strategy that will yield optimal results. What we are saying is that using RVS 2010 alone can also be a valid configuration if the user decides to use that approach.

    Mike
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    By and large, this is not true of policy restriction programs such as AG, DW, or GW, or application sandboxes such as Sandboxie. They will simply block silently and, depending on configuration, may also display an alert that a prohibited action has been automatically disallowed. In order to override this, the program's protection must FIRST be suspended BEFORE the behaviour is encountered. This provides a level of safety and convenience that makes these types of program suitable for users of all levels of experience.

    Your point is certainly valid with respect to classical HIPS programs and some other classes of behaviour blockers though, which do require the knowledge (and willingness) to answer alerts correctly. I agree that these types of program should be approached with a degree of caution by less experienced users.

    I think you misunderstood what I was saying. When I said "a pure phishing scam", what I meant was those scams that aim to exploit the user and trick them into compromising themselves in some way, without otherwise attempting to engage in any suspicious behaviour. Clearly if the scam also involves an attempt to exploit the PC and infect the system with malware then behavioural techniques and virtualisation may be successful in dealing with, and containing, the malware aspect. What virtualisation on its own won't do is to protect against any data or financial loss, or identity theft, that may occur from the scam itself, or from any malware that may be running within the virtual system.

    The point I was trying to make is that whilst detection using conventional AV type techniques can never be 100%, it's still a useful additional layer as there are certain types of threat that can't be adequately dealt with by virtualisation or behaviour blocking alone.