How to use ShadowProtect + Returnil as a replacement for an Antivirus

Discussion in 'sandboxing & virtualization' started by Paul Keith, Nov 23, 2008.

Thread Status:
Not open for further replies.
  1. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Hi, I asked about the topic here because someone recommended the combination but I've never used these programs before and don't know how to switch to these.

    http://www.donationcoder.com/Forums/bb/index.php?topic=15779.0

    I'm thinking with the new wave of viruses that can't be detected, I might as well replace my anti-spyware and antivirus scanners for these in combination with a HIPS.

    Does anyone also have any recommendation for what to look for in a great HIPS?
     
  2. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Anyone?

    Topic too stupid to answer?
    Not worth your time?
    Newb must post x times to get replies for advanced stuff?
    Google it Mother****er?
    Read the ****ing Search button?
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    dont need both to replace your antivirus,just choose one of the 2 and you will just be fine without and antivirus:D
     
  4. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Thanks. Could you provide some more details though? First time I'm going to use these kinds of programs.

    Casual user knowledge to security and from what I understand, they're like much more advanced versions of System Restore, Erunt and Sandboxie that utilizes virtualization stuff which allows for a direct safe copy of your PC as long as you don't mind restarting? Is this correct?

    I'm just a bit skeptical because I'm so used to scanners like antiviruses and I'm not seeing many threads converting to these programs so I wanted to know more details.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Paul, I don't have time tonight, but tomorrow I'll try to give you my take on what you are asking.

    Pete
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    PS. How many disk drives in your machine.
     
  7. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    2 and thanks.
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    It is true that using ShadowProtect and a virtualizer like Returnil one doesn't need to run any scanner. ShadowProtect is an imaging program which will save you from the ultimate disaster: Sudden death of your HD. If you have two drives, I'd put the backup image on the drive that that is not hosting the OS. Even better IMO would be to put the image on an external USB Drive, which will be safe from physical destruction (fire, theft, etc.) and virus contamination (rare but possible).

    Returnil would probably act as your daily cleaner: It virtualizes the disk/partition on which it is installed, and any changes good or bad are deleted with a simple reboot (it will only cover the disk/partition where it is installed, unlike other applications which will virtualize everything). If you are running Vista, don't forget to disable the hibernation function as it creates a hard conflict with Returnil (my computer crashed corrupting the partition table). Returnil promised to fix the bug, I really don't know whether they did.

    This is general info, I think you need to ask specific questions and above all trial these programs. I don't think they are a replacement to an antivirus, as they are doing different things and should be used whether you decide to run an antivirus or not. If you want to save anything to disk you need to have HIPS (+ patience and knowledge) or an antivirus to check known malware, there is also AntiExecutable from Faronics (white list based application) which will block any executable, the new version is great if it doesn't conflict with other applications (I have a license, but alas it conflicts with FD-ISR Rescue).

    I hope this will give you some food for thought.
     
    Last edited: Nov 26, 2008
  9. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I run a similar setup on one of my systems. I run faronics deepfreeze and antiexecutable. Deepfreeze reverts all changes upon reboot and antiexecutable stops any unauthorized program from running. I simply setup my system exactly how i want it, then enable both programs which keeps my system nice and clean. Once a week i'll backup the system then disable the protection and perform any required updates. If theres no problems i enable the security again and get back to work.

    One possible free combination you can try is returnil free combined with online armor free. Make sure your system is clean then install returnil. After that install online armor with returnil disabled and as you go thru the installation steps set everything to trusted. Once thats done enable returnil and you should have hassle free computing. Online armor will only pop up if something changes.
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    very good security aproach:thumb: :thumb:
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hi Paul

    Depending on what you do a couple of suggestions for this approach. First with two disks I'd suggest going with ShadowDefender as opposed to returnil. Returnil can block access to your 2nd drive, but won't shadow it. With Shadowdefender you can shadow both drives. I've tested this even shadowing a huge VM machine directory, making a change in the vm machine and then rebooting and all worked.

    2nd, what I would do is run Shadowprotect's continous incremental's and you can take them every 15 minutes with no system impact. Then use shadowprotect when you feel your are going to do something extra risky. I am not sure what effect SD will have on Shadow protect. May test this out later this week.

    I'll PM you another suggestion as it would take this thread off topic.

    Pete
     
  12. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Thanks everyone for the suggestion. I'm currently considering what's the best approach for me. One thing I'm really not sure of is whether I can cope with the annoyance of having ShadowDefender/Returnil consistently requiring a restart on my part because I often have my PC running barring a power outage.

    I'm also not quite sure with having a HIPS with an Anti-virus. I've used Spyware Terminator's in the past and it seemed more hassle when Avira already detects and blocks the infected programs anyway.
     
  13. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    It doesn't consistently require restarting. Only when you want to revert changes do you need to reboot. The only time i will reboot my system is when i want a clean system to do my online banking/shopping.
    HIPS can be a hassle if you are constantly changing your system, a behaviour blocker might be better suited in that situation. If you keep a steady system then hips work very well and will only alert you to new system changes such as some malware trying to execute.
     
  14. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    What's a behaviour blocker? I was under the impression that it was just another name for a HIPS.

    Couldn't running ShadowDefender/Returnil screw your settings up during a power outage if the rebooting reverts the changes? I was under the impression it reboots when you want to keep the changes.
     
  15. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    There is always the option of running with Avira free, Defensewall and Threatfire. I've been using this combo for awhile with no noticeable slowdown.
    I use Shadow Defender when my wife, the famous Mrs. Click, is using the pc.
    Shadowprotect is there for when I want to restore an image.
    None of my security hits me with a slowdown.
    I can leave my pc on for weeks if I want. Usually no reboots needed.
    Just a thought.
    Enjoy the day.
    Hugger
     
  16. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Thanks Hugger but my problem with Avira isn't so much that it's causing slowdowns but that I'm looking for a way to reduce the scanning and constant upgrading on the users' part so it can be installed in a casual users PC without them having to even check their security settings at all and this whole new slew of programs seems like it has the potential to do just that.

    Also it would be nice to finally stop scratching my head on how to bypass false positives while the real time guards are blocking it without searching far and wide on multiple forums although Avira rarely gets any false positive.
     
  17. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    A behaviour blocker is something like threatfire or mamutu which monitor your system for suspicious behaviour. It more of an automated hips i guess rather than the classical hips.
    The paid version of returnil gives you the option to either keep or remove changes upon reboot, the free version only has the remove option. Its possible that your system could get screwed during a power outage no matter what you are running. In the past i've tested returnil against a power outage and my system rebooted just fine with the changes reverted.
     
  18. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Avira's scanning can be done as often or infrequently as you want. Just set it up that way. Avira on my pc, with default settings, is minimally invasive. I haven't had a false positive in many months, if I remember correctly.
    Threatfire scans my pc only when I want it to. Straight out of the box this behavior blocker works well.
    Farmerlee is right about Returnil. I prefer Shadow Defender but the choice is yours.
    Defensewall might have more of a learning curve than you want.
    In that case you might want just, as an example, Avira(could even be the free version), Threatfire and Returnil or Shadow Defender.
    Good luck.
    Hugger
     
  19. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Finally installed ThreatFire. So I see this is like the recently mentioned PrevX Edge. My apologies for forgetting what a behaviour blocker is.

    Is this really worth it? When I first read about the idea, I avoided it because it didn't sound like it would be any different than manually scanning each individually downloaded files but also slow down the PC for users and right now it is indeed slowly initiating things and my PC is running slowly. I'm not even sure if the setup had hung or it's normal for this to take this long.
     
  20. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    ive experienced slow loadings and freezes with threatfire, thats why i switched to Mamutu, and havent had a slow down in any way since. and i definetly think it is worth using.
     
  21. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Unfortunately, my experience with ThreatFire was largely unproductive. At first I just thought the setup was slow as it was saying ThreatFire was initiating.

    Having left it for half a day, it stayed the same so I didn't attribute this to Threatfire scanning my files. Force restarted and Threatfire looks to have been installed. Started scanning and several error msgs popped out during the course of it's process (not all at the same time.)

    First there was the IEscript error, then the VBruntime error... despite this ThreatFire was still scanning but the last draw was when Threatfire had to close at around 80% of it's scanning time.

    Checking the threats, it really didn't detect anything outside the common false positives like LvLLord's TCPIP.Sys Patcher and stuff like that. I credited this to setting it to it's maxed settings but still the slowdown coupled with the errors made me fear installing these behaviour blockers on casual users' PC.
     
Loading...
Thread Status:
Not open for further replies.