Discussion in 'sandboxing & virtualization' started by Genady Prishnikov, Dec 16, 2007.
Are there any real differences? If so, what are they? Thanks!
With PowerShadow you can choose to virtualize/protect your system partition only or all of your partitions. Returnil can only virtualizes/protect your system partition. Returnil has a free version, whereas PowerShadow no longer has a free version. Both can be turned on at anytime manually without a reboot, and both need a reboot to either turn off protection and/or clear changes.
I have Returnil's latest release version and PowerShadow 2.8.2 and they both work as advertised. I've only used them on demand and not full time.
This being said another difference would be is that PowerShadow all known versions does not protect system C: from sector fills tested against Julie Lau's Sector Editor v1.05.
I have tried both and to me there isnt a comparision over Returnils beta. It allows a lot more flexibility, has forum support here, and I just personally think it is a more secure solution. To me it is a a no-brainer.
Never tried Power Shadow but sounds extreme... is there anyone who likes to have a total frost? I guess a frost of C:\ is enough isn´t it?
Support from the developers of Returnil is excellent and seems to be setting the standard in protecting most areas of the system.
Returnil may have taken a clear lead in being able to protect against sector editing.
If any flaws are found within Returnil it doesn't take long before it's patched.
PowerShadow is still a good product.
I'm actually using both products (PS V 3.0 and Returnil 2008 beta) on different machines, along with the other options in this category (Shadow Defender and ShadowUser Pro) just to get my hands around the approach and to develop a better sense of it.
In terms of active support by the vendor, PowerShadow and Returnil are the clear leaders with the primary difference being that PowerShadow's is via their dedicated support channels (Email, Windows Live IM) and while Returnil's is a combination of forum, email (I assume), and PM.
Currently, all of PowerShadow's support is provided out of Beijing, so you'll have to contend with time zone differences. Fortunately, language is not an issue for English speaking customers, their communication skills are excellent and the time zone differences are not terribly bad for North/South American customers in that the Beijing workday coincides with evening hours in these time zones (they are 13 hours ahead of East Coast US time for example).
Returil has support coverage in the US and Europe and it's been very responsive to date, as any member can note by examining the relevant threads on this site.
While the main function of these products are the same, they do have somewhat different implementations and minor feature set differences:
Returnil currently protects the system partition only, while PS has two different operating modes - one for system partition protection and the other for protection of all non-mobile volumes on the systems. System partition protection is clearly the most critical facility.
While operating in protected mode, one is able to commit changes to the system partition using the File Manager facility in Returnil 2008. The specific folder to commit, as well as those changes, can be dynamically handled while in shadow mode (Shadow Defender is similar in this regard). There is an analogous facility in PowerShadow while in Single Shadow mode that uses a folder relocation, but this has to be done prior to entering shadow mode and physically relocates the folder to an unprotected volume (single shadow mode only)
Both products can enter shadow mode without a restart, and both require a restart to exit shadow mode. Neither carry shadow sessions across restarts (as is possible with ShadowUser Pro, but ShadowUser Pro requires a restart to enter shadow mode in the first place).
Pricing on these products could be a little clearer. Returnil 2008 is quoted (see here) as $24.95/yr. I assume the subscription model is similar to that for the business product and provides for any software upgrades and dedicated support during the subscription period. PowerShadow's cost is a little higher ($39, although the base cost is supposedly $49, there 20% off at the moment), this covers support via email and minor version updates and bug fixes. Presumably a major version upgrade would be available at reduced cost. In my own experience, the long term differences in these pricing models are inconsequential. Both prices are for single PC's.
As noted in the thread Returnil Passes Sector Editor Test!, the current Returnil 2008 beta build (126.96.36.19921) now protects against low level sector edits using Julie Lau's Sector Editor (available on plenty of Asian sites, use http://www.google.com/search?hl=en&q=sector editor 188.8.131.52&btnG=Search and be cautious). I tried a similar experiment with PS V 3.0 using Sector Editor V 184.108.40.206 in single shadow mode. Rather than allowing the changes, and then restoring them on a restart, PS blocked the application from performing any write - shadowed or otherwise. Rather than block fills, I used simple manual edits (although either operation is blocked).
There are some additional minor differences. Both products are young and how the vendors approach specific issues now (specific implementation, pricing, licensing, support, etc.) could change depending on demands in the marketplace. As far as I can see, both products are quite stable (as are the other two options for that matter), function as advertised, have good support mechanisms in place in the event of problems, and both are worth further examination by anyone interested in this application area.
There is going to be a new pricing structure for Returnil 2008 Premium Edition when it is ready. It is going to be very competitive and I think a 2 year license. I have heard the pricing but dont want to publically state it for obvious reasons. Coldmoon will pop in Monday and he may offer some details. There will still be a free version but obviously not as many functions as the paid version.
I am running it on 2 machines and unless something pops, I am happy. It works and that is what counts.
Here is the best thing about not having a suite drag my internet connection down. The following is what I am getting with DSL and using Returnil. Before it was sometimes 1/2 of this.
I use Returnil all the time without issue. I tried PowerShadow and did not like the fact that once installed on one machine I could not automatically remove it and then install on another. I was also unfortunate in that the machine I chose to test it on did not get on very well with PS. When it worked it was fine but every so often I would get a message saying that it had a problem and would have to shut down. The help at Powershadow was excellent and I feel sure that if I had continued to investigate I would eventually discovered the conflict but with 2 copies of DeepFreeze and Returnil I saw no point in continuing.
I´m still trying to figure out how to use these apps, basicly I would like to do software testing on my "real machine" because IMO virtual machines are too slow. Are these apps suited for that?
If what you want to test requires a reboot to install then the current Returnil would not be suitable as it will not keep changes over a reboot, not sure if this changes in any advantagous way in the new build.
Is this really a problem ? Keep C: fairly small (under 5 gig) and use Returnil to keep things the way you want them. Then you decide to try a new program.
Use Acronis 10 or your favorites image program to make an image ( less than 2 mins). Install the test program and play for a day or so. Then restore your original image ( 4 mins max). A good imaging program was an essential anyway I would think and used together with Returnil it works quite well.
It is if he wants to use Returnil for testing. For me it's not a problem since I have another computer for testing, and imaging software, and fd-isr, I was simply replying to a question as it was phrased.
I think there is a way to do this. Install the program, include into one folder to be saved on reboot, then on reboot mount your virtual drive and use it. When you reboot if you dont save any changes the program made, they wont be saved. Turn off Returnil and uninstall the program.
Or load the program with Returnil off, turn on Returnil on reboot and do what you want. The only thing that will be their on reboot with will be the orginal installation which you uninstall. Again, coldmoon may know a better way, or this is exactly what their developers need to know for the future. coldmoon asked for as much feedback from here as possible.
Could someone please explain to me the major differences in the Returnil free addition compared to the Premium version. At a later date I plan on installing Returnil on my system but am confused as to which version would be best for me. I have no problem in paying for the Premium version but I am not sure whether or not the additional functions would really benefit me. Please remember when replying that I am not very computer knowledgeable. Most of what I read on this forum is over my head. I know just enough to be dangerous. Thank you in advance for your replies.
currently there is the free for consumers and a paid one for businesses. The beta is going to be for consumers in paid and free versions. As to what will be in each has not been announced.
Although this thread is Poweshadow vs Returnil, I like SafeSPace better. Can be configured into PowerShadow and Returnil like security, Sandboxie tyoe of virtualisation and just a tad more strict security than GesWall. So in stead of talking of A vs B, why not have it all.
I must be missing the discrepancy here.
Well..., not really.
Returnil protects the system partition only. The OS will revert to it's original state on a restart. If one attempts to get around that by installing off the system partition, dependencies required via the system partition (registry information, shared files on %SYSTEMDRIVE%, etc., will be lost), so the system - read as Operating System - state is preserved.
Some applications do not touch the registry, are standalone executables, and could be placed off the system partition. They will still reside on the system, but there will be no mechanism preserved to automatically activate them from the system partition. They could be activated, for example, by a direct user launch. The other approach would be to have the malware embedded in a document file as active content, again saved off the system partition. When this file is loaded by the user, the malware could launch (depending upon how the loading program was configured).
Note that excluded folders on the system partition could be used instead of a nonsystem partition, but the same comments apply.
Let's try to remain nominally on topic. The original poster requested information related to the technical differences in the two applications that are the subject of this thread. Let's try to stay close to that nominal target. Thanks in advance.
Wow. Thanks to all for discussion of these products. I especially want to thank Blue for his very detailed post describing the technical differences.
I have noticed something that troubles me. There is a certain poster who seems to show up in every thread to knock whatever product because it can't do what product X can do. Even when not mentioning Product X by name, everyone knows what his point is. That gets very tiring to read and all the back and forth when it's not even the issue at hand.
Thanks again to all for informative discussion.
Before this gets too far out of hand and to make this thread easier to read as re the original poster's question, I suggest splitting off the FD-ISR discussion as it appears that it has enough support for its own thread.
I cannot speak to design plans for SP but I can speak to ours. RVS is designed to be as simple as possible while doing exactly what it needs to do. The most important part is to provide a tool that will be there to fill the glaring hole in current traditional security strategies/solutions.
This does not mean that we think our current solutions are the peak or end of what we will design as we go forward and neither should you
With kind regards
At the risk of going a little off topic here, I just have a question about Returnil.
Is it compatable/no conflicts with Rollback Rx? Anyone have experiance with the two?
Would I benifit by having both?
Done, to my best approximation, see Applicability of ISR approaches (née PowerShadow vs Returnil)
That's nice to hear..., my personal suggestions for future feature extensions would be:
User based selection of partitions to protect (default to either %SYSTEMDRIVE% or all non-removable drives)
Preservation of a shadow session across reboots
Separate names with a comma.