Question for Coldmoon on Returnil driver

Discussion in 'General Returnil discussions' started by lordbest, Jun 16, 2010.

Thread Status:
Not open for further replies.
  1. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    Hi Coldmoon, thanks for this remarkable piece of software. I just have a small question about it. Does the Returnil driver or any part of Returnil install itself at the kernel level? I know many security apps, including DefenseWall, do this. Does Returnil do this also? And if so, would it cause conflicts?
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi lordbest and welcome to the forums :)

    Yes, the virtualization driver (also the Virtual Disk) is Kernel mode and can conflict with other programs designed to do similar things like boot-to-restore. Also be aware that some imaging solutions may also conflict with RVS.

    If you are using Vista or Win 7, RVS does not conflict with the native Windows backup or imaging in more advanced versions (Business, Pro, Ultimate, Enterprise).

    Mike
     
  3. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    Thanks. So does Returnil work on 64-bit with PatchGuard? Is the protection just as good as with 32-bit?
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Yes, RVS works on supported 64-bit versions of Windows and there are no conflicts with PatchGuard.

    Yes, the level of protection is exactly the same :)

    Mike
     
  5. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    How is that possible? I have read you cannot provide the same protection with PatchGuard unless you violate Microsoft's Terms of Services?
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
  7. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    Does this mean that the virtualization is easily bypassed? My reckoning is that kernel mode level (ring 0) provides the most secure protection. Many robust apps hook ring 0 on 32-bit and this makes them very tough to bypass. A competing product called Shadow Defender appears to work similarly to Returnil. Surely that product hooks ("hacks") the kernel to provide maximum protection (ring 0).
     
  8. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    I will not comment specifically about a competing product and suggest that you should contact the SD developer for more information regarding their products.

    As for RVS, there is no loss or difference in the level of protection with the virtualization. The reason for this is that RVS virtualization doesn't care what Windows does as it is not a file filter where it would need to monitor changes in the file system. This would require some form of hooking and is the reason many application based virtualization solutions have been slow or have had issues supporting 64 bit Windows.

    Though not a precise analogy, you can think of the RVS virtualization as a form of disk filter with its focus being on attempted changes to the real disk and is why RVS can put Windows into a fantasy world without interfering with its functionality or user experience and why 64-bit support is possible without a great deal of trouble over 32-bit.

    Mike
     
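    As an added illustration of the distinction Mike draws above (a disk filter that redirects sector writes below the file system versus a file filter that hooks file-system calls), here is a toy copy-on-write block filter in Python. It is not Returnil code and makes no claim about how RVS is implemented; the sector size, disk size and the "protected sector" policy (LBA 0 standing in for the MBR) are constructed assumptions. The point it shows is that whatever the file-system layer does, its writes land in a shadow map rather than on the real disk, and dropping the shadow at "restart" discards them all at once.

```python
"""Toy model of a block-level copy-on-write disk filter.

Added illustration, not Returnil code. Models the thread's distinction
between a disk filter (intercepts sector writes below the file system)
and a file filter (hooks file-system calls). SECTOR_SIZE, disk size and
the protected-sector policy are constructed assumptions.
"""
from dataclasses import dataclass, field

SECTOR_SIZE = 16  # assumption: tiny sectors keep the demo readable


class RealDisk:
    """The physical disk: a flat array of fixed-size sectors."""

    def __init__(self, sectors: int):
        self.sectors = sectors
        self.data = bytearray(sectors * SECTOR_SIZE)

    def read(self, lba: int) -> bytes:
        off = lba * SECTOR_SIZE
        return bytes(self.data[off:off + SECTOR_SIZE])

    def write(self, lba: int, buf: bytes) -> None:
        assert len(buf) == SECTOR_SIZE
        off = lba * SECTOR_SIZE
        self.data[off:off + SECTOR_SIZE] = buf


@dataclass
class DiskFilter:
    """Sits between the file system and the real disk.

    While virtualizing, every write is redirected into a shadow map keyed by
    LBA; reads consult the shadow first, so the OS sees its own changes while
    the real disk stays untouched. Clearing the shadow (a "restart" in the
    thread's terms) discards every change at once.
    """
    disk: RealDisk
    virtualizing: bool = True
    protected: set = field(default_factory=lambda: {0})  # assumption: LBA 0 = MBR
    shadow: dict = field(default_factory=dict)
    blocked_writes: list = field(default_factory=list)

    def read(self, lba: int) -> bytes:
        if lba in self.shadow:
            return self.shadow[lba]
        return self.disk.read(lba)

    def write(self, lba: int, buf: bytes) -> bool:
        """Return True if the write was accepted (to shadow or disk)."""
        if lba in self.protected:
            # low-level edits to protected sectors are refused outright
            self.blocked_writes.append(lba)
            return False
        if self.virtualizing:
            self.shadow[lba] = bytes(buf)
        else:
            self.disk.write(lba, buf)
        return True

    def restart(self) -> None:
        """Discard the session: the real disk was never modified."""
        self.shadow.clear()


def pad(s: bytes) -> bytes:
    """Pad or trim a payload to exactly one sector."""
    return s.ljust(SECTOR_SIZE, b"\0")[:SECTOR_SIZE]


def write_file(flt: DiskFilter, first_lba: int, payload: bytes) -> list:
    """Stand-in for the file system: split a payload into sectors and write them.

    The filter never sees a "file"; it only sees sector writes, which is why
    it does not need to know what the file system above it is doing.
    """
    lbas = []
    for i in range(0, len(payload), SECTOR_SIZE):
        lba = first_lba + i // SECTOR_SIZE
        flt.write(lba, pad(payload[i:i + SECTOR_SIZE]))
        lbas.append(lba)
    return lbas


def demo() -> dict:
    """Run one virtualized session and report what each layer observed."""
    disk = RealDisk(sectors=8)
    disk.write(0, pad(b"BOOTCODE"))  # constructed 'MBR' contents
    disk.write(2, pad(b"hello"))     # constructed pre-existing file
    flt = DiskFilter(disk)

    # session activity: overwrite sector 2, create a 2-sector file at LBA 4,
    # and attempt a low-level write to the protected sector
    flt.write(2, pad(b"tampered"))
    write_file(flt, 4, b"A" * SECTOR_SIZE + b"B" * 5)
    mbr_write_ok = flt.write(0, pad(b"OVERWRITE"))

    seen_during_session = flt.read(2)
    real_during_session = disk.read(2)
    shadow_sectors = len(flt.shadow)
    flt.restart()
    return {
        "session_saw_change": seen_during_session == pad(b"tampered"),
        "real_disk_untouched": real_during_session == pad(b"hello"),
        "after_restart": flt.read(2) == pad(b"hello"),
        "new_file_gone": flt.read(4) == bytes(SECTOR_SIZE),
        "mbr_write_blocked": (not mbr_write_ok) and disk.read(0) == pad(b"BOOTCODE"),
        "shadow_sectors": shadow_sectors,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    Because the filter keys on sector numbers only, the file-system layer above it can be swapped or changed without affecting the filter; that is the architectural reason a disk-level approach has fewer dependencies on kernel internals than one that hooks file operations. A real driver would also have to handle flushes, caching and the boot path, none of which this model attempts.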
  9. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    The real question I have is how secure programs like Returnil are then if they don't hook the kernel at ring 0. It doesn't sound like it would provide the same level of protection as a program that did. There probably are not many bypasses because malware writers simply don't target systems with light virtualisation?
     
  10. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    They do and there are a small number of families that can bypass ISR (Robodog/Sonydog, cleanMBR, and KillDisk are examples) that are based on hacking tools. This was the reason we added antimalware, antiexecute, and MBR/low level editing protection in 2007 (simple, targeted AM), upgraded/expanded in 2008/Labs, and significantly improved in 2010.

    It is also a partial reason why we moved to add the suspicious behavior and malware sample monitoring/upload features to 2010. The other part of the monitoring is for a distributed immunity feature we are working to realize where this information can be shared between the copies of RVS and provide wide protection after a client or clients first discover it.

    The main thing you need to keep in mind is that there is no such thing as a silver bullet and it is why an intelligent, layered approach to security is essential.

    Mike
     
  11. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    Thanks for being honest and also specific. I would have thought Returnil is resistant to killdisks by now. I know Shadow Defender is resistant to all known killdisks. I'm not sure about the others you mentioned.
     
  12. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    It is hardened against KillDisk - you can see this as it happened by going through some older threads from 2008 and we continue to monitor for new variants. The difference is that 2010 can be updated much faster through the Virus Guard signatures rather than having to introduce a new build as happens with some other solutions we compete with...

    Mike
     
  13. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    Sounds like light virtualisation is becoming like an antivirus signature database! :p That is, it's not very reliable. What is it? 63% detection? :p
     
  14. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    No, not like an antivirus as that would be going in the wrong direction. Look at it this way, what is most critical to protecting the user in the long term is to ensure that the priority is a clean system. To do this, any supporting strategy or feature has to ensure that this priority is met so its number one focus is going to be on anything that can potentially bypass the virtualization from a software POV. Further, the detection is bolstered by anti-execute that can stop unknown content from running in the first place.

    Barring the previously mentioned threats, a simple restart removes any infection you might have encountered, keeping the system clean over time. So what is better? Detecting and maybe not being able to remove everything found (reactive) or complete malware removal at restart (proactive)?

    Mike
     
  15. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    I suppose the fact is that it's a pity you cannot provide light virtualisation protection from the kernel level on 64-bit. If you could, I would presume protection would be much, much harder to bypass.
     
  16. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    lordbest, there is no difference in protection or even that much difference in the virtualization engine. Actually, you are more secure using anything on 64-bit Windows due to the inherent architecture of the OS itself. So if you look at it this way, a 64-bit system is even more secure with RVS installed.

    You do not have to hook the kernel to provide effective security. It takes innovative thinking and a lot of work, but in the end there is really no need to resort to shortcuts; especially shortcuts that open potential issues...

    Mike
     
  17. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    So you disagree that if Returnil primarily functioned at the kernel level, it wouldn't be more secure than what it currently functions at?
     
  18. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,739
    Location:
    New York City
    As many of us don't like to use the Virus Guard, I would like to see the anti-execute function handle new variants.
     
  19. lordbest

    lordbest Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    38
    I agree. I also would like to see Returnil release a slim version containing only the virtualisation program.
     
  20. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    It does and is updated regularly along with the Virus Guard. The virtual drivers are kernel mode, not user mode. This does not mean that the Windows Kernel needs to be hacked for them to work properly. You just need to follow the rules:

    http://www.microsoft.com/whdc/driver/kernel/64bit_chklist.mspx

    Mike
     
  21. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,739
    Location:
    New York City
    This would require Preferences->Communication to be enabled? Anything else?
    Thank you.
     
    Last edited: Jun 22, 2010
  22. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    For updating the VG signatures and additional rules, you will need to communicate with the update server...
     