Questions about Returnil Lab version

Discussion in 'Returnil Betas' started by developers, Jun 3, 2009.

Thread Status:
Not open for further replies.
  1. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Hi,

    Few questions

    - How does SystemGuard work? I've activated SystemGuard protection but it doesn't appear to work, and it doesn't alert me after system modification, driver loading, or autorun modification (Windows XP SP3 and Windows XP SP2).

    - The install process needs an internet connection, otherwise it returns an error "Fail to download the latest database from the internet". What is this database?

    PS
    This version is also immune to the new MBR rootkit.
     
    Last edited: Jun 3, 2009
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi developers,
    The System Guard uses features of the Anti-Execute and an AM implementation that is designed to protect against current dog type trojans and those you have sent us in the past.

    In the current version of Lab, there are no configurations available and SG will block these types of malware silently.

    The database is for the System Guard feature. At install, RVS will check our server at Returnil (dot) org for updates. It will then download and apply those updates. Further, the Lab version will connect to the same server when the program is started to check for new database updates.

    Mike
     
  3. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Why does Returnil (RvsSvr.exe) try to connect to ip-43-103.iinet.pdx.dotster.net (http protocol) even if it's disabled and system guard is off?
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi developers,
    I apologize for the late reply on this. The Lab version will check for updates to the targeted database included in the System Guard feature. This process is automatic and designed to provide protection against specific types of malware that can circumvent ISR protection.

    The remote address you mention, however, is not to us. I suspect you may be using TCPview, which has a tendency to report incorrect information (sometimes it shows the next/random hop in the route or even the ISP, for example).

    Mike
     
  5. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    After some checking, the address is actually pointing at the ISP and resolves to the same IP as returnil.com.

    HTH

    Mike
     
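The confusion Mike describes above (a reverse-DNS name that looks like an ISP's but belongs to the same address the vendor's hostname resolves to) can be verified instead of guessed: forward-resolve the vendor hostname you expect and compare against the IP the connection actually goes to. This is an added example, not code from the thread or from Returnil; it uses constructed DNS tables so it runs offline, and the IP addresses are placeholders from the documentation range, not Returnil's real addresses.

```python
import socket
from typing import Callable, Dict, List

# Constructed lookup tables standing in for a live resolver (placeholder IPs).
FORWARD: Dict[str, List[str]] = {
    "returnil.com": ["203.0.113.10"],
    "ip-43-103.iinet.pdx.dotster.net": ["203.0.113.10"],
    "update.example.org": ["198.51.100.5"],
}
REVERSE: Dict[str, str] = {
    "203.0.113.10": "ip-43-103.iinet.pdx.dotster.net",
    "198.51.100.5": "update.example.org",
}


def table_forward(host: str) -> List[str]:
    return FORWARD.get(host, [])


def table_reverse(ip: str) -> str:
    return REVERSE.get(ip, "")


def live_forward(host: str) -> List[str]:
    """Real forward lookup (A records) for use outside this offline example."""
    return socket.gethostbyname_ex(host)[2]


def live_reverse(ip: str) -> str:
    """Real PTR lookup; returns '' when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return ""


def classify_connection(observed_ip: str, expected_hosts: List[str],
                        forward: Callable[[str], List[str]] = table_forward,
                        reverse: Callable[[str], str] = table_reverse) -> dict:
    """Compare the IP a process connects to against the addresses the vendor
    hostnames forward-resolve to. The PTR name is reported only for context:
    it is what tools like TCPView display and is often the hosting ISP's name."""
    matches = sorted(h for h in expected_hosts if observed_ip in forward(h))
    return {
        "ip": observed_ip,
        "ptr": reverse(observed_ip),
        "verdict": "expected" if matches else "unexpected",
        "matches": matches,
    }
```

Pass `forward=live_forward, reverse=live_reverse` to run the same check against real DNS; a verdict of "unexpected" for a process that should only talk to its vendor is the case worth investigating.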
  6. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Thanks!

    Yes I've used TcpView :D
     