Returnil and AV's

Discussion in 'other anti-malware software' started by Ocky, Apr 23, 2008.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Just installed Returnil (free) and I like it. What is the best,
    or rather commonly employed, method by users of Returnil regarding AV
    updates.
    Do you simply let the updates run as scheduled (hourly in my case),
    knowing that on reboot they will not be saved to disc, then do a manual
    update ?
    Or just change the scheduled update intervals to suit ?
    Or only do manual updates when session lock is disabled ?
    (I only use session lock feature).
    I think the first option is best as even with session lock on,
    one surely doesn't want malware to cripple one's internet
    'experience'. :)
     
  2. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I think any of the above methods will work fine. It is mostly up to your preferences and how you use your computer. Personally I only use session lock and I shut my computers down each night when I go to bed. I like to do manual updates and I don't have anything set to update automatically. So, each morning when I boot the computers I update everything as needed and make any other system changes I want. Then I go into session lock. I have Returnil session lock on about 99% of the time.

    If I left my systems running for extended periods under session lock then I would update them on my normal schedule knowing that when I rebooted I would have to catch up on all the updates that I lost when the system had been shut down. The bad thing about that though is that anyone who might turn on the computer after it had been shut down after the extended run would have to remember that it was behind in updates and be sure to do those ASAP before doing any surfing, etc. especially if Returnil was not enabled again.

    I want to say (but can't remember for sure) that some other members here once discussed having their AVs save updated definitions to another partition so they aren't lost at all. So that might be an option if you can do it, but for me it isn't necessary anyway with how I use my computers. I do have my email client saving emails and contacts to another partition though, so I don't lose them even while in session lock.
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I use the free Returnil as well, my pref is I boot with protection off, check my updates. I only turn on session lock when I web surf or check email. I use a laptop so I shut down when not in use.
     
  4. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I think the answer may depend upon how frequently you are being infected.
    If infection is occurring every day then frequent updates might help so allowing the AV to update even when protected might help. If at the other extreme you are like me and have never been infected then you might even want to turn off real time protection and do an on demand every month or so.
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yes, Returnil allows for a virtual partition Z upon installation if chosen, the data can be saved there so work will not be lost on reboot. However I do use it and not certain how well it works.
     
  6. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I have the virtual partition installed on two computers (a laptop and a desktop) and have never had any problems with either of them. Seems to work like a charm to me.
     
  7. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Many thanks for your viewpoints, everyone obviously has their own
    preferences. I also don't use 'Z' virtual partition as I have my data
    on a separate partition.

    Haven't been infected since I got my 'new' computer nearly 3 years ago.
    Avira has stopped one or two suspicious files via heuristics, but these could
    have been false positives. Somehow I feel safer sticking to my current
    hourly updates. I will just redo them first thing on next reboot before
    turning on session lock. Thanks again.

    Edit: Long View I see you are also using ATI. I wonder whether one
    can mount an image with session lock on. Am too scared to try this on
    my first day using Returnil. :) My guess is it will be OK and that I would
    be able to copy a file to my data partition - which is not protected by
    Returnil.
     
    Last edited: Apr 23, 2008
  8. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Yes you can mount with Returnil protected. When you make an image though I don't think it is a good idea to have Returnil in protected mode. I'm not sure what would happen if you try to restore C: with Returnil protected. With DeepFreeze certainly and Returnil probably you would not be allowed to restore to C:. The program is protecting C:. To restore you would have to turn off the protection.

    good luck
     
  9. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    This is a good thread and I hope it continues. It would be helpful for many however if the topic also included specific feedback regarding how you have configured your favorite AV to work with RVS in the mix. Of particular interest to Personal Edition users would be how you have changed your default save locations (if applicable) for definition updates when using RVS protection.

    Thanks
    Mike
     
  10. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    With the Premium version of Returnil, which I believe is available for
    download on GAOTD, folder and file saving, while in protected virtual
    mode is possible (provided disk caching and not memory caching is used).**
    Maybe I will make use of the generous offer on GAOTD,
    and add the folders to which my AV saves signature/engine/product
    updates. Hopefully this will work.
    I have kept my C:\ partition rather small @ 15 GB and currently have 36%
    free. What size should I use for the disk cache - maybe 1.5 GB is
    sufficient ?

    Regards, and thanks for making the Premium version affordable ..:D

    **Edit:- With System Protection on this feature will work without
    enabling disk caching; so disk caching is only essential for this
    feature to work with Session Lock ??

    Edit:- "...and add the folders to which my AV saves signature/engine/product
    updates. Hopefully this will work." Nope won't be good because
    for engine/product updates there will also be changes made in the system32
    folder and maybe registry changes. Purely for definition updates,
    and provided they don't come bundled with engine/product updates
    it might be OK.
     
    Last edited: Apr 25, 2008
  11. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Personally with AVG 7 and Returnil Premium GAOTD, I put the entire Grisoft folder and updates are saved.
     
  12. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Good ! It also works with Avira and with OE Identities.
     
  13. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Nice! With most programs there is no problem. Sometimes, if it doesn't save it, one should check in Doc & Settings, Application Data and see if the program has a folder there too.

    Right now I have Ghostwall under Returnil too. You need to save the gfirewall file in windows\system32\ and it can save its rules.

    Returnil works really well. :thumb:
    The only bad thing is that sometimes I forget to click "update selected" before I reboot, but it's a matter of time before I get the habit.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    So if a malware targets AVG7, it can change AVG7, because the entire Grisoft folder isn't protected anymore by Returnil o_O
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes in the same way as if a malware targets FDISR, it can change FDISR.
     
  16. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Hello ErikAlbert,

    Yes, but as Fuzzfas said you are only committing to save the changes
    by selecting 'update selected' before rebooting - otherwise no changes
    to the folder on the 'real' disk will be made - only in the virtual
    environment. I hope this is correct otherwise one would have to rely
    on the AV's self protection capabilities.

    Regards.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is not the same problem. Malware can target Returnil also.
    This is not about FDISR or Returnil, it's about excluding folders, which is possible in FDISR and Returnil.
     
  18. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Erik,
    The files and folders are protected until the moment you commit them to disk whether this be through the File Manager, the Toolbar drag & drop, or the right click extension in Explorer (if activated). Once you have committed your changes to disk, they are again protected until you decide or need to make changes (recommit to disk).

    This is also true if you automate the commit process through Windows Task Scheduler using the supported command line:

    C:\Program Files\Returnil\Returnil.exe /FILEUPDATE

    Edit: This command line forces RVS to commit only those items listed and selected in the File Manager list.

    Mike
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is a very acceptable solution. :)
     
  20. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Have to try this approach with Avast Pro and threatfire...Searched for files and folders for Avast but could only find program files\Alwil software, anyone knows if there are essentials in win folder ?
    ----------
    added:
    Just after I wrote this I made an Avast push update from v 4.8.1178 to .1185 with sys protection on and tested the file manager update...Worked extremely well with a fast and smooth saving...Everything seems to be perfectly saved. Still to test defs updating...
    ----------
    Mike: Can you in system protection mode freely add/deselect files to the file manager without reboot and in this way strengthen your control and choices ?
     
    Last edited: Apr 25, 2008
  21. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes. Even when Returnil is in protection mode, you can add or remove folders/files in the file manager. Just click "save list" after you have finished. At this point, if you click "enable selected", the new data in the list will be saved.
     
  22. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi osip,
    In addition to this you can also use custom File manager lists if you want to have different lineups for different scenarios using the import/export feature in the File Manager.
     
  23. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    In the free version I had my av and outlook pst installed on a different partition so all updates were not affected by session lock. With the GOTD version I left everything on C and then used the File manager to set them to save any changes and then did Coldmoon's above with Task scheduler to save the changes hourly and everything is working fine so far.

    I was going to buy the Premium version but wasn't sure if I needed the extras but after doing some fooling with this I see it would be a worthwhile purchase. I will probably pay for it where I do a lot of tweaking, and testing and stuff and are always restoring images and the like and the GOTD is only good for today's install. :thumb:
     
  24. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Well, I have the free on another FDISR snapshot where I use it with the session lock...Due to GOTD I took down the Premium to test it in my test snapshot where I have Avast Pro,LnS,Threatfire as combo...
    Thanks Mike, this is great, I will customize needed scenarios and get used to it...
     
  25. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I don't know about Avast, but one should be careful. For instance with Avira
    definition (vdf) updates are fine and the changes are saved. However
    updates to drivers are more complicated. Avira saves them to the
    system32/drivers folder. The system32 folder was also the destination for
    another update. So for me I just let Avira do its updates in protected mode
    (at least the latest vdf's are saved), and then just do a manual update
    first thing after booting and before going back into 'virtual' protected mode.
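
The thread raises two cautions about committing an AV folder with the scheduled `/FILEUPDATE` command: anything altered in that folder during the session is written to the real disk, and engine or driver updates touch more than definition files. The following is an added example, not part of the original thread and not Returnil's own tooling: a pre-commit gate that hashes the folder, compares it with a baseline taken after the last trusted update, and runs the commit only if nothing but definition files changed. The function names, the `.vdf`-only policy and the sample file names are assumptions for illustration.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Path and switch as quoted in the thread.
RETURNIL_EXE = r"C:\Program Files\Returnil\Returnil.exe"
# Assumption: only definition files may change between commits (.vdf is the
# Avira definition extension mentioned in the thread).
ALLOWED_SUFFIXES = {".vdf"}


def snapshot(folder):
    """Map each file's path (relative to folder) to its SHA-256 digest."""
    root = Path(folder)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def unexpected_changes(baseline, current, allowed=ALLOWED_SUFFIXES):
    """Paths added, removed or modified that are not definition files."""
    changed = {
        path for path in baseline.keys() | current.keys()
        if baseline.get(path) != current.get(path)
    }
    return sorted(p for p in changed if Path(p).suffix.lower() not in allowed)


def commit_if_clean(baseline, folder, run=subprocess.run):
    """Run the /FILEUPDATE commit only when every change is a definition file."""
    if unexpected_changes(baseline, snapshot(folder)):
        return False  # leave the change uncommitted; it is discarded on reboot
    run([RETURNIL_EXE, "/FILEUPDATE"])
    return True


if __name__ == "__main__":
    # Constructed sample folder; print stands in for the real commit command.
    av = Path(tempfile.mkdtemp())
    (av / "defs.vdf").write_bytes(b"definitions v1")
    (av / "engine.exe").write_bytes(b"engine v1")
    trusted = snapshot(av)
    (av / "defs.vdf").write_bytes(b"definitions v2")
    print(commit_if_clean(trusted, av, run=print))   # definition update only
    (av / "engine.exe").write_bytes(b"modified")
    print(commit_if_clean(trusted, av, run=print))   # executable changed
```

The baseline should be taken with protection off, right after a manual update, and kept somewhere the protected session cannot alter it.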
     