Returnil and nothing else

Discussion in 'sandboxing & virtualization' started by trjam, Dec 9, 2007.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
So for one week on one machine and just this product, I have visited the underside and back. Did reboot this morning, ran Kaspersky's online scanner and nothing.:thumb:

    of course I did mess up one computer and had to reformat but that was my fault for some reason.:rolleyes:

    So email .pst restored and taking my AV off other computers and have decided to only use this. ;)

I really don't think we get as infected as some might lead us to think. But having totally nothing slowing me down has been very nice. Good job to Returnil.:)
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Ok, but just remember, even though a Trojan will be deleted upon reboot, while it is still on your system (before you reboot) it can still steal your passwords, credit card numbers, etc. Once the person who sunk the Trojan onto your system has your private info, he/she does not care if the Trojan gets deleted.

    Acadia
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
I don't keep information like that on my computers.
     
  4. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    :thumb: :thumb:

    Acadia
     
  5. zaxxon

    zaxxon Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    15
    Location:
    Norway
    Don't you have any passwords on your pc?
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    none that make sense.:rolleyes:
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
Returnil has one weakness that would keep me from running it by itself, in that it only protects the C: drive. If you have two internal drives, the second one is indeed vulnerable, and rebooting with Returnil does nothing for it.

    Pete
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, And....

    The drives other than "C" are where you keep all the sensitive info. Be careful, be careful.
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
Nearly 10 months now with "only" Returnil or DeepFreeze. I do have a hardware firewall and use Firefox with the usual add-ons. Roboform with a 1 minute window protects password account details - I don't even know the passwords.
I load and run various on-demand programs every week or so just to check (Nod32, SuperAntiSpyware, the usual suspects) and nothing has ever shown up. Oh yes, always re-boot just before paying by credit card.
     
  10. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    :thumb: :thumb: :thumb: :thumb:

    Acadia
     
  11. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I use Returnil and either Sandboxie, geswall, or Bufferzone depending on my mood and my browser is Kmeleon which I run in Altiris. I'm not quite brave enough to abandon my av/as although in the couple of weeks I've run my machine this way, both antivirus and antispyware have found nothing.

    As a test, I set my av/as to on demand only and took my computer to some pretty dark places just to see, using only Returnil and, in this case IE7. I downloaded and opened some pretty grungy stuff. In one case only did I actually notice anything.

    It was something I've never seen before. I have no idea what I picked up. My monitor screen began changing into what looked like a mosaic, just a series of little multicolored blocks and the hard drive was racing. I don't remember what site this was. I hit quite a few.

    That scared the hell out of me and I immediately rebooted. When the reboot finished, the computer was back to normal. I ran my av and antispyware and it found nothing.

    The only sensitive data I keep is my income tax data and it's on my second HD and is encrypted with Blowfish and a long, involved password.

    Whatever weird thing I picked up, Returnil worked. Combined with geswall, sandboxie, or bufferzone, I'd have even more protection.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    You make a case for what I was saying above. Some nasties affect any drives they detect. If you are using something like sandboxie, or Defensewall you can protect the second drive. But rebooting with Returnil won't clean the 2nd drive if the nasty you downloaded affected it.

I use another product that gives me the choice. If just routine surfing I may only protect C:, but if I am going riskier, I'll protect both. Downloading something to keep isn't a problem.

    Pete

    PS. Don't misunderstand me, Returnil is fine, but stuff can get to other drives.
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    It's true that Returnil won't protect my second drive, which is why it is where I keep sensitive info, all encrypted. Of course if whatever gets through Returnil can destroy the second drive, all is lost. Considering computers and their 'ways,' and from learning the hard way I also have the info I need on a CD. I've had computers die unexpectedly.

    I don't know of any free software like Returnil that will also cover my second HD, or I'd be taking a look at it. I'd still encrypt personal files and my current writing work though.
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
Yes, that's it. But it wouldn't be good if Returnil protected other drives, because you could never store anything.

    Pass protect this stuff and good is but before this use anti-keylogger that blocks all known spy methods.

That isn't so dramatic, because one push on the reset button and every malware activity must restart from the frozen point.
     
  15. WWS

    WWS Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    249

    How would you know if you have a nasty sandboxed?
    And what would happen if you did a file recovery from the sandbox to your desktop, for instance?
    Would the nasty escape then?
     
  16. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Good question. I'd say that unless the thing opened in Sandboxie or one of the others, yes - if you downloaded the file and opened it on your desktop your computer would be at risk. If you had Returnil running, a reboot would get rid of it. If it turns out to be okay, move it to your other HD or onto CD.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Yes a sandbox would contain it, and not let it out, unless you recover it.

    To answer the question how do you know it's there. By watching via a HIPS, and watch what it's doing, as it installs. Point is the malware I tested in the other thread, installed on both the c: drive and d: drive. So unless you were protected by a sandbox type program, it was installed on both drives. With Returnil, rebooting would clean the c: drive, but not the d: drive. That is the point.

    Note this may or may not be a big deal to anyone, but just be aware, that the other drive isn't always safe.
     
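Peter's point above is that a Returnil reboot restores C: but leaves whatever was written to the second drive in place, and WWS asked how you would even know something got there. The check below is an added example, not code from Returnil or from any poster: it snapshots every file on the unprotected drive before a risky session and again after the reboot, so anything added or modified on that drive is exactly what survived. The temp directory standing in for D:\ and the dropped files are constructed for the demo; `drive_root`, `snapshot` and `diff_snapshots` are names chosen here, not part of any product.

```python
"""Find files on an unprotected drive that changed across a Returnil reboot.

Added example, not from any product discussed in the thread. Assumed workflow:
  1. snapshot the second drive (e.g. D:\\) and save the result to a file on
     removable media or on the drive itself before a risky session;
  2. reboot so that Returnil discards every change on C:;
  3. snapshot D:\\ again and diff: added or modified files survived the reboot.
"""
import hashlib
import json
import os
import tempfile


def snapshot(drive_root):
    """Map relative path -> [size, sha256] for every regular file under drive_root."""
    result = {}
    for dirpath, _dirs, files in os.walk(drive_root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                size = os.path.getsize(full)
            except OSError:
                continue  # locked or vanished mid-walk: skip rather than abort the run
            rel = os.path.relpath(full, drive_root).replace(os.sep, "/")
            result[rel] = [size, digest]  # list, so a JSON round trip compares equal
    return result


def save_snapshot(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh)


def load_snapshot(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_snapshots(before, after):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a temp dir plays the role of the second drive."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "docs"))
        with open(os.path.join(drive, "docs", "taxes.txt"), "w") as fh:
            fh.write("2007 return")
        before = snapshot(drive)
        state_file = os.path.join(drive, "baseline.json")
        save_snapshot(before, state_file)

        # Simulated dropper behaviour (constructed): it writes an autorun.inf plus
        # a payload to the drive root and tampers with an existing document.
        with open(os.path.join(drive, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=update.exe\n")
        with open(os.path.join(drive, "update.exe"), "wb") as fh:
            fh.write(b"MZ-constructed-sample")
        with open(os.path.join(drive, "docs", "taxes.txt"), "a") as fh:
            fh.write(" (tampered)")

        after = snapshot(drive)
        after.pop("baseline.json", None)  # our own state file is not a finding
        return diff_snapshots(load_snapshot(state_file), after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine you would call `snapshot("D:\\")` before the session, save the JSON somewhere the reboot cannot touch, and diff after; hashing a large drive takes a while, so restrict `drive_root` to the directories that matter if the full drive is too slow.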
  18. WWS

    WWS Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    249
    I was hoping you'd return and tell us about your using "another product."
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
Since Peter proved that PC Security didn't protect my second HDD as I expected, I use Sandboxie to protect it.
I still find "locking" my second HDD better in theory, with more possibilities, but it doesn't work in practice, because malware can still "write" to my second HDD.

If I could lock my second HDD, I would still be able to test software, and what happens in my system partition doesn't matter, because my boot-to-restore fixes that.
I don't have that possibility anymore since I use Sandboxie, because Sandboxie is not good enough to test software and Sandboxie only works with sandboxed applications, just like DefenseWall does with untrusted applications.

If I test software in my system partition now and there is a malware that targets my second HDD, it will be infected or even destroyed.

The bottom line is:
1. I solved one problem, but I created another problem: I can't protect my second HDD anymore while testing software in my system partition.
2. So I need another extra software to test software, like VMware, Virtual PC, etc.
Locking my second HDD would have solved both issues.

Using Returnil doesn't change anything and I already have something like Returnil. Maybe all these ISR softwares and isolating softwares are not good enough to TEST software and we all need something like Virtual PC, .... whatever.
     
    Last edited: Dec 9, 2007
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Hi Erik

I still think you're selling yourself a little short by so quickly discounting PC Security this soon. The percentages are still in its favor after all. How many malwares specifically can cross into the "LOCKED" data partition by PC Security? Peter2150 indeed proved "one" was able to penetrate, but you do open up a valid concern if even "one" is one too many, and it only takes one entry of some destructive type to ruin what is expected to be secure 100%. I dunno, short of changing partition flags, exactly what software could ascend to that mark. I'm just as skeptical as you but not as quickly convinced. You still should keep a duplicate mirror copy of the data partition in any event, because we both know there's always a chance any software will fall short at some point, including the system itself, hence the need for images. I just haven't seen that happen yet with PC Security in normal surfing, and some of those being visits to known risk sites. I guess what sets my confidence apart from yours concerning PC Security is EQSecure 3.41 HIPS. It's already alerted me to a few stealth attempts of dropping a malicious file, but they are easily cancelled with one click, DENY!
Still, I line up completely with the idea and expectation that some software should automate this action without user interaction, but that's simply not possible yet, and then attention is returned back again to signature-based AS's and resident scanners.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
More and more malwares are using the autorun.inf trick to copy themselves into every disk/partition they encounter. Worms spread through removable drives are very common, and some of them carry a really annoying payload (Virut/Tenga/Parite/Brontok).
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Easter,
I'm not willing to discuss "PC Security" anymore. PC Security failed ONE time and that is enough. Tropical Software is selling a product that doesn't do its job. Period.
I don't even understand why you are still defending PC Security. Locking a HDD should be a very simple thing to program: no reading and no writing. That's all, and even that wasn't possible for TropSoft.
If locking isn't technically possible at all, don't create such software, because you are cheating the users. :)
     
    Last edited: Dec 9, 2007
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    How is this possible with anyone who has some type of execution protection?


    ----
    rich
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
I disabled autorun a long time ago because I found it annoying. Would this prevent the problem?
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Shouldn't be, unless you think you have a trusted program to install, and you were wrong.
     
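lucas1985's autorun.inf trick and Long View's question about disabling AutoRun both come down to two checks a defender can script: is AutoRun actually off for every drive type, and does a given autorun.inf ask Explorer to launch something? The script below is an added example, not code from any product or poster in this thread. It decodes the documented `NoDriveTypeAutoRun` policy bitmask (0xFF disables AutoRun for all drive types; the XP-era default of 0x95 still allows it on fixed drives and CD-ROMs), and it scans an autorun.inf body for the `open`, `shellexecute` and `shell\<verb>\command` directives that make Explorer run a program. The sample autorun.inf is constructed; `drives_still_autorunning` and `audit_autorun_inf` are names chosen here.

```python
"""Audit AutoRun policy and autorun.inf contents (added example, not from the thread).

Two questions answered:
  1. Given the NoDriveTypeAutoRun policy value, which drive types still AutoRun?
  2. Does an autorun.inf file contain a directive that launches a program?
"""
import sys

# Bit meanings of the documented policy value
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
# (a set bit disables AutoRun for that drive type; 0xFF disables it everywhere).
DRIVE_BITS = {
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown",
}
DISABLE_ALL = 0xFF

# Keys inside [autorun] that cause Explorer to run something.
LAUNCH_KEYS = {"open", "shellexecute"}


def drives_still_autorunning(mask):
    """Return the drive types whose AutoRun bit is NOT set in mask, low bit first."""
    return [name for bit, name in sorted(DRIVE_BITS.items()) if not mask & bit]


def audit_autorun_inf(text):
    """Return (key, value) pairs from [autorun] that launch a program; [] means benign.

    Windows treats section and key names case-insensitively, so both are lowered.
    """
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            findings.append((key, value))
    return findings


def read_policy_mask():
    """Read NoDriveTypeAutoRun from the local registry; None if absent or not on Windows."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # only importable on Windows
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, path) as key:
                value, _type = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                return int(value)
        except OSError:
            continue
    return None


# Constructed sample of the kind of autorun.inf a drive-hopping worm drops.
SAMPLE_INF = r"""
[AutoRun]
icon=update.exe,0
open=recycler\update.exe
shell\open\command=recycler\update.exe
shell=open
"""

if __name__ == "__main__":
    mask = read_policy_mask()
    if mask is None:
        print("NoDriveTypeAutoRun not set or not on Windows: default behaviour applies")
    else:
        print(f"NoDriveTypeAutoRun=0x{mask:02X}; still autorunning:",
              drives_still_autorunning(mask) or "nothing")
    for key, value in audit_autorun_inf(SAMPLE_INF):
        print(f"launch directive: {key}={value}")
```

The registry lookup is the only Windows-specific part; the autorun.inf parser works on any text you feed it, so you can point it at the root of every drive (including the second HDD Peter mentioned) and flag any file that returns a non-empty list.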