Returnil anti executable?

Discussion in 'General Returnil discussions' started by AlexC, May 27, 2011.

Thread Status:
Not open for further replies.
  1. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Hello,
    I heard that Returnil has an anti-executable feature.

    Is it present in all versions?
    How does it work?

    Thanks!
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi AlexC,
    Yes, all three versions have a form of the Anti-execute with some differences:

    1. 3X (RVS Pro and RSS Pro/Free): Virtual Mode > Settings > Additional Protection Options

    2. 2X (RVS Lite): System Guard

    Both are default-deny. In the 3x series there are only three choices: let programs run as they will, restrict any unknown services, or restrict any unknown programs, with the last being the most restrictive.

    There are no questions to answer and no rules to create. The feature itself is updated through the Cloud component's white list, based on analysis of known good content submitted to our AI/machine learning tech at the server. This is part of the data that is sent for analysis through the data collection policy, which works to identify unknown programs and behaviors; these are then investigated for malicious and/or potentially unwanted (PUP) content/activity and, if found to be legitimate, are white listed to 1. improve detection quality (ref: reduce FPs) and 2. build a database of known good content that is then shared between all the clients, both paid and free.

    For scenarios where an Admin or authorized user knows a program is legitimate but it is not yet white listed (ref: network tools, custom scripts, etc) you can use the least restrictive setting to allow temporary use of said program.

    In the RVS Lite series, the System Guard is a kind of hybrid with a targeted antimalware capability (not a replacement for AV) as well as a type of driver "firewall" that blocks the loading of unknown/suspicious drivers at the kernel level. It does, however, have a kind of short-term memory in that an Admin or authorized user can temporarily allow something in a manner similar to the HIPS programs you may be familiar with, but it then completely forgets any choices you make at restart of the computer.

    This difference is due mainly to the expected environments each series is going to be within. For the 3x series, Internet and wider network access is likely to be less restrictive, with the greater risk that entails as far as security is concerned. For the 2x series, it is more likely that the clients will be inside inner-ring or isolated, high-security networks with little or no access to the Internet or even other internal networks, which is less risky by default, so some convenience is included to allow more efficient network management.

    Another key difference is that the System Guard in the Lite series is independent of the Virtual Mode. In the 3x series, the A-E is tied to the Virtualization, so it is on when the VM is on and vice versa. This can be demonstrated by attempting to perform a Microsoft Update:

    What to expect with the Virtual Mode off:

    1. In the 2x series with the SG active and the VM off, the MU will fail as it will be completely blocked.

    2. In the 3x series with the VM off, you can apply the MU's.

    Mike
     
  3. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Thanks for the comprehensive answer! :thumb:
     