Returnil on the fly driver protection

Discussion in 'Returnil releases' started by Dregg Heda, Aug 30, 2009.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I assume this prevents drivers from being installed while protection is on. This in turn should protect Returnil against all direct disk access right? And the only malware which can bypass returnil needs direct disk access to do so right? So this should be more than enough to protect me right?
     
  2. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
  3. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    No need to bump Dregg Heda, all posts that require a reply will get one as soon as possible ;)

    It blocks drivers not already on the white list.

    In most cases - yes. Some may require deliberate addition to the black list.

    The chances of running into something that could bypass is very small, and all that have been reported to us to this point have been addressed. This does not mean however that something new could come along so don't fall prey to a false sense of invulnerability...

    Mike
     
  4. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Alright, thanks Mike! I was afraid you had forgotten me. :)

    It seems to me that I am better off relying on the direct disk access protection provided by HIPS, do you agree?
     
  5. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    If you already have a full featured HIPS, or are interested in using a full featured HIPS, then yes, you should. It is important to remember that the AE functionality in RVS 2008 is an extremely targeted and simplified solution that was never intended to be a full featured type of implementation available in mature solutions in that space as our primary concern is/was to address specific areas where the RVS virtualization could be bypassed...

    Mike
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Mike,

    What if I were to disable all my HIPS functions except for protection against direct disk access. Would that be more secure than on the fly driver protection? And would it be secure enough?
     
  7. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    RVS already provides MBR protection when the virtualization is active. This feature is part of the virtualization itself rather than in the AE functionality. So if you turn off the AE in RVS and use a full featured solution, you would be able to block activation of a wider range of potential malware by default.

    The choice of whether to use something like an OA, GW, or Comodo is more dependent on your overall strategy rather than worrying about whether the AE in RVS will provide a level of protection you are comfortable with. Going on this conversation, I think you would feel more comfortable using RVS + HIPS rather than RVS with AE activated...

    The goal here (I believe) is that you want more capability to block activation of malware even while in virtual mode and targeted performance is less of an overall concern.

    Mike
     
  8. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    There seems to be an error in reasoning.
    There is not really a need for a driver for direct disk access, therefore the on the fly driver protection can not really protect you against it.
    Most likely you will get a warning from the anti-exe module and that's it.

    Like with this KillDisk Trojan.

    [Attached screenshot: Killdisk.png]

    There is simply no additional prompt about a driver.

    However, Returnil will protect against this Malware automatically and prevent the modification of the MBR or Boot Sector or whatever.

    Only if you play around a lot with brand new KillDisk variants, you'll maybe be out of luck with Returnil's protection.
    But then you should test in VMs and/or with a HIPS backup anyway.

    Cheers
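    Since raw sector writes need no driver, as subset notes, the practical check on whether a virtualizer really kept the MBR intact is a baseline comparison of the first sector rather than a driver prompt. The following is an added example, not code from this thread or from Returnil: a small Python MBR parser plus baseline check, run here over constructed 512-byte sectors (the opcode bytes and partition values are made up for the test). Reading the live sector from disk is left out; the functions take the sector bytes as input.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(baseline: dict, current: bytes) -> list:
    """Return human-readable differences from the baseline; empty list means intact."""
    cur = parse_mbr(current)
    findings = []
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code modified")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table modified")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2048000)  # constructed values
    table = entry + b"\x00" * 48
    return code + table + MBR_SIGNATURE


# Constructed samples: a "clean" sector and one whose boot code was overwritten.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE")
```

Take the baseline with protection off on a known-good system, then re-run the check after a session to confirm the sector still matches.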
     
  9. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Mike, I think you misunderstand me. I'm asking about driver protection, not anti-executable protection. I was under the impression that Returnil had a driver protection feature separate to its anti-executable protection. I had assumed that driver protection would protect against direct disk access, which I was told was the only way a virtualiser could be defeated. Hence my line of questioning.

    I don't want a full-featured HIPS or an anti-executable. I just want something that will prevent any and all direct disk access save for that which I allow, since I have been told that direct disk access is the only way a virtualiser can be beaten. Is 'on the fly driver protection' something like this or is it something else? Does Returnil have any functions/features which enable it to prevent direct disk access?

    Do you see what I'm looking for?
     
  10. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Ah I see! Thanks for this, subset. :thumb:

    I was under the impression that DDA required the installation of drivers. Clearly I was wrong. Thanks again subset!
     
  11. MikeRogers

    MikeRogers Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    25
    Can someone explain the concept of blacklists/whitelists, WRT Returnil? If there is the concept of a whitelist, will there be things that don't automatically get rolled back? (I've looked in the Help file and can only find reference to the File Manager in the paid version. Is this the same thing?)

    MikeR
     
  12. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi all,

    @Dregg Heda:

    The driver protection is part of the AE tool in the 2x series. In 3x, the AE is simplified to two distinct choices:

    1. Only trust content that already exists on the real system when the virtualization is activated

    2. Let programs run as they will...

    @MikeR:

    To understand the lists, you need to be clear about the purpose of the AE and autoruns tools in the 2x series. Neither is designed to be a complete or separate security solution, so they do not have all the features you may be used to in programs that support similar functions. They were conceived and developed to provide users with tools to deal with Robo/Sony dog, killdisk, some types of CleanMBR, and similar types of malware that use low level disk attacks. This is further combined with a very limited form of under-the-hood antimalware that provides a framework for us to update the program to defend against the types mentioned above.

    The White and Black lists are additional options that allow admins (design focus = public access) to customize the execution blocking for specific programs they do not want and also for newly discovered malware that we may not be aware of yet.

    We are seeking to simplify this by providing solid antimalware protection in the 2010 series that covers a great deal of what we were doing in the 2x series automatically and with a minimum requirement for human intervention.

    HTH
    Mike
     
  13. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    While I use Returnil Premium, protection on 90% of the time, with the Anti-Executable enabled, is there, in your opinion, enough real system benefit in the Anti-Executable module for a Returnil Free user to keep it on, even if they only use Returnil virtualization on-demand/rarely? Assuming they do not have a dedicated HIPS or Anti-Executable program.
     
  14. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    It will provide protection from a wide range of content even though its design was specifically geared towards specific types of malware.

    Mike
     
  15. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    Thank you.
     