Does Returnil protect my computer completely against rootkits? Can some types of rootkits bypass Returnil (such as those which have their own driver for direct disk access, or hypervisor rootkits such as the old Blue Pill)? I'm planning to turn on my computer 24/7, connected to the internet, with Returnil activated. Will it be safe? I'm afraid I'll get some infections if some malware is able to bypass Returnil. Thanks in advance.
You are very safe and there is no need to be afraid. If you are asking whether you can be 100% safe, then the answer can't be 100% accurate. More general info: https://www.wilderssecurity.com/showthread.php?t=255228
Thanks for your response. How about those rootkits which come with their own direct disk access drivers? Or hypervisor rootkits which will attempt to put Windows under their own virtual environment? Can Returnil protect my computer from those rootkits?
Although I cannot answer your question, there will always be theoretical vulnerabilities, even in security software. Thus, I would advise not relying on Returnil alone. Using it in combination with a HIPS would provide stronger protection. Even the programmers of security software are human, so their code is still susceptible to vulnerabilities, like any other software. For the same reason, Returnil will provide additional protection for any other security software on your machine. But I look forward to Coldmoon's answer, particularly regarding Blue Pill.
RVS includes protection for the MBR and low-sector editing, which is effective against the majority of malware out there. There are a small number of families that can get around virtualization, and this is one of the most important reasons we added antimalware/anti-execute/behavior analysis functionality in 2010. Also, there is no software solution that will ever be able to protect against exploitation when the attacker has physical access to the target computer...

You can be confident in RVS's protection ability as well as the improvements it introduces over traditional approaches/solutions. As there is no way to predict what the malware devs are going to come up with next, you should still practice good computing, as the most important link in your security is you and what you do...

Mike
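The "protection for the MBR and low-sector editing" Mike mentions guards the area a bootkit rewrites: the 446 bytes of bootstrap code and the partition table in sector 0. The following is an added example, not Returnil's code, showing the check a practitioner can run themselves: parse a 512-byte MBR, record a baseline hash of the bootstrap code plus the partition table, and flag any later change. The 512-byte sector, the boot-code bytes, and the tampering payload are all constructed inline for the demonstration; the function names (`parse_mbr`, `check_mbr`, etc.) are this example's own.

```python
"""Added example (not Returnil's code): parse a 512-byte MBR and detect
bootstrap-code or partition-table changes against a recorded baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: BIOS bootstrap code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511: boot signature
# One partition entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
PART_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable NTFS-type (0x07) partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)   # remaining three entries empty
    return code + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return the boot-code hash plus the used partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:   # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector against a baseline from parse_mbr().
    Returns a list of findings; an empty list means nothing changed."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code modified (possible bootkit)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def overwrite_boot_code(sector: bytes, payload: bytes) -> bytes:
    """Simulate a low-sector write that replaces the start of the bootstrap code."""
    patched = bytearray(sector)
    patched[0:len(payload)] = payload
    return bytes(patched)


# Constructed boot-code bytes; any fixed byte string works for the demonstration.
CLEAN_MBR = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)
TAMPERED_MBR = overwrite_boot_code(CLEAN_MBR, b"\xeb\x3c\x90\x90\x90")

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

To run this against a real disk, read the first 512 bytes of the raw device (for example `\\.\PhysicalDrive0` on Windows with administrator rights, or `/dev/sda` on Linux as root) and pass them to `check_mbr` with a baseline recorded while the machine was known clean. Note the caveat that motivates the original question: a rootkit with its own disk driver can filter such reads and hand back the clean sector, so a check run from inside the possibly infected OS is only a first pass; reading the sector from a boot medium that the suspect system did not load is the stronger version of the same comparison.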
Perhaps, but the keys with RKs are:

1. Avoid them (best idea if possible).
2. Don't let the infector activate. In this scenario you work to ensure that the RK installer never gets a chance to work, and this is a partial reason for the anti-execute functionality in RVS/RSS.

For the scenario where a RK already exists, we are working to upgrade the Virus Guard with support for detection and removal. It is still a work in progress, but progressing well.

Mike