Returnil vs Shadow Defender

Discussion in 'sandboxing & virtualization' started by n8chavez, Jul 29, 2010.

Thread Status:
Not open for further replies.
  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    I wanted to start this thread not to say that product X is better than product Y and therefore I'll use Z, but rather to find out how they are different in terms of how they operate. Virtualization products seem to be the new fad, which is fine with me because I think that malware scanners are not able to handle modern fast-evolving threats, since they rely on signatures and heuristics.

    I have been a Shadow Defender user for a while, and I like it very much. But Tony's absence got me thinking of other similar applications. That is where Returnil comes in. I understand that their purpose is the same: to allow the user to operate inside a virtual environment. But I find it interesting how the approach each one uses differs.

    • Shadow Defender does not use a system service.
    • They do use a driver.
    • Shadow Defender seems to write to no cache file.

    Does not using a system service make the application easier to terminate? If so, that is a pretty significant vulnerability. It also does not write system changes to a temporary cache file, so how are the system changes stored?

    Shadow Defender has one process in memory that uses under 10 meg.

    Returnil Virtual System 2011 is the exact opposite of Shadow Defender.

    • RVS uses a system service to run its application.
    • It uses two drivers.
    • It does use a predetermined cache file to store changes made to the system while in virtual mode.

    Both products have similar features. But is one product "better" than the other because of the way it employs its methods, or is it just a difference in implementation that means very little?
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,981
    Location:
    U.S.A.
    n8chavez, perhaps you already have seen this prior to posting, but for any other reader of this thread, interested in virtualization, BlueZannetti's Approaches to maintaining a clean system, specifically the Virtualization section and its links, is worth reading! Just FYI.
     
  3. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    1. Windows Services help facilitate processes that need to persist in the background to perform routine operations that do not require user interaction. As SD only does one thing, there is no reason it would require a service; just as RVS 2008 did not and RVS Lite 2011 does not.

    2. A driver is often required to do certain things, as said in #1, SD only does one thing so only requires one driver to do it. RVS 2010/RSS 2011 provide that plus a virtual storage container, antimalware, anti-execute, malware behavioral analysis, and in RSS 2011; system restore, and cloud based analysis.

    3. Not true, SD must and does use caching. It simply deletes that cache at shutdown. This doesn't mean wipe the cache however...

    It depends on what is terminated. Once the virtual protection in RVS/RSS (any version) is active, terminating the GUI or services will have no effect on the state of the virtualization. So the answer here is no, there is no vulnerability as you can still reboot to drop the changes.

    It does one thing so only needs one process...

    No, not an opposite as one of the component parts of RVS 2010, RSS 2011, and RVS Lite 2011 is support for virtualizing the system at the disk level. RVS/RSS is intelligent layered security, not simply a single layer...

    1. & 2. See my reply to the SD list

    3. Not true. RVS 2010 and RSS 2011 use dynamic caching that includes both memory and disk. Additionally, the dynamic cache does not require contiguous space (non-fragmented space, in other words) and they also have a fail-safe mode where the virtualization is preserved using memory caching if the disk cache is corrupted or deleted.

    RVS Lite 2011 does use a pre-determined cache, but it, like the caching in RVS 2010 and RSS 2011, does not require defragmented space and can also default to pure memory caching just as the other two can when required.

    You can't really compare them that way. What would make more sense is to compare RVS 2010/RSS 2011 against a layered strategy that includes SD. I suggest you limit this to comparing RVS Lite 2011 against SD as that would give you a clearer picture and be more relevant.

    Kind regards
    Mike
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    Thank you Mike. As always, that was very informative. I do, however, want to clarify a few things. I was referring to RVS 2011 Lite, at least that was my intention. I forgot to add the "Lite", though I did say Returnil Virtual System 2011. They are very similar. Also, I did not mean that Shadow Defender does not cache, because it has to. I meant that there is no predetermined cache file. With RVS 2011 Lite that file can be rather large and can lead to a hassle when you image your partition. That is not the case with Shadow Defender.

    So essentially, RVS 2011 Lite is similar to Shadow Defender except that it has the System Guard module, which is supposed to prevent things like drivers loading and anything that tries to assume low-level disk access, right? If that is the case, then that explains why RVS 2011 Lite uses a driver and why Shadow Defender doesn't, since SD doesn't need low-level access in order to prevent low-level access. Is this an inappropriate way of looking at this?

    As I said, I just find the different approaches interesting.
     
    Last edited: Jul 30, 2010
  5. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    any further thoughts on the topic guys?
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes, SD v1.1.0.326 is 100% stable on my comp :thumb: RVS 2008 was great, apart from constant System Restore failures on both the XP and Vista comps I used it on.

    I'm waiting to see how the new versions of RVS pan out. I sincerely wish them well :)
     
  7. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    Cool, fast re,

    btw, did you use RVS 2008, not 2010?
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Who me ? Yes RVS 2008 was what my post was about.

    I have tried recent versions, but I, and others, feel RVS 2008 was very good, apart from the SR issues that is :( And I had some problems with the more recent versions. I'm looking forward to the, hopefully, fully stable releases of RVS 2011 ;)
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Is RVS 2008 compatible with Windows 7?
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Using RVS 2008 v2.0.9002 here on Win 7 32-bit with no probs.

    The Anti-execute function is available through the start menu and is quite robust but I don't use that part of it here and only tested it in a VM.
     
  11. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Thanks Franklin.
     
  12. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    475
    Can you update your antivirus (MSE) and Windows Update while always in shadow mode with Shadow Defender? If I can, could someone please show me how? I am new to this kind of software.
     
  13. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Yes, you can update them just like normal. But when you exit shadow mode, you'll have to apply the updates again so they are retained permanently.

    Just exit shadow mode and the computer reboots. You then update Windows and the antivirus and then reboot back into shadow mode.

    Back when I used Shadow Defender, I'd update everything on Friday, then go back to shadow mode until the following Friday.

    This is just how I did it ;)
     
  14. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    475
    Thanks Boost
    I wanted to know if I could just update while in "always on" shadow mode (excluding the MSE update folder, maybe the whole antivirus or something similar)... so I can always remain in shadow mode and don't have to move in and out of shadow mode just for updates. :)
     
  15. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Open Shadow Defender control panel, Click - Exclusion List, Click - Add Folder (for MSE C:\Program Files\Microsoft Security Essentials\*) and Apply.

    Windows Update is far too varied a process to exclude in Shadow Mode - it would be impossible. Really, you are leaving massive holes in Shadow Defender's security if you go any further than things like bookmarks for browsers, your antivirus plus any additional malware scanners, and the firewall.

    I have the Sandboxie program file excluded as well (I see you use Sandboxie).
     
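The two mechanisms the thread keeps circling back to are (a) a disk-level copy-on-write layer whose cache is dropped on reboot, with a memory fall-back if the disk cache is lost (Mike's post #3), and (b) an exclusion list that lets a chosen folder, such as the MSE folder, write straight through to the real disk (Keyboard_Commando's post #15). The following Python model is an added example written for this page; it is not Shadow Defender's or Returnil's code and makes no claim about how either driver is implemented internally. The block size, the file table, the paths and the "corrupt cache" switch are all constructed for the demo.

```python
# Toy model of disk-level "shadow mode": a copy-on-write block layer with a
# discardable cache and an exclusion (pass-through) list.
# Added example for this thread; not vendor code. All names and data are
# constructed: the file table below stands in for a filesystem's block map.

BLOCK = 16  # bytes per block; tiny so the demo stays readable


class RealDisk:
    """The physical volume. Whatever is written here survives a reboot."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks

    def read(self, i):
        return self.blocks[i]

    def write(self, i, data):
        self.blocks[i] = data


class DiskCache:
    """Pre-allocated on-disk cache file (modelled as a dict).
    corrupt=True simulates the cache being deleted or damaged while active."""

    def __init__(self, corrupt=False):
        self.entries = {}
        self.corrupt = corrupt

    def put(self, i, data):
        if self.corrupt:
            raise OSError("cache file unavailable")
        self.entries[i] = data

    def get(self, i):
        return None if self.corrupt else self.entries.get(i)


class ShadowLayer:
    """Sits below the filesystem. Redirected writes land in the cache (disk
    cache first, memory if that fails); blocks of excluded paths go straight
    to the real disk. A reboot without commit throws the cache away."""

    def __init__(self, disk, file_table, exclusions=(), cache=None):
        self.disk = disk
        self.cache = cache or DiskCache()
        self.mem = {}            # fail-safe in-memory cache
        self.failsafe = False
        self.excluded = set()    # block numbers owned by excluded paths
        for path in exclusions:
            self.excluded.update(file_table[path])

    def write(self, i, data):
        if i in self.excluded:
            self.disk.write(i, data)  # committed immediately, keeps AV updates
            return
        try:
            self.cache.put(i, data)
        except OSError:
            self.failsafe = True      # keep virtualization alive in memory
            self.mem[i] = data

    def read(self, i):
        if i in self.excluded:
            return self.disk.read(i)
        if i in self.mem:
            return self.mem[i]
        cached = self.cache.get(i)
        return cached if cached is not None else self.disk.read(i)

    def reboot(self, commit=False):
        """Leaving shadow mode on the system volume: merge or discard."""
        if commit:
            for i, data in {**self.cache.entries, **self.mem}.items():
                self.disk.write(i, data)
        self.cache = DiskCache()
        self.mem.clear()
        self.failsafe = False


def demo(corrupt_cache=False):
    """Constructed scenario: malware drops a driver while the AV updates
    its engine in an excluded folder; then the box reboots without commit."""
    av_dll = r"C:\Program Files\Microsoft Security Essentials\mpengine.dll"
    file_table = {r"C:\Windows\System32\drivers\evil.sys": [0], av_dll: [1]}
    disk = RealDisk(4)
    disk.write(1, b"sig-v1")
    shadow = ShadowLayer(disk, file_table, exclusions=[av_dll],
                         cache=DiskCache(corrupt=corrupt_cache))
    shadow.write(0, b"dropper")   # redirected into the cache
    shadow.write(1, b"sig-v2")    # excluded path: hits the real disk
    result = {"during": (shadow.read(0), shadow.read(1)),
              "failsafe": shadow.failsafe}
    shadow.reboot()               # discard everything virtualized
    result["after"] = (disk.read(0), disk.read(1))
    return result


if __name__ == "__main__":
    print(demo())
    print(demo(corrupt_cache=True))
```

In `demo()` the dropped driver is visible while the session runs but is gone from the real disk after the reboot, whereas the AV engine update in the excluded folder persists; with `corrupt_cache=True` the layer flips to `failsafe` and the outcome is the same, which is the property Mike describes. The model also makes the trade-off in post #15 concrete: every block you exclude is a block the shadow layer no longer protects, so keep the exclusion list to the AV, firewall and similar paths and nothing wider.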
  16. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    475
    Thank you very much, I just wanted to exclude MSE so that I don't have to reboot every time I have to update my antivirus. :)
     
  17. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    I may be wrong, but I think it used to be possible to exit shadow mode in SD without the necessity to restart the system... and it was the main difference between Returnil and SD, wrong?
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    You can exit shadow mode from non-system partitions without a reboot but to exit the system partition (usually the C: drive) you must reboot, the same as with Returnil.
     
  19. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    Now it's clear - thanks.
     
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    You're welcome. :)
     
  21. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    My observation on my laptop:

    with Returnil the usual temp rises to 56 degrees Centigrade max
    with Shadow Defender it's 52 max
     
  22. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The RSS 2011 File Manager handles folders differently than 2010. IOW, you can now simply add the MSE folder and when you click to save your list items, all the files and sub-folders in a listed folder will be saved to the real disk.

    Mike
     
  23. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Now that the included Virus Guard component in RSS 2011 has received a VB100 award, you should be confident of the antimalware detection and remediation quality. Also, with the recently added "Compatible with Windows 7" certification, you can be confident of stable performance on Windows 7 based systems.

    With these in mind, please try your CPU temp tests with only RSS 2011 installed instead of being installed at the same time as the current AV solution you may be using. While we will continue to work to make RSS and future versions compatible with 1st and 2nd tier AVs as we have in RVS 2010, recent quality upgrades start to make this type of configuration redundant and can have overall performance implications...

    Mike
     