Returnil

Discussion in 'sandboxing & virtualization' started by biatche, May 14, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Coldmoon

    I am not going to get into a theoretical technical debate. My experience doesn't bear out your theory, so I asked for you to support your statement.

    Remember, and this is the crucial point, when asked as someone representing Returnil, what the differences in your product vs Powershadow were. You stated the product caused less wear on the drive based on this explanation. It now turns out the explanation is just your theory. Fine.

    But you are making marketing representations as factual when they are in fact theoretical. I see this as an ethical issue, not technical.
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Peter,
    I have in no way been using "marketing representations" when I have done my best to answer every question forthrightly and as truthfully as humanly possible. Additionally, your implication that I am acting in anything other than a respectful and helpful manner is rather unethical in and of itself…

    I suggest that a reply that details your position would help the reader more than a weak attempt to impugn my character or my motivation as regards the subject we are currently discussing.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No further comment.
     
  4. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Hi Coldmoon:
    No expansion forthcoming. It was just a humorous attempt by a novice at pointing out that your assertions seemed to get progressively hypothetical. With that said, I enjoyed reading your posts and the discussion with Peter2150. It is what makes Wilder's so interesting.
     
  5. EASTER.2010

    EASTER.2010 Guest

    I think hard disk wear could be debated until the cows come home at Christmas sometime next decade. Seriously, if let's say for clarity sake that a Power Shadow user substituted Returnil for it, what is really gained?

    Even the most novice users WILL NOT abandon their other security softwares such as HIPS, AV's, AS's etc and those, plus many other programs do more aggressive & intense disc accessing than Power Shadow ever will, plus I must also add, what about most RootKit scanners that go Low-Level?

    So any argument too heavily based on the support alone that Returnil would greatly preserve disk-longevity, couldn't possibly be realistic given the nature of most other applications activity in comparison, wouldn't you agree?

    Yes, Returnil by its own nature may be coded to use MEMORY (quicker) as opposed to DISK as one of its supporting credentials and aspects, but the disk wear argument just appears a little too overdone when you add up all the other factors into the equation.

    Maybe it's pure speculation on my part, but then maybe it's also speculation where concerns the disk wear issue as an underlying basis of advantage when making that comparison. I'm trying to walk an even line here between what is factual to what is theory.

    Thanks for allowing me to sound off over what I perceive as not a particular risk as hinted to earlier.. EASTER
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hello Easter,
    The question here is not about substituting anything for anything else. It may come as a surprise, but I am not here to "steal" customers or to convert the faithful. The first idea is personally disgusting to me, and the second is a useless endeavor.

    The original poster asked for information about RVS and what people thought about it and what comparisons/differences there were between it and the other solutions that offer similar protection, and not if anyone was going to switch or drop their current solution for RVS.

    Therefore, to this end, I have limited my commentary to answer all questions as accurately as possible and leave the decision about which solution is best in the hands of the reader/user as it should be. There are differences and I have done my best to shed light on them – nothing more, nothing less…

    Why would the user need to abandon their other security solutions? As I have stated and as I personally believe, there is no reason to discard their current line-up in preference to using RVS. Intelligent layering is a GOOD idea, so why focus on a configuration that only a very few experts would even consider?

    When discussing a low-level RK attack, you need to understand that even the RK needs to access the real HDD. With Protection ON, the RK infects something which is virtual and is gone with all the other changes at system reboot.

    Earlier in this thread, there was discussion regarding protection of the MBR and we will begin to test our solution in the next series of public betas for the next version of RVS. Though the driver will support this currently, we strongly believe that real-world testing MUST happen before we include this feature in a final release…

    No, I would not agree entirely. While it is obvious that no one in our space can provide strict empirical data over time, the door is still open to debate until this data is available.

    When you take all other activities a user may engage in over the life cycle of the HDD, then yes, I agree there would be too many variables to definitively say anything one way or another. This is precisely why I discussed this on a limited/theoretical level AND is why we need a completely independent “authority” to provide acceptable and reproducible testing of our solutions and the solutions provided throughout the entire security industry.

    There is no reason to get hung up over the issue of theory V proof other than that no fact is known or proven without it being a theory in the first place. So at the very least, I have been successful in provoking debate which will hopefully lead to testing, feedback, and improvements in our space…
     
  7. EASTER.2010

    EASTER.2010 Guest

    So what's the timeline on some tentative date for release of Returnil?

    I will add this in support of it, I absolutely detest VMWare because it is evadable by clever malware enthusiasts and anyway it hits resources way too strong IMO.

    There's no accurate test or results unless you use a RAW unvirtualized machine for testing malicious content.

    Now on to the practical matters of Returnil, it can be assumed then that this is another step to exploring virtualization programs and in this case users would be placing their system into another artificial environment, only one that in this case utilizes MEMORY as opposed to DISK.
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    coldmoon:
    Well noted:thumb:
    All good. I'm very interested and play with ram, ramdisk also in virtualization that is why I looked at Returnil last year. I'm glad and can see personally that Returnil has come along since then, is there anything you can tell us as to where Returnil is going, what devs are working on?
     
  9. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Easter.2010 asked:
    We are pushing hard for later this week or next week. There are still some graphics to complete which will need a manual update by necessity.

    Meriadoc asked:
    There are several things we are working on with RVS:

    1) Number 1 priority: To provide a solution for the "Turn OFF System Protection without reboot" issue/user wish-list item
    2) MBR protection
    3) Western language versions of our management console/manual. This will take some time as it involves quite a bit more to provide real-world testing where networks are concerned with an appropriately greater need for technical information and expanded customer support with network expertise

    As for new solutions, I need to keep this close to the vest until we move the new application out of internal beta testing. For the moment, all I can say is that it is something that is needed, but to date has not been solved adequately by those we will be competing with...
     
  10. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    Sounds interesting to me. I'm intrigued with the virtual solution to the malware threat and I would love to use PS but it doesn't like my computer.

    I avidly read and sometimes, re-read, every post in that long thread concerning PowerShadow.

    Unfortunately, when I did experiment, it didn't go well. Had system freeze, memory issues and threatened hard drive failure the last time I used it. CheckDisc found that some registry files were 'orphaned' and they had to be restored from backup. Naturally, this experience has made me more than a little cautious.

    One annoying thing is that almost no one else here had problems with it which made me feel 'orphaned' never mind the rest. It might have been incompatible with some other program I was running at the time, I don't know and I'm not feeling brave enough to try again.

    I'm thus looking forward to testing Returnil and to keeping it if it works smoothly, but not just yet. I know that it's predicated on RAM which makes it inherently different to PS and I'm hopeful that it will work for me in the long term. I'll keep an eye on the boards here in Wilders and see how the experts get on. In the meantime, I'll continue to use the very elegant, simple and effective SandboxIE.

    Following this discussion with great interest.

    Cheers folks.
     
  11. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hello Riverrun,
    Thank you for your words of encouragement. Having rare/unique compatibility issues is frustrating, especially when it seems that no one else can reproduce the same results. There is no “one-solution-fits-all” in computer security – what works for one person may not work for another, so never be shy with your feedback…

    Beta Feature Update

    The development team has been moving much faster than I previously estimated where MBR protection is concerned. This new feature has passed its initial limited outside beta testing over the past week. Therefore, I am delighted to announce that MBR protection is now available in the latest Beta release 1.62.4025.

    MBR protection is now included as a component of the System Protection/Session Lock feature. We want to thank Peter2150 personally for his invaluable feedback on this issue :cool:
     
  12. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    Hi Coldmoon, I'm looking forward to testing this product but I'll give it a week or two yet.
     
  13. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    BTW Coldmoon, I have just 1Gb. of memory in my main computer; will this be enough for Returnil to work smoothly?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Coldmoon

    You had me scratching my head about this one. Then I went back and reread. I assume you are talking about what Killdisk did. You are also getting into an issue which confuses a lot of folks including me. I am starting to gather that the partition tables are part of the MBR. If you have that nailed that would be a good feature.

    Pete
     
  15. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Riverrun,
    Yes, RVS will perform extremely well with 1 GB of RAM.
     
  16. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Coldmoon,

    The Returnil Web site states,

    Now, since the MBR is the Partition table stored on the first sector of the Disk, isn't it automatically protected since a restart restores the system partition original configurations?

    I'm a bit confused here, and hope you can explain!

    regards,

    -rich
     
  18. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Peter2150 said:
    Hello Peter,
    Yes this is exactly what I was talking about. The MBR is really just another "partition" on your HDD.

    EX: Let's say you have a HDD with a C:\ and D:\ partition you can see in Windows Explorer. What you actually have is three partitions or "devices" that are associated with your harddisk:

    [MBR][System Partition C:\][Data Partition D:\] OR in other words you have three Devices:

    MBR = \harddisk0\partition0\
    C:\ partition = \harddisk0\partition1\
    Data D:\ partition = \harddisk0\partition2\

    And so on...

    The System Protection can be expanded to include any partition on the HDD, but it was more important to prove stability and effectiveness of the RVS driver before attempting to make it more complex.
     
  19. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I do not think that is right. Per http://en.wikipedia.org/wiki/Master_boot_record
    This is the first time I have ever heard the MBR called a partition. Are you just trying to "dummy down" the explanation of the MBR?

    Mike
     
  20. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Rmus said:
    No, as the System Partition and the MBR are actually two different "devices". So in previous versions of RVS, the MBR would retain changes as would any other non-system partition (like data D:\ for example) with a reboot. This is why the Killdisk trojan was able to destroy the MBR in Peter2150's experiment and is why the development team moved to address this quickly.
     
  21. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi flinchlock

    Actually the lead developer dumbed it down enough for me to understand the basics of what the technology was doing so I tried to explain it here in a similar way.

    HTH
    Mike
     
  22. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    OK, understand, but you might want to study harddisk partitions/MBR/PBR/etc just so you come across as knowledgeable/trustworthy. ;)

    Mike
     
  23. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Just a question about the Returnil license. Is the software still useable after the 12 month subscription expires?
     
  24. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    In this case it was not really necessary to explore everything that makes up the MBR. What is more important is that the MBR protection addition prevents unwanted changes to the entire MBR sector.

    So describing it as a "Partition" is easier for the reader to visualize what is being protected.
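
The MBR layout debated in the posts above (the partition table lives inside sector 0, per the Wikipedia article flinchlock links), as an added example that is not part of the thread and not Returnil's code: a parser and baseline integrity check run over a constructed 512-byte sector. All function names and sample values are assumptions made for illustration.

```python
import hashlib
import struct

TABLE_OFFSET = 446        # boot code area is bytes 0..445
ENTRY = "<B3xB3xII"       # status, CHS, type, CHS, first LBA, sector count
SIGNATURE = b"\x55\xaa"   # bytes 510..511


def build_sample_mbr():
    """Constructed sector 0: placeholder boot code plus C: and D: entries."""
    sector = bytearray(512)
    sector[0:2] = b"\xeb\xfe"  # constructed placeholder, not real boot code
    entries = [(0x80, 0x07, 63, 40_000_000), (0x00, 0x07, 40_000_063, 80_000_000)]
    for i, fields in enumerate(entries):
        struct.pack_into(ENTRY, sector, TABLE_OFFSET + 16 * i, *fields)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the non-empty partition entries stored inside the MBR sector."""
    if len(sector) != 512 or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": i + 1, "bootable": status == 0x80,
                          "type": ptype, "first_lba": lba, "sectors": count})
    return parts


def mbr_digests(sector):
    """Hash boot code and partition table separately to localise a change."""
    return {"boot_code": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
            "table": hashlib.sha256(sector[TABLE_OFFSET:510]).hexdigest()}


def changed_regions(baseline, current):
    """Name the MBR regions whose digest differs from the stored baseline."""
    old, new = mbr_digests(baseline), mbr_digests(current)
    return [name for name in old if old[name] != new[name]]


if __name__ == "__main__":
    good = build_sample_mbr()
    print(parse_mbr(good))
    altered = good[:TABLE_OFFSET] + bytes(64) + good[510:]  # constructed: table zeroed
    print(changed_regions(good, altered))
```

Both partition entries come out of the same 512-byte sector that holds the boot code, which is why a write to sector 0 can damage the partition layout without touching any data inside C: or D:.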
     
  25. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi farmerlee,
    After the subscription period the Virtual Partition feature will be disabled but the System Protection feature will continue to function.
     