Returnil

Discussion in 'sandboxing & virtualization' started by Ghostcloak, Nov 29, 2007.

Thread Status:
Not open for further replies.
  1. estervantes

    estervantes Registered Member

    Joined:
    Nov 15, 2007
    Posts:
    49
    So, the VP is really not necessary for Returnil to function? If the user has other partitions, they can do without the VP. Is that right? Can I delete the VP and still use Returnil?
     
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    It was something with error 5. I uninstalled now and installed the new beta that works.

    Good to know. I just installed the new beta.

    Interesting to know! But not to forget many people surf with admin rights so it's crucial also trying to keep protection alive in case someone uses Returnil as admin.
     
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @Coldmoon: I've presumably missed it, but if I want to change the size of the virtual partition where can I do that? Since it seems you can only decide this during installation (with/without VP + size).

    /C.
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I just made a change and gave up the one product I swore I never would, Sandboxie. Tell you something interesting about that product in a minute but, even with Sandboxie and Returnil I still felt uneasy that even if something happened, until a reboot, I wanted to know it. I put Avira back on with Returnil. I figure even in the virtual world, you just never know when one of those virtual eating trojans might show up, and Avira can pop it.;)

    With the new beta of Returnil I can set it up so that Avira's updates are not wiped out on rebooting. This really seems to work well and give me a better peace of mind. I think the best approach is still a combo of virtualization and AV.


    Now, after uninstalling Sandboxie on Vista, I went in to delete the leftover folders, there were 3 in different places. But the main one said it was too large for the recycle bin, did I just want to delete it anyway. I had Sandboxie set to delete contents on closing. Not sure what was in there, not sure if now I feel safe with it, but doesn't matter, a taste of both worlds is what I have now.;)
     
  5. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    If I understand you correctly here the message "has been compromised" means that a simple reboot may not remove the offender ? so perhaps a restore of a clean image, made earlier, would be better than trusting to some scan which may or may not clean the system fully ?
     
  6. Green Giant

    Green Giant Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    252
    I see that trjam uses Sandboxie and Returnil. I have Sandboxie 3.20.01, but also have Perfect Disk 8, which is set to run overnight once a week.

    Were I to install Returnil, would this cause problems?

    Grateful thanks for any advice!

    My OS is WinXP SP2
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Yes and no. It would defragment based on what is currently running but if Returnil is on, which it would be, then on a reboot all would revert back making your weekly defrag useless. There are 2 ways to do this.

    One is just shut off and reboot with Returnil off and then defrag, or the other, which is cool, in the beta it allows you to schedule time frames for certain things to work without having Returnil actually on. Also I set mine up to allow Avira's updates at a specific time to come through then it reactivates. I think I have this right, coldmoon can better explain.


    No, I have stopped using Sandboxie for now as I would rather have an AV just for safe-keeping and old habits, than 2 layers of virtualization. Returnil and Avira are doing well for me.

    So download the beta for Returnil, at their site, play with it some, then set it up for Perfect Disk to run at a time that you also set up in Returnil.
     
    Last edited: Dec 5, 2007
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    For the best security, your solution would rank number 1.;)
     
  9. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    For 2 years I had the combination of virtualization + AV, nothing entered my system, and my computer had the most dangerous exposure to malware one could possibly imagine. I'd say this combination will give you 99% security without physical access to your machine.
    At the moment I'm trying AntiExecutable instead of a good AV, only because it really speeds up my computer, and I don't have to rely on updates.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If I ever get that message as a Returnil-user :
    "Warning! The System Protection Engine has been compromised!"
    I won't use any scanner to clean my system partition, I will restore a CLEAN image, which removes ANY malware.
    Returnil doesn't have archives to do this quickly, so an image is the only option to get a guaranteed clean system back, because scanners can't guarantee a clean system, unless you are brainwashed by the message "Congrats, no threats found.". :)
     
  11. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Green Giant. Using Returnil and PD8. Returnil Protection is on all week. On the weekend - turn Returnil off and make system changes, update programs etc. then use PD8 to defrag C:. For the rest of the week every time you reboot C: will be almost perfectly fragmented.
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    True Erik, once compromised I guess my thought that Avira could promise a perfect clean again, is stupid. So what is the best and more user friendly product to restore a clean image? Then you basically are 100 percent secure.
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    My issue is my computer is always on, I reboot weekly. So the purpose of Sandboxie or an AV is to catch anything during the week instead of letting it hang around all week doing its thing. That is why I thought Avira would be better at this than Sandboxie, which can't detect. So then AE would fit the bill for both of these instances or needs, is that what you are saying? I just want to know during the week if something bad enters my nice virtual world.
     
  14. Green Giant

    Green Giant Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    252
    Many thanks for the advice given!
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Forget AE as it isn't Vista compatible. Any others? HIPS are all going to need to be updated, which I can allow with the beta. I wonder if Threatfire would suffice better than Avira.
     
  16. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    You should qualify that statement Erik, you'll restore an image that you presume is clean. It probably is clean if you install no third party/major vendor software. But the fact of the matter is, unless you can disassemble and analyze the executables yourself, an AV remains the best "expert guidance" on malware identification available.
    If you're going to be over-the-top paranoid, you're basically in the same psychological boat with either approach and you're always looking to plug that last molecular level hole in your imaginary fortress. Your own continuing journey here suggests as much.

    I use an AV, I have a clean system, I'm not brainwashed, I don't spend my hours restoring image after image, and I don't have an elaborate pandimensional scheme designed to handle things down to the sub-bit level (whatever that would be), sweeping away ghosts that have yet to see even a workable proof-of-concept outline.

    Restoration is one approach. It's clearly a very robust methodology if practiced with a very high level of discipline. However, it is neither foolproof nor always terribly convenient, even when implemented with ISR type technology.

    Blue
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I don't know. I still like the idea of an AV and Returnil. Not for the scanning that everyone hates, but more from the guard aspect. For folks like me that may only reboot once a week, it is the most sound. This isn't about ditching, scanning, AVs, virtual products. It is about trying to find the right and light combo that works.

    I think using Avira as the guard and Returnil as the backup is good. A little of sugar and salt. Nothing wrong with that.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    BlueZannetti,

    1. Those clean images are based on a fresh installation, that has hardly been online.
    2. Those clean images have been scanned by several advanced+ scanners and of course they didn't find anything.
    3. Those clean images produce clean archives for FDISR.
    4. I use these clean images and archives for restoration only.
    5. Via these clean images and archives, I create my daily system, which means I have two groups of images and archives :
    a. Clean images and archives.
    b. Daily images and archives.
    I use my clean images and archives to keep my daily images and archives clean, including my freeze storage, which cleans my system during each reboot, more complete than any group of scanners and above all faster.

    My setup doesn't require more discipline than other setups.
    If users are using scanners, they can't backup their system without running their scanners first. That is also discipline.
    Users have to run their scanners also every day and not every week like some do. That is also discipline.
    I can reboot every hour, but users will never run all their scanners every hour, that would take too much time, while my boot-to-restore takes less than 2 minutes.

    I just work differently than most users and I certainly do it much quicker, more complete and safer and without working hard.
     
  19. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi estervantes,
    This is correct. In fact you can just delete the VP file if you want without causing any issues for RVS. Please dismount it first and backup any data you want to save stored within it before you do this...
     
  20. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    You will need to uninstall and then reinstall RVS to create a new Virtual Partition.
     
  21. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Long View and others with the same suggestion,
    Yes, this is by far the best idea but it is not a solution that is available to everyone. If in doubt as to what they have, err on the conservative side as it were. And many that do use imaging also have at least one on-demand scanner in the closet just in case...
     
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Good idea.

    Erik and RIPS :D :D (rest in peace with your sandbox)
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My frozen snapshot is the same as Returnil in frozen mode.
    I ran KAV, NOD32, NAV2008, BitDefender, SUPERAntiSpyware, Spyware Doctor, TrojanHunter, ... they can't find anything, which is normal, because there is nothing to find, except false positives. When I'm back in the mood, I will try Avira and McCafé. ;)
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I'm not sure what difference it might make but I don't think it is correct to say that an FD-ISR frozen snapshot is the same as a Returnil. I have no idea how Returnil works but if I understand it correctly FD-ISR has a frozen snapshot and when the machine boots C: is compared with that frozen snapshot and corrections made to C: to make C: the same as the Frozen snapshot. I do know that Returnil does not maintain a frozen snapshot on another partition or drive.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The end result of all these ISR-softwares is the same and that counts for users : an unchanged system partition, only the method is different.
     