RVS 2011 Additional Protection Options

Discussion in 'General Returnil discussions' started by Auguss, Aug 23, 2010.

Thread Status:
Not open for further replies.
  1. Auguss

    Auguss Registered Member

    Joined:
    Jun 1, 2010
    Posts:
    8
    RVS 2011 > Virtual Mode > Settings > Additional Protection Option

    I looked around for this, but I was not able to find the answer.

    I do not understand the three modes. Which is the safest of all three? There are three options: Allow programs to run normally, Trust system services from real disk only, and Trust programs from real disk only. I do not want to trust anything, i.e. Internet Explorer or Firefox. I want any changes, even temporary internet files, downloads, and program temp caches, to go to the Virtual disk and be removed at the shutdown of the computer. I did not have this option in 2010; it was simple. Now I do not understand the differences between the three and which one I should pick.
     
  2. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    I use Returnil 2008; it does what you want :D
     
  3. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Additional Protection Options (Anti-Execute feature)
    • Allow programs to run normally
    As implied, programs will not be blocked or prevented from running unless they are detected specifically by the Virus Guard Real-Time monitor.
    • Trust system services from real disk only
    Allows some flexibility between "block nothing" and "block all". Though good security practice would be to block all, this is not always the most optimal environment to work in at all times. With convenience however, comes risk and this is why this option is designed to allow things that the "Trust programs from the real disk only" option does not, but also provides protection against certain types of malware that are designed to circumvent the Virtual Mode protection and does so without need for signatures or updates.
    • Trust programs from the real disk only
    This is the most restrictive setting and will block anything not already known. This will even block the addition of plugins for your browser.
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Auguss and welcome to the forums :)

    Boyfriend posted the text from the manual and it is a good general description of what the options will do here. The AE feature is essentially the same as 2008 as far as what to expect from the two options you are familiar with:

    1. Allow programs to do what they want
    2. Block what isn't already known

    The new option gives a little flexibility rather than being an either/or situation while still providing a level of protection.

    Mike
     
  5. Auguss

    Auguss Registered Member

    Joined:
    Jun 1, 2010
    Posts:
    8
    I wish there was a block all option. This computer is used as a public computer where kids get on it. They do not know what they download and install. I might be looking for another Virtual Disk program to try. Thanks for the information. I did not really understand the description that Boyfriend left. It is a little confusing.
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The option for only allowing what is known is a default "block all" option as it will simply not allow any exe to start if it doesn't already exist on the real hard disk so this would be appropriate for your stated requirements.

    Give it a try and you will see exactly what it does. Further, the blocking is done silently, so there are no rules to learn, configure, or adjust. When using the option to show an alert, the authorized user would be able to allow things to run, but the AE feature itself will not remember the decision following restart, so there is flexibility when required and discipline at all other times.

    Mike
     
  7. chuckfrasher

    chuckfrasher Registered Member

    Joined:
    Feb 15, 2008
    Posts:
    15
    How do you tell it to ignore? I keep getting warnings about a Norton update. A red box pops up.

    \DEVICE\HARDDISKVOLUME2\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\DEFINITIONS\VIRUSDEFS\20100826.002\EX64.SYS
     
  8. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    With default AE, I am also unable to use Core Temp (0.99.7.7). Moreover, a Z: drive (exact size and with the name of the system drive C:) appears in Explorer. To avoid frustration, I am running it with the option to allow programs to run normally.
     
  9. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Set it to "Allow programs to run normally" if you intend to test software or run certain stuff that isn't on your real system itself.

    Set it to either one of the other 2 options if you want further restrictions....

    In any case, there's nothing much to worry about as you're using Returnil....simply reboot and poof, most changes (if not all) are gone;)
     
  10. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi chuckfrasher,
    Open the Virus Guard > Log section, select the detection from the list and select Quarantine. Next, open the Quarantine list, select the item you just sent to quarantine and then select Restore. During the restore process, choose to add the file to your Virus Guard exclusions list. The file should now be ignored during further scans.

    Mike
     
  11. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    @Coldmoon: How can we exclude a file/driver from being detected by AE? (Not by Virus Guard.)
    Is there any solution for the Z: drive that appears while virtual mode is enabled?
     
  12. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    1. No, the AE will block what it is programmed to block depending on your settings. If you have problems activating some programs using the "Trust programs from the real disk only" option, try the "Trust services..." option for more flexibility. If this still causes issues, you may have to consider allowing programs to run as they will until you are done using the particular program you are trying to use.

    2. This should be resolved in 64 bit systems. If you are seeing a Returnil Z:\ drive in my computer, it should be the mounted Virtual Disk (virtual storage feature and not the virtualization cache).

    Mike
     
  13. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    1. How can I allow it while using the default AE option (Trust system services from real disk only)? I am experiencing a problem with Core Temp (0.99.7.7). It extracts its driver (sys) into temp files and Returnil does not allow it to run. How can I exclude a file so it runs normally?

    2. The problem is not resolved on x64. I have never used Virtual Disk nor enabled it. Currently I am in virtual mode. As soon as I select the option (Trust system services from real disk only) and click Apply, a Z: drive appears in Explorer (size and name are exactly those of the system drive). When I select the option (Allow programs to run normally), then it does not show up. It is the virtualization cache. Need a snap as proof?

    EDIT: I have found another bug. Coldmoon please check your PM.
     
    Last edited: Aug 27, 2010
  14. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    1. You can't. You will need to lower the AE settings or find a way to install the application on the real system prior to activating the virtual mode.

    2. I am unable to reproduce your report here. Please open a new support ticket and send us the usual log files so we can investigate your situation in greater detail.

    Mike
     