Some Questions

Discussion in 'General Returnil discussions' started by lanarkshireit, Mar 31, 2011.

Thread Status:
Not open for further replies.
  1. lanarkshireit

    lanarkshireit Registered Member

    Joined:
    Mar 31, 2011
    Posts:
    34
    Location:
    Scotland, UK
    Hi There

    I am currently testing System Safe / Virtual mode and I like the idea. However I have some questions.

    I do a lot of malware removal / protection and I sometimes find that the same customers get infected repeatedly. While this is good business for me it is a hassle for the customer.

    So what I would like to do is to be able to lock down a customer's machine but still allow them to save their stuff such as My Documents etc.

    Does RSS 2011 / Virtual Mode allow for this in an easy to configure way?

    What about Windows Updates?

    Can they install new programs?

    What virus scanning engine is included and does it interfere with currently installed Anti-virus programs such as MS Security Essentials or MBAM?

    Info greatly appreciated
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Yes, but the way you should be looking at it is that RSS/RVS Pro 2011 allow this in a more secure way. Rather than use Exclusions, we use a File Manager approach where you define the files and/or folders (sub-folders included) where you want to have changes saved to the real disk.

    The File Manager includes an autosave option that allows these changes to be saved automatically (every minute to 24 hours and/or at account logoff/shutdown).

    For heavy/large changes, we strongly recommend using the incremental saving to maintain better performance at logoff/shutdown as a large number of saves can cause significant delay for obvious reasons.

    No, the Virtual Mode protection must be turned off to apply Windows/Microsoft updates as these almost always include registry changes. Due to the nature of the virtualization technology (disk filter rather than file system filter) selective registry changes are not supported in the way that file and folder changes are handled.

    Yes and no. Only if the program does not require a restart to complete its installation and the install would be lost at the next restart of the computer. This means that you can only try mobile applications this way and not ones that require a driver install for example.

    The Virus Guard is composed of two distinct engines. One is our own development and the other is the F-Prot engine by Frisk. It is fully compatible with most 1st and 2nd tier AVs/AMs/ASs like MSE and MBAM so you should not run into any issues with this combination (ref: RSS Pro. MSE, and MBAM at the same time).

    The only cautions here are as follows:

    1. Some AV/AM and HIPS resident features can interfere with proper RSS/RVS Pro install. This is not a common issue, but it does happen and in these situations we recommend uninstalling both RSS and the AV then reinstalling with RSS first and then the other AV second. This should clear any unintentional blocks and the programs should work well with each other afterwards.

    2. There is a known incompatibility with CA Antivirus. This is related directly to the F-Prot part of the Virus Guard so users are cautioned not to try this combination until/unless this issue is resolved in a later version of RSS.

    Mike
     
  3. lanarkshireit

    lanarkshireit Registered Member

    Joined:
    Mar 31, 2011
    Posts:
    34
    Location:
    Scotland, UK
    Hi there

    Many thanks for the very informative info.

    So on a new build, I am better downloading and installing ALL Windows Updates BEFORE applying the Virtual Mode?

    However with roughly new updates every month I would have to advise customers to turn OFF Virtual Mode to apply the updates.

    Regards
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Yes. These updates come once or twice a month on a fairly predictable schedule so scheduling a "maintenance" day for these times would be beneficial to the customer. For bulk licensees or in managed network situations, access to the Returnil Commander remote management console allows remote scheduling for turning off/on the Virtual Mode and power cycling the clients to release the virtualization so you can have the updates applied.

    Organizing these activities so that the Virtual Mode is turned off just before the updates are to be applied further increases the efficiency and reduces the impact of the process for any users.

    Mike
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi Coldmoon

    Have been following the thread with interest as it is very informative and I am minded to ask, following your response;

    "Only if the program does not require a restart to complete its installation and the install would be lost at the next restart of the computer. This means that you can only try mobile applications this way and not ones that require a driver install for example."

    as to whether there is any feature in RSS that will handle this occurrence? Would System Restore handle it, ie, you install the application that requires a restart, you restart, you test that application and then decide you do not like it/want to clean it from your system. Would you not be able to run System Restore to restore the entire system to a time prior to the install of this application...so wiping out the install, etc.?

    Or am I confused? I am still trying to understand how System Restore works from reading the manual as I think that this is the technology that I am looking for.

    Any thoughts?

    Regards

    Balders :D
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Maybe yes, maybe no, it depends, but why try to take the long road when you can simply restart your computer with the Virtual Mode active and leave out the need to apply the restore point? Also, do not confuse the System Restore feature with an imaging one as they are completely different.
     
  7. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    OK, but not sure I understand as I am new to the Returnil way and 'maybe yes, maybe no, it depends,...' does not make sense?

    But here goes re. Virtual Mode; start Virtual Mode with 'Virtual Mode Always Enabled', install the application that requires a restart, restart (which should restart in Virtual Mode with the install completed?), test that application and then if I decide I do not like it/want to return to a clean system I hit the button to "Stop Virtual Mode" & then reboot (making sure to leave out the need to apply the restore point)?

    Have I got that right?

    If so great...as Returnil will do for what I want to do...but I am still interested in understanding what the use of System Restore would be. So back to the manual.

    Regards

    Balders
     
  8. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    No, as RSS/RVS do not support virtual sessions across restart. Each time you start your computer with the Virtual Mode on, you are in a new virtual session which ends as soon as the computer is restarted...repeat cycle... That is why you can only test mobile applications and not ones that require a restart of the computer to complete the installation.

    You are asking if you could use a restore point to "remove" an unwanted application by choosing to go back to a snapshot that was sufficiently far in the past so it was created before the program you wanted to get rid of was installed. Yes this is possible, but sometimes it is not as is evidenced by some families of malware.

    This is why you need to think of layers in your security strategies and why we designed RSS the way we did -> Vertical layered strategy where each component part backs up the other parts to form a stronger whole.

    Mike
     
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi Mike

    Thanks for the detailed response. Understand what you are saying...I think. It therefore looks like I will need to wait until the Multi Snapshot functionality is added into RSS before it will do the specifics of what I really want. I think that with that added & Virtual Mode, that should take care of my most pressing requirement but with the added layer of System Restore available as a penultimate resort.

    I will keep checking back to see whether the Multi Snapshot functionality is available, etc. :)

    Also, my compliments on the level of response & assistance provided in this part of the forum...to be admired, even when considering we are at Wilders...which is just about the best forum on the web for security & related issues. :thumb:

    Regards

    Balders
     
  10. lanarkshireit

    lanarkshireit Registered Member

    Joined:
    Mar 31, 2011
    Posts:
    34
    Location:
    Scotland, UK
    Hi There

    Thanks again for your informative answers.

    Anyway this all seems good in a managed environment but what about customers that I might not see again?

    Regards
     
  11. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    I am not entirely certain I am answering this question as you expect, so please clarify if I miss the mark here: My assumption is that you are referring to home users and small networks where the RC console is either not included, not needed, or over-kill.

    The situation with Microsoft/Windows updates remains the same; to apply these updates, the Virtual Mode protection in RSS/RVS must be off. Though there isn't a way to schedule the deactivation of the Virtual Mode via the client GUI, the idea of occasional "maintenance days" still applies.

    These days can be used to install new programs, program updates/upgrades, add new users, etc. In my own case, I do this on "patch Tuesdays" later in the evening, just after normal office hours or I wait for the weekend following patch Tuesday when things are too hectic during the week. I also use this time to review what I have installed and whether it is time to "trim the herd".

    Mike
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi Mike,

    I too have a couple of questions:

    I know I've misunderstood something here and would welcome clarification.

    If a disk filter is used how is it possible that file and folder changes can be saved using the File Manager feature if the virtualization technology is monitoring changes to disk sectors rather than changes to the file system?

    I observed an issue when running Virus Guard alongside Prevx. With Virus Guard real-time protection enabled, Prevx scans slow down horribly, almost grinding to a halt at around the 24% mark then taking several minutes to complete (many times longer than is normal for a Prevx scan). It's fairly obvious what's happening: Virus Guard is scanning the files as Prevx is trying to open them for reading, leading to a conflict.

    I've seen the same thing happen with both Avira AntiVir and MSE, for example, but both of these AVs have a feature whereby processes (as well as files and folders) can be excluded from real-time scanning, which nicely solves the double-scanning problem with Prevx by adding the prevx.exe process as an exclusion.

    Could consideration please be given to adding an option to exclude processes (and not just files and folders as at present) to a future release of Virus Guard in order to improve compatibility with other AVs?

    Many thanks.

    Regards
     
  13. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The key is in your question: track changes. This is a far more simple thing to do with files and folders than it is for the Windows registry. So rather than monitor the entire file system, the virtualization only needs to monitor where the appropriate changes would have been made on the real system.

    What happens if you add the PrevX exe manually to the Virus Guard exclusions list?

    Mike
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi Mike,

    I think I've always understood why disk sector tracking wouldn't be able to track registry changes because the tracking mechanism wouldn't be able to see inside the registry to see what keys were being changed. Saving changes to the files that hold the registry would be an all or nothing operation.

    If I've understood you correctly though, the virtualization technology is not only tracking changes to the disk sectors, but is also able to determine which files and folders are being impacted by the disk sector changes. I assume then that File Manager is saving just those disk sectors that relate to changes in the files and folders in the File Manager list, rather than saving the entire files at the file system level.

    In other words, all tracking and saving is done at the disk sector level, but with an awareness of how this impacts the file system. Have I understood this correctly?

    This excludes the prevx.exe file itself from being scanned by Virus Guard but doesn't prevent Virus Guard from monitoring what Prevx is doing. When the Prevx scanner tries to open files for reading, Virus Guard doesn't see the file activity of the prevx.exe process as something that should be ignored: It only sees that files not in the Virus Guard exclusion list are being accessed and scans them as Prevx is trying to access them, hence the conflict.

    Process exclusion is different to file and folder exclusion. Currently Virus Guard has file and folder exclusion but doesn't have process exclusion.

    Another way to solve the double scanning issue would be to allow a more granular control of Virus Guard real-time scanning, with the ability to separately determine whether files should be scanned on read, write, and execution. This is the approach used by NOD32, for example. NOD32 doesn't have the option of process exclusion but does allow the option of real-time exclusion of files opened for read access - scanning only on write or execution - which enables a conflict with other AV scanners, such as Prevx, to be avoided.

    Process exclusion for trusted processes and granular control of real-time file access are both viable mechanisms for avoiding the double scanning issue. Adding either of these features to Virus Guard would improve its compatibility with other AVs.

    Regards
     
    Last edited: Apr 12, 2011
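The three exclusion mechanisms compared in the post above (file/folder exclusion, trusted-process exclusion, and per-operation on-access control) behave differently when a second scanner reads every file on disk. The following toy policy evaluator is an added example, not Virus Guard, Prevx or NOD32 code; the access trace, the paths and the `Policy` fields are constructed for illustration, and no claim is made about any product's internals. It shows why excluding only the `prevx.exe` file leaves the double scanning in place, while either of the two proposed mechanisms removes it.

```python
"""Toy model of real-time AV exclusion policies (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase


class Op(Enum):
    READ = "read"
    WRITE = "write"
    EXECUTE = "execute"


@dataclass(frozen=True)
class Access:
    process: str  # image path of the process performing the access
    path: str     # file being accessed
    op: Op


@dataclass
class Policy:
    # Glob patterns for file/folder exclusion (the kind Virus Guard offers today).
    excluded_paths: tuple = ()
    # Trusted-process exclusion: accesses by these images are never scanned.
    excluded_processes: tuple = ()
    # Which operations trigger a scan (NOD32-style read/write/execute granularity).
    scan_ops: frozenset = field(default_factory=lambda: frozenset(Op))

    def should_scan(self, a: Access) -> bool:
        if a.op not in self.scan_ops:
            return False
        if any(fnmatchcase(a.path.lower(), p.lower()) for p in self.excluded_paths):
            return False
        if a.process.lower() in (p.lower() for p in self.excluded_processes):
            return False
        return True


PREVX = r"C:\Program Files\Prevx\prevx.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed trace: a Prevx on-demand scan reading files, then a user download and launch.
SCAN_TRACE = [
    Access(PREVX, r"C:\Windows\System32\kernel32.dll", Op.READ),
    Access(PREVX, r"C:\Users\alice\Documents\report.docx", Op.READ),
    Access(PREVX, r"C:\Users\alice\Downloads\setup.exe", Op.READ),
    Access(PREVX, PREVX, Op.READ),  # the scanner reading its own image
    Access(EXPLORER, r"C:\Users\alice\Downloads\setup.exe", Op.WRITE),   # file lands on disk
    Access(EXPLORER, r"C:\Users\alice\Downloads\setup.exe", Op.EXECUTE), # user runs it
]

# Excluding the Prevx folder protects prevx.exe itself, nothing more.
FILE_EXCLUSION_ONLY = Policy(excluded_paths=(r"C:\Program Files\Prevx\*",))
# Proposed option 1: treat the other scanner as a trusted process.
PROCESS_EXCLUSION = Policy(excluded_processes=(PREVX,))
# Proposed option 2: scan only on write and execute, never on read.
WRITE_EXEC_ONLY = Policy(scan_ops=frozenset({Op.WRITE, Op.EXECUTE}))


def count_scans(policy: Policy, trace) -> int:
    """Total real-time scans the policy triggers for the trace."""
    return sum(1 for a in trace if policy.should_scan(a))


def double_scans(policy: Policy, trace, scanner: str = PREVX) -> int:
    """Scans triggered purely by the other scanner reading files: the conflict."""
    return sum(1 for a in trace
               if a.process.lower() == scanner.lower() and policy.should_scan(a))


if __name__ == "__main__":
    for name, pol in [("file exclusion only", FILE_EXCLUSION_ONLY),
                      ("process exclusion", PROCESS_EXCLUSION),
                      ("write/execute only", WRITE_EXEC_ONLY)]:
        print(f"{name:20s} scans={count_scans(pol, SCAN_TRACE)} "
              f"double={double_scans(pol, SCAN_TRACE)}")
```

With file exclusion alone, the writes and launches are still caught (a good thing), but every file the other scanner opens for reading is scanned a second time; the two proposed policies keep the write and execute checks and drop only the redundant reads. The read-skipping policy is the blunter of the two, since it also stops scanning reads by every other process, which is the trade-off NOD32 users accept when they choose it.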
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Mike?
     
  16. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    Apologies for the late reply on that question.

    Yes, you are correct.

    Mike
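The model pegr described and Mike confirmed (copy-on-write at the sector level, with the save list resolved by asking which file owns each changed sector, and registry hives being saved whole or not at all) can be illustrated with a small simulation. This is an added example and not Returnil's implementation: the disk, sector size, file layout, paths and the `VirtualSession` class are all constructed, and the real product's data structures are not described anywhere in the thread.

```python
"""Toy disk-filter virtualization with a file-aware save list (constructed example)."""
from __future__ import annotations

SECTOR_SIZE = 8  # deliberately tiny so the constructed disk stays readable

# Constructed allocation map: which sectors each file occupies. A disk filter
# sees only sector numbers; this map is what lets it attribute a sector to a file.
LAYOUT = {
    r"C:\Users\alice\Documents\notes.txt": [10, 11],
    r"C:\Users\alice\Downloads\dropper.exe": [20, 21, 22],
    r"C:\Windows\System32\config\SYSTEM": [30, 31, 32, 33],  # registry hive file
}


def fresh_disk() -> dict[int, bytes]:
    """Real disk before the session: notes.txt has content, the rest is empty."""
    disk = {n: b"\0" * SECTOR_SIZE for sectors in LAYOUT.values() for n in sectors}
    disk[10], disk[11] = b"Meeting ", b"notes v1"
    disk[30], disk[31] = b"SYSTEM\0\0", b"Run=none"
    return disk


def owner_of(sector: int) -> str | None:
    for path, sectors in LAYOUT.items():
        if sector in sectors:
            return path
    return None


def is_saved(path: str, saved_paths) -> bool:
    """True if path is listed itself or lies under a listed folder (sub-folders included)."""
    p = path.lower()
    return any(p == s.lower() or p.startswith(s.lower().rstrip("\\") + "\\")
               for s in saved_paths)


class VirtualSession:
    """One Virtual Mode session: writes go to a shadow map until the session ends."""

    def __init__(self, disk: dict[int, bytes], saved_paths):
        self.disk = disk
        self.saved_paths = list(saved_paths)
        self.shadow: dict[int, bytes] = {}  # sector -> pending data (copy-on-write)

    def read_sector(self, n: int) -> bytes:
        return self.shadow.get(n, self.disk[n])

    def write_sector(self, n: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly SECTOR_SIZE bytes")
        self.shadow[n] = data

    def write_file(self, path: str, data: bytes) -> None:
        sectors = LAYOUT[path]
        if len(data) > len(sectors) * SECTOR_SIZE:
            raise ValueError("file does not fit its allocated sectors")
        data = data.ljust(len(sectors) * SECTOR_SIZE, b"\0")
        for i, n in enumerate(sectors):
            self.write_sector(n, data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE])

    def end_session(self) -> tuple[set[int], set[int]]:
        """Restart: commit sectors owned by saved files, discard everything else."""
        committed, discarded = set(), set()
        for n, data in self.shadow.items():
            owner = owner_of(n)
            if owner is not None and is_saved(owner, self.saved_paths):
                self.disk[n] = data
                committed.add(n)
            else:
                discarded.add(n)
        self.shadow.clear()
        return committed, discarded


def read_file(disk: dict[int, bytes], path: str) -> bytes:
    return b"".join(disk[n] for n in LAYOUT[path]).rstrip(b"\0")


def demo() -> dict:
    """Documents folder is in the File Manager list; a dropper and a registry change are not."""
    disk = fresh_disk()
    s = VirtualSession(disk, [r"C:\Users\alice\Documents"])
    s.write_file(r"C:\Users\alice\Documents\notes.txt", b"Meeting notes v2")
    s.write_file(r"C:\Users\alice\Downloads\dropper.exe", b"MZ-dropper-payload-bytes")
    s.write_sector(31, b"TZ=GMT+0")  # a wanted registry change inside the hive
    s.write_sector(32, b"Run=evil")  # an unwanted autorun key in the same hive
    committed, discarded = s.end_session()
    return {"committed": committed, "discarded": discarded,
            "notes": read_file(disk, r"C:\Users\alice\Documents\notes.txt"),
            "dropper": read_file(disk, r"C:\Users\alice\Downloads\dropper.exe"),
            "hive_sector_32": disk[32]}


def hive_all_or_nothing() -> set[int]:
    """Listing the hive file saves every changed sector in it; keys cannot be picked apart."""
    disk = fresh_disk()
    s = VirtualSession(disk, [r"C:\Windows\System32\config\SYSTEM"])
    s.write_sector(31, b"TZ=GMT+0")
    s.write_sector(32, b"Run=evil")
    return s.end_session()[0]


if __name__ == "__main__":
    print(demo())
    print("hive sectors committed when the hive is listed:", hive_all_or_nothing())
```

The first scenario is the one the thread recommends: the user's document survives the restart, the dropped executable and the registry edits vanish with the session. The second shows the limitation Mike described for Windows Update: once the hive file is in the save list, the filter commits the wanted and unwanted key changes together, because at sector level they are indistinguishable.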
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Thank you very much for confirming that Mike.

    Regards
     