Thoughts on Returnil (Products and Company)

Discussion in 'Returnil releases' started by n8chavez, Jul 7, 2010.

Thread Status:
Not open for further replies.
  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Now that Shadow Defender may no longer be actively developed, I went searching for an alternative, both for personal use and for a product that I can recommend to customers. I see virtualization as the primary line of defense, leapfrogging the unreliable malware scanner. It is something that needs very little user interaction, other than the initial configuration. I have heard a lot of good things about Returnil, so I decided to check them out. I got a deal I just could not refuse, so I bought Lux 2010.

    I have used Shadow Defender for a long time. It remains my only frame of reference for whole-system virtualization. That being said, there were things I discovered about Returnil that I did not like: (If I am in any way wrong please point that out.)

    • Returnil requires a yearly subscription for their products. If they are like most business models then the user doesn't actually pay to use the product, they pay for the right to upgrade the product. I prefer products that do not use such models, rather I prefer one time fees. There is also no renewal discount with Returnil, which is rather odd considering that most companies offer substantial renewal discounts. I tend to gravitate towards products created by individuals; Shadow Defender (Tony), Sandboxie (Tzuk), Drive Snapshot (Tom). All these products are one time fee because they are not responsible for employees that reinvent their product every year. Tweaking (and updating) is good. But there is no need to reinvent the wheel all the time. See the drastic differences between 2008, Lux 2010 and the beta 2011 to see what I'm talking about. That simply leads to greater expense, which gets passed along to the consumer. Oh yeah, those three products I mentioned earlier all are one-time fee. And as anyone around here knows, they are among the best at what they do. So, why, Returnil, why?

    • Returnil uses a lot more system resources than similar products. Shadow Defender and Shadow user are both incredibly light, using under 10 MB. Returnil Lux 2010 is not, which can use around 90-100 MB when both processes are combined. Granted that is in part because it makes use of a malware scanner.

    • Returnil 2010 Lux uses a malware scanner. Some might like that fact. After all, it adds another "layer" to the security 2010 Lux provides. I do not. It's a patchwork at best. This is still a virtualization product, right? Then I assume that the key ingredient here is virtualization. If that element was so great there would be no need for other "layers". I view adding an anti malware scanner as an admission that it might not be up to the task. After all, who cares if Trojan X, Malware Y, or Rootkit Z come along and do their worst, a simple reboot and revert should take care of that, right? Evidently not. The same can be said for any application that puts inner-layers in their application. I agree with the security concept of layering, but that should not be done inside one single application. Think of it like the Windows/Linux relationship. Windows is not that secure by itself, comparatively. Linux is. Windows needs patches and service packs in order to make their product more secure and more stable. Linux needs far less to be both secure and stable. I don't wish to get into an OS debate here. My point simply being that if something is done right there is not that much patching that needs to be done to it.

    • Returnil uses blanket exceptions. I dislike the idea of giving read/write permissions to an entire directory. This is a fault of all system virtualization applications. I have yet to see one that will allow the user to restrict read/write to a directory based on a process, ensuring that only that process is allowed to read/write to that directory. For the life of me I cannot figure out why this would be a bad thing. Currently, the file Manager which was designed to force the user to make deliberate changes. Really? Manual exclusion is your rebuttal? Have you ever used Opera? You try committing a single email to the real disk. It can be done but it's not easy. That, of course, is just an example. Okay. Tell me how that method is in any way better than the one I suggested above, which has already been previously suggested and dismissed.

    If they were to implement the above feature and place their priorities and resources to the virtualization aspect of the product, rather than in the patch-work that is inner-application layering, Returnil might be worthy of being the giant in security virtualization. Until then I might just have to pass, and find other products to recommend to my customers.

    I place real value and trust in a company in how well they listen to users and adapt, and with Returnil the jury's still out.
     
    Last edited: Jul 7, 2010
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    My take on it...
    • Returnil does have a free version of the product, so that tends to balance a yearly subscription from my perspective. From a long term business perspective, lifetime licenses simply aren't sustainable. The other scheme often used, major version upgrades at reduced cost on a yearly basis, is viable and is often operationally the same as a subscription. You are correct that there isn't a renewal discount, but as long as there are periodic/continuing buy-1-get-2-free offers, I'm fine since I install on multiple machines.
    • I haven't really noticed undue resource consumption on a regular basis. Occasionally I see rvsmon.exe go a little crazy as though there's a conflict or glitch. A restart solves it. Would prefer that I didn't need to do that. Not sure of direct cause (haven't noticed obvious patterns - it's rather infrequent).
    • I tend to have the scanner disabled. I can see the possibility of a number of strategic reasons for the inclusion, but it's a neutral for me at the end of the day.
    • Not a facility that I use.

    Overall, it's a product I've used for a couple of years and continue to employ as my primary security application (in concert with LUA/SuRun/SRP).

    Blue
     
  3. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    As I have posted on many occasions when this subject is brought up, I find no inconsistencies with Blue's reply. Lifetime licenses are a dead end in business terms and lead more to failure or an inordinate focus on revenue generation at the expense of development and support when the pool of available customers becomes static. We plan to be here for the long haul and to do this we need to have a sustainable model.

    This is not universal as Blue notes and may be related more to resource challenges on some computers. With this said however we are working to improve performance overall and still need feedback (yes those logs we always ask for) to help us identify why this happens in these specific, but rare cases.

    RVS is a security solution and not just a simple virtualization tool. Also, the antimalware is not a patchwork implementation as it has been highly modified to work hand-in-hand with the other components in RVS to provide warning and expert feedback on potential malware content. It is also designed to work as a traditional AV when it is uncertain whether the real disk is infected BEFORE you move to invoke the virtualization. This is because you would simply get into a bouncing ball situation where the malware is detected and removed by your other security programs and simply returns with the next restart of the computer because of the virtualization.

    Please try to understand that RVS is not and never will be just a simple virtualization tool and that we are working to create a product/service with the end of malware as its ultimate goal.

    This makes no sense as you start by rejecting folder exclusions and then suggest that the File Manager approach is too difficult while not mentioning anything about the File Protection feature. Also, who is rebutting what? The File Manager was a deliberate move to address user requirements to allow saving content to the real disk and to balance the inherent risk of doing that with a way to make it happen securely.

    Exclusions are only available (at the moment) in RVS Lite 2011 which is actually closer to your vision of a virtualization solution...

    There is nothing patch-work about RVS (any version) and there is no point in simply focusing on the virtualization part of the strategy at the expense of where we are going with the product and its relevance to better overall security.

    Virtualization, regardless of what type, has inherent weaknesses as does any other tool you want to discuss. What is important is how those weaknesses are addressed to provide real protection for the customer. This requires a strategy that encompasses more than a single approach with the understanding that as threats evolve and time passes, these features will need to be refined, changed, or dropped as required to meet that mission goal.

    Don't get lost in the trees at the expense of seeing the forest. Try to see what we are developing here as a whole rather than the sum of its parts which were chosen for very specific reasons to achieve targeted goals.

    Mike
     