Trying out Returnil

Discussion in 'sandboxing & virtualization' started by FadeAway, Dec 30, 2007.

Thread Status:
Not open for further replies.
  1. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Well here I am, trying my first virtual software, Returnil (free).

    Everything is being done on a test machine with a separate data partition
    and ATI images, so nothing that goes wrong can possibly be of any
    consequence to me on that machine. System Restore is turned off.

    I installed the program, and did not create virtual partition Z.
    When the system boots, the tool tip shows that protection is OFF,
    and the tray icon is green.

    Can someone confirm if my understanding of the following hypothetical
    scenario is correct?

    1. I click Session Lock and the tray icon turns red. Now, the only way
    to turn it off, is to reboot.

    2a. I download a document to my Desktop on C:\, and
    2b. copy the document to Data partition E:\.

    3. While surfing, I pick up a drive-by rootkit.

    4. While surfing, my AV auto-updates.

    5. I reboot the machine.

    6. The desktop comes up on C:\, the tray icon should be green,
    protection is again OFF. The document on my desktop, the rootkit,
    and the AV updates, are history, but the copy of the document on
    E:\ is still there.

    7. If I decide I don't like Returnil, I restore a pre-install ATI image
    of C:\, and the installation of Returnil will have done nothing
    to the partition that will prevent a perfect ATI restore.

    Do I have that right? Any suggestions?

    Thanks
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    6. Yes, that is all correct. Returnil currently will only protect/virtualize C:\ or your system partition (where Windows is installed). Anything installed on C:\ will be gone at reboot. There may be some exotic/rare malware or POC that can bypass the protection, but it appears that Returnil reacts very quickly to fix any vulnerabilities.

    7. I'm not sure, but I would guess yes. I'm new to imaging myself and I'm also using DiscWizard/ATI. I hope someone can confirm this.

    When I first installed Returnil, I played around with it a bit. I turned on protection and then created a file just to see if it was gone on reboot. Of course it was. I installed the VP and when it was mounted you could move files back and forth freely with Returnil's protection on or off. It was just like a real partition. I've also tried installing programs, extensions, etc. with protection mode on and when I rebooted, they were gone. Returnil has also been very stable for me. I have only turned on protection by the Session Lock. I haven't needed the other features yet.
     
  3. FadeAway

    Good evening, innerpeace, & thanks for responding.

    The reason I didn't create partition Z, was out of concern that if it
    somehow altered C:\, it might interfere with an image restoration.
    Already having a separate data partition, I didn't see any immediate
    need for it. Any suggestions received in this thread will affect how
    Returnil is finally configured in the working machine. I will run every
    possibility I can think of on the test box before reaching a final
    decision.

    Thus far, it seems to be nice icing on my security layer cake.
     
  4. innerpeace

    Hello FadeAway,

    You're right, there is really no need for the Virtual Partition (default Z:\) if you have somewhere else to store what you want to save. I've just very recently created a data partition myself and opted out of making a VP. However, Peter2150 does use the VP as a sort of safe place to store data as it can be password protected.

    When the VP isn't mounted, it's just like another file sitting on your computer. It and the Returnil folder are now hidden in this new release. C:\Returnil is where they are located if you can view hidden files/folders.

    If you use the VP, and it's not mounted, I don't see a problem with imaging. Coldmoon/Mike will give you better info.

    I also think that Returnil is "icing on the cake" and I am slowly trying to find a way to use it full time. I hope this helps and I will step aside so you can get other opinions.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Couple of points.

    1st, the virtual partition when not mounted is simply a file in a folder. If I decided to remove it, I would first uninstall, and then, if you want, restore the image. Returnil uninstalls cleanly.

    Pete
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    I would only add that 2.0's repair feature will allow you to delete the VP file before imaging and then recreate it later if needed without a full uninstall/reinstall process.

    Mike
     
  7. FadeAway

    Although I have not tested the creation of an image both with the
    virtual partition file installed and without it installed, I assume
    that without it, the size of the image file would be significantly reduced.
     
  8. Coldmoon

    Yes

    Mike
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I'm new to trying Returnil, and my question is: if protection is on and, let's say, my antivirus updates, I am assuming the update will not be applied after reboot. Would that be a correct assumption? Edit: seen post above, oops.
     
  10. FadeAway

    Hello djohn,

    I've been using Returnil regularly on the main machine for about two
    weeks now, & it has, in all instances, performed exactly the way it
    is supposed to. When you turn on Session Lock, the system partition, C:\,
    acts as if that part of the HDD upon which it resides is frozen
    solid. Everything from that point on is done, I think, in RAM.

    On reboot, C:\ picks up exactly where you left it at the point of
    initiating Session Lock. Or at least that is the way it appears from
    the user's point of view. I'm not a technical type, so my explanation
    may be a bit crude, but so far it has worked very much to my
    satisfaction on XP SP2. Combined with my disk imaging program, with which
    I do full back-ups of C:\ on a systematic schedule, it provides me
    with a warm, fuzzy feeling inside. Whenever I start following unknown
    links, I just turn on Session Lock. If I want to save something, I
    move it to the Data Partition before rebooting.

    I've read some comments that there may be some theoretical methods
    with which malware could bypass Returnil's protection, but with the
    other proper back-ups in place, that does not concern me.
     
  11. Dark Shadow

    Thank you for the reply. I now understand it better, and I hope it works well long term.
     