Trying out Returnil

Well here I am, trying my first virtual software, Returnil (free).

Everything is being done on a test machine with a separate data partition
and ATI images, so nothing that goes wrong can possibly be of any
consequence to me on that machine. System Restore is turned off.

I installed the program, and did not create virtual partition Z.
When the system boots, the tool tip shows that protection is OFF,
and the tray icon is green.

Can someone confirm if my understanding of the following hypothetical
scenario is correct?

1. I click Session Lock and the tray icon turns red. Now, the only way
to turn it off, is to reboot.

2a. I download a document to my Desktop on C:\, and
2b. copy the document to Data partition E:\.

3. While surfing, I pick up a drive-by root kit.

4. While surfing, my AV auto-updates.

5. I reboot the machine.

6. The desktop comes up on C:\, the tray icon should be green,
protection is again OFF. The document on my desktop, the root-kit,
and the AV updates, are history, but the copy of the document on
E:\ is still there.

7. If I decide I don't like Returnil, I restore a pre-install ATI image
of C:\, and the installation of Returnil will have done nothing
to the partition that will prevent a perfect ATI restore.

Do I have that right? Any suggestions?

Thanks

 

6. Yes, that is all correct. Returnil currently will only protect/virtualize C:\ or your system partition (where Windows is installed). Anything installed on C:\ will be gone at reboot. There may be some exotic/rare malware or POC that can bypass the protection, but it appears that Returnil reacts very quickly to fix any vulnerabilities.

7. I'm not sure, but I would guess yes. I'm new to imaging myself and I'm also using DiscWizard/ATI. I hope someone can confirm this.

When I first installed Returnil, I played around with it a bit. I turned on protection and then created a file just to see if it was gone on reboot. Of course it was. I installed the VP and when it was mounted your could move files back and forth freely with Returnil's protection on or off. It was just like a real partition. I've also tried installing programs, extensions, etc. with protection mode on and when I rebooted, they were gone. Returnil has also been very stable for me. I have only turned on protection by the Session Lock. I haven't needed the other features yet.

 

Good evening, innerpeace, & thanks for responding.

The reason I didn't create partition Z, was out of concern that if it
somehow altered C:\, it might interfere with an image restoration.
Already having a separate data partition, I didn't see any immediate
need for it. Any suggestions received in this thread will affect how
Returnil is finally configured in the working machine. I will run every
possibility I can think of on the test box before reaching a final
decision.

Thus far, it seems to be nice icing on my security layer cake.

 

Hello FadeAway,

Your right, there is really no need for the Virtual Partition (default Z:\) if you have somewhere else to store what you want to save. I've just very recently created a data partition myself and opted out of making a VP. However, Peter2150 does use the VP as a sort of safe place to store data as it can be password protected.

When the VP isn't mounted, it's just like another file sitting on your computer. It and the Returnil folder are now hidden in this new release. C:\Returnil is where they are located if you can view hidden files/folders.

If you use the VP, and it's not mounted, I don't see a problem with imaging. Coldmoon/Mike will give you better info.

I also think that Returnil is "icing on the cake" and I am slowly trying to find a way to use it full time. I hope this helps and I will step aside so you can get other opinions.

 

I would only add that 2.0's repair feature will allow you to delete the VP file before imaging and then recreate it later if needed without a full uninstall/reinstall process

Mike

 

Although I have not tested the creation of an image with both the
virtual partition file installed, vs. without it installed, I assume
that without it, the size of the image file would be significantly reduced.

 

Yes

Mike

 

I new to trying Returnil and my question Is If protection Is on and lets say my antivirus updates, I am assuming the update will not be applied after reboot would that be a correct assumption? Edit seen post above opps

 

hello djohn,

I've been using Returnil regularly on the main machine for about two
weeks now, & it has, in all instances, performed exactly the way it
is supposed to. When you turn on Session Lock, the system partition, C:\,
acts as if that part of the HDD upon which it resides is frozen
solid. Everything from that point on is done, I think, in RAM.

On reboot, C:\ picks up exactly where you left it at the point of
initiating Session Lock. Or at least that is the way it appears from
the user's point of view. I'm not a technical type, so my explanation
may be a bit crude, but so far it has worked very much to my
satisfaction on XP SP2. Combined with my disk imaging program, with which
I do full back-ups of C:\ on a systematic schedule, it provides me
with a warm, fuzzy feeling inside. Whenever I start following unknown
links, I just turn on Session Lock. If I want to save something, I
move it to the Data Partition before rebooting.

I've read some comments that there may be some theoretical methods
with which malware could bypass Returnil's protection, but with the
other proper back-ups in place, that does not concern me.

 

thank you you for the replay I now understand it better and I Hope it works good long term.