What is the "antivirus" for?

Discussion in 'General Returnil discussions' started by fuquen, Jan 9, 2010.

Thread Status:
Not open for further replies.
  1. fuquen

    fuquen Registered Member

    Joined:
    Jan 3, 2010
    Posts:
    95
    Within the Returnil Virtual System Home 2010,
    there is an ANTIVIRUS SOFTWARE.

    Question:
    1.
    Is it for protecting Returnil Virtual System?
    And so also for the virtual partition?
    2.
    Will this ANTIVIRUS SOFTWARE conflict with
    other software of a similar classification?
    3.
    If the answer to question 2 above is positive,
    how can this be avoided?

    Thank you!
     
    Last edited: Jan 9, 2010
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    fuquen:

    1. It's really for standard realtime/demand protection - think of it as an embedded standard AV for conventional coverage.
    2. I've not seen that occur in my experience, but if you choose to run an alternate AV, I would recommend that realtime monitoring be disabled. The reason for this is not so much related to possible conflict but avoidance of duplication of coverage. Note - the demand scanning capabilities are still available.

    Blue
     
  3. fuquen

    fuquen Registered Member

    Joined:
    Jan 3, 2010
    Posts:
    95
    Blue:

    Thank you!

    Really appreciate your explanations and recommendation.
    Thanks again!
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The Virus Guard (and the AI/machine learning engine/distributed immunity when ready) is for both self (RVS) and user protection, especially against malware that is designed to circumvent virtualization.

    The design behind RVS is to enforce accelerated "time to removal" rather than detection AND THEN removal of malicious and/or potentially unwanted content. To do this, the virtualization is the key component that keeps the system clean over time regardless of whether the content is detected.

    Ex:

    1. 2 systems with the same specs, OS, and installed software (except as noted)
    2. System 1 has RVS 2010 installed with System Safe "always on" and Virus Guard active
    3. System 2 has a traditional security lineup (simplified for this example) of a top tier AV/AS, software firewall, and a supplemental on-demand scanner of some type.
    4. Both encounter a new "zero-day" malware that is unknown to any installed AV or AS

    Let's further assume both computers become infected. For the system in #2, the malware will persist until the scanners are updated to detect AND remove the infection, whereas #1 with RVS virtualization always on will be clean after the computer is restarted regardless of whether the user even suspects an infection.

    Mike
     
  5. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    71
    But wouldn't this be true for system #1 even if the Virus Scan were not on? The beauty of RVS virtualization is that whatever bad stuff gets onto the computer while Returnil's System Safe is active will be flushed upon reboot, yes?
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    In ~99.9% of the cases, yes. There is however a small subset of families that were designed to circumvent virtualization. In the past, when a new example was discovered, a new RVS would be released that was hardened against it. This becomes impractical in the long run.

    With this said, it is also important to remember that ISR (Instant System Recovery) can only do three things:

    1. Drop all changes
    2. Save some changes
    3. Save all changes

    It cannot distinguish between what is good, bad, or indeterminate. Further, ISR cannot stop the activation of malicious content. This means that while the real system is kept clean, you may have an infection that is undetected while working in the virtual environment. The RVS VG is there to provide a means to warn the user that the malware is present, thus reducing the time to removal of said malware.

    Mike
     
  7. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    71
    Thanks, Mike, for your quick and helpful response. However, I thought that my regular apps--including security apps--will work in the RVS virtual environment. If that's the case, why wouldn't my regular AV app or an app like Malwarebytes' Anti-Malware Pro detect baddies just as well as F-Prot (and without F-Prot's love of false positives :D )?
     
  8. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The goal is to eventually reduce the number of security solutions you think you need to what you actually need. Though you are correct in what you are saying, there is also a performance hit you will have to take by using multiple apps. RVS is designed to reduce that while improving your overall computer experience.

    For example, on a new 64bit system I have, I only use the built in Windows features (Firewall and Windows Defender) with the latest version of RVS 2010...

    Mike
     
  9. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    71
    Thanks once again, Mike. I'm glad to know that my understanding was correct. I agree that my system is likely to take a performance hit if I have too many security apps running at the same time, especially two antivirus programs. However, for me the answer is to disable RVS's F-Prot, which I have found to be very prone to false positives, and to depend instead on the antivirus program that has served me well for several years. Of course, if F-Prot works more reliably on your system, and if you're keeping Returnil on all the time, I can see how the arrangement you describe would also work well.
     
  10. fuquen

    fuquen Registered Member

    Joined:
    Jan 3, 2010
    Posts:
    95
    Coldmoon and cyberdiva:

    Thank you, both of you, very much for the informative discussions!
    Fuquen
     