Closed

Returnil System Safe Free 2011

Last response: in Windows XP
June 27, 2011 9:44:39 PM

Has anyone ever used this program? I read the publisher's description of the product and a couple of reviews --

< http://download.cnet.com/Returnil-System-Safe-Free-2011... >

I am wondering if it is as good as they claim it is. My XP computer has about all the security I think is needed, but virtualization is a different category. I have Avira Antivir, SpyShelter, Malware Defender, and Filseclab Personal Firewall, among other things already on my XP. If anyone has used the free Returnil program, could you give us some feedback on your experience with it?

Ricochet_16
June 27, 2011 11:23:08 PM

well going by the description, it will add:
significant extra HDD space usage, probably extra background CPU and ram usage, if not background HDD usage.
Now, provided you are ok with all that, it could work great wonders for you.

That being said, I didn't use the program, so take my 2 cents with a grain of salt.
Score
0
June 28, 2011 3:14:27 AM

Yeah, I don't know. Looks like there have been a lot of downloads, but I am a little concerned that it might not work that well. I guess I wouldn't know until after I downloaded it.

Ricochet_16
Score
0
June 28, 2011 4:03:28 PM

Hello Ricochet_16 and AntiZig :) 

Quote:
I am wondering if it is as good as they claim it is. ...


This is a subjective question, but my reply will be a resounding YES! ;)  Though you have asked about the freeware version, my reply below is based on the Pro version so the entire strategy can be described for your consideration of the technology and approach overall:

Why do I say that outside of my obvious role in support of our products? The key is in the design and what the software's strategy is overall. The RSS series is not a bundled solution; rather it is designed to cover the holes in current/past PC security thinking where each component part of the software is designed to cover the inherent weaknesses in the other components with vertical layering.

1. Virtual Mode: The virtualization in RSS/RVS is system level (disk I/O focus). This means that it tracks changes made or attempted to the system and then drops those changes at restart of the computer. From a user perspective, you can do anything you want and then it all simply disappears at restart as though it never happened. This includes any malicious and/or PUP content as well as what you might consider "good" as there is no distinction regarding "changes". This is the component's strength, but the technology has some downsides that must be accounted for:

a. Virtualization cannot make decisions or present advice regarding changes
b. Virtualization can only do three things: drop all changes, save some changes, save all changes

While content/changes are removed at restart, virtualization cannot block or detect harmful content, behaviors, or tell you whether a change is good or bad. This means that malicious content can run and do what it wants to do within the virtual System (fantasy world) which can have potential consequences. It is however a seamless and efficient malware/spyware removal technology where you will not encounter potential problems due to improperly or incompletely formatted antimalware signatures - simply reboot and get back to a clean system as well as ensure a clean system over time.

2. Virus Guard/Cloud: Think of the VG as your canary in a coal mine. All security strategies need feedback on the efficacy of said strategy, but you also need an efficient warning system to tell you that potentially harmful content might be present. This is the core competency of traditional Antimalware. Where AV/AMs fail:

a. Bad signatures and potential system damage from a partial or improper removal (bad sigs to false positives and false negatives)
b. Inability to cope with industrial malware releases, 0-day content, etc: IOWs, you need to have samples in hand to create and maintain effective signatures. While heuristics and behavioral models help to expand the efficacy, independent studies over the years have painted a dismal picture of the long term viability of traditional AV technology with most showing that on average, any given AV is likely to be able to only detect 30% - 50% of all potential malware in existence at any specific point in time. This should give no one a warm fuzzy feeling of safety and highlight areas of concern in current security strategy and thinking.

Trying to cover this gap horizontally is not an effective means to close this hole as you are not able to use more than one traditional scanner in real-time mode; and even if you were, the results tend to overlap with not a great deal of gain for the loss in performance. We HAVE however designed the Virus Guard in RSS to be a team player which means that you CAN use the RSS VG in combination with most 1st and 2nd tier antivirus solutions you may be using now. This is for the following reasons:

a. Time to removal of malware is certain: Because the RSS VG is designed to work with the RSS Virtual Mode technology, it is backed up so you are certain of complete removal of malicious content even if said content goes undetected.
b. Having backup changes your real-time focus: With the Virtualization, it is assumed that the system is clean. This fact changes the real time focus of the VG to one where new content, in-coming content, etc is the major focus of scanning/detection. This also introduces a significant performance boost as RSS could care less what changes are made other than to warn you that something is afoot and give you the opportunity to restart your computer to get back to your work/play quickly with a simple restart of the computer.

3. Anti-Execute: Block what is unknown and white list what is known to be good. This is all well and good until the novice to average user needs to respond to cryptic questions or create new rules. Answer wrongly or format a bad rule and the game is up. What we have done in RSS and RVS 2011 is to make this a default deny approach with three simple settings:

a. let programs run as they will
b. Trust only known services from the real disk
c. Trust only known executables from the real disk

Our server side Artificial Intelligence and Machine learning technology (Cloud) analyzes both unknown programs AND behaviors from all participating copies of the software and then updates all clients in turn with both white and black lists for better overall performance, better user experience, and elimination of false positive/false negative issues as quickly and automatically as possible. Both the A_E and VG components are updated this way so there is less need for user intervention and no need to answer any questions or write any rules.

4. System Restore: Take your computer back in time to remove malware and/or address bad configurations changes. While on the surface this is a great idea, the approach is vulnerable to malware designed to inject itself into the Windows restore points and/or other backups and images. In RSS we currently use the native Windows Volume Shadow Copy technology but add some important extras that make it more powerful than the native Microsoft offering:

a. When a restore point, backup, or image is created, RSS will know and track these events. When you open the Full Restore section, you will be presented with a list of all RPs, BU's, and images currently on the system and available to the user.
b. Is the RP clean? The first thing that happens upon accessing the Full Restore option in the RSS System Restore feature is a deliberate scan of the first RP, etc list item. IOWs, the most recent restore point or backup is scanned for malware automatically with an option to analyze any other existing RP/backup in the same way. This is always a new scan with each access so that updated signatures are always taken into account.
c. Undo restore: RSS System Restore allows the recovery of specific files from the previous machine state if required or desired.

As to whether this is better than your current strategy I challenge you to test this and let us know what you thought of the approach and how well it works overall. We value all feedback whether good or bad as the first validates our efforts and the latter is seen as an opportunity to improve our solutions going forward.

Quote:
well going by the description, it will add:
significant extra HDD space usage...


RSS/RVS use Dynamic caching as opposed to the older techniques where a static disk cache was required. Our approach incorporates both Memory and disk so that overall disk use is efficient and minimized. IOWs, tracking begins in RAM and then moves to disk as needed. Further, the disk cache is designed to use all available free space on the System Partition whether that space be contiguous, fragmented, or neither. With older technologies, the space had to be both defragmented and contiguous which limited the total amount of space you could actually use. This provides a better user experience and significantly extends the time required between restarts to reset the cache for a new Virtual Mode session.

Though Windows may report the space as used, it is an artifact of the limitations of Windows reporting as space is only used as required to maintain the tracking of changes and is overwritten in a similar way to how the Windows pagefile is overwritten every time you restart the computer. This means that you still have the same disk space after a restart as you had when the Virtual Mode was activated minus any specific changes you purposely save to the real disk.

Quote:
...probably extra background CPU and ram usage...


Not at all. The actual space used within RAM is amazingly small and very efficient as far as performance goes. The only slowing you might see is at the low end of the performance scale with commodity systems that are already performance challenged without adding an AV for example. Give it a try as stand-alone and with various other security solutions you may wish to use to see how well it performs overall.

Quote:
... if not background HDD usage....


The disk use is going to remain the same as the only thing that is changing is within the cache/Virtual System and not the real disk. Turn off the Virtualization and your reported disk use will be the same as it was prior to using the virtualization. While using the VM, space WILL be used in the cache, but that space will return at restart with the reset of the cache and at the extreme end where there is no space available in the cache, a simple restart will get you back to normal use quickly.

Quote:
Yeah, I don't know. Looks like there have been a lot of downloads, but I am a little concerned that it might not work that well. I guess I wouldn't know until after I downloaded it.


Kick the tires HARD! You cannot really get a grasp of the information I have provided above until you see what RSS 2011 can do for yourself.

With Kind Regards
Mike
Returnil Support

PS: More information is available should you like to review the extensive number of questions and discussions at our official on-line support forums at Wilders Security: http://www.wilderssecurity.com/forumdisplay.php?f=100

Score
0
June 28, 2011 5:03:44 PM

well, thanks for the sales pitch. You did give quite a lot of more detailed information, but I'm still standing by my opinion, you didn't refute any of it, you just stated that those usages will be minimal.
Score
0
June 28, 2011 5:59:03 PM

Hi AntiZig,
I wasn't trying for a sales pitch, just trying to answer the questions/statements with as much detail and transparency as possible given the questions themselves. I hope you try RSS and see what it can do for yourself as words are just that - words until they are put to the test...

Mike
Score
0
June 28, 2011 7:26:21 PM

I personally feel the same way, if you think the software might work for you try it, but that's up to the OP to try it out.

I do not have any need for such program at the moment, but it's nice to have something in mind if I ever do find a need for such application.
Score
0
June 29, 2011 4:40:05 AM

Thanks, Mike, for taking the time to explain it to us in such detail. I still don't understand all of it, but more than I did when I posted the question. It seems better than Microsoft's startup mode to use the last known good configuration, or the restore function to an earlier time, to correct problems. Let me see if I understand, if you get a virus while in virtualization mode, just restart and your system will return to the state before the virus was introduced. Is that correct? And, any changes that the user makes intentionally, such as new downloads, deletions, registry, virus removals, or other changes while using virtual mode will remain upon restart? And, conversely, any changes made by a virus that remains uncorrected will be undone upon restart?

Ricochet_16
Score
0
June 29, 2011 4:57:50 AM

I just read Returnil description on CNET downloads -----" When an infection is found, our system restore feature will automatically find an earlier version of your infected file which is clean, so your data loss is minimized. Returnil virtualization technology clones a computer's System Partition and boots the PC into this system rather than native Windows, allowing you run your applications in a completely isolated and secure environment. All activity is then performed within the virtual environment, ensuring that the operating system itself cannot be compromised by viruses, other malicious software, bad installations or user error." --- which kind of answers my previous question.

On both my Win XP and 7 computers I have the Vidalia/Tor Network, as an extension to my cable internet network. Would that affect or restrict the usage of RSS?

Ricochet_16
Score
0
June 29, 2011 5:16:32 AM

I just downloaded Returnil and noticed that there is a Virus Guard. Should I disable Real-Time Protection, since Microsoft Security Essentials and Panda Cloud Antivirus are currently protecting my computer? Would there be an incompatibility issue with that additional protection? Prior to downloading it, I thought the Virtual Mode was the only part of it.

Ricochet_16
Score
0

Best solution

June 29, 2011 3:25:53 PM

Quote:
...I still don't understand all of it, but more than I did when I posted the question....


The key to understanding what the software is working to achieve is the concept of "Time-to-removal" of malware with a layered security approach rather than the traditional focus of detect and attack. RSS is designed to have multiple layers that work together towards the goal of minimizing exposure to malware regardless of whether it is detected outright.

The most direct example would be something like what happened with the old Rustock.C. It was in the wild for over a year before a real sample was found and analyzed by researchers with an additional period of time needed to complete the analysis, signatures created, and then having the sigs tested before release. Up to that time, the malware simply existed and did what it was designed to do while going undetected.

With a layered strategy with virtualization however, the malware itself would have survived only until the next restart of the computer and thus significantly reduce the user's overall exposure time to that infected boot session rather than for an extended period of time that could have been upwards of a year.

Quote:
...Let me see if I understand, if you get a virus while in virtualization mode, just restart and your system will return to the state before the virus was introduced. ...


Yes, this is the main focus of the Virtual Mode feature: seamless removal of malicious and/or potentially unwanted programs (PUPs) even if they go undetected by real-time monitoring or unblocked for any reason through HIPS, A_E, etc.

Quote:
...And, any changes that the user makes intentionally, such as new downloads, deletions, registry, virus removals, or other changes while using virtual mode will remain upon restart?...


Be careful here, RSS/RVS do not use exclusions while in Virtual Mode except for the RVS Lite series which is designed for a completely different type of network environment than the 3x versions. In RSS, you need to define what is to be saved using the File Manager OR storage of the content on a non-system disk or partition. What does this mean?

First, the File Manager is only available in the paid versions (Pro) and is more secure by default than simple exclusions. What it does is to enforce the Virtual Mode for that content and only release the virtualization for the short period where the changes are being saved to the real disk. Immediately following the save to disk, the content is again returned to the protection of the Virtual Mode feature. In the exclusions approach, content is simply left un-virtualized which means it can be exploited, no matter how difficult that would be to pull off for whatever reason. In the FM approach, that content is protected, locked by the save process, then re-protected without gap...

In the free version of RSS, the File Manager is not available (premium feature), but you can still save your downloads and data while virtualized by saving it to a non-system disk.

EX's:
1. Data drive D:\
2. USB backup drive F:\
3. Returnil Virtual Disk Z:\: This is included in all versions and is a convenience feature that creates a large, empty file with special properties that forces Windows to see it as another disk or disk partition attached to your computer when it is mounted (read: opened for use). You can store data, files, etc within the VD which can only be mounted by a copy of RSS/RVS so the contents remain non-accessible until you actually open (mount) the VD.

Of note: We strongly recommend that this be used as temporary storage as it is really just a file and files can become corrupted over time for any number of reasons so it is good to explore saving of important data to backup or dedicated data partitions (real).

In the Paid versions, the File Manager has an autosave option that will automatically save all changes to the real disk at the intervals you configure from every 1 minute - 24 hours and at account log-off and/or computer shutdown. With Windows Vista and Win 7, we recommend using the intervals rather than the @log-off/shutdown if you have very large changes or a large number of changes to save to the real disk due to the time that this might take to complete (ref: user may think the program has frozen due to the terminate or continue message the OS delivers when there is something delaying the shutdown of the computer).

In general, and to more specifically answer your question here without the side notes above, the Virtual Mode will return your System to the state it was in when you activated the VM at restart. So if you had a malware present when you activated the VM you might actually see what I like to call the bouncing ball issue. You enter Virtual Mode infected then remove that malware while virtualized. What happens here is that the malware is only removed from the virtual system while still remaining on the real system and a restart of the computer would cause that malware to persist.

This is specific to other AV's and/or AM's you may be using with RSS at the same time. Of note here is the fact that when you activate the Virtual Mode, Returnil takes control of the real disk and can actually access the real disk when required. This means:

1. RSS/RVS can save content to the real disk
2. The Virus Guard in RSS can also access the real disk. As this feature can perform like a traditional AV with its own internal removal engine, you can use it to remove detected malware on the real system even while in Virtual Mode...

Quote:
...And, conversely, any changes made by a virus that remains uncorrected will be undone upon restart? ...


IF the malware infects the Virtual System only, then it would be gone at restart of the computer as expected. For malware on the real system, refer to the previous information above.

Quote:
...On both my Win XP and 7 computers I have the Vidalia/Tor Network, as an extension to my cable internet network. Would that affect or restrict the usage of RSS?


Not at all. RSS does not care about your browsing or how you do that browsing. The only things to be aware of are with the Virus guard and the Anti-Execute (Virtual Mode > Settings > Additional Protection Options):

1. The VG might detect malware as it is downloaded to your computer and react
2. Depending on your A_E setting, some content on websites might be blocked as untrusted/unknown content. As there are only three settings to experiment with, you should be able to configure the A_E to your own preferences/comfort level quickly.

Quote:
I just downloaded Returnil and noticed that there is a Virus Guard. Should I disable Real-Time Protection, since Microsoft Security Essentials and Panda Cloud Antivirus are currently protecting my computer? Would there be an incompatibility issue with that additional protection?...


No need. We have designed the Virus Guard as a team player that is compatible with most 1st and 2nd tier AV's and we regularly test against both MSE and Panda in our QC labs. The reason they are compatible is due to what the focus of the VG actually is and how it can work with both virtual and real systems. The former focus is on new content introduced, created, or connected to the system at any given time and the latter is a special case where the RSS VG actually works like a mobile AV doing a scan from outside the system.

To make that last a bit easier to conceptualize, think of it this way: You have a computer that is infected and need to clean it before you can actually get it to boot up. What do you do? One common technique is to slave the drive and clean it from a different computer or use a Linux/Win boot disk to do the same thing on the computer itself. While RSS DOES NOT use an alternate boot OS, it simulates this in Virtual Mode by creating the Virtual System while the Real System is kept static. As RSS controls the disk, it can then scan/clean the Real disk from a simulated "outside" which makes the removal process that much easier to accomplish.

Quote:
...Prior to downloading it, I thought the Virtual Mode was the only part of it.


Think of RSS as a vertical layered security solution. It has Virtualization, Antimalware, Anti-Execute, and System Restore features designed to work with one another to create a stand-alone strategy. It is not limited to this role as it can also be used as part of a larger overall strategy if required. Those looking for just the virtualization feature can explore the RVS Pro 2011 and RVS Lite 2011 versions as they were designed specifically to be part of a layered strategy rather than an all-in-one type of approach that is the RSS Pro 2011 version.

Mike
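The Virtual Mode behaviour described in this thread (changes dropped at restart, the "bouncing ball" case, saving to a non-system disk), sketched as a toy model. This is an added example, not part of the thread and not Returnil's code; the class, its methods and the sample paths are hypothetical, and it assumes Virtual Mode stays active across a restart.

```python
# Added illustration: a toy model of reboot-to-restore disk virtualization.
# Not Returnil's code; class, method and path names are hypothetical.

_DELETED = object()  # tombstone for a path deleted inside the virtual session


class VirtualizedDisk:
    def __init__(self, real_files, system_drive="C:"):
        self.real = dict(real_files)        # persistent contents of all disks
        self.system_drive = system_drive.upper()
        self.cache = None                   # None means Virtual Mode is off

    def _virtualized(self, path):
        # Only the system partition is redirected, and only while active.
        return (self.cache is not None
                and path.upper().startswith(self.system_drive))

    def activate(self):
        self.cache = {}

    def write(self, path, data):
        if self._virtualized(path):
            self.cache[path] = data         # change tracked in the cache only
        else:
            self.real[path] = data          # non-system disk: persistent

    def delete(self, path):
        if self._virtualized(path):
            self.cache[path] = _DELETED     # real copy is left untouched
        else:
            self.real.pop(path, None)

    def exists(self, path):
        if self._virtualized(path) and path in self.cache:
            return self.cache[path] is not _DELETED
        return path in self.real

    def restart(self):
        # Assumption: the cache is reset and a fresh virtual session begins.
        if self.cache is not None:
            self.cache = {}

    def clean_real_disk(self, path):
        # Models a removal that reaches the real disk during Virtual Mode.
        self.real.pop(path, None)
        if self.cache is not None:
            self.cache.pop(path, None)


MALWARE = r"C:\Windows\system32\evil.sys"   # constructed sample path


def infection_during_session():
    """Malware that arrives while virtualized is gone after a restart."""
    disk = VirtualizedDisk({r"C:\Windows\notepad.exe": b"ok"})
    disk.activate()
    disk.write(MALWARE, b"payload")
    seen_in_session = disk.exists(MALWARE)
    disk.restart()
    return seen_in_session, disk.exists(MALWARE)


def bouncing_ball():
    """Malware present before activation survives a virtual-only removal."""
    disk = VirtualizedDisk({MALWARE: b"payload"})
    disk.activate()
    disk.delete(MALWARE)                    # removal inside the virtual system
    after_virtual_removal = disk.exists(MALWARE)
    disk.restart()
    after_restart = disk.exists(MALWARE)    # it is back
    disk.clean_real_disk(MALWARE)           # removal applied to the real disk
    disk.restart()
    return after_virtual_removal, after_restart, disk.exists(MALWARE)


def save_to_data_disk():
    """Data written to a non-system disk persists; system-drive data does not."""
    disk = VirtualizedDisk({})
    disk.activate()
    disk.write(r"D:\downloads\report.pdf", b"data")
    disk.write(r"C:\Users\me\report.pdf", b"data")
    disk.restart()
    return (disk.exists(r"D:\downloads\report.pdf"),
            disk.exists(r"C:\Users\me\report.pdf"))


if __name__ == "__main__":
    print(infection_during_session())
    print(bouncing_ball())
    print(save_to_data_disk())
```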
June 29, 2011 3:31:57 PM

Mike, I would like you to clarify a few more things. To save any program or file to the real disk drive while using the free program, the Virtual Mode would have to be closed, correct? So, remaining in the Virtual Mode of the free version would only be useful for surfing without saving anything. And, with the paid versions, Lite or Pro, you would have access to the File Management that would allow you to save anything to the real disk while in Virtual Mode, is that correct? And, would the one fee for the Lite version cover licenses for two or three home computers, or would one have to purchase the Pro for that? I am now using the registered free version, and was having difficulty reconnecting to the internet when I restarted my computer. Neither the TOR nor my wireless connection through my cable would connect until I did a second reboot. The first time, I stopped the Virtual Mode before shutting down my computer, instead of letting all the programs shut down automatically. Could that have been the problem? Everything seems to be working alright now. If a virus had made changes while in Virtual Mode, would it matter how Virtual Mode was shut down when my computer was rebooted back to the real disk?

Until I hear from you, I am going to run Returnil without the Virus Guard Real-Time Protection. In addition to my antivirus protection, I have Trusteer Rapport website protection on my Win 7, and Spy Shelter on my XP, to prevent keylogging. I think now I am a bit top-heavy on protection, haha.

Ricochet_16


Score
0
June 29, 2011 4:51:00 PM

Quote:
...To save any program or file to the real disk drive while using the free program, the Virtual Mode would have to be closed, correct?...


Yes and no. If you need to make changes to the Real System partition, then yes, you would need to release the Virtual Mode in the free version. You can however use the Virtual Disk (inc. in the free version) or save that content to a non-system disk (anything other than your C:\ drive IOWs).

Quote:
...So, remaining in the Virtual Mode of the free version would only be useful for surfing without saving anything....


Not necessarily, see previous replies regarding strategies and where you can save data. Also, any mobile applications (does not require a restart to install) can be tested while in Virtual Mode and then removed with a restart.

Quote:
...And, with the paid versions, Lite or Pro, you would have access to the File Management that would allow you to save anything to the real disk while in Virtual Mode, is that correct?...


In the Pro series only. In the Lite series you have access to traditional exclusions and multi-disk virtualization as well. The reason that exclusions are used in the lite series is due to the fact that it does not have services where things can be scheduled and also because it is targeted at inner-ring and/or highly secured networks with little or no outside access. In this application it is assumed that these types of networks are inherently more static/secure with little need for saving changes regularly. This is why its remote management capabilities are LAN based whereas the Pro versions are managed remotely in networks through the Internet.

Quote:
...And, would the one fee for the Lite version cover licenses for two or three home computers, or would one have to purchase the Pro for that?...


The only series with a free version is RSS 2011 which is the successor to the older RVS 2010 versions. The RVS Pro and RVS Lite versions are only available in premium paid versions. Further, the Lite series has a 5 seat minimum whereas the RVS Pro series can be purchased in single units as is also true for the RSS Pro versions.

We do have some deals available through direct contact regarding promotional licensing configurations as you are suggesting. Simply send us a direct inquiry and we can assist you further with that type of purchase (support (dash) tech (at) returnil (dot) com).

Quote:
... I am now using the registered free version, and was having difficulty reconnecting to the internet when I restarted my computer. Neither the TOR nor my wireless connection through my cable would connect until I did a second reboot. ...


This is a strange report and not expected. Are you using dynamic certificates or some type of token access to TOR and/or your cable ISP? If not, are you using a proxy or gateway server to access the Internet? If the latter, open preferences > Communications tab and configure the appropriate information to connect through your gateway.

Quote:
The first time, I stopped the Virtual Mode before shutting down my computer, instead of letting all the programs shut down automatically.


This report was why I asked about dynamic certificates as there is a known issue where a setup using client/server certificates can become de-synchronized if the server updates the certificate on the client while the client is virtualized which then causes the client to revert to the older certificate in place when the Virtual Mode was first activated. This then causes the client to be seen as intruder by the server incorrectly.

The fastest work-around for that particular scenario is to release the virtual mode then reset the certificate server so it updates the client which can then reconnect to the network properly.

Quote:
Everything seems to be working alright now. If a virus had made changes while in Virtual Mode, would it matter how Virtual Mode was shut down when my computer was rebooted back to the real disk?


How the computer is forced to restart will not have any effect on the real disk other than if you were attempting to apply changes to the real disk when this happened. All that would happen here though is that the computer would simply restart in the state it was in when the Virtual Mode was activated (Ex: power outage).

Quote:
Until I hear from you, I am going to run Returnil without the Virus Guard Real-Time Protection.


One thing to note here that you should be aware of in the current release build. There is a bug in the Cloud protection portion of the Virus Guard that will continue to download new updates specific to our own AM technology. This does not include the signatures for the Frisk engine related portion, but only to our own internal updates which come from our server side artificial intelligence/machine learning technology. This means you will most likely see connection attempts in your firewall and successful update messages coming from RSS itself. We should have this fixed in the coming REL 14 release build.

With these updates, the VG is configured by default to perform a re-scan using the Quick Scan option. You can turn the re-scan off and save CPU cycles in Virus Guard > Settings > Advanced section.

Mike
Score
0
July 1, 2011 2:03:52 AM

Thanks for the information. I am beginning to understand it a little better now, but I believe Returnil is best used by advanced users. I used a similar program several years ago, a type of sandbox that you would use to run browser programs in a virtual environment, but that program caused my Internet Explorer to freeze and I lost connectivity from the internet. There have been advances for those types of programs since then. You asked me how I connect to the internet now. I use a router connected to a cable network, then a wireless connection to that, and then Vidalia automatically connects me to the TOR Network. The TOR network prevents websites from locating my computer in the network, because my address keeps bouncing all over the globe through a network of volunteers.

Ricochet_16
Score
0
July 1, 2011 2:10:54 AM

Best answer selected by Ricochet_16.
Score
0
July 1, 2011 2:21:58 AM

This topic has been closed by Area51reopened
Score
0