Zo said:
Just curious, is anyone using this one? Appreciate any user feedback.
Thanks.
http://www.returnilvirtualsystem.com/products#compare
The free version of Returnil System Safe is free and necessary
antivirus protection for every home PC user.
That's stretching the truth. While it's not a bad AV product, there are
better, like Avast and Avira. I'd suggest disabling their AV component
and using your preferred AV solution.
Anti-malware and anti-spyware
Necessary real-time and on demand protection against viruses and
spyware for all PC users
All changes made to the hard disk (the partition for the OS) are
virtualized. All the other hardware is real, so it's not as slow as
using a virtual machine to test unknown software. When you reboot, all
changes are gone (since they were never made onto the real hard disk).
So while a reboot will restore your host back to the state it was in
before you used their Safe Mode (disk virtualization), that doesn't
preclude a keylogger sending out info while in safe mode. If you
install or get infected by a keylogger while in RSS safe mode, it can
send out whatever it wants. It will have access to the keyboard and to
any files in your file system. The same happens inside a sandbox (with
perhaps an option to configure the sandbox to block access to anywhere
but select folders in the file system). A virtual machine has its own
separate file system but a keylogger can still send whatever you type
inside a VM along with accessing any files inside that VM's file system.
Without the restrictions of a VM, Returnil lets you run at native speed
because you're using the real hardware. Its "magic" is that anything
that got onto your host, like malware, or any ****ups made by someone
you let use your host, is discarded when you reboot the host. So you can
get messy, reboot, and be back to the way it was before.
Virtual Mode
Keeps you safer with an extra layer of protection while browsing the
web or running unknown applications
Well, "extra" only if you consider using their AV component. I
continued using Avast and disabled their AV component. So I don't
consider the disk I/O virtualization as extra protection. In fact, it
is (to me and many others) the primary protection afforded by this
security product. The whole point of disk virtualization is to isolate
any changes made to the file system (and remember that the registry is
just .dat files) and then discard them to revert your host back to a
prior state.
Cloud-based protection
Utilize the community to find and clean virus infections sooner
Yeah, cloud-based stuff, woo hoo. I don't think that helps solve any
infection faster on your own host. It helps them determine patterns in
infections and possibly help update their heuristics.
I've trialed Returnil System Safe (freeware version) several times.
Nice idea but has some flaws. First, I wouldn't bother with their
Anti-Virus component (which expires after the trial period, anyway).
Just disable it after the install. Second, if your host goes
unresponsive at times, check Task Manager to see if rvsmon.exe is
consuming gobs of CPU time. In each trial over several years, I've been
hit with the high CPU usage that lasts for a minute or two (and it's not
the AV update because that's disabled). Eventually I can't stand the
repeated unresponsiveness of my host and have to uninstall Returnil.
Maybe it doesn't hit all their users but enough complain about it, and
many times the typical response is to uninstall the old version and hope
the new version fixes the problem - which is really to say that they
have not specifically addressed this problem and just hope that some
changes they made might circumvent it.
As far as protecting your host, it seems to be just as effective as using a
virtual machine (which I do use). A VM and this product (disk
virtualization) are good ways to test unknown and untrusted software
(besides those that want to wipe all changes on their drive, like
cookies, index.dat, remnant registry entries, etc). Unlike using a VM
that emulates all hardware except the CPU, Returnil just virtualizes all
disk I/O (to discard all changes on a reboot) so you still have access
to your real hardware which is needed, for example, if you want to play
a game or test a video editor while the disk is virtualized.
If it weren't for the problem of smacking my CPU to over 80% for a
minute at repeated times, I'd still be using it. However, I use
Returnil as a test platform so I'm not using that often. Some folks
using it like SteadyState and have it active on every boot so on a
reboot all changes are discarded, something handy when doling a host
over to a kid or giving your machine public access.
Returnil will disable the defrag API in Windows so you don't
accidentally (like with a scheduled event in Task Scheduler) happen to
defrag the virtual disk. There's no point since all those changes are
going to disappear when you reboot, anyway. Same for using some other
AV program, like Avast, in that, yes, they may tell you that you just
got infected with that new download and install but anything they do to
disinfect or eradicate or quarantine the pest is of no value. You get
told about the pest, but remember that when you reboot, the pest and
anything the AV program did will be undone. Returnil also protects the
MBR so rootkits won't survive the reboot. Of course, any changes you
make to your documents won't survive the reboot, either. If you have
another drive (in a different partition on the same hard disk or in a
partition on a different hard disk), you can save your changed docs over
there. It has a virtual drive it creates that will retain its state on
the reboot where you can save your changed docs but then having a
partition separate somewhere else from the OS partition that Returnil is
protecting works just as well and you're not relying on Returnil's
functionality.
I use a VM to test unknown/untrusted software. The next step would be
to use Returnil to protect my OS partition while testing the unknown
software but have access to the real hardware, plus Returnil's
virtualized disk I/O is pretty fast (you won't notice much impact)
compared to how slow everything runs inside a VM. The next step would
be to use a sandbox in which to run the unknown software. And lastly
would be to run it unvirtualized and unsandboxed after you decided you
wanted to keep the software and it hasn't misbehaved so far, and during
all those tests you can still use your security software to monitor the
operation of that unknown software; however, I don't bother in the VM
since I want the software to be free to exercise any nastiness so I can
see it in action whereas security software might mask the program from
misbehaving.
If they'd just fix that damn sporadic high CPU usage problem then I'd
keep it around. I'd only use it for testing so I don't configure it to
activate on every Windows startup. If you're handing your computer over
to someone else, Returnil lets them play with it but on a reboot
whatever they did is all gone. Note that installing anything that
requires a reboot to complete means that the partial install will
disappear. A reboot discards all changes that went to the virtualized
disk. They say they're working on saving state between reboots but
still give you the opportunity to reboot and wipe back to a prior state
but they've been saying that for a couple years.
Since this is installing a kernel-mode driver and probably some other
stuff, I'd suggest saving an image of your OS partition on a different
hard disk or removable media before going forward to trial any product
that digs into your OS to protect it.
Rather than virtualizing the machine (all the hardware except the CPU)
as with virtual machines, Returnil just virtualizes all the disk I/O.
All changes go to a virtual disk, not to the real disk. Just the
changes go to the virtual disk. It's not a clone of your drive. On a
reboot, the virtual disk is discarded. You can choose to wipe the
remnants in that virtual disk file when you reboot but that takes a while
and will severely slow the time to boot into Windows; however, if you're
a paranoid type then there is this option (and, of course, if you're
that type then you should've already been severely slowing the shutdown
of Windows by having it wipe its pagefile on shutdown, too).
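As an added illustration (a simplified model constructed for this thread, not Returnil's own code), here is the copy-on-write idea the post describes: only the changed blocks go into an overlay rather than a clone of the drive, reads check the overlay first, a reboot discards it (optionally zeroing it first), and a document saved on a separate unprotected partition survives while the copy on the protected OS partition does not:

```python
BLOCK = 16  # bytes per block; constructed, arbitrary size for the illustration
class VirtualizedDisk:
    """Copy-on-write model of one partition: with protection on, every write is
    redirected into an overlay that holds only the changed blocks (not a clone
    of the drive); reads prefer the overlay; a reboot discards the overlay."""

    def __init__(self, base_image: bytes, protected: bool = True):
        self.base = bytearray(base_image)  # the real on-disk data
        self.overlay = {}                  # block index -> modified copy of that block
        self.protected = protected         # True = "Virtual Mode" active

    def write(self, offset: int, data: bytes) -> None:
        for i, byte in enumerate(data):
            pos = offset + i
            if not self.protected:
                self.base[pos] = byte      # unprotected partition: changes are real
                continue
            blk, off = divmod(pos, BLOCK)
            # first touch of a block copies it into the overlay; later writes hit the copy
            chunk = self.overlay.setdefault(
                blk, bytearray(self.base[blk * BLOCK:(blk + 1) * BLOCK]))
            chunk[off] = byte

    def read(self, offset: int, length: int) -> bytes:
        out = bytearray()
        for pos in range(offset, offset + length):
            blk, off = divmod(pos, BLOCK)
            out.append(self.overlay[blk][off] if blk in self.overlay else self.base[pos])
        return bytes(out)

    def reboot(self, wipe_remnants: bool = False) -> int:
        """Discard the overlay; optionally zero it first (the slow 'wipe' option)."""
        discarded = len(self.overlay)
        if wipe_remnants:
            for chunk in self.overlay.values():
                chunk[:] = bytes(len(chunk))
        self.overlay.clear()
        return discarded

def session() -> dict:
    """Constructed scenario: a protected OS partition and an unprotected data partition."""
    os_part = VirtualizedDisk(b"MBR-BOOTCODE...." + bytes(48))   # constructed 64-byte image
    data_part = VirtualizedDisk(bytes(64), protected=False)     # separate, unprotected partition
    os_part.write(0, b"JUNK")            # unwanted change to the boot area
    os_part.write(32, b"report.doc")     # a document saved on the protected partition
    data_part.write(0, b"report.doc")    # the same document saved elsewhere
    seen = os_part.read(0, 4)            # during the session the change is visible
    touched = os_part.reboot(wipe_remnants=True)
    return {"during": seen, "boot_after": os_part.read(0, 4), "blocks_discarded": touched,
            "doc_os_after": os_part.read(32, 10), "doc_data_after": data_part.read(0, 10)}
```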