
Returnil vs. Faronics Deep Freeze



#1 Becky99

Posted 17 September 2010 - 02:19 PM

Hi all -- I'm looking for a little added peace of mind as I will shortly be doing a clean install of my OS. I came across these 2 products (both the same price) -- Faronics Deep Freeze and Returnil Pro. The former is a "System Lockdown" & the latter a system "Virtualization," both with nearly the same intentions using very different methods. My intention is to guard against/make things more difficult for hacking attempts. Any thoughts/comments would be greatly appreciated. Thanks! :thumbsup:

#2 RVS_MikeW

    Authorized Returnil Representative

Posted 21 September 2010 - 08:25 PM

> Hi all -- I'm looking for a little added peace of mind as I will shortly be doing a clean install of my OS. I came across these 2 products (both the same price) -- Faronics Deep Freeze and Returnil Pro. The former is a "System Lockdown" & the latter a system "Virtualization," both with nearly the same intentions using very different methods. My intention is to guard against/make things more difficult for hacking attempts. Any thoughts/comments would be greatly appreciated. Thanks! :thumbsup:


Hi Becky99,
The choice really depends on your overall strategy. With that said, let me try to explain what Returnil System Safe is and what it does. Both RSS and DF virtualize your computer at the disk level rather than the Windows file system level. IOW, both RSS and DF place Windows in a fantasy world and any attempts to save content to the real disk where Windows is installed are not allowed. Restart your computer and all changes simply disappear (are lost).

DF provides this type of virtualization for non-system disks (data drive D:\, etc.) whereas RSS Pro does not yet provide this feature. It is available in our RVS Lite 2011 series, which I will explain a bit more further on in this reply.

The major difference between RSS and DF is that RSS is already a layered security solution whereas DF is a single component of a layered security strategy. This is why it is difficult to compare them directly, other than as I describe above for the virtualization aspect (Virtual Mode in RSS/RVS). RSS Pro also has the following components which are not simply piled on, but specifically designed to cover the weaknesses in the other components:

1. Virus Guard with Cloud updates: full featured Antivirus solution that is designed to work as both a traditional AV when required and as a warning system while in Virtual Mode. When the system is virtualized, the risk of infection comes from the ability to make changes to Windows or other sensitive areas of the disk like the MBR so the real time monitor only needs to watch new content. Get a warning and simply restart the computer and the malware is gone. While this is also true for DF, it does not have the ability to detect or block malicious content without help from other programs.

2. Anti-execute: If it can't execute, it can't infect. To make it easier to use effectively we have refined it to allow only three choices - let programs run as they will, allow only known services to run, or only allow known content that already exists on the real disk to run. IOW, allow it or don't, with some flexibility.

3. System Restore: restore damaged/infected system files or the entire system when required.

RVS Lite 2011 is more like DeepFreeze as it is a strict virtualization solution, provides multi-disk virtualization, and like DF, targets a similar customer base. It is designed to be part of an intelligent layered approach and so comes from a security focus rather than the restore solution perspective that is part of the DF legacy.

I hope this reply helps and suggest you not take what I say at face value; rather, try them all and get a feel for which program best fits your strategy.

With Kind Regards
Mike
Returnil Support

#3 Becky99

Posted 22 September 2010 - 04:22 AM

Wow Mike -- You guys get an A+ for Customer Service (unsolicited - that's a first). I'm not too worried about data loss as I do daily backups (and system backups) every few days.

However, I do have one pressing question -- what does your program do to prevent a hacker gaining entry while I'm on the computer 12-14 hrs/day and during that time (assuming they slip by your virus analyzer) altering the registry keys of your program so that it changes its behavior and (in the worst hypothetical situation) allows writing to my disk/system files while I'm thinking I'm in virtual land within the safe confines of Returnil?

An improbable situation I admit (if using intelligent password management), but nonetheless I would need to know this before buying. Also, do you offer a free trial (I'd even be happy with 7 days)? Thanks so much for your kind and thoughtful reply! I hope that level of customer service will continue after you've pocketed my cash! Bye, -- B

#4 RVS_MikeW

    Authorized Returnil Representative

Posted 22 September 2010 - 10:36 AM

> However, I do have one pressing question -- what does your program do to prevent a hacker gaining entry while I'm on the computer 12-14 hrs/day and during that time (assuming they slip by your virus analyzer) altering the registry keys of your program so that it changes its behavior and (in the worst hypothetical situation) allows writing to my disk/system files while I'm thinking I'm in virtual land within the safe confines of Returnil?


Good question :thumbsup:

To answer it however, we need to look at the weaknesses of traditional approaches and how RSS addresses them:

1. AV/AS/AM - The most important and relevant feature of these programs is their ability to detect malicious and potentially unwanted content. It is their core competency, but they often fail due to the fact that even using advanced heuristics or other technologies, some content will go undetected. This is because they are based on a blacklisting approach that requires the developer to have a sample of the content in hand, investigate what the program does and does not do, determine if it is malicious or not, test the removal procedure in the lab, and then beta test in the field before a completely effective "signature" can be created to remove the content. This leaves a system open and allows the malicious content to do whatever it does for an extended period of time before it can be remediated.

In some cases, the remediation can be partial or even ineffective if a new variant of the content is released in response to an update in the scanning technology. IOW - AV's tend to be behind the 8-ball most of the time. With this said however, a strategy must have some form of feedback as to the efficacy of that strategy. While using a boot-to-restore solution will almost always return the system to a clean state with a restart of the computer, that content may be allowed to persist for long periods of time depending on how often the computer is restarted.

The Virus Guard in RSS 2011 works to minimize this time by providing a warning of its existence and allowing the user to simply restart their computer and remove the malware quickly. In RSS we supplement this using our server-side (Cloud) Artificial Intelligence and machine learning technology (AIM) that collects malware samples and behavioral data from all participating RSS users to provide:

A. Fast updates to all clients to address 0-day malware
B. Reduced false positive and false negative detections
C. The foundation step towards our plans to introduce true Distributed Immunity by adding the AIM technology at the client level to get ahead of a new malware outbreak and stop it in its tracks before it has a chance to get out of the network and to stop it from spreading within the network.

As described above however, detection has its weaknesses so we back this up through:

A. Virtual Mode with automatic MBR protection: With the Virtual Mode active, you can simply restart the computer and the changes are gone. In your question, this includes changes to the registry, system files, and even testing/attacks where important system files are deliberately deleted or infected - restart and the changes are gone.

B. Anti-Execute: Depending on the level you set this component feature to, it will stop the execution of anything unknown. In the case where a new malware is able to bypass the malware detection, it will still be prevented from infecting your system.

C. System Restore: If all else fails, you can restore a clean file from previous clean restore points or simply restore the entire system to a time before the infection/damage occurred.

2. Virtual Mode: While virtualization itself is powerful, it can only do three things natively:

A. Drop all changes
B. Save some changes
C. Save all changes

It cannot detect or block malicious content and there are a small number of malicious families that are designed specifically to circumvent virtualization. This is why RSS includes automatic MBR protection, but is also why RSS includes the Virus Guard, Cloud AI analysis, and the Anti-Execute features to close this hole and keep the system protected over the long term. While not mentioned in the previous sentence, the System Restore feature also provides a backup when all else fails; again, returning the system to a clean state.

3. System Restore: You can restore files and the entire system as noted above, but this technology also has an Achilles' heel in that malware will work to infect Restore Points as part of its modus operandi. This is why it is not always a given that the restore point you are trying to revert to is clean. This is why we have designed the feature to take advantage of the ability of the Virus Guard to detect the presence of malware, the A-E to block the activation of malware, and the Virtual Mode to remove the changes attempted by that malware.

The goal, as mentioned previously, is to reduce the Time-to-removal of malware. While detection is important, it is simply one part of the puzzle and our approach is designed to close the circle and give you multiple ways to protect your computer that work together by design rather than by accident when looking at a multiple application approach.

Mike

#5 Becky99


Posted 22 September 2010 - 03:39 PM

Mike -- I get all your points, but I question the efficacy with respect to 0-day malware. Is there a number where either myself or my boyfriend could call you to discuss (as well as a convenient time)? We are definitely interested in learning more but have a few questions where the good ol' telephone will probably be more expedient. Thanks.

#6 RVS_MikeW

    Authorized Returnil Representative

Posted 22 September 2010 - 05:51 PM

> Mike -- I get all your points, but I question the efficacy with respect to 0-day malware. Is there a number where either myself or my boyfriend could call you to discuss (as well as a convenient time)? We are definitely interested in learning more but have a few questions where the good ol' telephone will probably be more expedient. Thanks.


No single technology is 100% effective, as I have described in general. With this said however, our server-side analysis technology is extremely advanced and updates all connected clients several times a day after processing the information sent to it by the clients. It is only a component of the whole and works to improve RSS's detection and blocking quality.

As for contact via phone; we do not have a call center so resources for this are assigned strictly to the support of large corporate/educational customers by contract. We do offer direct e-mail support where we would be happy to provide detailed answers for any questions you might have. Simply shoot us a note at support (dash) tech (at) returnil (dot) com.

Mike
