However, I do have one pressing question -- what does your program do to prevent a hacker from gaining entry while I'm on the computer 12-14 hrs/day and during that time (assuming they slip by your virus analyzer) altering the registry keys to your program so that it changes its behavior and (in the worst hypothetical situation) allows writing to my disk/system files while I'm thinking I'm in virtual land within the safe confines of Returnil?
To answer it however, we need to look at the weaknesses of traditional approaches and how RSS addresses them:
- The most important and relevant feature of these programs is their ability to detect malicious and potentially unwanted content. It is their core competency, but they often fail due to the fact that even using advanced heuristics or other technologies, some content will go undetected. This is because they are based on a blacklisting approach that requires the developer to have a sample of the content in hand, investigate what the program does and does not do, determine if it is malicious or not, test the removal procedure in the lab, and then beta test in the field before a completely effective "signature" can be created to remove the content. This leaves a system open and allows the malicious content to do whatever it does for an extended period of time before it can be remediated.
In some cases, the remediation can be partial or even ineffective if a new variant of the content is released in response to an update in the scanning technology. IOW - AV's tend to be behind the 8-ball most of the time. With this said however, a strategy must have some form of feedback as to the efficacy of that strategy. While using a boot-to-restore solution will almost always return the system to a clean state with a restart of the computer, that content may be allowed to persist for long periods of time depending on how often the computer is restarted.
The Virus Guard in RSS 2011 works to minimize this time by providing a warning of its existence and allowing the user to simply restart their computer and remove the malware quickly. In RSS we supplement this using our server side (Cloud) Artificial Intelligence and machine learning technology (AIM) that collects malware samples and behavioral data from all participating RSS users to provide:
A. Fast updates to all clients to address 0-day malware
B. Reduced false positive and false negative detections
C. The foundation step towards our plans to introduce true Distributed Immunity by adding the AIM technology at the client level to get ahead of a new malware outbreak and stop it in its tracks before it has a chance to get out of the network and to stop it from spreading within the network.
As described above however, detection has its weaknesses so we back this up through:
A. Virtual Mode with automatic MBR protection: With the Virtual Mode active, you can simply restart the computer and the changes are gone. In your question, this includes changes to the registry, system files, and even testing/attacks where important system files are deliberately deleted or infected - restart and the changes are gone.
B. Anti-Execute: Depending on the level you set this component feature to, it will stop the execution of anything unknown. In the case where a new malware is able to bypass the malware detection, it will still be prevented from infecting your system.
C. System Restore: If all else fails, you can restore a clean file from previous clean restore points or simply restore the entire system to a time before the infection/damage occurred.
2. Virtual Mode: While virtualization itself is powerful, it can only do three things natively:
A. Drop all changes
B. Save some changes
C. Save all changes
It cannot detect or block malicious content and there are a small number of malicious families that are designed specifically to circumvent virtualization. This is why RSS includes automatic MBR protection, but is also why RSS includes the Virus Guard, Cloud AI analysis, and the Anti-Execute features to close this hole and keep the system protected over the long term. While not mentioned in the previous sentence, the System Restore feature also provides a backup when all else fails; again, returning the system to a clean state.
3. System Restore: You can restore files and the entire system as noted above, but this technology also has an Achilles heel in that malware will work to infect Restore Points as part of its modus operandi. This is why it is not always a given that the restore point you are trying to revert to is clean. This is why we have designed the feature to take advantage of the Virus Guard's ability to detect the presence of malware, the A-E to block the activation of malware, and the Virtual Mode to remove the changes attempted by that malware.
The goal, as mentioned previously, is to reduce the Time-to-removal of malware. While detection is important, it is simply one part of the puzzle, and our approach is designed to close the circle and give you multiple ways to protect your computer that work together by design rather than by accident, as is the case with a multiple application approach.