Returnil System Safe Free 2011

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Just curious, is anyone using this one? Appreciate any user feedback.

The free version of Returnil System Safe is free and necessary
antivirus protection for every home PC user.

Anti-malware and anti-spyware
Necessary real-time and on demand protection against viruses and
spyware for all PC users

Virtual Mode
Keeps you safer with an extra layer of protection while browsing the
web or running unknown applications

Cloud-based protection
Utilize the community to find and clean virus infections sooner


"Man wanted to work in dynamite factory. Must be willing to travel."

Re: Returnil System Safe Free 2011

Quoted text here. Click to load it

First I ever heard of it.  Site created in '06.  St. Petersburg Russia.

What bothers me is that there is NO malware related info at the site.

But it has been tested...

Multi-AV Scanning Tool -

Re: Returnil System Safe Free 2011

David H. Lipman wrote on 12/29/2011 :
Quoted text here. Click to load it

thanks for the info

I came across this article while trying to find out info about it:

The forums appear active and from reading some of the feedback, RSS as
it is called, is supposed to work fine along side of most 1st and 2nd
tier antivirus programs.  Maybe worth a try sometime in the future.


Nothing adds Excitement like something that is none of your business.

Re: Returnil System Safe Free 2011

David H. Lipman wrote:

Quoted text here. Click to load it

Avast comes from Russia (Ukraine).  Easeus stuff and FormatFactory come
from China.  Piriform, maker of CCleaner, Recuva, and Speccy, hides
behind a private domain registration (i.e., registrar GoDaddy is the
responsible contact for the domain while the real registrant is
unlisted).  These products, like Returnil, have established themself
over many years to be trustworthy products.  Returnil has proven
themself a reputable company.  

Also note that Returnil's forums are NOT hosted at Returnil.  That is,
Returnil doesn't get to strangle the conversations by their users.  I've
been disgusted with some vendor-supported forums that censor any threads
that disparage their product either by discussing problems with it or to
compare it against their competitors' products.  Returnil's forums are
hosted over at which is pretty good regarding the
level of expertise on security products.  While there is a free version,
they are a commercial enterprise and I doubt if they were doing
something nefarious with their business customers that they would've
survived this long.  I know of sysadmins and IT folks in software dev
companies that are damn good at monitoring and analyzing this kind of
stuff and I haven't heard any of them voice concern that Returnil is

That's not to say Returnil System Safe is perfect.  What software is,
especially when the landscape (platform) keeps changing not only with OS
updates but also with other software installs.  While not an issue with
me (because I don't bother with it), there have been reports of Returnil
causing problems with System Restore.  However, almost everyone that
I've seen going to this level of protection by using disk virtualization
with Returnil already has a decent backup plan in place, and backup
images are far better than system restore points.  Best to learn of any
bugs or deficiences in the product is to peruse through wilderssecurity
forums for Returnil.

I think it's been since around 2007 or 2008 when I first heard of
Returnil, investigated it, and have repeatedly trialed it.  Alas, in
each trial, I've found some quirk that I disliked enough to terminate
the trial.  Not that it caused any corruption and severe problems but
some nuisance that I choose not to tolerate.  In my last trial ending
last week, everything was great except for the occasional high CPU usage
that lasted a minute and occurred a dozen times per day - and that was
when I wasn't in its "safe mode" (where the disk I/O is virtualized).
It shouldn't be doing anything when it's not active (I disabled its
anti-virus component because I don't consider it a strong contender).
Enough other users report the high CPU usage problem that it isn't just
a problem with my particular setup, plus I just did a fresh install of
Windows XP due to a hard disk crash (I could've restored from backups
but figured after 4 years it was time to get a cleaner install again).

There has been a lingering conflict with Avast which is usually blamed
for the high CPU usage.  They recommend uninstalling Avast, installing
Returnil, and then reinstalling Avast.  This is likely due to a problem
in the order in which they stack the kernel-mode handlers: sometimes
order matters when hacking into the same API function.  In my case,
however, I hadn't yet installed any security products.  Returnil was the
only one yet installed and still have the high CPU usage problem that
occurred a few times per day and lasted long enough that I'd start
wondering why some app I was using had frozen.  It's one of those things
where you have to see if it happens on your host.  I also have a
continual problem with Avira when I test it that anything using SMART to
interrogate the drives (for removable media) will trigger Avira into
polling those drives at 1-minute intervals.  It's a 4-year old problem
they haven't fixed but only happens with a few users, and I happen to be
one of them.  So it looks like Returnil and my old computer just don't
like each other.  It's "that close" to being a great product but, for
me, has that one nuisancesome flaw of occasional high CPU usage.

Re: Returnil System Safe Free 2011

Zo wrote:

Quoted text here. Click to load it

That's stretching the truth.  While it's not a bad AV product, there are
better, like Avast and Avira.  I'd suggest disabling their AV component
and use your preferred AV solution.

Quoted text here. Click to load it

All changes made to the hard disk (the partition for the OS) are
virtualized.  All the other hardware is real, so it's not as slow as
using a virtual machine to test unknown software.  When you reboot, all
changes are gone (since they were never made onto the real hard disk).

So while a reboot will restore your host back to the state it was in
before you used their Safe Mode (disk virtualization), that doesn't
preclude a keylogger sending out info while in safe mode.  If you
install or get infected by a keylogger while in RSS safe mode, it can
send out whatever it wants.  It will have access to the keyboard and to
any files in your file system.  Same happens inside a sandbox (with
perhaps an option to configure the sandbox to block access to anywhere
but select folders in the file system).  A virtual machine has its own
separate file system but a keylogger can still send whatever you type
inside a VM along with accessing any files inside that VM's file system.
Without the restrictions of a VM, Returnil lets you run at native speed
because you're using the real hardware.  It's "magic" is that upon a
reboot that anything that got onto your host, like malware, or any
fuckups made by someone you let use your host, are discarded when you
reboot the host.  So you can get messy, reboot, and back to the way it
was before.

Quoted text here. Click to load it

Well, "extra" only if you consider using their AV component.  I
continued using Avast and disabled their AV component.  So I don't
consider the disk I/O virtualization as extra protection.  In fact, it
is (to me and many others) the primary protection afforded by this
security product.  The whole point of disk virtualization is to isolate
any changes made to the file system (and remember that the registry is
just .dat files) and then discard them to revert your host back to a
prior state.

Quoted text here. Click to load it

Yeah, cloud-based stuff, woo hoo.  I don't think that helps solve any
infection faster on your own host.  It helps them determine patterns in
infections and possibly help update their heuristics.

I've trialed Returnil System Safe (freeware version) several times.
Nice idea but has some flaws.  First, I wouldn't bother with their
Anti-Virus component (which expires after the trial period, anyway).
Just disable it after the install.  Second, if your host goes
unresponsive at times, check Task Manager to see if rvsmon.exe is
consuming gobs of CPU time.  In each trial over several years, I've been
hit with the high CPU usage that lasts for a minute or two (and it's not
the AV update because that's disabled).  Eventually I can't stand the
repeated unresponsiveness of my host and have to uninstall Returnil.
Maybe it doesn't hit all their users but enough complain it and many
times with the typical response is to uninstall the old version and hope
the new version fixes the problem - which is really to say that they
have not specifically addressed this problem and just hope that some
changes they made might circumvent it.

As far as protecting your host, seems to be just as effective as using a
virtual machine (which I do use).  A VM and this product (disk
virtualization) are good ways to test unknown and untrusted software
(besides those that want to wipe all changes on their drive, like
cookies, index.dat, remnant registry entries, etc).  Unlike using a VM
that emulates all hardware except the CPU, Returnil just virtualizes all
disk I/O (to discard all changes on a reboot) so you still have access
to your real hardware which is needed, for example, if you want to play
a game or test a video editor while the disk is virtualized.

If it weren't for the problem of smacking my CPU to over 80% for a
minute at repeated times, I'd still be using it.  However, I use
Returnil as a test platform so I'm not using that often.  Some folks
using it like SteadyState and have it active on every boot so on a
reboot all changes are discarded, something handy when doling a host
over to a kid or giving your machine public access.

Returnil will disable the defrag API in Windows so you don't
accidentally (like with a scheduled event in Task Scheduler) happen to
defrag the virtual disk.  There's no point since all those changes are
going to disappear when you reboot, anyway.  Same for using some other
AV program, like Avast, in that, yes, they may tell you that you just
got infected with that new download and install but anything they do to
disinfect or eradicate or quarantine the pest is of no value.  You get
told about the pest but remember that when you reboot that the pest and
anything the AV program did will be undone.  Returnil also protects the
MBR so rootkits won't survive the reboot.  Of course, any changes you
make to your documents won't survive the reboot, either.  If you have
another drive (in a different partition on the same hard disk or in a
partition on a different hard disk), you can save your changed docs over
there.  It has a virtual drive it creates that will retain its state on
the reboot where you can save your changed docs but then having a
partition separate somewhere else from the OS partition that Returnil is
protecting works just as well and you're not relying on Returnil's

I use a VM to test unknown/untrusted software.  The next step would be
to use Returnil to protect my OS partition while testing the unknown
software but have access to the real hardware, plus Returnil's
virtualized disk I/O is pretty fast (you won't notice much impact)
compared to how slow everything runs inside a VM.  The next step would
be to use a sandbox in which to run the unknown software.  And lastly
would be to run it unvirtualized and unsandboxed after you decided you
wanted to keep the software and it hasn't misbehaved so far, and during
all those tests you can still use your security software to monitor the
operating of that unknown software; however, I don't bother in the VM
since I want the software to be free to exercise any nastiness so I can
see it in action whereas security software might mask the program from

If they'd just fix that damn sporadic high CPU usage problem then I keep
it around.  I'd only use it for testing so I don't configure it to
activate on every Windows startup.  If you're handing your computer over
to someone else, Returnil lets them play with it but on a reboot then
whatever they did is all gone.  Note that if you install anything that
requires a reboot to complete means that the partial install will
disappear.  A reboot discards all changes that went to the virtualized
disk.  They say they're working on saving state between reboots but
still give you the opportunity to reboot and wipe back to a prior state
but they've been saying that for a couple years.  

Since this is installing a kernel-mode driver and probably some other
stuff, I'd suggest saving an image of your OS partition on a different
hard disk or removable media before going forward to trial any product
that digs into your OS to protect it.

Rather than virtualizing the machine (all the hardware except the CPU)
as with virtual machines, Returnil just virtualizes all the disk I/O.
All changes go to a virtual disk, not to the real disk.  Just the
changes go to the virtual disk.  It's not a clone of your drive.  On a
reboot, the virtual disk is discarded.  You can choose to wipe the
remnants in that virtual disk file when you reboot but that takes awhile
and will severely slow the time to boot into Windows; however, if you're
a paranoid type then there is this option (and, of course, if you're
that type then you should've already been severely slowing the shutdown
of Windows by having it wipe its pagefile on shutdown, too).

Re: Returnil System Safe Free 2011

Quoted text here. Click to load it

Even Sandboxie can leak. I prefer to load a special image I use for testing
and when done, re-load my regular image.

Takes about 30 minutes each way which is no bother to me as I choose a time
to load and re-load to coincide with other activities I do away from the I never notice.

Must Do: System image and automatic real-time off-site data backup
Recommended tools: EaseUS Todo Backup and SugarSync

Re: Returnil System Safe Free 2011

Bear Bottoms wrote:
Quoted text here. Click to load it



Re: Returnil System Safe Free 2011

Quoted text here. Click to load it

Sandboxie is exploited from time to time. The author is diligent on
correcting that as soon as it occurs. The forum on sandboxie has more
information. You can also acquire those custom dlls I mentioned. They have
the effect of preventing the leaks. :)

Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: Returnil System Safe Free 2011

Dustin wrote:
Quoted text here. Click to load it

Thanks again Dustin. I was actually wondering what Bear Bottoms meant by
that remark specifically in reply to VanguardLH's post. I've been using
it to run 'PDF Stream Dumper' which runs possibly malicious scripts 'live'.

Re: Returnil System Safe Free 2011

Quoted text here. Click to load it

Yes. It can. It's best to analze the suspect malware to see if it has
sandboxie attack routines. If it does, you can disable them in most
cases. In fact, some malware samples will look for sandboxie; you'd have
to do a little patching to run them under it.

I do have customized .dll files which allow sandboxie more control and
take the ability from most malware to escape it. This allows for more
intense study in that situation as the malware sometimes creates
temporary files and removes them; default sandboxie will comply. As a
researcher tho, you want to checkout those temporary files.

If you browse the sandboxie forum you'll discover all sorts of 3rd party
addons for the improvement and specialization of sandboxie.

You also have the choice of VM environments, but again, malware
sometimes has to be slightly edited to make it run under those
conditions so that you can study it's actions in a simulated realtime
Quoted text here. Click to load it

While I do maintain accurate images on seperate external HDs using ghost
11 under a modified Bart PE disc, I still see no reason to always resort
to them if the issue is minor in nature.

depending on the amount of data iso'd it can take this machine will over
2 hours to restore the image. Processor power and onboard ram do play a
significant role, Bear.

Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Site Timeline