The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Just used Shadow Defender 1.1.0.325 on my W7 64 bit laptop with Norton AV 2011. I had excluded what I thought may cause problems with Norton in SD exclusions. However, upon reboot Norton's LiveUpdate appeared to be broken for about 5 mins, while it attempted to repair itself, which it eventually did. Anyhow, are there any SD/Norton users here that recommend any other Norton process I need to exclude from SD? I thought I had all Norton processes covered but obviously not.
    tia
     

  2. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    1,014
    Location:
    Brooklyn, USA
    CyberMan969,
    Interesting post about SD working with CTM. Just wondering, do you take CTM snapshots when you are in shadow mode? Also, do you revert back to snapshots when you are in shadow mode? And thanks.

    In other words, I am trying to figure out if you use the CTM when only out of shadow mode or not and thanks.

    Gary
     
  3. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    There is NO way to take CTM SnapShots and/or revert back to them while being on the SD Shadow Mode.
     
  4. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Regarding snapshot creation or restoring while in Shadow Mode: CTM somehow manages to bypass SD. Any snapshots you take in Windows while in Shadow Mode are still there after exiting Shadow Mode, even if you reject all changes. This is definite, I've tried it. To me it would be pointless to make a snapshot with Shadow Mode on. When you restore such a snapshot the system will still load with Shadow Mode off. Also, CTM only restores snapshots at boot time. You can initiate snapshot restoration from within Windows but CTM will always reboot to restore.

    As I already mentioned before, CTM won't install if SD is installed. This is pointless as they 'play' well together. You have to uninstall SD, reboot, then install CTM. On the next reboot CTM will create its initial baseline snapshot which obviously doesn't include SD. Once you're back to Windows re-install SD and reboot once more. When Windows comes up again, run CTM and configure its settings to your liking, then go to the "Reset Baseline" section and click reboot. System will restart and CTM will replace its baseline snapshot with a fresh one (including SD this time).

    Regarding the CTM settings, I haven't enabled automatic snapshot creation at system start-up. There's no need for that at least for me, all I need is one clean baseline snapshot to return to so I can test new software. Too many snapshots will quickly eat up your disk's free space. If you do create a lot of snapshots make sure you defrag them often (CTM offers snapshot defrag functionality). I have also disabled the option where CTM takes a new snapshot of the current system before restoring a snapshot, I don't need it as I won't need to return to a state where test software installs were in place.

    Accessing CTM at boot time: After the initial BIOS boot screens you can press the Home key just before the system loads from disk to enter the CTM boot-time interface. Once there you can create a new snapshot, restore an existing one, defrag or delete snapshots, even uninstall CTM, all before your system boots into Windows. These actions don't require a new reboot; the system will proceed loading as usual. Creating/restoring/defragging/deleting takes mere seconds too.

    You can create snapshots from within Windows too, but as I said, if you want to restore one while in Windows the system will always have to reboot to complete the process.

    A word of warning regarding traditional archive-based backups (Acronis, Paragon etc.) which include CTM: They won't work. After restoring the system from the backup, the CTM driver tries to load but can't find any snapshots so all you'll get is random flashing code on screen followed by a nice BSoD. Since CTM stores its snapshots on each protected disk's free space, I assume that if you make a sector by sector backup of the disk (including free space), then it should work. Haven't tried it though and it would be pointless anyway as you'll end up with huge backup files.

    Also, if you have Acronis, Paragon, or any other similar backup software installed on your system alongside CTM or Rollback RX, then you're looking for trouble. The best thing to do is not to have such software installed, just use them from a boot disk. I personally use an Acronis boot CD and boot USB stick which I had created some months ago when Acronis was installed on my system. It also contains Acronis Disk Director so it's double handy. With the boot disc/stick I can boot into the Acronis Linux-type interface when the system starts, and perform any backup/restore operations without having to have Acronis actually installed in Windows. This way you're saving yourself from possible conflicts between Acronis and CTM or RX.

    Acronis is not the only one by the way, as far as I know the vast majority of image creating software have problems with snapshot programs like CTM, Rollback RX or similar. Unless you want to start repairing MBRs, don't create any traditional backups that include snapshot software. Best thing to do is to create a clean, up-to-date backup with your system configured as you want it BEFORE installing CTM (or Rollback RX). Then install CTM/RX. With CTM/RX on you won't have to touch that backup - unless you manage to land a brand-new rootkit, or god-forbid, your disk dies... This is also true not just for full backups but for incremental or differential ones too: If they include CTM/RX you are asking for trouble. So if you want to create a new backup do the following:

    • Revert to your best clean snapshot which includes what you want to keep, then install any other software or run any updates that you want to include in the backup. Make sure you don't have Acronis or any other traditional backup software installed in Windows. Instead, have a boot CD or USB stick made, containing your favorite backup software.
    • Uninstall CTM/RX and reboot your computer at least once.
    • Boot from your Acronis (or other) CD/stick and create a new backup of your system disk. Don't forget to always verify the created image for corruption after its creation.
    • Go back to Windows and re-install CTM/RX. If you want to use Shadow Defender with it follow the instructions mentioned earlier in this post.

    CTM serves well as a day-to-day souped-up uninstaller for any software that requires a reboot, or for any software-based system f@'k-ups. Regarding malware it also adds an extra layer of security to your system (although there is not much need for that with SD/Sandboxie already active). What is invaluable to me is its ability to completely undo system changes and revert to a clean state in mere seconds.
     
    Last edited: Aug 3, 2011
  5. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Wrong. I was very surprised to find out that CTM keeps any snapshots created while in Shadow Mode. No exceptions have been applied in SD and nothing was committed, still upon rebooting the new snapshots are still there. Also, when you initiate snapshot restoration while in Shadow Mode, on next reboot CTM just restores the snapshot as normal. I wasn't expecting that. CTM somehow seems to be able to bypass Shadow Mode.
     
    Last edited: Aug 1, 2011
  6. chris1341

    chris1341 Guest

    I gave up ages ago trying to get anything other than pure cloud AVs like Prevx to work with SD, Returnil or any other brand of system-wide light virtualisation running permanently (or mostly). The problem with any I tried was that definition updates, if not always then frequently, also make registry changes which cannot be excluded. So while the defs database and program files are up to date after the reboot, the data on the drive does not match the info stored in the registry, so it causes integrity errors.

    Might be what happened here. I also seem to recall Norton updates dropping and running unsigned files in user space to complete the updates that caused issues with some HIPS I used. Can't remember where though.

    There might be some AVs out there that will work with SD (potentially NOD32, I have heard subsequently) but I did not find any, even those that allow the defs database to be stored on a non-system partition not under SD protection.

    Now SD coupled with things like AppGuard, DefenseWall, GeSWall or even SRP produces solid, problem-free protection.

    Cheers
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Your experience exactly echoes mine. I could never get AV definition updates for any conventional AV that I tried to stick with SD on a reboot because of the registry changes which nearly always seem to occur. Prevx works just fine though, partly because it is a cloud AV and partly because Prevx setting changes, scan results, etc, do not update the registry. Instead they are all held within a single folder in user space that is easily excluded from SD protection.

    I did also find that NOD32 works well with SD. NOD32 definition updates are so transparent and seamless that I found the easiest way with minimum hassle was not to try and make exclusions for NOD32 but just to allow NOD32 to update its definitions on each reboot.

    I agree that system-wide virtualisation when combined with system-wide policy restriction provides very strong protection. This combination is what I rely on for primary protection.

    Regards
     
  8. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    If this is the case, then, why do you need SD, since CTM bypasses the Shadow Mode of SD o_O
     
  9. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    If you read my previous post #379 (which I updated a few minutes ago), you probably wouldn't need to ask. Because CTM bypasses Shadow Mode, it doesn't mean that SD is pointless! Both programs offer different functionalities and complement each other. SD will still stop some malware that CTM alone can't, and while in Shadow Mode I can install software that doesn't require reboots and test it without having to restore the snapshot every time. If a piece of software requires a reboot then I can try it, safe in the knowledge that I won't have to load my full backup every time in order to get my system back; loading a snapshot on next reboot undoes it all in seconds.

    If you are worried about possible vulnerabilities having CTM on (as it seems to be able to bypass SD), think of this: How many malware programs are able to bypass Shadow Mode? As far as I know only some rootkits can, and this is still debatable. If you use some decent anti-execution software alongside SD, then you wouldn't have to worry about some malware hijacking CTM in order to get through SD. We all know that any potent rootkit has to install some kind of driver on the system anyway; anti-execution will stop that. CTM is freeware and it works great alongside SD, providing functions that I've always wanted to see in SD (like undoing software that requires reboots). What's not to like?
     
    Last edited: Aug 2, 2011
  10. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Frankly, I consider running both an ISR and a B2R an exaggeration...But it is your decision...
     
  11. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I used to restore my Acronis backup at least once every few days on average just to undo installations of software I tested. It involved loading Acronis from a USB stick, then waiting for the interface to appear, browsing for the backup, selecting target disk, etc. Overall it took me about 10 minutes to reboot to a clean system, and then I had to do it all over again a few days later. With CTM I get the same functionality between reboots and restoring takes seconds. For software testing this is invaluable but I do understand that if you don't test a lot of software, then you probably wouldn't need the added functionality that CTM provides. Why do I need SD as well? Well, anti-execution stops rootkits from installing drivers. SD on the other hand serves as my primary shield against most other malware, as well as undoing software installs that don't require a reboot.

    So why shouldn't you run both when they complement each other so well? System resources? They hardly take any. Possible conflicts? There are none, at least on my systems as long as you don't make traditional backups which include CTM or Rollback RX. Running out of disk space on protected drives? Not an issue if you limit the number of snapshots and defrag them regularly. I only use a single baseline snapshot of my system disk.

    Are there other factors that I should be aware of? If there are any possible issues attached to this please elaborate; your input would be greatly appreciated! :)
     
    Last edited: Aug 3, 2011
  12. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks for the info. I guess on reflection I might just as well disable Norton just before I enter shadow mode, although I'm not sure disabling the AV disables LiveUpdate too. I'll have to check. I hope to try SD with DefenseWall in the future. I'm just waiting for the 64 bit version.
    ellison
     
  13. chris1341

    chris1341 Guest

    I'm not sure that is required depending on how you run and how keen you are to keep the AV layer of protection.

    If you are only periodically entering shadow mode or regularly boot into normal session then enter shadow mode I would simply remove the Norton files from exceptions and let it update as normal. The updates applied during the shadow mode session will keep protection optimised but be lost on re-boot. They will simply be downloaded and applied again though the next time you start the machine.

    Even if you run in shadow mode permanently, as long as you drop out of it every few days or so to allow the updates to take place on the real machine it is probably manageable. Norton updates are small and frequent, so even reloading a day or two's worth every time you restart should not be too significant in terms of system impact.

    That might work for you and is cleaner than trying to get the updates to 'survive' a shadow mode session. It appears to be what pegr suggested he did with NOD32, I think.

    Cheers
     
  14. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
  15. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    So, Shadow Defender is officially dead now?
     
  16. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Hmmm..."no site - no program - no problem" :doubt:
    It's even stranger because the registration expires on 2012-04-25... why did they close this site?
     
    Last edited: Aug 10, 2011
  17. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    As it seems...:doubt:
     
  18. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    It's so ~ Snipped as per TOS ~ sad for such a brilliant little app to die out like this. I wish it could have been open-sourced, I'm sure there are a lot of good coders out there who would love the challenge of developing it further.
     
    Last edited by a moderator: Aug 11, 2011
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Looks like the Shadow Defender Website has been suspended. Does anyone know how long the site has been like this?
     

    Attached Files: SD.jpg
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I guess I should have read above. Looks like my last post was old news, but still interested in knowing how long the site has been like this. Does anyone know?
     
  21. abu shofwan

    abu shofwan Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    358
    Location:
    Earth
    Aug 9 2011 05:40:24 GMT. Last time I visited the site.
     
  22. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Shadow Defender RIP o_O
     
  23. skolliepeanuts

    skolliepeanuts Registered Member

    Joined:
    Aug 15, 2011
    Posts:
    1
    OK, so I recently started using SD and I download a lot of torrents through BitTorrent, but when in SM my downloads fail, and if I commit/exclude the folders... it STILL fails.... can someone help??
     
  24. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
    I am also a mod at the SD forum and I think we can now call this abandoned software.
    Unless Tony or someone who maybe knows Tony, like hany3 or one of the translators, makes contact within the next 24 hours, then I am going to give up moderating on the forum; it is far too time consuming dealing with the volume of spam.

    A real shame as it was a fantastic piece of software, but it is not the first nor will it be the last to disappear from our computer screens.
     
  25. guest

    guest Guest

    The website is working: http://www.shadowdefender.com/

    but of course if you open this link -www.shadowdefender.com/cgi-sys/suspendedpage.cgi- it's not gonna work.

    Anyway, it is quite strange that after being up and down the owner hasn't appeared.
     