Light virtualization: Returnil/PowerShadow/ShadowDefender/ShadowUser Pro

[BlueZannetti]

Since this is a topic of current interest, I thought that it would be worthwhile pulling together at least my own experiences with these products. For the record, I have current licenses for each product and am currently running three of them in combination with an AV and/or firewall, so my experiences reflect some level of extended usage and not simply trial runs of the products. The specific installation details are as follows:

• ShadowUser Pro - currently uninstalled. Have used it in conjunction with NOD32 AV (V 2.7), KAV WKS (6.0), and LooknStop firewall under Windows XP Pro without issue
• PowerShadow 3.0: Installed under Windows XP Pro with Dr. Web AV and LooknStop firewall. This is the main system partition I typically work from. See here for the home site in China.
• Returnil 2.0 beta (and previously V 1.7 Personal): Installed under Windows Media Center with Eset AV V 3.0.
• Shadow Defender V 1.0.0.130: Installed under Windows XP Pro with KAV WKS V 6.0.3.830 (note KAV WKS is basically KIS of the same major version number)

Some prior comments of mine focusing primarily on PowerShadow/Returnil are here. Overall, as far as I can observe, each of these products provides the functionality advertised by the vendor. I've not experienced usage instabilities with any of these options and would wholeheartedly recommend any of them to even inexperienced users. However, there are some distinct differences between the products that are useful to bear in mind. With respect to the specific products:

• ShadowUser Pro V 2.5:
  • While this is the oldest option in the group, it remains the only product that currently supports continuation of a single shadow session across restarts. If you wish to use this type of product for testing software, this facility is essentially required.
  • Clearly the costliest program in the group at $69.95
  • Currently possesses the broadest range of shadow session exclusion and commit options. During system configuration, a user can select the specific drives to a shadowed. In addition,selected folders/files on a shadowed drive can be excluded from shadowing at all (all changes immediately applied), or be selected to auto commit and changes will be permanently applied to these locations on a controlled shutdown or restart. Finally, a full session commit exists to basically commit all changes to the system. A user can also exercise a manual commit from the context menu
  • On the downside with respect to functionality, entry into a shadow session requires a full system restart. This, and a slightly aged user interface, are the only general program deficiencies that I've seen.
  • I've not directly tested whether SU Pro is resistant to direct low level disk writes (e.g. using Julie Lau's Sector Editor). The other three products are resistant to this type of change.
  • A trial version is available and activation is via a vendor supplied key code.
  • Support is via a vendor hosted forum (see here)
  • Current not Vista compatible, no publicly announced plans to release a Vista compatible product.
  • The current install executable that I have, which dates from Feb 3, 2006, is the latest version of the program. In many respects, this application was well ahead of it's time. The lack of any updates implies that active development is at least in hiatus. I have no idea if this will change in the current climate. If it did, the only way this application will compete is with a price cut to be in line with the competition.
• PowerShadow 3.0:
  • Able to enter shadow mode without a system restart, but currently cannot maintain a shadow session across restarts. This is also currently true for Returnil and Shadow Defender.
  • Shadow sessions can be started in either a single (system partition) or full (all partitions) shadow mode. Note, full shadow mode refers to all permanent partitions. Removable partitions are not shadowed and can act as intermediate storage locations for material to be saved from within a shadow session.
  • Protects against low level direct disk accesses (same for Returnil and Shadow Defender)
  • Does not support file/folder exclusion directly, but does offer a Folder Relocation facility to allow material resident on the system partition to be relocated to another partition. Note, this facility is operative in single shadow mode only.
  • Product activation is via a serial number and password supplied by the vendor on purchase, accompanied by communication with the vendor's home servers. One point to recognize is that this activation dialog binds the activation to the hardware configuration in use (primarily the HDD I presume). A change in hardware may necessitate generation of a support ticket at the vendor to allow reactivation if needed.
  • The English language site does not have a trial version available. A 30 day money back guarantee is provided. The Chinese website does provide for download of a Chinese language trial version (as PS2008 vs. PS 3.0 Workstation - it's unclear whether these are directly equivalent - a quick scan of the Chinese language site would suggest that PS 3.0 Workstation is, or is closer to, a single user variant of the enterprise level product)
  • As noted elsewhere on the site, PS contacts the vendor servers on a system restart and/or entry into shadow mode to apparently check for an update. Blocking this communication with a software firewall, at least in the short term, does not appear to impact program functionality. On a quick look at the information provided in this communication, no personal information is transmitted. However, PS does create a time dependent hardware ID tag that can be used in conjunction with a vendor supplied rescue utility in the event one is unable to exit shadow mode to allow disabling of PS (the vendor uses this code to create a rescue code - the hardware ID and rescue code can be used to disable PS. The codes have a 2 day lifetime). This ID tag is supplied to the vendor during this brief communication.
  • The primary support channels are via email and Windows Live Messenger, although live telephone support is also available. While the entire operation is based in Beijing, I've found their English language skills exceptional and support in general outstanding. The only minor support inconvenience that I've encountered is that it is available only during the normal business workweek (Mon-Fri; normal business hours, Beijing local time).
  • In fairly extensive usage, the only issue I encountered was what appeared to be a single install anomaly which caused the system to enter and remain in shadow mode. The problem was localized to one XP installation of my system and was reproducible. A repair XP install did not remedy the issue, but a complete nuke and pave of the system followed by a fresh XP install did remedy the problem. Reinstallation of all active applications did not recreate the problem. The underlying cause wasn't identified - although an errant driver or similar problem may have been at fault - I looked specifically for this, but couldn't identify any issues along these lines. For the present, I'd assume my system had some pathological state somewhere.
  • Full cost is currently advertised as $49, with a current special at 20% off ($39)
  • Supported OS's are Windows XP/2000/2003. Note: 64 bit OS's, RAID, Windows dynamic disks, compressed NTFS volumes are explicitly not supported at this time. PowerShadow, at least at the Chinese site, appears to target both single user and enterprise clients with centralized administration of enterprise clients
• Returnil V 2.0 (beta):
  • Currently supports system partition shadowing only.
  • Creates a virtual partition to provide a shadow session repository of information to be retained - useful on single partition systems
  • Provide specified folder and file commit, as well as full session save.
  • Has a free personal version. With the upcoming release of a paid premium version for personal use, the free version will possess a subset of the features of the paid variant.
  • Protection of non-system partitions has been mentioned as a future feature target
  • Protects against low level direct disk accesses (same for PowerShadow and Shadow Defender)
  • Has a good support presence here through ColdMoon and a forum just started at CastleCops, see here
  • The price for the paid premium version of Returnil 2008 is listed as $25/year, although it's unclear whether this is finalized pricing or brought over from the paid business product. I assume that the cost covers the initial license plus maintenance support with a renewal being charged for yearly maintenance support (i.e. any product assistance and/or upgrade); it's unclear whether a renewal would be at somewhat lower cost - I've not seen definitive information on this point. These details will be clear by release time.
  • Licensing/activation is via a vendor provided serial key code, with a 30 day trial also available
  • Supported OS's are Windows XP/2003 Server/Vista 32 bit.
• Shadow Defender V 1.0.0.130:
  • Effectively replicates the ShadowUser Pro feature set aside from the ability to maintain a shadow session across restarts. This capability is being worked on with a very provisional completion date estimate of ~ 2 months - roughly the end of Feb 2008. The specific features supported include user selectable protection by partition, specification of excluded files/folders, and commit to specific files/folders (selected or via context menu)
  • Protects against low level direct disk accesses (same for Returnil and PowerShadow)
  • Support has been variable, with my own experience as a paid license user disappointing (email requests sent mid September were never answered or acknowledged - requests sent from two separate ISP's, so filtering issues are unlikely). On the flip side, user support is only an issue in the event of a major system failure. Product usage is so simple that ongoing support is not required. That comment is true of all the products above. In addition, some users here have had no issues getting the attention of the support folks.
  • The current price is $35
  • Activation is via a vendor supplied serial key, with a trial also available
  • Supported OS's are Windows XP/2000/Vista.

That's a quick summary of information generally available and what I've experienced.

Thus far I don't see an overwhelming leader or trailer in the pack, and if there is one, in some respects ironically, it is ShadowUser Pro. The ability to quickly enter shadow mode live without a restart is a major operational advantage, and for most users, this is probably a more significant feature than the preservation of a shadow session across restarts. It significantly lowers the barrier to jump into a shadow session when you're surfing around and it occurs to you that some additional protective measures may be in order. ShadowUser Pro also suffers on the initial cost front, it is significantly more expensive than the other offerings, and there are no current plans to offer a Vista compatible product

At current pricing ($25 vs. $35 vs. $39), cost differences are fairly inconsequential. Of the three, only Powershadow does not have a formal trial available in the English language market. When I was having the install difficulty with PowerShadow described above, the support group in fact proactively offered a refund when it appeared that we were not making progress debugging the situation, so it's clear they will go the extra mile to keep clients satisfied.

In actual usage, the real feature set differences are actually a lot less than apparent. Shadowing of all partitions is a nice feature, but it's the system partition which is the critical one, so while Returnil may appear to lag on this front, it shouldn't be a deal breaker for any user. A similar comment applies to an inability to commit changes with PowerShadow in full shadow mode - it's a little less convenient, but a removable drive is always available to me to accomplish that.

So the punch line - in a vein similar to rating AV's - is that we have three top tier options based on feature set/support/price. In alphabetical order they are PowerShadow, Returnil, Shadow Defender. Depending upon the specific weight a user places on feature set, support options, or price, one of these products may clearly rise above the other two. ShadowUser Pro's feature set is exceptional, but from a cost benefit perspective, it clearly trails the newer offerings.

Blue

[Gargoyle]

I was thinking about virtualization programs and am delighted to see a serious discussion. However, my faith in these programs is starting to decline.

I may not be a power user but the things I download get me in trouble apparently. On two seperate instances, Powershadow 2.6 and Returnil 2008 Beta failed to protect my system when used as the only security application. I had to reformat my hard drives both times. Returnil 2008 Beta also caused BSODs when downloading questionable software when used in conjuction with Sandboxie.

So, now, can someone confirm for me whether there is MBR (master boot record) protection for Shadowdefender?

[Peter2150]

Blue, excellent summation. I don't believe ShadowuserPro protects against the low level disk activity. I only tested it against Killdisk, and it failed.

As to support, Shadowuser, of course is storagecraft and grnxnm is here as well as their forum. Same with Returnil, Coldmoon here and the new forum

ShadowDefender has been variable. Email communication seems back. But even when it wasn't I noticed if you reported a problem, there was silence, but then a new build popped up. I think the variable was a translator.

Pete

[Vikorr]

Gargoyle, the products are only good (in terms of security) for preventing driveby downloads / email infections of your OS. In that respect they are more reliable than any other.

But to install a program permanently you have to deactivate them - that's when you need an Antivirus etc.

[Coldmoon]

Quote:

Originally Posted by Gargoyle

I was thinking about virtualization programs and am delighted to see a serious discussion. However, my faith in these programs is starting to decline.

I may not be a power user but the things I download get me in trouble apparently. On two seperate instances, Powershadow 2.6 and Returnil 2008 Beta failed to protect my system when used as the only security application. I had to reformat my hard drives both times. Returnil 2008 Beta also caused BSODs when downloading questionable software when used in conjuction with Sandboxie...

Hello Gargoyle,
Please send us a detailed report using our support contact form page with the subject line RVS 2.0 Beta so it can be reviewed and investigated by development.

http://www.returnilvirtualsystem.com...actus_tech.htm

Kind regards
Mike

[trjam]

Quote:

Originally Posted by Gargoyle

So, now, can someone confirm for me whether there is MBR (master boot record) protection for Shadowdefender?

Asking for you now.

[Dogbiscuit]

Quote:

Originally Posted by Vikorr

Gargoyle, the products are only good (in terms of security) for preventing driveby downloads / email infections of your OS. In that respect they are more reliable than any other.

But to install a program permanently you have to deactivate them - that's when you need an Antivirus etc.

Vikorr, Excellent points. One question: how are they more reliable?

[Gargoyle]

Quote:

Originally Posted by Vikorr

Gargoyle, the products are only good (in terms of security) for preventing driveby downloads / email infections of your OS. In that respect they are more reliable than any other.

But to install a program permanently you have to deactivate them - that's when you need an Antivirus etc.

I have issues with people that they assume they know exactly what you did on the computer. And to give advice that isn't revelant to the topic at hand.

[BlueZannetti]

Quote:

Originally Posted by Peter2150

Blue, excellent summation. I don't believe ShadowuserPro protects against the low level disk activity. I only tested it against Killdisk, and it failed.

On direct challenge - no, ShadowUser Pro does not protect against low level activity

Quote:

Originally Posted by Gargoyle

I may not be a power user but the things I download get me in trouble apparently. On two seperate instances, Powershadow 2.6 and Returnil 2008 Beta failed to protect my system when used as the only security application. I had to reformat my hard drives both times. Returnil 2008 Beta also caused BSODs when downloading questionable software when used in conjuction with Sandboxie.

It's hard to discuss issues across versions, my personal experience is that PowerShadow V 3.0 is fairly robust. I have not used the earlier versions.

As for the need to reformat, was this a gross system instability that emerged or something easier to trace?

Quote:

Originally Posted by Gargoyle

So, now, can someone confirm for me whether there is MBR (master boot record) protection for Shadowdefender?

Well, when I attempt direct MBR edits, just like any other low level activity, it is blocked in the current ShadowDefender version (1.0.0.130).

Blue

[trjam]

Answer: Yes, SD does protect the MBR but does not overwrite it.

gee blue, you beat me to it. My answer did come from the vendor.

[EASTER]

Quote:

Well, when I attempt direct MBR edits, just like any other low level activity, it is blocked in the current ShadowDefender version (1.0.0.130).

Blue

Thanks.
This is vital and those are very useful results that need to be distributed in these type discussions per virtualization apps. Too many times users are faced with ever limited vague opinions, even if accurate, but are IMO too limited at times by single lone reports. The more results brought out like this widens the range of users and potential customers understanding to what they can expect, which is Maximum coverage from the potential of fatal disruptions, chiefly the forced modification of the MBR and other deep-level physical disk operations.

[Dogbiscuit]

Quote:

Originally Posted by Gargoyle

On two seperate instances, Powershadow 2.6 and Returnil 2008 Beta failed to protect my system when used as the only security application. I had to reformat my hard drives both times.

Gargoyle, can you provide any more details about what happened?

[Gargoyle]

The problem was that WinXP would not start. The famous Blue Screen would pop up with this:

STOP: C0000221 [Bad Image Checksum] The image version.dll is possibly corrupt. The header checksum does not match the computed checksum.

[Gargoyle]

Hello Coldmoon,

It may not be a fault of Returnil so much as it is a problem virtualization programs just can't deal with. Shadowdefender might fail as well.

I use the internet for more riskier interests than most of the people here--and I say this confidently after browsing this forum for months now. My experiences may not be the norm. For the record, I will still be using Returnil, just the old version - 1.7. Returnil's customer support really has no equal and I look forward to what Returnil has instore for us in the future.

Thanks,
Gargoyle

[Coldmoon]

Quote:

Originally Posted by Gargoyle

Hello Coldmoon,

It may not be a fault of Returnil so much as it is a problem virtualization programs just can't deal with. Shadowdefender might fail as well.

I use the internet for more riskier interests than most of the people here--and I say this confidently after browsing this forum for months now. My experiences may not be the norm. For the record, I will still be using Returnil, just the old version - 1.7. Returnil's customer support really has no equal and I look forward to what Returnil has instore for us in the future.

Thanks,
Gargoyle

Hi,
Regardless of what may be at fault, all information is valuable. We can't fix it if we do not know about it...

Mike

[Diver]

While not as comprehensive as the products reviewed, Sandboxie provides a form of virtualization. Of course it is application level.

Someone mentioned the usual objection about how a particular strategy protects against against drive by downloads, but not the user intentionally installing a Trojan program.

I am starting to believe there is not an automated solution for intentional user installation of a Trojan program that is not covered by AV signatures. Sure, a HIPS will through all sorts of warnings, but it will do that for legitimate software, and only an expert can interpret it, so that is hardly automated. Alternatively the HIPS must be turned off or down for the installation to complete, so defenses are dropped again.

All this said, I see the same objection every day here.

[BlueZannetti]

Quote:

Originally Posted by Diver

While not as comprehensive as the products reviewed, Sandboxie provides a form of virtualization. Of course it is application level.

Application vs. System partition (or system) virtualization. Both are useful. Since it's not as granular, system virtualization has ease of use at the expense of some potential downsides (Gee..., I guess it wasn't such a great idea to download/server delete all that email while in shadow mode..., huh? Oh, and about that multi-gig download....), although recovery measures are straightforward in some circumstances

Quote:

I am starting to believe there is not an automated solution for intentional user installation of a Trojan program that is not covered by AV signatures.

I prefer to think of it as a form of natural selection at work....

Blue

[lucas1985]

Quote:

Originally Posted by BlueZannetti

I prefer to think of it as a form of natural selection at work....

Would you mind expanding your theory?

[Huupi]

Quote:

Originally Posted by lucas1985

Would you mind expanding your theory?

forgive me to hijack your question,....... but what i guess he meant there are limits to stupidity.........or.......,just my two cents !?!

[Cerxes]

Personally I prefer using application based virtualization because of the above mentioned reasons by Blue, but mostly for the reason where you for example tweaks your system or make some other changes to your settings, and then forget to commit these changes... could be really frustrating.

Regarding the intentional user installation this is not necessarily "stupidity" (even if in some cases it could be just that), but this has always been the most common vector for delivering the payload. One could argue "only download from trusted sources", but that could be circumvented by site crackers. How to solve this? hash check is the standard solution to this problem. But if there´s no hash sum at the site to check with, what then? After an installation a restore to an earlier state using an Image backup would then be the standard solution, but that assumes that you even knows that your system is infected.

I think it´s something we have to live with regarding the fact that whatever security steps we take, we will always have some "window" open for exploits, whether it´s zero-day malware, drive-by infections or by user installations.

/C.

[BlueZannetti]

Quote:

Originally Posted by Huupi

forgive me to hijack your question,....... but what i guess he meant there are limits to stupidity.........or.......,just my two cents !?!

I believe it was Albert Einstein who noted "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

Blue

[ErikAlbert]

Quote:

Originally Posted by Cerxes

Regarding the intentional user installation this is not necessarily "stupidity" (even if in some cases it could be just that), but this has always been the most common vector for delivering the payload. One could argue "only download from trusted sources", but that could be circumvented by site crackers. How to solve this? hash check is the standard solution to this problem. But if there´s no hash sum at the site to check with, what then? After an installation a restore to an earlier state using an Image backup would then be the standard solution, but that assumes that you even knows that your system is infected.

That is indeed a problem and no security software or visualization software will save you from that.
Any NEW object is a threat to your system and how do you know for sure that it isn't a threat ? It's simply a matter trust for average users and those who are able to analyze what a new object has done to their system, have an advantage, which is a minority group.

[BlueZannetti]

Quote:

Originally Posted by Cerxes

Personally I prefer using application based virtualization because of the above mentioned reasons by Blue, but mostly for the reason where you for example tweaks your system or make some other changes to your settings, and then forget to commit these changes... could be really frustrating.

Point noted.

For the sake of keeping this discussion open, it is probably worthwhile noting that the four products that I mentioned in the title represent something in the middle of a continuum of options. By light virtualization, I'm really only trying to exclude the creation of full virtual machines, and I've done that for a couple of reasons. First, that's a relatively costly path to follow for most home users and that setting is my primary focus. Second, the formal licensing requirements can get complicated in a full VM environment (basically you need separate licenses for each concurrently running instance of the OS, or a model that explicitly allows multiple running instances, say Windows 2003 Server), and I really don't want to deal with that complexity. So basically the discussion should revolve around options aside from full VM installation, which fits the four cited products well.

Now, as noted in threads such as deepfreeze VS shadow defender, DeepFreeze provides a related product approach that bears a strong relation Returnil/PowerShadow/ShadowDefender/ShadowUser Pro with the primary difference that the implicit system state is presumed to be primarily static as opposed to primarily dynamic. Aside from that difference, and how that impacts daily usage of the application, it provides a very similar functionality.

Finally, rather than virtualization at a system level, virtualization at an application level is possible through products such as SandboxIE and related tools where the primary focus is virtualization of applications which interact strongly with the external environment (i.e. the Internet and so on).

Quote:

Regarding the intentional user installation this is not necessarily "stupidity" (even if in some cases it could be just that), but this has always been the most common vector for delivering the payload. One could argue "only download from trusted sources", but that could be circumvented by site crackers. How to solve this? hash check is the standard solution to this problem. But if there´s no hash sum at the site to check with, what then? After an installation a restore to an earlier state using an Image backup would then be the standard solution, but that assumes that you even knows that your system is infected.

I think it´s something we have to live with regarding the fact that whatever security steps we take, we will always have some "window" open for exploits, whether it´s zero-day malware, drive-by infections or by user installations.

I absolutely agree. That's one of the reasons all of the configurations that I've mentioned above have been using a light virtualization product in conjunction with the "expert system analysis" provided by an AV. This pairing appears to offer a very reasonable trade-off in performance, ease of use, and security. The same can be said of an application based virtualization plus AV, while a user of solutions such as Deep Freeze tend to not require the AV component if the system configuration in fact adhere to the primarily static model. Naturally, use of an AV can take many guises from the typical realtime monitoring to on-demand scanning only of new content as required.

Blue

[trjam]

I agree, even though some may not, that using any of these types of products are only enhanced by using a AV. Actually the AV comes first, then this type of product. A very good combo.

[ErikAlbert]

In theory, you don't need an AV to protect your EXISTING objects in a frozen system partition. Any change done by malware is gone after reboot and that is alot better than scanners.
You only need security softwares that stop the execution of malware in a frozen system partition.

You only need an AV to verify NEW objects and your local AV is just not good enough. In that case I would prefer to use VirusTotal and Jotti, which uses 30+ scanners to verify a NEW object with the limit of 10mb, which is again an incomplete solution, which is very typical for security.