RollBack Rx & Shadow Defender

Discussion in 'backup, imaging & disk mgmt' started by bgoodman4, Jun 6, 2012.

Thread Status:
Not open for further replies.
  1. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    We are told that SD will reverse ALL changes to a drive that were made while in Shadow Mode. It would appear that in at least one case this is incorrect. While in Shadow Mode I created a snapshot with Rx. Upon reboot the snapshot was still there. Given this, it would seem to me that if Rx snaps can be hidden from SD, malware could be as well.

    It is not my intention to knock or challenge SD but to get a better understanding of what it is capable of. Does it in fact add extra protection beyond what Rx can provide, or do the 2 approaches to security complement each other? To this end I look forward to comments.
     
  2. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Rollback Rx installs itself on top of Windows, thus it is available before Windows. However, SD puts Windows in a Virtual Environment, and when Shadow Mode is on any infection is contained within the Virtual Environment; when you reboot, this Virtual Environment is destroyed.

    The snapshot, even though you took it within Windows, was taken outside Windows, as Rollback Rx sits on top of Windows. For this reason, you can uninstall Rollback Rx outside or inside Windows, take a snapshot outside or inside Windows and roll back the system outside or inside Windows.

    IT ALL HAPPENS OUTSIDE WINDOWS.

    Best regards,

    KOR!
     
  3. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Take it easy KOR, no need to be so condescending and rude towards him.
     
    Last edited: Jun 7, 2012
  4. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    I understand that Rx works underneath Windows; my question is: does SD add any protection that Rx does not? In addition, if you need to reboot for both to get back to a known clean state, is there any advantage to using SD on a system that has Rx installed, or is it 6 of 1 and a 1/2 dozen of the other? I could see an advantage if you could exit shadow mode without having to reboot, but seeing as you need to go through the somewhat longer Rx boot process in order to get out of shadow mode anyway, the question is why bother with SD.
     
  5. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    659
    Location:
    USA
    Absolutely. Tests have shown that Rollback can be penetrated by some serious rootkits, whereas SD is able to contain them within its virtualized environment (discarding them on reboot).


    Because as useful as Rollback is there's malware out there that can penetrate Rollback's 'armor' to the extent of infecting all of its snapshots! So without additional protection (SD or anti-malware) you could get an infection where even rolling-back to a snapshot taken before the infection occurred still wouldn't result in a clean system!!!

    Scott
     
    Last edited: Jun 6, 2012
  6. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    Thanks Scott, I expected this answer or you would not be using the 2 together.

    I had SD on my desktop and decided to try it on my laptop (where I have Rx) since you had said you used them on the same machine. When I ran the test noted in my OP I was mildly surprised to find that SD did not get rid of the snap (that is, I did not really expect it to). I understand why, but do not understand how SD can protect the PC if malware is able to penetrate to Rx's snaps. In fact, it seems to me that the ideal place for malware to hide would be where Windows cannot see it... i.e. where Rx stores its snaps etc.

    Do you have any idea why it is the case that SD can protect against these nasties but Rx cannot? It's more a curiosity thing on my part. I have no trouble adding another layer of security to my PC even if I do not understand how or why (or even if) it works to enhance security, especially since the layer being added has no discernible negative effect on performance.

    I kind of feel it's overkill but...
     
  7. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    I said the opposite. I said that Rollback Rx works over, on top of Windows and not underneath the Windows.

    Best regards,

    KOR!
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    As far as I know SD protects the MBR, RBRx doesn't and therefore it is vulnerable to rootkits. Having said this, using any good antivirus with RBRx should be sufficient to block malware affecting the MBR. Even SD could be compromised by new malware eventually.

    In my experience I found it overkill using the two together, as a matter of fact I'm not using RBRx at the moment until the activation issue is resolved, but this of course is another issue.
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I'm not sure it's as broad as that, or that's the right way of explaining it. From previous discussions on this subject (including commentary from Coldmoon) SD has a very specific anti-malware component (under the hood) that is designed to block specific malware that targets the MBR.

    It effectively does the same thing as the anti-exec and anti-malware components of Returnil without admitting that that's what it's doing, i.e. there's no setting in SD to "Disable Anti-malware/anti-exec".
     
  10. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    The way I see it, SD puts your OS in a virtual state and clears that state when you shut down. RB is a snapshot of the present state of your OS and that's it. You can however, roll back to a previous snapshot should you need to.
    I can cautiously suspect that the activation issue in RB may have been fixed with the last two builds. I just uninstalled and then installed the newest build smooth as silk for the first time without a problem activating. :)
     
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    It is good to know it works for you, I might give it a try soon.
     
  12. lurker20

    lurker20 Registered Member

    Joined:
    Feb 20, 2012
    Posts:
    53
    I have a question. Please excuse me if this is stupid.

    If I install an application A with Shadow Defender turned on and then take an Rx snapshot with name S, say after a couple of reboots I restore to snapshot S with Rx, will I get the application A back that I installed?
     
  13. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    I believe you would. I don't have either Rollback Rx or Shadow Defender on my computer. Maybe BGoodMan4 or Scott should try and let us know.

    Best regards,

    KOR!
     
  14. lurker20

    lurker20 Registered Member

    Joined:
    Feb 20, 2012
    Posts:
    53
    Thanks KOR, I have SD and keriver free combo
     
  15. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    You are welcome. SD is the best but unfortunately, I cannot use it due to having SSDs on my computers. Also, I have lots of paid imaging programs, and this includes keriver pro.

    Best regards,

    KOR!
     
  16. 2YsUR

    2YsUR Registered Member

    Joined:
    Jun 3, 2012
    Posts:
    61
    This is a very interesting thread on how some of this software does its job behind the scenes.

    Unfortunately, over on the Norton forums there are numerous reports of people with updated top of the line Norton software (N360 & NIS) getting infected with very nasty rootkits. I’m sure this happens with all brands of AV software as none offer 100% protection.

    For better protection I supplement RBrx with an imaging software and regular backups to an otherwise unattached external drive.
     
  17. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Boy that's a riddle. If you have SD turned on and install app A, and then take a snapshot named S while still in SD mode, app A will be in snapshot S. As soon as you shut down while still in snapshot S you will lose the app in snapshot S. I'm guessing, but due to the fact that you aren't in the original snapshot any more it might still be there until you go into the original snapshot again while not in SD, and then you might lose the app there too. o_O
     
  18. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    So what are you trying to say :p
     
  19. lurker20

    lurker20 Registered Member

    Joined:
    Feb 20, 2012
    Posts:
    53
    Didn't mean to confuse any users here, but just wondering if there is an opportunity to commit virtual sessions as a backup.
     
  20. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    "Best" compared to what, and according to whom?

    That's YOUR assumed opinion.

    SD in many people's opinion is a risky piece of worthless software, surrounded in controversy and uncertainty.

    I wouldn't risk using SD.:thumbd: Besides it was doing strange things on my laptop, even the 325 version floating around from KOR, and many people have reported BSOD's etc.
     
  21. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    Funny you should say that... after years of no activation problems I experienced the problem for the first time when I tried to activate Rx with the latest build. I went to Horizon live chat and had the problem resolved in minutes, but the problem has not been fixed for everyone. Perhaps those who had issues previously will now be fine and those who were OK before are now in for a bit of fun.
     
  22. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    Interestingly enough, a snapshot taken while SD is in shadow mode does not pick up and retain the installation of an app, and I would expect it would retain nothing else (new files, updated files, etc.). I half expected SD to be active once I rolled back to the snap that was created while the PC was in SM, but this turned out not to be the case.
     
  23. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    ARGHH! :p
     
  24. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    What it says. I am tracing what happens through the procedure. Am I correct?
     
  25. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    Without going back to your post I am not sure exactly what the procedure was you were outlining. However, it does not matter, since even though Rx is taking and retaining a snap during the SM session it is not picking up what is happening inside the SM session. I suspect it is capturing the state of the drive outside the virtual PC, that is, the underlying real drive. This frankly is a relief, as it indicates that SD really does add an extra layer of security.

    In addition, and apart from the degree of security either program offers, SD is able to restore the pre-virtual state of the drive without a reboot. A simple shutdown will suffice. With Rx you need to go through the rollback and boot procedure... then, if you are done for the day, you can shut down the PC. So now, instead of having to roll back, I can enter SM at the end of the day and check (for example) suspicious but possibly legit e-mails and then simply exit SM by shutting down the system. Not a big deal, but it is more convenient than having to wait for the rollback process to take place.
     
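The behaviour the thread converges on (post #12's question, post #22's and #25's observation that a snapshot taken in Shadow Mode captures the real drive rather than the session, and posts #5 and #8's claim that a write reaching the disk underneath the snapshot driver survives every snapshot) can be made concrete with a small sector-level model. The code below is an added illustration written for this page; it is not Shadow Defender or Rollback Rx code and makes no claim about how either product is implemented. It assumes two stacked layers: a snapshot store that tracks OS writes in per-snapshot overlays (the Rx role) and a volatile copy-on-write cache above it that is thrown away on reboot (the SD role). Sector numbers, the `write_below` bypass path and the sector contents are constructed for the example.

```python
"""Toy model of a volatile shadow layer stacked on a snapshot layer.

Added illustration, not vendor code. Sector numbers and contents are
constructed; write_below() is a hypothetical path modelling a write that
reaches the physical disk without passing through either filter.
"""
from typing import Dict, List, Tuple

MBR = 0    # sector 0: boot code
APP = 100  # sector where a hypothetical application A is installed


class SnapshotDisk:
    """Below-the-OS snapshot store (the Rollback Rx role in the model).

    OS writes land in the current overlay. snapshot() freezes that overlay
    under a name, so the state "as of" a snapshot is the base plus every
    frozen overlay up to and including it. rollback() discards everything
    newer than the target. Only write_below() changes base sectors.
    """

    def __init__(self, base: Dict[int, bytes]):
        self.base = dict(base)
        self.frozen: List[Tuple[str, Dict[int, bytes]]] = []
        self.current: Dict[int, bytes] = {}

    def read(self, sector: int) -> bytes:
        if sector in self.current:
            return self.current[sector]
        for _, overlay in reversed(self.frozen):   # newest overlay wins
            if sector in overlay:
                return overlay[sector]
        return self.base.get(sector, b"\x00")

    def write(self, sector: int, data: bytes) -> None:
        self.current[sector] = data                 # tracked by the driver

    def write_below(self, sector: int, data: bytes) -> None:
        """Hypothetical write the snapshot driver never sees."""
        self.base[sector] = data

    def snapshot(self, name: str) -> None:
        self.frozen.append((name, self.current))
        self.current = {}

    def rollback(self, name: str) -> None:
        names = [n for n, _ in self.frozen]
        self.frozen = self.frozen[: names.index(name) + 1]
        self.current = {}


class ShadowLayer:
    """Volatile copy-on-write layer the OS sees in shadow mode (the SD role).

    Reads fall through to the lower layer; writes stay in a cache that
    reboot() discards, so the lower layer never sees them.
    """

    def __init__(self, lower: SnapshotDisk):
        self.lower = lower
        self.cache: Dict[int, bytes] = {}

    def read(self, sector: int) -> bytes:
        return self.cache.get(sector, self.lower.read(sector))

    def write(self, sector: int, data: bytes) -> None:
        self.cache[sector] = data

    def reboot(self) -> None:
        self.cache = {}


def snapshot_taken_in_shadow_mode() -> Tuple[bytes, bytes]:
    """Install A in shadow mode, snapshot S, reboot, roll back to S.
    Returns (APP sector seen during the session, APP sector after rollback)."""
    disk = SnapshotDisk({MBR: b"boot", APP: b"empty"})
    disk.snapshot("clean")
    shadow = ShadowLayer(disk)
    shadow.write(APP, b"app A")     # the install only reaches the shadow cache
    seen_in_session = shadow.read(APP)
    disk.snapshot("S")              # snapshot layer freezes the real disk state
    shadow.reboot()                 # shadow mode ends, cache discarded
    disk.rollback("S")
    return seen_in_session, disk.read(APP)


def mbr_write_through_shadow() -> Tuple[bytes, bytes]:
    """An MBR write that goes through the normal OS path in shadow mode.
    Returns (MBR during the session, MBR after reboot)."""
    disk = SnapshotDisk({MBR: b"boot"})
    disk.snapshot("clean")
    shadow = ShadowLayer(disk)
    shadow.write(MBR, b"evil")
    during = shadow.read(MBR)
    shadow.reboot()
    return during, disk.read(MBR)


def mbr_write_below_both_layers() -> Tuple[bytes, bytes]:
    """A write that reaches the disk underneath both filters: it is in no
    overlay, so reboot and rollback to 'clean' both leave it in place.
    Returns (MBR after reboot, MBR after rolling back to 'clean')."""
    disk = SnapshotDisk({MBR: b"boot"})
    disk.snapshot("clean")
    shadow = ShadowLayer(disk)
    disk.write_below(MBR, b"evil")  # bypasses the shadow cache and the overlays
    shadow.reboot()
    after_reboot = disk.read(MBR)
    disk.rollback("clean")
    return after_reboot, disk.read(MBR)
```

The model only shows why a snapshot taken above the shadow layer's lower edge cannot contain the session's writes, and why a write that lands below the snapshot layer is invisible to every rollback; whether a given rootkit can actually reach that path on a real system is exactly the question the posts above leave open.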