The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. The Shadow (Registered Member)

    Thanks aladdin. If I understand correctly, you are saying that it doesn't matter if IFW is installed before or after SD is installed, their respective UpperFilters position will be the same?

    If that's the case, do you have any theory re my SD-IE9 problem - which surfaced immediately after installing IFW?

    TS
    Last edited: Aug 1, 2012
  2. aladdin (Registered Member)

    Can you please post the drivers shown in the UpperFilters of your registry?

    Please post them in the order they are shown.

    Best regards,
  3. EASTER (Registered Member)

    sdmod

    To your knowledge of SD, is it at all capable of also dumping any type of file infector virus that would, let's say, when activated while "IN" Shadow Mode, possess a coded payload to infect/distort exe files etc.?

    Thanks and w/much anticipation looking forward to your answer.

    EASTER
  4. sdmod (Registered Member)

    All that I can say, Easter, is that at the time of the release of 1.1.0325 there was a concerted effort to show that Shadow Defender was susceptible to attack by various state-of-the-art viruses/rootkits, but as far as I know nothing touched it. There was some suggestion on the ssj100 forum that Shadow Defender might have hidden Anti-Virus/Anti-Executable protection.
    http://ssj100.fullsubject.com/t147p45-shadow-defender-bypassed-by-tdl-rootkits



  5. The Shadow (Registered Member)

    aladdin,

    As of now the contents of the UpperFilters are as follows:

    phylock
    PartMgr
    diskp

    Now, having uninstalled SD and reinstalled it with IFW already on my system, I am no longer experiencing the IE9 lock-ups. :) ... and as I never checked the UpperFilters when I installed IFW after SD had been on my system for some time (when I started incurring the IE9 lock-ups), I don't know the order of the UpperFilters contents at that time!

    TS
    Last edited: Aug 2, 2012
  6. aladdin (Registered Member)

    Dear TS,

    Thanks for posting the above. When you install a program, that program puts itself at the very top of the UpperFilters. Only SD puts itself at the bottom of the UpperFilters, just like in your case. So when you uninstalled SD and reinstalled SD, the order of the drivers in the UpperFilters remained the same and didn't change; thus IFW had nothing to do with your IE9 lock-ups. It must be something else, not IFW.

    You remember your imaging problems when you installed IFW on top of RBrx and tried to image your drive with IFW, which captured only your baseline of RBrx? It is because the UpperFilters in your system would have looked like the following, as IFW was installed last:

    phylock
    Shield
    PartMgr
    diskp

    In the above scenario you should have done only HOT sector-to-sector imaging to capture all your RBrx snapshots, including the baseline snapshot. Only IFW allows this; no other imaging program does.

    When you uninstalled RBrx and reinstalled it with IFW already on your system, your UpperFilters would have looked like the following, as RBrx was installed last:

    Shield
    phylock
    PartMgr
    diskp

    In the above scenario you would be able to image your drive with IFW and retain the current snapshot of RBrx.

    BTW, you can manually change the order of the UpperFilters while both IFW and RBrx are installed to achieve the desired imaging with IFW, or with any other programs, such as O&O DiskImage, BestCrypt and so forth, to ensure there is no conflict with RBrx.

    Best regards,
    Last edited: Aug 3, 2012
  7. aladdin (Registered Member)

    Dear TS,

    I don't remember the name of the SD driver in the UpperFilters, as I don't have SD on any of my systems. However, I don't see the driver for SD in your UpperFilters.

    Is it diskp?

    Best regards,

    Edit: Is it diskpt and not diskp (a typo)?
    Last edited: Aug 3, 2012
  8. sdmod (Registered Member)

    I think it's diskpt.sys

  9. Dark Shadow (Registered Member)

    Yes it is diskpt.sys
  10. aladdin (Registered Member)

    LOL! I like your new name. Almost got confused myself with The Shadow.

    Many thanks to sdmod and you for confirming this.

    Best regards,
  11. The Shadow (Registered Member)

    Confirmed, aladdin, it is diskpt in the UpperFilters ... sorry about my typo when posting the contents. :oops:

    But I'm confused about your recollection of my RollBack Rx issue (I always create a hot image when backing up). o_O

    TS
    Last edited: Aug 3, 2012
  12. aladdin (Registered Member)

    If you remember correctly, you installed RBrx first and then later on installed IFW, thus resulting in the following UpperFilters:

    Phylock
    Shield

    And then you are correct that you did a HOT Regular image with IFW, resulting in IFW capturing only your baseline snapshot of RBrx. Based on the above UpperFilters, you should have done a HOT sector-to-sector image with IFW to capture all your snapshots, including the baseline snapshot of RBrx.

    If you wanted to do a HOT Regular image with IFW and capture only your current snapshot of RBrx, then your UpperFilters should be as follows:

    Shield
    Phylock

    Rather than manually correcting the above in the registry, you corrected this by uninstalling and reinstalling RBrx while IFW was still installed.

    You can go back to your thread and check. Being 60 years old, memories are the only thing I have left ..... :D

    You are right; at first I assumed that you did COLD Regular imaging with IFW ......

    Best regards,
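A check for the filter order aladdin describes here and in post 6, added as an example that is not code from the thread, from Shadow Defender, IFW or RollBack Rx: it reads the UpperFilters value of the DiskDrive class key (the class GUID below is the standard Windows one; that these three filters register there is an assumption) and applies the rule quoted above to the driver names the thread gives (phylock, Shield, diskpt).

```powershell
# Added example, not code from the thread or from any of the vendors discussed.
# Assumption: phylock (IFW), Shield (RollBack Rx) and diskpt (Shadow Defender)
# register under the DiskDrive class key, whose GUID is the standard value below.
$DiskClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

function Get-DiskUpperFilters {
    param([string]$Key = $DiskClassKey)
    # UpperFilters is a REG_MULTI_SZ; PowerShell returns it as a string array in
    # the order the thread quotes (first entry = what aladdin calls the top).
    $item = Get-ItemProperty -Path $Key -Name 'UpperFilters' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.UpperFilters)
}

function Test-ImagingOrder {
    param([string[]]$Filters)
    if ($null -eq $Filters) { $Filters = @() }
    # Map each filter name to its list position (0 = first entry).
    $pos = @{}
    for ($i = 0; $i -lt $Filters.Count; $i++) { $pos[$Filters[$i].ToLower()] = $i }

    $report = [ordered]@{
        Order          = ($Filters -join ' > ')
        ShadowDefender = $pos.ContainsKey('diskpt')
    }
    if ($pos.ContainsKey('phylock') -and $pos.ContainsKey('shield')) {
        if ($pos['phylock'] -lt $pos['shield']) {
            # phylock listed above Shield (IFW installed after RollBack Rx): a regular
            # hot image sees only the baseline, so a sector-to-sector image is needed.
            $report.Advice = 'phylock above Shield: use a HOT sector-to-sector image with IFW'
        } else {
            $report.Advice = 'Shield above phylock: a HOT regular image captures the current snapshot'
        }
    } else {
        $report.Advice = 'IFW and RollBack Rx are not both listed; no imaging-order conflict'
    }
    return [pscustomobject]$report
}

# Check the live registry, then the two orders quoted in the thread.
Test-ImagingOrder -Filters (Get-DiskUpperFilters) | Format-List
Test-ImagingOrder -Filters @('phylock', 'Shield', 'PartMgr', 'diskpt') | Format-List
Test-ImagingOrder -Filters @('Shield', 'phylock', 'PartMgr', 'diskpt') | Format-List
```

Run it before taking an image so the report, rather than the outcome of the backup, tells you which IFW mode the current order calls for.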
  13. The Shadow (Registered Member)

    I'm glad that you are on top of this because it's rather much for me! In any case, now (and in the future) I shouldn't have any concerns about the relative positions of 'phylock' and 'shield', as I no longer use RollBack Rx - a really cool program when it works, but when it messes up.... :eek:

    But getting back on topic, my love affair with SD continues because it works simply and effectively! :thumb:

    TS
    Last edited: Aug 3, 2012
  14. Dark Shadow (Registered Member)

    Formerly Djohn. Yes, sorry, got tired of being a john, but not that kind of john. :p
  15. WSFfan (Registered Member)

    Re: Shadow Defender

    I have Rollback Rx installed. Can I install SD now? Will I have a problem?
  16. sdmod (Registered Member)

    Re: Shadow Defender

    I love the idea of rollback/snapshot type programs but (in my own experience) even if they run well for some time there will come a day when you end up (usually through no fault of your own) with a mangled system. I would be very careful of putting a program like this alongside Shadow Defender.
    When I read reviews and forums I see that Rollback RX (although many extol its virtues) can still cause some users major problems such as blue screens, spontaneous re-booting etc. I've often considered trying it myself, but I think I would only risk it if I had a brand new operating system on and not a lot to lose if some unforeseen conflict occurs.
    Maybe members that run in virtual environments have tested these together? Shadow Defender is robust (as far as I know) and I'd be interested to know if multiple programs like these can sit happily together for an extended period of time without conflict or causing mind boggling mental juggling. ;)

    PS If you are going to try anything like this, have a good instantly usable backup of your system (made just before the "experiment") and kept outside your PC; then you won't end up staring at a blue screen with lots of indecipherable numbers and letters with a very pale face if the worst happens. :)


    Last edited: Aug 4, 2012
  17. umbrapolaris (Registered Member)

  18. TaranScorp (Registered Member)

    Ok, I want to try SD. I find SD fascinating.
    Right now I'm using Opera12 as my browser and running WSA and EAM realtime.
    With Malwarebytes and SuperAntispyware on demand.
    Can anyone tell me what I should configure and look out for with this trio?
    My thinking is that SD will protect my system and WSA and EAM will protect any open vulnerabilities I will create by having exclusions and download folders.

    Great Thread
  19. sdmod (Registered Member)

    When testing something new like this, don't rush, take your time. First make sure that you have a good instantly usable backup (kept outside the machine) (consider what you might have to lose in a worst case scenario), and that you do extensive research as to what to exclude/commit etc. when running Shadow Defender, particularly when configuring deep-rooted programs like anti-virus or other programs that might run at a kernel level (e.g. mangle up your entire system if anything goes wrong).

    nb
    Some of the things that you mention running I don't know what they are because I'm not familiar with the abbreviations.

    I tend to do my updating of Malwarebytes, anti-virus etc. when not in Shadow Mode so as to not cause problems, but other members here have their own configuration strategies for programs like these.

    Last edited: Aug 4, 2012
  20. umbrapolaris (Registered Member)

    WSA = Webroot Secure Anywhere
    EAM = Emsisoft Anti-Malware

    I agree with SDmod, all must be done step by step after wise and deep googling.
  21. Dark Shadow (Registered Member)

    @TaranScorp, as Sdmod said, just be careful. I have SD on one system and DeepFreeze on another, and I have both systems boot in virtualization. I usually never run realtime AV, but yesterday I decided to trial WSA AV on the system with DeepFreeze, and here is where it gets crazy.

    Shortly after getting everything set up and playing nice, I booted back to a frozen state with DF, and at some point WSA flagged one of the two executables and quarantined it. The executable was the GUI control to disable DF from what they call Frozen or Thawed. A restore from WSA quarantine did not help, as the file was damaged/missing. Well, turns out the service was still running, so that left me stuck in a frozen state, meaning nothing will stick because all changes are disregarded after reboot.

    What does not work to fix this problem is reinstalling a fresh copy, because the system needs to be thawed first. Also Restore will not work on top of safe mode last good configuration. So basically what I am saying is have a backup plan in place, a recovery image or a format ready.

    Shadow Defender works pretty much the same with respect to its intended purpose while in Shadow Mode. Just giving you a heads up that things can go wrong when a critical part is corrupted.

    I formatted mine and returned to DeepFreeze minus any realtime AV or AM, and it runs perfectly, just as Shadow Defender does on my other system with no realtime AV or AM.

    Note! I am not saying don't use an AV, but just keep in mind what happened to me can happen to you from a false positive. Sometimes a FP can do more damage than a virus, and restoring from quarantine may not always work, as in my case it didn't.
    Last edited: Aug 4, 2012
  22. TaranScorp (Registered Member)

    Well, I took a lot of notes after reading forty-eight pages of SD material. So far I have excluded the WSA folder and the EAM signature folder, and am working on what Opera stuff to exclude. Oh yea, need to create a download folder to exclude. Also I am excluding the mail folder in Opera.
    Last edited: Aug 4, 2012
  23. Dark Shadow (Registered Member)

    Providing everything goes well for you, I think you're really going to like SD. Best of luck.
  24. TaranScorp (Registered Member)

    Well, everything was going smooth as silk and then came the Opera. Opera12 is being really difficult when it comes to figuring out what to exclude to save your Bookmarks and Mail. No traditional folders for these items. There's all the stuff in C:/Documents and Settings/Opera and a whole lot more stuff in C:/Program Files/Opera.
    Googling is not helping at all.

    Ok, I found all the correct paths to everything; you have to click on "About Opera" and you get a page with a listing of where everything is. :)

    I have an external drive that I'm going to back up to so if something goes awry I can just take and install it in my machine and I'm good to go.
    Last edited: Aug 4, 2012
  25. EASTER (Registered Member)

    Which is the current version "I use", as well as I'm sure most all others that are aware of its capabilities/virtual protection qualities!

    One in my collection that I keep/study is a notorious virus named Sality; more than once I experienced some of its dreadful coded results that wreaked incredible havoc, and NO AV whatsoever, in my experience, could clean ALL of its infection. Indeed, it is craftily coded to exercise maximum disruption to the point of no remedy except full wipe and reformat. Given the nature of this thing, I have of course been curious whether, through some form of a formidable and intelligent virtual-state system, this form of technology might just possess the right combination of internal coding that could render such a virii just another entry to be erased after a simple reboot.

    SD dismisses rootkits with simple ease, and in fact rootkits IMHO are inherently harmless anyway, in that they rely on hidden means to carry out their coded instructions and/or lodge themselves in a system from place to place, seeming to disappear only to reappear somewhere else. Like hide and seek!
    File infector viruses, on the other hand, are designed to infiltrate as many executables & what-have-you as possible by re-writing their code completely, whether in the header section/end or wherever, and render files completely useless; many times, even if the best AVs claim to clean, they cannot eradicate it completely, nor can the user be assured all is restored to normal again.

    This SD is proven vastly resilient in so many ways, and especially when it comes to MBR distorters, or even if you manually fudge the MBR table. After a reboot, the restoration is renewed again.

    I was just curious if the same might apply to file infector viruses while in Shadow Mode.

    Thanks, SDmod, for your insight, responses, and continued support of all of us users of Shadow Defender.

    Regards EASTER