Webroot Rollback Feature?

Discussion in 'other anti-virus software' started by ttomm1946, Sep 26, 2014.

  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I have been considering trialling WSA, but I am trying to understand whether the WSA rollback feature is compatible with Shadow Defender, which I use in conjunction with AppGuard.

    I have two partitions: a system partition which is permanently in Shadow Mode (virtualized), except for regular maintenance slots; and a data partition, which is in Normal Mode (non-virtualized).

    On the assumption that the monitoring done by the WSA rollback feature for all partitions is recorded within a single unified set of log files on the system partition, I am wondering how this would work with Shadow Defender in my case.

    If the WSA monitoring log files are not excluded from Shadow Mode then all changes to the system partition logged by WSA while in Shadow Mode will be discarded on reboot. This is fine for the system partition as there would be nothing to roll back, but the data partition may have had changes that could not now be rolled back later if necessary.

    Alternatively, if the WSA monitoring log files are excluded from Shadow Mode then all changes recorded in the WSA log files while the system partition is in Shadow Mode would persist within the log files on reboot. The WSA log files would then be corrupt as they would contain a log of changes to the system partition that no longer exist on the partition after the reboot.

    Of course, if a separate set of WSA monitoring log files is maintained for each partition, with each set recording only the changes taking place on the associated partition then there shouldn't be a problem, providing they are clearly identifiable so that the appropriate Shadow Defender exclusions can be made; but I don't understand enough about the WSA rollback feature to know if that's how it works.
     
    Last edited: Oct 18, 2014
  2. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Hello pegr. :)
    Although I don't use Shadow Defender myself, WSA should be fully compatible (incl Rollback) with it, and I daresay many have both installed, without issues. There may be a need for some whitelisting of files, depending on what you find.
    I can't see many reports of problems with SD and WSA at Webroot Community, but these two threads are probably worth a read.
    https://community.webroot.com/t5/We...ctionality-of-Shadow-Defender/m-p/62687#M3226
    https://community.webroot.com/t5/We...ills-Shadow-Defender-at-boot/m-p/132485#M7778

    compatibility addition in WSA 8.0.1.165 changelog:
    https://www.wilderssecurity.com/threads/wsa-update-v8-0-1-165.321480/#post-2037530

    edit: Your question/theory re partitions is best answered (hopefully :) ) by a more knowledgeable member than me.
     
    Last edited: Oct 18, 2014
  3. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    What about when the shields do not block the communication? https://www.mrg-effitas.com/wp-cont...tification-Project-2014-Q2-Report-Level-1.pdf

    (It was not a simulator.)
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks for the reply and the links to the threads, Dermot7. :)

    My main concern regarding compatibility is in relation to the WSA rollback feature. Unless WSA maintains separate monitoring log files for each disk volume, I can't see how the WSA rollback feature could work across multiple disk volumes without SD's Shadow Mode causing the WSA log files to become corrupted on reboot.
     
  5. Rakanisheu

    Rakanisheu Guest

    Hello Pegr, I have not used Shadow Defender but I am going to test it now. I know a number of people use it on our community without any issues. You are correct: journalled files are stored in a central location; it doesn't matter where the original file executes from, be it another physical drive, partition, external drive etc. You could always set Shadow Defender to the allow list and WSA won't monitor it. However I won't say much more until I test it. I will get back with my findings later today.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    And what about installing WSA only after having infected the system? There is of course space for improvement but, for example, the Spyeye sample that managed to communicate to the internet was fully killed if installed after WSA ;)
     
  7. Rakanisheu

    Rakanisheu Guest

    That's a tidy piece of software, that Shadow Defender. To the people that use it on here, can you explain your thinking behind using it rather than Sandboxie or similar? Just interested to get people's views.

    I am going to keep testing it as I have a few things I want to throw at it.
     
  8. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    @Rakanisheu

    I use ShadowDefender to test-drive programs for which Sandboxie is unsuitable, like when the program requires to install a driver or service.
     
  9. Rakanisheu

    Rakanisheu Guest

    Perfect thanks!
     
  10. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Roy,

    Apologies for the delay in replying but my Internet connection has been down.

    There are two ways people typically use Shadow Defender. Some just use it on demand for software testing and higher risk activities, e.g. web browsing. Others, like myself, prefer to keep the system partition permanently virtualized during normal operation to maintain a stable system state, only bringing the system out of Shadow Mode to apply system and other software updates.

    With WSA central logging, all changes recorded in the WSA change logs while Shadow Mode is enabled on the system partition will either be discarded or will persist after a reboot, depending on whether the WSA change logs were included in, or excluded from, SD virtualization. Either way, the WSA central logging of multiple partitions will be inconsistent with the changes to the file system if not all partitions were in Shadow Mode before the reboot. Adding Shadow Defender to the WSA allow list wouldn't help.

    Providing the WSA rollback feature never gets activated, I don't see a problem using SD and WSA together, but I don't know whether there would be a risk of file system corruption after an attempted rollback of file system changes using WSA change logs that no longer match the state of the file system as it exists on disk.

    Regards
    pegr
     
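The consistency problem pegr raises (a central change journal that is excluded from Shadow Mode and therefore outlives a reboot that reverted the system volume) can be made concrete with a small model. The following is an added example and is not Webroot's or Shadow Defender's code: the Disk, Journal, and rollback functions are hypothetical, the journal layout (pre-change contents plus a hash of the post-change contents) is an assumption, and the assumption that only monitored writes are journalled while a trusted edit goes unjournalled is taken from Rakanisheu's remark about the allow list, not from any documented WSA internals. The point it shows is the check a rollback engine needs: before reverting an entry, confirm the file on disk still matches the state the journal recorded after the change; a stale entry (its volume was reverted by Shadow Mode) must be skipped rather than applied.

```python
"""Constructed model: central change journal vs. a volume reverted on reboot.

Hypothetical classes, not WSA's or Shadow Defender's implementation.
"""
import hashlib


def digest(data):
    """SHA-256 of file contents; None stands for 'file absent'."""
    return hashlib.sha256(data).hexdigest() if data is not None else None


class Disk:
    """Two volumes: C (system, can be put in Shadow Mode) and D (data)."""

    def __init__(self):
        self.volumes = {"C": {}, "D": {}}
        self.shadow = None  # (volume, snapshot taken when Shadow Mode began)

    def read(self, vol, path):
        return self.volumes[vol].get(path)

    def write(self, vol, path, data):
        if data is None:
            self.volumes[vol].pop(path, None)  # None means delete
        else:
            self.volumes[vol][path] = data

    def enter_shadow(self, vol):
        self.shadow = (vol, dict(self.volumes[vol]))

    def reboot(self):
        """Shadow Mode discards every change on the shadowed volume only."""
        if self.shadow:
            vol, snapshot = self.shadow
            self.volumes[vol] = snapshot
            self.shadow = None


class Journal:
    """One central journal for all volumes (assumed to be excluded from
    Shadow Mode, so its entries survive the reboot)."""

    def __init__(self):
        self.entries = []

    def monitored_write(self, disk, vol, path, data):
        """A write by a monitored process: record pre-state and post-hash."""
        old = disk.read(vol, path)
        disk.write(vol, path, data)
        self.entries.append(
            {"vol": vol, "path": path, "old": old, "after": digest(data)}
        )


def naive_rollback(disk, journal):
    """Undo every entry blindly, newest first. Returns what was restored."""
    restored = []
    for e in reversed(journal.entries):
        disk.write(e["vol"], e["path"], e["old"])
        restored.append((e["vol"], e["path"]))
    journal.entries.clear()
    return restored


def checked_rollback(disk, journal):
    """Undo an entry only if the file still matches the recorded post-state.
    Entries whose volume was reverted by Shadow Mode no longer match and are
    reported as stale instead of being applied."""
    restored, stale = [], []
    for e in reversed(journal.entries):
        if digest(disk.read(e["vol"], e["path"])) != e["after"]:
            stale.append((e["vol"], e["path"]))
            continue
        disk.write(e["vol"], e["path"], e["old"])
        restored.append((e["vol"], e["path"]))
    journal.entries.clear()
    return restored, stale


def scenario(rollback):
    """Constructed sequence: C shadowed, malware touches both volumes, reboot
    reverts C only, a trusted unjournalled edit follows, then rollback."""
    disk, journal = Disk(), Journal()
    disk.write("C", "hosts", b"clean")
    disk.write("D", "report.doc", b"v1")
    disk.enter_shadow("C")
    journal.monitored_write(disk, "C", "hosts", b"hijacked")
    journal.monitored_write(disk, "D", "report.doc", b"encrypted")
    disk.reboot()                        # C back to b"clean"; D keeps b"encrypted"
    disk.write("C", "hosts", b"custom")  # trusted edit in a maintenance slot
    return disk, rollback(disk, journal)


if __name__ == "__main__":
    d, r = scenario(naive_rollback)
    print("naive  :", d.read("C", "hosts"), d.read("D", "report.doc"), r)
    d, (r, s) = scenario(checked_rollback)
    print("checked:", d.read("C", "hosts"), d.read("D", "report.doc"), r, "stale:", s)
```

Naive rollback applies the stale C entry and overwrites the later legitimate edit with the pre-shadow contents, which is the kind of mismatch pegr is worried about; the checked version restores only the D file that the journal still describes accurately and reports the C entry as stale. Whether WSA performs an equivalent check is not something this thread establishes.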