The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Frezhnacz
    Patrick, some time ago Tony set me up with a custom build (1.4.0.589) which solved a reboot problem I had with an encrypted EVO SSD drive (back in the days of the SD forum). I'm curious if the newer releases are now compatible for me, or must I stay with my existing build?
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Since you mention a hang, I recall an email from Tony.
     
    Last edited: Aug 6, 2016
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Thanks, I'm aware that too much RAM assigned to the write cache may slow down the system and eventually freeze it once it is used up... I have 8GB of RAM and I have never assigned more than 3-4 GB. The problem would occur intermittently especially when many USB flash drives were plugged in during a shadow session (in my job sometimes that happens). It is not a real problem though, the beauty of SD is that no matter what happens, it will always allow you to reboot out of shadow mode to the original volume.
     
  4. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,159
    Good question Telos,
    I don't know for certain but if you are not having the problem I would stay with 1.4.0.589 for now.
    I think that probably you would be ok. I've emailed Tony and will post here if/when I receive a reply.

    Patrick

     
    Last edited: Aug 6, 2016
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I am a newbie to SD.
    "Current volume status" is not showing all my volumes.
    It is getting the main volumes on my SSD, but I have a HDD that is divided into two simple NTFS volumes, and SD is only showing one of them.
    I want SD to protect my whole system.
    What to do?
    See attached screenshots.
    SD Version: 1.4.0.648
    Windows 10 x64
     

    Attached Files: 1.PNG, 2.PNG
  6. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Frezhnacz
    Once upon a time drive designations "A:" and "B:" were set aside for floppy drives. I'm wondering if that might not be your problem. Can you temporarily change the drive letter for your Backups volume to see if that has an effect?

    I'm just guessing here...
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Hey, good call! That was it. I thought 'B' for backup was a really cute idea...

    And I assume I don't have to worry about SD seeing the little system partitions?
     
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Those are hidden partitions which aren't for normal use... so SD is not able to cover them.
     
  9. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    SD automatically protects the boot partition, even if it doesn't appear in the Windows Explorer or in SD because it doesn't have a letter assigned.

    If you want to protect the "Recovery" partitions, you may assign a letter to them, so that they appear available to virtualize.
     
  10. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    I'm posting this just to make sure SD users are aware: it's probably been posted before, but it's never a good idea to allow kernel mode access to untrusted programs. Once they've gained kernel access/installed drivers they have the same level of privilege as SD and can bypass it if they're specifically programmed to.

    If you're interested in testing, download Hitman Pro and install it in Shadow Mode. Perform an Early Warning Scoring scan (has to be enabled in options), and depending on some factors (file date etc.) it should detect critical drivers and Windows components, including diskpt.sys from SD.
    Capture1.PNG Capture2.PNG
    Mark the diskpt.sys file for deletion and reboot. You'll end up with this:
    Capture.PNG

    In HMP you'll be able to delete drivers that aren't protected by Windows File Protection. I've managed to screw up my Ethernet controller driver this way.
    Capture3.png Capture4.png
    SD is good if you have additional layers of protection. Otherwise, use it only for trying out known good programs and as a privacy tool, nothing more.
     
  11. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    A driver installation usually requires a reboot. So, how can you install a driver in shadow mode?
     
  12. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Lots of applications don't require a reboot when installing drivers. That's how SD users test out AV programs, since the majority of them don't require a reboot to install drivers.
    And you can bet malware authors won't want to wait for a reboot to get their drivers running. They also implement reboot-less driver installation ;)
     
  13. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    It's good to know thanks. Any security application (in this case a virtual system) can be bypassed or neutralized if it is specifically targeted by the malware author. I have used SD for many years in my job, and it has survived literally hundreds of malware instances detected by Eset and Avira.

    I often thought that whatever might have escaped from the AV's radar would somewhat be killed by rebooting. I wonder now, as per your conclusion, what would have happened if I had had no AV installed, although I have never had any problems in 8 years.

    I also think that from a malware writer perspective, to attack SD's driver is counterproductive and destructive as it is probably more profitable to steal data as SD does not provide any protection while in shadow mode. It goes without saying that a good backup/imaging program remains the only certain way to restore a system.
     
  14. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Of course. I showed driver deletion as it's the easiest to see the repercussions of. Infecting a system driver is just a step away from deleting it. :)
     
  15. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,159
    I've emailed Tony to see what he thinks about it, although for about a month or more I have been having email returned unsent with a Delivery Status Notification (Failure), both to support@shadowdefender.com and support@xoslab.com.
    Yesterday I sent an email to each asking Tony if he is getting my mail; they went through without problem. Then I sent one to each address asking Tony to look at this thread and they were both returned with a Delivery Status Notification (Failure).

    I've sent an email to both addresses today which up to now (five minutes after posting) have not been returned.

    I will post here if/when I receive a reply.

    Patrick

     
  16. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Thanks for looking into this Patrick, appreciated. Unfortunately, I don't think that the issue can be addressed in its entirety. Sure, SD could probably fix this issue with Hitman Pro, but there are so many other ways/APIs to achieve the same.
    In my opinion, there should be an optional "Deny kernel access to newly installed applications" option. That way the users can choose more security over compatibility issues with newly introduced applications. It's a touchy area for sure. Looking forward to Tony's reply, if you end up receiving it. :)
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Checking updates with SUMo and a new version of Shadow Defender showed up: 1.4.0.650
    Not officially released yet.

    Code:
    www.shadowdefender.com/download/SD1.4.0.650_Setup.exe
     
  18. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I highlighted some words because we should look at this thing from a different side - it's not an SD issue, it's an HMPA matter, and we know that this app is well-known to sometimes have very strange FPs, e.g. important Windows or security app components.
    Normally you can't delete diskpt0.sys; you don't even have the right to view and edit the rights settings of this file, so it's not easy and in most situations is just impossible to delete it and then crash SD.
    I've tested for a few years hundreds of strange and unknown apps, and not so often but some malware also, and SD on my machines could always give me a clean system.
     
    Last edited: Aug 21, 2016
  19. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    I did a bit more investigating (I should have done this when I first posted about it, but better late than never :oops:). I tried the new 1.4.0.650 version, and unsurprisingly the issue is there.
    What I didn't mention previously was that the driver for the Ethernet controller (and diskpt.sys by extension) isn't outright deleted, but the file header of the driver is changed from the standard MZ to SR. I'm not sure if HMP does this intentionally (SR=SurfRight ?), but the file is modified and unusable nonetheless, which shouldn't happen in shadow mode.
    Capture.PNG

    That's all well and good, but malware that you encountered probably wasn't written to specifically exploit SD weaknesses, since SD isn't as widely used.
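    The post above reports driver images whose DOS header was rewritten from "MZ" to "SR". The following is an added example, not code from the thread, Shadow Defender or HitmanPro: a small integrity check that verifies the "MZ" signature and the "PE\0\0" signature at e_lfanew of an image, run here over constructed in-memory samples (the file names and the make_sample helper are made up for the demonstration).

```python
# Added example: check that a driver image's DOS and PE signatures are intact,
# which catches the MZ -> SR header rewrite described in the thread.
# The samples below are constructed; nothing here reads a real driver unless
# check_file() is called with a path.
import struct
from typing import Optional

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"

def check_pe_header(data: bytes) -> Optional[str]:
    """Return None if the headers look intact, else a description of the defect."""
    if len(data) < 0x40:
        return "file too short for a DOS header"
    if data[:2] != DOS_MAGIC:
        return f"DOS signature is {data[:2]!r}, expected {DOS_MAGIC!r}"
    # e_lfanew: 32-bit little-endian offset of the PE header, at byte 0x3C
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return f"e_lfanew 0x{e_lfanew:x} points past end of file"
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return f"PE signature at 0x{e_lfanew:x} is {data[e_lfanew:e_lfanew + 4]!r}"
    return None

def check_file(path: str) -> Optional[str]:
    """Same check against an on-disk image (e.g. a .sys file)."""
    with open(path, "rb") as f:
        return check_pe_header(f.read())

def make_sample(dos_magic: bytes = DOS_MAGIC) -> bytes:
    """Constructed minimal image: 0x40-byte DOS header, e_lfanew=0x40, PE signature."""
    header = bytearray(0x40)
    header[0:2] = dos_magic
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_MAGIC + b"\x00" * 20  # COFF header placeholder

def audit(images: dict) -> dict:
    """Map image name -> defect string (or None) for a set of in-memory images."""
    return {name: check_pe_header(blob) for name, blob in images.items()}

if __name__ == "__main__":
    samples = {
        "intact.sys": make_sample(),
        "tampered.sys": make_sample(b"SR"),  # the MZ -> SR change reported above
    }
    for name, verdict in audit(samples).items():
        print(name, "OK" if verdict is None else f"MODIFIED: {verdict}")
```

Run outside Shadow Mode against the real driver paths, this would confirm whether a modification made inside a shadow session survived the reboot.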
     
  20. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This morning I experienced something unusual.
    3 days ago I put Windows 10 AU and after that SD v1.4.0.648.
    I set it to go into shadow mode on boot.
    Yesterday I installed Kaspersky Anti-Ransomware (in Shadow Mode), in the evening I turned off the PC (I even took out the power cord), this morning I turned on the PC, and Kaspersky Anti-Ransomware is still on the PC?

    In the previous version of Windows 10 and earlier version of SD it never happened; after closing down the PC and turning it on again the PC would be clean and all the changes made in Shadow Mode would be deleted.
     
  21. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,159
    Hi Patrick,
    Thanks for your information. I have tested Hitman Pro in Windows 7 x64 but cannot reproduce this issue. I have enabled Early Warning Scoring. Is there anything I should pay attention to?
    Best regards,
    Tony
    On 2016-08-21 21:19

     
  22. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Shadow Defender needs to be freshly installed on the test system. A recent appearance of an unknown driver on the system (diskpt.sys) should trigger the scan warning from HMP Early Warning Scoring.
    I tested on a VM that is only a couple of days old and SD was installed on that day of testing, which is why I got detections on system drivers in addition to diskpt.sys.
     
  23. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    @3x0gR13N
    Oh please...your nick!...why so "simply"? :)
    As I remember, in the last 3-4 years there was probably only one case in the real world when SD had been bypassed... there it was SD v.1.331 (perhaps) and the bootkit Sinowal, and the test was made on a virtual machine. In your example the test was also on a VM, and because of some possible conflicts between SD and the VM I think you should make it again on a real system. We will see what the result will be.
    As you wrote, there must be some specific condition to bypass SD, so my question is - how many times do you install SD per day/week/month...? Probably a few times a year, and it's hard to have a "fresh" SD in the system. Next thing - SD is a specific app that can protect the system in only one way - by virtualisation - no detection, no signatures, no other "anti-something" technology, no restriction, etc., so it's obvious that each user should additionally have some other layers of protection. And those other apps have to protect not only the system but other applications, including security apps, also... or not interfere with such apps in a damaging way... like HMPA.
     
  24. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    @ichito
    It could be because of using a VM. I didn't want to potentially thrash my real system, and I'm sure regular users not interested in testing and tinkering don't want to either. Patrick was kind and prompt enough to contact and get a response from Tony, who is the only person who can assess the issue.
    The general rule still holds: if something has equal rights on your system as your protection does, it could bypass it. That is why some other "isolation" applications limit access to the kernel (like Sandboxie).
    It's inspired by a CAPTCHA image, hence the "simplicity" :D
     
  25. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Yes...it's true...basic question (I think) is - what works "deeper" in system (even in machine)?

    OK...thanks for answer :D
     