The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Osaban,

    You're most welcome and thank you for the kind words. :)

    Regards
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi AaLF,

    Speaking personally - and not making any recommendations as to what you should do - I would give up AppGuard before I would give up Shadow Defender.

I'm a firm believer that virtualization is the way to go. Shadow Defender is so easy and intuitive to use; and doesn't require any configuration to get the best out of it. It's also good for testing software that doesn't require a reboot, which sounds as though it will suit you if, as you say, you enjoy trialling new software.

    As you are already using Sandboxie, I doubt that you need AppGuard as well. The combination of Shadow Defender and Sandboxie should be more than enough. The only reason I don't use Sandboxie more often is that it doesn't run well on my system. I sometimes get a slow scrolling problem when inside the sandbox.

    I don't know whether or not you are the sole user of your machine; but if you share it with other family members, with you as administrator, another advantage of a lightweight virtualization program like Shadow Defender is the ability to lock down the system against unauthorised changes if you feel it necessary.
     
  3. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    That's Pegr. That's how I've been thinking too. But not being knowledgeable I needed to check. LoneWolf put me onto SD but I put it aside for awhile to test other products and then forgot about it. Until I spotted LoneWolf's signature which reminded me of SD.

    Thanks Pegr :thumb: and thanks LoneWolf :thumb:

It's good to find a product that feels like a comfy lounge chair.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
From my experience with testing some RansomWare Rootkits that encrypt your files, I would say it's Extremely important. I watched them beginning to encrypt my files, on both my C: & D: drives in real time :eek:

    As I was in SD mode I wasn't too concerned ;) but if I hadn't chosen to include my D: partition as well, I would have had a Real headache trying to sort it out :(

    Of course having an AntiExe App would have prevented the installation in the 1st place :thumb: And I do use ProcessGuard :) but allowed the nasties to run just for the test.

    I tried to locate the tests I did with screenies on here, but couldn't! Maybe I've forgotten what the thread was called?
     
  5. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
That could be dangerous. What about exclusion folders? At what point are they vulnerable?
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Exclusion folders on the system partition are vulnerable in the same way that a non virtualized data partition is vulnerable; there is no difference. An alternative to folder exclusion would be to use the Commit Now feature to manually save all changes that you want to keep. The downside of doing it this way is that you may lose data if you forget.

A fundamental point that is sometimes overlooked is that virtualization isn't a complete security solution by itself and some kind of policy restriction is still needed to prevent the damage that malware may still do if allowed to run unchecked on the virtual system. This includes, but is not limited to, data and identity theft.

    My point was that the policy restriction doesn't have to be provided by AppGuard. In your case you are using Sandboxie, which contains strong policy restriction features of its own. A properly configured Sandboxie provides a very high degree of security, including its ability to lock down read access to private and confidential data - a feature that AppGuard also has.

    Of course, if you want to use Shadow Mode to deliberately test malware outside of Sandboxie's sandbox, you should definitely put every partition into Shadow Mode prior to testing for exactly the kind of reasons that CloneRanger describes.

    For normal use, providing you are running your high risk applications inside a sandbox, you have nothing to fear. If you want the extra security of system-wide policy restriction at all times though, AppGuard makes a good partner for Shadow Defender.
     
  7. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    1. When running in Shadow Mode where should SBiE's SANDBOX folder sit? Inside the ShadowMode or excluded?

    2. Generic question: Apart from "Save to" folders what else do you guys exclude from the ShadowMode?
     
  8. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,818
1. When I ran Shadow Defender and Sandboxie together my entire C drive was in shadowmode, Sandboxie's sandbox folder included. Reason being was in case something bad escaped the sandbox (highly unlikely) or if I mistakenly let something bad out (more likely).

    2. I have nothing in my exclusion list, reason being is I do not wish to leave any chance of a possible hole in Shadow Defender. If I need to update something I will exit shadowmode, update, then return to shadowmode. If I want to save something else I will use the commit now feature.
     
    Last edited: Oct 25, 2011
  9. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    I have a tendency to reboot/shutdown first then remember to reach for the Commit Now. Hence the need for exclusion zone 'save to' folders.
     
  10. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    In my situation I need to have a hole in Shadow Defender to save stuff to & distribute to permanent folders/partitions later.

    So where best to place this folder?
    My Documents?
    somewhere in C Drive?
    On data partition D drive?

How can I make the folder less vulnerable?
    Does it matter?
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I would

You could make a new folder & put everything in there & then use e.g. AxCrypt to encrypt whatever. When you're ready, decrypt & move to wherever.

    EDIT

    Obviously if you are including the D drive then the above won't work, unless you use commit now etc to just the D drive ;)

    You could save whatever to a USB Stick/Drive & copy over to the C Drive when convenient, maybe on rebooting.
     
    Last edited: Oct 25, 2011
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    If it's inside Shadow Mode, file system redirection (Sandboxie) and disk sector redirection (Shadow Defender) will occur together, which is unnecessary. To avoid double virtualization of sandboxed applications, either exclude the sandbox folder from Shadow Mode and leave it to Sandboxie to manage it, or relocate it to the data partition, which I assume will not routinely be in Shadow Mode.

    As you are also trialling AppGuard, an advantage of relocating the sandbox folder to the data partition is that AppGuard would work with Sandboxie without the need for an AppGuard folder exclusion to remove the sandbox folder from System-Space, as the sandbox folder would already be in extended User-Space.
     
  13. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Appguard is on the back-burner for now. I'm just running with SBiE & shadow Defender (& my trusty Snapshot as last resort).

    SBiE's box outside of Shadow-mode - done.

Other sources say that one should "shadow-mode" the D partition too. And it's a standard option on Shadow Defender. How are these malware designed? Are they programmed to seek out the Operating system and My documents AND other partitions? Or just roam and pillage the C Drive.
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Providing you are running your browser and any other high risk applications you may have inside the sandbox, you don't really need to worry. You can configure Sandboxie to prevent read access to any folders that contain personal data. Even without doing that, a sandboxed application can't destroy any data outside of the sandbox. You do need policy restriction in addition to virtualization for a complete security solution, but with Sandboxie you already have that.

    The downside of keeping the data partition permanently virtualized is that you must manually commit all changes that you want to keep. It's more secure but it's also inconvenient, and the risk is that you forget to commit and lose some data as a result. All security involves a trade-off between risk and convenience. Only you can judge what works best for you.
     
    Last edited: Oct 26, 2011
  15. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    How does one go about doing this? Got a guide?
     
    Last edited: Oct 26, 2011
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    1. Open Sandboxie Control.
    2. From the Sandbox menu choose the sandbox you want to configure and select Sandbox Settings.
    3. Navigate to Resource Access-->File Access-->Blocked Access and you can add the folders from there.
     
  17. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
Wooooooooo. Thanks Pegr. What a great little program this SandBoxie is. Every day I discover another plus for it. :thumb:

    And coupled with Shadow Defender holding the big umbrella I feel very comfortable indeed. So much so, I'm putting Revo up on the shelf for a while. My searching for a security setup is done for a while. At least until the switch to 64bit x Win 7/8. God willing that's a way off yet.
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You're welcome. :)

    Providing you run your high risk applications inside a sandbox, in addition to the file system and registry virtualization the sandbox provides, Sandboxie has got all of the additional policy restriction features you'll ever need.

    The Sandboxie threads are a good source of information. If you search for threads with Sandboxie in the title, you will find a lot of information that will help you learn about Sandboxie and configure it. Even on default settings Sandboxie is very strong but with a little additional configuration it can be made so secure that malware has virtually no chance to operate inside the sandbox.

    Regards
     
  19. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    I have used SD for a couple of years with Vista 32 bit and it has served me well. I recently got a new laptop with W7 64 bit and wonder if there is a reliable/safe place to download a stable 64 bit version of SD. I don't want to take a chance on the SD website.
     
  20. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    618
    Location:
    Austria
  21. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
  22. Kircho

    Kircho Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    4
    Is there a way to determine if shadow mode is active, on a certain drive - without observing the fact in the UI?

I have a 1-click system for activating/deactivating SD; it uses its own ini file to keep track of SD. However, on very rare occasions (a power outage or system stall), SD may not be properly turned off/on.
    In this case I need a way to detect its status.

    Thanks
     
  23. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    That's an interesting feature you got there Kircho. What's the process to create this 1-click on/off? If you share we can all add our thoughts after trying it.
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    When a drive is in Shadow Mode, a hidden protected operating system file called diskpt0.sys is created in the root directory of the drive. It holds the redirected disk sectors while in Shadow Mode and is deleted on exit from Shadow Mode.

    You may be able to check the Shadow Mode status for a drive by checking for the existence of the diskpt0.sys file.
     
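The check pegr describes, written out as a small script so it can be run from a scheduled task or from Kircho's 1-click tool to confirm the real Shadow Mode state rather than trusting a status file. This is an added example, not code from the thread or from Shadow Defender; it assumes only what the post above states (a file named diskpt0.sys in the drive root while that drive is in Shadow Mode) and the function and parameter names are my own.

```python
"""Report per-drive Shadow Mode status by looking for diskpt0.sys.

Added example (not from the thread or from Shadow Defender). It relies on
the observation above that a drive in Shadow Mode carries a hidden,
protected file named diskpt0.sys in its root directory, which is removed on
exit from Shadow Mode. If that marker ever changes, this check will not see it.
"""
import os
import string
import sys

# File name taken from pegr's post above.
MARKER = "diskpt0.sys"


def shadow_mode_active(drive_root):
    """Return True if diskpt0.sys exists directly inside drive_root.

    os.path.isfile sees hidden/system files on Windows, so no attribute
    handling is needed. A missing drive_root simply yields False.
    """
    return os.path.isfile(os.path.join(drive_root, MARKER))


def shadow_status(drive_roots):
    """Map each existing drive root to its Shadow Mode status.

    Roots that do not exist (unplugged USB drive, typo) are skipped rather
    than reported as 'not shadowed', so a caller can tell the two apart.
    """
    return {root: shadow_mode_active(root)
            for root in drive_roots if os.path.isdir(root)}


def windows_drive_roots():
    """Enumerate mounted drive letters as roots like 'C:\\' (Windows only)."""
    return [f"{letter}:\\" for letter in string.ascii_uppercase
            if os.path.isdir(f"{letter}:\\")]


def recorded_state_matches(recorded_active, drive_root):
    """Compare a state your own tooling recorded against the on-disk truth.

    Useful after an unclean shutdown: if the recorded flag and the marker
    disagree, the tooling's bookkeeping should be reset from this result.
    """
    return bool(recorded_active) == shadow_mode_active(drive_root)


if __name__ == "__main__":
    # Pass drive roots explicitly (e.g. C:\ D:\), or scan all mounted letters.
    roots = sys.argv[1:] or windows_drive_roots()
    for root, active in shadow_status(roots).items():
        print(f"{root} -> {'Shadow Mode' if active else 'normal'}")
```

Run it as `python sd_status.py C:\ D:\` (or with no arguments to scan every mounted letter). It only reads the root directory listing, so it needs no elevation; anything stronger, such as verifying the file is the driver's own and not a stray copy with the same name, is not something the thread supports and is not attempted here.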
  25. Kircho

    Kircho Registered Member

    Joined:
    Sep 8, 2008
    Posts:
    4
    Thank you pegr, that did the trick.

It's really troublesome not having command-line support.

    AaLF: I've just automated the clicks/presses and added some reliability measures (as per my question). It's reliable and useful enough that the 15 clients for whom I've installed it don't complain - SD would be useless for them without it.

    Use at your own risk (x86 and x64):
    http://www.mediafire.com/?b168vbfwd29w5x6
    http://www.mediafire.com/?89l1nlbtdob8zkq

    To use, just double click the exe (I have it pinned to the taskbar); it will confirm the operation - make the decision and wait till it finishes.

    Note: If SD is not installed in "C:\Prog....", then it will ask you to choose the install dir. It's meant to protect C: while D: stays unprotected, so if you're shadowing just C: or another drive letter, it won't work for you.
     