The unofficial Shadow Defender Support Thread.

For example - Microsoft Security essentials
Windows 7

C drive is shadowed - so un-shadow
make a folder in c:\windows
c:\windows\startup-shutdown
create a text file named shutdown.txt
in this file put
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" "D:\Data\Reg.reg"
rename shutdown.txt to shutdown.bat and run it.
Edit shutdown.bat and modifiy it to
del "D:\Data\Reg.reg"
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" "D:\Data\Reg.reg"

Why? Because when this runs at shutdown, it has to delete previous reg.reg before saveing latest version - everytime.

I don't have D drive shadowed - you have to pick a drive that is not shadowed.

Now, create startup.txt
In this file put
reg import "D:\Data\Reg.reg"
"C:\Program Files\Shadow Defender\DefenderDaemon.exe" /auto

Why? You want the reg copied into the registery before Shadow Defender starts.

Rename this too, startup.bat

Edit group policy by clicking start, typing gpedit.msc
Click computer configuration - windows settings - Scripts
In the right pane "add" enter
C:\windows\startup-shutdown\startup.bat

In the left pane go to User Configuration - windows settings - Scripts
In the right pane add "logoff" enter
C:\windows\startup-shutdown\shutdown.bat

Why? Because the first one is system - it will copy the reg.reg before Shadow Defender starts
The second one is user logoff - copies the reg before Shadow Defender quits and you loose it.

Close out gpedit.msc

go to where your Shadow Defender starts
C:\Users\userName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

userName is the name you use to log on with in windows
or it may be all users
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

What you are looking for is Shadow Defender link. You need to change it to
"C:\Program Files\Shadow Defender\Defender.exe"
from
"C:\Program Files\Shadow Defender\DefenderDaemon.exe" /auto

Why? You won't see the icon in the bottom right of your task bar if you don't.
Also by adding Shadow Defender to the group editor, Shadow Defender will start first before anyone logs on and before anything else starts up.

In Shadow Defender exclude
C:\ProgramData\Microsoft\Microsoft Antimalware\*

There is a question in my mind as to whether this actually works. Looks right. Makes sense.

Any comments or corrections are welcome. It just seems to me that it isn't working because when I reboot, my securiy essential icon is red until the computer has run for several minutes. To test it, I could have the startup.bat and shutdown.bat create a file on C drive and see if the file updated after reboot. I guess that would have been too simple.

 

To those who are using Sandboxie together with Shadow Defender, do you have C:\Sandbox in the exclusion list of SD? Just curious.

 

Nope, if i downloaded something i deem trustworthy (after testing it on shadow mode) then i move on normal mode and download it again.

 

I m not running either right now, but i don't see why exclude the Sandbox folder. By not excluding it, you have a Sandbox inside a sandbox. I would exclude the directory where Sandboxie recovers the data you want. For example if you save your downloads to C:/username/Downloads (autorecovery function in Sandboxie) , that's what i 'd exclude, so the data there would be untouched by Shadow Defender too.

 

There is no disadvantage to excluding C:\Sandbox from a security perspective as the main part of system space is virtualised by Shadow Defender. I imagine the decision would partly depend on whether there is any noticeable increase in speed from avoiding the double redirection of disk writes by sandboxed applications: first by Sandboxie when redirecting file system writes to C:\Sandbox; and second by Shadow Defender when redirecting disk sectors belonging to C:\Sandbox to its own disk sector cache.

In my case, I got the best performance improvement with Sandboxie by moving the sandbox container folder to a RAM disk, which also avoids the need for secure sandbox deletion if privacy is an additional goal.

 

Thanks for the inputs

 

I have one folder excluded from shadow defender called my downloads
just incase i want to save something while in shadow mode,its covered with full sandboxie restrictions.

 

After using Returnil for several years, I am now using SD.

I had previously found that in Returnil, if a I made a change to the boot files using EasyBCD while in virtual mode, the change passed to the real system.

Out of curiosity, I tried in SD. While in shadow mode, I renamed the boot menu title from "Windows 7 Home Premium" to "Windows 7 HOME PREMIUM". Upon reboot, Windows detected the change and presented the boot menu screen with the new name.

So, the changes made with EasyBCD in shadow mode appear in the system after reboot. Does anybody know why this happens?

 

As far as I know, SD does not wipe anything.

 

No light virtualization/rollback app, Shadow Defender, Returnil, or Rollback RX, etc., protects the Master Boot Record. The MBR is what EasyBCD manipulates. Shadow Defender's driver is loader after the MBR and thus cannot protect it. That's the reason why imaging and light-virtualization goes hand-in-hand; as a safety net.

 

Many here have questioned Tony's disappearance from this forum (although he has recently 'surfaced'). Perhaps the following article might shed insight into (and understanding of) the related issues...

http://www.nytimes.com/2012/12/29/world/asia/china-toughens-restrictions-on-internet-use.html

TS

 

Yes, I've posted a few times about this maybe being an aspect of the problem, see my post #1418 with two links, I had the feeling that my emails might be blocked at times.

 

When I emailed him, it said that his emails were coming from Texas according to Mailhops on Thunderbird. I guess he may have to use a proxy or a VPN just to contact people. Tony replied to all my emails with a real civility. I guess something like SD would be an annoyance to certains regimes.

 

I installed SD for the first time, its working very well in my W7 32 bits. After re reading this thread, I decided to install version .346. No glitches.

Easy to figure out, as easy to use as the other LV programs that I used in the past. I like the option to right click on a file to commit, really nice.

Bo

 

When I do occasionally run SD that is exactly how I use it.

My only exclusion is my "downloads" folder which is under the supervision of Sandboxie (forced).

Combines the best of both worlds imho.

 

Thats how I have mine.

Use Sandboxie as you normally use it.

Bo

 

Yes, Shadow Defender and Sandboxie, great combination but I also use Avast and Malwarebyes to check any file before I allow it in permanently.

 

Using the latest version of SD here and Windows 7 x64 Home Premium.

Windows suddenly doesn't recognize the publisher of SD and gives a yellow warning in a UAC prompt when accessing SD's main window. I am sure it recognize the publisher last night. Downloading the installer of SD and now it also gives a yellow warning. Anybody else having the same issue?
EDIT: Looking at the properties of the installer and files that are installed in my comp, SD still has the valid signature.
EDIT: Now I get it, one of the countersignature expired. lol

 

One thing I don't understand, if SD writes to my HD, what happens to all that data once I leave Shadow mode?

 

I don't think Shadow Defender writes the changes directly onto the harddrive. I think it uses a Journal file and writes all changes into that single file. So when ever you commit changes Shadow Defender Looks into the Journal file and kinda copy pastes whatever you Chose to the real harddrive.

I downloaded a few really big files while in shadow mode and then committed them. You can see that committing takes quiet Long as if something is copied. If Shadow Defender stored all files on the harddrive in Shadow Mode committing would only take some seconds I guess.

I'm not quiet sure about all this but I think works more or less like this.

 

SD writes to a disk cache. When you leave shadow mode, it is deleted. It´s the same that happens what you delete a directory or file.

 

Thanks Arcanez and Robin. While it's great to enjoy the benefits of SD it's even better to know what's going and how it works properly. I'm still very new to security and to an extent computers.

 

The name of the file is diskpt0.sys. Shadow Defender places it in C when you enable protection and it gets deleted when you reboot the computer.

Bo

 

If TrueCrypt is being used with ShadowDefender, is the temporary file that ShadowDefender creates when in Shadow Mode encrypted?

 

Thank you. I've got a much better understanding of it now.