The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
Yes, I do hope it is him! It's just very difficult to know for sure. I do want to see SD excel! I also do care about Tony's well-being! I believe the best indicator we will have whether it is Tony will be in the quality of coding in upcoming releases. I believe in Tony's quality of work. IMO, SD is one of the best security applications ever developed!
     
  2. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear Cutting_EdgeTech,

    Well said and I couldn't have said it any better!

    SD had been a quality product and for this reason it has a massive geek following. Those of us who love SD, want to ensure that SD keeps this quality edge, the Cutting Edge Tech like Sandboxie. :D

    Best regards my friend, and best of health for a long, long time to come.

    Mohamed
     
  3. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803

Good question, I wouldn't know :ninja:
     
  4. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Not specifically. SD places user-selected disk volumes into Shadow Mode protection (not the MBR). SD's protection doesn't start until Shadow Mode is enabled (i.e., the Shadow Mode driver is loaded). After Shadow Mode is enabled all (non-excluded) changes are retained in its cache which is flushed when Shadow Mode is manually disabled for the selected partition or when the system is restarted.

While Shadow Defender can provide very good malware protection (better than most light virtualization programs) it is not impenetrable! SD is just one (very good) component in a layered anti-malware protection scheme.

    Nate, while I'm sure you are aware of this it bears repeating; the last line of defense is a disk-image backup. Most disk-imaging programs backup the MBR automatically and most of them provide the option to restore the MBR.

    TS
     
    Last edited: Mar 7, 2013
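Since SD's Shadow Mode only caches writes to the selected volumes and says nothing about sector 0, a tester who wants to know whether an MBR sample got through needs an out-of-band check. The following is an added example (not code from the thread or from Shadow Defender): a small Python script that fingerprints the MBR before a Shadow Mode session and compares it after the reboot, reporting separately whether the boot code or the partition table changed. The device path and the sample MBR bytes are constructed assumptions.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code (what a bootkit typically overwrites)
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"       # bytes 510..511

def parse_mbr(sector: bytes) -> list:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0x00 marks an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries

def fingerprint(sector: bytes) -> dict:
    """Hash boot code and partition table separately so the report says which one changed."""
    return {"boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partition_table": hashlib.sha256(sector[PART_TABLE]).hexdigest()}

def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Return, per region, whether a pre-test baseline differs from a post-reboot read."""
    before, after = fingerprint(baseline), fingerprint(current)
    return {region: before[region] != after[region] for region in before}

def read_mbr(device: str) -> bytes:
    r"""Read sector 0 from a raw device such as \\.\PhysicalDrive0 (assumed path; needs admin)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code plus one bootable NTFS partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xeb\x3c\x90ORIGINAL")     # constructed baseline
    tampered = build_sample_mbr(b"\xeb\x3c\x90INFECTED")  # same table, new boot code
    print(parse_mbr(clean))
    print(compare_mbr(clean, tampered))  # boot code changed, partition table unchanged
```

On a real test bed, call read_mbr() once before enabling Shadow Mode and again after the post-test reboot, then feed both reads to compare_mbr().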
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,715
    Location:
    Location Unknown
Of course. I've been using imaging for years. Now I use Drive Snapshot and Image for DOS. But still it's worth mentioning that SD does not protect the MBR, which I think is a glaring chink in its armor. With rootkits the way they are these days I think that's important. Yes, if you use a decent imaging application then light virtualization doesn't need to have MBR protection. But why not use one that does? What's the risk to the user? Especially given that SD has been having some very weird issues (going back to the "clean" .325) I don't think it's much risk at all.
     
  6. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Because most LVs (even those professing to have MBR protection) have bigger chinks in their armor than SD! I am not aware of any LV app that's invulnerable to all malware, with the possible exception of Diskshot (which unfortunately is not available in English!)...

    ...and by using DS and/or IFD (on a regular basis) your MBR is well protected (as long as the backup was made prior to when your MBR was compromised)! :thumb:
     
    Last edited: Mar 10, 2013
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
I have never seen any proof that SD 1.1.0.325 has ever been bypassed, not even by the worst rootkits like the TDL rootkits, which have bypassed all other light virtualization applications that were around at the time. That leads me to believe there is more to SD's method of protection than can be seen from a surface view. Tony is not going to give away SD's complete method of mitigating Malware.

Diskshot is fairly new, and IMO has not been around long enough to be put to the test yet. Also, I would think it is only being used by a very small user base. Even considerably smaller than SD's user base. This also limits its exposure to the large amount of Malware in the Wild. Theoretically Diskshot is rock solid, but only time will tell. I do believe Diskshot will be a great product, and I do wish it was translated into English.

Here are some old tests I have posted before in this thread: http://ssj100.fullsubject.com/t166-light-virtualization-software-partial-sandbox-test
     
    Last edited: Mar 8, 2013
  8. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    249
    Location:
    Poland
    Shadow Defender 1.1.0.325 vs MBR Rootkit (Sinowal) :cool:
    -http://i.imgur.com/WSA5Dt3.png-
     
  9. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
I've said this before but I have to repeat it for the benefit of new members like Space Ghost:

Malware resistance tests within a VM are practically useless IMHO. One can only get accurate results when such tests take place on actual test beds and not within a VM. Testing should also include different operating systems as results can vary between WinXP, Vista, Win7 and Win8 with both x86 and x64 kernels.

    If anyone of you guys can find a Sinowal executable sample please PM me because I would like to test it on a real system. Also please send it to Tony. Make sure you zip it with a password first in order for the sample not to get caught by antivirus software when it lands on his e-mail.
     
  10. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    249
    Location:
    Poland
    Real PC (XP Pro SP3)
    -http://i.imgur.com/xw94m.jpg- ;)
     
  11. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear CyberMan969,

Just because one is a new member on Wilders doesn't mean he/she is not an experienced computer user and/or also an experienced SD user.

    Best regards,
     
  12. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear Space Ghost,

    In your above .jpg image, SD is not under Shadow Mode.

Does SD protect the MBR only in Shadow Mode or in both modes (Shadow and non-Shadow modes)?

    Best regards,
     
  13. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Of course not, I just meant it in the context that being a new member he probably hasn't seen my statement on this issue before.

    If you guys find a Sinowal executable sample please let me know :thumb:

    BTW I asked Tony again the MBR issue, I will share if/when I get an answer.
     
  14. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    249
    Location:
    Poland
    Of course, I left Shadow Mode after running the malware sample (exit Shadow Mode and restart).
     
  15. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear Space Ghost,

Thanks for the confirmation. Still I would like to know from you or someone as experienced as you, if SD protects the MBR while not in Shadow Mode?

    Many thanks in advance for your reply.

    Best regards,
     
  16. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,240
    Location:
    USA
    CM, would you please provide your reasoning for the above statement? Mind you, I'm not challenging the statement, I'm just very curious as to why you believe that. :doubt:

    Cruise
     
  17. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,240
    Location:
    USA
    Hi aladdin,

I can tell you categorically that Shadow Defender doesn't protect anything when not in Shadow Mode! And according to The Shadow's response to n8chavez in post #2204 (above) it doesn't directly protect the MBR even when in Shadow Mode.

    Cruise
     
  18. artoor

    artoor Registered Member

    Joined:
    Oct 13, 2012
    Posts:
    113
    Location:
    Poland
I'm interested as well, not because I don't believe you, rather due to my lack of knowledge about it.
     
  19. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
Hi Cruise,

I've tested SD on three real machines in the past and it has successfully contained certain rootkit samples which had failed when I ran the same tests with an identical software setup within a VM. This has led me to the conclusion that VM malware resistance testing is not always reliable.
     
  20. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
Thanks for this, your experience is good enough for me. I thought that testing on a VM with the same hardware and software setup would provide conclusive proof. Now I know better. It's a good start but until you get the thing in the real world you will not know for sure.

    I must admit this is a tad distressing though.
     
  21. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Sometimes VM malware tests fail even if the host machine runs on a different OS than the virtual OS. I'm not an expert on this and I haven't performed extensive tests like some other users have. I just remember that my two SD failures happened when I ran a WinXP image within a Win7 host. But when I loaded a Win7 image within the same host, SD managed to kill both samples. I then ran the same two samples on three different real Win7 machines and SD cleaned them every time.

    I've got no idea why this happened. But the logical conclusion to this is that VM testing is not always reliable.
     
  22. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,240
    Location:
    USA
CM, I find that very interesting and while I accept your observations I sure would like to understand why that happens (if the virtualized system was indeed a 'mirror' of the real system). If that's really true, then would it not cast doubt on the validity of any tests conducted in a virtualized environment? :doubt:

    Cruise

    PS. Which virtualizer did you use (VMware, VBox, or...)?

    Edited just to clarify my concern...
     
    Last edited: Mar 8, 2013
  23. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589

I used VMware. The guest Win7 OS was actually a clone of the host, converted with VMware's converter tool. SD running within the cloned guest Win7 managed to beat the two samples on which it had failed when the guest was XP. I wish I knew why Cruise, as I said I'm not an expert with VMs. But the logical conclusion of that failure indicates that VM malware resistance testing cannot always be accurate.
     
    Last edited: Mar 8, 2013
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Did you conduct the test? Is there a video of it? No disrespect intended, but only a picture by itself is not proof. Someone should be working with Tony on this so he can see where SD has failed if this is indeed true.
     
  25. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Space Ghost's last post indicated that he ran that test. I PMed him asking for the sample (if he has it), or for a web address (in case he got it by visiting a malicious website).
     