The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Tony has told me in a very recent communication that he is currently still researching these things. He said that Drop Rights will be first, followed by the ability to virtualize all sectors as an option (disabled by default) added in the future.

    Here's my mock-up of what it's going to look like:
     


  2. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    SD virtualizes the entire OS now. The enhancements proposed by The Shadow and CyberMan will no doubt further strengthen SD, but don't lose sight of the fact that malware can infect your system and run while Shadow Mode is enabled. Even if a subsequent restart completely removes all such malware, your system's security can still be compromised during the time you are in Shadow Mode! The bottom line is that you shouldn't rely solely on SD for total security, now or with the proposed enhancements.

    Wendi
     
  3. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589

    +1 Wendi. Multi-layered protection is a must.
     
  4. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,587
    In practice it's equivalent to using a non-virtualized data partition in the internal disk.
     
  5. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    HitmanPro identifies Cmdtool.exe in the SD installation directory as a virus and recommends removing it.
     
  6. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Probably a false positive (HitmanPro is known for that). I have the latest 64-bit version of SD installed and cmdtool.exe checks-out clean.

    Wendi
     
  7. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    417
    Location:
    Event Horizon
    Yes it does, at least on VirusTotal.
     
  8. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Hitman Pro is like a double-edged sword. While it is very good at detecting malware, its over-aggressiveness also produces quite a few FPs!
     
  9. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Would it be a good idea to use SD on a host machine and do malware testing in a VM, so that after a reboot it will have the same snapshot again, without changes?
    (VMPlayer)
     
  10. guest

    guest Guest

    Everything that happens in Shadow Mode will be negated at the next reboot.

    But there is no point in doing that, you can reset the VM's snapshot; and I am not aware of malware jumping from a VM to the real system unless due to user mistake.
     
  11. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    VMPlayer does not have snapshot ability so I think this is a good choice.
     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    So I guess it is part of the hard drive that is left unvirtualized?

    I also use Sandboxie. I use an antivirus and I have USB vaccine. That's it. I do have a valid license for app guard that was causing problems on my Vista 64 bit comp. But I just bought a new laptop. Would you recommend AppGuard?
     
  13. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I also use Sandboxie, it is currently the safest way to browse the internet or to test unknown programs. SD leaves some sectors unvirtualized, and those are the sectors that malware like Sinowal write to in between reboots. The rootkit itself is now 100% flushed from the boot sector upon reboot, Tony has fixed that with the latest SD version. The only problem is that rootkits like Sinowal also write to those few sectors that remain unvirtualized. Those writes (which are usually just remnants of the rootkit's file system) will survive a reboot but since the rootkit itself has gone from the boot sector, those leftovers are not a security risk on their own.

    Still, it bothers me to have malicious leftovers littering my disk, even if they are inert. SD is not virtualizing the whole writeable area of the disk, so we discussed with Tony the possibility of 100% all sector virtualization. It is possible and Tony will implement it after Drop Rights is done.

    I have also spoken with Tony about adding proper anti-execution and folder protection modules to SD in the future (some of SD's competitors already have such features). He sent me an e-mail a few hours ago, saying that such features are possible and that he will consider adding them in the future. Along with the DropRights/BlockDrivers/BlockApplicationHooks features and the ALLSector™ Virtualization component, all these new options will result in a bullet-proof SD, a complete proactive layer of protection that will also protect the virtual environment itself. All those features together is what I call RogueGuardian™ Virtualization Technology. I just hope that Tony finds ways to code all those changes in the future.

    The future looks bright for SD, and it's all thanks to user brainstorming and participation in the development. Many minds set to brainstorm on a task are better than just a single developer or a small team of engineers in a regionally isolated coding team. Developers often miss what people really need. It is great for developers to listen to the users and implement things that their customers want. Tony is certainly making up fast for the lost time we have endured during his absence.
     
    Last edited: May 16, 2013
  14. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Thanks so much for your reply, Cyberman. I appreciate your input and your efforts. I will be really glad when Tony creates the option to virtualize all sectors. I can always disable SD and add files, update, or install new software.

    If I understand correctly, Drop Rights takes away admin privileges so that it will be much more difficult for malware to create changes and install. Is this correct? So in Sandboxie under Sandboxie settings, and under Restrictions, I have Drop Rights checked. Are there any other changes in Sandboxie that you would suggest making?

    Concerning an anti-executable and all of these other options for SD, I am concerned. I was a long time fan and user of Returnil. But all of these extra features ruined it for me. It caused all kinds of problems. I was getting blue screens and my computer just wouldn't run properly. But maybe Tony can make all of these things run smoothly together. He seems to be really talented! But maybe he can also make a stand alone pure virtualization option as well.

    I went ahead and installed AppGuard. It seems to work pretty well except that I have to turn it off to start up a browser in Sandboxie, and also to start my VPN. But it turns back on by itself automatically. It does seem to affect browsing speeds and opening up new tabs. I'm not too fond of that. Do you use AppGuard or a similar product? Thanks, Caspian
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Really? I thought that an external HD was less likely to be infected. I do have USB vaccine installed. Hopefully that will help to prevent any infections. I also installed AppGuard. So maybe I'm good to go.
     
  16. artoor

    artoor Registered Member

    Joined:
    Oct 13, 2012
    Posts:
    113
    Location:
    Poland
    Caspian, have a look here (or here in Polish, but with screens), it should solve your problem as far as AG + SBIE are concerned. I use them both and it works very well :)

     
  17. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Thank you for your encouraging words Caspian. Yes, Drop Rights takes away admin privileges from programs running in the virtual environment, so installers won't work. Drivers will be blocked too and application hooks hopefully. This was Shadow's idea, and a great one.

    Pegr has suggested two options that SD's competitors currently have, folder protection and anti execution, both great ideas.

    Wendi has recently suggested MBR, Track 0, or System Reserved Partition to be virtualized as well. I sent an e-mail to Tony about these, will share when he answers. I am confident that Tony will be able to blend these options properly in a stable SD that will be able to proactively protect both the real and the virtual environment. Users can still leave those options off, and just use the regular SD as we do now.

    The website I work for (Tweak Town) is currently affiliated with Shadow Defender. I started this affiliation a few weeks ago in order to help out Tony, and also to try to make SD more popular. Light Virtualization must come into the mainstream, and I can't see a better candidate for this than a future SD that offers in one lightweight package all the proactive protection that users would normally get from three or four different programs.

    I published an SD review back in March:

    http://www.tweaktown.com/reviews/52...e-review-and-guide-shadow-defender/index.html

    Also an LV/IRS guide before that:

    http://www.tweaktown.com/articles/5...erall-safety-net-for-your-computer/index.html

    All the tips on what you can do with LV/IRS apps are in there. Also essential backup tips and Windows tweaks that are best to be applied before adding LV/IRS programs.
     
  18. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    SD protects the MBR (by default) whenever Shadow Mode is enabled for any volume(s). Tony assured me of that on the old SD forum (about 3-years ago)! ;)

    TS

    ----
    Edit: While I'm confident about MBR protection, I'm not at all sure about the other 62 sectors of Track 0, or the SRP.
     
  19. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I think Wendi meant to actually virtualize the MBR. Tony e-mailed me today:

    Yes, SD doesn't virtualize the MBR, SD protects it only.
    and the hidden 100MB is not protected.

    So the next question is: Why is the hidden system partition left unvirtualized? Important boot files are in there. Still waiting for his answer on that.
     
  20. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    That's a good question CM! Tony's answer seems evasive as to how he protects the MBR if it isn't virtualized. Also, what about the other 62 sectors of Track 0? I've read that some rootkits can hide there!

    TS
     
    Last edited: May 19, 2013
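    An added example, not from the thread or from Shadow Defender: a Python script that hashes a range of raw disk sectors before and after a Shadow Mode session (by default sector 0, the MBR, plus the other 62 sectors of Track 0 that TS asks about) and reports which sectors differ, so a user can check for themselves what really survives a reboot. `\\.\PhysicalDrive0` and the baseline file name are assumptions; on Windows it needs an elevated prompt, and it also accepts a plain disk image file.

    ```python
    """Baseline and compare raw disk sectors across a reboot (added example)."""
    import hashlib
    import json
    import sys

    SECTOR = 512
    DEVICE = r"\\.\PhysicalDrive0"      # assumption: first physical disk on Windows (needs admin)
    BASELINE = "sector_baseline.json"   # assumption: where the baseline hashes are kept

    def read_sectors(path, start, count):
        """Read `count` sectors beginning at sector `start` from a raw device or image.
        Raw devices only accept sector-aligned reads, hence the unbuffered handle."""
        with open(path, "rb", buffering=0) as f:
            f.seek(start * SECTOR)
            data = f.read(count * SECTOR)
        if len(data) != count * SECTOR:
            raise IOError(f"short read: got {len(data)} bytes, wanted {count * SECTOR}")
        return data

    def sector_hashes(data):
        """SHA-256 per 512-byte sector, so a change can be located and not just detected."""
        return [hashlib.sha256(data[i:i + SECTOR]).hexdigest()
                for i in range(0, len(data), SECTOR)]

    def changed_sectors(baseline, current):
        """Indices (relative to the start sector) whose hash differs from the baseline."""
        if len(baseline) != len(current):
            raise ValueError("baseline and current cover a different number of sectors")
        return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]

    def main(argv):
        # usage: sector_check.py baseline|compare [device_or_image] [start] [count]
        # Defaults cover Track 0. To cover a System Reserved partition instead, pass its
        # start sector and length, e.g. "2048 204800" for a 100 MB partition at the usual offset.
        mode = argv[1]
        path = argv[2] if len(argv) > 2 else DEVICE
        start = int(argv[3]) if len(argv) > 3 else 0
        count = int(argv[4]) if len(argv) > 4 else 63
        hashes = sector_hashes(read_sectors(path, start, count))
        if mode == "baseline":
            with open(BASELINE, "w") as out:
                json.dump({"start": start, "hashes": hashes}, out)
            print(f"baseline of {count} sectors from sector {start} written to {BASELINE}")
            return 0
        with open(BASELINE) as inp:
            saved = json.load(inp)
        diff = changed_sectors(saved["hashes"], hashes)
        for i in diff:
            tag = " (MBR)" if saved["start"] + i == 0 else ""
            print(f"sector {saved['start'] + i} changed{tag}")
        print("no changes since baseline" if not diff else f"{len(diff)} sector(s) changed")
        return 1 if diff else 0

    if __name__ == "__main__":
        sys.exit(main(sys.argv))
    ```

    Run `baseline` before entering Shadow Mode and `compare` after the reboot that is supposed to discard everything; a non-empty list shows exactly which sectors were written outside the virtualized area.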
  21. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    That's why I wanted to have 100% sector virtualization. If Tony manages to code this thing then everything would be virtualized, with no space for malware to store code between reboots. Of course it would be optional and disabled by default, users will activate it if they need this functionality.

    Maybe Tony can add the hidden partition to the list of volumes so we can put it in Shadow Mode. I'd like to see this done soon. Later on when he develops Drop Rights and this ALLSector thing, this will take care of the track 0 and MBR concerns as well.
     
  22. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Hi CM,

    I don't see why it's necessary to place all sectors of an entire drive into Shadow Mode in order to just enable Shadow Mode for Track 0 and the SRP. For many of us, placing the entire drive into Shadow Mode simply isn't necessary. Furthermore, that would result in a very large SD cache size which will, for many of us, overflow the amount of memory that we can safely allocate for RAM-caching (your system being one of the relatively few exceptions)!

    TS
     
  23. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I understand your concerns Shadow, however even if track 0 and MBR are virtualized there will still be some other sectors that will still remain unvirtualized, Tony has admitted that. The ALLSector option would be developed last, after Drop Rights anyway; so Tony won't need to divide his time doing two major things at once.

    For security freaks like myself full virtualization would be the option that would deprive future malware from any space to store malicious code between reboots. So even if something somehow breaches proactive protection (due to human error or whatever else), all of it will get flushed upon reboot along with everything else inside the buffer. For many people this would be ideal. If we want to update software we'll just have to take disks out of shadow mode first. This feature will be purely optional and disabled by default. Along with Drop Rights this will ensure enhanced resistance against malware.

    I think that the future looks bright for SD. If Tony manages to code these things of course. It's a serious challenge for him but he is good. I hope he adds the hidden bitlocker partition into the volume list first of all, this needs to be done sooner rather than later.
     
    Last edited: May 20, 2013
  24. Zapco_force

    Zapco_force Registered Member

    Joined:
    May 17, 2013
    Posts:
    88
    Location:
    Italy
    Hello,
    I have some questions for those of you who know Shadow Defender very well: :D

    1) Are the latest versions of SD (especially the 1.2.0.376 version) as robust and reliable as the old version from 2010?

    2) Can SD work without any problems on systems with Windows 7 64-bit Professional?

    3) Finally, was it announced whether the developer of SD remained the same as before (the great Tony)?

    4) Which is better between SD and Toolwiz TimeFreeze in terms of level of isolation?

    Thank you for any response.
     
  25. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    1. Yes; except for certain folks who have some problems such as Task Scheduler corruption. Still unverified as to what's causing them though, coz not all users face the same issue.
    2. Usually yes.
    3. You either believe he is or you don't. Tony has posted earlier on this thread but not everyone believes it's the 'original' Tony. It's anyone's guess.
    4. This is the SD thread. Which one do you think people will choose? :p
     
    Last edited: May 22, 2013