The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. coffeetime

    coffeetime Registered Member

    Joined:
    Aug 26, 2012
    Posts:
    55
    BCD editing still gets through if I use SD alone. I'm always double virtualizing nowadays: Deep Freeze first and Shadow Defender right after. Since DF blocks BCD, it doesn't bother me.
     
  2. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    coffeetime,

    I'd appreciate it if you would provide your Windows version, SD version, and whether this happens on a BIOS or EFI system? :confused:

    TS
     
    Last edited: Jul 20, 2014
  3. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Known fact (at least for me). I posted about it some time ago. I detected it making trivial changes in the BCD using EasyBCD. As I recall, someone posted that this is necessary to support hibernation in shadow mode.
     
  4. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Again I would like to know... for which Windows and SD versions?

    TS
     
    Last edited: Jul 20, 2014
  5. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    In my case, it was Windows 7, BCD in the Windows or OS (C) partition (which implies that this partition wasn't wholly virtualized). I don't know what SD version I was using at the time, but it wasn't 1.4.0.519. I haven't checked this recently.
     
    Last edited: Jul 20, 2014
  6. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Thanks for the info Robin. Just one more question... are you using an EFI-based system?

    Fwiw, this definitely should not happen with build 519!

    TS
     
    Last edited: Jul 22, 2014
  7. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    I just checked with SD 519, Windows 7 SP1. The same as before. Being in shadow mode, I made a trivial change in the BCD using EasyBCD, then rebooted. After the reboot, the change remained.

    I think this is not very important in terms of the "quality" of SD. And, if what I posted above is true, the BCD is excluded in order to support hibernation in shadow mode, which can be a useful feature.

    I haven't checked this in UEFI and Windows 8.1. I think I read somewhere that EasyBCD doesn't support these systems.
     
  8. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Hmm, when I get home tonight I'll make a BCD edit in shadow mode to see if I can confirm this anomaly...

    TS

    -------
    Result: I edited my system's BCD (C-volume in shadow mode), and after restarting my system the changes were indeed still there! My Win7 system is EFI-based so the BCD registry file is located in the EFI boot partition, and with v1.4.0.519 it is said... "New: Hidden boot volume will be shadowed automatically when system volume is shadowed" ...so it would seem that something isn't right here!
     
    Last edited: Jul 21, 2014
  9. ginzon

    ginzon Registered Member

    Joined:
    Sep 6, 2009
    Posts:
    80
  10. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,162
    I've just emailed Tony, citing this thread and post number. I hope that he receives the email as I have had a problem with communication for a while (unanswered emails etc).

    Patrick (admin, The Official Shadow Defender Forum)


     
  11. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Here's a simple test:
    1. Go into shadow mode and open cmd as admin.
    2. Type bcdedit /set testsigning on and execute the command.
    3. Restart the PC. Now on the right side of the screen you see some text: "Test Mode Windows 8.1 build xxxx".
    To turn it off: bcdedit /set testsigning off
     
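The two tests described above (Robin's EasyBCD edit and co22's testsigning flip) can be made repeatable so that the result is a diff of the BCD store rather than an eyeballed watermark. The script below is an added example written for this thread, not code from Shadow Defender, EasyBCD or any poster. It assumes an elevated PowerShell prompt on Windows 7 or later with bcdedit.exe on the PATH, English bcdedit output ("Yes"/"No"), and, importantly, that the Baseline step runs in normal mode before you enter shadow mode, so that the baseline file itself is not discarded by the reboot. The file path and the step names are assumptions of the example.

```powershell
# Added example (not from the thread). Checks whether a BCD edit made in shadow mode
# survives the reboot that is supposed to discard it.
#
# Assumed workflow:
#   .\Test-BcdLeak.ps1 -Step Baseline   # normal mode, BEFORE entering shadow mode
#   .\Test-BcdLeak.ps1 -Step Change     # inside shadow mode: flips testsigning (co22's test)
#   (reboot: shadow-mode writes to the system volume should be thrown away)
#   .\Test-BcdLeak.ps1 -Step Compare    # normal mode: did the BCD change stick?

param(
    [Parameter(Mandatory)]
    [ValidateSet('Baseline', 'Change', 'Compare')]
    [string]$Step,

    # Hypothetical location. If you insist on taking the baseline while already in
    # shadow mode, put this on a volume that is NOT shadowed, or it will vanish too.
    [string]$BaselineFile = "$env:ProgramData\bcd-baseline.txt"
)

function Get-BcdSnapshot {
    # Dump every entry in the store; trim trailing whitespace and blank lines so the
    # later comparison is not upset by formatting noise.
    $raw = & bcdedit.exe /enum all 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum failed: $raw" }
    ($raw | ForEach-Object { $_.TrimEnd() } | Where-Object { $_ -ne '' }) -join "`n"
}

function Get-TestSigning {
    # Value of the testsigning element of the current OS entry.
    # An absent element means the default, i.e. off. Output is assumed to be English.
    $out = & bcdedit.exe /enum '{current}'
    foreach ($line in $out) {
        if ($line -match '^\s*testsigning\s+(\S+)') { return $Matches[1] }
    }
    return 'No'
}

switch ($Step) {
    'Baseline' {
        Get-BcdSnapshot | Set-Content -Path $BaselineFile -Encoding UTF8
        Write-Host "Baseline written to $BaselineFile (testsigning = $(Get-TestSigning))"
    }
    'Change' {
        # The same harmless, visible and reversible edit co22 suggests. Braces are
        # quoted so PowerShell does not parse {current} as a script block.
        & bcdedit.exe /set '{current}' testsigning on | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set failed (is the prompt elevated?)' }
        Write-Host "testsigning is now $(Get-TestSigning). Reboot, then run -Step Compare."
    }
    'Compare' {
        if (-not (Test-Path $BaselineFile)) { throw "No baseline found at $BaselineFile" }
        $before = (Get-Content -Path $BaselineFile -Raw).TrimEnd()
        $after  = Get-BcdSnapshot
        $ts     = Get-TestSigning
        if ($before -eq $after -and $ts -ne 'Yes') {
            Write-Host 'BCD matches the baseline: the shadow-mode edit was discarded.'
        } else {
            Write-Warning "BCD differs from the baseline (testsigning = $ts): the edit survived the reboot."
            # Show exactly which lines changed; '<=' lines are baseline-only, '=>' are new.
            Compare-Object ($before -split "`n") ($after -split "`n") | Format-Table -AutoSize
            Write-Host 'Revert with: bcdedit /set {current} testsigning off'
        }
    }
}
```

Run the Compare step on a machine that was never put into shadow mode first to confirm the two snapshots match when nothing has been touched; that rules out the script itself as the source of a spurious diff. On an EFI system the store lives on the hidden EFI system partition rather than on C:, which is the case The Shadow describes, so a surviving change there is the more telling result.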
  12. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Another "issue" similar to the "exclusion" of the BCD: If, while in shadow mode, I change the system date (say from 21/07/2014 to 23/07/2014), the change remains after I reboot (Windows 7 SP1, SD 519).

    Edit: It also happens in UEFI, Windows 8.1, SD 519.
     
    Last edited: Jul 21, 2014
  13. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,162
    Hi Robin, The Shadow and I have sent off emails regarding the first issue... if you could send an email about the latter issue to support@shadowdefender.com, it might add weight to it.

    Patrick
     
  14. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Yes, I will.
     
  15. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Patrick & Robin,

    The date & time in the system tray and any changes made therein affect the real-time clock settings in the motherboard's CMOS. Shadow mode can not virtualize the CMOS, so this is not a bug. ;)

    TS
     
  16. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    It's not necessary to report a possible bug, then.
     
  17. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,162
    As I said, we've reported the first one, and The Shadow says that the second one is not a bug. I've not had a reply yet to my first bug report email. Another email about your first bug would probably be a good thing.

    Patrick

     
  18. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,236
    Location:
    USA
    SD in its latest version continues to be a very important part of my daily computer use and it has not given me reason to question its reliability. But having read of the BCD concerns by coffeetime, Robin and Shadow I sent an email off to Tony asking if this is an actual problem, or of little consequence in everyday use of SD. He has always gotten back to me within 48 hours, that is except during the 8-months he 'disappeared' (for reasons unknown)...

    Cruise
     
  19. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,162
    I received a reply from Tony re EasyBCD issue

    Patrick
    ...................................

    Re: urgent Shadow Defender bypass
    support@shadowdefender.com
    2:03 AM
    To: Patrick
    support@shadowdefender.com

    Hi Patrick,
    Thanks for your information.
    I am digging this issue.
    Best regards,
    Tony

    On 2014-07-21 13:42, Patrick wrote:
    > Dear Tony,
    > It looks like Shadow Defender might be bypassed by a tool called BCD
    >
    > see post here at
    >
    > https://www.wilderssecurity.com/threads/the-unofficial-shadow-defender-support-thread.293075/page-138
    > [1]
    >
    > post
    >
    > #3432 [2]
    >
    > here is a link to the software
    >
    > http://www.softpedia.com/get/System/OS-Enhancements/EasyBCD.shtml
    >
    > best wishes
    >
    > Patrick

    Patrick Admin The Official Shadow Defender Forum
     
  20. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    I think the important part of the message went through.

    To clarify, the case seems to be that the BCD is excluded from virtualization. This can be "verified" using EasyBCD or other tools, as co22 pointed out above.
     
  21. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    SD allows certain writes to occur to a shadowed volume (eg. BSOD crash dump) and some of these hard-coded exceptions may be for compatibility. This BCD behaviour may be to do with that.

    I would like to see a checkbox option so that these hard-coded exceptions can be disabled when in shadow mode, so nothing gets through. Even better would be the ability to selectively choose which exceptions you want to allow (eg. allow BSOD crash dump but nothing else). This way an exception could be added to SD to make it work with some software you use, but other people could disable this exception.
     
  22. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    1,014
    Location:
    Brooklyn, USA
    Sounds good to me. Please email Tony with that suggestion and thanks for posting it.

    Gary
     
  23. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    596
    Location:
    Austria
    Yes, it may be useful for experts. But I fear that with such specific options the handling of SD will become more complicated for the average user (like me :D). One of SD's virtues is its easy way to use it. This virtue should not be abandoned (unless this is necessary because of security reasons).
     
  24. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    I received a reply from Tony this morning to the effect that he has not been able to reproduce the reported BCD problem, asking me for details about my system partitions. I replied with all of the details he requested along with exact info as to the BCD-file edit that I made while in shadow mode - surviving a system restart (which in my mind is an SD bug)!

    I'm really surprised that Tony has not been able to reproduce the problem because I only verified what others (coffeetime and Robin) reported re BCD-edits (in shadow mode) surviving a system restart. o_O

    TS
     
  25. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    I haven't seen evidence of any such SD hard-coded exceptions, but if there are any they must be there for system stability reasons and I don't believe it's wise or productive to allow users to mess with SD's underlying code!

    In any case, the BCD issue is not and should not be considered a deliberate exception to shadow mode protection. It is, pure and simple, an unwanted outcome which opens a back-door for malware! It is therefore a bug and I don't think it serves our purpose of the moment bothering Tony with extraneous issues when he is trying to reproduce and fix the reported bug. :confused:

    TS
     
    Last edited: Jul 24, 2014