The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
Now that I think about it, I may have seen such evidence recently. I had several BSOD events while in shadow mode ("The system has closed to protect your computer...", or something similar, also references to a driver). The computer rebooted automatically, and after the reboots I found records of the crashes in the event viewer. At the time I concentrated on finding out what had caused the BSODs, and didn't think about why SD had allowed the records to be written to the real system.
     
  2. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,236
    Location:
    USA
    Hi Robin,

    As TS suggested, there may be such exceptions for system stability purposes and what you describe seems to 'fit that bill'.

I don't mean to speak for TS, but it seems to me that the point he is making is that the BCD issue should not be considered in the same light as a BSOD or crash report occurrence. Rather, TS points out that the BCD issue introduces a serious security flaw in SD which malware could exploit. As far as I'm concerned it's critical that Tony give this his undivided attention at this time!

    Cruise

    PS. Kudos to you guys for uncovering this BCD issue!
     
  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    The example I gave of BSOD crash dump is one such exception. To reproduce, enable the Pagefile (dump cannot be created without it), put your system in Shadow Mode and then force a BSOD with a tool like BANG! (http://www.osronline.com/article.cfm?article=153).

The actual crash dump is created on boot (in C:\Windows\Minidumps), but uses data written to pagefile.sys when the crash occurs (i.e. when it is in shadow mode). A solution to this is to disable the pagefile altogether, and then obviously nothing can be written to it.

    There are other cases that SD gives special treatment to.

    My suggestion is not to allow users to mess with SD's underlying code, but to give the option for them to shadow absolutely everything, without exception, apart from when that interferes with SD's/Windows stability.

@Peter 123 - The simple implementation would add one extra checkbox to the Administration section, e.g. "Don't allow hard-coded exceptions". The more flexible solution would also need some kind of list with checkbox items for each exception, which the user could then enable/disable per their requirements.

    @huntnyc - Sent an e-mail to Tony suggesting this.
     
    Last edited: Jul 24, 2014
  4. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
Hi guys, I got a chance to pop in and read the reports about a possible BCD-centric bug, so I fired up my W7 notebook, entered shadow mode and, using BCDEDIT, made a change (that would be very apparent) to my BCD file... Disappointingly, the BCD change that I made (while my system volume was shadowed) took effect after rebooting! :(

So I too can confirm this bug, and I will send off an email to Tony this evening with my observations.

    Wendi
     
    Last edited: Jul 24, 2014
  5. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Earlier this morning I received a pm from Wendi. She said that while she encountered the BCD issue on her Win7 home laptop last night, curiously enough she does not experience the problem on the Win7 PC at her school this morning and would send her observations to Tony.

    I just received an email from Tony notifying me that he knows the cause of the BCD problem. According to Tony, systems with SRP/EFI partitions will not experience the reported BCD problem. He tells me that it will only occur on systems where the BCD file is stored on the C-volume (rather than in a SRP/EFI partition).

    Tony went on to say that this will be fixed in the next build of SD (which I expect to be released in a matter of days)... :thumb:

    TS
     
    Last edited: Jul 25, 2014
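The two persistence paths discussed in this part of the thread (the pagefile-fed crash dump Defenestration describes, and the BCD-on-C: layout Tony identified) can both be checked read-only from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from Shadow Defender; it assumes the standard CrashControl and Memory Management registry keys and English-language bcdedit output (the `device` line is matched by name).

```powershell
# Added example (not from this thread or from Shadow Defender): a read-only audit of the
# two persistence paths discussed above, so a defender can tell whether a host is in the
# affected configuration. Run from an elevated PowerShell prompt (bcdedit needs admin rights).
# Assumptions: standard CrashControl / Memory Management registry keys, English bcdedit output.

function Get-CrashDumpExposure {
    # Crash dumps are staged in the pagefile at BSOD time and written out on the next boot,
    # which is the exception described in the thread. Report whether that path is open.
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $mm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    $dumpDir = if ($cc.MinidumpDir) {
        [Environment]::ExpandEnvironmentVariables($cc.MinidumpDir)
    } else {
        Join-Path $env:SystemRoot 'Minidump'   # Windows default when the value is absent
    }
    $paging = @($mm.PagingFiles) -join '; '     # REG_MULTI_SZ; empty when no pagefile is configured

    [pscustomobject]@{
        CrashDumpEnabled = [int]$cc.CrashDumpEnabled   # 0 none, 1 complete, 2 kernel, 3 small, 7 automatic (Win8+)
        MinidumpDir      = $dumpDir
        PagingFiles      = $paging
        PagefileEnabled  = -not [string]::IsNullOrWhiteSpace($paging)
    }
}

function Get-BcdStoreLocation {
    # Ask bcdedit which device holds the boot manager's store. With a separate System Reserved
    # or EFI partition the device line names that partition (e.g. \Device\HarddiskVolume1);
    # without one it names the Windows volume itself (partition=C:).
    $lines = & bcdedit.exe /enum '{bootmgr}' 2>&1
    $deviceLine = $lines | Where-Object { "$_" -match '^\s*device\s+' } | Select-Object -First 1
    $device = if ($deviceLine) { ("$deviceLine" -replace '^\s*device\s+', '').Trim() } else { 'unknown' }

    # $env:SystemDrive is normally "C:"; a match means the BCD lives on the shadowed Windows volume
    $onWindowsVolume = $device -match ('partition=' + [regex]::Escape($env:SystemDrive) + '$')

    [pscustomobject]@{
        BootManagerDevice  = $device
        BcdOnWindowsVolume = $onWindowsVolume   # $true = the layout reported as affected in the thread
    }
}

function Invoke-ShadowExceptionAudit {
    $dump = Get-CrashDumpExposure
    $bcd  = Get-BcdStoreLocation
    $findings = @()

    if ($dump.PagefileEnabled -and $dump.CrashDumpEnabled -ne 0) {
        $findings += "Crash dump path is open: pagefile [$($dump.PagingFiles)] feeds $($dump.MinidumpDir) on reboot."
    }
    if ($bcd.BcdOnWindowsVolume) {
        $findings += "BCD store is on the Windows volume ($($bcd.BootManagerDevice)), the layout reported to persist bcdedit changes made in Shadow Mode."
    }
    if (-not $findings) {
        $findings += 'Neither persistence path reported in the thread applies to this host.'
    }

    [pscustomobject]@{ CrashDump = $dump; Bcd = $bcd; Findings = $findings }
}

$audit = Invoke-ShadowExceptionAudit
$audit.CrashDump | Format-List
$audit.Bcd       | Format-List
$audit.Findings  | ForEach-Object { "FINDING: $_" }
```

A crash-dump finding maps to the mitigation already given in the thread (disable the pagefile, or disable crash dumps via CrashDumpEnabled = 0, if that write path is unwanted while shadowed); a BCD finding identifies a host that needs the fixed SD build Tony announced. Without elevation bcdedit returns an error instead of the store listing, and the function then reports the device as `unknown` rather than guessing.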
  6. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,161
Excellent TS, that's great news :) I love to see everyone pulling together. This is what it's all about for me. I'm no expert myself, but I love the development when it works out like this.
    'Well done!' everyone for submitting your reports and of course not forgetting Tony :)
     
  7. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
Doesn't Secure Boot prevent changes to the BCD in UEFI systems, independently of SD?
     
  8. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    I wouldn't know that for sure Robin, Win7 doesn't support secure boot and that's my OS of choice. Afaik, secure boot checks that Win8 is using trusted boot software. I doubt that a BCD edit would invalidate the BCD file's signature, but as I said, I really don't know since I'm a Win7 guy. ;)

    TS
     
  9. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
So does this issue apply to UEFI systems only? Still using XP here.
     
  10. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Tom,

    You're safe with XP (at least as far as the BCD issue is concerned). The BCD issue only affects certain configurations of Vista, 7 and 8, specifically those configurations where the BCD is stored on C:

    Wendi
     
  11. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
Well... one plus for XP :D
     
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
Has anyone had any issues with Webroot and SD? I just installed SD on a spare machine and every time I boot up Webroot kills SD!
The tray goes away and even the processes... I don't think it's my other security software, because I have run SD alongside ERP and VS.
When I try to add SD to the exclusions in Webroot it doesn't show Defender in Program Files, but defender.exe in the temp folder in AppData o_O
     
  13. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    I'm pretty sure that's a WSA issue. When this happens save and open the WSA log. If you see any SD entries marked as (U)ntrusted you need to send the log to Webroot Support advising them that SD is to be trusted.

    TS
     
  14. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
BCD doesn't exist in XP. It was introduced in Vista.
     
  15. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  16. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    re: giveaway

    Hmm no code in the email.
    Is it an unprotected archive that is downloaded and so no code is required?
     
  17. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks, where do I find the logs?
     
  18. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
It is definitely a Webroot issue, because with the realtime shield off SD loads fine. Now how do I fix this?
     
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
The installation pack you download includes shadow-wd.txt and Setup.exe... inside the text file we have the info.
     
  20. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I am running Avira and EXE Radar Pro, with Shadow Defender

    I added the following to the File Exclusions List.

    C:\Program Files (x86)\Avira\*
    C:\Program Data\Avira\*
    C:\Program Data\NoVirusThanks\EXE Radar Pro\*

Now, my question is: is the above enough to retain/auto commit changes when updating Avira and making decisions within EXE Radar Pro (whitelisting, blacklisting, etc.)?

    Am I missing anything, or are these settings just fine?
     
  21. Cazandros

    Cazandros Registered Member

    Joined:
    Oct 14, 2007
    Posts:
    37
btw: Another source where you can get Shadow Defender for free (no updates, does not expire).
     
  22. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,161
    I can't really see the point or reasoning behind the release of these nobbled versions.

     
  23. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
Try right-clicking on the WSA icon in the system tray. Save the log and if you see any SD processes preceded by a {U}, notify Webroot Support.

    TS
     
  24. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    The purpose is to get your e-mail address.
     
  25. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    thanks ichito
     