The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Timok

    Timok Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    58
    Location:
    Germany
    Hi

    Is there any manual etc on witch way I can keep changes in the shadow mode over a reboot in shadow mode without writing it to the real system like Acronis Try&Decide? The reason for this question is that you have sometime software you cant test / use without reboot.
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    A Shadow Mode session can't persist over a reboot so, unfortunately, this isn't possible with Shadow Defender.
     
  3. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    What Am I doing Wrong

    Hi @ ShadowDefender

    I am using Win 10 64bit Latest Shadow Defender 617

    When I elect to use enter Shadow Mode on Boot, nothing seems to happen. By that I mean it goes into Shadow mode but when I reboot it is still in Normal mode. ie I am not in Shadow Mode.

    Even if I reboot again I still remain out of Shadow Mode. has anyone experienced this?

    What do i need to do to keep in Shadow mode after a reboot?

    thanks

    Terry
     
  4. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,158
    Hi Terry,
    I've sent Tony an email...I will let you know if I get a reply.

    Patrick

     
  5. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,555
    I coudn´t replicate it (Windows 10 x64), system entered in Shadow Mode after reboot.
     
    Last edited: Apr 5, 2016
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Just curious, is Tony the only one working on Shadow Defender, or is there a team behind it all?
     
  7. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,158
    Tyrizian
    As far as I know, he is on his own.

    Patrick

     
  8. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,158
    Re: 1.4.0.617 maybe problem 5 april 2016‏

    support@shadowdefender.com
    2:17 AM

    To: Patrick
    Hi Patrick,

    Thanks for your feedback.
    Did he use any software to replace the original Windows desktop?

    Best regards,
    Tony






    On 2016-04-06 03:05 , Patrick Wrote:

    Hi Tony,
    Someone on Wilders forum says
    https://www.wilderssecurity.com/threads/the-unofficial-shadow-defender-support-thread.293075/page-179

    #4453

    'What Am I doing wrong?

    Hi @ ShadowDefender

    I am using Win 10 64bit Latest Shadow Defender 617

    When I elect to use enter Shadow Mode on Boot, nothing seems to happen. By that I mean it goes into Shadow mode but when I reboot it is still in Normal mode. ie I am not in Shadow Mode.

    Even if I reboot again I still remain out of Shadow Mode. has anyone experienced this?

    What do i need to do to keep in Shadow mode after a reboot?

    thanks

    Terry'
    ...........................................................................

    best wishes

    Patrick


     
    Last edited: Apr 6, 2016
  9. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi Patrick

    Not sure what you mean by "replace Desktop", but I am using Backgrounds that I have downloaded from reputable sources ie. These are pictures of for example cities that change every few minutes.

    Hope this is clear?

    Thanks

    Terry
     
  10. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    A Bootkit

    Hi Patrick

    Another one for your team to help with if possible.

    As you can see I am using Shadow Defender more often and by chance, in Shadow mode I did a scan using Hitman Pro Free WHEN IN Shadow Mode. Shock horror it revealed the following.

    Volume Boot Record (Sector 20684:cool:

    BootKit

    C:$VBR_206848

    You are probably aware that you cannot take any actions with Hitman Pro Free. I have never had any viruses before and Scan regularly with BitDefender, MalwareBytes and HMP Pro.

    I did a search on Google which came up with this link to Bleeping Computer under the heading "Zero Access RootKit"

    http://www.bleepingcomputer.com/forums/t/497305/infected-with-zeroaccess-rootkit/page-3

    I then shut down the PC and came out of Shadow Mode and rebooted to normal non Shadow mode. Then re-ran the HMP pro scan again. Result NOTHING.

    Just to rule out that I might have picked up a rootkit and then removed it on reboot, I returned to Shadow Mode and re-ran the HMP Pro scan, AND, sure enough it picked up the BOOTKIT again exactly the same as shown above.

    So, Questions

    Is HMP Pro picking up a false positive when Shadow mode is running?

    Or has Shadow Defender got a "nasty" lurking within it?

    For information I am using V 1.4.0.617 downloaded from the authors Shadow Defender site.

    What do I do next?

    Thanks

    Terry
     
  11. guest

    guest Guest

    False Positive; because in Shadow Mode, SD manipulate the MBR , so detected by HMP; same issue with Rollback RX.
     
  12. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Oh ok, thank you, Patrick
     
  13. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Is this program (when is set to go in Shadow Mode on boot) protect MBR and things like Petaya Ransomware?
     
  14. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Yes...SD should protects MBR but probably nobody did test it against Petya.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,788
    Location:
    .
    I have a spare HDD to test but can't find a link to download Petya. Perhaps a PM to me?
     
  16. I L M B

    I L M B Registered Member

    Joined:
    Mar 29, 2016
    Posts:
    7
    Location:
    Seattle, WA
  17. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    From what I've read the 'giveaway' version is one off from the official version (eg a tad older) but for a new user it might be a good option to use (disable auto-updates though as it doesn't upgrade and stay registered) then if you like it and want to update you could purchase it via the official site. I also read the giveaway uses online activation whereas the the original/official version doesn't use this.
     
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This is excellent offer for all.
    Here is info about it.
    Terms and Conditions:
    This is a 1-computer lifetime license, for noncommercial use
    You get free updates
    You get free tech support via email
    Must be downloaded and installed before this offer is over -- you cannot install / reinstall later, such as if you get a new computer
    May not be resold


    Thank you for testing it (could you send my Petya sample in PM?), waiting for screenshots.
     
  19. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,342
    Location:
    Europe, UE citizen
    Well, just to understand: I installed SD and I tried it: it worked. Then it says that there is a new version ( 1.4.0.617 ), and I install it. After the reboot SD don't work and say to me that the trial version is expired ( ? ). So I decide to uninstall the new version. But after the reboot BSOD. I try a second reboot and new BSOD. I restored a disk image, but I wish to understand what happened.
     
  20. kenjie

    kenjie Registered Member

    Joined:
    Apr 9, 2016
    Posts:
    2
    time is always late or advance in my pc when im in shadow mode
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,788
    Location:
    .
    Thanks @ichito for the sample.
    Good news! I run Petya on my Win8.1 x64 PC on shadow mode and Petya didn't survive upon reboot. :thumb:

    Edit:
    I run my real machine (not VM) on shadow mode then I run Petya sample. Next the infamous BSOD:

    BSOD.JPG

    Afterwards I had to press the reset button and Windows was safe. Shadow Defender is set to boot in non Shadow Mode.

    Finally I tested Petya sans Shadow Defender. I even uninstalled it for not to interfere with my tests.
    I run Petya then the BSOD, next press the reset button on the case. Then the famous fake chkdsk pops up:

    CHKDSK.JPG

    Upon restart by pressing the button all I got was this, a blinking cursor on the screen. Not the expected red screen where the ransom is asked:

    BLINKING CURSOR.JPG


    An important step I followed was to restore C: drive image from a backup using IFL boot disk with these settings:

    IFL.JPG

    As expected IFL did its job flawlessly and my files (PDFs, images, text docs, etc.) on partition D: remained untouched.
     
  22. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    So Petya don't encript files just screw MBR?
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is almost correct. I screws the MBR, and then on reboot it encrypts the MFT. That's the damaga
     
  24. kenjie

    kenjie Registered Member

    Joined:
    Apr 9, 2016
    Posts:
    2
    After u press enter shadow mode u need to select commit
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    Mode Setting>Schedule>Enter Shadow Mode on Boot?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.