A little ShadowUser story.

Discussion in 'other security issues & news' started by spy1, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    So I come home from work last night (the computer's still in ShadowMode like I left it when I left for work, and ProcessGuard's "Locked" and "Block new and changed applications" is check-marked) and check my email with MailWasher.

    Two emailed virus alerts from NOD32:

    Time Module Object Name Virus Action User Info
    1/28/2005 18:09:00 PM IMON archive ht tp://w12.biz/v6/ar.jar multiple infiltrations error quarantining the object - NONE-8EE7DS6F1Q\Family

    Time Module Object Name Virus Action User Info
    1/28/2005 18:03:04 PM IMON archive ht tp://w12.biz/v6/ar.jar multiple infiltrations connection terminated NONE-8EE7DS6F1Q\Family

    (All defensive programs are running in ShadowMode, so my son's already aware that we'll be talking as soon as he sees the NOD alert flash up onscreen - he knows it automatically emails me about infections - oh, yeah, NOD's passworded, too).

    So I check the PG log for the approximate time indicated in the alert:

    Fri 28 - 18:00:48 [EXECUTION] "c:\program files\windows media player\wmplayer.exe" was allowed to run
    [EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1988]
    [EXECUTION] Commandline - [ "c:\program files\windows media player\wmplayer.exe" /ocx /nolibraryadd /play "http://galleries.jomg.com/content/mackenzie/04.mpg" /prefetch:10 ]
    Fri 28 - 18:05:09 [EXECUTION] "c:\program files\windows media player\wmplayer.exe" was allowed to run
    [EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1988]
    [EXECUTION] Commandline - [ "c:\program files\windows media player\wmplayer.exe" /ocx /nolibraryadd /play "http://www.realgirls4free.com/moviegallery/7/movies/erin019.mpg" /prefetch:10 ]

    (I won't bore you with the complete report of websites visited on the family profile that I got with Index.dat Suite).

    Anyhow, shut it down for the night after telling it to come out of ShadowMode on the re-start. Ran NOD32's "In-depth analysis" first thing after starting up this morning and making sure it was updated. See screenshot.

    Ran a full "Search" for w12.biz - v6 - and - ar.jar - no traces found anywhere.

    A scan with AdAware (free and updated) - set to "Perform full system scan" - turned up nothing related to the incident - not even cookies from any of those sites.

    Likewise, a full scan with SBS&D 1.4 b2 (updated and with all options set) found nothing relating to the incident.

    Okay, my point here isn't my son's surfing habits - the point is that as soon as you walk away from your personal home computer and other people start using it, you don't know where they're going to go and what's going to happen to it.

    That's why you should run a program such as ShadowUser.

    Furthermore, it's why you shouldn't even think about abandoning any of your defensive programs - from an "information" or "documentation" standpoint, they're invaluable - and indeed, regardless of whether you run ShadowUser/ShadowSurfer, DeepFreeze or whatever, your defensive programs should be running within that environment.

    I came out of that little episode as clean as a whistle as soon as I came out of ShadowMode - but I was still notified of the event, was able to examine what went on and was able to ensure that there wasn't any damage done after return to normal running conditions.

    Just thought some might find it interesting. Pete
     

    Last edited: Jan 30, 2005
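    The pivot spy1 describes above (take the time from the NOD32 alert e-mail, then read the ProcessGuard log for the minutes leading up to it, and see what ran and which parent started it) can be automated. The script below is an added example, not code from the post or from either vendor. It parses the two log layouts shown in the post on constructed sample lines, with example hosts in place of the real ones, and for each alert lists the executions in the window before it, the parent processes involved and the remote hosts named on their command lines. The ProcessGuard lines carry only a day-of-month and time, so the year and month are supplied by the caller; that, and the list of browser images treated as "browser-spawned", are assumptions of the example.

```python
"""Correlate antivirus alert e-mails with ProcessGuard execution log entries.

All sample data below is constructed for this example; hosts use example domains.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: NOD32 IMON alert records in the layout the post shows.
# The time field is already 24-hour; the trailing "PM" is a quirk of the log.
NOD32_ALERTS = r"""
1/28/2005 18:09:00 PM IMON archive http://malware.example.invalid/v6/ar.jar multiple infiltrations error quarantining the object - HOST-1\Family
1/28/2005 18:03:04 PM IMON archive http://malware.example.invalid/v6/ar.jar multiple infiltrations connection terminated HOST-1\Family
""".strip()

# Constructed sample: ProcessGuard log in the layout the post shows.
PG_LOG = r"""
Fri 28 - 17:12:30 [EXECUTION] "c:\program files\mailwasher\mailwasher.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1234]
Fri 28 - 18:00:48 [EXECUTION] "c:\program files\windows media player\wmplayer.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1988]
[EXECUTION] Commandline - [ "c:\program files\windows media player\wmplayer.exe" /ocx /nolibraryadd /play "http://media.example.invalid/clip1.mpg" /prefetch:10 ]
Fri 28 - 18:05:09 [EXECUTION] "c:\program files\windows media player\wmplayer.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1988]
[EXECUTION] Commandline - [ "c:\program files\windows media player\wmplayer.exe" /ocx /nolibraryadd /play "http://media.example.invalid/clip2.mpg" /prefetch:10 ]
Fri 28 - 18:41:02 [EXECUTION] "c:\program files\nod32\nod32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1234]
""".strip()

ALERT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?:AM|PM) "
    r"(?P<module>\S+) (?P<object>\S+) (?P<name>\S+) (?P<rest>.*)$")
PG_EXEC_RE = re.compile(
    r'^(?P<dow>\w{3}) (?P<day>\d{1,2}) - (?P<time>\d{2}:\d{2}:\d{2}) \[EXECUTION\] '
    r'"(?P<image>[^"]+)" was (?P<verdict>\w+) to run')
PG_PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]')
PG_CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')
URL_HOST_RE = re.compile(r'https?://([^/\s"]+)')

# Assumption of this example: images whose children count as "browser-spawned".
BROWSERS = {"iexplore.exe"}


def parse_nod32_alerts(text):
    """One dict per alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        alerts.append({"when": when, "module": m["module"], "object": m["object"],
                       "name": m["name"], "detail": m["rest"]})
    return alerts


def parse_pg_log(text, year, month):
    """Group each EXECUTION header with its 'Started by' and 'Commandline' lines.

    PG lines carry only day and time, so year/month are supplied (assumption:
    every entry falls in that month).
    """
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PG_EXEC_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m["time"].split(":"))
            events.append({"when": datetime(year, month, int(m["day"]), h, mi, s),
                           "image": m["image"], "verdict": m["verdict"],
                           "parent": None, "parent_pid": None, "cmdline": None})
            continue
        if not events:
            continue  # continuation line before any header; nothing to attach it to
        m = PG_PARENT_RE.match(line)
        if m:
            events[-1]["parent"], events[-1]["parent_pid"] = m["parent"], int(m["pid"])
            continue
        m = PG_CMD_RE.match(line)
        if m:
            events[-1]["cmdline"] = m["cmd"]
    return events


def browser_spawned(events):
    """Executions whose parent image is a browser (the pattern in the post)."""
    return [e for e in events
            if e["parent"] and e["parent"].rsplit("\\", 1)[-1].lower() in BROWSERS]


def correlate(alerts, events, window=timedelta(minutes=10)):
    """For each alert: executions in the `window` before it and hosts from their command lines."""
    report = []
    for a in alerts:
        hits = [e for e in events if a["when"] - window <= e["when"] <= a["when"]]
        hosts = sorted({h.lower() for e in hits if e["cmdline"]
                        for h in URL_HOST_RE.findall(e["cmdline"])})
        report.append({"alert": a, "executions": hits, "hosts": hosts})
    return report


if __name__ == "__main__":
    alerts = parse_nod32_alerts(NOD32_ALERTS)
    events = parse_pg_log(PG_LOG, 2005, 1)
    for r in correlate(alerts, events):
        a = r["alert"]
        print(f"{a['when']:%Y-%m-%d %H:%M:%S} {a['module']} {a['name']}: {a['detail']}")
        for e in r["executions"]:
            print(f"  {e['when']:%H:%M:%S} {e['image']} <- {e['parent']} [{e['parent_pid']}]")
        print(f"  hosts seen: {', '.join(r['hosts']) or '(none)'}")
```

    Run as-is it prints, for each alert, the two media-player launches started by iexplore.exe that preceded it and the host they fetched from. Widen `window` if the mail gateway delays alert delivery, and feed it the real `.log` files instead of the constants to use it on your own machine.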
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Very good story.

    As I have stated in the "experiences" thread, Process Guard/SSM/FreezeX, an AV and a firewall are all important. But honestly, looking at your story, nothing happened that doesn't happen everyday on thousands of computers running Deep Freeze in schools, libraries, etc. all over the world, where a simple reboot is a simple fix.

    All of the "defensive tools" that were useful were your AV (only to warn you of the need to reboot as cleaning doesn't matter) and Process Guard told you nothing attempted to execute. Your firewall would have prevented any unwanted outbound connections. Those are the three things I believe one needs while running Deep Freeze and maybe Shadowuser, but I am not as familiar with that program so can't be as sure. Everything else you run "defensively" and checked after the fact only satisfied your healthy interest in security, which we all have here. I mentioned in the other thread that programs like Deep Freeze can take the fun out of all this as most of these tools are rendered obsolete with Deep Freeze use, and I stand by that.

    BTW, as you inquired as to where my article is in the other thread, I thought I would mention that I have expanded the scope to include not only Deep Freeze, but Drive Vaccine as well. Shadowuser will be mentioned, but as it works in a different way than the other two it will not get the "full treatment." I usually spend weeks, not days, on an article for publication and I am guessing it will be ready within 30 days or so. I was surprised to read your comments in the other thread asking about the state of the piece, now you know. The other thread was asking for experiences for me to use and that was the very earliest stage of my research. It's coming along fine and I am more convinced than ever that my basic premise, which I have outlined in the "experiences" thread, is absolutely correct. Short version: Deep Freeze/Drive Vaccine, Process Guard/FreezeX, an AV and a good firewall. That's all one needs and every other tool is merely used for curiosity or verification. Which, BTW, is perfectly fine. Some like to run lean systems without dozens and dozens of "defensive tools" and DF/DV allows this with complete confidence in the security of their system.

    Thanks for sharing your story. It shows the need to run a program like these mentioned in order to return our computers to a perfect state within seconds. For those with families using their computers it becomes a must-have (as your experience clearly shows!)

    Gerard Morentzy
     
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I have been very happy with Deep Freeze, what are the advantages of ShadowMode over DF? I believe a good packet filtering/application firewall is the most important complement to either of the above. Although programs like DF fix your computer on a reboot, they are unable to stop important information from leaking once you are compromised, until a reboot. An antivirus is also a good idea since you could blindly allow changes to be saved on a reboot after being infected and not knowing so.
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Oops! You'd think he'd know better with such a beefy setup :) At least your computer is safe, but is he?

    You've actually piqued my interest in ShadowUser, especially since you seem to use your computer the same way I do (as discussed in the PG forum) :) DF sounds great for users that only do certain things with their system, and always want it to do just that, but ShadowUser sounds like a much better solution for people like myself.
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    AJohn,

    I agree with you as per the firewall. To me, a firewall is just a given. You are 100% correct.
     
  6. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Hi Notok,

    A lot of people say that but are unaware that you can do anything at all while in a frozen state with Deep Freeze. One of the great things for some people is being able to trial programs for hours and it's gone on reboot. If you like it, simply go back and install while in a thawed state. If you didn't want to keep it, or the program has served its purpose, reboot and it's gone! Some of the most avid users, as I understand it, are people who like to trial tons of programs.
    Gerard
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Gerard- Thanks, but I would actually want the ability to commit without rebooting multiple times, that would be way too much of a PITA for me. DF may be the solution for some but, just like most of the rest of life, not 100%.
     
  8. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Yep, DF is perfect for playing around with settings or trialing apps. I'm no longer worried about having to do a backup before installing things, I just go to town and if something happens I dislike I reboot. There are some programs where this will not work (programs that require a reboot to run), but for the most part this is not the case. Even if something gets through all my security layers, the worst possible thing that could happen is personal data leaking, and the important data is encrypted anyway :D
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Gerard - I specifically posted this thread to discuss an incident that occurred here and how it was handled by ShadowUser the way I have it set up (with defensive programs included in the ShadowVolume).

    You, on the other hand, took this opportunity to (once again) thoroughly promote DeepFreeze at the expense of ShadowUser.

    I'm really beginning to wonder about your motives.

    Your position has changed radically on what you need to run with DeepFreeze since your first post - and your statements about what DF can and can't do have moved from fact to fancy, judging by the statement from you I quote below. (Just my opinion, of course).

    Totally untrue, Gerard (why are you lying to promote DeepFreeze?). You most definitely can not defrag or run disk management while frozen.

    Can you save programs that you've d/l'ed and installed while frozen, files d/l'ed with DF alone? On-the-fly? While in the protected state? If so, please point out to me where it says that in the program's documentation (thank you). If not, your statement is patently false.

    You can't defrag or run disk management in ShadowMode, either - but you can certainly do the rest by simply clicking the "Commit" item in the right-click context menu when you're a ShadowUser.



    Sounds amazingly like you can't commit stuff to the disk permanently without un-freezing, doesn't it?


    Notok - Not only can you "commit" on-the-fly with ShadowUser - you can also (as of v2.5) do a re-boot directly back into ShadowMode instead of to the clean state - thus by-passing the problem of programs that must re-boot the computer (and there are more than just a few of those out there) to "take" properly.

    I quite agree, AJohn - people should encrypt their valuable personal data if they have any on their computers.

    But get real - how many of them do?

    That's why I consider it so vital to have defensive programs up and running in whatever environment you're running in.

    Y'all have a great evening. Pete
     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Thnx, will give it a try ;D
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    lol, that was actually my next question.. we seem to be "on the same wavelength" here :D I appreciate the more objective insight.
     
    Last edited: Jan 29, 2005
  12. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    ShadowUser Pro. is way better than Deep Freeze Pro.

    ShadowUser actually has an exclusion list, instead of just excluding a partition, among many other advantages.
     
  13. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Spy 1,

    To be honest, your attitude hardly deserves a response. I haven't said or done anything to deserve that outburst.

    You yourself mentioned Deep Freeze. I took this opportunity to say that your experience showed that programs like this are needed. Did I say more? Yes, but so what? Shall I count the number of times you have jumped in on Deep Freeze threads to "thoroughly promote" Shadowuser?
    Because I said something about Deep Freeze in your Shadowuser thread? Please, you're being aggressive and accusatory when it's not needed. Should I remind you I mentioned, in this thread or another, that I have expanded the scope of my article to include a competing product of Deep Freeze? (Drive Vaccine)
    I have added that you need an AV (though if configured with data elsewhere, online scans would work fine) and I mentioned a firewall in my later posts after it was mentioned. I don't think of a firewall as being anything more than a given. I run a hardware firewall as well as Sygate. I don't think of those as being security add-ons like most of the programs we discuss here at Wilders. I think you're looking for things to be mad about when they are not there. What if I did change my opinion? Don't we all?
    You mention this quote.....
    Slow down. Lying? It is your misunderstanding of what I meant. I wasn't talking about running system utilities. WHY would one need to defrag a DF frozen disk? It is all temporary until reboot. It puts everything back as it was byte for byte. Defragging would be useless. You simply misunderstood. I certainly wasn't lying.
    I said that. That's what makes installing new programs to check them out so easy. Yes, you can save the program download to another partition. That's how I have it configured. I'm talking about the installation file. No, of course you can't save the program without a reboot. That's the DF protection and how it's different from Shadowuser. It's just different, that's all! The statement as I said it was absolutely true. It's not false in any way.
    And that's exactly what I said, Spy 1. In fact, you put my exact words in your post:
    I couldn't have been more plain. I don't get your aggressive attitude.
    I agree. It's different ways of the programs handling things. Not right or wrong, just different. With Deep Freeze, as you install you can select "boot thawed x number of times." Meaning, you can boot into a thawed state twice so all programs will "take."
    You too, Pete. I don't understand all the anger you have unleashed at me. It sounds like I should be telling you to have a better evening. Something other than this is obviously wrong to cause such anger. I apologize for talking about Deep Freeze in your Shadowuser thread. It didn't even occur to me that what I said should not have been said in this thread, as you have been chiming in with thoughts/comparisons with DF and Shadowuser in my threads. Which is fine! I say there needs to be some calm and put this into perspective. I surely don't believe it's worth the upset.
    Gerard Morentzy
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Gentlemen, keep it nice and calm and on topic, this being Shadowuser and Spy1's experiences with it.

    Cheers

    Blackspear :D

    PS. It has piqued my interest as well.
     
    Last edited: Jan 29, 2005
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Gerard: I really didn't sense any real anger or aggression in Spy1's comments.. just perhaps a bit critical of the approach you've chosen to take. I hope you can take another look at his posts and consider them constructively enough to perhaps include some more objective information on DF. I'm still waiting for some input on what it's like to use DF on a daily basis.. how much resources it uses, how much time it adds to startup, etc etc (yes I read the website material, it still left me with most of the same questions.. but thanks anyway :/ ) Spy1 has been very forthcoming with his experiences and how DF and SU could potentially fill different niches, I would very much appreciate it if you could provide some similar perspective on how it actually works in "the real world" Who knows, maybe some of us can help reason things out in a way that would be beneficial to your article :)

    I've been very interested in using some true sandbox software (not just behavior blockers) from the start (DF only kinda fits this category from what I can tell), but until I have the resources to obtain a second machine for testing, I am looking for more insight before trying a bunch of stuff. Between what you and Spy1 have provided, I have a much clearer idea of what SU is, what kind of users it could benefit, and who it would NOT be appropriate for. My problem(?) is that the more someone tries to 'pitch' something to me, without any technical details, the less likely I am to pay attention or believe what's being said.

    Back to the topic at hand...
    Spy1: What's SU like on resources?
     
  17. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Pete, I just want to know more about how this app. works. :D

    Currently, like you I think, I have no HDD backup..

    I am looking for viable alternatives and ShadowUser looks very interesting to me.



    snowbound
     
  18. dog

    dog Guest

  19. controler

    controler Guest

    This might sound silly but I wonder why the schools don't either run user accounts with NO install privileges or run other software that limits any user's functions, like installs etc. I am sure if your children are like mine they would be upset if you took their right to install their Bonzi Buddy etc.?

    I guess I could give ShadowUser a try since I just reformatted this test box and so far only have SpySweeper, BOClean, the latest version of SSM and Look 'n' Stop. May even try out DF if there is a trial.
    It does not take me long to reformat. All you need is a Windows SP2 CD, your security apps with keys on CDs and a fast internet connection and you are good to go.

    Bruce
     
  20. Kaupp

    Kaupp Guest

    @Pete, if I may I'd like to draw on your experience with ShadowUser.

    I notice that there is no option to exclude single files, so the alternative is to use the auto commit feature which will save changes at system shutdown/reboot.
    The difficulty I have is with saving ProcessGuard settings. I added the pghash.dat and pguard.dat in the system32 folder to the auto commit list, I then placed my C: drive in shadow mode; incidentally the ProcessGuard main folder is installed on my D: partition, which along with all partitions except for C: is excluded from ShadowMode.
    After a reboot I ran some new programs and let ProcessGuard allow them to run always, then another reboot to test if the new programs were saved in ProcessGuard during ShadowMode, but for some reason they don't show up.
    What am I doing wrong here Pete? I take it ProcessGuard is working normally for you during ShadowMode.

    Any ideas?

    regards
    Kaupp
     
  21. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    ShadowUser.exe = 4,012 K
    suatshut.exe = 256 K

    I do not remember the exact number, but DeepFreeze used very close to 2,000 K total.
    I would have to say the extra 2,000 K ShadowUser uses is worth it, there are way more options. Both are great programs, but for a PC SU wins by far.
     
  22. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Hi Bruce,

    I think this is the beauty of all of these programs. Whether it be Shadowuser, Deep Freeze, Drive Vaccine or Clean Slate. No restrictions! As you said, they are used in many environments, but Deep Freeze, for example, has 80% plus of the academic (High Schools and Universities) market to themselves. There is no denying that these programs are geared to schools, libraries, Internet cafes and corporate environments. Shadowuser is geared more to the personal PC user I believe. I think this is a smart move and one that the others should follow. I know Deep Freeze is now available for personal users for $29 but they really don't market it heavily toward individuals. Drive Vaccine has dropped their price for individuals to $49. The market for home use has finally been recognized by all of them.

    As you said, some schools do restrict everything and scrub the computers good each day. Most, though, have found the solution in these products. It's actually a good thing as far as computer education as well. It allows students to use a computer just as they would in the real world. They have access to 99% of the functions and are encouraged to "play around" with their own themes, downloaded programs, etc. In fact these products are actually called, "Non-Restrictive Desktop Protection." Meaning, simply, no restrictions to frustrate students in using the PC. They can do what they need to do and are not hampered in any way. Of course, upon reboot, it's back in a perfect state.

    Pete's experience truly does show exactly why these products are VERY beneficial in a home environment. If a parent doesn't want to be hampered by the use of one of these products (though they are, as we've discussed, awesome security tools) they can set up a dual boot system. A normal Windows XP boot for Mom and Dad and a Family Boot that is protected from any destruction by Deep Freeze, Shadowuser, Drive Vaccine, Clean Slate, etc. The dual boot is a dream for some families. As Pete told us in his first post, the problems that got on their PC from his son's surfing were completely wiped out and a perfect state was restored upon reboot. I think this is the real beauty of these programs for schools: No Restrictions! It also reduces student hacking to get a system to allow them to download or whatever. But, for families, it's the same story but instead of 1500 kids, you're talking 1,2,3,4 - just the family. But our computers are worth protecting just as much as the schools.
     
  23. controler

    controler Guest

    Do these programs also deal with all the System Restore files and hidden system files?
    In other words, if you do get infected, do these programs delete the infected files in System Restore folders as well?
    Since I know nothing about any of these programs I will ask some questions.
    When you reboot do DF and SU actually redo the entire drive or only the System folders including the REG?
    Does it delete the info then add back the good info or does it just write over the old stuff?
    It appears there is a difference in how SU handles the user settings compared to DF. This may be because SU is dealing more with the registry settings on reboot?

    Thank you

    Bruce
     
  24. controler

    controler Guest

    Also has anyone used a file checker during reboot to see what is actually dealt with?

    Bruce
     
  25. coldshoulder

    coldshoulder Guest

    @Gerard - I disagree on the protected/non-protected dual boot idea for the obvious potential of malware to corrupt the CMOS on the non-protected drive thereby crashing the DF install, + potential for someone to perform changes through the Windows Time/Date function possibly changing(?) or crashing (likely) the DF configuration.

    What happens if...

    1 boot into unprotected drive,

    2 set the clock ahead past the DF trial expiration date,

    3 reboot into expired DF drive, install kazaa,

    4 boot back into non-protected drive, reset correct date,

    5 reboot back into DF drive.

    Would DF force a reinstall of itself, or restore the last config matching the correct date thereby removing the kazaa install?

    @Pete: What happens when you extract contents of dvd filling protected C:\ drive, or wipe the free space while in Shadow mode? Could you please try it and post results back in this thread? Thanks!
     