A little ShadowUser story.

Discussion in 'other security issues & news' started by spy1, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Pete, you might want to edit your first post as it contains links to the .jar file which contains:

    Trojan.Java.ClassLoader.c

    Exploit.Java.Bytverify

    Trojan.Java.ClassLoader.Dummy.d

    Trojan-Downloader.Java.OpenStream.d


    Regards,
    Jade ;).
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Resource usage at start-up in ShadowMode. Bear in mind that everything I've got here is on "C" drive (not partitioned). This is the shot of the SU "Statistics" page.
     

  3. spy1

    spy1 Registered Member

    From DCS's WTM

    *Bowserman, got it, thanks.

    These figures are going to gradually increase as time goes on - I'll try to give you two more screenshots just before leaving for work.
     

  4. spy1

    spy1 Registered Member

    snowbound - Screenshot of part of my "Exclusion" list.

    All defensive programs are able to be updated while in SM because they're "excluded" (automatically get written back to the actual areas they need to be in after shutdown/re-start to normal mode). This definitely works - I've checked it time and time again.

    Could everyone please keep in mind that currently I'm using the 2.5 beta?

    As for the "how it works" remark, do you mean nuts&bolts setting it up-wise, or what's it actually doing?

    What SU is actually doing is just picking an un-used portion of your disk, transferring copies of needed system files there so that you can actually run your computer, then when you're done, all that space used is simply deleted (NOT "erased" ) except for the things you've got excluded, which go back to the actual files. It's a "virtual volume" type-of-thing. And I run Eraser nightly - OUT of SM - to take care of data recovery issues.

    I added the mwsnap folder to the "Exclusion" list, because if I didn't, my screenshots taken during the SM session would disappear, too, upon re-boot.

    Kaupp - Have you got shadowuser.exe and suatshut.exe included in PG's "Protection" list? I've not really checked whether changes to PG itself "stick" after coming out of ShadowMode, but I will tomorrow since I just changed a bunch of stuff in there right now while in SM, okay? But remember - everything here is on "C" drive, whereas on yours, PG (the folder) is on "D" drive (I don't know if that'll make a difference or not).

    Bruce - I don't know about how it deals with SystemRestore - I don't use that here. I think my previous answer to snowbound about "how it works" might answer your other questions. Nothing that is not "Excluded" ever goes back to the original system files UNLESS you choose to "Commit" something individually (I'll show you a screenshot when I get ready to come out of ShadowMode) like when one of my kids tells me they want something saved at the end of their session in SM (they could do it themselves if I didn't have the program itself passworded - keeps it from being shut down, or from having them save stuff back indiscriminately). (I didn't need to shut it off to get you the screenshot).

    coldshoulder - I don't know what you mean by "extract contents of dvd filling protected C:\ drive" , sorry. As far as doing a free space wipe while in SM, I imagine it wouldn't work (it'd probably get locked in a loop like it does if you try to defrag while in SM). It's just much easier to come out of SM and do your free space wipe then, if that's what you're asking. Programs like TracksEraserPro/CrapCleaner/SBS&D/AA, etc. will run in SM (because I have them excluded), but I'm not sure whether it actually does any good to run them or not - I've never checked, just use them for informational purposes if something DOES pop up while in SM.

    I think that catches everyone up to this point - doing my best to keep up. Pete
     

  5. spy1

    spy1 Registered Member

    Bruce - "Choice" screen when fixing to exit SM. Pete
     

  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Looks like u explained it all Pete. :)

    Thanks.

    I figured u were running the beta as all I could find is 2.0.23.

    After taking a closer look, I think I'll give it a shot. ;) :D



    snowbound
     
  7. controler

    controler Guest

    Sounds like you have system restore turned off, as I do, Pete.
    What I meant was, any time you download an exe etc. with restore turned on,
    a copy is put in your restore volume.
    So I was wondering if the undo changes also include the files written to the system restore folders?
    I am not sure I am asking in the right way. LOL

    I did look over the site though and like the virtual disc idea.
    Wouldn't it be cool if the virtual disc was on ram really compressed? :D

    How is the beta working for you pete and how did you get it, you stinker?


    Bruce
     
  8. spy1

    spy1 Registered Member

    As a registered user of the program, I emailed them, asked them if anything new was happening (there's no automatic check for updates in the program), and asked them to send me anything they had in the works since I enjoy "beta'ing" things.

    They did.

    Actually, what I'd like to see is for them to come up with a program that combines the best of both SU/SS and an automagically deployed, properly set up RAM drive.

    That way, you'd have all the advantages of not getting infected by anything combined with a total lack of concern about forensic recovery of anything you've gotten while using the ShadowUser RamDrive Edition.

    My main complaint with the program at present is that all the info is still on the drive when you come out of ShadowMode - it's just marked as free for over-writing when it's deleted. That necessitates (if one isn't already doing so) daily runs with Eraser (or a like program) to actually attempt to make the data irrecoverable.

    Having ShadowUser mount into a RAM drive (and place all its copies of everything it uses there) would both prevent altering of real system files by any type of malware and totally prevent any effort at recovery of any data received while in ShadowMode.

    It's harder to do than it sounds (I suggested this course to them a good while ago), not just from a programming standpoint (it would have to properly set up and deploy a variably-sized RAM drive on any machine trying it out that would absolutely prevent the possibility of passing anything bad back to the actual system files, then load ShadowUser into it) but also from the standpoint of how much RAM would be required to accomplish this (witness my system, where everything's in "C" drive and all defensive programs are running in SM).

    Bruce - I just don't know about the SystemRestore question - I don't use it either. Pete
     
    Last edited: Jan 30, 2005
  9. spy1

    spy1 Registered Member

    Usage after getting home.
     

  10. spy1

    spy1 Registered Member

    WTM usage.
     

  11. spy1

    spy1 Registered Member

    WTM usage suatshut.exe
     

  12. Edd

    Edd Guest

    Re: A Deep Freeze Experience

    Deep Freeze is much better than ShadowUser. It's used by the government. I've used it a long time and it's never ever tossed any errors or caused a slowdown on this old computer. What I like most is how it's a set it and forget it program with no learning curve.

    I dunno what's all this nonsense about not being able to update your antivirus with Deep Freeze. All you gotta do is first set it so it updates every time you connect to the internet (and every 5 minutes thereafter for power users). That way you always get the latest updates! Why reboot to install something you replace every other day?
     
  13. Edd

    Edd Guest

    And it doesn't take but a few seconds to download updates with DSL like a lot of people use. So don't tell me you're gonna get hit with some super virus or privacy mashing keylogger in that short amount of time.
     
  14. controler

    controler Guest

    Pete

    AS you know I would love to see the RAM drive option too ;)

    I am not sure how many companies make physical RAM drives at the moment.
    I just saw the one and that was the company that makes VMware. They claim some users use VMware with their RAM drives to set up honey pots.
    I tried VMware but couldn't get it to install. I think my system was corrupt.

    Their RAM drives are for desktops only though. They are just PCI drives loaded with memory which the OS assigns a drive number to just like a regular drive.
    My question is, do you need to run ShadowUser on the current boot drive, the one that contains the OS, or can you run it from a PCI RAM drive?

    Bruce
     
  15. spy1

    spy1 Registered Member

    Re: A Deep Freeze Experience

    Now there's a ringing recommendation for the program if I ever heard one! ( <g> )

    Edd - I'm glad you like the program and that it's worked well for you. I don't personally agree with your "set it and forget it program with no learning curve" assessment of DF (although I'm not going to argue about it since I've never had DF) simply going by the screenshots that are available of the two programs' interfaces.

    Very good point, Edd. You should tell the guy in the other thread about that: https://www.wilderssecurity.com/showpost.php?p=445899&postcount=101 . Pete
     
  16. spy1

    spy1 Registered Member

    I really don't know, Bruce - try registering and posting the question here: http://forums.shadowstor.com/Forums/ . Pete
     
  17. Edd

    Edd Guest

    >Quote: Now there's a ringing recommendation for the program if I ever heard one! ( <g> )

    Somehow I knew you'd like that one!

    >Quote: Very good point, Edd. You should tell the guy in the other thread about that: h**p://www.wilderssecurity.com/showpost.php?p=445899&postcount=101

    Naw. The guys in the other thread can come over here if they want to talk about Deep Freeze. LOL
     
  18. spy1

    spy1 Registered Member

    :D Yes - both threads seem to be prone to terminal over-lap and hi-jacking. It's way too late to do anything about it now, so I'm just along for the ride - in whichever vehicle! :ninja: Pete
     
  19. controler

    controler Guest

    OK I was starting to feel guilty that there are two threads, one deepfreeze & one shadowuser but I didn't start it LOL

    Pete? I don't see much going on in the forum. Is this a new forum?

    Bruce
     
    Last edited by a moderator: May 2, 2005
  20. controler

    controler Guest

    Actually, after thinking about it, I don't see any point in finding things wrong with the trial version. Sorry for stepping in.


    Bruce
     
  21. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I have some questions, if someone doesn't mind answering.
    Will this app leave in ADS tags, if uninstalling, like Kaspersky and will it affect system restore - like it has for some users of KAV?

    Is it possible to delete only Kaspersky ADS tags while leaving in Shadow's? I installed Kaspersky and did not even use it as my computer froze - I have found many ads tags ("KAVICH" - something like that) cleaned most of them but C drive. Perhaps I need to uninstall Shadow and start over fresh.

    Regarding exclusions/autocommit: How do I determine which of the files, I want excluded or auto committed, are important. Some are in Program files and others are common - yet some are in Application data.

    It also says:
    I have 2 drives and 4 partitions. What do they mean by separating system and data? Do they mean moving my program files and application data files away from C?

    Thanks for your help
     
    Last edited: May 2, 2005
  22. spy1

    spy1 Registered Member

    I've never seen "ads tags" generated by ShadowUser, so I'm not really sure where you're coming from with that. I just ran a scan with ADSSpy from merijn to make sure (I'm in ShadowMode right now). If you need to get rid of all the ads tags left behind by your KAV install, there are a couple of programs to do that with. You would remove them while you're OUT of ShadowMode, of course. Then the next time you went IN to ShadowMode, they wouldn't be there, either.

    I don't use SystemRestore here, so I can't answer that one.

    Can you put up some screenshots of what you're actually seeing there? Because I'm not understanding how ShadowUser comes into play in this scenario you're describing at all - it seems totally KAV-related.

    When in doubt, I usually just put anything I'm sure I need into the "Exclusions" tab - but as I have everything on "C" drive here, that might not work for you. I don't think the location of the files matters. How you determine which ones are "important" is rather hard to describe - only YOU would really know that.

    As best I can tell, it means that they recommend that system files only should be on "C" for maximum flexibility and protection of the OS itself - everything else (program files and application data files should be on other drives).

    I'm sorry I can't help you more - I just don't have anything approaching what you're running there. Pete
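    As an added example (it is not code from this thread, from ShadowUser, or from ADSSpy), here is the kind of check Pete describes above done in PowerShell 3.0 or later: enumerate the alternate data streams under a folder on an NTFS volume, report them, and optionally remove the ones whose name matches a pattern the reader supplies. The folder root and the stream-name pattern are assumptions passed in as parameters; the stream name lynchknot half-remembers ("KAVICH - something like that") is not assumed here, so the pattern defaults to empty and the script only reports.

```powershell
# Added example, not from the thread or the products discussed.
# Assumes Windows PowerShell 3.0+ (-Stream on Get-Item / Remove-Item) and NTFS.
# Run it OUTSIDE ShadowMode so that any removal survives the next reboot,
# exactly as the post above says to do with the KAV leftovers.
param(
    [string]$Root = 'C:\',          # assumed starting folder
    [string]$StreamPattern = '',    # assumed substring of the stream name; empty = report only
    [switch]$Remove                 # without this switch nothing is deleted
)

# Every file has one unnamed ':$DATA' stream; anything else is an ADS.
$streams = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' }

# Report: file path, stream name, stream size in bytes.
$streams | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# Optional cleanup, limited to streams whose name contains the pattern.
if ($Remove -and $StreamPattern) {
    $streams |
        Where-Object { $_.Stream -like "*$StreamPattern*" } |
        ForEach-Object {
            Write-Host "Removing $($_.FileName):$($_.Stream)"
            Remove-Item -LiteralPath $_.FileName -Stream $_.Stream -ErrorAction Continue
        }
}
```

    Run it once with no switches to get the same listing ADSSpy gives, and compare the output taken in and out of ShadowMode. Streams named Zone.Identifier are normal on files downloaded from the internet (the "mark of the web") and are not leftovers from an uninstall, so do not pass a pattern that matches them.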
     
  23. lynchknot

    lynchknot Registered Member

    Remember that dll you were inquiring about a while back that was associated with ShadowUser? I thought I read somewhere googling for it, that it was creating ADS tags. Perhaps I misread but every time I open a new app, I get a pop-up saying components have changed and that same dll is shown associated with the change.

    **edit - here it is. You show screenshots that indicated it's ADS: https://www.wilderssecurity.com/showthread.php?t=69704&highlight=ShadowUser

    In fact when I googled, this is all you: http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=vsmvhk.dll
     
    Last edited: May 3, 2005
  24. spy1

    spy1 Registered Member

    I remember that one. Right now, I'm still not seeing it showing up again in ADSSpy (I'm running Crucial's ADS right now to see if it confirms).

    Two possibilities here: Either that particular thing went out the window with the SU 2.5 Final (that I'm running now that I wasn't running then, I was running the beta 2.5 at that time) or, since I'm in SM right now, it's just not showing up.

    I'll let you know in a while (I'll come out of SM and re-check when I wrap up what I'm doing at the moment, if I have time before leaving for work). Pete

    *Nope, not seeing it after the CrucialADS scan, either.
     
  25. controler

    controler Guest

    I am not saying it is like KAV but will say that with KAV the "stream" didn't show up until you uninstalled KAV.

    I sure wouldn't do that just to check. I will be doing an uninstall of ShadowSurfer
    after my trial since I will be going to ShadowUser. I doubt ShadowUser would use streams and not ShadowSurfer, but ya never know.

    Bruce
     