Introducing Diskshot™ - an alternative to Shadow Defender

Discussion in 'sandboxing & virtualization' started by dax123, Oct 3, 2012.

Thread Status:
Not open for further replies.
  1. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    AFAIK SD has a flaw because it does not provide offline MBR protection.
    I'll run some tests and will be back to post again.
     
  2. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,159
    As far as I know, Shadow Defender does protect the MBR
    and mentioned in this thread and some info here
     
    Last edited: Oct 3, 2012
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
  4. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58

    Of course it does protect the MBR *after* Windows loads the Shadow Defender filter driver.
    I'm saying that SD does not provide MBR-level protection
    - which means even when shadow mode is protecting the volume, it's not the same as you use it.

    So here is the question: is non-MBR-based protection secure?

    To prove that the disk is being changed, I've run some tests with these entries, which are loaded prior to Windows drivers.
    The test was performed on my production machine, with this procedure:
    1. install & enable protection.
    2. boot & shutdown the machine.
    3. reboot with Windows PE - USB drive.
    4. check the SHA-1 sum.
    5. iterate (2-4) 3 times, and log the result.


    And to prove that SD allows changes at the shutdown stage I used this procedure:
    1. boot the system without shadow mode.
    2. check the bootstat.dat SHA-1 sum.
    3. enable shadow mode and shut down.
    4. reboot with Windows PE - USB drive.
    5. check the SHA-1 sum.

    AND HERE ARE THE RESULTS:

    bcd2.png

    bootstat2.png

    SD cannot protect against changes before the driver is loaded.

    shutdown2.png

    And after unloading drivers, SD cannot protect the changes anymore.
    Remember that these are only examples, there are more files to come. SD is not that identical!!

    The result is shown in this image:
    conclusion2.png



    SO THE CONCLUSION IS: Shadow Defender lets some changes through directly to the disk, since it's not MBR-based protection.
    The volume is not protected before the driver is loaded, and after the driver is unloaded.

    Whereas MBR-based protection (like DiskShot) can provide 100% - ideal - disk protection.

    P.S. DiskShot detects almost all (not all, in case you just format your drive :D) unwanted offline changes, and recovers them if possible (at least it notifies the user that the volume is compromised, like this).

    BootGuard.png
     
    Last edited by a moderator: Oct 3, 2012
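
The offline check described in post #4 (hash boot-time files from Windows PE, repeat over several boot cycles, compare the logged sums), as an added example that is not part of the original thread or of any product discussed. The watched paths, the log file name and the `demo` data are assumptions constructed for illustration.

```python
import hashlib, json, os, tempfile

def sha1_file(path, chunk=1 << 20):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, rel_paths):
    """Hash each watched file under the offline-mounted volume root."""
    return {rel: sha1_file(os.path.join(root, rel))
            if os.path.isfile(os.path.join(root, rel)) else None
            for rel in rel_paths}

def record(log_path, label, snap):
    """Append one snapshot to a JSON-lines log kept off the tested volume."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps({"label": label, "sha1": snap}) + "\n")

def drift(log_path):
    """Map each file to the snapshots where its hash differs from the previous one."""
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    changed = {}
    for prev, cur in zip(entries, entries[1:]):
        for rel, digest in cur["sha1"].items():
            if prev["sha1"].get(rel) != digest:
                changed.setdefault(rel, []).append(cur["label"])
    return changed

def demo():
    """Constructed data: three offline checks of a simulated volume."""
    watched = ["Boot/bootstat.dat", "Boot/control.bin"]  # assumed paths
    with tempfile.TemporaryDirectory() as vol, tempfile.TemporaryDirectory() as usb:
        log = os.path.join(usb, "sha1.jsonl")
        os.mkdir(os.path.join(vol, "Boot"))
        with open(os.path.join(vol, watched[1]), "wb") as f:
            f.write(b"constructed file that no boot touches")
        for cycle in (1, 2, 3):
            # Stand-in for step 2: a boot/shutdown that rewrites bootstat.dat.
            with open(os.path.join(vol, watched[0]), "wb") as f:
                f.write(b"constructed boot status %d" % cycle)
            record(log, "cycle-%d" % cycle, snapshot(vol, watched))
        return drift(log)

if __name__ == "__main__":
    print(demo())
```

On a real run, `snapshot` would be pointed at the drive letter Windows PE assigns to the protected volume, and the log would live on the USB drive so the tested disk is never written by the check itself.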
  5. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    584
    Location:
    Moon
    @dax123 when can we expect an English version of Diskshot?
     
  6. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    I'm in contact with the developer team about multilanguage support,
    and at the same time I'm analysing the executables...
    Anyway, I'll try to get this software translated!! It's good to share worldwide!! :D
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Dax, you are our ISR expert.:thumb:
    Windows 8 support?
    Will it support snapshots like rollbackrx?
     
  8. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    Thank you :D

    Yes, it already supports Windows 8!!

    Yes, snapshot feature will be supported in v4.X :)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, that's very interesting indeed.
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Hmmm...it looks very interesting and I could say even "fantastic great"...perfect as no other app...but in similar situations I always try to be careful, sceptical and aware that somewhere can be a trick...some small catch. The question is...where?
    o_O
     
  11. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    It would be better if there is a website in English for those who don't know Korean language.

    Is the license posted by you free for lifetime use for those (who only activate now or can it be activated later) or only valid until 2014-07-1? What type of activation system is there?

    Can more than 8000 users activate using the key posted here or would the license expire after 8000 activations?

    Is this a complete freeware for home users? How can this be a freeware if only 8000 users can use the key? (Or) Will a new key be provided?

    Can Disk Shot be used alongside Rollback Rx without any problem? Any known issues with Disk Shot software? Looking to replace at least SD at the moment. Hopefully, Disk Shot can replace Rollback Rx in the near future as well.
     
    Last edited: Oct 4, 2012
  12. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    @ dax123, your image [post #29] Drive MBR Protection is indeed EXCELLENT! And very appreciated for the clarification that it allows. And thanks!

    Once, in general, light virtualization software virtualizes your OS and your system drive - it doesn't virtualize the MBR! Some can use 'tricks' to protect the MBR but don't virtualize the MBR! Such was not well understood when some liked to say A is better than B because it can protect against MBR viruses, etc.; some, not all...; tricks are tricks, not core engine.

    Nice to see Diskshot has another approach.

    Thanks again!
     
  13. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513
    Product looks interesting.

    Can you give me the Korean forum link?
     
  14. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Introducing Diskshot™

    We are all ears (and eyes) for an English version...:thumb:
     
  15. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Re: Introducing Diskshot™

    That would include me.
     
  16. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Re: Introducing Diskshot™

    I have Keriver 1-Click Restore installed, and have enabled the recovery console. Will Diskshot be compatible with it? (I am not planning on backing up while in "sandboxed" mode).
     
  17. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    Re: Introducing Diskshot™

    You need to contribute some (do not know how many and how long it would take) useful posts in the Korean forum to achieve the goal of 500 points in order to get an unlimited lifetime personal license. Correct me if I am wrong.

    @dax123: Please clarify the license model for buying Disk Shot and the giveaway activation limits. Is it possible (for anyone) to buy a single user license of Disk Shot? Is Disk Shot a complete freeware for home users?
     
  18. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    :D
    I think so too!! Maybe the developer is kinda seasick of English.. :D


    Yes! Just make some chitchat in the "Torque word" (or "Talk a word") board and you get an unlimited license!!
    (And of course you can make some intellectual contribution, which is a far faster way to get the license; if you need any translation you can call me!! :D)
    //AND MORE: DiskShot uses a license key method to prevent unauthorized use of commercial workspace, but DS@home is completely free for home users!!
    And AFAIK, you cannot buy DS@home, but instead you can buy DS@office. If you are interested in buying those licenses, you can PM me :)

    The key I posted is valid until 2014-07-19.
    This software uses Hardware ID validation; unless you change your motherboard, a key will be linked to your machine!
    And the giveaway key will be continuously supplied, as the developer team promises!! :D
    //AND MORE: As for known issues with the Diskshot software, many malware authors are trying to break the security..
    (Currently some kind of malware disguised as 'Warcraft3 anticheat' tries to "commit and exit" unauthorized.
    With the commercial product (like DS@office) this attack can be neutralized with proper security configuration, but DS@home is considered vulnerable.
    This vulnerability was announced today, and the developer promised the patch is on track.)

    And it's being actively developed. If any security breach occurs a patch will be supplied immediately.

    Unfortunately, both Rollback RX and DiskShot use the MBR approach
    (though security is different), so you cannot activate both of them. :'(


    :D Here is the support forum link:
    http://www.diskool.com/diskshot
     
    Last edited by a moderator: Oct 25, 2012
  19. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    Re: Introducing Diskshot™

    It seems that it's a kind of disk imaging software !
    then of course you can use DS@home with Norton GHOST, Acronis True Image, or Paragon Backup etc.... :D

    (and I don't recommend backing up while in "sandboxed" mode, though DS@home has some kind of exception handling routine for that case)
     
  20. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Yeah, right! Nice try, but I'm not fooled by marketing nonsense.
     
  21. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA

    I love the Eye candy charts and it looks very interesting.
     
  22. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    I guess that dax123 comes here with serious material more than simple marketing speech...
    Similar tests have already been discussed on this board
    https://www.wilderssecurity.com/showthread.php?t=276152&highlight=deep freeze test
    https://www.wilderssecurity.com/showthread.php?t=275876&highlight=deep freeze test
    https://www.wilderssecurity.com/showthread.php?t=276210&highlight=deep freeze test
    More similar products for future comparative testing
    https://www.wilderssecurity.com/showpost.php?p=1720521&postcount=147
    And most bootkits can be found on kernelmode forums.
    Even if tests can be summarised as a driver loading race (my driver will load and subvert the OS before yours).

    Regarding DeepFreeze, I fully agree about the bad faith of Faronics, who launched in the past a defeating challenge that was easily won and then retired.
    As anti-forensic solutions (used by aware security enthusiasts, libraries, schools and internet cafés to prevent malware code persistence, but also by child pornography distributors to hide evidence), I've been interested from a forensic angle in products like DP for years.
    And yes, all do not vanish after a reboot...fortunately...
    http://www.forensickb.com/2010/10/forensic-analysis-of-frozen-hard-drive.html

    Moreover, and like New Model Army (GB) in the rock industry, there are many interesting but underrated things from Asia.
    I have used for instance products from Fnet http://www.gotofnet.com/
    As I was looking for a solution that works like Lojack, which relies on the BIOS and HPA to make its protection immune from malware and disk wiping. http://www.absolute.com/lojackforlaptops/technology

    Anyway, Security evolves by those who like challenges, and it seems the case of Disktool authors.
    For a French translation, some teams like Coloc can do this for free
    http://www.colok-traductions.com/

    Rgds
     
  23. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    565
    Location:
    Italy - Ravenna
    Can someone who speaks Korean ask the developers if Diskshot supports TRIM?
    I have an SSD, so it is important to have TRIM enabled to work in symbiosis with the operating system.
    Thanks
     
  24. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    Yes!! As of v3.6 it supports TRIM!!
     
  25. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,236
    Location:
    USA
    dax123,

    First, thank you for bringing this very promising software to our attention!

    Secondly, have you tested Sandboxie - re MBR protection? :doubt:

    Cruise
     