Shadow Defender Bypassed

Discussion in 'sandboxing & virtualization' started by caspian, Sep 10, 2012.

Thread Status:
Not open for further replies.
  1. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I enabled SD a while ago and checked my email etc... I then downloaded a music video from Youtube and uploaded it to another social networking site. I decided to run a scan with malwarebytes. It had been a while. So it wanted to install the latest version. I installed it but then it wanted to restart. I told it to restart later. Then I got an error message. So I went ahead and restarted. SD was enabled. I am certain of that. I just thought that I could update MB with SD enabled and then update it again later when it was disabled. I used to do that kind of thing with Returnil all the time.

    Anyway, when my computer was trying to restart I got an error message.
    When my computer finally restarted, the new shortcut for malwarebytes was there and so was the video that I had downloaded. The only thing that I have done differently is that I have recently added Appguard. I am wondering if Appguard has caused this? It is causing some other problems. My OS is Vista 64 bit.

    I just wonder if anything like this has ever happened to anyone else. I am wondering if I should uninstall Appguard or if I should go back to using Returnil 2010. I am so disappointed.
     
  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    First of all, how was your computer bypassed? Did you find a virus or malware?
    Where do you have SD enabled? Which drive is it shadowing? What are your settings in appguard? Lockdown or High, and is SD a guarded app?
     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I have been using Shadow Defender and AppGuard together for nearly three years now and they have always operated flawlessly together. I haven't seen any other reports of AppGuard interfering with Shadow Defender's operation so it seems unlikely that AppGuard would have caused Shadow Defender to malfunction, although without more evidence, one way or the other, it's difficult to be sure.

    The first thing I would suggest doing in order to investigate further is to check the Windows Event Log around the time of the MBAM upgrade. AppGuard logs all of its alerts in the Application Logs section of the Windows Event Log, with the Source column set to BlueRidge AppGuard for identification.

    If Shadow Mode was truly enabled, there will be a time gap in the Windows Event Log during the whole of the period that Shadow Mode was enabled. If there are entries in the Windows Event Log during this period then Shadow Mode was not enabled, in which case you will be able to see all entries written by AppGuard to see what AppGuard was doing around the time of the MBAM upgrade.

    In case you have never used the Windows Event Viewer before, the following link contains instructions on how to launch and use it: -

    http://www.computerperformance.co.uk/vista/vista_event_viewer.htm

    Once you've established from the Windows Event Log whether or not Shadow Mode was enabled, post back with the results and we'll see where we go from there. Also please answer kjdemuth's questions: they are all relevant.

    Kind regards
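    An added example of the Event Log check pegr describes above, written here and not taken from the post or from the Shadow Defender or AppGuard products. It assumes a suspected Shadow Mode window (the two timestamps are made up; edit them) and uses the AppGuard provider name given in the post.

```powershell
# Added example, not part of the original post.
# Checks whether the Application log has a gap covering the period Shadow Mode
# was supposedly active, and lists AppGuard alerts if entries survived.
# Assumed values: set these to when you entered Shadow Mode and when you rebooted.
$shadowStart = Get-Date '2012-09-09 18:00'   # assumption: Shadow Mode entered
$shadowEnd   = Get-Date '2012-09-09 21:30'   # assumption: reboot that exited it
$provider    = 'BlueRidge AppGuard'          # Source shown in Event Viewer (from the post)

# Get-WinEvent raises an error when nothing matches, so treat that as "no entries".
function Get-AppLogEntries([datetime]$From, [datetime]$To) {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Application'
            StartTime = $From
            EndTime   = $To
        } -ErrorAction Stop
    } catch {
        @()
    }
}

# A log that was wiped by a cleaner would also look empty, so first confirm that
# entries exist shortly before Shadow Mode was entered.
$before   = @(Get-AppLogEntries -From $shadowStart.AddHours(-2) -To $shadowStart)
$inWindow = @(Get-AppLogEntries -From $shadowStart -To $shadowEnd)

if ($before.Count -eq 0) {
    Write-Output "No entries in the two hours before $shadowStart either."
    Write-Output "The log may have been cleared; an empty window proves nothing."
} elseif ($inWindow.Count -eq 0) {
    Write-Output "No Application log entries between $shadowStart and $shadowEnd."
    Write-Output "Consistent with Shadow Mode having been active (the log writes were discarded at reboot)."
} else {
    Write-Output "$($inWindow.Count) Application log entries survived from that window."
    Write-Output "Shadow Mode was most likely NOT active on the system partition."
    Write-Output "AppGuard alerts in the window:"
    $inWindow |
        Where-Object { $_.ProviderName -eq $provider } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
        Format-Table -AutoSize -Wrap
}
```

    Run it from an elevated PowerShell prompt after the reboot, since the whole point is to see which entries persisted.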
     
  4. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I should have looked at Appguard yesterday right after it happened. It is only showing the events of today right now. I am willing to consider that maybe I did not have SD enabled. But I could swear that I did. It is a ritual for me every time I turn on my computer. But I will go ahead and look at the Windows Event Viewer to see what I can find there. Thanks for the input!
     
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I just looked at event viewer. I guess when I ran some cleaners a while ago, it erased the logs. I didn't realize that it would do that. I guess it was R-wipe.

    But even though I was sure that SD was enabled, surely I was mistaken. I don't see how it could be possible that these things would persist after reboot.
     
  6. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    Just a thought

    The way to find out for sure would be to try the entire sequence again. Since there was no damage to your system the last time, it's not likely to lead to damage this time, and you would know one way or the other.
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I agree. In all the time I've been using Shadow Defender, I've never seen anything survive a reboot when Shadow Mode has been enabled. Also, I've never experienced any adverse interaction between Shadow Defender and AppGuard, nor have I ever seen any issues reported. It seems likely that the fact that you only recently installed AppGuard is coincidental and unconnected to the issue you reported.

    Without evidence from the Windows Event Log it's speculation, but here are some thoughts on what could have happened: -

    First, you experienced a failed installation of MBAM. With MBAM this is unusual and does suggest that there could have been some interference from AppGuard during the installation. Either that or Shadow Defender partially saved some, but not all, of the changes from the installation. That would be a fundamental bug in Shadow Defender and highly unlikely.

    Second, traces of the failed installation survived after rebooting. This suggests that Shadow Mode wasn't enabled at the time. Now it is possible that you had previously attempted to enter Shadow Mode but it hadn't enabled successfully, even though the tray icon turned blue. I've seen this happen on a few occasions on my own system, and on each occasion it has happened, I traced the cause to interference by real-time AV protection. My experience was that the glitch was unpredictable: sometimes it would happen and sometimes it wouldn't. Shadow Defender locks the partition on entry to Shadow Mode. If this is prevented for any reason by another running process, Shadow Mode will not enable successfully even though it might look to the user as though it has. The necessity to lock the partition on entry to Shadow Mode is also the reason why exiting Shadow Mode on the system partition requires a reboot.

    Two questions: -

    1. Did you ensure that you set the AppGuard protection level to Install before attempting the MBAM installation?

    2. Do you use an AV with real-time protection enabled; and if so, which one?

    The suggestion by bgoodman4 to repeat the entire sequence is a good one. If nothing else, it might help to increase your confidence that Shadow Defender and AppGuard do work well together; and in the unlikely event that there is a conflict between them on your system, it may help to pinpoint the cause. If the MBAM installation does fail after setting the AppGuard protection level to Install, this time check the Windows Event Log before rebooting then check it again after rebooting to ensure that Shadow Mode was really enabled.

    Kind regards
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yep, through software compatibility, vm problems, some posted here.
    Yep, try and replicate the problem.
     
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I had another issue. I have my computer set to never go to sleep. I downloaded and installed UltimateDefrag4. I enabled SD and began the process of defragging a 1 TB external hard drive. Huge amount of data. It took a good day and a half. So last night I got on and logged into a couple of message boards. I saw a beautiful picture that I liked so I downloaded it and set it as my desktop background to see if I liked it. This morning my Ex. HD was finished defragging. So I restarted my computer and to my surprise, the new background had been saved!!! SD definitely showed that it was enabled last night. I looked. I look every time I use my computer. It is a ritual.

    The other day after my first noticeable event that I posted here, I had another. After restart I noticed a pdf file that I had downloaded on my desktop. So I enabled SD again. Later on I checked it to see if it still said that it was enabled. And it did show enabled for drive D but NOT drive C. So I thought that I was having an Ah Ha moment. I assumed that I had somehow unchecked Drive C without realizing it. I restarted my computer to re-enable and make sure to check C again and just be more careful. And to my surprise, C was automatically checked for me. So I had not changed the drives that I had originally chosen. Something happened with SD without my interference and without my knowledge.

    I have been using 331, by the way.

    Now here's the thing. I am really OCD about my computer and I rarely leave any files on my comp. I wipe everything no matter what it is. But occasionally I get lazy and leave something. Had I not been lazy and left that pdf file, I would have never known that SD was not doing its job. And had I not left the new background on my computer this morning, I would have assumed that SD was enabled throughout this entire period that it showed that it was enabled.

    Here's another thing. I thought that maybe Appguard had done something. So I actually reinstalled my entire OS. Everything fresh with no new software.

    It looks like I will have to go back to Returnil 2010. It is the only version of Returnil that I can use on Vista 64 bit. I was really so happy about SD because it seemed so lightweight, and according to some people here, it is superior to Returnil when it comes to rootkits. But evidently this is just not the case.....at least not on this computer.
     
  10. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Don't you have a backup? o_O Every time I install Windows on a new machine the first thing I do after I see the Windows Desktop for the first time is to apply certain optimizations that I do on every Windows install, then take a full backup of the Windows disk. This way there is no need to re-install Windows on that machine, ever. If problems arise I just restore the backup and in a few minutes my system is back as it was on the day it was installed, plus my optimizations already applied. I use that backup as a clean base to install fresh software when I need to.

    BTW I always back up using an Acronis bootable USB stick, so there is no need for Acronis to be installed in Windows. You get the same functionality from the USB stick. Acronis is only useful to install in Windows if you want to schedule automated backups, or for its Try And Decide feature which I don't need anyway. You don't have to use Acronis of course. The native Win7 backup app is good enough, for as long as you also create a Win7 startup disc that will enable you to restore outside Windows if the worst happens.

    After my first backup I add all drivers and Windows updates offline (got them earlier before I actually installed Windows, using Windows Update Downloader: http://www.windowsupdatesdownloader.com/Default.aspx ). I then add all my favorite software and take another backup, incremental this time (again without installing Acronis, I just use the USB stick). Remember, at this point the computer has never been online yet. I am paranoid about this, I always install Windows making sure I'm completely offline, network cable unplugged, wireless adapter disabled.

    If you haven't taken a backup then take one immediately and make sure you verify it for corruption after it is created. Make sure your PC is 100% clean before backing up, you don't want any possible malware to be in your backup! A backup will save you from having to re-install everything from scratch if your disk dies, or when you face serious software issues. Why troubleshoot or re-install when you can have your system back in a few minutes with just a simple restore? Also make a second copy of your backup on a different disk than the one that holds your first copy, and verify both copies to make sure that your backups are fully restorable without any corruption present. The second copy is needed in case you lose the first one because of bad disk sectors or an overall disk failure. It can happen. Better be paranoid and sure, rather than be sorry later. You don't have to get burned before taking extra precautions.

    Regarding SD, try v1.1.0325. I have never faced the issues you described with it. Also, if you have changed the location of your user files to another disk then make sure that this other disk is also always in Shadow Mode every time you put C: in Shadow Mode. You will have to restart the system with both disks scheduled to be in Shadow Mode, in order to be 100% sure (SD will warn you about it).

    Get SD v225 here:

    http://www.mediafire.com/?k803c8qk739fy2o

    This is the version that Tony himself released two and a half years ago, and the one that most SD die-hards are using.

    Hope this helps :thumb:
     
    Last edited: Sep 22, 2012
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ caspian

    Hi, first off, I don't think it's "probably" wise to defrag whilst in SD mode!

    Funny thing, recently I've noticed that my V.1.1.0.326 also doesn't always go into SD mode on drive C either? It seems to happen every other time, or so, I go to enable it. Interestingly, the SD banner Always shows on my desktop though! Both partitions are Always checked like this before I do it.

    [attached screenshot: 1.png]

    When I see the "Operation finished" box, and notice drive C still in Normal mode, I uncheck/check it again & repeat. It then Always puts C into SD mode as well.

    I've been using Only this version for some time now, with no other issues at all. So it's strange that mine is "appearing" to do this too! I haven't tried saving something in "Phantom" mode to see if it does, or not, so I'll do that & report back.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I have been using Shadow Defender and Appguard together for many years. I have never had anything like you described happen on any of my 8 machines running Shadow Defender and Appguard together. Appguard should not interfere with Shadow Defender in any way. Are you using a solid state drive? There have been reports of Shadow Defender not handling the outer trim of SSDs properly. SSDs had just hit the consumer market when the developer of SD went missing.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I've never had that happen in the many years that I have been using SD. It sounds like you have a corrupt installation or some sort of hardware incompatibility. You are using V.1.1.0.326 though. Maybe you should install V 1.1.0.325. I believe V 1.1.0.326 was a beta build.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    Well, that's bad in itself. Very few people in the Wilders Community really trust build 331 because no one knows who the hell released it. They just magically took over Shadow Defender's Domain, and website over a year after Tony had disappeared. They will not answer anyone's questions about who they are or what happened to Tony. They also refused to release a change log for build 331. They wouldn't even return any of my messages at all.
     
  15. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    780
    There were some problems with 1.1.0.326.
    1.1.0.325 is pretty much tried and tested, it's had everything but the kitchen sink thrown at it and has weathered it...maybe it doesn't suit everybody but it was the last good, stable version before Tony's absence.
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I have two partitions that I keep in Shadow Mode and I have seen exactly the same behaviour on v1.1.0.325 where drive D went into Shadow Mode but drive C didn't. I traced the cause to interference by Panda Cloud AV while SD was trying to lock the system partition. The problem was intermittent and didn't always occur. After removing Panda Cloud, the problem never reoccurred. On my system, it was only Panda Cloud that did this: other AVs that I tested were fine.

    It is possible that the problem is due to interference from other real-time security software that is running. Try temporarily disabling any other real-time protection one at a time, starting with real-time AV if you are running one, in order to investigate the cause. If it is confirmed that the cause is interference, you may be able to avoid the problem by temporarily disabling real-time protection of the other program before entering Shadow Mode then re-enabling it again afterwards.

    Kind regards
     
    Last edited: Sep 22, 2012
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Cyberman, that was incredible. I will definitely need to learn how to create backups like that. And I also like the idea of having Windows Updates ready to go in advance, offline. And thanks for the earlier version, 225! Very helpful.
     
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Okay so it's not just me. I am going to try the 325 version. Thanks for sharing that.
     
  19. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Yeah I guess I better try 325. Thanks for the input.
     
  20. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Ah Ha! I am using Panda free antivirus. I used to use Eset but more recently it seems to bog my system down. What is the best free antivirus these days other than Panda, in your opinion?
     
  21. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Thank you for your good words!

    One last pointer (which I added on my previous message too):

    Make sure your PC is 100% clean before backing up, you don't want any possible malware to be in your backup. If you are not sure or you don't wanna take any chances, then do a fresh completely offline Win7 install again, (but get your latest drivers and Windows updates first, and put them on a stick for later offline install. Regarding the Win updates: download either 32bit or 64bit, depending on what your Windows is).

    Have a look at my Win7 install guide (with security/paranoia in mind), here:

    http://thessdreview.com/Forums/software/2247.htm

    It's a very long read, but if you're still learning it'll be worth it. Print it out, and if you have any questions just ask.

    Good luck! :) And drop SD v331!
     
    Last edited: Sep 22, 2012
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    The question as to what AV is best is purely subjective and isn't allowed at Wilders. If you want to know what I use, look at my signature. If you like Panda Cloud, you don't have to get rid of it though. Providing you disable Panda Cloud real-time protection before entering Shadow Mode then enable it again afterwards you shouldn't have a problem. Alternatively, try some of the other free AVs and pick one you like.
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ pegr

    Thanks for the info :thumb: Interesting you say it's also happened to you with v1.1.0.325 also :eek: I'll keep monitoring things.

    Yes, curious isn't it !

    Bear in mind what the above 2 members have also said though ! Let us know how it goes.

    Pleasure
     
  24. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Okay. I installed 325. And I changed my antivirus to AVG. But when I enable SD, Drive C does not take (4 times in a row). I exit and then open it up again and C is in normal mode. I then check it again and it seems to stick. Keep in mind though that this is on my Vista 64 bit desktop. I am getting ready to see if this is now happening on my Vista 32 bit laptop.

    If this is a new behavior, then what could be causing it? A Windows update? Or does SD phone home to something that could make this happen?? I know that sounds paranoid but hey. There is some pretty weird stuff going on with Tony and the website and evidently an impersonator.
     
  25. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    I've been using SD 1.1.0.325 alongside DefenseWall (no real-time AV) since 2009 and have never experienced the problems you're going through. (XP Home 32-bit)
    Staying in Shadow Mode 99.9% of the time, always when I reboot SD automatically discards one session and begins another. (I prefer it that way)
    Curious as to the origin of your issue and hope you get it sorted out.
     