Shadow Defender or AppGuard ??

Discussion in 'other software & services' started by AaLF, Nov 7, 2012.

Thread Status:
Not open for further replies.
  1. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Naturally these two products come from two different categories so it's not a 'versus' thread but more a which one will work best in my combo. As the perennial layman here, I'd like some thoughts on the following:

    My permanent setup is any AV + Sandboxie (browser security) + LnS FW.

    To complete my Fab4 I'm looking at two contenders - AppGuard or Shadow Defender.

    AppGuard (trialling) I understand. To install something, just adjust the switch to "install". That's it. Nothing else to do. Except maybe browse over those pink tickets wondering what it all means.

    Shadow Defender sounds great in concept. But reads like it will be a hassle. e.g. I have to reboot to install anything? And what about saving stuff when the whole shebang is a sandbox? e.g. Saving bookmarks from browser? Saving even a notepad entry? And I assume all those 'pink tickets' one sees in AG, then in SD nothing is ever permitted and hence SD would have a hugely larger 'pink ticket window' than AG, if it were visible.

    For those with dual experience & a love for SD, how does SD top AG & earn the no. 4 ticket to my FAB-4 combo?
     
  2. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Ok, here's my take on this... First of all, I believe your existing Fab3 is good enough! But if you feel compelled to make it a Fab4 I would go for AG over SD because Sandboxie already provides excellent internet browsing protection (which imho is the single most important function of any LV or sandbox). Much better yet, complement your Fab3 with a reliable disk-imaging app!

    TS
     
    Last edited: Nov 7, 2012
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    The short answer, which I will expand on, is that either or both in combination could be a useful addition to your existing setup, depending on what you are looking to achieve. It is equally true that a properly configured Sandboxie, combined with common sense and safe practices, can provide excellent protection on its own. There are a number of members at Wilders who just use Sandboxie and who never get infected. If browser and email protection are the main areas of concern, Sandboxie is excellent. I'm assuming that you already use a disk imaging application; if not that should be your immediate number one priority.

    First let's look at AppGuard. Sandboxie's policy restriction features are every bit as good as AppGuard's but AppGuard has the advantage that its protection is system-wide - well almost but not quite. AppGuard automatically prevents or guards (depending on the protection level) any attempt to launch an executable from user space without the user having to explicitly run the executable within an isolation sandbox. Executables launched from system space though are trusted unless they are explicitly guarded by adding them to the guarded applications, and therein lies a weakness. The protection level has to be lowered to install new programs into system space; if the program turns out to be malware, AppGuard won't prevent the infection from occurring. One implication of this is that AppGuard can't be used to test software. Sandboxie can be used to safely test any software that doesn't require a reboot, and doesn't install a driver or service. AppGuard prevents drive-by downloads by guarded applications but so does Sandboxie, partly because Sandboxie can be tightly configured to control what is allowed to run within the sandbox, and partly because even without configuration, it will contain all processes spawned by sandboxed applications running within the sandbox. I don't see much difference between explicitly adding untrusted programs to AppGuard's guarded applications list and explicitly running them within a sandbox; it is the user action that makes the difference in both cases. AppGuard does come already configured though for a number of known applications that are guarded by default. AppGuard has a couple of useful additional features worth considering: automatic system-wide protection against USB autoruns and MBR modification. AppGuard also has the added convenience that the user can run as an administrator while benefiting from the policy restriction features that a standard user account provides (and more). It is quicker and more convenient to easily be able to temporarily disable and enable the various AppGuard protections than it is to have to switch between Windows user accounts with different privileges.

    Now let's look at Shadow Defender. Shadow Defender provides system-wide virtualization, which makes it useful for software testing of programs that don't require a reboot to install. Unlike Sandboxie, programs can be tested that install a driver or service providing no reboot is needed for activation. Some people find Light Virtualization a more natural concept than sandboxing because there is no need to operate in a dual world: the world inside the sandbox and the world outside. With LV the entire system is effectively sandboxed and within that constraint, the user can continue to operate normally exactly as they would if the system wasn't virtualized. The only issue then is how to save changes that it is desired to keep. With Shadow Defender there are four options, which can all be combined: (1) create a separate data partition that is not virtualized; (2) maintain a "commit now" list of files and folders residing in the system partition that can be saved to the real system on demand when the system partition is in virtual mode; (3) maintain an exclusion list of files and folders residing in the system partition that will automatically be excluded from protection when the system partition is in virtual mode; (4) save all changes when exiting the virtual mode instead of discarding at reboot. This last option should be used very sparingly, if at all, but is mentioned for completeness. As an alternative to creating a separate data partition, some LV programs (but not Shadow Defender) allow a virtual disk to be created within which work can be saved. Whilst LV can be used for security purposes, a pure LV program like Shadow Defender should never be used as the only layer, as it lacks the anti-executable features necessary to prevent the damage that malware can do if running unchecked in the virtual environment. As you are using Sandboxie combined with an AV, this isn't a relevant factor in your case. As with AppGuard, Shadow Defender also protects the MBR against modification and is hardened against TDL/TDSS rootkits. Software testing apart, the main appeal of LV is that it enables the system to be kept in a stable state with all system changes discarded on reboot. The implication of this extends beyond security. LV enables the user to be adventurous in experimenting with changes in system configuration, knowing that the system can always be reverted to a known state simply by rebooting. Because the system will always restart in a static, known state, there is no risk of ending up with an unbootable system resulting from a BSOD, system crash, or accidental system corruption while in the virtual mode. LV is never going to be an essential, must-have type of program because functionally it doesn't achieve anything more than can be achieved by restoring a system image, but there is the added convenience that it does it faster than restoring an image simply by means of a reboot. LV won't protect against hard disk failure or catastrophic system failure while not virtualized though; imaging is still needed for that unless one is prepared to reinstall the entire system from scratch. One advantage that Sandboxie has over LV is that with Sandboxie there is no need to reboot to exit the sandboxed environment. Some caveats regarding Shadow Defender: (1) It may not work well with SSD (at the very least TRIM will need to be disabled); (2) It may not work at all with Windows 8; (3) It is no longer being actively developed as the developer has been missing for some time, and it is unclear who is currently operating the website, whether they have any legitimate title to the software, and whether the program will ever see any further development to address the compatibility issues with SSD and Windows 8.

    I can't tell you what is the best combination for you but hopefully this rather long post will give you some things to think about when coming to a decision.

    Kind regards
     
    Last edited: Nov 8, 2012
  4. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Thanks Pegr, your post is another gem & much appreciated. :thumb:
     
    Last edited: Nov 8, 2012
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    You're welcome. :)
     