Shadow defender or returnil ?

Discussion in 'sandboxing & virtualization' started by garry35, Jun 26, 2012.

Thread Status:
Not open for further replies.
  1. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    329
    i am considering either returnil or shadow defender, but i would like some opinions of others. my main consideration is security and that it runs on 64bit. these questions apply equally to both programs.

    are they able to run in 64 bit ?
    are they still being actively updated when needed ?
    are there any known exploits or hacks that might cause problems ?

    if i have missed anything else or there are better solutions available can anybody make suggestions. i dont mind paying so long as its reliable and trustworthy. i dont mind spending time to learn new programs.

    thanks in advance
    Gazzer
     
  2. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,559
    A week ago I bought SD, only to find out it's developer has disappeared, as has their forums and support. I would use Returnil or Wiztool Time Freeze, before spending money on SD.
     
  3. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Rollback Rx is a virtualization program. If I am not mistaken you are already using MagiCure (Rollback Rx). Then, why you need another virtualization program?

    Best regards,
     
  4. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    I use both RollBack Rx and Shadow Defender and the reason I do is because it is known that some root-kits can get past Rx but are blocked by SD. I should add that I only use SD when I am doing something that I consider on the riskier side,,,,such as opening a suspicious file or e-mail. For normal computing such as trusted program testing, updates etc I feel Rx is quite sufficient to protect my system.

    I have used both SD and Returnil and I prefer SD buts thats just my preference. I found both to work without issue however I do not know if the current version of R will protect as well as SD.
     
  5. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    I'm pretty much doing the same thing, but I'm an SD old-timer and an Rx noob (I believe it's just the opposite with you).

    As you probably know, the last rootkit tests that were conducted by Wilders members are at least a year or two old, but they did conclusively show that only SD was capable of containing the rootkit samples within its virtual space, or in the case of Rx, within its current snapshot. All other tested programs (including Returnil and Rx) were not able to do that. Until I see more a more recent test indicating that updated versions of Returnil, other LVs, or Rx can contain rootkits such as the TDL variants, I for one will stay with SD as long as it is compatible with the version of Windows I'm running!

    TS

    PS to garry: I am running SD on my W7 64-bit system (HDD) without any issues. There are reported issues with SSDs.
     
    Last edited: Jun 26, 2012
  6. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    329
    you can never be too secure :ninja:
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Absolutley love Shadow Defender and IMO its one of a kind.
     
  8. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Actually RX is a snapshot app. This is not just semantics, snapshoting and light virtualization (LV) are two totally different technologies. Light virtualization apps feature a virtualization buffer (like Shadow Defender, Toolwiz Time Freeze, Wondershare Time Freeze to name a few). Rollback RX (EAZ-Fix), Comodo Time Machine, and all other 'proper' snapshot apps use no such buffer.

    A snapshot app provides different functionality to an LV one. Snapshot apps allow the user to accumulate changes across several reboots and save them as new snapshots, so they are perfect for testing programs that require reboots in order to become functional. LV apps are no good for such software, but some of them (like Shadow Defender) can fully undo sturdy rootkit infections that snapshot apps cannot handle. Each one of these two technologies provides different benefits and functionality, so I see no reason why they shouldn't be used together - for as long as there are no compatibility issues between them.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I agree, snapshotting isn't virtualization. The two approaches are the exact of opposite of each other in terms of how changes get saved or discarded. With light virtualization, all system changes are temporary unless explicit steps are taken to make some or all of them permanent. With snapshotting, all system changes are permanent unless explicit steps are taken to undo some or all of them. The two technologies are, as you say, quite different.

    Returnil:
    run in 64 bit? Yes
    actively updated when needed? Yes
    known exploits or hacks that might cause problems? Some rootkits

    Shadow Defender:
    run in 64 bit? Yes
    actively updated when needed? No
    known exploits or hacks that might cause problems? None known
     
  10. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    329
    i briefly tested both returnil free version and shadow defender trial. returnil seemed to slow my system so i uninstalled it. shadow defender seems ok but after asking their support site about their upgrade policy they havent replied after 3 days, and the latest version as reported on their site is 1.1.0.331 64bit and is dated as 2011.3.31 which would suggest either its not actively updated or they havent yet needed to update. and their forum seems offline
     
  11. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    WTF also hasn't received an update for a very long time. It seems there are only a few light virtualization softwares out there that actually have development like DeepFreeze I guess which is pretty sad...
     
  12. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    All possible questions regarding SD have been repeatedly answered here:

    https://www.wilderssecurity.com/showthread.php?t=293075&page=01

    Here's the short version: Shadow Defender 1.1.0.325 is the last known good version released before Tony, the SD developer, disappeared. Unknowns seem to have taken over the SD site. They keep selling the software without providing any form of support or answering any e-mails, and have released v1.1.0.331 without a changelog. Most people who know their sh*t and have been following SD for years now, are still sticking with v225.

    Two full years after it was lastly updated, SD is still the ONLY software able to withstand and fully undo infections by sturdy rootkits like TDSS (me and many others don't consider v331 as a legitimate update). I cannot stress enough how true this is. Personally I have tested almost all light virtualization apps, and IMHO SD is still the simplest and BEST. Once you start using it and learn the ins and outs of the story behind it, you'll know what I mean. And like many others before you (including me) you'll probably feel a little bit foolish in regard to your initial reservations.
     
  13. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,559
    Would it be a good idea to make a sticky with a download link to the known safe version of SD(325)?
     
  14. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    329
    where can i dl v325 ?
     
  15. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
  16. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
  17. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    I am pretty sure that you have by now used the option in Rollback Rx called, "reset to baseline". If you have then the computer reboots, at reboot it does few things and after doing few things, it says "loading VDisk Image".

    What does "loading VDisk Image" mean to you?
     
    Last edited: Jun 28, 2012
  18. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    KOR, please, do not use sarcasm, it does nothing to further your point of view. Sarcasm only serves to irritate people.

    I'm not going to go into a debate my friend, this is indeed semantics land we're entering now. There no real virtualization buffer with RX, CTM, or any other snapshot app. VDisk image is just the way RX names the snapshot, it has nothing to do with a proper virtualization buffer that programs like SD and WTF use, and also has little to do with proper virtual machine images that a user can load with "full" virtualization apps like Oracle's VirtualBox . People with much more knowledge than myself have ascertained so already, so it is pointless to talk about it. Still, if any other users agree with you let them come forward and say their piece.

    Yes, the two technologies are related but their approach is very different, as pegr has pointed out.

    Also you seem to find strange that people want to use RX alongside SD, WTF etc. I have pointed out many times in this forum of the distinct functionalities that each program offers. I have also given plain, real-world examples of such usage. They really complement each other, and combined they give more control to the user over the setup and security of his/her machine. I'm not going to carry on debating just for the sake of it. Please my friend, don't see this is as a challenge to your knowledgeability, because it isn't.

    I'll be the first to admit things when I'm wrong, it would be petty and immature not to do so. I have already admitted that you were right and I was wrong about SD and TRIM. But now we're just arguing about semantics.

    Again, this is NOT a challenge towards you, you have helped people already with your knowledge and with your very helpful and positive comments. I have learned from your comments as well. Please, lets leave at that.
     
  19. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Nobody used sarcasm and seems to be paranoia there.

    Therefore, it is useless to discuss further with paranoia!

    Best regards,
     
  20. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    The above phrase alone denoted irony, but then again maybe you're right, I may have misjudged it. I may be paranoid enough in regard to the security of my system, but I surely hope that my paranoia ends there...

    Your demeanour when you're answeing some posts indicates that you may be taking some comments personally. It was never my intention to challenge you. We have had some very informative exchanges in the past, there's really nothing there to fight about.
     
    Last edited: Jun 28, 2012
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    In this context vdisk appears to be a reference to the new baseline snapshot itself. If true, this is a different use of the term virtualization. Images created by imaging programs can also be called vdisks in this sense.

    When people talk about virtualization applications, they are usually talking about the ability of the program to isolate and contain change within a virtual container, not just the ability to make snapshots or images of the real system.

    Snapshot and imaging programs do not virtualize the system in the way that light virtualization programs do. Although there may be some disk virtualization with Rollback Rx in the way disk I/O is handled there isn't, as far as I'm aware, any system virtualization as there is with Shadow Defender.
     
  22. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Thanks pegr, that's why I said that these techs are related, but very different in their approach as you have pointed out. All I'm trying to say to Aladdin is that arguing about it is purely semantics.

    It is also a non-debateable fact that some of these programs really complement each other, providing different functionalities and fulfilling different tasks. I have provided real-world examples of such usage, still some users seem to be unable to comprehend it, or unwilling to accept it.
     
  23. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear pegr,

    Is VMware a virtualization program or not! We have agreed it is.

    When you load Win7 in VMware, does it isolate and contain change within the virtual container. Or, does it apply the changes to Win7 in real time.

    Rollback Rx doesn't apply the changes in real time too. It contains the changes in different snapshots which appear to the user to be in real time. The different changes are there in each snapshot, and therefore the user rolls back and forth in these snapshots and is presented with these changes.

    For example, you have baseline snapshot and after that you install Firefox v11 and take snapshot A. Then later on, you install Firefox v12 and take snapshot B. After a while when Firefox v13 is out, you install it and take snapshot C. Now these different Firefox versions are all sitting in virtual container in different snapshots.

    Now you roll back to snapshot B. There you are presented with Firefox v12 and you work with it for few days. But all Firefox versions are still there, v11, v12 and v13 too.

    While you are in snapshot B, you decide to create a new baseline based on snapshot B, which you are currently working with and has Firefox v12.

    You computer will reboot, Rollback Rx will update all the snapshots to B, meaning it will now destroy both Firefox v11 and v13, and load a NEW VDISK with Firefox v12.

    Before your update to baseline snapshot, you were in virtual environment with Firefox v11, v12 and v13. Now, after updating to baseline, you start a new baseline with a NEW virtual environment with Firefox v12 only.

    Now compare this to "System Restore" and see what the differences are?

    You have restore points, "A", "B" and "C". If you restore to "B", what happens now?

    Best regards,
     
  24. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Baseline snapshot which is created on installation of Rollback Rx is a big virtual container. Within that big virtual container, each snapshot is a contained virtual container which contains the information for that container (snapshot) only.

    For example, if I roll back to snapshot "B", which contains the information for container "B" only, then it will present me with the baseline container and updated information from container "B" only.

    Best regards,
     
  25. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Now compare Rollback Rx snapshot technology to EaseUS/Farstone snapshot technology. Not EaseUS/Farstone imaging technology.

    Rollback Rx snapshots are kept on the same partition which is being under snapshot. If one rolls back and forth to a snapshot, all other snapshots are there and not destroyed.

    Where as, EaseUS/Farstone snapshots are kept on a seperate partition and usually not on the partition which is under snapshot. Day 1, 2 and 3 snapshots are created. If one rolls back to Day 2 snapshot, all snapshots are destroyed, after roll back.

    Best regards,
     
Loading...
Thread Status:
Not open for further replies.