Shadow Defender Questions

Discussion in 'sandboxing & virtualization' started by Dregg Heda, Jul 30, 2009.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    How does Shadow Defender allow one to save any changes made? I know that there is an option to exclude protection for certain files/folders, and have changes to those written directly to disk but what are the other options? Ive also heard that there isnt an option to save the entire session, although the developer is supposedly working on this. Is this true?

    Does it work in LUA? As in if I install it admin will it work correctly with other LUA accounts on my pc?

    Also I heard sometime back that there was some kind of conflict with DW, has this been fixed?

    Anything else I should know before trialling the software?
     
  2. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    You can right click the file and then commit now. You can also save the changes made to the whole drive by: Entering Shadow mode, >Mode Setting>Check (tick) which partition you want to save all the changes made to it>Exit Shadow Mode>Commit all changes.

    i haven't noticed any problems using shadow defender with defensewall, but u have to install shadow defender as trusted of course
     
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for the response Hamzah!

    Another question I have is: I know programs like SD are vulnerable to low-level disk access, but are there other vulnerabilities that SD or apps of its ilk have? What are some good options to complement SD? Thanks!
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    How do you know this. SD has protection against this. There was a new worm, that used a clever approach and yes it did initially bypass SD, but that has been fixed and a new release should be out shortly
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I read an article, something about how certain types of malware, eg dog trojans can use low level disk access to bypass virtualisers and hence make permanent changes. I assumed the protections incorporated by SD worked against the particular worm you are talking about, but did not prevent low-level disk access in general, hence opening it up to other possible exploits, theoretically atleast. If SD has been updated to prevent low-level disk access in general, then that is good to know!
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Heres another question:

    Does SD have some way to permanently save certain files, like returnil? Like a setting to ensure that certain files are always saved to the real system after every session, without writing directly to the disk?

    How else can one save bookmarks and history without writing directly to disk?

    Thanks!
     
  7. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Fix is specific for this worm, but it can be bypassed by another malware or a safesys variant.

    You should read this:
    http://www.prevx.com/blog/134/A-puzzle-called-SafeSys.html

    It's a design flaw not a bug
     
  8. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    341
    So how to stop the damn thing? Maybe HIPS? Any recommendations?
     
  9. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
  10. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    Keep in mind that anything can be bypassed, it is a matter of the likelihood of the event, and for virtualizers is very rare, particularly used in conjunction with HIPS or AVs.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Read the article

    I've tested SD against other disk killers before this worm, and indeed SD stops them.

    So if you are saying there is something else out there that bypasses SD, PM me. I'd like to know. Otherwise you are just talking theory.
     
  12. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    This is not just a theory:

    then, you can look at the mj0011's work (XCon 2008 ).

    Concerning SD, you can try latest variant of MBR rootkit and then analyze system partition after the reboot (not only the MBR/ sector 0 ) ;)
     
    Last edited: Jul 31, 2009
  13. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So whats a good defense against this developers? Defensewall?
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    defensewall yes:cool:
     
Loading...
Thread Status:
Not open for further replies.