The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I agree with you...which is why I continue to use .325.
    (But then I'm also continuing to milk XP Pro SP3 for as long as I can justify doing so as well. :p )
     
  2. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,035
    A man after my own heart :)

     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    IMO the main things that went wrong with Returnil were trying to force an antivirus onto people that very few wanted, coupled with incredibly slow development times and poor build quality. Including an antivirus was a mistake because the choice of antivirus, and even whether or not to deploy one at all, should be left to the user to decide.

    I agree that SD shouldn't go beyond its intended purpose but there is a legitimate question as to exactly what that purpose should be. SD can be viewed simply as a utility that can be used to test software that doesn't require a reboot, or it can also be used for security purposes. My guess is that most SD users probably use it for both. So far, I can't see anything in recent developments to the program that contradicts either aim. The addition of support for SSD devices is good, as is enabling the virtualization cache to be held in RAM rather than written to disk. Tightening of any existing security weaknesses is also a good thing.

    From a security perspective, it seems to me that the issue of future SD development is around whether it should remain a simple light virtualization utility with the emphasis on remediation, or whether features aimed at prevention should be added. Currently, SD has to be augmented with additional security layers in order to restrict the attack surface beyond simply making system infections temporary in nature. Remediation is good but prevention is also needed in order to mitigate against the damage that malware can do if allowed to run, including potential SD bypasses. The question is whether this should be left to other layers to achieve or whether elements of this can be incorporated into SD without destroying its fundamental nature. I believe they can. Sandboxie is a good example of a security program that has managed to get the balance right, with a well implemented combination of application virtualization and software restriction features.
     
  4. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    281
    Location:
    Austria
    Thanks, pegr. A very interesting posting which explains some fundamental principles about Shadow Defender and the way it can be used. :thumb:
     
  5. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,187
    Location:
    Milan and Seoul
    Pegr, your posts are always a breath of fresh air! I completely agree with you, SD with restrictions type a la Sandboxie would be the next logical step in terms of development even though it would make it difficult for the average user to configure it (probably one of the weakest points of Sandboxie, not so intuitive to configure without an interest in security). I do hope however that your suggestions might strike a chord with Tony.
     
  6. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,106
    Location:
    Mountaineer Country
Can anyone with Windows 8 64-bit check their Administrator Events in Event Viewer for warnings of event ID 136 or 134, source Ntfs (Ntfs), and/or event ID 1101? I am seeing these after rebooting out of Shadow Mode. It also shows up after entering Shadow Mode, but of course that gets wiped out.

    Code:
    Level------Date and Time---------Source---Event ID--Task Category
    
    Warning..8/28/2013 8:24:13 AM..Ntfs (Ntfs)..136.........(2)
    
    In the General tab I see: The default transaction resource manager on volume C: encountered an error while starting and its metadata was reset.  The data contains the error code.
    -or-

    Code:
    Level------Date and Time---------Source---Event ID--Task Category
    
    Warning..8/24/2013 10:35:55 PM..Ntfs (Ntfs)..134........(2)
    
    The transaction resource manager on volume C: encountered an error during recovery.  The resource manager will continue recovery.
    I'm also seeing these.

    Code:
    Level-----Date and Time-------Source---Event ID--Task Category
    
    Error..8/28/2013 8:24:24 AM..Eventlog..1101....Event processing
    
    In the General tab I see: Audit events have been dropped by the transport.  0
    I may even have a related bug check by exiting shadow mode from shutting down instead of a reboot. That is when I saw Event ID 134.

    I'm using version 1.3.0.455. This is a new non-UEFI windows install from the 22nd. My programs are in my sig except I have been running as admin and no MBAM scanner. Macrium free is also installed.
     
  7. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,035
    Hi Patrick,

    In the older versions, SD used Inno Setup for the setup installation,
    but Inno Setup was reported as a false positive many times.
    So I decided to use 7-zip to package SD.

    Best regards,
    Tony


    On 2013-08-26 19:40, Patrick wrote:
    > Hi Tony,
    > Some members have asked why you are using 7-zip for the setup install?
    > There is some discussion about it on this page on Wilders forum.
    >
    > https://www.wilderssecurity.com/showthread.php?p=2272617#post2272617
    >
    > from post 2846 downwards
    >
    > best wishes
    >
    > Patrick


     
    Last edited: Aug 28, 2013
  8. BruzZzler

    BruzZzler Registered Member

    Joined:
    Jun 1, 2012
    Posts:
    30
    Hi,

    Something is wrong, I cannot email support@shadowdefender.com;
    the mail is not delivered :(
    so I couldn't send the German translation to Tony.

    Is there any other way to do this?
     
  9. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,035
    Hi BruzZzler
    You could post it as an attachment here at The Official Shadow Defender Forum on the Translations thread.
    Or
    send it as an attachment to shadowdefenderforum@gmail.com and I'll see to it that Tony receives it when his email recovers.

    Patrick (Admin The Official Shadow Defender Forum)



     
    Last edited: Sep 2, 2013
  10. coffeetime

    coffeetime Registered Member

    Joined:
    Aug 26, 2012
    Posts:
    55
    So far the past week, I've been testing my new Light Virtualization set-up: Light Virtualization within a Light Virtualization.

    Here's Deep Freeze and Shadow Defender installed, both in inactive states:
    http://i.imgur.com/J2FVOdKs.jpg?1

    First layer laid down by Deep Freeze Frozen state, Shadow Defender inactive, now you can enter Shadow Mode if you like:
    http://i.imgur.com/933pYycs.jpg?1

    In Frozen state and Shadow Mode together:
    http://i.imgur.com/RSXZVh0s.jpg?1

    No glitches/bugs, corruptions or compatibility problems. Works like a dream...within a dream :D

    Risk paid off thanks to AX64! Perhaps Wioski testing next, though it looks a bit tedious without a UI/separate accounts and requiring a fresh Windows install? But I'm very happy for now *puppy*
     
  11. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,337
    Location:
    USA
    How is this possible?
     
  12. BruzZzler

    BruzZzler Registered Member

    Joined:
    Jun 1, 2012
    Posts:
    30

    you have mail patrick, thx
     
  13. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,035
    Thanks BruzZzler
    Received and emailed to Tony
    also I've put it for download for logged in members on this page of The Official Shadow Defender Forum


    I will let you know when I have received a reply.

    best wishes

    Patrick :)

     
    Last edited: Sep 3, 2013
  14. coffeetime

    coffeetime Registered Member

    Joined:
    Aug 26, 2012
    Posts:
    55
    Test yourself, follow the ABOVE simple guide (Deep Freeze has a 30-day trial, FYI, if you haven't used it before); install order doesn't matter. It's also possible to reverse the order by layering SM first, DF second but..

    Then you have weaknesses in SD (mentioned some pages back) and its incompatibility issue with AX64; if you use other backup software then it's fine. Though I personally wouldn't recommend anyone to use SD as first layer. At least until SD catches up to DF :p

    Just noting the gist of each test.

    DeepFreeze-Frozen state first layer, ShadowDefender-Shadow Mode second:

    1. DF-F, SD-SM (SD settings set on exit SM on reboot or SM on boot)

    2. DF-F discards all settings/changes from SD/SM on reboot. On reboot DF is in Frozen state with SD-SM in inactive state as expected.

    -

    Tested reverse order, SD-SM first layer, DF-F second:

    1. Entered SD-SM (with SD set to SM on reboot or SM exit after reboot); after that, entered DF-F, set to enter the Frozen state immediately after a reboot; also tried a reboot first without DF-F, and DF-F with reboot. DF was still in Frozen state, immediately or on reboot; SD-SM should have discarded the DF-F settings. Another SD weakness/hole.

    2. Attempted to exit SD-SM, unsuccessful; both LV still in SM/frozen state after reboot. Again an SD weakness/hole; SD should have discarded DF-F/settings.

    3. On the following reboot, attempt to exit from DF Frozen state is successful, SD still in SM. Same SD weakness/hole.

    4. Exit SM finally successful after reboot, while DF-F was thawed from previous. Noticed some corruptions.
     
  15. t3ster

    t3ster Registered Member

    Joined:
    Nov 7, 2012
    Posts:
    37
    What are the folders to commit if you want to correctly commit Microsoft Security Essentials updates?

    C:\Program Files\Microsoft Security Client
    C:\ProgramData\Microsoft\Microsoft Antimalware
    C:\ProgramData\Microsoft\Microsoft Security Client
    C:\Users\All Users\Microsoft\Microsoft Antimalware
    C:\Users\All Users\Microsoft\Microsoft Security Client

    Windows Defender also?

    C:\Program Files\Windows Defender
    C:\Program Files (x86)\Windows Defender
    C:\ProgramData\Microsoft\Windows Defender
    C:\Users\All Users\Microsoft\Windows Defender

    Do I also need to commit (or exclude) registry keys?
     
  16. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Hi guys, sorry for the long absence but I was back home visiting my parents, no internet, no Wi-Fi, perfect peace of mind :D

    I couldn't agree more with you Pegr. In fact I have discussed this with Tony and he came to the conclusion that he may be able to create two versions of SD in the future: A barebones 'light' version without all the bells and whistles, plus a more full-featured version with all the new options added. This would suit both fan camps, the core of the software will be the same anyway. Of course nothing is certain yet, it's up to Tony to decide.

     
  17. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,035
    RE: member asked

    9/05/13

    support@shadowdefender.com
    Hi Patrick,

    Here is my reply to xxxxxx:
    There is no documented way to implement a registry exclusion list in Windows XP.
    To implement it, SD would have to use some undocumented technology, but this
    would be at a high risk, because so many viruses/malware use the same
    technology and most of the anti-virus products don't like this.
    Thanks.

    Best regards,
    Tony



    On 2013-09-02 18:22, Patrick wrote:
    > Hi Tony,
    > I'd be interested to know what your reply was for myself (as an xp
    > user) and so that I can inform other members. When people email you
    > with a problem they often don't pass the information they get from
    > your reply back to us at the forum.
    > You see it a lot on forums, people ask a question that could be of
    > interest to us all but just think of their own particular problem when
    > they have received the answer. I call it "hit and run" posting.
    >
    > best wishes
    >
    > Patrick :)
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,766
    Location:
    Nicaragua
    Nice to see that you are OK Cyberman:cool:, I was wondering about you. I like the idea of the "Light version". I know some people get excited about bells and whistles but honestly, they kind of make me restless.

    Bo
     
  19. AMD

    AMD Registered Member

    Joined:
    Jul 9, 2012
    Posts:
    92
    Location:
    UK
    Can anyone explain how to commit changes if you have installed a program whilst in shadow mode as it would appear that it is left to the user to determine where those files/folders reside on your PC.

    As an example, if I commit changes to the program folder itself, there may be a folder created in ProgramData which would also need to be committed to the real system.

    It would be far easier if SD listed the files/folders created since entering shadow mode so you can click on those appropriate and commit.

    I am not sure if this is offered in any alternative to SD?

    Andy
     
  20. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,035
    You could try RegShot

    You take a snapshot before install and then after install and can compare the two (explained on link)

    Patrick
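As an added example (not from the forum, RegShot or Shadow Defender), here is the before/after snapshot-and-compare idea in Python applied to files rather than registry keys: it answers both AMD's request to see what an install created while in Shadow Mode and t3ster's question of which folders to hand to Commit Now. The directory tree is constructed in a temporary folder standing in for Program Files and ProgramData; the file names are assumptions, not a real installer's layout.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (POSIX-style relative path) to (size, sha256)."""
    root, snap = Path(root), {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            snap[p.relative_to(root).as_posix()] = (p.stat().st_size, h.hexdigest())
    return snap


def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths, each list sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, modified, removed


def folders_to_commit(before, after):
    """Parent folders holding new or changed files: the list to commit.
    Deletions are returned separately, because committing a folder cannot
    carry a file that no longer exists back to the real system."""
    added, modified, removed = diff_snapshots(before, after)
    folders = sorted({Path(p).parent.as_posix() for p in added + modified})
    return folders, removed


def demo():
    # Constructed sample: a temp tree standing in for C:\ with a fake install.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app, data = root / "Program Files" / "App", root / "ProgramData" / "App"
        app.mkdir(parents=True)
        data.mkdir(parents=True)
        (app / "old.dll").write_bytes(b"v1")
        (data / "config.ini").write_text("a=1\n")
        before = snapshot(root)                   # taken before the "install"
        (app / "app.exe").write_bytes(b"MZ...")   # new binary
        (app / "old.dll").write_bytes(b"v2")      # same size, new content
        (data / "signatures.dat").write_bytes(b"\x00" * 16)
        (data / "config.ini").unlink()            # installer removed a file
        after = snapshot(root)                    # taken after the "install"
        return folders_to_commit(before, after)


if __name__ == "__main__":
    print(demo())
```

Taking the "before" snapshot right after entering Shadow Mode and the "after" snapshot once the installer finishes gives the folder list to commit; a large tree takes a while to hash, so scope the root to the drives SD is shadowing.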

     
  21. AMD

    AMD Registered Member

    Joined:
    Jul 9, 2012
    Posts:
    92
    Location:
    UK
    I would be happier if SD displayed the recoverable files/folders to commit rather than using another third party program.

    Sandboxie offers this feature but is not system wide protection.
     
  22. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,546
    Reboot and reinstall.
     
  23. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,035
    Robin A
    I think that AMD would like some sort of integrated installation monitor whilst in Shadow Mode, so that he can see where the installation is going and what changes are being made before he reboots and installs his software (or chooses "Commit Now" from Shadow Mode); that's why I suggested "RegShot" (Windows XP/Vista/7/8, x86/x64).
    Although it is a separate program, it is freeware and should do what he wants. :)

    In the past InCtrl5 and the Primo program installation monitor did the same sort of thing.

     
    Last edited: Sep 8, 2013
  24. coffeetime

    coffeetime Registered Member

    Joined:
    Aug 26, 2012
    Posts:
    55
    You're not the only one, found 2 samples that were able to get through while in Shadow Mode by itself.

    With the dual layer, Deep Freeze Frozen state discards them and Shadow Defender without a trace. So the list of Shadow Defender confirmed holes grows to 11 excluding the ones posted back lol
     
  25. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,035
    coffeetime
    Maybe you could drop an email to bugs@shadowdefender.com or support@shadowdefender.com

    Patrick


     