The unofficial Shadow Defender Support Thread.

I agree with you...which is why I continue to use .325.
(But then I'm also continuing to milk XP Pro SP3 for as long as I can justify doing so as well. )

 

A man after my own heart

 

IMO the main things that went wrong with Returnil were trying to force an antivirus onto people that very few wanted, coupled with incredibly slow development times and poor build quality. Including an antivirus was a mistake because the choice of antivirus, and even whether or not to deploy one at all, should be left to the user to decide.

I agree that SD shouldn't go beyond its intended purpose but there is a legitimate question as to exactly what that purpose should be. SD can be viewed simply as a utility that can be used to test software that doesn't require a reboot, or it can also be used for security purposes. My guess is that most SD users probably use it for both. So far, I can't see anything in recent developments to the program that contradicts either aim. The addition of support for SSD devices is good, as is enabling the virtualization cache to be held in RAM rather than written to disk. Tightening of any existing security weaknesses is also a good thing.

From a security perspective, it seems to me that the issue of future SD development is around whether it should remain a simple light virtualization utility with the emphasis on remediation, or whether features aimed at prevention should be added. Currently, SD has to be augmented with additional security layers in order to restrict the attack surface beyond simply making system infections temporary in nature. Remediation is good but prevention is also needed in order to mitigate against the damage that malware can do if allowed to run, including potential SD bypasses. The question is whether this should be left to other layers to achieve or whether elements of this can be incorporated into SD without destroying its fundamental nature. I believe they can. Sandboxie is a good example of a security program that has managed to get the balance right, with a well implemented combination of application virtualization and software restriction features.

 

Thanks, pegr. A very interesting posting which explains some fundamental principles about Shadow Defender and the way it can be used.

 

Pegr, your posts are always a breath of fresh air! I completely agree with you, SD with restrictions type a la Sandboxie would be the next logical step in terms of development even though it would make it difficult for the average user to configure it (probably one of the weakest points of Sandboxie, not so intuitive to configure without an interest in security). I do hope however that your suggestions might strike a chord with Tony.

 

Can anyone with Windows 8 64 bit check their Administrator Events in event viewer for warnings of event ID 136 or 134 source Ntfs (Ntfs) and/or event ID 1101. I am seeing these after rebooting out of shadow mode. It also shows up after entering shadow mode but of course that gets wiped out.

Code:

Level------Date and Time---------Source---Event ID--Task Category

Warning..8/28/2013 8:24:13 AM..Ntfs (Ntfs)..136.........(2)

In the General tab I see: The default transaction resource manager on volume C: encountered an error while starting and its metadata was reset.  The data contains the error code.

-or-

Code:

Level------Date and Time---------Source---Event ID--Task Category

Warning..8/24/2013 10:35:55 PM..Ntfs (Ntfs)..134........(2)

The transaction resource manager on volume C: encountered an error during recovery.  The resource manager will continue recovery.

I'm also seeing these.

Code:

Level-----Date and Time-------Source---Event ID--Task Catagory

Error..8/28/2013 8:24:24 AM..Eventlog..1101....Event processing

In the General tab I see: Audit events have been dropped by the transport.  0

I may even have a related bug check by exiting shadow mode from shutting down instead of a reboot. That is when I saw Event ID 134.

I'm using version 1.3.0.455. This is a new non-UEFI windows install from the 22nd. My programs are in my sig except I have been running as admin and no MBAM scanner. Macrium free is also installed.

 

Hi Patrick,

In the older versions, SD used Inno setup for the setup installtion.
but Inno Setup was reported as false positive for many times.
So i decided to use 7-zip to package SD.

Best regards,
Tony

On 2013-08-26 19:40, Patrick wrote:
> Hi Tony,
> Some members have asked why you are using 7-zip for the setup install?
> There is some discussion about it on this page on Wilders forum.
>
> https://www.wilderssecurity.com/showthread.php?p=2272617#post2272617
>
> from post 2846 downwards
>
> best wishes
>
> Patrick

 

hi,

something is wrong, i can not email to support@shadowdefender.com
the mail is not delivert
so i couldn't send the german translation to tony

is there any other way to do this ?

 

Hi BruzZzler
You could post it as an attachment here at The Official Shadow Defender Forum on the Translations thread.
Or
send it as an attachment to shadowdefenderforum@gmail.com and I'll see to it that Tony receives it when his email recovers.

Patrick (Admin The Official Shadow Defender Forum)

 

So far the past week, I've been testing my new Light Virtualizations set-up. Light Virtualization within a Light Virtualization.

Here's Deep Freeze and Shadow Defender installed, both in inactive states:
http://i.imgur.com/J2FVOdKs.jpg?1

First layer laid down by Deep Freeze Frozen state, Shadow Defender inactive, now you can enter Shadow Mode if you like:
http://i.imgur.com/933pYycs.jpg?1

In Frozen state and Shadow Mode together:
http://i.imgur.com/RSXZVh0s.jpg?1

No glitches/bugs, corruptions or compatibility problems. Works like a dream...within a dream

Risk paid off thanks to AX64! Perhaps Wioski testing next, though looks a bit tedious without a UI/seperate accounts and requiring a fresh Wdinows install? But I'm very happy for now

 

How is this possible?

 

you have mail patrick, thx

 

Thanks BruzZzler
Received and emailed to Tony
also I've put it for download for logged in members on this page of The Official Shadow Defender Forum


I will let you know when I have received a reply.

best wishes

Patrick

 

Test yourself, follow the ABOVE simple guide (Deep Freeze has 30 days trial fyi if you have;t used it bfore), install order doesn't matter. It's also possible to reverse the order by layering SM first, DF second but..

Then you have weaknesses in SD (mentioned some pages back) and its incompatibility issue with AX64; if you use other backup software then it's fine. Though I personally wouldn't recommend anyone to use SD as first layer. At least until SD catches up to DF

Just noting gist of each testings

DeepFreeze-Frozen state first layer, ShadowDefender-Shadow Mode second:

1. DF-F, SD-SM (SD settings set on exit SM on reboot or SM on boot)

2. DF-F discards all settings/changes from SD/SM on reboot. On reboot DF is in Frozen state with SD-SM in inactive state as expected.

-

Tested reverse order, SD-SM first layer, DF-F second:

1. Entered SD-SM (with SD setting to SM on reboot or SM exit after reboot), after, enter DF-F setting to enter DF-F state immediately after a reboot, also tried a reboot first without DF-F and DF-F with reboot. DF was still in Frozen state on immediate or on reboot, SD-SM should have discarded DF-F settings. Another SD weakness/hole.

2. Attempted to exit SD-SM, unsuccessful both LV still in SM/frozen state after reboot. Again SD weakness/hole, SD should have discarded DF-F/settings.

3. On the following reboot, attempt to exit from DF Frozen state is successful, SD still in SM. Same SD weakness/hole.

4. Exit SM finally successful after reboot, while DF-F was thawed from previous. Noticed some corruptions.

 

What are the folders to commit if you want to correctly commit Microsoft Security Essential updates?

C:\Program Files\Microsoft Security Client
C:\ProgramData\Microsoft\Microsoft Antimalware
C:\ProgramData\Microsoft\Microsoft Security Client
C:\Users\All Users\Microsoft\Microsoft Antimalware
C:\Users\All Users\Microsoft\Microsoft Security Client

Windows Defender also?

C:\Program Files\Windows Defender
C:\Program Files (x86)\Windows Defender
C:\ProgramData\Microsoft\Windows Defender
C:\Users\All Users\Microsoft\Windows Defender

Do I also need to commit (or exclude) registry keys?

 

Hi guys, sorry for the long absence but I was back home visiting my parents, no internet, no Wi-Fi, perfect peace of mind

I couldn't agree more with you Pegr. In fact I have discussed this with Tony and he came to the conclusion that he may be able to create two versions of SD in the future: A barebones 'light' version without all the bells and whistles, plus a more full-featured version with all the new options added. This would suit both fan camps, the core of the software will be the same anyway. Of course nothing is certain yet, it's up to Tony to decide.

 

RE: member asked‏

9/05/13

support@shadowdefender.com
Hi Patrick,

Here is my reply to xxxxxx:
There is no documented way to implement registry exclusion list in
Windows XP.
To implement it, SD should use some undocumented technology, but this
will be at a high risk. Because so many virus/malware use the same
technology and most of the anti-virus products don't like this.
Thanks.

Best regards,
Tony


On 2013-09-02 18:22, Patrick wrote:
> Hi Tony,
> I'd be interested to know what your reply was for myself (as an xp
> user) and so that I can inform other members. When people email you
> with a problem they often don't pass the information they get from
> your reply back to us at the forum.
> You see it a lot on forums, people ask a question that could be of
> interest to us all but just think of their own particular problem when
> they have received the answer. I call it "hit and run" posting.
>
> best wishes
>
> Patrick

 

Nice to see that you are OK Cyberman, I was wondering about you. I like the idea of the "Light version". I know some people get excited about bells and whistles but honestly, they kind of make me restless.

Bo

 

Can anyone explain how to commit changes if you have installed a program whilst in shadow mode as it would appear that it is left to the user to determine where those files/folders reside on your PC.

As an example, if i commit changes to the program folder itself, there may be a folder created in program data which would also need to be comitted to the real system.

It would be far easier if SD listed the files/folders created since entering shadow mode so you can click on those appropriate and commit.

I am not sure if this is offered in any alternative to SD ??

Andy

 

You could try RegShot

You take a snapshot before install and then after install and can compare the two (explained on link)

Patrick

 

I would be happier if SD displayed the recoverable files/folders to commit rather than using another third party program.

Sandboxie offers this feature but is not system wide protection.

 

Reboot and reinstall.

 

Robin A
I think that AMD would like some sort of integrated installation monitor whilst in Shadow Mode so that he can see where the installation is going and what changes are being made before he reboots and installs his software (or chooses "Commit Now" from Shadow Mode) that's why I suggested "RegShot" Windows XP/Vista/7/8 x86 x64.
Although it is a separate program it is freeware and should do what he wants.

In the past Inctrl5 and Primo program installation monitor did the same sort of thing,

 

You're not the only one, found 2 samples that were able to get through while in Shadow Mode by itself.

With the dual layer, Deep Freeze Frozen state discards them and Shadow Defender without a trace. So the list of Shadow Defender confirmed holes grows to 11 excluding the ones posted back lol

 

coffeetime
Maybe you could drop an email to bugs@shadowdefender.com or support@shadowdefender.com

Patrick