Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.
Does that happen with the latest version or with all versions? All the time or once?
I just want to share something.
I was in Shadow Mode, ran the Gigabyte utility for driver & BIOS update.
For fun I downloaded the new BIOS version (F6) and my PC automatically restarted; the new version of the BIOS was installed with no problem.
I just want to share that here.
That is as expected - because SD cannot shadow (virtualize) the BIOS/CMOS.
I've taken an interest in Shadow Defender.
Should I purchase, what version do you recommend downloading?
It has happened only once (once in the test period) because I've always made an allowing rule for it...versions?...I've installed the latest version of Jetico perhaps in April/May and then a few times in the last months and don't remember the numbers of the SD version...probably I could say v. 623, 636, 648...648 is currently on board.
Another thing: I currently have Malwarebytes Anti-Malware, Malwarebytes Anti-Exploit, and Avira AV installed. Would these programs cause any issues running in Shadow Mode?
Odds are programs that run okay on real system, run okay in shadow. Note: updates in shadow will be lost on restart.
google > How to use Shadow Defender e.g., https://malwaretips.com/threads/how-to-set-up-shadow-defender-for-convenience-max-protection.12778/
SD shouldn't interfere with other apps in the system...they should work the same as in the real system. One exception is apps which need to be constantly updated, but bjm_ mentioned that already.
Thanks for the support guys.
Sounds like it would be a great addition to staying safe online
Oh boy, of course it is. As soon as you see anything abnormal or erratic behaviour, just push the reset/power button, restart the machine and everything will be just fine.
Just a small caveat to that
As I understand it Shadow Defender is not a firewall and will not necessarily protect you if you expose information about your real system during a shadowed browsing or online session.
Shadow Defender is fantastic but you still have to be aware of what you are doing and saying on the net.
These are my thoughts anyway, please feel free to tell me if I am wrong.
That is correct Patrick. Nor can SD remove a certain class of trojans from your system after restarting, so SD users should also use a realtime anti-malware program!
Could you explain that, relating to not removing a certain class of trojans.
I didn't know about the trojan class, what is it?
Hi guys, I'm on my lunch break, checked-in and saw your question. I'll try to explain what I meant above...
First you need to recognize that SD only virtualizes Windows formatted and lettered 'disk' volumes (per your Mode settings). Early in 2014 I pointed out - in Patrick's (now defunct) Official SD Website - the importance of virtualizing Windows track0 / hidden boot partition whenever the C-partition was checked in Mode Selection. To Tony's credit he quickly implemented that concept. Afterwards I read about a number of trojan exploits (in the 'bootkit' class) which were capable of hiding 'below' Windows in unallocated HDD/SSD space. Tony didn't consider this a serious problem because he said those trojans were in a dormant state while hiding in some unallocated space and that SD would protect the system upon virtualizing the C-partition along with the boot sectors/partition. I just didn't (and still don't) see his point, especially for users who run SD on-demand, as there will be times when SD is not active and the system is then vulnerable!
This would be of far less concern if Tony would have implemented The Shadow's request to provide an option to Drop Rights and Prevent Driver Execution within SD (as in Sandboxie), but that has not been done (so far).
Since I never run without having SBIE on I am not worried, but I have to ask my favorite followup question. How did these trojans get on my system in the first place?
Well Pete, if you are the sole user of your system, never run without SBIE with drop rights enabled, and never open suspect email attachments, you do indeed have a low risk of infection. But then again, that modus operandi probably isn't typical...
Well I am not the sole user, but there are only 3 adult responsible users. Any browser is run in SBIE, and I don't use drop rights, but I do run Appguard and ERP along with EIS. And I suspect I am not typical, but you pay one way or another. Prevention is much cheaper.
Pete, both you and Patrick asked me to elaborate on the remark I made in post 4763...
...and I believe my reply (post 4766) elaborated on the remark in question.
I was only trying to make the point that SD users should not totally rely upon it (alone) for protection against malware because SD in itself does not identify or block malware! Therefore, without anti-malware protection an SD user (particularly, one with admin privileges) is completely vulnerable to malware infection. It is true that if malware infects a system's C-drive or any other SD-protected volume that malware will be totally cleansed by a subsequent system restart. But if any such malware is capable of hiding in unallocated drive space it will survive a restart, lurking there for the first opportunity to complete its intended (nasty) mission. That opportunity would arise the next time the system volume (and boot sectors) were not being virtualized by SD!
Unless it's supported by reliable evidence, I'd put this in the SD myth category.
Robin, what (specifically) do you consider to be a myth?
With all due respect, I also consider this a myth unless a PoC is available. If you have one please share it via PM. The other day I tried Petya on my main personal machine and I survived its payload. I want to see that kind of malware capable of making unallocated drive space in the first place, because I don't have space made by me in my drives, of course if they exist.
In this case, the belief that malware can hide in unallocated space and from there infect the Windows partition when it's in shadow mode.
I think there is always some unallocated space on a disk, some of it "between" the partitions. Some partition managers show these spaces. Also, on an MBR disk Windows itself can store information in unallocated space in certain cases. On GPT disks this is not allowed, and this information is stored in the MSR partition.
This leads to another interesting question. To be truly hidden there would have to be some mechanism that allows Windows to start it running. Something had to put it there and there has to be something that can access this data.
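The posts above (the remark that SD only virtualizes lettered volumes, and the point that there is usually unallocated space before the first partition and between partitions) can be checked rather than argued. As an added example that is not part of this thread and not code from Shadow Defender, the Python script below parses an MBR partition table, lists the LBA ranges that no partition covers, and hashes those ranges so a second run after a restart shows whether anything outside the shadowed volumes changed. The disk image, the partition layout and the "write into a gap" are constructed sample data; on a real MBR disk you would feed it the first 512 bytes and the disk's sector count instead.

```python
import hashlib
import struct

SECTOR = 512
# One MBR partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start, LBA sector count. Little-endian, 16 bytes, four entries at offset 446.
ENTRY_FMT = "<B3sB3sII"
ENTRY_TABLE = 446


def build_mbr(layout):
    """Construct a sample MBR from (type, start_lba, sector_count) tuples.
    Constructed for this example; CHS fields are filled with 0xFF placeholders."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, ENTRY_TABLE + 16 * i,
                         0x80 if i == 0 else 0x00, b"\xff\xff\xff",
                         ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"          # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the used partition entries as (start_lba, sector_count, type), sorted by start."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, ENTRY_TABLE + 16 * i)
        if ptype != 0 and count != 0:   # type 0x00 marks an empty slot
            parts.append((start, count, ptype))
    return sorted(parts)


def unallocated_ranges(parts, total_sectors):
    """LBA ranges [start, end) covered by no partition: the 'track0' gap after
    the MBR, gaps between partitions, and any tail after the last one."""
    gaps = []
    cursor = 1                           # sector 0 is the MBR itself
    for start, count, _ptype in parts:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def hash_ranges(image, ranges):
    """SHA-256 per unallocated range; this is the baseline to keep across a restart."""
    return {r: hashlib.sha256(image[r[0] * SECTOR:r[1] * SECTOR]).hexdigest()
            for r in ranges}


def changed_ranges(baseline, current):
    """Ranges whose content differs from the baseline (or vanished from it)."""
    return [r for r in baseline if current.get(r) != baseline[r]]


def demo():
    """Constructed 64-sector disk: two partitions, then one write inside a
    partition (which a volume shadow would cover) and one into a gap."""
    total = 64
    layout = [(0x07, 8, 16), (0x07, 32, 16)]       # NTFS-type entries, sample values
    image = bytearray(total * SECTOR)
    image[0:SECTOR] = build_mbr(layout)
    gaps = unallocated_ranges(parse_mbr(bytes(image[0:SECTOR])), total)
    baseline = hash_ranges(bytes(image), gaps)

    image[10 * SECTOR] = 0x41            # inside partition 1: not an unallocated range
    image[25 * SECTOR:25 * SECTOR + 4] = b"\xde\xad\xbe\xef"   # in the gap between partitions
    return changed_ranges(baseline, hash_ranges(bytes(image), gaps))


if __name__ == "__main__":
    print("changed unallocated ranges:", demo())
```

The script is a baseline-and-compare check, not a scanner: it cannot say what a differing range contains, only that sectors outside every partition changed between two runs, which is exactly the region a volume-level shadow does not cover. GPT disks keep their partition array in a different structure (and, as noted above, Windows uses the MSR partition there), so this MBR parser does not apply to them unchanged.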