The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,236
    Location:
    USA
    Frankly, I don't see what's so questionable about Wendi's remarks. As an ex-Rollback Rx user I can tell you that Rx's driver (which is kind of a bootkit) redirects Windows disk-writes and Rx's snapshots are hidden in unallocated disk-sectors, so why couldn't malware do the same?
     
  2. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Robin, as I indicated previously, SD (with Shadow Mode enabled) neither recognizes nor blocks any malware. It takes a restart to clear out disk changes including any malware that may have infected SD's protected volumes (but as I also stated, SD cannot do this with unallocated partitions).

    I respectfully suggest that you (and Mister X) google what I have asserted about certain malware being able to hide in unallocated space (hints: Mebroot, Sinowal, TDL3 & TDL4).
     
    Last edited: Sep 24, 2016
  3. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Pete, it just takes a (malicious) driver. That's why I said (in post 4766)...
     
  4. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Exactly!
     
  5. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I assume that something like NVT Driver Radar Pro would help to mitigate that problem somewhat.
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    I also used to have Rollback and Emsisoft would refuse to treat Rx's driver as a FP as the same device was used by malware. I think anything is possible if the attack is specific, but one has to be conned into downloading the malware. The chances to get something like that on your system are really remote...
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Could you mention which ones?
    I've been using Minitool Partition Wizard for so long, what a great tool. I've encountered some HDDs from customers which have those small unallocated spaces within. But in my personal HDDs preparation when servicing computers I've never left or seen
    Thanks for pointing me out to these.
     
  8. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    These spaces may not exist in your drives. You can see them with Partition Wizard when they exist. They may be created when you move/resize partitions.
     
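    As an added example (not code from the thread or from Shadow Defender), a small Python script that does what Partition Wizard does for you here: it parses an MBR partition table and lists the sector ranges that no partition covers, i.e. the unallocated gaps the thread is worried about. The MBR bytes and the disk size are constructed sample values, not taken from a real drive.

```python
import struct
from typing import List, Tuple

SECTOR = 512
MBR_PART_TABLE_OFFSET = 446
# status, CHS start, type, CHS end, LBA start, sector count (all little-endian)
MBR_ENTRY_FORMAT = "<B3sB3sII"

def parse_mbr(mbr: bytes) -> List[Tuple[int, int, int]]:
    """Return (type, lba_start, sector_count) for each used primary partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = MBR_PART_TABLE_OFFSET + 16 * i
        _status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            MBR_ENTRY_FORMAT, mbr, off)
        if ptype != 0 and count != 0:  # type 0 means an empty slot
            parts.append((ptype, lba, count))
    return parts

def unallocated_ranges(parts, total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges [start, end) covered by no partition, in LBA order.
    LBA 0 holds the MBR itself, so the scan starts at LBA 1; the usual
    gap before the first partition (track 0 / alignment space) is reported too."""
    gaps = []
    cursor = 1
    for _ptype, lba, count in sorted(parts, key=lambda p: p[1]):
        if lba > cursor:
            gaps.append((cursor, lba))
        cursor = max(cursor, lba + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def build_mbr(entries) -> bytes:
    """Constructed sample MBR: zeroed boot code plus the given partition entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into(MBR_ENTRY_FORMAT, mbr, MBR_PART_TABLE_OFFSET + 16 * i,
                         0x80 if i == 0 else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed sample disk: two NTFS partitions with a 2 MiB hole between them.
SAMPLE_DISK_SECTORS = 1_214_464
SAMPLE_MBR = build_mbr([(0x07, 2048, 204_800), (0x07, 210_944, 1_000_000)])

if __name__ == "__main__":
    for start, end in unallocated_ranges(parse_mbr(SAMPLE_MBR), SAMPLE_DISK_SECTORS):
        print(f"unallocated: LBA {start}-{end - 1} ({(end - start) * SECTOR // 1024} KiB)")
```

    On a real disk you would read the first 512 bytes of the physical device and take the sector count from the OS; a gap that is larger than the usual alignment space and that you did not create yourself is worth inspecting.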
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Seems logical and this is what I expected.
    Yes. I must admit when tinkering with partitions I've seen this but always try to fix it one way or another until I make them disappear LOL

    Thanks for your replies.
     
  10. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,159
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  12. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Sorry guys, but as far as I'm concerned Tony’s reply (and stance on this matter) 'doesn't hold water'. He adds no further insight to what I reported in post 4766.
    Allow me to elaborate. Upon placing the system volume into Shadow Mode, the user is given these 2 options:

    1. Exit Shadow Mode when shutdown
    2. Enter Shadow Mode on boot

    The 1st option is typically selected by those who use SD on-demand, whereby the system volume exits Shadow Mode, clearing all changes when Windows restarts or shuts down.

    The 2nd option is typically selected by those who prefer to always run in Shadow Mode, where SD invokes the actions of option 1, and re-enters Shadow Mode the next time the user is logged into Windows.

    Option 1 leaves the system vulnerable to malware execution anytime after system restart, and option 2 still leaves the system vulnerable to driver execution between the time of BIOS and user logon. And if you don’t think that can happen, I would refer you to Cruise’s Rollback Rx example (Rollback Rx loads its bootkit driver before user logon)!
     
    Last edited: Sep 26, 2016
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    What are you talking about?...you deny your own words...all changes are cleared after restart or system is still vulnerable to malware execution after such restart?
    The next thing...SD installs its own service and by default this service is automatically loaded while the system starts, so SD is outside of user logon and doesn't depend on it. That is the reason that some other security apps work in the same way - SSM, SpyShelter, Kerio...
    The name of SD service is not obvious but it is
     
  14. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Please re-read what I have said so that you may better understand what I'm talking about. The changes that are cleared on restart are those from the previous session. As far as I'm aware SD's 'write buffer' does not include any changes that might occur during the subsequent bootup!

    As far as I'm aware, under option 2 Shadow Mode is not re-enabled until the user logs in (or is automatically logged in). If that's correct then any driver injected into the early bootup phase could infect the system before Shadow Mode is enabled.
     
    Last edited: Sep 26, 2016
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    @Wendi
    Have you tested anything you've claimed on a real machine?
     
  16. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    No I haven't Mr.X, but neither has Tony done that! Please understand that my only purpose here was to suggest why SD could be vulnerable to a certain class of malware so it may not be sufficient protection without additional (anti-malware) protection. I won't attempt to prove this possibility because I believe Malwarebytes AM+AE protects me from any such instance. In any case, since Tony claims otherwise (i.e., if any malware hides in unallocated disk space there's no way it could execute), why isn't the burden of proof on him?
     
    Last edited: Sep 26, 2016
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I think this thread could be the beginning of Track0 protection in SD
    https://www.wilderssecurity.com/thre...-alternative-to-shadow-defender.333366/page-2
    and as I remember you, Wendi, were one of the authors of the suggestion to introduce MBR track0 protection...so maybe it would be better for me, without doubt, not to "kick with horse" :) But as we'll have that info in mind we can probably still sleep peacefully
    https://www.wilderssecurity.com/thre...er-support-thread.293075/page-42#post-2069413

    I don't know if SD still reverts the good MBR more than 100 times/sec, but I wonder how much time it takes for malware from allocated hidden space to be written, executed and saved, no matter in which form/result, in the space of the normal disk?
     
  18. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    184
    1. I start a clean system.
    2. I update the antivirus, etc.
    3. I start Shadow Defender.
    4. I install and uninstall various software, check emails, surf the net, etc.
    5. During the session, a malware "hides" in unallocated space.

    When I restart the system, the malware is maybe still in the unallocated space.
    How can it run?
    Isn't it necessary for some exe file to be present on the "real" system to make the malware install?

    Probably my ignorance, but I can't think of how that would work unless some executable can run in the executable partition of the OS?
     
  19. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,159
    Hi Wendi,
    I've emailed Tony asking him if he would look at this page again to maybe give a more detailed definitive answer to this question of the possibility of infection from unallocated space.

    Patrick
     
  20. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    A bootkit is a type of malware that infects the MBR. SD will protect the MBR, so after you restart Windows this trojan is useless, because there is no infected MBR to start it.
     
    Last edited: Sep 27, 2016
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    IMHO, we need an independent series of tests made by one or some of us. Thought of starting one but I don't even know where to get the right malware samples (Mebroot, Sinowal, TDL3 & TDL4) or how to properly conduct the tests. I'm going to need a camera as I pretend to run tests on a real machine and spare HDD. How/when/what to analyze after reboot and the machine exits shadow mode.
    This way we could stop speculating and theorizing about SD capabilities in these scenarios.
     
  22. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    Hi login123. I presume this is directed at me, so here is my reply.

    First of all please understand that my entire premise has been that SD by itself may not provide sufficient malware protection in certain situations. In your example (above) you are updating an AV, so that AV may prevent the malware in question from infecting the system. Furthermore, it is not "necessary for some exe file to be present...". Certain malware can execute by way of embedded exploit code!
     
    Last edited: Sep 27, 2016
  23. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    You are mostly correct, but that protection occurs only when Shadow Mode is enabled for the system drive. When it is not enabled the system is vulnerable. Consider the following:

    Assume I enter Shadow Mode and select the C-drive. Even if I select option 2, ‘Enter Shadow Mode On Boot’, the note at the bottom of Shadow Defender’s Help on this topic states...
    So my concern is that If the above underlined statement is true a malicious kernel driver could load before Shadow Mode. Furthermore, it’s my belief that most SD users will not enable Shadow Mode when it’s time to update Windows or their applications, so if a backdoor Trojan is lurking in unallocated space it could very well take that opportunity to execute!
     
    Last edited: Sep 27, 2016
  24. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    643
    Location:
    USA
    No argument there. ;)
     
  25. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    It can't, because there isn't any malicious kernel driver if you "installed" this malware while in Shadow Mode.
    After shutdown (or reboot) any new driver, malicious or not, is gone.
    When Shadow Mode is not enabled the system is vulnerable to all malware, so I don't get your point here.
     