The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    583
    Location:
    NY, USA
    That's exactly my point. I'm suggesting that there are bootup-intervals and much longer operational periods (such as when installing software updates) when Shadow Mode is not enabled and that's why you also need other anti-malware running!
     
  2. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    401
    Shadow Defender protects you from unwanted changes (including malware) while in Shadow Mode only. That's how virtualization apps work.

    Examples:
    1. If I download and execute Sinowal (malware which installs itself in unallocated space and the MBR) while in Shadow Mode, I'm safe, because after reboot the MBR is clean, so the malware is dead (only leftovers in unallocated space). This does not depend on "Exit Shadow Mode when shutdown" or "Enter Shadow Mode on boot", because as soon as you click on Restart or Shutdown the malware is dead (only leftovers in unallocated space).
    2a. If I download and execute Sinowal while not in Shadow Mode, I'm infected.
    2b. If I download and execute the most harmless malware while not in Shadow Mode, I'm infected.

    Once again, Shadow Defender protects you from unwanted changes (including malware) while in Shadow Mode only, and that's how virtualization apps work.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,675
    Location:
    Mexico
    Thanks for testing this one.

    @Wendi
    One less in the list, right?
     
  4. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    401
    Not my test, I don't even use SD. Here is the test:

    Shadow Defender 1.2.0.370 vs 5 MBR/VBR Rootkits
    https://www.youtube.com/watch?v=VTLuTjufQkU
     
    Last edited: Sep 27, 2016
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    25,498
    SD is not an active malware defense like Avira/KIS, etc.
    But it provides a virtual environment where all changes (made within a "Shadow-Session") are cleared after a reboot.
    a) Enable Shadow Defender
    b) Execute Malware
    c) Reboot = Changes are cleared / malware is gone.
    How can there be a malicious driver, if all changes from the previous session were cleared?
    Sure, SD can't clear changes that were made outside of the virtual environment:
    a) Execute malware
    b) Enter Shadow Session
    c) malicious driver is loaded
    d) Reboot (changes cleared)
    e) Malware is still there :eek:
    But as long as the malware is executed within the virtual environment, all is fine. With a simple reboot it's gone.

    If SD is disabled and the user executes malware, SD can't clear that specific change.
     
  6. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,546
    You are repeating what is well known about SD, I think every SD user is well aware of these facts. The "new" claim, as I understood it, was that malware hiding in unallocated space could infect Windows while in shadow mode.
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,320
    Location:
    Here, There and Everywhere
    It's been a long time, but this thread has me responding on Wilders again. I think there is some misinformation that is causing confusion.

    A) Malware cannot execute in unallocated space. Period.

    B) Malware can hide in unallocated space (used as storage) in a sophisticated attack via shadow file systems that can later be used to execute. These are rarely seen itw and not something that most home users would ever encounter. Nemesis is the best, and really only, serious example of something like this and its targeting was payment processing if I remember correctly. Nemesis also required hands-on once entry was successful. But again, it doesn't just land on your computer and actually execute from unallocated space. That doesn't happen. Tony is absolutely right.

    C) Shadow Defender, and most all boot-to-restore software, would definitely have you covered in this scenario, by the MBR protection and the simple way in which SD works.

    D) My worries these days have more to do with shadowing only the OS. This is, on a practical level, the way we feel protected and can work without going in and out of shadow mode for data on other partitions, USB drives, etc. Yet, we now know that ransomware can encrypt across all connected drives (even networked locations) and encrypt targeted file extensions on all your data storage. So, if ransomware gets by you, one way or another, unless you are shadowing everything connected, you're out of luck except for the files on the system partition.

    E) I still run with either Deep Freeze or Shadow Defender (depending on the system) and anti-executable (or similar). I feel perfectly safe. Yet, I keep Malwarebytes on the system and use it on occasion, for site protection if nothing else.

    I still lurk around Wilders. It's good to see new names and members. All the best to many good friends.

    EDIT: Heck, as long as I'm writing, I just looked at a post I made over a year ago and it's amazing how I am doing the exact same thing... though I left out a couple of things in that post.

    1. Instant Restore (Deep Freeze, SD depending on system)
    2. A perfectly clean, slimmed down, cut-to-size "perfect image."
    3. Anti-Executable
    4. Very minimal "cloud" for serious use... I use a cloud storage service, but only after strong encryption client side, on my computer.
    5. Tor and VPN
    6. Solid physical security
    7. Full Disk Encryption
    8. Minimal software, period. I've gone back to pen and notebooks for a lot of things. Some of it ends up scanned, but mostly not.
     
    Last edited: Sep 27, 2016
  8. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    159
    Hi, Wendi. No indeed that post was not directed at you, but thanks for answering. It was just sort of a general request for clarification.
    It was not intended to nitpick nor take a position; it was more like wondering aloud. My understanding of the workings of Windows is not deep.

    My operating theory has always been that while not shadowed, I would only use or update the software with which I am familiar. Then "shadow up" and charge off into the net. Anything that might attach itself while shadowed would just stay in the unallocated space, or maybe free space allocated to a drive, but after a restart it could not run.
    I just assume that the "shadow" software doesn't wipe the space it ran in, but don't know that. I suspect that Powershadow does but can't prove it.

    I have tested this with some software that required a restart to work. It didn't. I have also gotten tagged by one or two pieces of malware while shadowed and they were gone on restart. If my "familiar" software gets compromised, I'm probably cooked.

    I still wonder a bit about the System Reserved Partition. It does not seem to be shadowed by Shadow Defender, and Powershadow doesn't run on anything after Windows XP. If the SRP is vulnerable, Shadow Defender would not help much, I guess.
     
  9. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,546
    I think the boot partition is automatically shadowed, be it the SRP or the ESP on GPT disks.
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,870
    Location:
    Poland - Cracow
    Thanks LockBox for your clarification, but one question regarding what you wrote... do you know, maybe, whether this is still the old trick of reverting a good copy of the MBR, or something new?
     
  11. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,546
    SD automatically shadows the first track (the first 63 logical sectors). The MBR is in it.
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    25,498
    Shadow file system. VSS is using such a filesystem and is able to write to unallocated space, correct? :cautious:
     
  13. pinso

    pinso Registered Member

    Joined:
    Jun 28, 2009
    Posts:
    249
    Hello folks, I was looking for the Shadow Defender 1.4.0.650 64-bit version. I tried Googling but I couldn't find any straight path; hopefully some members of this forum know it. Awaiting reply.
     
  14. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,870
    Location:
    Poland - Cracow
    Thanks for reply.
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    25,498
     
  16. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,185
    Location:
    USA
    As I understand Wendi's position on this matter she has been saying that some malware (containing a harmful driver) can hide in unallocated disk space and could self-execute whenever the system is not in Shadow Mode! And since Shadow Mode doesn't protect unallocated disk space the malware can 'lurk' there waiting for any opportunity to execute. So she is simply suggesting that it's advisable to complement SD with real-time antimalware protection.
     
    Last edited: Sep 29, 2016
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    25,498
    And that's not a bad suggestion by the way ;)
    To have several "security layers" can come in handy.
     
  18. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,347
    I don't think that an anti-malware is necessary. A much better way is using an anti-executable and/or Sandboxie.
     
  19. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    980
    I welcome all questions and debate and it is all 'grist to the mill' and makes the forum lively and interesting.
     
  20. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    980
    Yes, I work along those lines. I am mainly in Shadow Mode these days and use an antivirus (Avast Pro) and Sandboxie to check and filter files into my real system, but everyone has their own way of doing things.
    I sent another email to Tony about Wendi's question just to let him know that the thread/debate had continued but I haven't had a reply yet. The email to and from Tony seems a bit hit and miss at times, I'm not sure quite why that is.

    Patrick


     
  21. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    583
    Location:
    NY, USA
    Any layering of security products is better than no layering, but I prefer those antimalware products that can recognize and block trojans with bootkit/rootkit payloads. However I still wouldn't be without image-backups! :p
     
    Last edited: Sep 29, 2016
  22. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,347
    Nope. Not always.
     
  23. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    583
    Location:
    NY, USA
    "To each his (or her) own". ;)
     
    Last edited: Sep 29, 2016
  24. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,870
    Location:
    Poland - Cracow
    Could you give some additional info?
     
  25. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    401