The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    TheMozart,

    The best thing about SD is that one can protect more than one partition/disk. Not many virtualization programs allow you to do this.

    Second screen shot, two partitions are protected, "System" and "SIMs":
     


  2. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    TheMozart,

    The third screen shot is for "Administration Menu":
     


  3. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    TheMozart,

    The partition "SIMs" is protected; however, the "GameData" folder should be excluded as she likes to save her games. Here is the fourth screen shot:
     


  4. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    You asked about IE Favorites. Her DataDisk is partition "Z" and it is not under Shadow Mode. However, if it was in Shadow Mode, then it could be like the above screen shot four as "Exclusion List" or like screen shot five below as "Commit Now" thus giving a choice "to commit or not to commit":
     


  5. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear TheMozart,

    SD is one of the best: small footprint, full featured, very fast and a proven program. But unfortunately, I cannot use it anymore due to having SSDs in my computers.

    Best regards,

    KOR!

    P.S. As suggested by brother Peter123, you can use SD in combination with SBIE, which is optimal while at the same time keeping your reboots to a minimum.
     
  6. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Thanks KOR for your comments and help and the time you took for the screenshots.:thumb:

    I have decided to completely remove SBIE as running SD will suffice for me. In 20 years being a PC user I have never had an infection, so my internet habits do not place me at risk of getting a keylogger etc.

    My Firefox runs NoScript, Cookie Monster, Adblock, BetterPrivacy etc. and is rather solid and closed off, so I am not concerned about getting anything while surfing really.

    The main reason I began using SBIE was to install and test new programs and if I was going to visit extremely suspicious websites, but I can now do that with SD instead.

    So I have some questions:

    1. Is there a way to exit or close SD if I want to? There is no "exit" function. So can I load Task Manager and end the process DefenderDaemon.exe? Is that the only way to close it?

    2. Let's say I want to download and install a program or visit a suspicious website, load SD for the session, and then reboot and go back to normal... what option do I choose in SD to accomplish that? I only see 2 options: 1. Enter Shadow Mode on Boot or 2. Exit Shadow Mode on Shutdown.

    So why isn't there a function to reboot NORMALLY and not enter shadow mode? In other words, how do I enter Shadow Mode, do what I need to do, and then reboot to a clean slate WITHOUT having shadow mode load again?

    3. If I just protect C: and not D: and E: etc., and then I run the Opera web browser that's located in C:\Program Files, and I visit a bad website that downloads and installs a drive-by download or some other nasty script, can my D: and E: and other partitions be infected, seeing they were not selected for Shadow Mode? In other words, can a website script make nasty things jump across to my other partitions?
     
    Last edited: Jun 5, 2012
  7. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    If you want to reboot normally to do your maintenance without being in Shadow Mode, the option is in screen shot #1, "Exit Shadow Mode on Shutdown".

    Best regards,

    KOR!
     
  8. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Hey KOR, I thought I had to do a complete SHUTDOWN for that? Shouldn't it then instead say, "Exit Shadow Mode on Reboot"?:blink:
     
  9. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    LOL!

    I believe that Tony was Chinese!

    Best regards,

    KOR!
     
  10. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    So nobody knows what happened to him? He just disappeared without trace and has never been heard from since?
     
  11. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    If C: is in Shadow Mode and D: is not, but D: contains personal files, and I browse the internet using Opera which is installed on C:, can some website install a nasty drive-by download or other nasty onto D: and execute it, seeing only C: is in Shadow Mode and not D:?:blink:

    And can KOR or someone else please answer all my questions in post #906, I would really appreciate it.
     
    Last edited: Jun 5, 2012
  12. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    596
    Location:
    Austria
    I can answer questions No. 1 and 2; in fact they are already answered by the screenshots published by "King of Rapture":


    See screenshot in # 901:
    [img=http://www.abload.de/thumb/sd1cp7li.jpg]

    ---> In "Mode Setting" you have an option "Exit Shadow Mode" (respectively: "Exit All Shadow Modes").

    So there is no need to terminate the process DefenderDaemon.exe via Task Manager.

    Look at the screenshot in # 900:
    [img=http://www.abload.de/thumb/sd2oe77k.jpg]

    When entering Shadow Mode, you are asked what you would like to do when you shut down your computer:

    a) "Enter Shadow Mode [= a new session of the shadow mode - not continuing the old one!] on Boot"
    or
    b) "Exit Shadow Mode on Shutdown" [= reboot normally, without entering Shadow Mode again]

    ---> So option b) is exactly what you are looking for.

    Concerning question 3:
    This must be answered by an expert.
     
    Last edited: Jun 5, 2012
  13. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Ok, where is KOR? :D

    BTW, thanks Peter for your comments.
     
  14. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yes, a virus can replicate itself from one partition to another, just like it can replicate into System Restore. That is my understanding, but I am no expert. However, it's more likely to mess with your C drive than your D drive. If I am wrong someone else can correct my statement.
     
  15. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Yes, I want to know this too. If I Shadow Mode C: but not D:, can an infection from my web browsing on C:, using Opera or Firefox running on C:, "jump across" and infect the D: drive which is NOT in Shadow Mode? Can something then "activate and run" on D:?
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    The answer to this is yes it can. This is where using Sandboxie in conjunction with Shadow Defender can be helpful as nothing will escape the sandbox and infect other partitions. Part of the strength of Sandboxie lies in the fact that, properly configured, it combines application virtualization with policy restriction features.

    Alternatively, if using Shadow Defender as the only virtualization tool when engaging in high risk surfing or deliberately testing malware, it is a good idea to temporarily put ALL partitions into Shadow Mode, not just the system partition. Unlike the system partition which needs a reboot to exit Shadow Mode, data partitions can enter and exit Shadow Mode on the fly without a reboot, so it's not inconvenient to do.

    The main advantage of system-wide virtualization is that it enables changes to the system to be controlled in a predictable way and enables a perfect cleanup following a malware infection or to uninstall test software installed in Shadow Mode with a simple reboot without having to resort to restoring the system from an image. Regular imaging is of course still necessary as part of a system backup plan in case of hard disk failure.

    Whilst Shadow Defender is very useful as a boot-to-restore tool, it should be supplemented by other security layers in order to mitigate against the damage that malware may do if allowed to run unchecked. IMO SD should be supplemented by anti-executable, HIPS, BB, or policy restriction, and/or real-time anti-virus.
     
    Last edited: Jun 5, 2012
  17. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Thank you pegr for your comments.:thumb:

    I don't want to use SBIE as I only want to use SD, so what I will do is follow your recommendations: when doing high-risk surfing or installing a new program to test, I will place ALL partitions into SHADOW MODE, and then when I am finished testing software or doing high-risk surfing, I will just come out of Shadow Mode and reboot :D

    So my W7 SYSTEM partition will be OK, seeing it does not show up in SD?
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Not sure about that one, sorry. Perhaps someone else can answer that for you. If your system partition isn't visible in SD, how are you entering Shadow Mode?
     
    Last edited: Jun 5, 2012
  19. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    What do you mean, how am I entering SD? I just load SD, select C: and D: etc., and select Shadow Mode and it loads. So what do you mean? :blink:

    Do you know what SYSTEM partition I refer to? It's the 100MB SYSTEM Partition W7 creates.

    http://i50.tinypic.com/9gegw9.jpg

    So one thing concerns me... and hopefully KOR may have an answer... how do I tell SD to protect the 100MB SYSTEM partition I have? And seeing I am not able to tell SD to place the SYSTEM partition into Shadow Mode, can something infect the SYSTEM partition and make my W7 unbootable?
     
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    When you said the system partition, I assumed you were referring to the C: drive where your system boots from.

    I'm on Windows XP, not Windows 7, so I'm not sure what the 100MB partition is that you are referring to. Is it some kind of recovery partition? If it isn't visible in SD then you won't be able to put it into Shadow Mode, if that answers the question. Then again, if SD can't see it then I doubt malware can either.
     
  21. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I'm not sure what it is, sorry.:blink: Something new in W7 I guess.

    I wonder if malware can see it? KOR...where are you my friend? :doubt:

    I'm not even sure how to scan the SYSTEM partition for malware?
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
  23. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Question for CyberMan969:

    On W7 I have a SYSTEM PARTITION that is HIDDEN and 199MB in size.

    In SD, it does NOT show up, hence, not giving me ability to select for Shadow Mode.

    What can I do to protect it from malware when I am doing "risky surfing" or installing new programs to test?
     
  24. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    +1 to KOR's and pegr's recent posts.

    There is malware that can infect all partitions/disks attached to the system, so for peace of mind put them all in Shadow Mode before visiting dodgy or suspect sites. Also, if you have moved your user folders from C: to a different disk (like I have done), then make sure to definitely put that disk in Shadow Mode as well before you go online (SD may warn you of open files if you do that, so it may be best to schedule auto-Shadow Mode for that disk as well as C: on the next reboot).


    You can always preserve favorites when in Shadow Mode just by right-clicking their parent folder and committing them manually. If you have deleted Favorites when in Shadow Mode and you want them to stay deleted, then make sure you tick the "Commit deleted files" option as well.

    If you want to keep changes don't use the "Exit All Shadow Modes" button. Just tick the drive whose changes you wanna keep and click the "Exit Shadow Mode" button. You will then be presented with the option to discard or commit changes (this option is not available if you use the "Exit All Shadow Modes" button).

    Committing changes frequently and indiscriminately is something that is not recommended, for obvious reasons. If you want to install a program that requires a reboot (and you are 100% sure that it is safe and compatible with your system), then you must temporarily disable Shadow Mode from auto-starting with Windows and restart the computer as normal. When you're back in Windows, keep the protection turned off while you install the software you want. Then reboot for the changes to take effect, and finally restart Shadow Mode. Do not choose to commit any changes unless you're really 100% sure that whatever has occurred in the meantime is absolutely safe.

    Like pegr said, SD is not enough on its own. Light Virtualization software is not supposed to be a substitute for a firewall or antivirus/antimalware software. LV ALONE WILL NOT STOP MALWARE FROM INFECTING YOUR SYSTEM; you will still need a firewall with HIPS/anti-execution functions, PLUS antivirus/antimalware software, PLUS encryption and anti-keylogging software for full real-time protection. LV does not differentiate between malicious and non-malicious changes. All it does is completely undo ALL the changes caused by things like configuration screw-ups caused by users, problematic software (like an incompatible Windows Update or a bad driver), or damage caused by malware that somehow manages to creep in through your other defences. If you also use Sandboxie and you sandbox your browser (plus any suspect executables) while in Shadow Mode, then the chances of getting infected are negligible.

    For extra security I always have my network adapter disabled, so my PC always starts off-line. I have placed a shortcut to my network adapter on the taskbar, and every time I need to go online I right-click the shortcut and enable the adapter (it takes only 5 seconds or so to establish a connection). When I finish I right-click the shortcut again and disable the adapter. I make sure the adapter is always disabled before turning off or rebooting the machine, so it'll be off the next time the computer starts.

    If you get infected and Shadow Mode protection is on, don't give the malware time to call back to its maker! As soon as you realize that something is wrong, disconnect from the internet immediately and turn your system off. If your system is frozen, hold the power button for a few seconds until it turns off (hard reset), or remove the power cord (and the battery if the system is a laptop/netbook). Wait 20 seconds or so, then power the system back on. All trouble should be undone and your system should be reverted to its previous state.

    LV software works per session only; once you commit changes and restart there will be no way back to a previous state, unless of course you restore a previously saved traditional backup, or unless you use snapshot software.

    Apologies for the TLDNR... :)
     
  25. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Unfortunately my HP W7 DVDs automatically create the SYSTEM partition and so it's there. And I am not wanting to "hack" it and remove it, as I may mess things up and I am not experienced enough to do it, nor willing to. And I have read that it's impossible to install SP1 and maybe some future updates if the SYSTEM partition is missing.

    So I wonder how W7 users can protect the SYSTEM partition from malware, seeing we cannot even SCAN IT with any malware checker, and seeing SD won't even give the ability to place it in Shadow Mode?:blink:

    Anyone shed some light on this?
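The open question in the last several posts is how to find out what the hidden W7 SYSTEM partition actually is and whether a scanner can reach it. The script below is an added example, not from this thread and not part of Shadow Defender: it inventories every fixed volume Windows knows about through the Win32_Volume WMI class (present on Windows 7) and flags those that have no drive letter. It assumes that "hidden" here means "no drive letter assigned", which is why letter-based tools do not list that volume; that assumption is marked in the comments.

```powershell
# Added example (not from the thread or from Shadow Defender).
# Lists fixed volumes and marks the ones with no drive letter.
# Assumption: the hidden W7 SYSTEM partition is simply a volume with no
# drive letter, so it is absent from any tool that works by drive letter.

function Get-VolumeInventory {
    Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.DriveType -eq 3 } |      # 3 = local fixed disk
        Select-Object `
            @{ n = 'Letter';       e = { if ($_.DriveLetter) { $_.DriveLetter } else { '(none)' } } },
            @{ n = 'Label';        e = { $_.Label } },
            @{ n = 'FileSystem';   e = { $_.FileSystem } },
            @{ n = 'SizeMB';       e = { [math]::Round($_.Capacity / 1MB) } },
            @{ n = 'BootVolume';   e = { $_.BootVolume } },    # holds the running Windows install
            @{ n = 'SystemVolume'; e = { $_.SystemVolume } },  # holds bootmgr and the BCD store
            @{ n = 'Hidden';       e = { -not $_.DriveLetter } },
            @{ n = 'DeviceID';     e = { $_.DeviceID } }       # \\?\Volume{GUID}\ path, usable with mountvol
}

# Print the table; run from an elevated PowerShell prompt.
Get-VolumeInventory | Format-Table -AutoSize
```

The row with SystemVolume set to True and Letter "(none)" is the small hidden partition the thread is asking about; it carries the boot files rather than the running Windows install, which is why it is separate from C:. To let an on-demand scanner read it, the built-in mountvol tool can temporarily bind a spare drive letter to the volume's \\?\Volume{GUID}\ path shown in the DeviceID column (for example `mountvol X: \\?\Volume{GUID}\`), and `mountvol X: /D` releases the letter again afterwards; do that outside Shadow Mode only if the change is meant to persist.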
     