The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Crane_Mann

    Crane_Mann Registered Member

    Joined:
    Apr 2, 2009
    Posts:
    46
    Location:
    United States
    For example - Microsoft Security essentials
    Windows 7

    C drive is shadowed - so un-shadow
    make a folder in c:\windows
    c:\windows\startup-shutdown
    create a text file named shutdown.txt
    in this file put
    reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" "D:\Data\Reg.reg"
    rename shutdown.txt to shutdown.bat and run it.
    Edit shutdown.bat and modify it to
    del "D:\Data\Reg.reg"
    reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" "D:\Data\Reg.reg"

    Why? Because when this runs at shutdown, it has to delete the previous reg.reg before saving the latest version - every time.

    I don't have D drive shadowed - you have to pick a drive that is not shadowed.

    Now, create startup.txt
    In this file put
    reg import "D:\Data\Reg.reg"
    "C:\Program Files\Shadow Defender\DefenderDaemon.exe" /auto

    Why? You want the reg copied into the registry before Shadow Defender starts.

    Rename this too, startup.bat

    Edit group policy by clicking start, typing gpedit.msc
    Click computer configuration - windows settings - Scripts
    In the right pane "add" enter
    C:\windows\startup-shutdown\startup.bat

    In the left pane go to User Configuration - windows settings - Scripts
    In the right pane add "logoff" enter
    C:\windows\startup-shutdown\shutdown.bat

    Why? Because the first one is system - it will copy the reg.reg before Shadow Defender starts
    The second one is user logoff - copies the reg before Shadow Defender quits and you lose it.

    Close out gpedit.msc

    go to where your Shadow Defender starts
    C:\Users\userName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

    userName is the name you use to log on with in windows
    or it may be all users
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

    What you are looking for is Shadow Defender link. You need to change it to
    "C:\Program Files\Shadow Defender\Defender.exe"
    from
    "C:\Program Files\Shadow Defender\DefenderDaemon.exe" /auto

    Why? You won't see the icon in the bottom right of your task bar if you don't.
    Also by adding Shadow Defender to the group editor, Shadow Defender will start first before anyone logs on and before anything else starts up.

    In Shadow Defender exclude
    C:\ProgramData\Microsoft\Microsoft Antimalware\*

    There is a question in my mind as to whether this actually works. Looks right. Makes sense.

    Any comments or corrections are welcome. It just seems to me that it isn't working, because when I reboot, my Security Essentials icon is red until the computer has run for several minutes. To test it, I could have the startup.bat and shutdown.bat create a file on C drive and see if the file updated after reboot. I guess that would have been too simple.
     
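    A single batch file that covers both halves of the procedure in the post above. This is an added example, not the poster's own scripts: it assumes the same registry key, that D:\Data is on a drive that is not in Shadow Mode, and that Shadow Defender is installed in C:\Program Files\Shadow Defender. It differs from the posted scripts in two ways a practitioner would want: it uses `reg export /y` into a temporary file and only replaces the previous backup after the export succeeded (the posted version deletes the old backup first, so a failed export leaves no backup at all), and it appends a timestamped line to a log on the unshadowed drive, which is the check the poster suggests for finding out whether the scripts actually ran at startup and logoff.

```batch
@echo off
rem Added example, not the poster's script.
rem Assumes: D: is NOT in Shadow Mode, the same registry key as the post,
rem and Shadow Defender in its default install folder.
rem Usage: sd-reg.bat save      (run as the logoff script)
rem        sd-reg.bat restore   (run as the computer startup script)
setlocal
set "BACKUP_DIR=D:\Data"
set "BACKUP_FILE=%BACKUP_DIR%\Reg.reg"
set "KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware"
set "LOG=%BACKUP_DIR%\startup-shutdown.log"

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

if /i "%~1"=="save" goto save
if /i "%~1"=="restore" goto restore
echo usage: %~nx0 save^|restore
exit /b 2

:save
rem Export to a temporary file first; /y overwrites without prompting.
rem The previous backup is only replaced once the export succeeded, so a
rem failed export (key missing, no permission) cannot leave you with nothing.
reg export "%KEY%" "%BACKUP_FILE%.tmp" /y
if errorlevel 1 (
    echo %date% %time% save FAILED: reg export returned %errorlevel% >> "%LOG%"
    exit /b 1
)
move /y "%BACKUP_FILE%.tmp" "%BACKUP_FILE%" >nul
echo %date% %time% save OK >> "%LOG%"
exit /b 0

:restore
if not exist "%BACKUP_FILE%" (
    echo %date% %time% restore SKIPPED: no backup file >> "%LOG%"
    goto startsd
)
reg import "%BACKUP_FILE%"
if errorlevel 1 (
    echo %date% %time% restore FAILED >> "%LOG%"
) else (
    echo %date% %time% restore OK >> "%LOG%"
)

:startsd
rem Start Shadow Defender only after the registry has been restored.
start "" "C:\Program Files\Shadow Defender\DefenderDaemon.exe" /auto
exit /b 0
```

    Save it as C:\windows\startup-shutdown\sd-reg.bat and register it twice in gpedit.msc exactly where the post describes: under Computer Configuration - Windows Settings - Scripts - Startup with the script parameter `restore`, and under User Configuration - Windows Settings - Scripts - Logoff with the script parameter `save`. After a reboot, D:\Data\startup-shutdown.log should contain one `save OK` line from the logoff and one `restore OK` line from the startup; if either line is missing, that script did not run, and if a `FAILED` line appears, the `reg` command itself returned an error.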
  2. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    To those who are using Sandboxie together with Shadow Defender, do you have C:\Sandbox in the exclusion list of SD? Just curious.
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,638
    Location:
    Europe then Asia
    Nope, if I downloaded something I deem trustworthy (after testing it in shadow mode) then I move to normal mode and download it again.
     
  4. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I'm not running either right now, but I don't see why you'd exclude the Sandbox folder. By not excluding it, you have a Sandbox inside a sandbox. I would exclude the directory where Sandboxie recovers the data you want. For example, if you save your downloads to C:/username/Downloads (autorecovery function in Sandboxie), that's what I'd exclude, so the data there would be untouched by Shadow Defender too.
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    There is no disadvantage to excluding C:\Sandbox from a security perspective as the main part of system space is virtualised by Shadow Defender. I imagine the decision would partly depend on whether there is any noticeable increase in speed from avoiding the double redirection of disk writes by sandboxed applications: first by Sandboxie when redirecting file system writes to C:\Sandbox; and second by Shadow Defender when redirecting disk sectors belonging to C:\Sandbox to its own disk sector cache.

    In my case, I got the best performance improvement with Sandboxie by moving the sandbox container folder to a RAM disk, which also avoids the need for secure sandbox deletion if privacy is an additional goal.
     
  6. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Thanks for the inputs :D
     
  7. STONEMAN

    STONEMAN Registered Member

    Joined:
    Jan 17, 2009
    Posts:
    98
    Location:
    London,South Of The River
    I have one folder excluded from Shadow Defender called my downloads,
    just in case I want to save something while in shadow mode; it's covered with full Sandboxie restrictions.
     
  8. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,387
    After using Returnil for several years, I am now using SD.

    I had previously found that in Returnil, if I made a change to the boot files using EasyBCD while in virtual mode, the change passed to the real system.

    Out of curiosity, I tried in SD. While in shadow mode, I renamed the boot menu title from "Windows 7 Home Premium" to "Windows 7 HOME PREMIUM". Upon reboot, Windows detected the change and presented the boot menu screen with the new name.

    So, the changes made with EasyBCD in shadow mode appear in the system after reboot. Does anybody know why this happens?
     
    Last edited: Dec 27, 2012
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,312
    Location:
    Oz
    As far as I know, SD does not wipe anything.
     
  10. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,393
    Location:
    Location Unknown
    No light virtualization/rollback app, Shadow Defender, Returnil, or Rollback RX, etc., protects the Master Boot Record. The MBR is what EasyBCD manipulates. Shadow Defender's driver is loaded after the MBR and thus cannot protect it. That's the reason why imaging and light virtualization go hand in hand, as a safety net.
     
  11. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
  12. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    801
    Yes, I've posted a few times about this maybe being an aspect of the problem; see my post #1418 with two links. I had the feeling that my emails might be blocked at times.

     
  13. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    When I emailed him, it said that his emails were coming from Texas according to Mailhops on Thunderbird. I guess he may have to use a proxy or a VPN just to contact people. Tony replied to all my emails with real civility. I guess something like SD would be an annoyance to certain regimes.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,000
    Location:
    Nicaragua
    I installed SD for the first time; it's working very well on my W7 32-bit. After re-reading this thread, I decided to install version .346. No glitches. :)

    Easy to figure out, as easy to use as the other LV programs that I used in the past. I like the option to right click on a file to commit, really nice.

    Bo
     
  15. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    868
    Location:
    2500'
    When I do occasionally run SD that is exactly how I use it.

    My only exclusion is my "downloads" folder which is under the supervision of Sandboxie (forced).

    Combines the best of both worlds imho.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,000
    Location:
    Nicaragua
    That's how I have mine.

    Use Sandboxie as you normally use it.

    Bo
     
  17. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    801
    Yes, Shadow Defender and Sandboxie, great combination, but I also use Avast and Malwarebytes to check any file before I allow it in permanently.

     
  18. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Using the latest version of SD here and Windows 7 x64 Home Premium.

    Windows suddenly doesn't recognize the publisher of SD and gives a yellow warning in a UAC prompt when accessing SD's main window. I am sure it recognized the publisher last night. I downloaded the installer of SD and now it also gives a yellow warning. Anybody else having the same issue?
    EDIT: Looking at the properties of the installer and the files that are installed on my comp, SD still has a valid signature.
    EDIT: Now I get it, one of the countersignatures expired. lol
     
    Last edited: Dec 31, 2012
  19. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    One thing I don't understand, if SD writes to my HD, what happens to all that data once I leave Shadow mode?
     
  20. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    397
    Location:
    Event Horizon
    I don't think Shadow Defender writes the changes directly onto the hard drive. I think it uses a journal file and writes all changes into that single file. So whenever you commit changes, Shadow Defender looks into the journal file and kind of copy-pastes whatever you chose to the real hard drive.

    I downloaded a few really big files while in shadow mode and then committed them. You can see that committing takes quite long, as if something is copied. If Shadow Defender stored all files on the hard drive in Shadow Mode, committing would only take some seconds, I guess.

    I'm not quite sure about all this, but I think it works more or less like this.
     
  21. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,387
    SD writes to a disk cache. When you leave shadow mode, it is deleted. It's the same thing that happens when you delete a directory or file.
     
  22. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    Thanks Arcanez and Robin. While it's great to enjoy the benefits of SD, it's even better to know what's going on and how it works properly. I'm still very new to security and, to an extent, computers.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,000
    Location:
    Nicaragua
    The name of the file is diskpt0.sys. Shadow Defender places it in C when you enable protection and it gets deleted when you reboot the computer.

    Bo
     
  24. QVX11

    QVX11 Registered Member

    Joined:
    Jul 19, 2011
    Posts:
    5
    If TrueCrypt is being used with ShadowDefender, is the temporary file that ShadowDefender creates when in Shadow Mode encrypted?
     
  25. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    Thank you. I've got a much better understanding of it now.