Which Shadow Program and Why?

Discussion in 'sandboxing & virtualization' started by huntnyc, Oct 14, 2007.

Thread Status:
Not open for further replies.
  1. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    976
    Location:
    Brooklyn, USA
    Deciding which shadow program to use but would like to hear your input on what you like about the one you have chosen. I am considering the following choices

    1. Returnil
    2. Deep Freeze
    3. Shadow Defender
    4. Shadow User

    Regarding stability, ease of use, support, what are your thoughts on any one of these or one not listed. Instead of testing software, I am now more concerned with running a stable system shadowed and using imaging program Shadow Protect. I will assume that most of these shadow programs would have to be taken out of shadow mode to do a successful image of C drive. Thanks for your input.

    Gary
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    These programs all work as advertised, but they have rather different capabilities so you need to define the desired feature set. At least my quick take on them:
    • Returnil
      • Free for personal use
      • Excellent timely support
      • Currently only shadows the system partition (typically C), but on most systems that's the key one.
      • Can enter a shadow session without reboot
      • Shadow sessions not carried across restarts
      • Can create virtual partition on systems with one partition to allow material to be saved during a shadow session if needed
    • Deep Freeze
      • $36 (with 1 year maintenance)
      • Cleans on reboot, so items not carried across a reboot
      • Really designed for systems that will be typically run under a shadowed state in which quick wipe/restore capabilities are the key target
      • Faronics provides excellent support
      • Rock solid from all reports I've seen, have not used it
    • Shadow Defender
      • $35
      • Support has been variable, but not a support intensive product, so don't be too put off by that
      • Product seems quite solid
      • Can define partitions to be shadowed, as well as locations to be excluded
      • Can enter shadow mode without restart
      • Shadow sessions not carried across restarts, probably the prime real difference between ShadowDefender and ShadowUser
    • Shadow User
      • Most expensive of the bunch $70
      • Can define partitions to be shadowed, as well as locations to be excluded
      • Requires restart to enter shadow mode
      • Can carry a shadow session across restarts - only one of the list that currently does this - generally needed if you want to use shadow sessions to test software
      • Somewhat aged user interface, could use a few quick touchups, nothing major
    Now, what traits are must have and which ones can you live without? That may drive your decision. Like I said, all work as advertised, but they advertise different capabilities.

    Blue
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Right now Shadow Defender has commit capability which Returnil has coming.

    Another difference between a few is that I tested how well they would fare against an attack from Killdisk. Returnil and ShadowDefender withstood the attack. Shadowuser failed. Didn't test Deepfreeze.

    Pete
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Pete,

    Didn't we decide it was pointless to test with Deep Freeze, since Killdisk wipes the entire disk, which would include Deep Freeze itself, since DF doesn't work with a virtual, or shadowed, partition?

    -rich
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    To add to Blue's informative summary:

    Deep Freeze
    • You can select which partitions to freeze
    • Must reboot to unfreeze (Thawed state) to make changes.

    If you are considering evaluating Deep Freeze, I can comment further on my experiences in a home environment.

    -rich
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Oh, No! I am still under the impression that DF along with some others have passed killdisk test, when killdisk became a topic here. :'(
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,213
    If you intend to use ShadowProtect, and money is not an issue, ShadowUser comes from the same maker, Storagecraft, which means no conflict for sure.

    I personally think that ShadowUser is the most complete out of the list. It hasn't been updated for 2 years (Storagecraft hasn't made any announcement about discontinuing the application), but like Blue mentioned there isn't anything that needs to be urgently corrected.

    I've been running SU for two years, without any malware whatsoever, but I must admit, I've tried Returnil, it is a fine application and free for personal use. Moneywise the combination of ShadowProtect and Returnil is very tempting.
     
  9. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Using SP/Returnil on my systems and so far smooth sailing.
    Laptop has Powershadow on it and works perfectly, sad it's not free anymore.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Rich and all.

    I plum forgot I did that. I do remember ShadowUser didn't pass the test. Returnil and Shadow Protect work just fine together. I would image with any of them in Shadow Mode, but other than that no issues at all.

    Pete
     
  11. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    976
    Location:
    Brooklyn, USA
    Pete,

    Are you saying you would or would not image with any of them in shadow mode? And thanks again.

    And, thanks to all for input so far.

    Gary
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,

    Pete, a quick question:

    Why do you consider KillDisk to be a standard by which the shadow programs should be tested? In that regard, all shadow programs are useless if operations are performed on the disk itself rather than the OS itself, including boot CDs, damage etc.

    Cheers,
    Mrk
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Correct. I image so I know I can reliably restore a system. I just like to do it in a manner that avoids any potential problems. All of the shadow programs are to an extent modifying how the disk writes. Kind of following the KISS principle.

    Pete
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Mrk

    Not sure it's a standard, but many viruses attack other parts of the OS, and Killdisk attacks the disk structure itself. Many of the shadow programs indeed modify the MBR. Using Shadowuser doesn't protect you from the attack. Initially some of the others didn't either, but now they do.

    It was also an interesting test to see how well Sandboxie contained things. It did contain and prevent the attack.

    Pete
     
  15. L Bainbridge

    L Bainbridge Registered Member

    Joined:
    May 15, 2006
    Posts:
    173
    Location:
    London,U.K.
    Just a quick addition to Blue's post.
    Shadow Defender can continue Shadow Mode after reboot.

    Also have a look at Power Shadow - not free any more but very solid in both 2.6 & 2.8 incarnations.
     
  16. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    What, you mean changes will not be lost on reboot if you do not wish?
     
  17. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    976
    Location:
    Brooklyn, USA
    Could you clarify what you mean by this? I understand ShadowUser is the only program that will allow a restart and have all changes retained, which would allow for installing a program for your testing that required a reboot. I don't think ShadowDefender can do this, can it?

    Gary
     
  18. L Bainbridge

    L Bainbridge Registered Member

    Joined:
    May 15, 2006
    Posts:
    173
    Location:
    London,U.K.
    My bad -
    :oops: I wasn't clear.
    Shadow Mode can be maintained in Shadow Defender after a reboot - but it is a 'new' shadow - i.e. the previous session won't be carried across as per Shadow User.
     
  19. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Power Shadow can be dangerous.....see this thread https://www.wilderssecurity.com/showthread.php?t=188392
     
  20. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    976
    Location:
    Brooklyn, USA
    Down to choosing between DeepFreeze and ShadowDefender. Like the price of both and their features covering more than one partition when needed. Only thing I see DF does not have is a commit now feature like SD along with exclusions of SD. Don't know which one to choose yet. Has anyone tried both and chosen one over the other for any particular reason?

    Gary
     
  21. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    I have bought Shadow Defender for the following reasons:
    1. You can enter shadow mode without the need to reboot your PC. If I am not mistaken, with DeepFreeze you have to reboot if you want to exit the Thawed mode.
    2. You can select which drive partitions you would like to protect before entering shadow mode. With DeepFreeze you can do that only during the installation. If later on you change your mind, you have to uninstall/reinstall DeepFreeze.
    3. It gives lifetime upgrades (although the support is not good). If you need support you had better choose DeepFreeze.
    4. You can select which folders you want to retain after exiting the shadow mode (the commit by ShadowDefender is also a very nice addition). In DeepFreeze you cannot do that.

    Panagiotis
     
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: I agree with Pandlouk's assessments; Shadow Defender does have a better technical flexibility, but I also like to point out this: Deep Freeze has had its ups and downs during those years (how many?); during its down years, it suffered "unfreezer"'s sabotage (version 5 and lower). Since version 6 in 2006, it has regained users' confidence. Whereas Shadow Defender is a newcomer, has not faced its down hours/years yet; what if it would have suffered a sort of tech setback, would it have abundant resources to rebound? DeepFreeze has been widely used by Internet cafes in China (SD's motherland); I like to see SD take the reins from DF some day, given the home-field advantages. Pls keep in mind that both are excellent apps, just that little, little ... . Good luck.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I like Shadow Defender, and own it. Also like Returnil, and when the newer features come will like it better. My choice falls with Returnil because they have support here. There is a real communication problem with the shadow developer and that just makes me a bit nervous.
     
  24. munckman

    munckman Registered Member

    Joined:
    May 2, 2002
    Posts:
    100
    Shadow Defender, as it stands now, allows you to update programs with shadow mode turned on and those updates will survive a reboot. This is done by use of the Exclusion List (Version: 1.0.0.116). A big advantage for me.

    An example of this is updating AntiVir Personal Edition Premium. It updates the definitions fine but AntiVir's Status Window will show two different dates of the definition update upon reboot. The defs are up to date though. This difference is because there is a registry change and registry changes can not be excluded; only files and folders can be excluded. You can see this difference if you expand the Last update in the Status window. You will see the expanded "Virus definition file: V7....." has updated but just to the right of it it will show the last update date. This is because of a registry change. I give this example to illustrate a worst case or messy scenario.


    For AntiVir, adding these two entries to SD's Exclusion List will allow the update to survive a reboot:

    C:\Program Files\AntiVir PersonalEdition Premium\*
    C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium\*


    I believe this registry entry prevents both places in the AntiVir Status window from showing the same :doubt: :
    HKEY_LOCAL_MACHINE\Software\H+BEDV\AntiVir PersonalEdition Premium V 7 |LastUpdate

    To check if you "really" have the latest AntiVir def update, just check for update. It will say you're up to date. Checking will also make both places in the Status window show the same date. At least temporarily. :rolleyes: No, it's not perfect.

    If a program has all of the update contained in a file or folder you should be good to go or reboot. You could exclude My Docs, downloads, favorites - whatever. Happy excluding. :thumb:
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If I would decide to choose one of these 4 ISR-softwares to replace FirstDefense-ISR, it would be a step back for me. I wouldn't have the same possibilities anymore and I would certainly miss my archives.

    The only way to go back to the original clean state with these 4 ISR-softwares is restoring an original image and that isn't ISR anymore.

    DeepFreeze is the worst of all 4, at least for a home-user and would cause a lot more reboots, than any other ISR-software.
    A reboot for Thawed and a reboot for Frozen isn't pleasant for doing changes.
    DeepFreeze can only be good in a work environment with stable set of used softwares.
     