Advice Request A Question About Shadow Defender

[Wraith]

First of all I have a lifetime license of Shadow Defender and this is a brilliant software. No yearly subscription and doesn't use any resource at all. Now back to the main topic. Suppose I am working in Shadow Mode and I download a malware sample to test the sample. I first run the malware in sandboxie but it's clever and self terminates. Then I run the malware on my system normally(in Shadow Mode). After a few seconds, the malware crashes the system and the PC reboots. Here's the main question- Did the malware bypass Shadow Defender when it crashed the PC? or did Shadow Defender protect me despite the OS crashing?

 

[ForgottenSeer 69673]

There is a bunch of Youtube vids on SD. Here is just one withy Peyta.
You should use an antikeylogger with it because SD won't prevent logging your info while in shadow mode

 

[Quassar]

Shadow Defender restor your oryginal files after reboot, after crash your files dont should be touched becsaue he move it to his own hiden temp sector... where after your command he replace it to oryginal sector which some times need take a bit time if files are large ^^

Howevery as @ticklemefeet said during system work virus can still modify/inject your process to steal your data.. and you have to rememer about it. So firewall its still must have and some hips/exe blocker.

However with Shadow Defender 24/7 Antivirus is less importan thing if you dont add exlusion for risky sector

 

[Wraith]

The Video gave me my answer. Thanks a ton guys. I use NVT SysHardener and Avast Free with Hardened Mode set to Aggressive. Hope this protects against keyloggers.

 

[Andy Ful]

When the disk is in the Shadow Mode, all changes are virtual and does not touch the disk sectors where your files are located. The changes are virtualized and redirected to the hidden partition made by Shadow Defender or to the memory (reserved RAM). On reboot, your files are not restored, because they were not changed at all - Shadow Defender simply clears the hidden partition, or when changes were in RAM they are cleared by Windows OS.
When the system crashes, all possible errors affect the hidden partition or the reserved RAM, both are cleared on the reboot.

 

[ichito]

Here's the main question- Did the malware bypass Shadow Defender when it crashed the PC? or did Shadow Defender protect me despite the OS crashing?

Malware can bypass SD when touches data on not virtualised disk...it can be important when you want to test some kind of infections especialy ransomware. In such case you should...I think...enable Shadow Mode for every visible disk in SD window.

 

[ChemicalB]

Most likely during the crash and the next reboot, a malware can't survive but I think no security vendor would guarantee his product as 100% malware-proof.
Light virtualization software like SD are definitely effective but they can have instability issues seen that under certain circumstances SD has frozen my system requiring the forced shutdown.
This doesn't mean the possibility of a bypass, but certainly like I said, in certain circumstances the software has some problem.
So I think a VM would be definitively better for malware testing.
Just my opinion.

 

[Quassar]

Most likely during the crash and the next reboot, a malware can't survive but I think no security vendor would guarantee his product as 100% malware-proof.
Light virtualization software like SD are definitely effective but they can have instability issues seen that under certain circumstances SD has frozen my system requiring the forced shutdown.
This doesn't mean the possibility of a bypass, but certainly like I said, in certain circumstances the software has some problem.
So I think a VM would be definitively better for malware testing.
Just my opinion.

Nope some virus bypass/hjack to drivers while vmware have myself drivers and virus will just dont work and you will cant discover property changes which virus does.
With time i see more often intelligence malware which detect VM system and just dont wanna start to infect your system and its nothing new.

That why i drop VM for malware test and do audit on my 2nd old trash pc ^^
However on my main PC i have VMware but to test/use normal software..

About SD i didnt yet had any freeze which punish me to brutal restart pc all time work smooth but im sure always 1 person will have problem if 1 specific software -- to much different custom hardware pc and dev is not possible to check all modification/ drivers status for stable work.
That why I'm paying some more $$$ to get better parts to my pc.

 

[ChemicalB]

Nope some virus bypass/hjack to drivers while vmware have myself drivers and virus will just dont work and you will cant discover propertly changes which virus does.
With time i see more offen inteligence malware which detect VM system and just dont wanna start to infect your system and its nothing new.

I agree, nowadays many malware are VM aware going into sleep mode to avoid detection or inspections.

 

[Quassar]

Next thing is even with Shadow Defender on main pc/system you cant make audit becasue some virus put some deep changes in services and will start work after next system boot / while shadow defender wipe data after restart...

Imo Shadow Defender is better than only virus changes cover.... with good configureation you can hold him 24/7 like me and rly rare time shut down to make deep changes.. with this meta your system will be always fresh and fast like from 1st day and you no need use crap cleaners becaue there will be nothing to clean

 

[Andy Ful]

Shadow Defender uses a kernel driver so it is not easy to bypass it, but it is possible. For now, no one bothers to do it, because Shadow Defender is not popular.
Shadow Defender may fail badly if the crash happens while committing the files.
Never reboot while committing the folder with many subfolders and many files (it can last some hours) or even better do not commit such folders at all.

 

[ForgottenSeer 69673]

Shadow Defender uses a kernel driver so it is not easy to bypass it, but it is possible. For now, no one bothers to do it, because Shadow Defender is not popular.
Shadow Defender may fail badly if the crash happens while committing the files.
Never reboot while committing the folder with many subfolders and many files (it can last some hours) or even better do not commit such folders at all.

And so Andy how would you rate SD compared to other programs like Deep Freeze, Drive Vaccine ect? I have never tried Deep Freeze but heard back in the day it was very good, especialy for schools and libraries. I currently use SD. When testing malware, I have SD enabled on main machine and use Virtual Box to test with. I have never seen the need to commit drive changes.

 

[Andy Ful]

I did not try Deep Freeze or Drive Vaccine. Deep Freeze is usually considered as most stable and solid. But, there are differences related to usability in plus for Drive Vaccine. The only way is trying the concrete software to see if it suits you.
SD and similar software can be bypassed by exploiting its weak point: the committing. The malware could, in theory, exploit it to commit the payload and some registry keys for getting the persistence in the real system.
Though, I did not see this in the wild.

 

[Deleted member 178]

IMO, committing defeat the purpose of SD, i never used that feature.

 

[Mr.X]

SD and similar software can be bypassed by exploiting its weak point: the committing.

Yet there it is. It is included on every single installation you do on a machine. But you can strengthen that weakness by either deleting Commit.exe or less drastic setting Commit.exe to be alerted in a anti-executable. I do the latter.

 

[Andy Ful]

Yet there it is. It is included on every single installation you do on a machine. But you can strengthen that weakness by either deleting Commit.exe or less drastic setting Commit.exe to be alerted in a anti-executable. I do the latter.

That is much safer because the attacker needs Administrative Rights to commit. It is still possible via exploiting Defender.exe ('Commit now' feature). Another possible vector is via ShellExt.dll to avoid Anti-Exe.

 

[ichito]

It must to be very sophisticated attack and attacker have to know that in attacked machine malware will find SD...SD without any other protection I think the way what Mr X suggested should be enough - in my system Commit.exe is blocked in all it action (SSFW rule).

 

[Andy Ful]

It must to be very sophisticated attack and attacker have to know that in attacked machine malware will find SD...SD without any other protection I think the way what Mr X suggested should be enough - in my system Commit.exe is blocked in all it action (SSFW rule).

I do not apply any special protection for Commit.exe. ShadowDefender bypass is not profitable for the criminals, because it is not popular and no one uses it in Enterprises and Public Institutions.
There are so many more attractive and much easier vectors of attack.
The possibilities of exploiting mentioned by me are purely theoretical.

 

[Quassar]

It must to be very sophisticated attack and attacker have to know that in attacked machine malware will find SD...SD without any other protection I think the way what Mr X suggested should be enough - in my system Commit.exe is blocked in all it action (SSFW rule).

But you know @ichito SD is nice but if you got infection somehow dunno how but lets say in theory/practice... its just happen.
SD after reboot will delete all his finger spring and you can live with out know your data were stolen ^^

 

[ichito]

@Andy Ful @Quassar
(i ty Brutusie? )
I know but that strange attacks from "outerspace" can happened and we sometime try make some strange...theoretical...rules that have protect us against them. Everything it's for our training...experiment...knowledge...experience ...even for fun