Advice Request A Question About Shadow Defender

Please provide comments and solutions that are helpful to the author of this topic.
Status
Not open for further replies.
I just looked at the statements, which disturbed me. If I use Shadow Mode on all disks and run malware, is it possible for the malicious file to remain on the system after reboot?
 
I only had it fail once. The GUI would not start up after an insider update. The developer sent me a registry change and after that it has stayed working.
 
I mean exactly the procedure when:
- I run Shadow Mode on all disks
- I run a malicious file and check the behavior of the AV
- I restart the system after the test.
You probably know it, but those points should be extended:
- do not store personal data on the computer;
- check if other sources are disconnected (pendrives, NAS, etc.);
- check if other computers in the home network are isolated from your computer;
- use a VPN, or disconnect the computer from the network;
- use the Guest Network feature or a separate router for malware testing.
There are probably some more ...
 
Yes, you still need to know how this program works, what it can do for you and what it can't do... then you can install the rest of the software to protect the rest of your system/data.

Yes, I know that you can use it as a sandbox, but I usually use it only when I'm not sure of the program, or if I want to test the program - behavior.
 
Yeah, but some programs put deep drivers into the system and other services which require you to restart your system, then SD will wipe the data, so sometimes you can't test some software; in this case a full virtual system will be better.

Anyway, no problem, glad to help you get some info which you need to know.
If you need to know something else, feel free to ask; at least I won't answer if I don't know xDDDDDDDDD
 
That's right, that's the case with AV installations. Of course, I also use VMware; unfortunately, due to a rather old computer and weak components, it is very tedious...
 
Sorry... but I found that I can mention one more way of "bypassing" SD... actually not only SD but every LV software like TTF, WTF or Returnil. It's not connected to SD's commit or exclusion feature but to a specific feature of some particular apps - I'm talking about saving/synchronisation of settings/config files that are located not on the system disk but on another local, non-virtualised one. In such a situation info/data are saved while in Shadow Mode on the non-virtualised disk and then, after reboot and entering normal mode, are still accessible for that app with all saved changes... this could potentially be used in some cases to bypass protection of vulnerable apps that use the described mechanism.
Such a case, with SSM as the example, was described some time ago on Wilders in that thread
System Safety Monitor and Shadow Defender
 
Well if you run all the disks and partitions that are connected to your computer in shadow mode then nothing will remain after a restart.
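
The persistence path discussed above (data written to a disk that is not in Shadow Mode survives the reboot) can be checked with a before/after file manifest of that disk. This is an added example, not part of the original thread and not a Shadow Defender feature; the function names are hypothetical and the directory contents in `demo()` are constructed. The baseline is assumed to be saved in normal mode before the test session.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                manifest[rel] = digest.hexdigest()
            except OSError:
                manifest[rel] = "unreadable"  # locked file or access denied
    return manifest


def diff_manifests(before, after):
    """List files added, removed or modified between two manifests."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo():
    """Constructed stand-in for a data disk that was left out of Shadow Mode."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        app = Path(root, "app")
        app.mkdir()
        (app / "settings.ini").write_text("sync=off\n")
        baseline = Path(store, "baseline.json")  # saved before the test session
        baseline.write_text(json.dumps(build_manifest(root)))
        # Writes made during the test; on a non-virtualised disk they survive the reboot.
        (app / "settings.ini").write_text("sync=on\n")
        (app / "sync.cache").write_text("constructed payload\n")
        return diff_manifests(json.loads(baseline.read_text()), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An empty diff after the reboot means nothing on that volume changed during the session; any entry under `added` or `modified` is data that outlived Shadow Mode.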
 