Shadow Defender - An Unobjective Review :)

Product name: Shadow Defender
Installation (rating): 5.00 star(s)
User interface (rating): 4.00 star(s)
Accessibility notes: An old-school interface, but clear and understandable
Performance (rating): 5.00 star(s)
Core Protection (rating): 5.00 star(s)
Additional Protection notes: Great protection as a result of the specific kind of technology used
Positives:
    • Low impact on system resources
    • Easy to use
    • Simple and non-intrusive
    • Ransomware protection
    • Strong and reliable protection
    • Compatible with other anti-virus software
    • Great value for money
    • Features you can't get elsewhere for free
    • Well designed, clear and easy to use interface
Negatives:
    • Advanced users may want more control
    • Can be complex in some situations
Time spent using product:
Computer specs: Described in my security configuration thread
Recommended for:
  1. All types of users
  2. Multi-user devices
  3. Financial banking or trading
  4. Low spec PCs
Overall rating: 5.00 star(s)

ichito

Level 11
Thread author
Dec 12, 2013
This review is based on my review originally published on the Polish forum SG.pl ca. 5 years ago. I decided to post it here because SD, after such a period, is still as efficient and strong as it was in the past. Of course SD has been updated a few times since then, but these were rather minor changes connected mainly to new builds of Windows or small registry improvements. The whole list of updates you can find here.
OK...so let's start :)

There are programs that bear the mark of their author's genius and for which ... using and discovering them for years ... we have more and more respect and even devotional faithfulness and worship. We forgive them for mishaps and minor shortcomings, and all that is bad we forget faster than it lasted and before it could discourage us seriously. I have several favorite programs to which my attitude is so emotional, and one of them is Shadow Defender - a program for the so-called "light virtualization", which a few years ago was called "the best piece of code ever created". For some users it can still be the "dark side of power" ... no offense please, it is only a description of a lack of understanding and some strange aversion to non-standard and less common solutions ... so that's why a few words about it.
Among enthusiasts of security software SD has the status of a legend, and its history over the last years has become equally strange and mysterious ... and maybe even more so ... than the plot of many a sensational film. The author of the program - commonly known as Tony - is Chinese and develops his program in China - an equally fascinating country that has been mysterious for millennia and probably has an equally horrifying approach to human rights and life. At the beginning of 2010, the author of the program simply disappeared ... he disappeared and there was no contact with him, no one had any idea what had happened ... there was continuing speculation, either because of the earthquake that took place ... or because of the social unrest that every now and then envelops this state and is bloodily suppressed ... or any other more or less mysterious reason that came to mind.
The development of the program was inhibited, but that's not all ... some spice was added by fakes of the original Shadow Defender, a false page of the program, and even people who began to introduce themselves as friends of Tony and who, citing personal and current contacts with him, passed on news about his life and health. The vast majority of these facts did not gain any confirmation or authorization ... some could not be verified by definition. The culmination took place when a new version appeared on the official and still existing website of SD ... just from nowhere. It differed from the previous version, the last one signed by the author, only by the number and an added Polish version (written in agreement with the author for the next edition) ... it was version 1.1.0.331 from March 2011 ... and then again a break for almost 2 years.
And suddenly a shock ... actually after more than 3 years, and to everyone's surprise, the author showed himself again ... he revealed only part of his history, and from it, in a more or less indirect way, it was possible to conclude that it is still the same person. For some this was not enough and they said goodbye to the program; for others it was enough to trust the program, the more so that Tony took solidly to the development of his work and started pouring out the next versions, each of them repairing some mistakes in operation or sometimes introducing new functions.

In my opinion, the program has lost some popularity over the years, and its strangely twisted history has undermined confidence in it, which is why I believe it is high time to restore its rightful leading position. It is time for more people to get to know and trust the program, because in terms of security, trust is the basic factor that we are guided by and which affects everything that we then do in this direction. If you have any doubts, I invite you to the next part ... maybe it is worth getting to know the topic a little more widely and finally settling possible doubts? And if you do not have any ... you can read it anyway.

System virtualization ... describing it in simple words ... consists of creating in the computer's memory an exact copy of the system, on which copy the user then works. This copy is a virtual ... unreal ... system ... and it's just a fully functional clone of the system, having all its normal features and allowing one to act on it as efficiently as on the real system. In Shadow Defender this mode is called "Shadow Mode" (abbreviated as SM) and you can tell that it is turned on by the blue icon next to the name of the disk in the program window, by the icon working in the system tray and by the desktop bar (which is optional).
The main advantages of such a system are two and they imply further benefits and applications:
- such a system is a creation that works only in a given moment in the memory, so it is not permanent,
- it is isolated from the real system and no change is written to it during work or after its completion (there are exceptions, but more on this later).

At first glance, you can see that both features are important for the security and health of our systems and the data stored on the computer. The first of these (i.e. the temporariness of such a system) offers the following additional benefits:
- it is extremely difficult, or rather impossible, to recover data from such a working system, and thus traces of our activity on the Internet and of used files and documents, which increases our privacy,
- SD in addition gives the possibility to create the system in RAM memory, that is, faster and more volatile than the physical disk memory, which can definitely speed up the operations performed,
- the memory separated and working as a system image can be encrypted, which means that even the data stored in it is available only to the program and to no one else.

The other basic feature, i.e. isolation and lack of writing to the real system, allows you to avoid introducing unwanted, accidental and unfavorable changes to the system, which immediately indicates that it may have the following applications:
- securing the system (and other available disks) against pests / infections installing themselves in them and performing serious damage,
- avoiding the introduction of adverse or unwanted changes related to reckless or accidental software installation,
- purposeful testing of programs, making changes in system settings and making any other operations on programs or files,
- reducing the need for system maintenance, among others cleaning from junk files, traces of Internet activity, registry cleaning and optimization, disk defragmentation, etc.

In addition to the main functionalities resulting by definition, SD also offers others that meet the needs of some users - those I have "captured" are listed below.
- For those who care about the ability to write data during an SM session, e.g. downloaded system updates, security (AV signatures) or other programs, the program gives you the option to save changes by offering a "Commit Now" panel - we can create a list of locations where the session's changes will be saved to the system / real disk (manual operation, on demand); changes in selected locations can also be saved thanks to a command from the context menu (optionally enabled), and they can also be made as a whole when exiting SM mode - the program always asks whether to save or reject changes before the system is restarted.
- For those who need specific locations of the real system / disk to be excluded from virtualization, it is possible to create a list of them in the "Exclusion List" panel - it works like the previous function, but it is completely automatic and does not require our participation (watch out here for what is added to this list - these areas will simply be automatically excluded from protection!).
- SD allows you to protect the entire "Track0" sector, not just the MBR sector itself, which is part of it, as was the case until recently in previous versions ... it is important in protection against advanced forms of rootkits.
- Allows full or selective coverage of all local disks on the computer (including USB flash drives).
- It allows you to exclude some parts of the registry that are important for the user (this is, among others, related to other installed software and its updates).
- The possibility of entering hibernation in SM mode, which is probably intended to save energy during one session of the program.
- It gives the possibility to protect the program and its settings with a password, and to update it automatically.
- And finally, something more sensitive for the care of the system - of course, the permanent use of the virtualization mode - that is, regardless of subsequent system startups, we will always work on an unreal system / disk.


In comparison to the existing and former (in the last few years) competition, SD does not offer too many additional functions expanding its functionality, such as containers for trusted files, system snapshots or an AV scanner, as was the case with Returnil System Safe, or additional protection of selected folders as in the case of Wondershare Time Freeze or Toolwiz Time Freeze. However, simplicity and transparency make it a universal tool, easy to use and extremely effective in operation ... and these are the main advantages of SD. For several years of use I did not have a problem with the program on XP, Vista and Win7 (apart from the short-term problem I described here with the version preceding the latest release) ... the program always lost changes on the disks, always returned to the real system and it was always stable and safe. I could certainly test 100% the wildest changes in the system and install the most suspicious programs, knowing that it is enough to restart the computer and again I will enjoy a healthy system.
Of course, Shadow Defender has been tested against various types of infections, and the results of these tests were discussed among users ... and there is only one test I know of that SD has not passed (Bootkit Sinowal.B infection in 2012). The results were not, however, completely unambiguous, because they concerned version 1.1.0.331, which I mentioned above.

Are we sure that SD is good protection? Apart from one successful documented attack that moved from the virtual system to the real one, one can safely say that it is good security (by the way - do you remember the effectiveness of AV?). Using SD we guarantee that we will not be threatened ... that no infection will hurt us, although of course it can reach us while working in SM mode ... that we can safely test different types of apps and changes to the system. But there is one important "but" which cannot be forgotten. Shadow Defender, as well as all similar programs for virtualization or just isolation (e.g. all sandboxes), does not protect against so-called "data leaking". What does this mean? ... it means that an isolated program and the whole system do not encounter restrictions from this type of security. In other words:
- if we allow a network connection, it will happen (although the rule in the firewall will not be kept),
- if we download a malicious component in this way, then (if there are no other appropriate protections) it may just start and, for example, capture our login details during an online banking session and send them to its servers (but the malware itself will disappear after reboot) ... I don't need to explain how threatening this is,
- in another case malware might (after starting up) encrypt files on another available disk which was not virtualized during this session ... as a result, physically the malware will not survive after restart, but our data will go to hell anyway.


Remember - SD is not used to detect malware, restrict them or sanitize ... it is also not designed to revert the system from earlier saved snapshots. SD only serves to work on a specially created unreal system and has certain limitations resulting from the specifics of such a solution. It is not a remedy for everything ... it should be one of several protective layers that we should use on a daily basis, but it is a very hermetic and effective layer.

And that's probably all ... thank you to those who persevered to the end of the text ... I apologize to those whom I bored. If you have comments, questions ... write and ask, I will try to answer as much as I can.
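To make the mechanism described in this thread concrete (Shadow Mode redirecting writes to RAM or a hidden disk area, the Exclusion List, Commit Now, discarding everything else on reboot, plus the "data leaking" and non-virtualized-disk caveats), here is an added Python model written for this page. It is a constructed illustration, not Shadow Defender's code or anything from its author; the ShadowDisk class, the run_session function and all file paths and contents are invented sample data.

```python
# Constructed model of the Shadow Mode behaviour described in this thread.
# Not Shadow Defender's code: it only imitates write redirection, the
# Exclusion List, Commit Now, and discarding the scratch area on reboot.

class ShadowDisk:
    def __init__(self, real, excluded=()):
        self.real = real               # path -> bytes on the persistent volume
        self.excluded = set(excluded)  # Exclusion List: written straight through
        self.scratch = {}              # redirected writes (RAM or hidden disk area)

    def read(self, path):
        # The session sees scratch overlaid on real. Real data stays readable,
        # which is why shadowing alone cannot prevent "data leaking".
        if path in self.scratch:
            return self.scratch[path]
        return self.real[path]

    def write(self, path, data):
        if path in self.excluded:      # unprotected: hits the real disk at once
            self.real[path] = data
        else:
            self.scratch[path] = data  # redirected; real bytes are untouched

    def commit(self, paths):
        # "Commit Now": copy only the chosen session changes to the real volume.
        for p in paths:
            if p in self.scratch:
                self.real[p] = self.scratch[p]

    def reboot(self):
        # Everything neither committed nor excluded is simply thrown away.
        self.scratch.clear()
        return self.real


def run_session():
    """One Shadow Mode session with the events the review discusses.
    All paths and file contents are made-up sample data."""
    c = ShadowDisk(real={"C:/docs/report.txt": b"quarterly numbers",
                         "C:/av/sigs.db": b"sigs v1",
                         "C:/Windows/update.log": b""},
                   excluded={"C:/av/sigs.db"})
    d = {"D:/backup/photos.zip": b"family photos"}  # a disk NOT put in Shadow Mode

    c.write("C:/av/sigs.db", b"sigs v2")             # AV update, excluded path: persists by itself
    c.write("C:/Windows/update.log", b"KB-test ok")  # system update: persists only if committed
    c.commit(["C:/Windows/update.log"])

    # Simulated malware running inside the session
    leaked = c.read("C:/docs/report.txt")            # it can still read (and send out) real data
    c.write("C:/Users/me/dropper.exe", b"fake")      # drops a file
    c.write("C:/docs/report.txt", b"ENCRYPTED")      # encrypts the shadowed document
    d["D:/backup/photos.zip"] = b"ENCRYPTED"         # and the un-shadowed disk

    during = c.read("C:/docs/report.txt")            # damage is visible while the session lasts
    after = dict(c.reboot())
    return {"leaked": leaked, "during": during, "after": after, "d_after": dict(d)}
```

After the simulated reboot the shadowed volume is back to its original content, the committed update and the excluded AV signatures survive, while the data read during the session and the damage on the non-shadowed disk are exactly the two gaps the review and the later replies warn about.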
 

plat

Level 29
Sep 13, 2018
Very fascinating....clearly, Shadow Defender has its devotees, just like Sandboxie. It is tempting. Tell me, is it a big leap to go from Sbie to Shadow Defender in terms of learning curve? I find "cherry picking" of what to isolate instead of system-wide isolation to be more efficient and failure-proof but is this flawed thinking?

Also, can you repeat: when was the last time Shadow Defender was updated? Did the developer disappear again?
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
One small note:
Shadow Defender is defeated by a ransomware strain in my tests. However, as said, fail% is < 0.3*%.
Rest I agreed with you! It is a nice company with a signature-based AV or for malware testing purposes.
Could you please give us some more information about how it happened and what exactly was defeated?
Could you find and send the sample for testing on Malware Hub?
 

bribon77

Level 35
Jul 6, 2017
Thanks @ichito for the explanation of this wonderful program.
The only thing I can say is that I have used it for a long time, and it has never failed me and I have tried everything that is within my reach in terms of Malware.
The only thing I could say against it is that the developer of this program is not seen, but let's find out why he does it??
 

ForgottenSeer 69673

Good write up. Just wanted to mention I had a problem with SD not starting up after an insider update. I wrote to SD support and they sent me a registry hack that solved the problem. Also there was an update to SD last year. I posted it in the update section.
 

HarborFront

Level 71
Oct 9, 2016
Apart from the issues you mentioned which are similar to other VM products like

1) Inability to protect against hardware-based attacks e.g. Spectre, Meltdown etc
2) Susceptible to VM-evading malware
3) Inability to protect from data exfiltration

Two(2) other cons are

1) The host OS can be fingerprinted vs a VM whereby you can run a second OS
2) I believe you can't run two(2) different VPNs to double-hop as compared to using a VM unless you get a VPN with multi-hop feature
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
Apart from the issues you mentioned which are similar to other VM products like

1) Inability to protect against hardware-based attacks e.g. Spectre, Meltdown etc
2) Susceptible to VM-evading malware
3) Inability to protect from data exfiltration

Two(2) other cons are

1) The host OS can be fingerprinted vs a VM whereby you can run a second OS
2) I believe you can't run two(2) different VPNs to double-hop as compared to using a VM unless you get a VPN with multi-hop feature
The points you mentioned are very important for understanding what Shadow Defender can protect, but I am not sure if they should be counted as issues. For example, Shadow Defender also cannot protect the computer from overheating, disk failures, memory failures, broken updates, and spilling coffee on the keyboard.

So, it should be clearly stated that Shadow Defender can protect the data on the disks in Shadow Mode from permanent changes. After reboot, you get your data untouched. Why? Because they were not touched at all. Shadow Defender has redirected any changes to the hidden partition or to the RAM. Windows processes (and malware) do not feel it (that is the magic of Shadow Defender). After reboot, the changes are simply deleted. That is all, and nothing more.

The malware could easily find out if Shadow Defender is installed, by checking if the Shadow Defender driver was started. But this is probably an advantage to the user, because the malware will usually stop the malicious actions.
 

ForgottenSeer 69673

Could you please give us some more information about how it happened and what exactly was defeated?
Could you find and send the sample for testing on Malware Hub?
There is no way ransomware could have worked if the user was using RAM instead of the hard drive. The RAM would have been cleared on reboot. I would like to see the test run again with the user using RAM instead of the hard drive. That is how I use SD.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
There is no way ransomware could have worked if the user was using RAM instead of the hard drive. The RAM would have been cleared on reboot. I would like to see the test run again with the user using RAM instead of the hard drive. That is how I use SD.
I also use RAM, but there should not be any difference if the disk has been used instead of RAM. If the malware could make the Shadow Defender driver dysfunctional when redirecting the changes to disk (instead of RAM), then after rebooting the malware would not exist in the disk space available for the Windows OS. So, the malware would not be able to start with Windows.
On the other side, if the malware could bypass the Shadow Defender redirections, then it could also force writing to the real system instead of RAM.
 

jetman

Level 10
Jun 6, 2017
I have never used Shadow Defender but do use Rollback RX.

Based on what I have read, Rollback RX does everything that Shadow Defender does, plus a lot more (as it can allow you to save various snapshots).

Would I be correct?
 

ichito

Level 11
Thread author
Dec 12, 2013
I have never used Shadow Defender but do use Rollback RX.

Based on what I have read, Rollback RX does everything that Shadow Defender does, plus a lot more (as it can allow you to save various snapshots).

Would I be correct?
"does everything that Shadow Defender does" - no ... if your system is infected by some malware and then you create a snapshot of such a system, you are capable of reverting only to the infected snapshot ... but if your system that is working in Shadow Mode (SD) gets infected, it will be clean and healthy just after a simple reboot.
"plus a lot more" ... what do you mean?
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
I have never used Shadow Defender but do use Rollback RX.

Based on what I have read, Rollback RX does everything that Shadow Defender does, plus a lot more (as it can allow you to save various snapshots).

Would I be correct?
No, they work differently.
Rollback RX can take snapshots of the system and can restore the system or files from snapshots. So, the changes in the system are real, but you can restore the earlier system state from the snapshot. You need both Rollback RX working properly and healthy snapshots.

Shadow Defender does not restore anything, because the real system does not change in Shadow Mode (except when you commit some changes).

Rollback RX is more convenient, but Shadow Defender is safer.
 