Shadow Defender
5.00 star(s)
Installation Feedback
Fast and easy without issue.
Interface (UI)
4.00 star(s)
Interface Feedback
An old-school manner interface but clear and understandable
5.00 star(s)
Usability Feedback
Clear functions, options are easy to manage...some specific features are described in review
Performance and System Impact
5.00 star(s)
Performance and System Impact Feedback
SD is light for system recources
5.00 star(s)
Protection Feedback
Great protection as the result of specific kind of used technology
Low impact on system resources
Easy to use
Simple and non-intrusive
Ransomware protection
Strong and reliable protection
Works alongside other antivirus software
Great value
Features you can't get elsewhere for free
Well designed, clear interface
Advanced users may want more control
Can be complex in some situations
Software installed on computer
More than 1 year
Computer Specifications
Described in my security configuration thread
Recommended for
All types of users
Device is shared by family members
Banking or other financial activity
Low specs device
Overall Rating
5.00 star(s)

Any views or opinions expressed are that of the member giving the information and may be subjective.
This software may behave differently on your device.

We encourage you to compare these opinions with others and take informed decisions on what security products to use.
Before buying a product you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.


Level 6
Content Creator
This review is based on my review originaly published on Polish forum ca 5 years ago. I decided post it here because SD after such period is still efficient and strong at the same level as in the past. Of cource SD was updated few time since those times but there was rather minor changes connected mainly to new builds of Windows or small registry improvements. The whole list of updates you can find here let's start :)

There are programs that bear the mark of their author's genius and for which...using and discovering for years...we have more and more respect and even devotional faithfulness and worship. We forgive them for mishaps and minor shortcomings, and all that is bad, we forget faster than it lasted and before it could discourage us seriously. I have several favorite programs to which my attitude is so emotional, and one of them is Shadow Defender - a program for the so-called "Light virtualization" , which a few years ago was called "the best piece of code ever created". Because for some users it can be still the "dark side of power" ... no offense please, it is only a description of lack of understanding and some strange aversion to non-standard and less common solutions ... so that's why a few words about it.
SD among the enthusiasts of security software has the status of legend, and its history for the last years has become equally strange and mysterious ... and maybe even more ... than the plot of many a sensational film. The author of the program - commonly known as Tony - is Chinese and develops his program in China - an equally fascinating country that is mysterious for millennia and probably as much a horrifying approach to human rights and life. At the beginning of 2010, the author of the program simply disappeared ... he disappeared and there was no contact with him, no one had any idea what had happened ... there were speculations continuing either because of the earthquake that took place ... or because of social unrest that every now and then envelop this state and are bloodily suppressed ... or any other more or less mysterious reason that came to mind.
The development of the program has been inhibited, but that's not all ...some spice was added by fakes of the original Shadow Defender, false page of the program, and even people who began to introduce themselves as friends of Tony and who cited personal and current contacts passed on to him news about his life and health. The vast majority of these facts did not gain any confirmation or authorization ... some could not be verified by definition. The culmination took place when on the official and still existing website of the SD the new version of it have appeared…just from nowhere. It was differed from the previous and last signed by the author version only by number and added Polish version (written in agreement with the author for the next edition) was version from March 2011 ... and then again a break for almost 2 years.
And suddenly shock ...actualy after more than 3 years and to everyone's surprise, the author showed himself again ... some of them only revealed part of their history and from them in a more or less indirect way it was possible to obtain a version that it is still the same person. For part of this is not enough and they said goodbye to the program, for others enough to trust the program the more that Tony took solidly for the development of his work and started pouring the next versions, each of them repaired some mistakes in the operation or sometimes introduced new functions .

According to me, the program has lost some popularity over the years, and its strangely twisted history has undermined confidence in it, which is why I believe it is high time to restore its rightful leader position. It is time for more people to get to know and trust the program, because in terms of security, trust is the basic factor that we are guided by and which affects everything that we then do in this direction. If you have any doubts, I invite you to the next part ... maybe it is worth to get to know the topic a little bit wider and possible doubts finally settled? And if you do not have ... in total you can also read.

System virtualization...describing in the simple words...consists on the creating in the computer's memory an exact copy of the system, on which copy the user then works. This copy is a virtual…unreal…system ... and it’s just a fully functional clone of the system, having all its normal features and allowing to act on as efficiently as on the real system. In Shadow Defender this mode is called "Shadow Mode" (abbreviated as SM) and you can know that it is turned on by the blue icon next to the name of the disk in the program window, by the icon working in the system tray and by the desktop bar (what is optional).
The main advantages of such a system are two and they imply further benefits and applications:
- such a system is a creation that works only in a given moment in the memory, so it is not permanent,
- it is isolated from the real system and no change is written to it during work or after its completion (there are exceptions, but more on this).

From the first glance, you can see that both functions are important for the security, health of our systems and data stored on the computer. The first of these ( ie the temporariness of such a system ) offers the following benefits in addition:
- it is extremely difficult, or rather impossible to recover data from such a working system, and thus traces of our activity on the Internet, after used files and documents, which increases our privacy,
- SD in addition gives the possibility to create a system in RAM memory, that is, faster and more volatile than the physical disk memory, which can definitely speed up the operations performed,
- the memory separated and working as a system image can be encrypted, which means that even the data stored in it is available only to the program and to no one else.

Another basic possibility, ie isolation and lack of writing to the real system, allows you to avoid introducing unwanted, accidental and unfavorable changes to the system, which immediately indicates that it may have the following application:
- securing the system (and other available disks) before installing pests / infections in them and performing serious damage,
- avoiding the introduction of adverse or unwanted changes related to reckless or accidental software installation,
- purposeful testing of programs, making changes in system settings and making any other operations on programs or files,
- reducing the need for system maintenance, among others
cleaning from junk files, traces of Internet activity, registry cleaning and optimization, disk defragmentation, etc.

In addition to the main functionalities resulting, by definition, SD also offers other that meet the needs of some users - those I have "captured" are listed below.
- For those who care about the ability to write data during an SM session, eg downloaded system updates, security (AV signatures) or other programs, the program gives you the option to save changes by offering a "Commit Now" panel - we can create a list of locations where changes the sessions will be saved to the system / real disk (manual operation, on demand); changes in selected locations can also be saved thanks to the command from the context menu (optionally enabled), they can also be made as a whole when exiting the SM mode - the program always asks whether to save or reject changes before the system is restarted.
- For those who need specific locations of the real system / disk to be excluded from virtualization, it is possible to create their list in the "Exclusion List" panel - it works like the previous function, but it is completely automatic and does not require our participation (watch out here for what is added to this list - these areas will simply be automatically excluded from protection!).
- SD allows you to protect the entire sector "Track0", not just the MBR sector itself, which is part of it, as it was only recently in previous versions ... it is important in protection against advanced forms of rootkits.
- Allows full or selective coverage of all local disks on the computer (including USB flash drives).
- It allows you to exclude some important parts of the registry for the user (this is, among others, related to other installed software and its updates).
- The possibility of entering hibernation in the SM mode, which is probably intended to save energy during one session of the program.
- It gives the possibility to protect the program and settings password, and its automatic update.
- And finally, something more sensitive to the care of the system - of course, the permanent use of the virtualization mode - that is, regardless of the subsequent system startups, we will always work on an unreal system / disk.

In comparison to the existing and former (in the last few years) competition, SD does not offer too many additional functions expanding its functionality such as containers for trusted files, system snapshots or AV scanner, as was the case with Returnil System Safe or additional protection of selected folders as in the case of Wondershare Time Freeze or Toolwiz Time Freeze . However, simplicity and transparency makes it a universal tool, easy to use and extremely effective in operation ... and these are the main advantages of SD . For several years of use I did not have a problem with the program on XP, Vista on Windows 7 (apart from the short-term problem I described here with the version preceding the latest release) ... the program always lost changes on the disks, always returned to the real system and it was always stable and safe. I could certainly test 100%: the wildest "changes in the system and install the most suspicious programs, knowing that it is enough to restart the computer and again I will enjoy a healthy system.
Of course, Shadow Defender has been tested against various types of infections, and the results of these tests were discussed among users...and there is the only one test I known that SD has not passed ( Bootkit Sinowal.B infection at 2012). The results were not, however, not completely unambiguous, because they concerned version, which I mentioned above.

Are we sure that SD is good protection? Apart from one successful documented attack that has moved from the virtual system to the real one, one can safely say that it is a good security (by the way - do you remember the effectiveness of AV?). Using SD we guarantee that we will not be threatened ... that no infection will hurt us, although of course it can reach us while working in SM mode ... that we can safely test diferent types of apps and changes of the system . But there is one important "but" which can not be forget. Shadow Defender, as well as all similar programs for virtualization or just isolation (eg all sandboxes) do not protect against so-called “data leaking"). What does this mean? means that an isolated program and the whole system does not encounter restrictions from this type of security. In other words
- if we allow a network connection, it will happen (although the rule in the firewall will not behave),
- if we download a malicious component in this way, then (if there are no other appropriate protections), it may just start and, for example, download our login details during an online banking session that it sends to its servers (but the malware itself will disappear after reboot) ... I donn't need to explain how it's threatening
- in another case malware might (after starting up) encrypt files on another available disk, which was not virtualized during this session ... as a result, physically the malware will not survive after restart, but our data will go to the hell anyway.

Remember - SD is not used to detect malware, restrict them or's also not designed to revert system from earlier saved snapshots. SD only serves to work on a specially created unrealistic system and has its certain limitations resulting from the specifics of such a solution. It is not a remedy for everything ... it should be one of several protective layers that we should use on a daily basis, but it is a very hermetic and effective layer.

And that's probably all ... thank you those who persevered to the end of the text ... I apologize to those whom I got bored. If you have comments, questions ... write and ask, I will try to answer as much as I can.


Level 9
Very fascinating....clearly, Shadow Defender has its devotees, just like Sandboxie. It is tempting. Tell me, is it a big leap to go from Sbie to Shadow Defender in terms of learning curve? I find "cherry picking" of what to isolate instead of system-wide isolation to be more efficient and failure-proof but is this flawed thinking?

Also, can you repeat: when was the last time Shadow Defender was updated? Did the developer disappear again?

Andy Ful

Level 47
Content Creator
One small note :
Shadow defender is defeated by a ransomware strain in my tests. However, as said fail% is
< 0.3*%.
Rest I agreed with you! It is a nice company with a signature based Av or malware testing purposes
Could you please give us some more information about how it happened and what exactly was defeated? (y)
Could you find and send the sample for testing on Malware Hub?
Last edited:


Level 28
Thanks @ichito for the explanation of this wonderful program.
The only thing I can say is that I have used it for a long time, and it has never failed me and I have tried everything that is within my reach in terms of Malware.
The only thing I could say against is that the developer of this program is not seen, but let's find out why he does it??:unsure:


Level 46
Content Creator
Apart from the issues you mentioned which are similar to other VM products like

1) Inability to protect against hardware-based attacks e.g. Spectre, Meltdown etc
2) Susceptible to VM-evading malware
3) Inability to protect from data exfiltration

Two(2) other cons are

1) The host OS can be fingerprinted vs a VM whereby you can run a second OS
2) I believe you can't run two(2) different VPNs to double-hop as compared to using a VM unless you get a VPN with multi-hop feature
Last edited:

Andy Ful

Level 47
Content Creator
Apart from the issues you mentioned which are similar to other VM products like

1) Inability to protect against hardware-based attacks e.g. Spectre, Meltdown etc
2) Susceptible to VM-evading malware
3) Inability to protect from data exfiltration

Two(2) other cons are

1) The host OS can be fingerprinted vs a VM whereby you can run a second OS
2) I believe you can't run two(2) different VPNs to double-hop as compared to using a VM unless you get a VPN with multi-hop feature
The points you mentioned are very important for understanding what Shadow Defender can protect, but I am not sure if they should be counted as issues. For example, Shadow Defender cannot also protect the computer from overheating, disk failures, memory failures, broken updates, and spilling coffee on the keyboard.:giggle:

So, It should be clearly stated that Shadow Defender can protect the data on the disks in shadow mode, from permanent changes. After reboot, you get your data untouched. Why? Because they were not touched at all. Shadow Defender has redirected any changes to the hidden partition or to the RAM. Windows processes (and malware) does not feel it (that is a magic of Shadow Defender). After reboot, the changes are simply deleted. That is all, and nothing more.

The malware could easily find out if Shadow Defender is installed, by checking if Shadow Defender driver was started. But this is probably an advantage to the user, because the malware will usually stop the malicious actions.(y)
Last edited: