App Review Shadow Defender vs Malware samples

safe1st · Aug 29, 2016

Thanks for watching
and hope you enjoy the video!

Cohen · Aug 29, 2016

Great video, thanks for taking the time to do this.

Deleted member 178 · Aug 29, 2016

As expected, classic malware testing on softwares like SD is futile; to truly test it; MBR-based ransomwares, bioskits/rootkits are the minimum requirements.

safe1st · Aug 29, 2016

Umbra said:
As expected, classic malware testing on softwares like SD is futile; to truly test it; MBR-based ransomwares, bioskits/rootkits are the minimum requirements.

You're right

But if I find one when testing other security product, will do re-test for sure

Also I show to some people who dont know how exactly this software works

thanks guys

LabZero · Aug 29, 2016

Great review!

Some time ago I've tested Petya ( old version ) with SD under VM.
No issues at reboot, SD protects MBR from changes.

ZeroDay · Aug 29, 2016

Umbra said:
As expected, classic malware testing on softwares like SD is futile; to truly test it; MBR-based ransomwares, bioskits/rootkits are the minimum requirements.

Hi Umbra, Would the MBR-based ransomware etc bypass SD? I only ask as I know you have a lot of experience with SD.

Deleted member 178 · Aug 29, 2016

They won't , this issue was fixed years ago , now the writing to the MBR is also redirected.

ZeroDay · Aug 29, 2016

Umbra said:
They won't , this issue was fixed years ago , now the writing to the MBR is also redirected.

Great thanks. I'm ashamed to say I've only recently started using SD and it is indeed an amazing piece of software.

frogboy · Aug 29, 2016

ZeroDay said:
Great thanks. I'm ashamed to say I've only recently started using SD and it is indeed an amazing piece of software.

Nothing to be ashamed of there all software is new to us all at some time, please now you can enjoy SD like the rest of us users.

shmu26 · Aug 29, 2016

if you like to test hard-to-defeat software, what about running a test on ReHIPS?
The isolation won't give the malware even a chance, but you could make it much more interesting by running the samples from a non-isolated location, and let the HIPS alone fight the battle.

Overkill · Aug 29, 2016

As of today, there's no known bypass to SD?

SHvFl · Aug 29, 2016

Overkill said:
As of today, there's no known bypass to SD?

It doesn't restrict driver loading so i guess it can't protect any kernel mode malware. I would assume that's one way to bypass any protection it offers.

shmu26 · Aug 29, 2016

SHvFl said:
It doesn't restrict driver loading so i guess it can't protect any kernel mode malware. I would assume that's one way to bypass any protection it offers.

the malware can load all the drivers it wants, and muck up the windows kernel, and it's all okay. Because all changes to the system will be erased at reboot. that's the form of protection it is designed to offer. Your system gets temporarily infected, and then you wash it all away at reboot.

SHvFl · Aug 29, 2016

shmu26 said:
the malware can load all the drivers it wants, and muck up the windows kernel, and it's all okay. Because all changes to the system will be erased at reboot. that's the form of protection it is designed to offer. Your system gets temporarily infected, and then you wash it all away at reboot.

If you load your drivers you can disable SD. No? I am no malware expert but it's possible.

frogboy · Aug 29, 2016

Shadow defender as far as i know is indestructible i have thrown everything but a brick at it over the years and it has never let me down yet.

shmu26 · Aug 29, 2016

SHvFl said:
If you load your drivers you can disable SD. No? I am no malware expert but it's possible.

I don't think it is a problem, because you don't need SD to protect you anymore, at that point. It has done its job already, because it has virtualized your system.

Deleted member 178 · Aug 29, 2016

SHvFl said:
It doesn't restrict driver loading so i guess it can't protect any kernel mode malware. I would assume that's one way to bypass any protection it offers.

SHvFl said:
If you load your drivers you can disable SD. No? I am no malware expert but it's possible.

Writing to MBR and partitions are redirected , so the drivers would be also redirected. AFAIK , nothing bypassed SD yet. The last known bypass was a MBR exploitation , this bypass led to the implementation of the MBR protection of SD.

hjlbx · Aug 29, 2016

Overkill said:
As of today, there's no known bypass to SD?

There is no officially known bypass, but certain types of malware can theoretically bypass it - for example, malicious BIOS, graphics, firmware, etc.

In other words, areas of the system that Shadow Defender does not virtualize.

It is nothing to fret about...

Raheel99 · Sep 22, 2016

LabZero said:
Great review!

Some time ago I've tested Petya ( old version ) with SD under VM.
No issues at reboot, SD protects MBR from changes.

SD under virtual box working great. No need for restoring VM snapshot. Thanks for tip.

Raheel99 · Sep 22, 2016

Great video.

Search

Search

App Review Shadow Defender vs Malware samples

safe1st

Level 17

Cohen

Level 7

Deleted member 178

safe1st

Level 17

LabZero

ZeroDay

Level 30

Deleted member 178

ZeroDay

Level 30

frogboy

In memoriam 1961-2018

shmu26

Level 85

Overkill

Level 31

SHvFl

Level 35

shmu26

Level 85

SHvFl

Level 35

frogboy

In memoriam 1961-2018

shmu26

Level 85

Deleted member 178

hjlbx

Raheel99

Level 1

Raheel99

Level 1

You may also like...