Shadow Mode, Malware and Tinkering - WARNING!

hjlbx
Hello,

Shadow Defender is great software.

It protects my system from permanent infection.

However, I have one warning.

Remember this - if you download malware and tinker with it - meaning allow it to run without any type of restriction, then it will perform all of its malicious activities during Shadow Mode. Plus if you are signed in as Administrator, then the malware will be able to run with same privileges. Shadow Mode is a fully virtualized environment that does not prevent malware from running nor stop it once it is executed!

So if the malware is designed to grab data and transmit it back to a C&C server, then it will do so. If it's a cryptolocker variant it is going to encrypt files, if it's a virus it is going to replicate, etc, etc, etc.

There are things you can do while running in Shadow Mode to ensure solid security:

1. Use Guest Account
2. Use Microsoft's DropMyRights
3. Use Sandboxie
4. Once you download and run malware, then disable network/block connections
5. Use Blue Ridge Networks' AppGuard (if you use Sandboxie, it needs special configuration; with Shadow Defender/Emsisoft no special configuration is needed).
NOTE: Configuring AppGuard is not so easy. If not done correctly it will cause a big headache.
6. Use Windows Parental Controls as an anti-executable (requires configuring some folders)
7. Always use your AV/Firewall in Shadow Mode

I allow malware to run in Shadow Mode with Administrator privileges (my system is completely exposed, but actions by malware are reversible - except, perhaps, for rootkits - jury is still out on that one), but once it is done downloading and installing, then I turn AV to Offline Mode - which blocks all network connections via firewall. This option to block network connections either globally or on a per application basis is available with most AV nowadays.

I do not recommend what I do. Proceed with caution and be prepared for the (unintended) consequences.

hjlbx
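As an added example (not code from the thread, from hjlbx, or from Shadow Defender), the following PowerShell script turns two of the points in the post above into something you can actually run: it checks whether the current session is elevated (the "same privileges" warning), and it implements step 4 / the AV "Offline Mode" trick of blocking all network connections once a sample is running, so it cannot report back to a C&C server or exfiltrate data while Shadow Mode holds the disk changes. It assumes Windows 8/10/11 with the built-in NetSecurity module; every function name below is this example's own.

```powershell
# Added example, not from the thread or from Shadow Defender.
# Assumes Windows 8/10/11 with the built-in NetSecurity module.
# Function names (Test-IsElevated, Enable-NetworkLockdown, Disable-NetworkLockdown,
# Get-NetworkLockdownStatus) are this example's own.

function Test-IsElevated {
    # If this returns $true, anything you launch inherits Administrator rights,
    # which is exactly the exposure the post warns about.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Enable-NetworkLockdown {
    param([string]$StatePath = "$env:TEMP\fw-defaults-before-lockdown.xml")

    if (-not (Test-IsElevated)) {
        throw "Changing firewall profiles requires an elevated session."
    }

    # Record the current profile defaults so they can be restored later.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
        Export-Clixml -Path $StatePath

    # Default-deny in both directions on every profile. Caveat: explicit allow
    # rules still take precedence over the profile default, so review per-app
    # allow rules as well, or use Disable-NetAdapter for a hard cutoff.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    Write-Host "Network locked down; previous defaults saved to $StatePath"
}

function Disable-NetworkLockdown {
    param([string]$StatePath = "$env:TEMP\fw-defaults-before-lockdown.xml")

    if (-not (Test-Path $StatePath)) {
        throw "No saved firewall state found at $StatePath"
    }

    # Put each profile back exactly as it was recorded.
    foreach ($p in Import-Clixml -Path $StatePath) {
        Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled `
            -DefaultInboundAction $p.DefaultInboundAction `
            -DefaultOutboundAction $p.DefaultOutboundAction
    }
    Remove-Item $StatePath
    Write-Host "Firewall defaults restored from $StatePath"
}

function Get-NetworkLockdownStatus {
    # Quick check that every profile really is blocking by default.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile    = $_.Name
            Enabled    = $_.Enabled
            Inbound    = $_.DefaultInboundAction
            Outbound   = $_.DefaultOutboundAction
            LockedDown = ($_.Enabled -eq 'True' -and
                          $_.DefaultInboundAction -eq 'Block' -and
                          $_.DefaultOutboundAction -eq 'Block')
        }
    }
}

# Typical use inside a Shadow Mode session:
#   Test-IsElevated              # know what rights the sample will inherit
#   Enable-NetworkLockdown       # once the sample has finished downloading
#   Get-NetworkLockdownStatus    # confirm all three profiles show LockedDown = True
# If you later commit changes out of Shadow Mode, run Disable-NetworkLockdown
# first; otherwise the reboot discards the firewall change with everything else.
```

The state file lives in `$env:TEMP`, so it is discarded on the Shadow Mode reboot together with the firewall change itself; that is intentional, since the normal case is that nothing from the session survives.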
 
hjlbx
Hello nissimezra,

Stick with Shadow Defender. SD is time tested. Reliable, dependable performance. Extremely light on resources. Very simple to use. Allows great system flexibility in Shadow Mode, therefore very versatile.

I think it is worth the cost.

hjlbx

PS -

Do not get caught up in the debate that SD does not prevent installation of drivers or limit access permissions, etc. If you are testing malware, then you do not want those restrictions in SD. If you are not testing malware, then you want/need them. In that case you can use Sandboxie in Shadow Mode. Sandboxie, even the freeware version, prevents driver installation and has the option to enforce access/permission privileges.
 
Cats-4_Owners-2
This was a fascinating and very readable thread with lots of good advice; and still would be regardless of the fact I'm up late unable to sleep!:p The illustrative descriptions of what SD can & cannot do along with mention of adguard and utilizing Sandboxie was very interesting, and it was good to hear about Time Freeze too. Thanks!:D

Edit: PS Discussion about using a non-administrative account as preventative security was also a very strong point. Thanks for sharing it!:)
 
hjlbx
So I Googled to see if SD conflicts with Hyper-V and I found this! http://shadowdefenderforum.com/index.php?topic=160.0

Did you ever find out, @hjlbx

Hyper-V doesn't make any difference to Shadow Defender...

You may have Hyper-V capable hardware, but if you don't have the correct Windows license - Hyper-V will not be activated.

Only Windows Pro and Enterprise have Hyper-V; W8/8.1 Home does not have Hyper-V.
 
hjlbx
So you've tried installing SD on a box with Hyper-V? (I'm running 10 Pro with Hyper-V).

I know VirtualBox can't be installed with Hyper-V installed.

All you can do on your specific system is try... since even though Hyper-V "should not affect Shadow Defender" according to the developer, that doesn't mean it is the case on every system. I should have qualified this in the post above, but I didn't. In any case,

I don't use VM... it's a waste of resources on my specific systems = low end.
 
jasonX
Thanks for the great piece of information. I have SD but have not used it when tinkering with some malware samples or checking out some stuff that I am not sure of. I always use Sandboxie for that, or VirtualBox, but rarely, as it eats resources.
 

Rolo
I've only used SD to try/test giveaway software until I started using VM for that purpose, so I never committed changes. I'm not sure if I'm overlooking something or what here: how are changes committed?

I entered shadow mode, installed a program, looked to commit changes (there were 50MB worth) but there was nothing listed in the path to commit. I added C:\* and it started "committing" every single file on C: whether it was actually changed/added or not (it was faulting on Windows installation folder w/Access Denied). Do I have to specify every file/folder to commit?
 

Piteko21
I only have one question: if a cryptolocker variant encrypts my files, will Shadow Mode revert the system to a normal state, without any encrypted files (a clean Windows after rebooting the system and exiting Shadow Mode)?
 
Deleted member 178
I've only used SD to try/test giveaway software until I started using VM for that purpose, so I never committed changes. I'm not sure if I'm overlooking something or what here: how are changes committed?

Commit the file or folder.




I entered shadow mode, installed a program, looked to commit changes (there were 50MB worth) but there was nothing listed in the path to commit. I added C:\* and it started "committing" every single file on C: whether it was actually changed/added or not (it was faulting on Windows installation folder w/Access Denied). Do I have to specify every file/folder to commit?

you have to specify the drive, folder, file; unless you have them already excluded.

 

Rolo
I can't see how to make that work (can't commit changes if I don't know everything that's changed and I have to name them specifically).

I understand the intent of SD is to, basically, checkpoint/snapshot your system that it will revert to when you are finished tinkering and reboot.
 
Deleted member 178
I can't see how to make that work (can't commit changes if I don't know everything that's changed and I have to name them specifically).

Mostly, path-based commits are for files/videos/pictures, etc. If you install a program and want to keep it, better to commit the whole drive C and the registry.

I understand the intent of SD is to, basically, checkpoint/snapshot your system that it will revert to when you are finished tinkering and reboot.

Exactly; imagine it as a secure Rollback RX doing a single snapshot, without the capacity to keep things if you reboot (unless committed).
 