Reasons to use Shadow Defender


Post by ssj100 on 26/4/2010, 13:29

One of the main reasons I use Shadow Defender is for protection against people who have direct physical access to my system. Don't get me wrong, thankfully I live with people who won't maliciously and purposefully try to stuff my system over.

Instead, enabling Shadow Mode can be useful when other people want to use your computer and you don't have the time, etc., to supervise what they can and can't do. Certainly, with LUA + SRP enabled, there's only so much a user can do anyway. But still, having Shadow Defender ensures that there isn't any accidental deletion of any of your files/folders, and no modification of settings to something you don't like.

Furthermore, Shadow Defender can be another useful layer of defense when testing malware in a Virtual Machine (as mentioned briefly in my security setup/approach post). For example, before testing any malware, go into Shadow Mode and then only open your Virtual Machine and run the malware. Of course, you can also sandbox VirtualBox with Sandboxie if you're incredibly paranoid.

Another reason for using Shadow Defender is for malware that (as far as I know) doesn't currently exist haha (and there's only been one example in history that I know of anyway: http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability ). This thread might be of interest also:
http://ssj100.fullsubject.com/security-news-and-information-f7/interesting-malware-pocs-that-you-ve-come-across-t20.htm

In any case, it is often difficult to run a file sandboxed (with Sandboxie) which you have downloaded from your sandboxed web browser without first recovering it on to your REAL system. By recovering files on to your REAL system, or even by browsing the newly introduced file in its relevant sandbox, you can see from the above examples that malware could potentially execute even without opening the file - simply clicking the file once or hovering your mouse over the file may be enough to trigger the malware.

And we must remember that software like Sandboxie, DefenseWall and GeSWall does not open picture and video files (when Windows Picture and Fax Viewer and Windows Media Player are your relevant default programs) sandboxed/untrusted/isolated unless you specifically run explorer.exe sandboxed/untrusted/isolated or you right-click on the file and run it sandboxed/untrusted/isolated. And clearly just right-clicking the file could mean that you trigger the malware exploit before you get a chance to run it sandboxed/untrusted/isolated!
I often hear many people at this stage say... simple, just use a third-party picture viewer and video player. Well, in my opinion, the fact is that you simply cannot guarantee that the file will always run sandboxed or untrusted or isolated, unless you run it with explorer.exe as I described above.

The fact is that malware and malware writers should be clever enough to bypass whatever default program you have set Windows to use for picture, video and other files. And the last time I checked, you can't really uninstall Windows Picture and Fax Viewer or Windows Media Player! I remember when I tried "uninstalling" Windows Media Player, it simply rolled back to an older version of Windows Media Player. Therefore, for example, even if you run a third-party picture viewer, the malware may be clever enough to force you to open Windows Picture and Fax Viewer instead, and as described above, unless you use Sandboxie and have opened it with a sandboxed explorer.exe, the infected file will most likely open unsandboxed/trusted/unisolated and the malware is free to pounce!

This is where Shadow Defender can be useful - before downloading or recovering risky files on to your REAL system, simply enable Shadow Mode. From then on, you are (also) protected by a system virtualiser and would be highly unlikely to be bypassed even if the aforementioned malware (that doesn't exist haha) tries to attack you.

Anyway, that concludes my ramblings on why Shadow Defender can (still) be useful despite an apparently bullet-proof setup. Very theoretical scenarios for sure. But if you want "100%" protection, you might as well go all the way haha.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14
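The post's "trigger before you even open it" scenario is the 2005 Windows Metafile vulnerability it links to, where a WMF file's ESCAPE record carrying the SETABORTPROC escape function (0x0009) installed a callback that GDI then executed during rendering, including thumbnail or preview rendering in Explorer. A practitioner who wants a check before recovering a downloaded image onto the real system can walk the file's records and flag that record shape. The script below is an added example for this page, not code from the post's author or from Shadow Defender; the two WMF blobs it builds are constructed inline from a benign colour record and from a dummy payload of NOPs, and are not real malware.

```python
"""Walk the records of a Windows Metafile (WMF) and flag ESCAPE/SETABORTPROC
records, the record shape the 2005 Windows Metafile vulnerability relied on.
Added example for this page; the sample files are constructed inline."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of METAHEADER
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape function that registers a callback GDI later calls


def iter_records(data: bytes):
    """Yield (offset, function, params) for every record up to META_EOF.

    Record layout: Size (u32, in 16-bit words, includes these 6 bytes), Function (u16),
    then parameters. Sizes that run past the file or below 3 words are rejected rather
    than trusted, since malformed sizes were part of the original exploit files."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_size, _version = struct.unpack_from("<HHH", data, off)
    if header_size != 9 or file_type not in (1, 2):
        raise ValueError("not a WMF METAHEADER")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def find_setabortproc(data: bytes):
    """Return offsets of ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func = struct.unpack_from("<H", params, 0)[0]   # then ByteCount, then data
            if esc_func == SETABORTPROC:
                hits.append(off)
    return hits


def _record(func: int, params: bytes) -> bytes:
    """Encode one WMF record; parameters must be word-aligned."""
    if len(params) % 2:
        raise ValueError("WMF record parameters must have even length")
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Prefix a minimal 18-byte METAHEADER (disk type, version 0x0300) to the records."""
    body = b"".join(records)
    max_rec_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec_words, 0)
    return header + body


# Constructed sample 1: a harmless file that only sets the background colour.
BENIGN_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_EOF, b""),
])

# Constructed sample 2: same file plus an ESCAPE record selecting SETABORTPROC.
# The "payload" is eight NOP bytes standing in for whatever a real file would carry.
PAYLOAD = b"\x90" * 8
TRIGGER_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(PAYLOAD)) + PAYLOAD),
    _record(META_EOF, b""),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("trigger", TRIGGER_WMF)):
        print(name, find_setabortproc(blob))   # benign [] / trigger [28]
```

Run it against a real file with `find_setabortproc(open(path, "rb").read())`; a non-empty list means the file contains the escape that the unpatched GDI would have acted on, which is exactly the case where the post's "just clicking or hovering" concern applies. The parser refuses truncated or oversized records instead of reading past the buffer, since a scanner that crashes on a crafted size is no better than the viewer it is protecting.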
