Is there a conflict with Shadow Defender?


Yesterday I installed WSA and am very pleased with it so far. About an hour ago I opened Shadow Defender as I wanted to try out a new version of WinRar and I always try new software in SD first. When I exited SD and had a look at WSA, I was surprised to see that changes that I had made to some of my settings earlier in the day had been rolled back to how it was last night. I also noticed that on the 'front page' the scan that was performed at 9.30 this morning is not there as it says last scan 20 hours ago and the number of scans has been reduced from seven to six. The seventh scan does show up in the log file though and I have saved a copy of it.

19 replies

Hello,
 
I have been using Shadow Defender for a very long time.
 
The type of issue you are reporting is nothing new and has been experienced and reported by a limited group of Shadow Defender users for a long time on the forums.  I have followed the reports and the issue's severity seems to be system specific.  SD can do some really quirky things. 
 
Sometimes it is persistent, other times it is highly intermittent - with no apparent link to anything.  For example, on my system settings will occasionally revert to default settings after using Shadow Mode.
 
These suggestions come from the SD forums and actual experience:
 
If you have a W8 system using hybrid boot, then I would disable hybrid-boot and see if that lessens the issue. 
 
Disabling hybrid-boot may make your system reboot longer (on my system about 10 - 15 minutes).  If you do not allow the page-file to be "re-built" during system re-boot - and do a hard re-boot while the system is in the process of a long re-start - then it can cause some serious problems - like committing system changes that you definitely do not want.
 
Another suggestion would be to set your system's virtual memory manually.  On my system, when I allow Windows to manage the pagefile it causes Shadow Defender issues.  I set virtual memory range from 1x to 3x physical memory (RAM).
 
Anyhow, it might take additional trouble-shooting.
 
Best Regards,
 
HJLBX
 
Userlevel 7
Hi Nemo
 
You are most welcome...glad that HJLBX was able to assist.  Part of the problem is that WSA runs so well with most other types of security-related apps that it is used in a great many combinations...and when there are hiccups (which there occasionally are, let's be honest) there is no one repository of knowledge likely to be able to help other than the Community, and then again one has to look for the appropriate members for the help.
 
Glad that you have joined the Webroot Community...WSA is not without its faults (which security app does not have them) but I hope that you will soon realise that WSA is one of the best (but then again...I would say that..wouldn't I ?;))
 
Most importantly, if you do get to the bottom of this then please do post back to let us know.  Such feedback is key to us being able to assist users in the future that may have the same or a similar problem.
 
Many thanks in anticipation.
 
Regards, Baldrick
Userlevel 7
Badge +52
HJLBX wrote: 
I think the issue may be related to the size of the WRData folder.
 
Please read this thread:
https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/Controlling-WRData-folder-size-help-needed/m-p/69357#M4954
Userlevel 7
Badge +34
Hi Baldrick
 
Thanks for the prompt reply. I have read the link and that was a concern that WSA was preventing SD from functioning properly. In my case SD is working just fine, it's just that after I had used SD, the settings in WSA had been rolled back to several hours earlier. It just seems strange although maybe nothing to be too concerned about.
 
Nemo
Userlevel 7
Hi Nemo
 
OK, was not sure if the thread would help but thought it better to let you have the details in case.  Thinking more about it it is unlikely to be WSA as the only rollback feature that WSA has is related to files or apps that it classes as 'Undetermined'; it is unable to determine if good or bad, and as part of the 'Undetermined' setting WSA monitors those files/apps and journals what they do to the system during that time, then if it determines they are 'Bad' it blocks them AND uses the journal of activities recorded to roll back what the file/app has done.
 
Now, I cannot see this being what is in play here as that would mean that SD has been originally considered 'Undetermined' and then 'Bad', and if 'Bad' it would have been blocked and I am certain that you would know if that was the case, etc.
 
So all I can suggest at present is that you monitor for this occurrence again and if and when it happens you Open a Support Ticket and get the Support Team to investigate this.
 
Apologies for not being able to be of more help on this.
 
Regards, Baldrick
Userlevel 7
Badge +34
Thanks again Baldrick. The helpful post from HJLBX suggests that this is an issue with Shadow Defender and not WSA so I'll monitor things and see if it resolves itself. It just seems strange because I have been using SD for many years and not noticed this type of issue until I installed WSA but that may well just be a coincidence. For example I have been using Panda antivirus for many years and I don't believe SD altered any settings in that program, but there weren't many anyway!
 
As an aside I decided I needed a new antivirus after I got caught out by the Panda debacle on March 11th and it's taken me three weeks of research to plump for WSA! It's an ill wind and all that!
 
Regards
Nemo
Hello Nemo,
 
I think the issue may be related to the size of the WRData folder.
 
If you are running any unknown applications your WRData folder is going to balloon in size and may cause issues when you exit Shadow Mode.  Just in case, I'd check and, if this is the case, have them white-listed if trustworthy.
 
No, the problem is not one with WSA and the accumulation of journal data... without that admittedly-sometimes-huge data folder in its entirety, there is no WSA as we know it.
 
A large size WRData folder is a known issue without any simple, clear-cut workarounds to reduce its size.  It's a real technical challenge to limit its size on the client without reducing or compromising WSA's ability to protect the system.
 
So, when exiting Shadow Mode there may be a lot of data to be "re-built" - or perhaps better - to be "sorted" out.
 
It is unclear whether the Windows OS is the real culprit or Shadow Defender itself.  I think it is Windows, as it is the OS that rebuilds the page-file after exiting Shadow Mode - and not Shadow Defender.
 
I think Windows doesn't get it quite right sometimes and somehow reverts to defaults or an earlier system state.
 
I've noticed that those settings that get re-set to system defaults are registry embedded... and never established in, for example, a config or .ini file... which further leads me to believe Windows is the real problem.
 
It's just another quirk... and a part of IT.
 
It will be all right...
 
Best Regards,
 
HJLBX
 
PS - AMD systems and certain hardware can cause both Shadow Defender and WSA - in fact any AV - to mis-behave in my experience.
Userlevel 7
Badge +52
@ wrote:
Real-Time: WSA Antivirus, Sandboxie (Lifetime), Online Armor Premium
we have stopped selling Emsisoft Online Armor. New license activations will only be possible until the end of May 2015. The official end of technical support will be March 31, 2016.
http://blog.emsisoft.com/2015/03/31/emsisoft-online-armor-support-roadmap/
Userlevel 7
Badge +34
Thanks for the reassurance Baldrick.  I have submitted my support ticket and will await their response. I must say that it is very comforting to have such a helpful community and the ability to contact support 24/7, even on a holiday weekend!
 
I was previously using Panda Antivirus and had to leave them after they managed to crash my PC last month, along with many others from what I can gather. I have a feeling that I will sleep better with WSA!
 
Regards
Nemo
Userlevel 7
Badge +34
Pleased to be able to report that Support have sorted out the issue I had with the LSP chain. They had me reset Winsock and that appears to have resolved matters. I must say that it is pleasant to be able to get hold of a technician who knows what's what and can sort things out for me.
 
I'm certainly pleased that I decided on WSA!
 
Nemo
Userlevel 7
Hi nemo
 
Welcome to the Community Forums.
 
I do not use Shadow Defender but there are those in the Community who do...and so perhaps one of them will come by and comment.  In the interim please see this previous thread on some WSA/Shadow Defender issues in case there is something therein that can be of use to you.
 
Regards, Baldrick
 
@ do you still use SD?  And if so then would you be able to comment on what Nemo has reported? Cheers, Baldrick
Userlevel 7
Badge +34
Many thanks HJLBX
 
I too have been using SD for many years but I haven't noticed this sort of problem before although I do have issues occasionally when exiting shadow mode and my system hangs on me.
 
I am using Win 7 so it's not the hybrid boot issue. I've just adopted your second recommendation and set the virtual memory manually to the recommended amount which is roughly 1.5x RAM.
 
I'll monitor it and see how it goes.
 
Regards
 
Nemo
I've never experienced any SD issues connected to my use of WR AV, however, I only have Webroot AV and SD on my XP rig as I cannot use either of those apps with Chromebook.
Userlevel 7
Badge +34
Hi Baldrick
 
I haven't managed to resolve the issue by changing the virtual memory but I am trying a work-around that so far seems to be stopping Shadow Defender changing any settings in WSA.
 
I am exiting WSA immediately before starting SD and then starting WSA again once SD is running. I then close WSA just before closing SD and reboot. I thought I would then have to start WSA again but I see that it automatically starts on rebooting which is a plus. It's not ideal but there are only a few seconds when my pc is unprotected and it's not doing anything other than starting SD so I feel comfortable with that. I tried it a couple of times and when I'm back out of SD, WSA's settings and number of scans do not seem to have changed so I'm hopeful that this may be a solution.
 
One plus with all this is that it's helping me get to know all about WSA! Also I'm impressed with this community and all the helpful advice and will certainly provide further feedback.
 
Regards
 
Nemo
 
Userlevel 7
Badge +34
Back with another question!
 
I have been keeping a log of my scans and whilst they have not detected anything malicious there is a line in the log that says: "Replaced the LSP chain due to malware corruption".  I have discovered that LSP stands for Layered Service Provider but beyond that I don't understand what it means. Is it anything that should concern me?
 
Nemo
 
The Layered Service Provider is a part of Winsock - and, if I recall correctly, inserts itself into the TCP/IP stack.
 
It taps into the network... and can be abused by malware to monitor all traffic.
 
So, that log entry is a cause for concern.
 
Something's not quite right...
 
I'd submit a Support Ticket.
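
As an added example (not part of the original posts and not Webroot's tooling), this is one way to review which layered providers are registered in the Winsock catalog before or after a reset. It assumes the listing follows the field layout of `netsh winsock show catalog`; the sample listing, the "Example" provider and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of `netsh winsock show catalog`; names, paths, IDs made up.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
Description:                        Example Traffic Filter
Provider Path:                      C:\ProgramData\Example\exlsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              0

Winsock Catalog Provider Entry
Description:                        Example Traffic Filter over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\ProgramData\Example\exlsp.dll
Catalog Entry ID:                   1016
Protocol Chain Length:              2
Protocol Chain:                     1015 : 1001
"""

FIELD = re.compile(r"^([^:]+):\s+(.*)$")

def parse_catalog(text):
    """Split the listing into one dict of fields per catalog entry."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = FIELD.match(line)
        if "Provider Entry" in line and not m:
            entries.append({})          # header line starts a new record
        elif m and entries:
            entries[-1][m.group(1).strip()] = m.group(2)
    return entries

def layered_entries(text):
    """Return (entry id, kind, provider path) for every non-base provider."""
    found = []
    for e in parse_catalog(text):
        n = int(e.get("Protocol Chain Length", 1))   # absent on other record types
        if n != 1:                                    # 1 = base provider
            kind = "layered provider" if n == 0 else "chain"   # 0 = the LSP itself
            found.append((e["Catalog Entry ID"], kind, e["Provider Path"]))
    return found

if __name__ == "__main__":
    print(layered_entries(SAMPLE_CATALOG))
```

Any entry it returns is a DLL that sits in the path of socket traffic, so each provider path should map to software you knowingly installed.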
Userlevel 7
Badge +34
Many thanks HJLBX - that is an extremely helpful post. There is so much to learn with any new software! I've just had a quick look at my WRData folder and it's only 2.3 mb which seems quite small - I've only been running WSA for two days. I'll look into whitelisting later when I have a bit more time.
 
I'm using an Intel i3 processor if that helps.
 
Kind regards
 
Nemo
 
Userlevel 7
Badge +34
Thanks HJLBX. Now I AM worried! I'll submit a Support Ticket as you suggest.
 
Regards
 
Nemo
Userlevel 7
Hi Nemo
 
Don't be overly or unnecessarily worried as WSA has got your back based on multiple and overlapping methods and so whilst there may be some concern you are not overly exposed.  Yes, concerning but no need to panic, IMHO.
 
Support Ticket, as HJLBX has suggested, is the way to go...but do expect some delay in terms of response to that given that it is the weekend and also a holiday one to boot (but Support do work 24/7).
 
Regards, Baldrick
