Spyshelter 4.5 releases

Re: Spyshelter 4.5

A feeble excuse at best.

IMO misleading a user into thinking that SS has actually blocked this rogue is worse than no protection at all.

 

Re: Spyshelter 4.5

I have to agree with Eru. The screenshots show 2 autostart registry entries being blocked. What does this have to do with the rogue app executing? I think we need some more verbiage from Franklin to clarify what he has shown. Specifically, did the rogue launch before or after a reboot? If so, what was the launch vector - one of the two registry entries shown or another start location that perhaps SpyShelter doesn't protect.

 

Re: Spyshelter 4.5

"Misleading" is the operative word here, I think. Who in the world would choose to permanently block registry entries and still desire that the offending application be allowed to execute? Good grief!

 

Re: Spyshelter 4.5

i would block registry entries and the offending programs too

 

Re: Spyshelter 4.5

I'm confused. Who's doing the misleading, SpyShelter or Franklin?

 

Re: Spyshelter 4.5

The rogue is inactive at reboot.

The exe is still at C:\Documents and Settings\USERNAME\Local Settings\Application Data and if executed then Security Tool comes up but it doesn't seem to be able to kill any other exes?

 

Re: Spyshelter 4.5

Were you testing the new restricted mode?

 

Re: Spyshelter 4.5

that is dead malware

 

Re: Spyshelter 4.5

No intention to mislead at all.

I executed the rogue, hit deny/remember and the rogue's gui came up.

 

Re: Spyshelter 4.5

If you mean the setting below then I entered the rogue's exe in there, rebooted to make sure it stuck then executed the rogue which did start.

 

Re: Spyshelter 4.5

I knew you weren't trying to mislead anyone.

SpyShelter doesn't appear to have an option to kill or delete an executable AFAIK, unlike Zemana. Even still, I don't think Zemana would delete the executable if in the settings you told it to terminate it.

Were you expecting a different result or am I just missing something obvious regarding SpyShelter?

Did the rogue's behavior change as a result of the restricted mode? I would expect it was neutered from doing anything rogue-ish.

 

Re: Spyshelter 4.5

Spyshelter. Blocking the registry entry would lead one to suppose that the entirety of the rogue had been blocked from execution. Kaput. Moribund. Crossing the River Styx.

 

Re: Spyshelter 4.5

Now I understand what you were saying. I don't think application termination is part of SpyShelter's feature-set - just behavior blocking.

They update this thing so much, it will probably be added before I finish typing this post.

 

Re: Spyshelter 4.5

Tested Spyshelter against a microjoin exploit which drops heaps and after hitting deny/remember many times the VM was a mess and which usually reboots into a bsod.

There was no problem in rebooting with all malware droppers inactive and the VM seemed quite usable.

A scan with Malwarebytes shows the extent of the infections dropped but inactive.

 

Re: Spyshelter 4.5

That's some serious testing! It looks like SpyShelter is doing its job superbly.

 

Re: Spyshelter 4.5

Yes it is impressive but with one rogue "Antivir Solution Pro" even though it was rendered ineffectual at killing other exes and was dead at reboot the rogue still managed to hijack the reg proxy settings which stopped IE from connecting to the net.

Maybe that key should be monitored as well?

 

Re: Spyshelter 4.5

Good point.

I'll like to see an enhancement in "System Defense" module, to improve their excellent and smoothly Real Time Protection:

- File Extension Protection - that monitors application associations with certain file extensions, e.g. *.pdf.
- Web Browser Add-ons - Web Browser Add-ons Protection monitors the registration of add-on applications on your browser.
- IE Settings - Internet Explorer settings changes such as home page, search provider, etc.

 

Re: Spyshelter 4.5

ver 4.51 Released

firefox prebeta 4 works now in restricted mode

 

Re: Spyshelter 4.5

Has anyone found out what the exact defense of limited mode is?

@Bellgamin

Did you manage to get Spyshelter running properly.

 

Re: Spyshelter 4.5

Info on restricted SID http://www.eggheadcafe.com/software/aspnet/33279018/restricted-sid-vs-deny-only-sid.aspx

You can view in the tabs to which directories access is restricted. When I am guessing is correct this feature is stronger than drop my rights. It uses OS, so should not cost a lot of CPU power.

 

Re: Spyshelter 4.5

I chickened out & reverted to the previous SS version. I will definitely try restricted mode again in a few weeks.

QUESTION 1- when you opine that restricted mode is "stronger than drop my rights" does that mean that it is also stronger than Run Safer?

QUESTION 2- Reference your statement "It uses OS, so should not cost a lot of CPU power" - - - by "OS" are you referring to an API that SS uses for restricted? PLEASE explain further.

 

Re: Spyshelter 4.5

Q1: when my assumption is right, Problably


Q2: it works a little different, through ACL's and SID's

Run Safer used the standard user token. Problem with Access Control Lists is that when you are the admin, you have problably installed all programs. So your are besided ADMIN, also the owner/creator of those program directories. Now when you drop from ADMIN to Limited User, the user Bellgamin is still the owner/creator of those program files directories and have full controll to them.

In the link I found it seems that a restricted SID works differently. It uses the most restrictive access rights of all the SID's (e.g. User, Owner-Creator, etc) which are applicable to an object. In this way SpyShelter is allways 100% sure that access is denied to HKLM hive (and possibly startup entries in the current user hive) and Windows and Programs Files directories.

This are mechanismes of your OS (even XP has it), so it costs very little overhead. It is a smart angle to define your own Restricted SID to evade the problem of inheritance of rights.

 

Re: Spyshelter 4.5

Maybe some intrepid soul could perform a test.

Set Integrity Level to Low, Medium and High. Then compare results to what SS is currently doing. I am not 100% sure on this, but I have a hunch that DropMyRights or SRP both could restrict a process to lower than user, and I wonder if one of those integrity levels or SS does this, or at what Integrity Level you find equivilent rights/restricitons as so-called protected mode or what SS is doing. One might want to do this with something other than IE, and might want to do it from an image or in VM or something.

I "think" that the Integrity Level is using some form of the SID Kees is talking about. Too much code browsing lately, so I may have much confused. As well, I don't feel like testing myself because I am in the middle of much deep and dirty code sequences.

Any takers?

Sul.

 

Re: Spyshelter 4.5

Not me,

at the moment I have to back track a GPO change. Currently when I install as admin the install is virtualised (in Windows virtual store). So drivers don't work, but gui aps do

 

Re: Spyshelter 4.5

SpyShelter4.52
25 Aug 2010

4.52 version released

- Several optimizations (optimized access to driver)
- Protection improved
- Improved compatibility for virtual machines
- File access violation list implemented for Restricted mode
- Support for removable drives in Restricted mode
- Other new functions and optimizations for RM
- Added progress bar to cleanup function
Premium: http://www.spyshelter.com/download/release/setup.exe
Free http://www.spyshelter.com/download/release/setupfree.exe