Spyshelter 5.1x releases

Discussion in 'other anti-malware software' started by guest, Mar 2, 2011.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    http://www.spyshelter.com/change_log.html
     
  2. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Re: Spyshelter 5.10 released

    Wow, a nice surprise.
    If they add restricted mode to 64-bit it will be very, very, very nice.
     
  3. guest

    guest Guest

    Re: Spyshelter 5.10 released

    About "Extended process termination feature with BWLists"

     

    Attached Files:

  4. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,910
    Location:
    USA
    Re: Spyshelter 5.10 released

    In the free edition it seems you can't fully edit the entries in the BW Lists, only in the paid version.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Spyshelter 5.10 released

    If they add restricted mode to 64-bit systems it will be a top-notch application, and I will maybe consider just running it alone :thumb:
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Spyshelter 5.10 released

    What is restricted mode?
     
  7. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Re: Spyshelter 5.10 released

    Restricted mode runs the programs it is imposed on with limited rights, similar to OA's Run Safer.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Spyshelter 5.10 released

    :thumb:
     
  9. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    SpyShelter 5.11 released

    Changelog :

    - Decreased number of false alerts: Huge internal signers database update - added over 9400 new positions (previously ~300)
    - Signatures processing function rewritten and strongly optimized
    - Fixed issue in AntiKernelModelogger module which blocked keys on some configurations
    - Added import/export function for Trusted signers list
    - GUI translations display issue fixed
    - Language updates
    - Minor fixes

    Download :

    http://www.spyshelter.com/download.html

    Rules.
     
  10. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Re: SpyShelter 5.11 released

    Thanks for the update :)

    Nice work :thumb: Hope to see fewer warnings about very common trusted operations.
     
  11. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Re: SpyShelter 5.11 released

    Thanks for the update :D
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Re: SpyShelter 5.11 released

    Anyone else (I guess new users or VM trialers) getting a keylog warning upon starting IE8?
     
  13. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Re: SpyShelter 5.11 released

    I have heard that SpyShelter is a one-man product, and if it is true he is one heck of a dedicated developer, man. Thanks for the heads up :thumb:
     
  14. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Re: SpyShelter 5.11 released

    Keylog warning or networkspy warning?
    I don't get a keylog warning on my VM, but I do get a networkspy warning, since I use Trusteer at the maximum setting with IE8.
     
  15. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Re: SpyShelter 5.11 released

    Running some tests on 5.11 now. I installed it with the high security setting. I have not changed any settings. Downloaded about 10 pieces of malware and ran them. Was alerted to each one and clicked Terminate for each one. Still, one of them was running in memory..... More testing to come. Will post more details.

    UPDATE: Upon restart the malware is not running, but I can rerun the malware, which is located at: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\35MM2AZA\PIC976242742133-JPG-www.facebook.com[1].exe, without a peep out of SpyShelter. And the malware is running in memory. Here is what the white/black list looks like in SpyShelter:
    http://i54.tinypic.com/2eobihi.png

    The other items listed as blocked do not execute when I try to run them:
    AntiSpyWareSetup[1].exe
    bt[1].exe

    but PIC976242742133-JPG-www.facebook.com[1].exe does, even though it says it's blocked by SpyShelter. Also, this piece of malware is not digitally signed.

    ~ VirusTotal Results URL Removed per Policy ~ Result: 22/ 43 (51.2%)

    ~ Comodo Results URL Removed per Policy ~

    Just had a second piece of malware that does not terminate when I click Terminate at the prompt; file name spy[1].exe... I'm thinking that SpyShelter may be good as just an anti-keylogger, but its HIPS functionality is not all that great.

    UPDATE: Well, on these 2 pieces of malware, if I click Deny instead of Terminate it stops the malware from running. For the second one (spy[1].exe) it says the program has encountered an error and it closes, and for the first one (PIC976242742133-JPG-www.facebook.com[1].exe) it terminates it and will not allow it to run again if I try to run it. What I don't understand is that other malware is killed when I click Terminate, but not these 2. These 2 should be terminated if I click Terminate. So I guess the best rule with SpyShelter is to always click Deny instead of Terminate. Maybe a bug in the Terminate feature?
     
    Last edited by a moderator: Mar 8, 2011
  16. guest

    guest Guest

    Re: SpyShelter 5.11 released

    I suggest clearing some things up before judging.
    It is not the function of SpyShelter to delete malware; HIPS-based software does not detect viruses by signature, etc.
    If the app modifies its own code or filename, SpyShelter will show the alert again.
    If the malware runs without alerts, then this instance of the malware does not produce any dangerous action.

    The malware you've tested can possibly work in 2 instances:
    One instance launches the other and waits for some work.
    The other instance produces the dangerous action (and may be auto-terminated).

    SpyShelter terminates apps only if the app produces a dangerous action (an action for which a termination rule was created). It seems that one copy of this app produced a dangerous action.
    The other copy of the app did not produce the action for which the termination rule was created.

    Summary note:
    SpyShelter is not supposed to terminate the executable the next time it runs (it allows it to run), but ONLY when it detects its action(s). Depending on settings, it terminates on a specific action or on ANY suspicious action (you need to check the option "Apply the choice to all actions for current component").

    "So I guess the best rule with Spyshelter is to always click Deny instead of terminate"
    Cannot agree, wrong opinion.

    Even if SpyShelter cannot terminate an app for some reason (I do not know of apps which SpyShelter cannot terminate), it will block the action anyway.

    The algorithm is the following:
    The driver asks the GUI for permission.
    The user selects to terminate.
    The GUI asks the driver to terminate the process.
    The process cannot be terminated immediately, because the driver must return the result code of the function from kernel mode.
    The driver returns an error (blocking the action), and the process should then be terminated by the system via the driver request posted before.

    I do not see any arguments that this trojan produces some dangerous activity.
    This trojan may just keep itself in memory and do nothing (or its actions may be auto-blocked without terminating).

    I hope all readers will now have a clearer view of this case and others.

    IMHO SpyShelter did what it is supposed to do well, and the one piece of malware you've found has been "castrated".
    Anyway, it's better to see this trojan for testing and check if our theory is right.


    Thanks for testing SpyShelter
     
  17. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    I love SpyShelter.
    But lately I'm confused about where to put it,
    since almost all antivirus/anti-malware has its own anti-keylogger and HIPS,
    and also almost all firewalls have HIPS/anti-keylogger.

    Can anyone share their security setup with me? (the one that uses SpyShelter, of course :))
     
  18. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    This is one of my favorite pieces of software, and I think it just got better.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I might try it if they'd only add 64-bit support in the free version.
     
  20. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Re: SpyShelter 5.11 released

    I understand. I don't expect it to delete the file. I do expect a HIPS to terminate a malware process that is running in memory if I click Terminate.

    The malware is only 1 instance, only 1 process. I watched it in Comodo KillSwitch and Task Manager. The process is detected as malware by AVs.

    Let's assume that it does create 2 processes and one is malicious and one is not (which is not the case). I think it is a fail that SpyShelter would allow a piece of malware to even create another process that is running.

    I tested with factory defaults. That is how I test everything, to see how it would perform for the average user. I will change this setting and post back my result.

    True, but it totally defeats the purpose of the "Terminate" button. Clicking the Terminate button does nothing to the process.


    I agree that the piece of malware that does not terminate may not be doing anything to harm the computer, since SpyShelter may block any changes it would try to make. But at the same time it is not a good thing that it is still running in memory even after I click Terminate.

    More testing to come...

    Update: I tried checking "Apply the choice to all actions for current component" and then clicking Terminate. I get the same result. The process does not terminate.
    And then, even though there is a rule created for PIC976242742133-JPG-www.facebook.com[1].exe, it still allows it to run. See screenshot: http://i53.tinypic.com/282huky.png and here is the process, which is detected as malware, running in KillSwitch: http://i53.tinypic.com/2vtbhxc.png Other pieces of malware do not do this. When I click Terminate, SpyShelter creates a rule and I cannot even execute the malware. SpyShelter terminates it when I do. Except for these 2 which I have found. I am sure there are others that will do the same thing.

    Comodo Internet Security Defense+ kills these processes and does not allow them to run at all. I noticed that even the processes that SpyShelter does kill show up in KillSwitch for a second and then are terminated. With Comodo I don't think it even allows the process to run whatsoever.
     
    Last edited: Mar 8, 2011
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Re: SpyShelter 5.11 released

    Grrreat comments, markedmanner. I really really hope you are passing this information on to Spyshelter.com. If it's a hole, they will (I believe) plug it.
     
  22. guest

    guest Guest

    Re: SpyShelter 5.11 released

    From the SS developer:

    SS: We cannot check how this malware really operates seeing only a simple description.

    SS: Yes, by AV => SpyShelter is a behaviour blocker.

    SS: Let us watch it and see; send the zipped malware to support@spyshelter.com so we would be able to check it, analyze it and comment. Let's make the case open; we always stay away from any "secret" tests, so you can also publish it for some testers if you know them. We'll figure out the true or eventual issue with the application, if it really exists.

    SS: We haven't received so far any message regarding a similar issue; don't hesitate to send the piece of malware and give us a chance to comment on that.
     
  23. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    I just sent an email. Also, I understand that this malware does not necessarily defeat SpyShelter, as the process is not causing any damage, but I would think that SpyShelter should terminate it. I think you have a great product, though, and overall it offers good protection.
     
  24. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    Can anyone advise me how to properly add Chrome and Firefox to the restricted apps list? If I add chrome.exe, either individually or the entire application folder, Chrome does not open any web page and shows an error. If I add Firefox, SpyShelter shows that plugincontainer.exe has violated the access rules :doubt:
     
  25. guest

    guest Guest


    SS analysis:

    Wrong opinion about one process.
    There are 2 processes created by that trojan.
    See the screens from Process Explorer.
    SpyShelter catches the dangerous activity of one of them and terminates it.
    The other copy of the trojan was created by the first and does not produce any activity, so alerts or termination rules do not apply to it.
    In addition, this copy is suspended (see the process state) by the first for code injection (see the image: trying to inject code....).
    It means this copy is not executed.
    A suspended process can cause no more damage than Calculator (calc.exe).

    Finally, to be sure that the termination rule works, he may use the LogWindow.

    Simply put:
    I don't see any issue, hole or bug in SpyShelter with process termination or blocking dangerous activity.
    On the provided example it did everything OK.
    Thanks again for testing and sending the malware.
    We appreciate that.
     

    Attached Files:

    Last edited by a moderator: Mar 9, 2011
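The two-process explanation in the SS analysis above, together with the rule semantics described in post 16 (a termination rule fires on an action the process performs, not on the image being started), can be checked against a process snapshot. The script below is an added example, not SpyShelter's code or any SpyShelter API: it models those semantics with a small rule table and replays a constructed event stream, and it classifies the surviving instances of the blocked image from a hand-made snapshot shaped like a Process Explorer / Get-Process listing. The PIDs, thread states, action names and the rule table are assumptions for illustration; only the image path is the one from the thread.

```python
"""Triage for a "process survives Terminate" report (added example).

This is not SpyShelter code. It models the explanation given in the thread:
a termination rule fires on an *action* a process performs, not on the image
being executed, so (a) re-running the file produces no alert until it acts,
and (b) a child the first copy created in the suspended state for code
injection performs no action, so no rule touches it and it stays in memory
doing nothing. The snapshot and rule table are constructed by hand; PIDs,
thread states and action names are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Thread:
    tid: int
    state: str             # as Process Explorer / Get-Process report it
    wait_reason: str = ""  # "Suspended" when the thread's suspend count > 0


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    threads: list


BLOCKED_IMAGE = (r"C:\Documents and Settings\Administrator\Local Settings"
                 r"\Temporary Internet Files\Content.IE5\35MM2AZA"
                 r"\PIC976242742133-JPG-www.facebook.com[1].exe")

# Constructed snapshot taken "after Terminate was clicked": the first copy
# (assumed PID 1234) is gone; the child it created is still listed.
SNAPSHOT = [
    Proc(4, 0, "System", [Thread(8, "Wait", "Executive")]),
    Proc(612, 4, r"C:\WINDOWS\explorer.exe", [Thread(620, "Wait", "UserRequest")]),
    Proc(1301, 1234, BLOCKED_IMAGE, [Thread(1305, "Wait", "Suspended")]),
    Proc(1402, 612, r"C:\WINDOWS\system32\calc.exe", [Thread(1406, "Wait", "UserRequest")]),
]


def is_suspended(proc):
    """True when every thread is parked with WaitReason 'Suspended', which is
    what a CREATE_SUSPENDED child looks like before anyone calls ResumeThread."""
    return bool(proc.threads) and all(
        t.state == "Wait" and t.wait_reason == "Suspended" for t in proc.threads)


def classify_survivors(snapshot, image):
    """For every live instance of `image`, report whether its parent is still
    alive and whether it is suspended (i.e. inert, not executing)."""
    live_pids = {p.pid for p in snapshot}
    return [
        {"pid": p.pid, "parent_alive": p.ppid in live_pids, "suspended": is_suspended(p)}
        for p in snapshot if p.image.lower() == image.lower()
    ]


# Rule model (assumption): rules are keyed on (image, action). The wildcard
# action "*" stands for "Apply the choice to all actions for current component".
# Starting the image is not an action, so a rule never stops the file running.
RULES = {(BLOCKED_IMAGE.lower(), "*"): "terminate"}


def decide(rules, image, action):
    """Verdict for one monitored action: a specific rule wins over the wildcard."""
    key = image.lower()
    return rules.get((key, action), rules.get((key, "*"), "ask"))


def replay(rules, events):
    """events: (pid, image, action) in the order the driver saw them.
    Returns the set of PIDs a terminate rule killed. A process that performs
    no monitored action never appears here, whatever its image name."""
    killed = set()
    for pid, image, action in events:
        if pid in killed:
            continue
        if decide(rules, image, action) == "terminate":
            killed.add(pid)
    return killed


# Constructed event stream: only the first copy ever acts (it tries to inject
# into the child it created suspended); the child itself generates nothing.
EVENTS = [(1234, BLOCKED_IMAGE, "inject_code")]

if __name__ == "__main__":
    print("terminated:", sorted(replay(RULES, EVENTS)))
    for survivor in classify_survivors(SNAPSHOT, BLOCKED_IMAGE):
        print(survivor)
```

On a real Windows box the thread states come from Process Explorer's Threads tab or from `(Get-Process -Id <pid>).Threads | Select-Object Id, ThreadState, WaitReason`; an instance whose threads all show `WaitReason` of `Suspended` is the "suspended process" the analysis refers to, and a rule keyed on the image will not fire for it until something resumes it and it performs a monitored action.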