SpyShelter 9.2 released

Discussion in 'other anti-malware software' started by pablozi, Sep 18, 2014.

  1. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Well done grasshopper, I mean Rules :) changed it to 0 and all is swell!
    Thanks!
     
  2. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    703
    Location:
    EU
    You are most welcome, Aussie ;)

    Rules.
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    SpyShelter 9.6 changelog:
    – Blocking execution feature for all processes added
    – New menu item in General Rules: Block component execution
    – Performance optimizations
    – Implemented rules templates with save/load feature
    – Action alert reorganized and redesigned
    – Start SpyShelter by service feature
    – Changed default program look
    https://www.spyshelter.com/blog/spyshelter-9-6-released/#more-2695
     
  5. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    "Posted on December 22, 2014

    We have fixed a critical bug with Keystroke Encryption driver on 32 bit systems.
    Please update your SpyShelter to 9.6.1 as soon as possible."

    https://www.spyshelter.com/blog/
     
  6. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Thanks for posting, ichito!
     
  7. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    The blocking execution feature is very good, but it must work globally: deny every exe and only allow running exes from the allowed list in the general rules.
     
  8. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I've been a user of W7FwAS for a while now, along with Windows Firewall Control for interface purposes. My previous Firewall/HIPS proggie was Online Armor. So I switched to W7F once Emsisoft upgraded to v9 and discontinued support for Online Armor. I've been contemplating ditching W7F and upgrading my paid version of SS to include the firewall aspect. I was going to go to Comodo, but meh... if I go down that road, I'd just end up using my existing key for Online Armor, get it converted to v9 key and use EIS.

    Then I noticed this...
    When you say co-existing, do you mean it reads and uses the current rules listed in W7F?... or was your comment based on your opinion?

    I've seen one screenshot in relation to the firewall, and all it showed was a list of browsed IP's along with resolved DNS names... Windows Firewall Control shows IPs, PeerBlock shows IPs and DNS...

    Can't make a real decision to change without intel... or maybe I am just procrastinating. Would be good if it didn't ask for a reboot after install, so I could use Shadow Defender to trial the firewall out. Argh...

    EDIT: Just saw this, a SpyShelter Firewall Test by SpyShelter... https://www.spyshelter.com/two-way-internet-firewall/ seems to look like a cool firewall... especially the domain name blocking aspect... ugh, time to send a ticket to SpyShelter and see how much it'll cost me to upgrade from SSP to SSF.
     
    Last edited: Dec 30, 2014
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Seems like the firewall has become more advanced, I think I will give it one more try, but the usability is really quite a big problem. On the other hand, Comodo is even more annoying, and I feel naked running without HIPS, so perhaps I have no choice.
     
  10. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Usability in SSF is borderline suicidal... pwoahhhh did I accumulate some white hairs trying to figure crap out... and yes, Comodo is its own enemy. I tried using OA with SSP but it clashed, dunno' how others got it to work.
     
  11. @ichito

    Could you pass two change requests to the developers?

    1. Add a disable RESTRICTIONS option in right click SpyShelter Icon
    (when protection is disabled the RESTRICTED MODE rules are still active)

    2. Add action 33 (setting hook to monitor network request) to the rules template
    (for some programs like web browsers it is normal behaviour to hook this)

    Could you also pass this bug to the developers?

    3. Spyshelter does not seem to respect its own rules (allow all actions of a folder, including future update), see picture

    Untitled.png
     
    Last edited by a moderator: Jan 2, 2015
  12. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    OK W_S...I'll do it, and I have to pass on other ones too:
    - SS and SSFW in v. 9.6 and 9.6.1 can't import my previously saved rules...after installation the rules tab is empty
    - both versions don't properly create the rules for certain apps (I noticed such behaviour for e.g. MS Office components).
    I don't know why it is...maybe because of those "Implemented rules templates with save/load feature"? For now I have left SS and I'm waiting for bug fixes.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To clarify, I wasn't just talking about the firewall. SS is powerful for sure, but stuff like rules management and the logging window get on my nerves, it's not handy.
     
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    SpyShelter 9.6.2 released...
    SpyShelter Changelog:
    You may update via built-in updater or download from the download page.
     
  15. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Kees...the gift for you :)
    I'll test whether my issues are resolved.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I've checked out the latest SpyShelter Firewall, and once again I have to say that I'm disappointed, so I'm done with it.

    Crappy rules management, and a crappy logging/events viewer, annoy me the most. But there is more: No easy way to trust apps from the alert window, and I don't like the "edit rules" window, there is no easy way to see what's allowed or blocked.

    I'm also not impressed with the firewall, it should clearly show you which apps are allowed to make outbound connections, or are allowed to accept incoming connections. Positive things: it's stable (no freezes or crashes) and does not interfere with EXE Radar and Sandboxie.
     
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Stay with it but in ver. 9.5...as I am :cool:
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ ichito

    That won't work, because the annoying stuff that I described has been present in all versions. I'm done with it, this really sucks because currently you haven't got any HIPS to my taste on Win 8.

    I also don't like Comodo, Online Armor and PrivateFirewall. Too bad that Emsisoft doesn't offer a standalone behavior blocker anymore, I mean something like Mamutu. On Win XP I used the excellent System Safety Monitor and Neoava Guard.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tried SpyShelter again 2 days ago, and it had a disable protection option when you right click the tray icon. So you want a second option that enforces restricted mode rules when protection is disabled? When I disable protection I want all protection disabled, since I'm usually doing it to install something, or I'm having some sort of conflict.

    They definitely need to add the network monitor protection module to the rules template. SpyShelter's network monitor was blocking hooks for the Anki flash card application over and over again. The only option I had was to disable the network monitor protection module. It would have been great if I could have just excluded Anki from the network protection instead of having to disable it altogether. I could not take the chance of it causing my deck to become corrupt, since I have been working on it for 5 years. My deck has about 20,000 cards in it with over 100,000 translations, and I would literally lose my mind if my work became corrupted.

    I have had problems in the past with SS not respecting its own rules. I had SS set to Microsoft only, and it was allowing me to execute non-Microsoft executables with little to no prompts. Online Armor prompted me for every little thing with the same executables. Maybe I'm misunderstanding the expected behavior of SS in the different modes.
     
    Last edited: Jan 13, 2015
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    About 2, can you tell me which browser behaves like this ? If I'm correct, this filter is to block banking trojans from logging SSL connections.
    About 3, is this the "trust app" setting? If so, it does not seem to work.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tested Eset Smart Security and SpyShelter Premium against the PC Flank leak test found here, and they both failed. http://pcflank.com/pcflankleaktest.htm There's only 1 test. You type into the box to see if it can capture your keystrokes and send them to their online server without your firewall blocking the transmission of data. I'm not sure if the SpyShelter version with a firewall would pass the test. Since it is also a keylogger test I thought SpyShelter Premium should block it as well. SpyShelter prompted me during the test, but when I chose block it successfully transmitted my keystrokes to their server anyway. I tested Online Armor against it, and it was flagged as a threat by Online Armor's cloud. I allowed it to run anyway, and Online Armor passed the test. It was unable to send my keystrokes to their server.
     
    Last edited: Jan 20, 2015
  22. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    703
    Location:
    EU
    Arghh, this test works only with Internet Explorer, so I can't confirm whether my combo of SS firewall and EAV flagged it; nevertheless I got 340/340 on the Comodo leak test (SS firewall does the job).

    Rules.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yeah, they probably used IE because they figured everyone would have it installed on their machine. Why don't you have IE installed on your machine?
     
  24. The free version can be changed into a really easy to use "inverted" HIPS.

    From BLOCKING ALL and ALLOWING SOME (after user confirmation), it will invert
    to BLOCKING INTERNET APPLICATIONS and ALLOWING TRUSTED (automatically):
    1. Protect system and allow trusted vendors
    2. Restrict risky threatgate folders
    3. Block intrusions from internet facing applications

    Step 1: Set protection to Medium level (auto allow built-in trusted vendors) and use only HIPS and kernel level protection. I have run SpyShelter with anti-keylogging and anti-get text enabled and it seems to cause no problems with the block all actions of step three. I just don't think it is necessary, for two reasons (assuming users are not so stupid that they disable UAC):
    • Most people use IE / Chrome / Adobe, so spyware in a low rights sandbox can't touch other medium level processes; this reduces the (post infection) threat which most anti-keyloggers protect against (when you're infected, you have bigger problems).
    • User land hooking provides more hassle than protection IMO (remember how EP_XOFF made ThreatFire blind by removing all user land hooks). System protection should protect against side-by-side infection of medium level processes with step three "block all actions of internet facing" and prevent infections that survive a reboot.

    SS!.png


    Step 2: Use the restricted apps list to mitigate the (elevation) risk of some threatgate folders. When a drive-by drops some code, it runs in restricted mode, meaning as a limited user with no option to elevate to admin rights.

    Note. Because ADS write is blocked, Chromium based browsers and IE do not mark a downloaded file as coming from the Internet. Because code can be hidden in an Alternate Data Stream (ADS) this is good practice. A disadvantage (advantage to some) is that the potentially unsafe warning will not be displayed when executing a file from the internet. To prevent shoot in the foot errors, the temporary internet folder of IE (also where Outlook stores attachments before opening), the LOW rights Temp folder, the temporary folder of Windows Media Player and the download folder are also restricted.

    Note. The user name of my PC is Desktop, this might be confusing, so C:\Users\Desktop\etc is in fact C:\Users\[Your User Name]\etc for instance C:\Users\John\AppData\Chromium\

    SS.png


    Step 3: Set a deny rule to contain vulnerable applications. These are the ones I also have guarded by EMET: browser, Office apps, media player, PDF reader. A bonus of SpyShelter is that you can create exclude path rules for folders, so the HIPS module of SpyShelter also guards the PPAPI Flash player of Adobe (and all future versions).

    Use the exclude folders (for future versions), next change the allow rule to a deny to block unusual actions of vulnerable applications (processing rich content with embedded code).
    SS3.png

    Remember to disable Spyshelter before updating your system.
     
    Last edited by a moderator: Jan 23, 2015
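    The "ADS write is blocked" note above turns on a detail worth checking for yourself: the Mark-of-the-Web that browsers and Outlook attach to downloads is nothing more than an NTFS alternate data stream named Zone.Identifier, so a HIPS rule that blocks ADS writes silently removes it. The PowerShell below is an added example, not code from the forum post or from SpyShelter; it lists the streams on a file, reads the ZoneId if one is present, and shows how to put the mark back or remove it. The file path is an assumption and should be replaced with a file you actually downloaded.

```powershell
# Added example (not from the thread or SpyShelter): inspect the Mark-of-the-Web
# stored in the Zone.Identifier alternate data stream of a downloaded file.
# $Path is an assumed placeholder; point it at a real download to test.
$Path = "$env:USERPROFILE\Downloads\sample.exe"

function Get-MotwZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Enumerate every NTFS stream on the file. The unnamed data stream shows as ':$DATA';
    # browsers add a second stream called 'Zone.Identifier'.
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Select-Object -ExpandProperty Stream
    if ($streams -notcontains 'Zone.Identifier') {
        # No mark: either the file never came from the Internet or the ADS write was blocked.
        return $null
    }
    # The stream is INI-style text: [ZoneTransfer] followed by ZoneId=<n>
    # (0 local, 1 intranet, 2 trusted, 3 Internet, 4 restricted).
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($text -match 'ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

$zone = Get-MotwZoneId -Path $Path
if ($null -eq $zone) {
    Write-Output "$Path carries no Zone.Identifier stream: no Mark-of-the-Web, so no 'unsafe file' warning on execution"
} elseif ($zone -eq 3) {
    Write-Output "$Path is marked ZoneId=3 (Internet zone); SmartScreen / Open File warnings apply"
} else {
    Write-Output "$Path is marked ZoneId=$zone"
}

# Re-apply the mark on a file that lost it (e.g. because the ADS write was blocked):
#   Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
# Remove it deliberately (this is what the Explorer 'Unblock' checkbox does):
#   Unblock-File -LiteralPath $Path
```

    Run it against a file saved by a browser with the ADS-write rule on and off: with the rule active you should see no Zone.Identifier stream at all, which is exactly the trade-off the post describes, since SmartScreen and the Office Protected View both key off that stream.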