SpyShelter 9.2 released

Discussion in 'other anti-malware software' started by pablozi, Sep 18, 2014.

  1. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    You could do worse. Many people will: consistently, constantly. What's to do.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm not slamming it, but I think there is a big chance for the developers to generate more sales if they added a dedicated anti-ransomware module, comparable to HMPA's CryptoGuard and CryptoMonitor. These apps will proactively look for mass file modification.

    Of course you can probably stop some ransomware variants with SS if they are delivered via exploits. Because in "restricted apps mode" it won't have access to all folders, can't inject code, and most likely also can't access the network, all things that are crucial to most ransomware. But if you're not using this feature, SS will have difficulty fully protecting the system against any damage; you can even see it on a couple of YouTube videos, I'm not sure if they are still online.
     
    Last edited: Jun 8, 2015
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Don't forget, back in the days most HIPS also didn't have dedicated protection against ransomware, but it's still a powerful HIPS. You can always try to combine it with HMPA, for example.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    There's always room for improvement, they could easily add folder protection similar to Secure Folders and also a "rapidly modify files" filter. This means that untrusted apps will be suspended (or killed) if they will quickly try to modify files.
     
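    The "rapidly modify files" filter described in posts #2 and #4 is essentially a rate heuristic: count how many distinct files an untrusted process touches inside a short window and suspend it past a threshold. The following is an added illustration, not SpyShelter's or any vendor's code; the event stream, the names `detect_rapid_modification` and `SAMPLE_EVENTS`, and the threshold values are constructed for the example.

```python
"""Sliding-window 'rapid file modification' heuristic (illustrative, not vendor code)."""
from collections import defaultdict, deque

# Constructed sample events: (milliseconds, pid, process name, modified path).
# untrusted.exe rewrites 12 distinct user files in ~1 second; logger.exe
# appends to one log file just as often; editor.exe saves a single document.
SAMPLE_EVENTS = (
    [(100 * i, 200, "untrusted.exe", rf"C:\Users\u\Pictures\img{i}.jpg") for i in range(12)]
    + [(100 * i, 300, "logger.exe", r"C:\ProgramData\app\app.log") for i in range(12)]
    + [(1000, 100, "editor.exe", r"C:\Users\u\notes.txt")]
)
SAMPLE_EVENTS.sort(key=lambda e: e[0])  # stable sort keeps per-pid order


def detect_rapid_modification(events, trusted, threshold=10, window_ms=5000):
    """Return {pid: (name, first_trigger_ms)} for untrusted processes that
    modify at least `threshold` DISTINCT files within any `window_ms` span.
    Repeated writes to the same file count once, so a chatty log writer
    is not mistaken for an encryptor. Trusted process names are never flagged."""
    recent = defaultdict(deque)  # pid -> deque of (ms, path), oldest first
    flagged = {}
    for ms, pid, name, path in events:
        if name.lower() in trusted or pid in flagged:
            continue
        q = recent[pid]
        q.append((ms, path))
        while q and ms - q[0][0] > window_ms:  # expire events outside the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged[pid] = (name, ms)  # a HIPS would suspend or kill pid here
    return flagged


if __name__ == "__main__":
    print(detect_rapid_modification(SAMPLE_EVENTS, trusted={"editor.exe"}))
```

The distinct-file count is what separates a batch rename or an encryptor from a log writer hammering one file; a real HIPS would also have to decide whether a burst from an installer is legitimate, which is exactly the trusted/untrusted judgement the thread says is left to the user.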
  5. Last time I tried SS (without the firewall), running a program as restricted, SS did not apply its HIPS rules. Although I understand the logic behind this decision, it would be stronger if user mode restrictions (rules) would still apply when running in restricted mode.
     
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Hi everybody...
    what do you think about these entries on SS's blog?
    https://www.spyshelter.com/blog/should-anti-keylogger-be-reviewed-as-anti-virus/
    Below is the discussed article on PCMag:
    http://www.pcmag.com/article2/0,2817,2484664,00.asp
     
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Rubenking also wrote that nothing changed between Trend Micro 2014 and 2015 except for the GUI, which was complete ******** as well.

    *possibly offensive word removed
     
    Last edited by a moderator: Jun 9, 2015
  8. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    The result on the blog is very clear.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That sounds a bit weird. In "restricted mode" it should block everything, with an option to unblock stuff if your apps can't function correctly. That would make sense.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I agree, you should review it for what it is, namely a HIPS, not an AV or even behavior blocker. So in other words, it doesn't make any sense whatsoever, to install both trusted apps and malware samples, and to keep on clicking on either allow or block. Because a HIPS doesn't know what's good or bad, it depends on the user expertise. So yes, parts of the review were quite silly.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I had problems with SpyShelter causing an error message with Media Player Classic 64bit. I use the Mega K-Lite Codec Pack. I reported it to SpyShelter, and it turned out to be the Keystroke Encryption module. I was informed to switch to Better Compatibility Mode, and that fixed the problem. I'm reporting it here in case anyone else runs into the same problem.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    My openvpn service has started leaking its DNS occasionally since I started using SpyShelter. Has anyone else experienced this problem?
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I used the latest Comodo Leak Test to test Eset Smart Security 8 and SpyShelter Premium Combo. I am failing the two leak tests below. Does anyone know if these are packet filter fails on Eset Smart Security's part, or a HIPS failure for SpyShelter?

    Failed Test Invasion: FileDrop
    Failed Test Impersonation: DDE
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Will "Ask User" Mode prompt the user for any new executable attempting to execute like Online Armor, and Comodo does? I'm talking about files like .exe, .tmp, .msi, .bat, .SCR, etc.. Basically what I want to know is will SpyShelter behave like a full blown HIPS in "Ask User" mode.
     
  15. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Mostly "yes" if...
    the listed options are disabled:
    - "auto block suspicious behaviour" (tab "security")
    - "block dll loading from removable drives" and "block registering of non-existent drivers" (tab "advanced")
    - "auto allow the action for signed component" (tab "list of monitored actions")
    the launched executable is not a restricted app and is not inside restricted areas (folders, drives) (tab "restricted apps list")
    the rule for the app is not "all actions" (tab "rules")
    ...and that's everything I can propose. You should remember that SS has its own internal white list which the user cannot access, so it cannot be disabled.
     
  16. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Yeah, this issue has been out in the wild for over a year, and according to stuff I have read, both SS and the developers of KLite Codec refuse to take blame for it. Switching to compatibility mode fixes it, but a band-aid solution at best.

    Can you provide a bit more detail please? As in, are you using the full version of the OpenVPN client, or a custom-tailored version provided by your VPN? Is it leaking your ISP DNS or your VPN DNS? 2nd one shouldn't matter I think...

    Pwoah, that was one hell of a ride!

    FAILED Invasion: FileDrop
    What does it do ? Tries to drop itself to system32 directory.
    What is the risk ? If the virus can drop itself into the system32 folder, it can easily infect one of the critical files in it too.
    FAILED Injection: Services
    What does it do ? Tries to modify “Services” key in registry in order to have itself launched as a service.
    What is the risk ? The malware is going to have itself automatically started with windows. The key can be used to install a rootkit or boot driver that can be used to takeover the operating system.
    FAILED Impersonation: DDE
    What does it do ? Tries to use Direct Data Exchange (DDE) to control IE's behavior and transfer data to the Internet server
    What is the risk ? Firewalls can be bypassed and malicious files can be downloaded from the trusted browser process.

    I had EAM, MBAM & SSP running as active...I am leaning towards a lackluster effort on SSP's part. I use W7FwAS, and that doesn't have any packet filtering features.

    EDIT: If I removed my 3 pre-defined rules for Program Files (both x64 and x86) and Windows directories, I managed to drop from 3 failures to 2... the same 2 as your results show...

    Just repeating what ichito said... if "auto block suspicious behaviour" is ticked, things will remain quiet. However, it'll have to be unticked if you are installing/uninstalling/upgrading apps...
     
    Last edited: Jul 11, 2015
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    My score is 340/340 with these settings:
    "ask user" level
    "auto block suspicious behaviour" - disabled
    "block dll loading from removable drives" and "block registering of non-existent drivers" - enabled
    "auto allow the action for signed component" - disabled
    Your lower score can be caused...probably...by another thing.

    ss-clt.jpg

    BTW...about using CLT
    https://forums.comodo.com/leak-test...ting-accurate-leak-test-results-t61715.0.html
     
  18. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    The above two options for me are greyed out... oh well!
     
  19. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    @ichito Thanks for the insightful and informative post (#217). :thumb:
     
  20. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    @ichito

    Yep, using SSF for many years and always 340/340, same settings.

    rules.
     
  21. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Anyone here got a setup blueprint for SSF and a VPN?
     
  22. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Just did some quick reading online, SSF produces 340/340... SSP misses out due to the lack of firewall.
     
  23. Magic_The

    Magic_The Registered Member

    Joined:
    Jun 24, 2015
    Posts:
    40
    How do I enable "auto allow the action for signed component"? Because it's grayed out for me (can't enable).
     
  24. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    Which OS are you using?

    rules.
     
  25. Magic_The

    Magic_The Registered Member

    Joined:
    Jun 24, 2015
    Posts:
    40
    Win 7.1 64 bit
     