I'm not slamming it, but I think there is a big chance for the developers to generate more sales if they added a dedicated anti-ransomware module, comparable to HMPA's CryptoGuard and CryptoMonitor. These apps will proactively look for mass file modification. Of course you can probably stop some ransomware variants with SS if they are delivered via exploits, because in "restricted apps mode" it won't have access to all folders, can't inject code, and most likely also can't access the network, all things that are crucial to most ransomware. But if you're not using this feature, SS will have difficulty fully protecting the system against any damage; you can even see it in a couple of YouTube videos, I'm not sure if they are still online.
Don't forget, back in the day most HIPS also didn't have dedicated protection against ransomware, but it's still a powerful HIPS. You can always try to combine it with HMPA, for example.
There's always room for improvement; they could easily add folder protection similar to Secure Folders and also a "rapidly modify files" filter. This means that untrusted apps will be suspended (or killed) if they quickly try to modify files.
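As an added example (not SpyShelter's code and not something the poster wrote), here is a small Python model of the "rapidly modify files" rule described above: a sliding window per process that counts distinct files touched, and a "suspend" verdict when an untrusted process crosses the threshold. The event format, process names, window length, threshold and trusted list are all assumptions made for the demo; a real HIPS would receive these events from a kernel filter driver rather than from a list.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-modification notification.
    Constructed format for this example; a real HIPS gets these from a
    minifilter driver, not from a Python list."""
    t: float        # seconds since monitoring started
    pid: int
    process: str    # image name, e.g. "invoice.exe" (made-up name)
    path: str       # file being written or renamed


class MassModificationDetector:
    """Flag an untrusted process that touches many distinct files in a
    short window. Window and threshold are illustrative, not SpyShelter's."""

    def __init__(self, window_s=2.0, threshold=20, trusted=()):
        self.window_s = window_s
        self.threshold = threshold
        self.trusted = {name.lower() for name in trusted}
        self._recent = defaultdict(deque)   # pid -> deque of (t, path)
        self.verdicts = {}                  # pid -> reason string

    def feed(self, ev):
        """Return ("suspend", pid, reason) the first time a process crosses
        the threshold, else None. Trusted images are never counted, which
        is why the rule in the post only applies to untrusted apps."""
        if ev.process.lower() in self.trusted or ev.pid in self.verdicts:
            return None
        q = self._recent[ev.pid]
        q.append((ev.t, ev.path))
        # Drop events that fell out of the sliding window.
        while q and ev.t - q[0][0] > self.window_s:
            q.popleft()
        # Count distinct paths, not raw events: an editor autosaving one
        # document hundreds of times is not mass modification.
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold:
            reason = (f"{ev.process} (pid {ev.pid}) modified {len(distinct)} "
                      f"distinct files within {self.window_s}s")
            self.verdicts[ev.pid] = reason
            return ("suspend", ev.pid, reason)
        return None


def constructed_events():
    """Constructed sample input: four processes with different patterns."""
    events = []
    # Ransomware-like: 40 distinct documents rewritten in about one second.
    for i in range(40):
        events.append(FileEvent(10.0 + i * 0.025, 4242, "invoice.exe",
                                f"C:/Users/me/Documents/doc{i}.docx"))
    # Trusted backup tool: the same burst, but whitelisted by image name.
    for i in range(40):
        events.append(FileEvent(20.0 + i * 0.025, 5151, "backup.exe",
                                f"D:/backup/doc{i}.docx"))
    # Word processor autosaving the same file: many events, one path.
    for i in range(40):
        events.append(FileEvent(30.0 + i * 0.025, 6161, "winword.exe",
                                "C:/Users/me/Documents/report.docx"))
    # Slow untrusted updater: 40 files spread over 40 s, under the rate.
    for i in range(40):
        events.append(FileEvent(40.0 + i * 1.0, 7171, "updater.exe",
                                f"C:/Program Files/app/file{i}.dll"))
    return events


def run(events, detector):
    """Feed events in time order and return the suspend actions raised."""
    actions = []
    for ev in sorted(events, key=lambda e: e.t):
        action = detector.feed(ev)
        if action:
            actions.append(action)
    return actions


if __name__ == "__main__":
    det = MassModificationDetector(window_s=2.0, threshold=20,
                                   trusted={"backup.exe"})
    for action in run(constructed_events(), det):
        print(action)
```

Only the constructed "invoice.exe" burst is suspended; the whitelisted backup tool, the autosaving editor (one path, many writes) and the slow updater (three files per two-second window) all stay under the rule. The two knobs a practitioner tunes are the trusted list and the threshold: too small a trusted list suspends installers and compilers, too large a threshold lets a ransomware sample encrypt a directory before the rule fires.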
Last time I tried SS (without the firewall), running a program as restricted, SS did not apply its HIPS rules. Although I understand the logic behind this decision, it would be stronger if user mode restrictions (rules) would still apply when running in restricted mode.
Hi everybody... what do you think about these entries on SS's blog? https://www.spyshelter.com/blog/should-anti-keylogger-be-reviewed-as-anti-virus/ The PCMag article discussed there: http://www.pcmag.com/article2/0,2817,2484664,00.asp
Rubenking also wrote that nothing changed between Trend Micro 2014 and 2015 except for the GUI, which was complete ******** as well. *possibly offensive word removed
That sounds a bit weird. In "restricted mode" it should block everything, with an option to unblock stuff if your apps can't function correctly. That would make sense.
Yes I agree, you should review it for what it is, namely a HIPS, not an AV or even behavior blocker. So in other words, it doesn't make any sense whatsoever, to install both trusted apps and malware samples, and to keep on clicking on either allow or block. Because a HIPS doesn't know what's good or bad, it depends on the user expertise. So yes, parts of the review were quite silly.
I had problems with SpyShelter causing an error message with Media Player Classic 64-bit. I use the Mega K-Lite Codec Pack. I reported it to SpyShelter, and it turned out to be the Keystroke Encryption module. I was told to switch to Better Compatibility Mode, and that fixed the problem. I'm reporting it here in case anyone else runs into the same problem.
My OpenVPN service has started leaking its DNS occasionally since I started using SpyShelter. Has anyone else experienced this problem?
I used the latest Comodo Leak Test to test Eset Smart Security 8 and SpyShelter Premium Combo. I am failing the two leak tests below. Does anyone know if these are packet filter failures on Eset Smart Security's part, or a HIPS failure for SpyShelter?
Failed Test Invasion: FileDrop
Failed Test Impersonation: DDE
Will "Ask User" Mode prompt the user for any new executable attempting to execute like Online Armor, and Comodo does? I'm talking about files like .exe, .tmp, .msi, .bat, .SCR, etc.. Basically what I want to know is will SpyShelter behave like a full blown HIPS in "Ask User" mode.
Mostly "yes" if... the listed options are disabled:
- "auto block suspicious behaviour" (tab "security")
- "block dll loading from removable drivers" and "block registering of non exist drivers" (tab "advanced")
- "auto allow the action for signed component" (tab "list of monitored actions")
- the launched executable is not a restricted app and is not inside restricted areas (folders, drives) (tab "restricted apps list")
- the rule for the app is not "all actions" (tab "rules")
...and that's everything I can propose. You should remember that SS has its own internal whitelist which is not accessible to the user, so it cannot be disabled.
Yeah, this issue has been out in the wild for over a year, and according to stuff I have read, both SS and the developers of the K-Lite Codec Pack refuse to take blame for it. Switching to compatibility mode fixes it, but it's a band-aid solution at best.

Can you provide a bit more detail please? As in, are you using the full version of the OpenVPN client, or a custom-tailored version provided by your VPN? Is it leaking your ISP DNS or your VPN DNS? The second one shouldn't matter I think...

Pwoah, that was one hell of a ride!

FAILED Invasion: FileDrop
What does it do? Tries to drop itself to the system32 directory.
What is the risk? If the virus can drop itself into the system32 folder, it can easily infect one of the critical files in it too.

FAILED Injection: Services
What does it do? Tries to modify the "Services" key in the registry in order to have itself launched as a service.
What is the risk? The malware is going to have itself automatically started with Windows. The key can be used to install a rootkit or boot driver that can be used to take over the operating system.

FAILED Impersonation: DDE
What does it do? Tries to use Direct Data Exchange (DDE) to control IE's behavior and transfer data to the Internet server.
What is the risk? Firewalls can be bypassed and malicious files can be downloaded from the trusted browser process.

I had EAM, MBAM & SSP running as active... I am leaning towards a lackluster effort on SSP's part. I use W7FwAS, and that doesn't have any packet filtering features.

EDIT: If I removed my 3 pre-defined rules for Program Files (both x64 and x86) and Windows directories, I managed to drop from 3 failures to 2... the same 2 as your results show...

Just repeating what ichito said... if "auto block suspicious behaviour" is ticked, things will remain quiet. However, it'll have to be unticked if you are installing/uninstalling/upgrading apps...
My score is 340/340 on settings "ask user" level:
- "auto block suspicious behaviour" - disabled
- "block dll loading from removable drivers" and "block registering of non exist drivers" - enabled
- "auto allow the action for signed component" - disabled
Your lower score can probably be caused by another thing. BTW... about using CLT: https://forums.comodo.com/leak-test...ting-accurate-leak-test-results-t61715.0.html
Just did some quick reading online, SSF produces 340/340... SSP misses out due to the lack of firewall.