Honestly?...I don't know how it exactly works...I think I remember some events when an action on the "ask user" level was done automatically, but it was connected more with the run/installation of an app than the action of logger/system modifications. The reason to build...I think...so huge a database was to avoid "false positive", whatever it means. It was mentioned in the changelog a few years ago...quotes from changelogs. So...it can mean that the developer wanted to make the life of the user easier and make SS more automatic in its decisions; however, talking about "false alert/positives" in HIPS matters is a bit unjustified.
IMO, in "ask user" mode it should monitor every app, except for trusted system applications. If they do indeed use a white-list, that would be bad stuff. The user should always have full control. Normally I run in "Allow Microsoft" mode to avoid problems.
Under "Settings" and "List of monitored actions" you have to uncheck "Auto allow the action for a component signed by a trusted signer".
I always have that disabled. I will now run SS in "ask user" mode to see if it auto allows certain actions. BTW, I noticed that in the status-bar you can see what action is allowed or blocked, but like said before, that should be a separate column in both the rules and logging tab; this would make it possible to sort on allowed or blocked actions, to get a quick overview.
BTW, I found another problem with SS: if you allow "opening process or thread for modify access", then that app will automatically be allowed to modify memory of other processes. So it seems like action type 29 and 40 are handled the same.
You can see what the "action type" means in the bottommost toolbar in both the Rules and Log Window tabs.
I just installed SpyShelter Free on Windows 10 Pro x64 with the Nov update. My AV is Webroot. Question: what other security products can I run with SpyShelter Free? What about: Malwarebytes Anti-Exploit, VoodooShield, Crystal Security, GlassWire?
SpyShelter Free, Windows 10 Pro x64. I checked the clipboard protection, and it doesn't pass its own test. Whatever I copy to the clipboard appears in the test window. Maybe it is because when the test exe file started up, SpyShelter asked for permission, and I gave it.
Yes I know, but this should have been a separate column, like I said. This way you get a quick overview, without having to click on each event or rule. I didn't have any problems with MBAE, and I suspect that it will also not conflict with the other tools, because they are all not HIPS.
I have been testing this, and it looks like in "ask user" mode it will only white-list crucial system applications, but will indeed alert about other "Microsoft signed" tools, so this is a good thing. BTW, I also checked out the new data protection feature; it seems to work as advertised, and it's a nice extra protection against ransomware.
Trying SS Firewall right now. It opens popups with Chrome. They say it blocks hooks from being created, when I open a new tab for instance (ActionType 33). What's that?
It's all in my signature. However, since then I found this post: https://www.wilderssecurity.com/threads/spyshelter-10.378379/page-5#post-2534000 This helped me get rid of it. But I had to uninstall SS FW anyway, as one of the programs I use was not working correctly with it. But thanks for answering!
If you disable MBAE you won't have those popups. There is also an option to hide them without excluding a process.
Can you perhaps tell which app you added to the "excluded processes"? Because if you added Chrome, then you basically disabled protection against banking trojans that are trying to hijack the browser, so it wouldn't be logical. Or did you add MBAE to the exclusions? Another option would be to disable tool-tips for network hooks.
I understand this, but it would be interesting to know how you made it shut up, because if the only way was to add Chrome to the exclusions, it's basically a useless feature that has been added to SS.
Yes, I added it to the exclusions, like suggested in a post earlier in the thread. I agree this trick was not a real solution though.
OK, so perhaps this feature needs to go back to the drawing board. The way it should work, is that the app that is causing the alert, in this case probably MBAE, should be added to the exclusion list, to solve possible conflicts.
Exclusion of some processes from the ANS module (rule #33) is a direct answer to users' expectations, which were also mentioned about one year ago on this forum...so I don't think it is useless.
You should read my post again. I'm saying that if you exclude a process, then that process should be allowed to install network hooks inside the browser. But I get the impression that currently, it doesn't work this way. It looks like if you exclude a process, it will simply not be monitored anymore, leaving it open to attack by trojans.
Are the default settings for SpyShelter Firewall sufficient, or is some fine tuning recommended? Also, would you recommend that Windows Firewall runs alongside SpyShelter Firewall, or disable it?
There's a deal on SpyShelter products on BitsDuJour right now: http://www.bitsdujour.com/software/spyshelter-firewall/in=todays-deals-home
It depends on your needs. I've disabled the monitoring of certain actions, because they are way too common. To avoid problems it's probably best to choose "Allow Microsoft", otherwise you may get alerts about normal system operations. And there is no need to turn off the Win Firewall, unless you want SS to do all the blocking.