Yes, when you have the paid version, you can edit the trusted vendors list, so crucial software on your PC can be auto-allowed. All software not updating through its own executable (e.g. like Microsoft Office and Chrome), can be assigned a default BLOCK rule. So you can auto-allow publisher Microsoft but deny all Office executables suspicious behaviour. This sort of changes the behavior of Spyshelter from a system wide HIPS to a vulnarable process suspicious behavior blocker with zero pop-ups, because the SPECIFIC PROCESSES (AUTO) BLOCK RULES have higher priority than than the SYSTEM WIDE AUTO ALLOW PUBISHER RULES.
@Windows_Security Won't that break some apps ? Changing Allowed actions to Deny. If I am understanding correctly - let me use example: Application A uses inter-process communication with Task Scheduler. Let SpS create the Allow actions, then change Allow actions to Deny. Application A - when executed - will not perform any suspicious actions; in this case, inter-process communication with Task Scheduler. Very simplistic example, but it illustrates what I think you mean. TIA PS - by the way, which setting are you referring to about adding a block all. Current version of SpS permits creation of Excluded File and Folder, but I see no option to Block All for File and Folder. Do you mean do it in the individual rules pane for each application - or - enable Block All Suspicious Actions ?
That is why you have to selectively apply it to vulnarable applications, see example for Chrome Select HIPS and encryption (no need to hook all other stuf when using Spyshelter as an Behavioral Blocker) Allow signed components Make a Block ALL rule for Chrome Application Folder Chrome now runs in a HIPS sandbox and added encryption to Chrome
I'm really not following. If you create a block-all actions, then how can Chrome connect to the internet - since internet access is blocked ? Auto-Allow = Allow all actions for trusted signer Exclude = do not monitor any actions for folder contects Block All = Deny all actions Sorry, I'm just not understanding how this setting combo is working. When I follow the above steps for Internet Explorer - it just crashes upon execution.
Look at the first visual of previous post: it is for Spyshelter (Free) not the Spyshelter Firewall Set Auto-block to prevent user choices for programs not listed in Trysted Vendors List
@Windows_Security I understand now. I use SpSFW - so the above methodology won't work. However, even if I create an all block - except for network access - for Internet Explorer - it still just crashes upon execution. SpS Free does have HIPS enabled, but the HIPS monitoring is strictly limited. So, perhaps that is why it is working ?
The HIPS in free version is good enough to block all memory manipulations of HMPAlert, so for people still on 32 bits is is a nice freebie. I had not noticed that you were using SPSFW, so sorry for the confusion
@Windows_Security ... thanks mate. Sorry about the confusion too. I am not too familiar with the settings in SpS products yet. Documentation leaves a just a bit to be desired. Kind of slugging my way over the mountain - if you know what I mean. I'm on 64 bit W10. Just trying to come up with ways to use SpSFW to its fullest capability. I think it basically comes down to experimenting with the rules for the most vulnerable processes - and just allow only those needed to get the thing to work as needed - and block everything else. Of course, that is a manual config pain - but not too onerous. What do you think ?
@ichito @Windows_Security explains a way of using the settings in SpS Free that cannot be applied in SpSFW - because the method of using those settings will block all internet access for the applications. You have to read back through the posts. SpSFW is more than fine - it is very good security soft.
@Windows_Security Could we apply this method to a wider area such as C:\Users\* without causing any issue?
Creative thinking, I have not tried that. I have ran this config with Office, Mediaplayer, PDF-reader and Chrome only. Adding user folders, should add protection, without pop-ups for trusted programs. I am working abroad until Saturday. Will try this interesting idea this weekend.
BTW, I think I discovered a flaw in SS. In the Bouncer thread, Windows_Security posted a screenshot of SS blocking memory modification, but this doesn't happen on my system. Perhaps it's because I'm running SS on Win 64 bit? https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-43#post-2573586
SpS support replied to my inquiry about SpS on 64 bit. Actions 29 and 36 might (I interpret as will) not be detected on 64 bit. Some processes cannot be run inside the sandbox because of sysnative - for example - host processes. HIPS will not detect process hollowing - as you already well know. SpS still needs some work on 64 bit. If I recall correctly, Emsisoft products will detect equivalent to actions 29 and 36. So, if Emsisoft can accomplish this, then certainly Datpol can.
I totally forgot that you already mentioned this. SS does not alert when a child process is being modified. So actions 29 and 36 will only be detected when a process is trying to modify a non-child process. Probably that's why it's failing certain leaktests on my system. Seriously, the SS developers need to step up their game, almost all ransomware variants use process hollowing, and HMPA does offer protection against this, even on 64 bit systems if I'm correct.
Child process memory modification not being blocked was for AppGuard's Memory Protection. That was on the Bouncer thread. For process hollowing, SpS support says proper technique is to perform Virus Total lookup - for example for hollowed processes explorer.exe or svchost.exe. I pointed out to them that such a VT lookup returns results for the valid Windows process = safe. I also pointed out that if one defines protected folders, but allows explorer.exe to modify protected folders for normal system operations - then the contents will be encrypted. So it is problematic. At this point in time SpS is only going to protect against ransomware if you block it at execution. As SpS support points out, they assume a user is going to perform due diligence on a file before executing it. That's fine in theory, but how many typical users are that disciplined ? Plus, what if a user uploads a file to VT prior to execution and VT returns 0/57 - and then they execute it and know absolutely nothing about malware behavior, system space vs user space, host processes, etc. If the file is ransomware, then they're screwed - that's what. I genuinely like SpS products, but there are various quirks that Datpol needs to rectify. Patch Guard is giving them some problems. They don't have a beta program. They don't participate actively on any forums. So, to me, the lack of technical infos and difficulty in getting accurate answers is discouraging. Some of the available leak tests are so outdated that I think they might not be returning accurate results. It is difficult to know.
No, this was also discussed in the Secure Folders thread, SS will alert about code injection if a process tries to modify a non-child process. But for some reason it can't deal with child processes, that's why it also fails against ransomware. Yes it's a shame, they should have had a forum where developers participated.
OK. I forgot. Thanks @Rasheed187 . I think developers might participate on native Polish language sites. I think there are two few staff or maybe they just don't want to do it. I submitted a request to create blog post about SpS on 64 bit systems. To clear up confusion, dis-\mis- information. You know... it is always best to get infos direct from developer. I hope they do it.
@Online_Sword tested it and it seems to work @kerykeion, after excluding a folder, the idea is to change the allow to block
@hjblx Yes, I downgraded to 32 bits (with Vista), because Desktop and Laptop only had 4GB Ram memory. The low spec low spec dual cores seem to run faster on 32 bits. Probably because they have little cache memory, so then run better with smaller register size on 32 bits. Also the two cores don't have to carry the overhead of the 32 bits system in 64 bits OS. So I miss out on Kernel protection and better ASLR randomization, but on the other hand enjoy better features with security programs.
Hello, SpyShelter version 10.7.3 has been released: Homepage: https://www.spyshelter.com/ Download: https://www.spyshelter.com/download-spyshelter/ Blog: https://www.spyshelter.com/blog/ Changelog: https://www.spyshelter.com/blog/spyshelter-changelog/
