SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    (attached images: english.jpg, tray.jpg)
     
  2. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
    Hi,
    Im using Eset Smart Security with Spyshelter Premium. I know, Eset Hips(in smart mode) and Spyshelter Hips "clash" together. That is why i tested them together. And the results are interesting. With SS8+Spyshelter Premium CLT result is 320/340. Interesting thing is that, for example when chrome is updating, or steam update(an .exe file is changed), Spyshelter notices that modification instantly, and prevents it running before i click yes or no. However, SS8 noticed that an .exe modification is made(accept or no). But the steam still starts.
    So is kinda interesting how deep on the kernel ring side of these hips are programmed for. That is why i configured Eset Hips basically disabled, and using Spyshelter's one for that purpose.
     
  3. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
    There is 35% off all Spyshelter licenses including the firewall lifetime license for this weekend only.
     
  4. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
    No thanks, I'm using the SS8 firewall component to specify my outbound connections. Deny all raw socket connections.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I assume you are running the Eset firewall with outbound connection monitoring enabled? If so, the alert you received actually was generated by the firewall. When an outbound connection is made, it does a check by hash to determine whether an .exe change was made to the process initiating the connection. As far as Eset's HIPS goes, it will only monitor an app .exe change when a specific user rule is created to do so.
     
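    The hash check itman describes (remember the executable's hash the first time it connects out, alert when the hash differs on a later connection) as an added Python illustration; it is not Eset's code and the file name steam.exe and its contents are constructed stand-ins for a real binary:

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large executables do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ExeBaseline:
    """Remembers the hash of each executable the first time it initiates an outbound connection."""

    def __init__(self):
        self._hashes = {}

    def check(self, exe_path: str) -> str:
        """Return 'new', 'unchanged' or 'modified' for the process initiating a connection."""
        key = os.path.normcase(os.path.abspath(exe_path))
        current = sha256_file(exe_path)
        known = self._hashes.get(key)
        if known is None:
            self._hashes[key] = current
            return "new"            # first connection: baseline, no alert
        if known == current:
            return "unchanged"      # same binary as before: existing rule applies
        self._hashes[key] = current  # re-baseline once the user accepts the changed binary
        return "modified"           # the firewall alert moredhelfinland saw after a Steam update


def demo() -> list:
    """Simulate a program that connects out, is updated in place, then connects again."""
    baseline = ExeBaseline()
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "steam.exe")  # constructed stand-in, not a real executable
        with open(exe, "wb") as f:
            f.write(b"MZ version 1")
        verdicts = [baseline.check(exe), baseline.check(exe)]
        with open(exe, "wb") as f:          # an updater rewrites the executable
            f.write(b"MZ version 2")
        verdicts.append(baseline.check(exe))
        verdicts.append(baseline.check(exe))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

    A legitimate in-place update therefore produces exactly one "modified" verdict, which is why a self-updating client such as Steam or Chrome triggers the alert; a rule keyed on the path alone would have missed the change.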
  6. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
    itman, yes I'm using the SS8 firewall for outbound connections. The SS8 firewall is quite capable of doing so, if you compare it to the Windows 7 based firewall.
    There are a lot of ways to connect to the internet via the Windows 7 basic firewall. It does not give an option to prevent raw socket connections...
     
  7. Maybe a ridiculous question, but when Auto Allow is set to Medium (or High):

    When starting Process Explorer, SpyShelter auto-allows some actions, but it blocks the loading of a driver. When you click details it says "signer is on the auto-allow list".

    @ichito what am I understanding / doing wrong?
     
    Last edited by a moderator: Mar 27, 2016
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Might have to do with the way Process Explorer loads its driver. It dynamically creates a driver entry in C:\Windows\System32\Drivers directory upon execution and deletes the entry upon termination of PE. That type of activity would definitely be construed as suspicious if done by most processes. You might have to create a manual rule to allow the driver to load.
     
  9. Okay, ran SpyShelter on my PC for a day (I have it on XP systems of older relatives in auto block suspicious actions mode). Might have accidentally put it on Auto Allow high (when I replaced Chrome by Firefox due to ending Chrome XP support). In Medium level it does create an Auto allow rule (auto allow rules have a different icon). Thanks for the explanation @itman (40=opening process/thread for modification, 41=creating the driver (modifying protected files), 27=loading the driver). Note I have only Hips module enabled in free version.

    (attached screenshot: upload_2016-3-28_8-45-7.png)
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm still waiting for:

    - Protection against process hollowing (child process modification)
    - Protection against rapidly deleting or overwriting files (anti-ransom)
    - Protection against modification of EXE files
    - Protection against termination of processes
    - Protection against loading of network enabled process (to bypass firewalls)

    - Ability to allow or block actions via log window
    - Ability to see which actions are allowed or blocked in log window (separate column)
    - Ability to auto-block certain actions (let user choose)
    - Ability to manage protected registry keys
    - Ability to hide actions from certain (system) processes in log window (too cluttered)
    - Ability to exclude certain rules from being cleaned
    - Ability to manage Trusted Signers (SS internal list)
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This is what I mean, in NG it was easy to see this. But for some reason the SS developers refuse to add this basic function, I don't get it:
     

  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Another thing that should be improved is the way rules are managed. There should be separate rules for Trusted, System and Restricted apps. This should be independent of the sandbox. All apps inside C:\Windows should be trusted except if they are marked as "restricted system process", and they can only be trusted if they are protected by Windows Resource Protection.

    Here is how parent-child process creation should be managed:

    System Space = C:\Windows
    User Space = All folders outside C:\Windows

    Trusted process ---> Child process ---> Trust system space ---> Restricted process is not trusted ---> Restricted system process is trusted
    Restricted process ---> Child process ---> Restrict system + user space ---> Trusted process is not trusted
    Non marked process ---> Child process ---> Trust system space ---> Restricted process is not trusted ---> Restricted system process is not trusted
     
  14. guest

    guest Guest

    Have you sent all these details to the developer?
    He is usually quite collaborative.
     
  15. ald4r1s

    ald4r1s Registered Member

    Joined:
    Apr 8, 2013
    Posts:
    53
    You can always develop your own software if you are not happy with the 2000 other things that SpyShelter actually offers. :rolleyes:

    I am pretty sure that protected files list was added to protect from file modification (writing).
    Process termination 'could' be useful, but personally never in my life have I had to protect anything from being terminated... Would be a pointless alert IMO.

    Not sure what you mean about the trusted signers internal list, but I am pretty sure we have the ability to customize our own trusted and untrusted signers, because I have been using it since 2013.

    Ctrl+A on rules list, shift+click on entries you wish to keep, and hit the delete button? Not sure if this is what you suggested, but this is a pretty basic UI functionality, and it is there, like in 99% of applications.

    Listing allowed actions in Log would be nice, although with the amount of monitored actions by sps they would have to come up with some really slick design. There is like 60 different actions monitored, now imagine listing 43 of them :'(

    I don't really mean to imply that you are wrong, I just think that most of these features you listed are not really required. Process hollowing might be a thing but I have not personally tested it so I can't say if it protects against it or doesn't.

    After all, SpyShelter is currently the best antikeylogger and HIPS on the market, at least as far as my requirements go.

    But yeah, like @guest said, you should send it to the devs if you haven't. Posting such suggestion lists on an unofficial forum seems pointless.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I did, the only problem is it was 6 months ago.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but without protection against process hollowing, it can't stop ransomware, this has already been tested. Also, if you can block apps from rapidly modifying files in a short amount of time, this could also stop (most of) the damage done by ransomware.

    It would indicate malicious intent, most apps don't try to terminate or suspend other processes.

    SS has an internal list of trusted software publishers. We should be able to edit this.

    There are certain rules that you don't want to remove, now you have to untick them every time when cleaning up rules.

    I think you misunderstood, I meant there should be an option to block/unblock actions straight from the log window. Now you will have to look for the rule (in Rules tab) to do this.

    No they are not required, but it would most certainly make SS stronger and handier to use.
     
  18. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,731
    Location:
    Germany
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, for the people who didn't understand the scheme: It's basically about how child processes should be handled. To avoid breaking the OS, you need to trust most system applications, except for "vulnerable processes" that can be used in attacks. But even they should sometimes be trusted if they are launched by other system or trusted applications. The problem is that SS doesn't let you label apps, and it's also not clear how "vulnerable processes" are handled. Examples of system processes that should be running as restricted:

    cmd.exe
    bcdedit.exe
    bitsadmin.exe
    powershell.exe
    vssadmin.exe
    wscript.exe
     
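    The parent-child trust scheme from Rasheed187's earlier post (Trusted / Restricted / Non-marked parent, system space = C:\Windows) together with the restricted system process list above, as an added Python model; this is not SpyShelter's code or logic. The restricted list is the one given in the post; the Windows Resource Protection condition is left out because it cannot be checked offline, and the scheme does not say what a user-marked trusted child of a non-marked parent becomes, so treating it as trusted is an assumption of this model:

```python
from enum import Enum
from pathlib import PureWindowsPath


class Label(Enum):
    """Effective trust of a running process."""
    TRUSTED = "trusted"
    RESTRICTED = "restricted"
    UNMARKED = "unmarked"


class Kind(Enum):
    """Static classification of an executable before its parent is considered."""
    SYSTEM = "system"                        # inside C:\Windows, not on the restricted list
    RESTRICTED_SYSTEM = "restricted system"  # inside C:\Windows, on the restricted list
    TRUSTED = "trusted (user-marked)"
    RESTRICTED = "restricted (user-marked)"
    UNMARKED = "unmarked"


SYSTEM_SPACE = "c:\\windows\\"   # System Space = C:\Windows; everything else is User Space

# System processes the post says should run as restricted.
RESTRICTED_SYSTEM = {"cmd.exe", "bcdedit.exe", "bitsadmin.exe",
                     "powershell.exe", "vssadmin.exe", "wscript.exe"}


def _norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def in_system_space(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_SPACE)


def classify(path: str, user_marks: dict) -> Kind:
    """user_marks maps normalised executable paths to Label.TRUSTED / Label.RESTRICTED."""
    p = _norm(path)
    if in_system_space(p):
        name = PureWindowsPath(p).name
        return Kind.RESTRICTED_SYSTEM if name in RESTRICTED_SYSTEM else Kind.SYSTEM
    mark = user_marks.get(p)
    if mark is Label.TRUSTED:
        return Kind.TRUSTED
    if mark is Label.RESTRICTED:
        return Kind.RESTRICTED
    return Kind.UNMARKED


def child_label(parent: Label, child: Kind) -> Label:
    """The three rule lines of the scheme, one branch per parent label."""
    if parent is Label.RESTRICTED:
        # Restricted process ---> restrict system + user space ---> trusted process is not trusted
        return Label.RESTRICTED
    if parent is Label.TRUSTED:
        # Trusted process ---> trust system space ---> restricted process is not trusted
        #                 ---> restricted system process is trusted
        if child in (Kind.SYSTEM, Kind.RESTRICTED_SYSTEM, Kind.TRUSTED):
            return Label.TRUSTED
        if child is Kind.RESTRICTED:
            return Label.RESTRICTED
        return Label.UNMARKED
    # Non marked process ---> trust system space ---> restricted process is not trusted
    #                    ---> restricted system process is not trusted
    if child in (Kind.SYSTEM, Kind.TRUSTED):   # user-marked trusted child: assumption, see lead-in
        return Label.TRUSTED
    if child in (Kind.RESTRICTED, Kind.RESTRICTED_SYSTEM):
        return Label.RESTRICTED
    return Label.UNMARKED


def label_chain(chain: list, user_marks=None) -> list:
    """Walk a parent->child chain of executable paths and return each process's effective label.
    The root has no parent and is treated as if launched by a non-marked process."""
    marks = {_norm(k): v for k, v in (user_marks or {}).items()}
    labels, parent = [], Label.UNMARKED
    for exe in chain:
        parent = child_label(parent, classify(exe, marks))
        labels.append(parent)
    return labels


if __name__ == "__main__":
    marks = {r"C:\Program Files\Tool\tool.exe": Label.RESTRICTED}   # constructed example mark
    for chain in (
        [r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"],
        [r"C:\Windows\explorer.exe", r"C:\Users\me\Downloads\setup.exe",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"],
        [r"C:\Program Files\Tool\tool.exe", r"C:\Windows\notepad.exe"],
    ):
        print([lbl.value for lbl in label_chain(chain, marks)])
```

    The second chain is the case the scheme is built for: cmd.exe launched straight from explorer.exe stays trusted, but powershell.exe launched by an unmarked download is restricted, and once a process is restricted everything below it, system or not, stays restricted.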
  20. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    Spyshelter Fail

    http://v.youku.com/v_show/id_XMTUyMDA2NDAyNA==.html

     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It loads very slowly, can you give some more info? It fails to protect against what exactly?
     
  22. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    ESET passed the test! I just want to figure out that ESET can detect injection into C:\Windows\explorer.exe, but others can't; then explorer.exe could do something bad...

    C:\Windows\explorer.exe
    is triying to modify other program's status.
    Target:explorer.exe


     

    Attached files: 1.jpg, 2.jpg, 3.jpg
  23. Clicking on services on that website, nothing happens

    (attached screenshot: upload_2016-4-10_4-38-40.png)
     
  24. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    It's dead right now!
     
  25. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    Have you seen the pictures below?
     

    Attached files: 4.jpg, 5.jpg