@Windows_Security I would really like to see if anyone with a non- *.cn domain IP can replicate this one. No one that I know who is using a non-Chinese version of Windows can replicate it, even using a proxy with a US exit node. And about 10 of us tried. I spent days trying to replicate...
So basically, when you surf to this site it loads malware (via exploit) that tries to inject code into system processes? Interesting stuff, the question is what type of malware this is. It seems that conhost.exe is executed by IE, but for what purpose, seems like they are trying to somehow bypass anti-exe tools by using trusted system processes.
Conhost.exe is normally started by csrss.exe as explained here: http://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/ . The fact it is running under IE smells of a hollow process routine going on. -EDIT- Also appears that explorer.exe has been injected with malware. Note that you can't outright block explorer.exe access to Win directories since it does need access to processes there. However, your security solution needs to block unknown process disk or memory injection into explorer.exe.
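The parent-process anomaly the post above describes (conhost.exe appearing under iexplore.exe instead of csrss.exe) is something a defender can check for in a process snapshot. The following is an added example, not code from the thread or from any product discussed here. It walks a process list, compares each monitored process against an expected-parent map, and reports mismatches. The map entry for conhost.exe is the csrss.exe relationship the post gives; the map, the `Proc` record layout and the sample snapshot are constructed assumptions, and the map must be tuned to the Windows build in use, since the expected parent of a console host is not identical across versions.

```python
# Added example (not from the thread): flag monitored processes whose parent
# is not one of the parents expected for them, e.g. conhost.exe started by a
# browser rather than by csrss.exe as the post describes.
from collections import namedtuple

# Minimal process record; a real snapshot would come from the task list or an
# EDR export, but the layout here is a constructed assumption.
Proc = namedtuple("Proc", "pid ppid name")

# Expected-parent map (assumption, keyed by lower-case image name).
# conhost.exe -> csrss.exe is the relationship described in the post; tune the
# map to the Windows build you run before relying on it.
EXPECTED_PARENTS = {
    "conhost.exe": {"csrss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}

# Constructed sample snapshot mirroring the scenario in the thread: one
# legitimate conhost.exe under csrss.exe and one started by the browser.
SAMPLE = [
    Proc(4, 0, "System"),
    Proc(400, 4, "smss.exe"),
    Proc(480, 400, "csrss.exe"),
    Proc(520, 400, "wininit.exe"),
    Proc(600, 520, "services.exe"),
    Proc(700, 480, "conhost.exe"),      # legitimate console host
    Proc(1300, 600, "explorer.exe"),
    Proc(2100, 1300, "iexplore.exe"),
    Proc(2500, 2100, "conhost.exe"),    # anomalous: console host under the browser
]


def parent_chain(procs, pid, limit=8):
    """Return the ancestry of a pid as a list of image names (nearest parent first)."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    current = by_pid.get(pid)
    while current is not None and len(chain) < limit:
        current = by_pid.get(current.ppid)
        if current is None:
            break
        chain.append(current.name)
    return chain


def find_anomalous_parents(procs):
    """Return (pid, name, ppid, parent_name) for every monitored process whose
    parent is missing from the snapshot or not in its expected-parent set."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENTS.get(p.name.lower())
        if expected is None:
            continue  # not a process we have an expectation for
        parent = by_pid.get(p.ppid)
        # A missing parent (exited, or PID not in the snapshot) is reported too,
        # because the relationship cannot be verified either way.
        parent_name = parent.name.lower() if parent else "<missing>"
        if parent_name not in expected:
            findings.append((p.pid, p.name, p.ppid, parent_name))
    return findings


if __name__ == "__main__":
    for pid, name, ppid, parent_name in find_anomalous_parents(SAMPLE):
        chain = " <- ".join(parent_chain(SAMPLE, pid))
        print(f"{name} (pid {pid}) spawned by {parent_name} (pid {ppid}); ancestry: {chain}")
```

Run against the constructed snapshot it reports only the conhost.exe under iexplore.exe; a live run would feed it the output of a process enumeration instead of `SAMPLE`. The check only covers the parent relationship, so it says nothing about an explorer.exe that has been injected in place, which needs memory-level monitoring as the post notes.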
@Rasheed187 Even if I would agree with some propositions/demands from your list, some of them could be useless or hard/inconvenient to deal with. Look at the list of "trusted" what is your expectation loooong time ...SS has its own list in which there are ca 10000 (maybe more today) entries and the question is - how many of them do you know well?...how many can you recognise or connect with some application/process? A few dozen?...a few hundred?...one thousand? And what about the rest? As I remember we never had access to Online Armor's OASIS and then AMN (the same with Mamutu and EAM)...the same with e.g. PCTools and perhaps Symantec. This feature - WL/BL - can be only enabled or disabled (except individual rules made by the user). We have a similar situation in SS...even more - we can enable/disable the WL feature for each single action listed on the "list of monitored actions".
I have been advised by SpS staff that they plan a lot of improvements in their products over the next year. I think they are aware of a number of issues, however they didn't mention what they would be changing, adding, improving to SpS. We'll all just have to wait and see what they come up with...
I'm trying to visualize, if it's Locky then I assume it's being injected into conhost.exe because it's a trusted system process? This would indeed bypass anti-exe without strict parent-child process control. That's why sandboxing also is not a bad idea, because conhost.exe will still run with low rights, without any direct access to file system, so Locky wouldn't be able to do any damage. And anti-exploit like HMPA/MBAE would also most likely block this. Sounds good to me, but I'm a bit skeptical based on the lack of response to some of my requests.
Well, can you tell me which of them could be useless and hard to deal with? I believe most of them are simple features. And about the "Trusted Signers" list, if SS has a list of 10000 software companies which are allowed to run without any alerts, this would be a huge security risk. Comodo Cloud AV also has a list but it's not enabled by default.
Actually I use "Allow Microsoft", since I'm not sure what the Medium and High security level will allow. That's my whole point, this should be visible to the user.
@ichito - @Rasheed187 wants option to edit trusted vendors - like in NVT ERP or COMODO. It is valuable to those that want to allow only those files they have white-listed on system. One way is not better than the other, but I think Datpol created it in a way so typical user will not smash their system. So it hides (hard codes) some things. Since user can define parent > child execution rules in SpS I think ability to edit trusted vendors is not so important; just set "Ask User Always" and everything is monitored - except for critical Windows processes that Datpol was smart about not exposing to user tampering - lest they smash their system. Imagine user creating block rule for svchost.exe or something worse, winlogon.exe - with early start service enabled.
Yes I agree, this request hasn't got any high priority. The other ones that I mentioned are much more important to me.
I think Datpol implementation is designed to prevent typical users from smashing their systems. GUI stuff - they are aware of the criticisms and complaints.
http://www.softpedia.com/get/Security/Security-Related/SpyShelter.shtml 50% discount (1 year, single pc)
Hello, SpyShelter version 10.7.6 has been released:
Homepage: https://www.spyshelter.com/
Download: https://www.spyshelter.com/download-spyshelter/
Blog: https://www.spyshelter.com/blog/
Changelog: https://www.spyshelter.com/blog/spyshelter-changelog/
BTW, another reason why it would be handy to have this is because I noticed that if you disable "auto allow for trusted components", SS will start to alert you about system processes, even in "allow Microsoft" mode. So an option to simply trust only MS-signed applications would be nice.
Does someone know how the auto-clean rules option in the general settings tab works? I have to do it manually each time; maybe this option just works on manually created rules, not on ones created by SS itself!!!
There is no auto-clean in SpS. It is manual rules clean-up only. I asked SpS about it. They said it is not a good idea in case malware modifies files.
I tested EIS a while ago and it simply "auto-deleted" firewall rules from uninstalled programs. And after testing SpS I thought it would do this too ("auto-clean rules"), and I wondered because rules were not deleted. But good to know that it has to be done manually in SpS.
BTW, I was playing with the anti-exe function and is it true that it only monitors child process execution? I never really checked it out, because I'm already using ERP.
For those who haven't noticed, there is a new competitor in the neighbourhood: https://www.wilderssecurity.com/threads/rehips.364248/
Yeah, yeah, yeah... get my hopes up again... STABLE isn't out yet. *shakes his head* ReHIPS hype is starting to turn into a Kardashian sex-tape.
I don't consider it to be a true competitor since I don't believe it will alert about suspicious behavior. Anyone? Is it correct that SS allows explorer.exe and other system applications to start any app without an alert?
Appears what I circled below controls this? You would have to set it to "ask" for any app you wish to monitor other app startups. Then create a specific rule for that app startup.