You are correct in that if malware can be stopped at the dropper stage, then it cannot execute its more advanced payload infection methods. The problem is that current malware is increasing resorting to using valid Win processes against itself. These are the ones that can slip though HIPS or anti-exec detection. An example of such I posted here: https://www.wilderssecurity.com/thre...erception-software.385640/page-2#post-2591396 that applies to anyone using Vista or Win 7.
Yes, so in other words, don't let untrusted apps launch system apps for no good reason, and you're good to go.
I don't know about the RMI blocking capabilities of SpS since I never tested any malware against it that used RMI. The developers are sketchy about clearly stating what SpS can\cannot block. * * * * * As far as hollow process, SpS cannot block it; you have to know which child processes to block - e.g. explorer.exe, svchost.exe, etc - which, to me, requires way too much of the user. Effective use of SpS requires practicing with actual malware in order to learn malware behaviors. When you do this you will quickly learn SpS' quirks - which are more than a few. The rule I would follow is to block any User Space process from executing a System Space process. * * * * * Because SpS is sketchy in some areas and the price of a lifetime license is $100+, I have opted not to use it. The only way to protect your system completely with SpS is not to execute any unknown\untrusted files in the first place. If that is the case, then I don't need SpS as there are much cheaper (and arguably better) alternatives. * * * * * The fact is that SpS' protections are not quite there yet for 64-bit systems -- and based upon replies and interaction with support -- I am not entirely confident that Datpol will be able to make SpS at least equivalent -- overall -- to other solutions. For example, Datpol keeps saying they are going to fix all issues with their interface, but they have been saying this for a long time.
Probably yes...so I tried make "global deny rule" for explorer.exe using "Application Execution Control" in "Rules" module in SSFW...in Premium it's not available. I've highlighted explorer.exe on the list of parent proceses (on top) and than in bottom box and set rule "block" for it. I don't know how it will work in praxis but I know that the same rule for file manager block launching any file. ----------------- Edit: it doesn't work...no way to launch usual apps.
That's no surprise, of course explorer.exe should be allowed to launch child apps. I think SS should only alert about system apps that are being launched from C:\Windows. It should not alert about ALL child processes (like .tmp processes), because during software install it becomes annoying, but you can not choose "Install Mode" since it will then stop monitoring of all suspicious behavior. I know what you mean, but I still think it's better than other competing solutions. The license is a bit expensive, I think 20 bucks a year and 50 bucks for the lifetime license is more realistic, perhaps it would even boost sales who knows. And they should scrap SSFW, the anti-exe and firewall feature should be offered in SS Premium.
The only HIPS alternative product for 64-bit systems is ReHIPS - but it only monitors execution. Instead of full spectrum action monitoring it instead uses Windows' built-in containment protections (separate user profiles for each application which are isolated from each other).
I know. I meant essentially HIPS-only alternative. COMODO HIPS would be great -- if they can only fix the "disappearing rules" bug.
I'm not sure why people are so excited by ReHIPS, it's mostly focused on isolating. Sandboxie is already quite good doing that. When it comes to standalone HIPS (behavior blockers) SS is far from perfect, but I still prefer it over Comodo and others. Also, let's not forget that HIPS is the lastline of defense, AV and AE combined with common sense should keep malware from your system in the first place. Against the most advanced malware most HIPS will fail anyway, but that doesn't mean I also want to see SS reach a higher level of protection.
ReHIPS' HIPS acts completely as anti-executable. It is not a full HIPS like COMODO, Eset or SpyShelter. ReHIPS' isolation\containment doesn't use User Mode Hooks. Sandboxie uses User Mode Hooks and that is one area where it is susceptible. Either way - User Mode Hooks or no User Mode Hooks the risk is quite small -- so either ReHIPS or Sandboxie are worthwhile. ReHIPS is a good program, but it still needs bug fixes and usability improvements.
Perhaps it shouldn't even be called a HIPS, if it doesn't alert about suspicious behaviors. And a lot of security tools are using user mode hooks, I don't see how it's an advantage if ReHIPS doesn't. Here some more info: http://www.malwaretech.com/2014/10/usermode-sandboxing.html
Hello, SpyShelter version 10.7.7 has been released: Homepage: https://www.spyshelter.com/ Download: https://www.spyshelter.com/download-spyshelter/ Blog: https://www.spyshelter.com/blog/ Changelog: https://www.spyshelter.com/blog/spyshelter-changelog/
Because of this http://www.reuters.com/article/us-cybersecurity-sharing-virustotal-anal-idUSKCN0XY0R4 http://blog.virustotal.com/2016/05/maintaining-healthy-community.html BTW..no news from Datpol
hope the no skin revert back.or theme completely removed plus i think the next product should be Spyshelter Internet Security as i see bellow key in registry Code: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyshelterInternetSecurity_is1 this is just my guess
"SpyShelter 10.7.8 (17/June/2016) Changelog: – Added cleaning rules feature for parent/child processes at App Exec control – Added option to improve compatibility with remote control tools – Keystroke Encryption driver compatibility improved – Fixed BSOD in KE driver on 32 bit systems" "SpyShelter 10.7.8 brings a couple of new features and improvements. We have added an option which makes it possible to operate SpyShelter via various Remote Control applications (such as Teamviewer). This option is available in Settings>Security and is turned off by default. System restart or SpyShelter restart might be required after enabling this option. Application Execution Control at SpyShelter Firewall received a Cleanup feature. It allows to clear the rules created for temporary and nonexistent files. In order to clean up the rules in App Execution Control, simply right click on the list of applications and choose Cleanup option from the dropdown menu. Keystroke Encryption received further compatibility upgrades and a rare crash that could occur on 32bit systems has been fixed." https://www.spyshelter.com/blog/spyshelter-10-7-8-released/#more-6851
Actually, I expected that the new ruling wouldn't affect tools like SS. I'm a bit surprised, but it's not a big deal since you can still use VT Uploader.
Hello folks, Have anyone experienced problems on Windows 7 x64 boot after updating to SpyShelther Premium 10.7.8 from 10.7.7? Best regards, Aeolis
BTW, the thing that still drives me insane is the "log window", it's useless to me in its current state. It logs all executions, and also allowed and blocked behaviors of trusted apps, making it way too cluttered. Even worse, you can't even see what is blocked/allowed until you click on an entry and there are no app icons visibile. It should have been like in NG and OSSS, see screenshots.
Hmmm...except possibilty to scan on VT suspicious/unknown process directly from alert what was sometimes useful
