SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. hjlbx

    hjlbx Guest

    Last night I tested SpSFW against Cerber and CTB Locker.

    Cerber - managed to damage the Windows boot loader and I had to clean install W7. As I sit here I'm 7 hours into waiting for Windows Update to complete.

    The sample used bcdedit.exe to modify the system to boot into Safe Mode with Networking. I selected "Deny" in all the bcdedit alerts - but I can't definitively determine what and why it happened.

    CTB Locker - encrypts all User Space unprotected folders.

    CTB Locker sample I used employs its own process to encrypt files - so its one of those ransomware variants that once you execute it then there is nothing that can be done about it; its not SpyShelter's fault as it doesn't have rapid-file modification detection and termination. If you have protected folders, then those files won't be encrypted - so there is a mechanism in SpS products to protect your most valuable files.

    And it doesn't make a difference if you run the CTB Locker as a Restricted App. Same result.

    Use SpS as default-deny and all of this is a moot point.

    * * * * *

    More malware testing does indeed need to be done. However, when I did it and made videos and procedures to replicate - and submitted each one to Datpol with care - well... you already know what happened. I told you.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for testing SS against these samples, we need more of this. And yes, the results are not that great, so this should be definitely be investigated further by the developers. I also hope that member ald4r1s will post screenshots of his test, because I wonder what SS alerts about. The thing is, there is no "hollow process" alert.
     
  3. hjlbx

    hjlbx Guest

    There are some improvements. Did you notice that Datpol removed the "Not fully supported on W8 64 bit" reference on the Restricted Apps info tab. Not sure what that means - if anything.

    Maybe after killing-off SpS Free (which they should have done long ago) the company will have more time to devote to their paid products.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    LOL And you'll sit another 7 hours, perhaps forever. Known issue.
     
  5. hjlbx

    hjlbx Guest

    LOL... I know, I know. W7 will be updated Oct 31st.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    :argh::eek::gack:
     
  7. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Try this to - http://superuser.com/a/996072

    Fix
    Microsoft released a new Windows Update Client Update to fix the slow update searching/installation problem:

    Installing and searching for updates is slow and high CPU usage occurs in Windows 7

    1. Download:
    2. Stop Windows Update service. This speeds up the setup of MSU updates and the useless steps from Moab are not required. This can be done from the command line, or from the service manager window.
    3. Try the downloaded update and see if it speeds up the installation of Updates.
     
  8. hjlbx

    hjlbx Guest

    Thanks bro...
     
  9. Schorg

    Schorg Guest

    If you don't mind me asking, out of interest if you selected terminate instead of deny on bcdedit alert would there have resulted in a different outcome? Or adding bcdedit to Application execution control <All components>

    Also would it be beneficial to add all vulnerable processes to Application execution control <All components> using the create a rule(no file hash checking)

    Thanks for taking the time in testing.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I can turn off all my other security software and for some reason I just can not get this free antikeylogger program to enable.
     

    Attached Files:

  11. hjlbx

    hjlbx Guest

    I would create Deny rules for all vulnerable processes under Application Execution Control.

    Termination of bcdedit, instead of Deny, could very well have resulted in a different outcome. On top it, the damaged boot loader prevented Rollback RX from reverting the system - so I had to submit a report to Horizon DataSys.

    More testing needs to be done, but I think SpS is very good option to craft tough default-deny configuration. I like that SpS is so very light - I did the testing on a 10 year old Pentium system without any system slowdown.
     
  12. Schorg

    Schorg Guest

    Thanks @hjlbx for your quick reply, I am in the process of adding all vulnerable processes to Application execution control <All components> - using create a rule(no file hashing checking), gave up last time when windows 10 au resulted in hash changes and rules becoming obsolete.

    Very time consuming, but welcome your recommendation.

    I agree more testing needs doing shame your malware testing sent to Datpol ended that way.
     
  13. hjlbx

    hjlbx Guest

    I asked Datpol to implement "Auto-purge" when a files hash has changed and a new rules is created.

    Whomever I was communicating with at Datpol stated that is not a good idea for computer forensics.

    I told they updates fix bugs and more importantly patch vulnerabilities - so the user does not want an old program rule to remain in rules database - but tech insisted this is not the way to do it. LOL...

    I think this is why they implemented the no hash creation.
     
  14. Schorg

    Schorg Guest

    Glad they have implemented the create a rule(no file hash checking).

    I can tell you I was disappointed when all my vulnerable processes rules were obsolete.

    Maybe they are slowly adding your suggestions?
     
    Last edited by a moderator: Oct 18, 2016
  15. Agree completely

    upload_2016-10-18_23-55-21.png

    Default Intrusion Deny in Folders of vulnarable programs
    (works for Free and Premium)
    upload_2016-10-19_0-13-58.png

    That is why SpyShelter Free
    (medium Auto-allow) co-operated so nicely with VoodooShield Free (in Auto-Pilot mode), very little false positives and not many user pop-ups asking to allow stuff
     
    Last edited by a moderator: Oct 18, 2016
  16. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    @hjlbx
    Thanks for interesting test...I'm the fan of SS so it's hard to not to question the results :) I want to ask you about used its settings:
    - which level of protection was used?
    - you have used enabled fatures like such:
    "Auto-block suspicious behaviour"
    "Terminate child processes" and "Terminate all instances"
    "Block registering of non exist driver"
    - if deny some action do you enable option "Apply the choice to all actions for current module" in alert window?
    I think options above can rise the level of protection especially if we also protect specific localisations with our privat/sensitive data...what is also avaliable in SS.
     
  17. Use spyshelter protected registry keys to block HKCU intrusions (I know I have also one HKLM to prevent 16 bits apps being enabled).

    Does DatPol/SpyShelter has a list of keys which they protect?

    upload_2016-10-19_9-19-10.png
     
    Last edited by a moderator: Oct 19, 2016
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I also noticed that all my vulnerable processes hashes changed when upgrading to Windows 10, and was also disappointed if this was going to be the case with each major update ...
    As an aside and slightly OT, this was in NVT ERP and this program does do file hash checking for vulnerable processes as far as I know. @hjlbx advised to untick 'Allow Microsoft Windows system protected processes' and and 'Do not allow signed processes' to get around this in that program.
     
    Last edited: Oct 19, 2016
  19. hjlbx

    hjlbx Guest

    1. Ask User
    2. I did not enable Auto-block suspicious behavior - as that setting is an anti-executable; the setting does work. However, the point of the test was to execute a malware and see if the HIPS would detect malicious actions.

    After an unknown file is executed, SpS HIPS is not built to detect and prevent some things. Below are just a few:

    A. Rapid file modification
    B. Script actions (no command line parser) - for example a malicious script that deletes the hard drive contents

    If you allow the interpreter to execute, then SpS isn't going to protect the system in many cases - because doesn't have a command line parser

    C. Install of firmware - like flash BIOS

    It's no big deal... as virtually every other HIPS I have used is essentially in the same boat

    3. Terminate works in most cases, however I submitted a few files to Datpol where Terminate could not kill the process - and neither could Process Explorer or Task Manager

    Any how, Terminate is going to be the appropriate option to select in virtually all unknown\untrusted cases (default-deny)

    4. Apply the choice to all actions doesn't make a difference because of 2.

    Once the CTB Locker sample was executed, SpS HIP

    * * * * *

    The whole point of the test was not to Terminate in every SpS HIPS alert, but instead to validate the Deny option in each Alert.

    If you select Terminate in every HIPS alert, then you might as well use a much less complex anti-executable - like NVT ERP, Voodooshield, etc. Upon execution select Block\Terminate and potential threat is terminated - and there isn't any need for additional HIPS functionality.
     
  20. hjlbx

    hjlbx Guest

    I don't think a Datpol suggested protected_reg_key list exists.

    It's all learn-as-you-go trial-and-error...
     
  21. Schorg

    Schorg Guest

    Hi @paulderdash,

    Its a pain, restore rules/vulnerable processes. I like NVT ERP shame development has slowed , but seems like near future reading the SOB thread may get restarted.
     
  22. Schorg

    Schorg Guest

    Maybe you could add to SpyShelter's configure external file analyzers - VirusTotal, VoodooAi(standalone) portable etc to assist in unknown cases when SpyShelter alerts you and if still unsure terminate.

    Thank you, good to be aware of HIPS limitations.
     
  23. hjlbx

    hjlbx Guest

    It is better to use virtualization - like Shadow Defender - or rollback soft like Rollback RX.
     
  24. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    @hjlbx
    OK...I understand your point of view...it's true not change default settings if we want to test the level of sensivity and possibility to block certain attack but such settings could be useful in our daily job with SS.
    BTW...auto-block suspicious action means not only "block execute"...it means also block "not allowed" to this time action (list of monitored actions) so process allowed to execute can be axecuted but its not detected and allowed action will be blocked.
    What about the firmware...do you think in how way HIPS should react in such software...how deep?

    @Schorg
    why you don't use "export settings/rules" in SS or other apps like ERP? It's reasonable to do so from time to time...try it...it works :)
    And remember...it's much easier talk what is bad and to complain than talk about advantages ;)
     
  25. guest

    guest Guest

    So there are 2 lists (internal + custom) for protection of the registry?
    a) "internal registry protection feature"
    b) "custom protected registry keys"
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.