SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. Schorg

    Schorg Guest

    Yes, very true. I have Shadow Defender; I was interested in trying Rollback RX, but I read that there is an issue with SSDs regarding TRIM. Has that issue been resolved?
     
  2. Schorg

    Schorg Guest

    Yes, I regularly use export/import of SpyShelter rules, but there is an issue/bug at the moment: when you create more than one rule via "create a rule (no file hash checking)", SpyShelter only imports the first rule you created via "create a rule (no file hash checking)".

    I do believe the issue/bug has been fixed and will be available with the next update, which I am looking forward to. :)

    Sorry, I do like SpyShelter and I would not have purchased SpyShelter Firewall if I did not. ;)

    It's always good to know both the advantages and the limitations of any security software.
     
    Last edited by a moderator: Oct 19, 2016
  3. Schorg

    Schorg Guest

    Hi @mood, you are spot on;)
     
  4. hjlbx

    hjlbx Guest

    Yes

    He asked if Datpol has made a suggested custom list and made it publicly available. Datpol hasn't.

    It's the same situation as other products that have some type of reg_key feature - like Shadow Defender, WinPatrol, etc - none of them publish a list. There is no guidance other than "we have this feature."
     
  5. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
  6. hjlbx

    hjlbx Guest

    There is a bug in 10.8.8 Restricted Applications.

    When you attempt to save a file - such as a downloaded file from within a browser or from within a PDF reader - then the CPU will spike and Explorer will hang for a minute or so...
     
  7. hjlbx

    hjlbx Guest

    Using SpyShelter alone, I cannot see an advanced user ever getting a persistently infected physical system - not unless they make a huge blunder or are just plain negligent.

    That being said, the reason why I post things about SpyShelter is not to bash or badmouth it. My message is always: "Never underestimate malware... because it has been shown over-and-over that it will somehow manage to mess with your peace of mind. On top of it, security softs can't do everything despite how they are marketed."

    So if I know or learn something about a security soft I will post it so that others do not find out later - when it is too little, too late. I am used to getting negative responses to such posts. There is a certain AV whose vendor I report bugs to. The fanboys always gang up on me and slam my reports, meanwhile I receive private messages from the developers: "Hey, good catch... Thanks for your report." LOL...

    I will give you an example. Horizon DataSys states that their products are bullet-proof. Well, they forgot to make sure that malware cannot modify the Windows boot loader via bcdedit.exe - because when that happens - it can corrupt\damage Windows loading itself and thereby makes the HDS Subsystem Console worthless. In short, there is no way to rollback the system. I'm sure there are ways to repair the situation, but I am not a disk guy and plus, I do not want to spend hours with various utilities or Windows repair only to find out that none worked - so I just clean installed the OS because. I just went through this entire scenario testing Cerber.

    Another example is Shadow Defender. It does not virtualize non-disk areas of the system - such as firmware - so in some way it can be bypassed at a low level. That is a given, but actually finding malware that can leverage this "vulnerability" is an entirely different matter - so it is not something to fret about.

    What you don't know about your softs is more than just a pain in da arse - it can hurt you.

    * * * * *
    I wish Datpol would specifically state which dangerous monitored actions are blocked for Restricted Applications. Restricted Applications does not block every single monitored action listed under Settings > Monitored Actions - for a single example, Restricted Applications allows connections to the network.

    * * * * *

    I wish Datpol would manage to suppress the desktop.ini alerts for Protected Folders.

    * * * * *

    I think the primary problem for typical users when relying upon HIPS is that the alerts amount to gibberish for them. Even when I test a HIPS against malware the test is basically a form of "practice" because I am learning both the malware behavior and how it shows up in the HIPS alerts.

    * * * * *

    There is only so much HIPS can be designed to do without it just becoming too overly burdensome. If it gets too deep then it can amount to COMODO HIPS in Paranoid Mode = unusable due to the massive number of alerts; all you do is respond to HIPS alerts and nothing else.
     
  8. hjlbx

    hjlbx Guest

    @Windows_Security

    Why did you take down the posted denied Read\Write access policy for .NET Framework mscoree.dll?
     
  9. hjlbx

    hjlbx Guest

    SpS is extremely - extremely - light on the system.

    I tested on a 10 year old Pentium system with 3 GB RAM running W7 Ultimate and there is perhaps only a few seconds' difference in restart\boot times. It is such a small time difference that actually measuring it is quite difficult.

    :thumb:
     
  10. Schorg

    Schorg Guest

    Hi @hjlbx

    I sincerely appreciate your time and effort and hope you continue to do so for many years to come.:)
     
  11. hjlbx

    hjlbx Guest

    I mess with SpS in my free time because I like it. It is one of the very few good security softs.
     
  12. hjlbx

    hjlbx Guest

    Can anyone explain to me how the Auto Clean Up Rules feature works?

    Does it function only for uninstalled\removed programs - and not temp files from installers?

    I pointed out to Datpol that retaining a rule for an old version of a program - for example a browser - is not a good idea.

    1. Updates for browsers, PDF readers, video players, etc are very often for security purposes - specifically to patch vulnerabilities.
    2. Because of 1, you don't want the rules for a prior, less secure version of a program to remain on the system.
    3. Ideally, we don't want a user to install an old version and then there are existing rules that allow it.

    The above is the reason that Andreas provides the setting to purge old rules when the file hash changes. It is an opt-in setting.

    Datpol replied that it is not good to auto-delete prior rules, for forensic purposes. I see their perspective, but I think greater security without the user having to think about it or do anything is a more ideal solution.

    Of course you can manually delete the prior rules - as I have never seen Spyshelter auto clean any rules. Perhaps I did not give it enough time.

    I suppose it is not a huge deal since the typical SpS user is at least at the intermediate level and knows how or will figure it out.

    Does the auto-clean rules functionality only work in the paid version - and not in the trial version?
     
    Last edited by a moderator: Oct 20, 2016
  13. Schorg

    Schorg Guest

    Unfortunately I always manually cleanup my rules after any installation or upgrade.

    I honestly don't know about auto cleanup, sorry I am unable to assist you.

    If you manually clean up and tick "check file hash", any programs with obsolete file hashes have their rules listed for removal. All old browsers etc. are listed for removal; I have never seen any old program rules remain in the rules once you manually clean up.

    Edit : Does auto cleanup work differently?

    Hope this helps:)
     
    Last edited by a moderator: Oct 20, 2016
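The hash-checked cleanup described in the two posts above, as an added example (not SpyShelter's or Datpol's code; SHA-256 and the three statuses are assumptions): it classifies each rule as current, as naming a binary whose hash has changed since the rule was made (an updated program), or as naming a file that no longer exists (an uninstalled program or an installer temp file), so the user can see which of those cases a cleanup would remove.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path) -> str:
    # SHA-256 is an assumption; the thread does not state which hash SpyShelter stores.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def classify_rules(rules):
    """rules: list of (image path, hash recorded when the rule was created).
    Returns {path: "CURRENT" | "HASH_CHANGED" | "MISSING"}."""
    status = {}
    for path, recorded in rules:
        if not os.path.exists(path):
            status[path] = "MISSING"        # uninstalled program, or installer temp file now gone
        elif sha256_of(path) != recorded:
            status[path] = "HASH_CHANGED"   # binary was updated; rule still names the old build
        else:
            status[path] = "CURRENT"
    return status

def obsolete_rules(rules):
    """Paths whose rule a 'check file hash' cleanup would list for removal."""
    return sorted(p for p, s in classify_rules(rules).items() if s != "CURRENT")

def demo():
    """Constructed scenario: a patched browser, a vanished installer temp file, an unchanged tool."""
    with tempfile.TemporaryDirectory() as d:
        browser = Path(d) / "browser.exe"
        browser.write_bytes(b"old build")
        rules = [(str(browser), sha256_of(browser))]   # rule created against the old build
        browser.write_bytes(b"patched build")          # security update replaces the binary
        rules.append((str(Path(d) / "setup_tmp.exe"), "0" * 64))  # temp file deleted after install
        tool = Path(d) / "tool.exe"
        tool.write_bytes(b"unchanged")
        rules.append((str(tool), sha256_of(tool)))     # rule still matches the binary
        return {os.path.basename(p): s for p, s in classify_rules(rules).items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```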
  14. hjlbx

    hjlbx Guest

    Just tested SpSFW for *.dll injection on W10 Home 64 bit.

    Using the Diskmark utility you will get an alert for monitored action 29 - Modifying Process Memory; possible remote dll injection.

    10/21/2016 4:12:41 AM,C:\Program Files\WindowsApps\45313CrystalDewWorld.CrystalDiskMark5ShizukuEditio_5.2.0.2_x64__f9n0g0ncbtket\DiskMark64S.exe,29,Allowed ;Modifying process memory (diskspd64.exe(pid=5596))

    However, using the Security Exploded Remote DLL injection utility I was able to inject (there are other utilities freely available online):

    C:\Windows\WinSxS\amd64_microsoft-windows-printing-wsdahost_31bf3856ad364e35_10.0.14393.206_none_36f93b6d31be6a74\PrintWSDAHost.dll

    into notepad.exe using CreateRemoteThread - just as an example - with no alert for monitored action 36 - Injecting dll (logs below).

    You can open Process Explorer, Process Hacker, etc. and filter for PrintWSDAHost.dll - it is loaded into the Notepad process; you will not find a line item for monitored action 36 - Injecting dll below.

    You will only get alerts for monitored action 36 - Injecting dll on 32 bit systems.

    10/21/2016 4:35:48 AM,C:\Windows\explorer.exe,53,Allowed ;Execution of an application ("C:\WINDOWS\system32\notepad.exe" )
    10/21/2016 4:36:03 AM,C:\Users\HJLBX\Desktop\RemoteDll\RemoteDLL_Software - 1\Portable Version\RemoteDll64.exe,57,Allowed ;Opening protected process for reading access (explorer.exe(pid=4040))
    10/21/2016 4:36:37 AM,C:\Windows\System32\svchost.exe,53,Allowed ;Execution of an application (C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5})
    10/21/2016 4:38:33 AM,C:\Windows\System32\svchost.exe,53,Allowed ;Execution of an application (consent.exe 660 432 000001E8443D2040)
    10/21/2016 4:38:33 AM,C:\Windows\System32\svchost.exe,53,Allowed ;Execution of an application (C:\WINDOWS\system32\AUDIODG.EXE 0x3d
    10/21/2016 4:38:33 AM,C:\Windows\System32\svchost.exe,53,Allowed ;Execution of an application (/QuitInfo:0000000000000768;0000000000000764; )
    10/21/2016 4:38:35 AM,C:\Windows\System32\svchost.exe,53,Allowed ;Execution of an application (C:\WINDOWS\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E})
    10/21/2016 4:38:35 AM,C:\Windows\System32\svchost.exe,53,Allowed ;Execution of an application (/QuitInfo:0000000000000768;0000000000000764; )
    10/21/2016 4:38:35 AM,C:\Windows\System32\svchost.exe,53,Allowed ;Execution of an application (C:\WINDOWS\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E})
    10/21/2016 4:38:36 AM,C:\Windows\explorer.exe,53,Allowed ;Execution of an application ("C:\Program Files\Process Hacker 2\ProcessHacker.exe" )
    10/21/2016 4:38:36 AM,C:\Program Files\Process Hacker 2\kprocesshacker.sys,39,Allowed ;Registering driver or service
    10/21/2016 4:38:37 AM,C:\Program Files\Process Hacker 2\ProcessHacker.exe,57,Allowed ;Opening protected process for reading access (explorer.exe(pid=4040))
    10/21/2016 4:39:21 AM,C:\Program Files\Process Hacker 2\ProcessHacker.exe,40,Allowed ;Opening process or thread for modify access (SpyShelterSrv.exe(pid=1444))
    10/21/2016 4:40:29 AM,C:\Windows\System32\svchost.exe,53,Allowed ;Execution of an application (C:\WINDOWS\system32\DllHost.exe /Processid:{448AEE3B-DC65-4AF6-BF5F-DCE86D62B6C7})
     
    Last edited by a moderator: Oct 21, 2016
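The log lines quoted in the post above have a fixed shape (timestamp, image path, action id, verdict, then a detail after " ;"). As an added example, not part of the post and not SpyShelter's code, the parser below reads that format and lists every process-open alert (actions 40 and 57) that was not followed by an "Injecting dll" (action 36) alert, which is exactly the gap the post points out on 64-bit. The sample lines are constructed from the post's log, with paths shortened.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the format SpyShelter's log takes in the post:
# "<timestamp>,<image path>,<action id>,<verdict> ;<detail>"
SAMPLE_LOG = r"""
10/21/2016 4:35:48 AM,C:\Windows\explorer.exe,53,Allowed ;Execution of an application ("C:\WINDOWS\system32\notepad.exe" )
10/21/2016 4:36:03 AM,C:\Users\HJLBX\Desktop\RemoteDll64.exe,57,Allowed ;Opening protected process for reading access (explorer.exe(pid=4040))
10/21/2016 4:38:36 AM,C:\Program Files\Process Hacker 2\ProcessHacker.exe,57,Allowed ;Opening protected process for reading access (explorer.exe(pid=4040))
10/21/2016 4:39:21 AM,C:\Program Files\Process Hacker 2\ProcessHacker.exe,40,Allowed ;Opening process or thread for modify access (SpyShelterSrv.exe(pid=1444))
"""

# Action ids as named in the thread: 36 = Injecting dll, 40 = opening process or
# thread for modify access, 57 = opening protected process for reading access.
INJECT_DLL = 36
PROCESS_OPEN = {40, 57}

@dataclass
class LogEntry:
    ts: datetime
    image: str
    action: int
    verdict: str
    detail: str

def parse_line(line: str) -> LogEntry:
    # The first three fields contain no commas; the detail may, so split at most 3 times.
    ts, image, action, rest = line.rstrip("\r\n").split(",", 3)
    verdict, _, detail = rest.partition(" ;")
    return LogEntry(datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"),
                    image, int(action), verdict.strip(), detail.strip())

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def actions_seen(entries) -> Counter:
    return Counter(e.action for e in entries)

def uncovered_process_opens(entries, window_s: int = 60) -> list:
    """Process-open alerts with no 'Injecting dll' alert within window_s seconds after them."""
    inject_times = [e.ts for e in entries if e.action == INJECT_DLL]
    uncovered = []
    for e in entries:
        if e.action not in PROCESS_OPEN:
            continue
        if not any(0 <= (t - e.ts).total_seconds() <= window_s for t in inject_times):
            uncovered.append(e)
    return uncovered

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("actions seen:", dict(actions_seen(entries)))
    for e in uncovered_process_opens(entries):
        print(f"no action 36 after {e.ts} {e.image} (action {e.action}): {e.detail}")
```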
  15. Schorg

    Schorg Guest

    Hi @hjlbx

    So does that mean you were able to block the Diskmark utility from carrying out dll injection?

    And with Security Exploded Remote DLL injection, the dll injection was carried out without any alerts.

    Do these two apps use different methods of dll injection?

    Could you explain it more, as I am interested? Thanks.

    Are you carrying out any more tests? If so, I would be interested, thanks.
     
  16. hjlbx

    hjlbx Guest

    With Diskmark, SpS detected process memory modification - but added a note in the alert that it is similar to remote dll injection (but it is not remote dll injection).

    With the DLL injection utility it is actual DLL injection.

    SpS on 64-bit can detect certain memory modification, but cannot detect DLL injection; it can only detect and prevent DLL injection on 32 bit systems.
     
  17. Schorg

    Schorg Guest

    I see, so SpyShelter can detect certain memory modifications, which you demonstrated with diskmark utility.

    But cannot detect dll injection, which you demonstrated with Security Exploded Remote DLL injection.

    Thanks for your explanation:)

    EDIT:- @hjlbx if you don't mind me asking if you combo SpyShelter with Excubits Memprotect would this prevent process hollowing & dll injection?
     
    Last edited by a moderator: Oct 21, 2016
  18. hjlbx

    hjlbx Guest

    If you set SpS to default-deny configuration (Block all suspicious actions after whitelisting) then there is very little to worry about.

    Most people that use a program like SpS are not indiscriminate and take care to make sure that they are installing\running safe softs.

    The problem with HIPS is that if you rely upon it to protect your system, then under certain circumstances it will not - this is true of all HIPS.

    Because of this a good Application Control soft (anti-exec, HIPS, software restriction policy) combined with a light virtualization, rollback or image restore soft is a very good combo for the circumstance where security soft protections just don't work out for you. It is not an overly complex combo and works really well.
     
  19. Schorg

    Schorg Guest

    Thanks for your reply:)

    Good to know:)

    I would include myself in this statement, spot on;)

    Looks like I have all bases covered, once again thank you:)
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, I totally agree, it is important to keep testing tools. Search for "Webroot SecureAnywhere Versus Trusteer Rapport Comparative Analysis 2015 Q2", I wonder how SS would perform in such an extensive test.

    Yes, certain things are unclear. But it would be cool if they added virtualization to the sandbox.

    I also haven't got a clue what that means. The thing what annoys me is that I'm not seeing the improvements that I want to see.

    This is a serious flaw. I think SS perhaps doesn't monitor certain kinds of code injection methods? I'm not sure what to think, perhaps I should switch to another HIPS or add an additional tool to cover this.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, in certain cases it's probably best to quickly terminate certain processes, because sometimes HIPS have difficulty correctly blocking certain things.

    I have asked for such a feature in the past, SS should indeed add detection for "rapid-file modification", this would at least give you a chance to stop most damage done by ransomware. I believe that HMPA and MBARW use more advanced file system monitoring methods, but even they are sometimes bypassed. WAR does perform better because it's sort of a next gen AV, comparable to Cylance, but I don't believe it watches the file system.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, it would be a smart move for Datpol to improve and add certain features. Then they could also market it as anti-ransom and anti-exploit, this will generate even more sales. In fact, it will already block most exploits because of the anti-executable feature. I believe that HIPS should be able to tackle all kinds of malware, no matter if it's ransomware, banking trojans or keyloggers.

    And they could also enhance the "auto block suspicious behavior" feature. It should be able to spot the two different process hollowing methods. Actually, I don't even know which behavior it currently blocks, does it perhaps try to act like a behavior blocker which looks at a sequence of possible malicious actions?

    http://journeyintoir.blogspot.com/2015/02/process-hollowing-meets-cuckoo-sandbox.html
     
  23. hjlbx

    hjlbx Guest

    Not being able to detect and block DLL injection on 64-bit is not enough of a reason to switch. After all, DLL injection doesn't occur until the malicious process is allowed to execute - which in your case you would Terminate.

    Besides, there are many other benefits to SpS that compensate for its few quirks. A few things might be weak or not function as we all would like on 64-bit, but still - properly configured for default-deny - you have high protection in a very light package.

    You're not going to find a simple system add-on for DLL injection protection; it would mean either a complete switch-out or adding AppGuard (which I know you dislike) or Excubits MemProtect (which I think you dislike the notion of having to manually write all the rules).
     
  24. Poppey

    Poppey Registered Member

    Joined:
    Nov 23, 2015
    Posts:
    39
    Location:
    Germany
    For two days I have had a problem with SpyShelter Firewall. I had installed the software Secureaplus. The software needs a very long time to make the first check on my PC, so I ran the check overnight. That night there was also an update for Windows 10. In the morning, all the addons in the Opera browser that I use for YouTube didn't work. I thought it was a problem with the update or with the software Secureaplus, because before I installed it everything worked on my PC. So I uninstalled Secureaplus. But nothing happened. So I used the Windows restore point from before the update was installed. Nothing happened. Then I found out that the addons for Opera for YouTube won't work when I sign in to YouTube with my Google account. Without the Google account everything works on the YouTube site. Why? I don't know. Before I found this out, I reinstalled the Opera browser and tried some other changes. But now I have a problem with SpyShelter. When I start Opera I get a popup from SpyShelter every 10-20 seconds with the info (I'm from Germany and have tried to translate the popup into English): "Spyshelter is blocking the setting of Hooks for the Process opera.exe (PID=11216) ActionsType:33". I don't find it in the logging window of SpyShelter. I also allow everything for Opera. I don't know why I get these popups now. Before I installed Secureaplus and the Windows update everything worked fine.
     
  25. Schorg

    Schorg Guest

    Hi @Poppey

    Action 33 popups can be safely prevented from showing via SpyShelter's GUI > Settings > Advanced, and then untick "Enable showing tooltips for blocking network hook actions".

    Hope this helps:)
     
    Last edited by a moderator: Oct 23, 2016