I have been experimenting with Excubits MemProtect and SpyShelter Firewall for some time and have had no issues; they are very light together. I must point out this is on my test PC.
Yes, that helps. But it also worked for two days with Action 33 enabled. I tried to roll back my system to before I got the popups. But after the reboot Windows 10 said that it could not roll back, yet then I didn't have the popups. When I restart Windows, I again have the popup with Action 33.
Strange? I disabled (unticked) "Enable showing tooltips for blocking network hook actions" because of MBAE, as this is the reason for SpyShelter giving the Action 33 popups. Maybe a recently installed program is causing the popups? Disabling the tooltips is not a problem; it's just a notification of blocked network hooks.
Now I have unticked Action 33. I don't know why this popup appears every 5 seconds when I use Opera. But by chance I have found the solution for why all the add-ons in Opera for the YouTube page don't work when I'm logged in with my Google account. In the lower-left corner of the YouTube page (when I'm logged in with my Google account) there is a symbol with a little running man. When you press it, YouTube asks you if you want the old layout. I pressed yes and now everything is OK: all my add-ons work and the background is black and not white. If I had found this one day earlier I would have saved so much time and I wouldn't have had the Action 33 popup.
Well, the more I think about it, the more it annoys me. HIPS should always be able to alert about and to block suspicious behavior. Especially when it comes to code injection and process hollowing which is being used by the most advanced malware. Also, in most cases you simply want to block certain app behavior without having to terminate the process. Yes, it also has got a lot of positive things, but other tools do protect against process memory manipulation, so there is no excuse. I will probably continue to use it, simply because I don't like the alternatives. I don't see myself switching to Comodo, but perhaps I should give HMPA another try. Yes correct, AG and MemProtect are no options for me, and they also don't alert about code injection, they auto-block. The whole point of HIPS is to alert you about suspicious behavior, because it will give you clues about whether some app might have malicious intentions.
So I have been playing around with the custom file scanner feature of SpyShelter; look what I found: http://i.imgur.com/CbZEixy.png All you really need is to install the VirusTotal Uploader (https://www.virustotal.com/static/bin/vtuploader2.2.exe) and add this line to the SpyShelter custom scanner configuration: "C:\Program Files (x86)\VirusTotalUploader2\VirusTotalUploader2.2.exe" {FILEPATH} And VT is back. Although I got used to Jotti already, it is really neat that we get to use VT.
Hi all
SpyShelter 10.8.9
Homepage: https://www.spyshelter.com/
Download: https://www.spyshelter.com/download-spyshelter/
Blog: https://www.spyshelter.com/blog/
Changelog: https://www.spyshelter.com/blog/spyshelter-changelog/
With best Regards
Mops21
I don't think allowing the built-in registry protection to be disabled would be a good idea. However, it has a bug: if you allow the first built-in registry protection, the second one will be allowed automatically, which is not good. This happens with new custom protected keys too: if you allow a built-in protected key, your custom protected key will also be allowed automatically, which is not good at all. I reported it.
BTW, SS performed pretty well against the Matousec leak-tests for Win 64-bit; I wonder if those tests didn't use code injection? I think this is very unlikely. Too bad that Matousec and MRG Effitas are not testing SS anymore. http://www.matousec.com/projects/proactive-security-challenge-64/results.php I believe it should be possible to control this for more experienced users. In my view, it doesn't make sense to alert about certain keys.
Hmmm... whatever, not to talk about those tests, I thought it was worth checking how the matter actually looks. So I found:
- tested version: 9.2... more than 2 years ago... and its overall score is 89% in PSC 64
- results: SS passed, SS passed, SS passed, both passed (CopyCat - is it not process hollowing?), all passed, all passed, all passed, both passed, both passed
Hmmm... and now I don't know what to think... the results are clear and obvious... can we say something against them?
Thanks for looking into this. But that's why I think it's weird that SS seems to fail against a simple tool like RemoteDLL. Did you also test this tool? And I don't believe that any of the Matousec leak-tests used process hollowing. Also, I've tested SS against certain leak-tests on Win 8.1, and it failed. http://securityxploded.com/remotedll.php
BTW, besides giving an option to protect certain reg-keys on demand, they could have added a feature similar to Outpost's Application Guard, see link. It's this kind of innovation that I'm missing. I also assume that SS protects all keys that are monitored by AutoRuns, but we will never know since the list is not available. http://www.agnitum.com/support/kb/article.php?id=1000283& http://filehippo.com/download_autoruns/
I ran Outpost a long time ago. That's one way of protecting autoruns: you can set it to ask-user mode, then you can find out which keys are protected by ticking and unticking and denying. Not all of them are monitored, as I see. But there are 3 types of registry protection, as I see with Autoruns; it seems that if you allow one key under one category, all other keys under the same category are auto-allowed. Category: Autorun. Category: WebBrowser/Shell extension. Category: General. If there were an option to create a custom category, then we could use the maximum potential of SpyShelter Firewall. Yes, that's good too for more control. I don't mind getting more alerts, I just want more control.
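The two posts above ask which autorun keys a HIPS actually guards and wish for finer control per key. As an added example (not SpyShelter's or Outpost's code), this PowerShell script snapshots a set of well-known Windows autostart locations and diffs them against a saved baseline, so you can see for yourself which entries change when you install something and decide which ones deserve a custom protected-key rule; the baseline file path is an assumption.

```powershell
# Added example: baseline + diff of common autostart registry locations.
# The key list is a starting point (standard Windows paths), not the full Autoruns set.
$Baseline = "$env:USERPROFILE\autorun-baseline.json"   # assumed location
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Shell / Userinit values
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

function Get-AutorunSnapshot {
    $snap = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip provider metadata (PSPath etc.)
            $snap["$key\$($p.Name)"] = [string]$p.Value
        }
        # BHOs and shell hooks register as CLSID subkeys rather than values; record those too
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $snap["$key\$($_.PSChildName)"] = '(subkey)'
        }
    }
    return $snap
}

$current = Get-AutorunSnapshot
if (-not (Test-Path $Baseline)) {
    # First run: persist the snapshot and stop; later runs compare against it
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Host "Baseline written to $Baseline ($($current.Count) entries)"
    exit
}
$old = @{}
(Get-Content $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $old[$_.Name] = $_.Value }

foreach ($k in $current.Keys) {
    if (-not $old.ContainsKey($k))     { Write-Host "ADDED   : $k = $($current[$k])" }
    elseif ($old[$k] -ne $current[$k]) { Write-Host "CHANGED : $k  '$($old[$k])' -> '$($current[$k])'" }
}
foreach ($k in $old.Keys) {
    if (-not $current.ContainsKey($k)) { Write-Host "REMOVED : $k" }
}
```

Run it once to write the baseline, install or update a program, then run it again; any ADDED or CHANGED line is an autostart entry the HIPS should have prompted about if that key is in its protected set.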
BTW, I wonder why the "Restricted App" feature didn't stop CTB Locker. Also, you probably already know this but old skool HIPS like Neoava Guard and Online Armor both had file monitoring features. NG alerted about rapid file modification/deletion and OA alerted about "enumerating of files". But I'm not sure if they would be capable of blocking ransomware. http://help.emsisoft.com/oa/Programs.shtml (scroll to Advanced Options) Thanks for testing, I don't use any virtual machines and didn't want to mess with my system, so that's why I didn't. It should really protect most of these keys, since they might be used by malware.
No, I haven't tested specific leak-tests... perhaps I will in the near future. And what about "CopyCat"? "can infect a running instance of Internet Explorer in memory and use it to send data to Internet server." Isn't it? Really??... I think "restricted apps" is meant to run apps... of course with lowered rights, however they "run", so a specific process is allowed to make some changes. This feature should be used to restrict a specified vulnerable but known process, not for malware. For all unknown files downloaded/copied from external sources, the "restricted files/folders" feature should... even more, has... to be used.
Hi all
When I install or update programs I do not get any firewall alert popup from SpyShelter Firewall. Is this normal, and what do you need from me? Any info and help for me?
With best Regards
Mops21
I suggest you check out the RemoteDLL tool, I wonder if it also fails on your Win 64 bit system. And process hollowing is a specific code injection technique, I believe CopyCat uses another one. In general, HIPS should at least protect against these methods: http://www.testmypcsecurity.com/leaktest_techniques.html If the SS sandbox restricts apps from writing to most of the file-system, then it should be able to stop ransomware. So seems like a flaw to me, at least if member hjlbx tested it correctly. But normally he's right about stuff, so I don't doubt it.
Hello, I think that is not normal. When I install new software I get a popup asking if I would allow the setup.exe. Have you enabled everything under "Einstellungen" - "Liste der überwachten Aktionen"? Is everything enabled under "Schutz"? Do you have "Einstellungen" - "Fortgeschritten" - "Tooltips einschalten für automatisch erlaubte signierte Dateien" enabled?
Hi
Thank you very much for your info. Can you please make screenshots of it for me? What must I send to SpyShelter after the check, any files? If yes, which ones, and where can I find them?
With best Regards
Mops21
I think you should get an alert window at least in Ask User mode. If you run an installer, then select Install mode and then launch the program from the installer, you should not get any alert. Also, if you tick "remember my choice" and/or "Create rules in Installer Mode" in the settings tab, rules will be created in Installer Mode when a program is run directly from the installer. There is also another option, "Show 'Update rules' dialog": if you select Accept all old rules of the component, then there are no more alerts for the same already-created rule. But if you believe this is not your case and there is a real problem, create a ticket with more detail, step by step, at SpyShelter support: https://www.spyshelter.com/helpdesk/
Probably I couldn't agree with you, and I think that the "test" made by hjlbx is useless... at all. "Restricted apps" is not an isolated/virtualised environment, and the reason to use it is not to test very dangerous malware but to launch vulnerable programs with lowered privileges. Additionally we don't know: - the variant of CTB Locker - the settings of SS... it means level of protection, the list of objects in the "Folders with write access" tab and probably some others that can affect the results (alerts, automatic allowing and blocking, user decisions) - whether it was SS Premium or Firewall. He wrote This is some understanding in my opinion - first - this is a list of monitored actions or automatically allowed ones (if we want so)... not blocked - second - restricted apps don't automatically block all monitored actions but only those connected with those restrictions. SS is not an anti-ransomware application, however some features are useful to protect against them.
Hi @Poppey and Hi @co22
Thank you very much for your answers and for your help. I have contacted them about my issue and I will get back when I have the final result of it.
With best Regards
Mops21