It didn't record anything either. Just detecting pressed keys isn't logging. Keylogging is transmitting exactly what you type to the attacker.

Anti-exe doesn't monitor drivers and DLLs (the only exception is NVT Smart Object Blocker); HIPS does.

Default-deny isn't for beginners; users of such solutions must know how to differentiate a legitimate process from a suspicious one. Some default-deny solutions implement cloud reputation/lookup to help beginners decide, but it is not a requirement. That is the point of default-deny solutions; if you want a silent one, use a suite like Kaspersky, which whitelists stuff for you.

Check my point above. You are totally mistaken about the purpose of two different mechanisms. How does malware start? Via a file being executed (LOLBins, DLLs, drivers) or a script being executed (LOLScripts). Your anti-exe only monitors executables... drivers and DLLs are exempt from monitoring; however, it can block later in the attack chain (if any).

Every solution has a scope; each has a distinct purpose, and SpS does the one it was made for very well, just as NVT ERP does. If you want all-around full-system monitoring of everything, use a suite, Kaspersky or another. Single-purpose default-deny solutions obviously aren't for you.
I didn't test it much (like 15 mins?), but I do remember there was one DLL rule in the rules list before I wiped the rules list and disallowed everything (emptied the trusted vendors list, clicked on "ask user" and did not auto-allow anything from the security tab). I remember starting Chrome and it did not ask me to allow Chrome to read any DLLs, so I don't know how the DLL monitoring works, but Bouncer and MemProtect module filtering tell me any time a program tries to use a DLL if I set it in the config file; that did not happen with SpyShelter, but there was a DLL allow rule (I think it was from System32) in the rules list when I first opened it.

See, that's the thing. If I get an alert about Process Explorer reading other processes' memory and trying to access them after I've run it, I'll know it's legit, and if the same happens when I run Paint, I'll know something is suspicious. But without having the source code of the process you're getting a prompt for, and without knowing the Windows 10 APIs that are used, you can't really know 100% what process should be allowed what action; you can only guess (like the Process Explorer example), or try blocking all actions and see if something's broken with the process; if not, likely the action(s) weren't needed anyway or the process was trying to do malicious stuff. Of course that implies that you're not using the internal database or auto-allowing stuff, which is less secure than you manually reviewing everything, obviously, and to me largely eliminates the purpose of using it if I'm just going to auto-allow most of the stuff.
@Floyd 57 I don't know how you tested it and whether you used default settings or not... but 15 min or even an hour isn't enough to get the full picture. When I test a solution, I use it for at minimum a month, like I did for ERP, OSA, ReHIPS, etc. Then I can have my own very clear ideas of the pros and cons, and whether it deserves to be on my system. HIPS have a purpose: to give abundant monitoring, which is why I like SpS, but my favorite solution is AppGuard Enterprise (SRP).
Then the new tree view is excellent; it just needs sortable columns to view all the stuff like date, action number, protection module, comment, hash. Just one more thing: when pressing, for example, "a" on the keyboard, it should select the component whose name starts with "a", like in the alternative view.
Those 4 actions are for non-standard rules or perhaps for planned features. For sure you can get action #59 (which is not presented in the standard list) by preparing a non-standard network rule (in the advanced rules window). So we have 63 actions, and the next 3 have not been uncovered yet.
Exactly, you need to have some knowledge about what's normal app behavior; otherwise it's pointless to use such a HIPS in ask mode. I don't see anything wrong with using the whitelist unless you can't control it, like in SS, so that's why I don't use it. But a whitelist can be very handy to reduce alerts. Also, SS monitors the most important behaviors that can be abused by spyware and trojans. The thing that's bugging me is that it doesn't have an auto-block option. I do not want to see alerts for stuff like protected file access and outbound connections.
That is why I have been saying for ages: if one doesn't have decent knowledge of one's system and can't handle prompts, don't use default-deny solutions, and even less HIPS; go use an AV suite, where most stuff is simplified. Personally I don't see the point of using a HIPS in anything other than Ask User/Interactive/Paranoid mode (those familiar with some famous HIPS will recognize the terms).
In theory, most HIPS software is simple and easy to use: "Allow process" or "Deny/Block process", plus "Remember my choice" if you want to remember the rule and have it applied automatically the next time the same situation occurs. However, the problem is not with the HIPS but with system knowledge: most people just don't know what is going on between the system and the task from the software that the HIPS monitors and alerts about. E.g., how is a user supposed to know what it means if Firefox starts with the parameter "-p" etc., started by the process explorer.exe (and what is this!? explorer.exe). Most software has really useful FAQs about software settings on the web and pinned in the main software somewhere around the About/Help menu, but from experience people are so damn lazy!! To open and read instructions that require more than 5 s of reading and are bigger than half an A4 page or even a couple of pages... But every day they spend time on crap sites and read more and more bulk crap and other such common things on sites...
Laziness of people is the reason malware spreads so fast and phishers are so successful... happy clickers... Just look at security/computer forums: people come and ask here what they could find with a 5 min effort on Google. How many times I have had to redirect people to the help file of the software. This spreading laziness is forcing security vendors to simplify their software to such an extent that it even becomes less strong than before. Lazy users want the security software to do all the job while they keep happily clicking on suspicious links and porn ads, and looking for cracks/keygens.
More like lack of education: people don't run malware because they're lazy, they run it because they don't know better.

But they're also lazy. Right?

Many?

I don't see the issue with the software taking the decisions for the user; what else do you mean?
They don't know better because they don't look to know better.

Way too many.

Not that; I'm talking about the fact that very powerful software is reduced to almost just a GUI with 3 buttons, when before you had many options to strengthen the said software.
I remember there were isolated processes (or maybe it was ReHIPS?). How does that compare to Sandboxie's isolation?
- SpyShelter uses only restrictions. It is not a real sandbox (if we consider sandboxing as isolation).
- ReHIPS isolates by using tightened Windows user profiles. So unless Win10 changes this, ReHIPS doesn't need frequent updates.
- Sandboxie is more like light virtualization using code whitelisting, so it needs to closely follow application development; if not, applications can't run isolated or are broken, so Sbie requires immediate updates if the said applications receive major code changes.

I don't have the article at hand, but you can find it on Google.
Exactly, and it's not like it's rocket science. I remember when I started using HIPS (Process Guard and later System Safety Monitor) back in 2004; I learned everything I needed to know about software/app behavior in about a year. The thing is, most apps do not need to perform certain stuff like code injection, recording keyboard input, and registering services and drivers. So it's actually quite easy to spot suspicious behavior.
I don't know why... I downloaded the FW installer a few minutes ago and I have 11.4 stable; then I compared it to the RC on my disk looking at the SHA1, and you can see two different numbers. Maybe try doing this one more time?
Thanks, tried once more and got the 11.4 release installed, no problem. That's a relief, after the problems with the first 11.4 RC ruining my system. Working the way it has in the past.
Today I saw that the settings in the list of monitored actions were changed to auto-allow for signed. But I always had a setting not to allow for all components; how is that possible? I did not change anything.