No...it doesn't, but according to the screenshots below it can detect a lot of suspicious actions that can warn the user that something in the system is going wrong. You can find actions about trying to use DNS, network connections and manipulation of specific system files connected with network management. This test was made using the original sample of the malware mentioned by Rasheed.
For sure. I mentioned that somewhat in passing in my post 224 replying to 222 on the previous page nine. Other than the interesting "Anti-NetworkSpy" actions 33 & 34, "setting hook to monitor network requests" and "accessing to raw socket," I don't rely on SpyShelter for the network side of things. In comparing both the superb Premium and Firewall versions, I determined the former a better fit in my layered scheme, avoiding redundancy and possible conflicts. Thanks for all the testing you do!
Correct, it's not advertised, but it's the job of any HIPS to monitor stuff that could be used in attacks. So that's why I call it a flaw. It would be handy if those screenshots were bigger. And from what I've seen, those alerts are about common stuff, nothing special. What would catch my attention is if I saw it changing my DNS settings. No, this won't help. Actually, this is the dumbest thing you can monitor, because just about every app that connects out will trigger this alert. So you will always get two alerts; I've turned it off.
You know what I've always wondered about? Keyloggers can often also monitor what websites are visited, but how do they do this? I suppose they need to inject code into the browser for this? And I also wonder how these apps can hide from the Win Task Manager. Would be interesting to know if SS can stop this. http://thinkertec.com
Haha...another riddle? OK...in fact it's interesting, so I'll try to check what will happen and how SS will react.
OK, thanks in advance. Like I said, AFAIK you need to use some form of code injection in order to hide from the Win Task Manager, and I wonder how keyloggers record websites visited. Perhaps they try to get access to browser history data? I don't have a clue.
OK, cool. And BTW, perhaps you can also ask the developers if SS will finally start to protect against password stealers, as described over here: https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block
OK Rasheed...I'll ask, but at this time I'm still not ready with the test mentioned above...sorry. I'm ill and lying in bed and can't focus on anything a bit more complicated than watching TV or reading the internet.
Hi all...I'm probably ready to show the results of the test of SpyShelter's detection that was mentioned a few posts above. The "threat" was a logger app called SpyPal...and I can say it's a fairly smart app. As an aside...sorry for the long time preparing, but it was due to my personal problems and then to the necessary modifications of the SS v.12 instance on my wife's laptop (it has a specific setup). Alright, let's start:
* The base - Win 8.1 in Shadow Mode (SD), SS FW 12 on "ask user" level, no action is automatically allowed and nothing is automatically blocked, the log tab is empty.
* The beginning of the installation and the first detected action is modification of the system file Wermgr.exe, which is very smart but can also be suspicious according to this explanation https://appuals.com/what-is-wermgr-exe/
* Then we have privilege elevation (as I think) and modification of system folders and files - changing the registry and ActiveX registration
* So...finally we have the "spy" already installed in our system
* The next step of its actions is modification of the system (autostart, services) and, important for the logger's work, modification of Firefox. As we can see, SpyPal forces Firefox not only to make an internet connection but uses it to read the keyboard, install a hook and open the process pingsender.exe. It can be important as regards Rasheed's question about logging of internet pages and their history. More info here https://www.ghacks.net/2017/10/14/what-is-pingsender-exe-on-windows/ The word "second" can be important, so that's why...I think...SpyPal needs to deal with taskkill.exe
* In this context such detected actions are obviously trivial
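As an added example (not part of the thread and not SpyShelter's code): the two points raised above, that a bare outbound-connection or raw-socket alert fires for nearly every program and is therefore noise on its own, while the chain ichito logged (system-file write, registry/ActiveX registration, autostart and service creation, injection into Firefox followed by a keyboard hook, a DNS-related registry write) is what actually marks a spying installer, can be turned into simple triage logic over HIPS alerts. The log format, process names, targets and rule weights below are constructed for the example; they are not SpyShelter's export format or its action numbering. Events coming from a process that was injected into are also credited to the injector, so the browser's hook counts against the installer that planted it.

```python
"""Triage HIPS-style alerts: group per-process events into attack-chain categories
and flag processes that combine several, rather than alerting on single noisy events."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample alert log (format is this example's own): time | process | action | target
SAMPLE_LOG = r"""
10:00:01 | setup.exe | write_file | C:\Windows\System32\wermgr.exe
10:00:02 | setup.exe | reg_write | HKLM\SOFTWARE\Classes\CLSID\{0a1b2c3d-0000-4000-8000-000000000001}\InprocServer32
10:00:03 | setup.exe | reg_write | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc
10:00:04 | setup.exe | create_service | spysvc
10:00:05 | setup.exe | inject | firefox.exe
10:00:06 | firefox.exe | set_hook | WH_KEYBOARD_LL
10:00:07 | firefox.exe | connect | 203.0.113.10:443
10:00:08 | firefox.exe | create_process | pingsender.exe
10:00:09 | setup.exe | reg_write | HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0a1b2c3d-0000-4000-8000-000000000002}\NameServer
10:00:10 | setup.exe | raw_socket | AF_INET
10:00:11 | outlook.exe | connect | 198.51.100.5:993
10:00:12 | outlook.exe | raw_socket | AF_INET
10:00:13 | chrome.exe | connect | 203.0.113.44:443
"""

# (category, severity, action, target regex) - first matching rule wins.
# Severity 1 = noisy on its own (every networked app does it); 3 = rarely legitimate.
RULES = [
    ("dns_tamper",  3, "reg_write",      r"\\Tcpip\\Parameters\\.*NameServer$"),
    ("system_file", 3, "write_file",     r"^C:\\Windows\\System32\\.*\.(exe|dll)$"),
    ("injection",   3, "inject",         r"."),
    ("input_hook",  3, "set_hook",       r"^WH_KEYBOARD"),
    ("persistence", 2, "reg_write",      r"\\CurrentVersion\\Run(Once)?\\"),
    ("persistence", 2, "create_service", r"."),
    ("com_hijack",  2, "reg_write",      r"\\Classes\\CLSID\\.*\\InprocServer32$"),
    ("spawn",       1, "create_process", r"."),
    ("raw_socket",  1, "raw_socket",     r"."),
    ("network",     1, "connect",        r"."),
]


@dataclass(frozen=True)
class Event:
    time: str
    process: str
    action: str
    target: str


def parse_log(text: str) -> list[Event]:
    """Parse 'time | process | action | target' lines; reject malformed ones."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"malformed line: {line!r}")
        events.append(Event(*parts))
    return events


def classify(ev: Event):
    """Return (category, severity) for the first matching rule, else None."""
    for category, severity, action, pattern in RULES:
        if ev.action == action and re.search(pattern, ev.target, re.IGNORECASE):
            return category, severity
    return None


def triage(events: list[Event], threshold: int = 5) -> dict[str, dict[str, int]]:
    """Score each process by the sum of its distinct categories' severities.
    Events of a process that was injected into are also credited to the injector,
    so a hook set from inside the browser counts against whoever planted it."""
    injected_by: dict[str, str] = {}
    findings: dict[str, dict[str, int]] = defaultdict(dict)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        category, severity = hit
        owners = [ev.process]
        if ev.process in injected_by:
            owners.append(injected_by[ev.process])
        for owner in owners:
            findings[owner][category] = max(findings[owner].get(category, 0), severity)
        if category == "injection":
            injected_by[ev.target] = ev.process
    return {proc: dict(cats) for proc, cats in findings.items()
            if sum(cats.values()) >= threshold}


if __name__ == "__main__":
    for proc, cats in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{proc}: {', '.join(sorted(cats))}")
```

With these weights outlook.exe and chrome.exe, which only connect out (and, for Outlook, open a raw socket), never reach the threshold, which is the point Rasheed makes about that alert; setup.exe is flagged on its own actions plus the hook it caused Firefox to set, and firefox.exe is flagged because a keyboard hook from a browser is itself unusual.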
Yes...I think so. It seems that SS can properly detect all vital (for spying apps) actions and the system modifications needed for them. It's important due to similar...or even the same...tricks used by real threats.
Thanks for the test. Seems like this SpyPal keylogger is indeed quite advanced. And it seems like SS gives enough alerts to let you know something might be wrong. But I'm guessing that SpyPal uses the "global hooking" method to monitor Firefox. However, it's not clear to me how it tries to hide from Win Task Manager.
BTW, about the Raccoon password stealer, you should scroll to the Stealing browser information part, it seems to scan the registry in order to steal data. AFAIK, SS doesn't protect these registry keys. This is a feature that needs to be added. https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block
Hey guys, admittedly I haven't read through this entire thread so I may be asking something that's already been addressed. If so, please indulge me... Does SpyShelter Free 'play well' with Windows Firewall and Windows Defender? Also, is SS Free's HIPS very 'noisy' (i.e., 'chatty')?
Version 11 Free was discontinued a long way back. The new SpyShelter Free was released as version 12. There's more information in that thread. https://www.wilderssecurity.com/threads/spyshelter-12.422366/
@ichito or someone else, any idea what these modifications represent, or whether they should be allowed or denied? In BCD 0 UEFI, process started by taskhostw.exe; it happens often and out of the blue.
BTW, why does the SpyShelter tray icon keep disappearing? I can't access the GUI either, even though SpyShelter is working. It works fine after install, then it breaks again.
In Windows 8.1 there is no taskhostw.exe, but if it's a legit Windows file then allow it, and the second screenshot seems to appear after that and belong to it, so it's safe to allow. These happen sometimes to me; a logoff or restart brings it back, and I'm not sure why. Or, if this option is enabled, "Allow terminating SpyShelter via Task Manager", you can restart it via taskmgr.
Any idea what this might mean, and whether I should allow it or not? If I disallow Chrome, I can't use Chrome. I am getting it today; it wants UDP out and in, and it's doing that on any app.
They are about language syncing (between hosts or apps? the SettingSync routine); the process runs at the log off/log in routine by default, and it can be disabled. Which registry settings? I should be able to block them with the registry guard.
That's the thing, I don't know which registry keys to monitor, that's why SpyShelter should have offered this feature. The developers really dropped the ball when it comes to this.