@hjlbx is, in my opinion, a decent chap. @hjlbx tests security software and there is nothing wrong with identifying issues in such software, which if acted upon could be beneficial to the users of such products. I appreciate his wisdom and testing in this area.
I am having a problem setting up a rule that will allow my VPN (AirVPN.exe) to execute. Under "Application Execution Control" the default rule for any run is always deny all (*). That's the case here. But I am usually allowed to edit the rules when I want to allow applications to execute, by right-clicking on the deny rule and selecting "mark it allowed." However, I am not able to do this with AirVPN.exe; when I try to allow it the rule does not change. Any ideas?
Did you try to delete the rule and re-create it upon the next execution of AirVPN? I had an issue with OpenVPN where I had to exit SpS and then restart SpS for the rule to become active - but that was different from your issue.
Yep. I've deleted the rule, toggled SSF protection and restarted both SSF and AirVPN. Nothing seems to be able to change that rule.
Do you have "Block Suspicious Actions" enabled? Are you using the "Ask User" security setting? Since Datpol has implemented some changes over the past few days, it could be a bug. There was a problem with Application Control and no hash checking - perhaps the fix introduced some minor snafu. Your image shows AirVPN.exe cannot execute any child processes. Nice avatar, by the way...
I did. But I thought that since I put airvpn.exe as a trusted signer it should no longer be suspicious. Guess not. I was. But I found that if I toggle it to Allow Microsoft and back again the setting now works, where I do get asked. That seems to have fixed my issue. Right. That's the rule I am trying to change. Thanks. Think Michael Scott when you see it!
Settings > Monitored Actions > at very bottom of list tick "Auto-allow for trusted signer..." I think it should work even with Block Suspicious Actions enabled (I don't have SpS installed at this very moment).
If you don't mind me making a suggestion, try removing AirVPN.exe from the Application Execution Control and General tabs and manually adding it to General. Go to Rules > General > Create rules for a component (second icon just below the General tab, the one that looks like a small green plus), or right-click on the title Component name. Either enter the full path into Component path:, or left-click the ... button to open SpyShelter's File Explorer, locate AirVPN.exe or type the full path into File name:, then press Open. Go to Execution of an application > select Allow > press OK. Hope this helps. I believe @hjlbx is correct that it is a bug, as I have discovered a bug regarding Create rule (no file hash checking): when importing rules, only the first rule you have created via Create rule (no file hash checking) is retained.
This is from both the SpyShelter and the QFX websites (borrowing the nice pretty graphics from QFX) and applies to all anti-loggers... This is how an anti-logger works:

SpyShelter: "How does the Keystroke Encryption work? The SpyShelter Keystroke Encryption Driver encrypts all keystrokes in real time and sends them via a safe tunnel directly to the application on which your keyboard is focused, preventing dangerous applications from capturing them. Keystrokes are automatically decrypted once they reach the active window. We do not share detailed technical information about the encryption technique used. Click here to read more about Keystroke Encryption."

QFX: "Your keystrokes remain encrypted as they travel through the perilous path in the operating system, where keyloggers can be physically or remotely installed on your computer to intercept your keystrokes. When your encrypted keystrokes reach the destination app, the decryption module of the anti-logger goes to work, and you see exactly the keys you've typed."

In other words, anti-loggers do not transmit encrypted keystrokes over the network; a keystroke decryption key is not transmitted to the remote system - it only happens on the local system. It all basically uses the same concept/methodology as when a wireless keyboard transmits encrypted keystrokes to the USB dongle and the keystroke decryption is performed by the dongle. The best you can do with an anti-logger is to combine it with a VPN, for consumers. In other consumer and enterprise products you have a number of options - one is a data sandbox with VPN and the other is an end-to-end, certified clean, remotely hosted sandbox (Quarri). However, in all cases, once you put your data onto a remote system you have no control over its integrity or security.
https://www.qfxsoftware.com/uploads/images/howitworks_v.gif
https://www.qfxsoftware.com/uploads/images/howitworks_h.gif
A Scripted Keylogger is a webpage-embedded keylogger. Once the encrypted keystrokes are decrypted in the browser, then there's nothing that can be done in some cases -- with some webpage-embedded keyloggers, data capture doesn't even require you to post the data. No anti-logger can protect against a Scripted Keylogger.
I said this here (sentence below - at the bottom of one of my previous posts - link provided), but it is funny when these kinds of statements are completely ignored - and all the focus is on me pointing out the facts that some find unacceptable. "SpS products will protect system if it is configured and used properly; it has almost everything one needs to have a safe computing experience" https://www.wilderssecurity.com/threads/spyshelter-10.378379/page-27#post-2624363
So according to your logic VPN software is useless because it doesn't encrypt keystrokes against keyloggers, but it encrypts the connections against being intercepted. You said exactly the reverse thing about SpyShelter now. Do you have some inside info on SpyShelter VPN? Encrypting keystrokes internally and transmitting data over the internet are two completely different things, are you capable of understanding that? Why do you create a problem that doesn't exist? You are repeating the same nonsense over and over. It's not the task of any software to interfere with the browser's own memory space.
Sorry, I must have missed this post, but I do indeed combine SBIE with SS. And I haven't been using any AV since 2006 when I dumped Avira, so this is my 10th anniversary. Of course I haven't had any problems with malware.
If this is truly the case, then it should be fixed ASAP. To clarify, I believe SS does block DLL injection when code is injected into other processes. But according to you it will fail when apps inject code into child processes. It also cannot recognize a process hollowing attack once a child process is launched in suspended mode. I think this is a bit harsh. Don't forget that SS can correctly detect and block a lot of behavior related to malware, think of: service/driver loading, global and API hooking (keyloggers), low-level disk access and read/write access to files.
Yes I agree with this. This is true. Very interesting link about the 2 separate process hollowing techniques. So you're saying that the newest version does detect it? But how does it do this, can you post some screenshots? Because we have to distinguish between regular code injection, and process hollowing.
SpyShelter Free is discontinued, grab it while you can (for instance from FileHippo). I run it at Medium level with all modules disabled except HIPS. With VoodooShield Free (in Autopilot) it is an unbeatable freebie pair. The trick: select Allow folder, choose existing files and future files in this folder, choose OK, next make this rule denied (changing Allow to Block). I also have enabled 'Auto block suspicious behavior'. This results in a HIPS containment for selected folders and mild auto-blocking of dangerous actions. I have also tuned down VoodooShield from Smart to Autopilot, but kept blocking of child processes of browsers on (the VoodooShield anti-exploit feature). I have disabled CMD+scripts through a registry tweak, so Windows cmd + Windows Script Host + PowerShell + scripts + DotNet can't do any harm (with the command feature of VoodooShield this is enough to provide solid protection). Alas, the end of the unbeatable combo of SpyShelter HIPS module + VoodooShield anti-executable. On a Pentium dual core @ 3.1 GHz (G3240) with a SATA2 SSD, startup time with VoodooShield + SpyShelter HIPS only, for C:\Program Files\Chromium\chrome.exe, 2 executions (AppTimer log): 0.7814 (cold from disk), 0.5320 (hot from cache).
Might still be a combo worth considering with SpyShelter Premium? Would you care to elaborate on the registry tweak?
Using the Registry: Run regedit to open the Registry Editor and navigate to the following registry key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System. If the Windows or System key is not present, you may be required to create them. In the right pane, double-click DisableCMD and set its value to 0. If DisableCMD is not present on your system, you may be required to create a new DWORD value, name it DisableCMD and then give it a value of 0. Now if any user were to try to open CMD, they would see a message: "The command prompt has been disabled by your administrator."
Enable CMD: If for some reason you need to do the reverse, i.e. enable the command prompt, simply disable the "Prevent access to the command prompt" policy setting. In the registry, you may delete the DisableCMD DWORD or set its value to 1.
* * * * *
Disabling Windows Script Host (wscript.exe): https://technet.microsoft.com/en-us/library/ee198684.aspx
* * * * *
You can do the same with PowerShell for PowerShell script execution (but you can't disable powershell.exe) and other processes - just search online for the registry hacks.
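A read-only audit of the three restrictions this post walks through (command prompt policy, Windows Script Host, PowerShell execution policy), added here as my own example rather than the poster's or SpyShelter's; the function name Get-ScriptRestrictionState is hypothetical, the registry paths are Microsoft's, and the value meanings follow Microsoft's policy documentation.

```powershell
# Added example: audit the command-prompt / script-host restrictions discussed in
# the thread. Function name is hypothetical; values are only read, never written.
function Get-ScriptRestrictionState {
    # "Prevent access to the command prompt" policy stores DisableCMD under the
    # per-user Policies key. Per Microsoft's documentation: 1 = cmd disabled and
    # script processing disabled, 2 = cmd disabled but batch files still run,
    # 0 or a missing value = command prompt enabled.
    $cmdKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $disableCmd = (Get-ItemProperty -Path $cmdKey -Name DisableCMD `
                    -ErrorAction SilentlyContinue).DisableCMD

    # Windows Script Host (wscript.exe / cscript.exe): an "Enabled" REG_DWORD of 0
    # under the Settings key turns the host off. HKLM applies machine-wide,
    # HKCU per user; either scope being 0 blocks WSH for that scope.
    $wshKey     = 'Software\Microsoft\Windows Script Host\Settings'
    $wshMachine = (Get-ItemProperty -Path "HKLM:\$wshKey" -Name Enabled `
                    -ErrorAction SilentlyContinue).Enabled
    $wshUser    = (Get-ItemProperty -Path "HKCU:\$wshKey" -Name Enabled `
                    -ErrorAction SilentlyContinue).Enabled

    # Execution policy governs script files (.ps1) only; powershell.exe itself
    # remains runnable regardless of this setting, as the post notes.
    $psPolicy = Get-ExecutionPolicy -Scope LocalMachine

    [pscustomobject]@{
        CmdPromptRestricted = ($disableCmd -in 1, 2)   # $null -in 1,2 is $false
        DisableCMDValue     = $disableCmd
        WshDisabledMachine  = ($wshMachine -eq 0)
        WshDisabledUser     = ($wshUser -eq 0)
        PowerShellPolicy    = $psPolicy
    }
}

Get-ScriptRestrictionState | Format-List
```

Run it before and after applying the tweaks to confirm which scope (user or machine) each change actually landed in.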
You have sufficient protection. Yesterday I could still download the free version from FileHippo and CNET.
Kees, I was just looking at download.com and the free version listed is called SpyShelter Anti-Keylogger. Is that the one you are referring to?
@boredog You can download the latest free version (10.8.6) from Majorgeeks http://www.majorgeeks.com/files/details/spyshelter_personal_free.html
No not really, the whole point of features like keystroke encryption and blocking of browser memory modification is to still protect the system even if you have made the wrong decision to allow a certain app to modify the system. So it's basically a failsafe. AppGuard and HMPA do the same, AG will block code injection once malware is allowed to run, and HMPA will alert you if your browser has been compromised with the safe-banking feature.
In theory, SS should be easily able to defeat hook- and message-based loggers. The same goes for loggers that want to install drivers. The only problem with SS is that it's almost never tested against all kinds of malware, so it remains a question how it will perform against the most advanced attacks. Of course the problem with process hollowing/DLL injection into child processes should be fixed, but with SSFW you can at least block process execution of system applications which are often used in these kinds of attacks. Interesting, but why no option to disable already monitored reg-keys? I would also like to see a more advanced GUI for the firewall/network monitor, perhaps something like Free Firewall and Windows Firewall Notifier, see links. http://www.evorim.com/en/free-firewall http://www.ghacks.net/2015/06/15/a-first-look-at-windows-firewall-notifier-2/