SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    There has been for years an option to lower rights for chosen apps...for some period of time this module was called "Sandbox". Info from the help file:
    "Restricted Apps tab


    SpyShelter Restricted Apps uses a restricted SID and hooks in order to protect your PC. This feature allows you to choose applications that you want to run with lower privileges. Applications running in restricted mode have limited access to system resources such as registry keys, files, webcam, microphone, keylogging, hooks installing, usual administrative tasks (such as stopping, registering, running services and drivers) and so on.

    Other restrictions for applications running in restricted mode include:
    1) The registry hive HKLM is not writeable (access to other registry keys can also be limited).
    2) Restricted file access (as you can see in the appropriate SpyShelter tab).
    3) Restrictions on other system objects (based on system security settings).
    4) All dangerous actions are blocked automatically for applications running in restricted mode.
    5) Children of restricted processes are also restricted.

    This mode can be used for running Web browsers, email clients, instant messengers, or any unknown program."

    You are right...a bit more advanced network monitor was mentioned on our (Polish) forums as a user suggestion, but so far there is no result of it. The same goes for a feature like "process monitor", which can be useful and was in the past in most HIPS/BB apps, as you know for sure. Of course SS has its own list of active processes, but as I remember it's only accessible when you don't want to encrypt keystrokes in a specific app - the option "Do not encrypt keystrokes of processes specified below"/"Select a process from the list..." - and doesn't offer any other commands.
     
    Last edited: Sep 12, 2016
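The restricted-token mechanism the quoted help text describes (a "restricted SID" plus dropped privileges, with children inheriting the restriction) is a stock Windows facility. The script below is an added example, not SpyShelter's code and not from this thread: it builds such a token with CreateRestrictedToken and starts a child process with it. The function and variable names are this example's own; it assumes Windows and an ordinary PowerShell prompt.

```powershell
# Added example (not SpyShelter's code, not from the thread). Builds a restricted
# token: all privileges except SeChangeNotifyPrivilege removed, BUILTIN\Administrators
# turned deny-only, and a restricting-SID list so that every access check must ALSO
# pass for NT AUTHORITY\RESTRICTED (S-1-5-12), which only has read ACEs on HKLM,
# %SystemRoot% and friends. Windows only. Names below are this example's own.
if (-not ('RestrictedLaunch' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class RestrictedLaunch {
    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CreateRestrictedToken(IntPtr existing, uint flags,
        uint disableCount, SID_AND_ATTRIBUTES[] sidsToDisable,
        uint deleteCount, IntPtr privilegesToDelete,
        uint restrictCount, SID_AND_ATTRIBUTES[] sidsToRestrict, out IntPtr newToken);
    [DllImport("advapi32.dll")] public static extern bool IsTokenRestricted(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine,
        IntPtr procAttrs, IntPtr threadAttrs, bool inherit, uint flags, IntPtr env,
        string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
}

function Start-RestrictedProcess {
    param([string]$CommandLine = 'cmd.exe /k whoami /priv & whoami /groups')
    $TOKEN_ALL_ACCESS = 0xF01FF; $DISABLE_MAX_PRIVILEGE = 0x1; $CREATE_NEW_CONSOLE = 0x10
    $lastErr = { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
    $hTok = [IntPtr]::Zero
    if (-not [RestrictedLaunch]::OpenProcessToken([RestrictedLaunch]::GetCurrentProcess(), $TOKEN_ALL_ACCESS, [ref]$hTok)) { throw "OpenProcessToken: $(& $lastErr)" }
    # String SID -> SID_AND_ATTRIBUTES entry (the SID buffer comes from LocalAlloc).
    $toEntry = { param($s) $p = [IntPtr]::Zero
        [void][RestrictedLaunch]::ConvertStringSidToSid($s, [ref]$p)
        $e = New-Object 'RestrictedLaunch+SID_AND_ATTRIBUTES'; $e.Sid = $p; $e.Attributes = 0; $e }
    # Deny-only: BUILTIN\Administrators. An elevated caller loses admin rights
    # without changing which user it runs as.
    $disable = [RestrictedLaunch+SID_AND_ATTRIBUTES[]]@( (& $toEntry 'S-1-5-32-544') )
    # Restricting SIDs: RESTRICTED plus the caller's own SID, so the user's
    # profile stays usable while HKLM and system directories become read-only.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $restrict = [RestrictedLaunch+SID_AND_ATTRIBUTES[]]@( (& $toEntry 'S-1-5-12'), (& $toEntry $me) )
    $hNew = [IntPtr]::Zero
    $ok = [RestrictedLaunch]::CreateRestrictedToken($hTok, $DISABLE_MAX_PRIVILEGE, $disable.Length, $disable, 0, [IntPtr]::Zero, $restrict.Length, $restrict, [ref]$hNew)
    if (-not $ok) { throw "CreateRestrictedToken: $(& $lastErr)" }
    if (-not [RestrictedLaunch]::IsTokenRestricted($hNew)) { throw 'token is not restricted' }
    $si = New-Object 'RestrictedLaunch+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $procInfo = New-Object 'RestrictedLaunch+PROCESS_INFORMATION'
    $cmd = New-Object -TypeName System.Text.StringBuilder -ArgumentList $CommandLine
    # The child gets the restricted token as its primary token; anything it
    # spawns inherits that token, which is why children stay restricted.
    $ok = [RestrictedLaunch]::CreateProcessAsUser($hNew, $null, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $false, $CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null, [ref]$si, [ref]$procInfo)
    if (-not $ok) { throw "CreateProcessAsUser: $(& $lastErr)" }
    foreach ($e in ($disable + $restrict)) { [void][RestrictedLaunch]::LocalFree($e.Sid) }
    foreach ($h in @($procInfo.hThread, $procInfo.hProcess, $hNew, $hTok)) { [void][RestrictedLaunch]::CloseHandle($h) }
    $procInfo.dwProcessId
}

Start-RestrictedProcess
```

In the new console, `whoami /priv` lists only SeChangeNotifyPrivilege, `whoami /groups` shows Administrators as "Group used for deny only", and `reg add HKLM\SOFTWARE\Anything /f` fails with access denied even when the launching prompt was elevated. Two caveats a practitioner should keep in mind: the token does not lower the integrity level (that is a separate label on the token), and nothing in a restricted token by itself stops keylogging, hook installation or webcam access; the help text attributes that part of Restricted Apps to SpyShelter's hooks, not to the SID.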
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    thanks
    how does "restricted apps" compare to a real sandbox (like sandboxie or comodo) or isolation (like rehips)?
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I believe it's in both versions. You can also run apps in "restricted mode" via the context menu. It basically strips apps of admin rights plus blocks suspicious behavior automatically, so most malware should normally not be able to run correctly. Even ransomware should not be able to trash the whole system, depending on which folders are writable.

    You would think that this is easy to program.
     
    Last edited: Sep 17, 2016
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Honestly...I don't know what you mean...
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You surely know that programming software means "developing". Earlier in the thread someone said it might be difficult to develop certain features, but if the developer truly has the skills, he should be able to do so. Like I said, SS is already pretty good, and I would recommend it to all people searching for a stable and strong HIPS. But honestly, the last major new feature was file/folder protection.
     
  8. @Rasheed187

    You got a point (it does not happen often that we agree :) ), but it is also a bit harsh to accuse them of sitting on their hands (I had to post a comment, otherwise people might think we are friends now ;) ), considering that they worked on the firewall and on making the HIPS work on 64 bits.
     
  9. hjlbx

    hjlbx Guest

    Has Datpol fixed SpS on 64 bit systems ... can it now detect and prevent hollow process?

    When I tested SpSFW 6 months ago, it did not detect nor prevent hollow process.

    There are posters on MT stating SpS prevents hollow process... one states Datpol always prevented hollow process.
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Yes...you are right, but actually no :) I could add the latest changes in scanning files/processes - the possibility to add an external AV engine and SS's own window to show the results of scanning (not connected with the process of the system's default internet browser). We're not even talking about a lot of Win10 compatibility improvements...about better cooperation with remote apps.
    6 months?...there were 13 released versions up to v. 10.8.6 and a lot of improvements for 32- and 64-bit systems, so maybe they are right when talking about preventing hollow processes.
     
  11. guest

    guest Guest

    so can't they officially and publicly announce it...? if it was fixed, there is no reason not to tell it; unless of course they can't find a method to fix this issue...
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Don't get me wrong, I'm not really blaming the developers because I think they just don't have enough coders. But when it comes to HIPS, I'm a perfectionist, and I see a lot of lost potential. I can't deny that I'm frustrated about the lack of certain improvements, that matter to me.

    How did you test this, I can't remember anymore. If I'm correct you claimed that SS does not monitor code injection into child processes. I will see if I can test this with a leak-test.

    It depends how you look at this. I wouldn't call this major features or improvements. I believe SS could be a lot better, for example the sandbox, anti-exe and network monitor should all be made more useful and handy. And don't forget about the logging window.
     
  13. hjlbx

    hjlbx Guest

    All you have to do to confirm that SpS does not prevent hollow process, is to execute a process hollowing ransomware and select block in the hollow process alert (typically explorer.exe or svchost.exe). Encryption will still happen.
     
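The test above relies on a blocked alert still ending in encryption. A complementary check, added here as an example that is not from the thread and not SpyShelter's code, looks for the footprint classic process hollowing leaves behind: a normally started process has its main module mapped as a section backed by the EXE on disk (MEM_IMAGE), whereas after hollowing the memory at that base is typically MEM_PRIVATE from VirtualAllocEx, or not committed at all if the new image went elsewhere. Function and variable names are this example's own; it assumes Windows and a PowerShell of the same bitness as the processes being inspected.

```powershell
# Added example (not from the thread, not SpyShelter's code): read-only triage
# for hollowed processes. Compares the memory type at the main module's base
# against MEM_IMAGE and the mapped file name against the image path.
# Windows only; names below are this example's own.
if (-not ('HollowCheck' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class HollowCheck {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress, AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State, Protect, Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern uint GetMappedFileName(IntPtr h, IntPtr addr, StringBuilder name, uint size);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@
}

function Test-HollowedProcess {
    param([Parameter(Mandatory = $true)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
    $MEM_COMMIT = 0x1000; $MEM_IMAGE = 0x1000000
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $result = [ordered]@{ Pid = $ProcessId; Name = $proc.ProcessName; Base = ''; Type = ''; MappedFile = ''; Verdict = 'no-access' }
    # MainModule comes from the loader's module list (PEB Ldr); it throws for
    # protected processes and for processes of the other bitness.
    try { $base = $proc.MainModule.BaseAddress; $exe = $proc.MainModule.FileName }
    catch { return [pscustomobject]$result }
    $h = [HollowCheck]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return [pscustomobject]$result }
    try {
        $mbi = New-Object 'HollowCheck+MEMORY_BASIC_INFORMATION'
        $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
        if ([HollowCheck]::VirtualQueryEx($h, $base, [ref]$mbi, $size) -eq [IntPtr]::Zero) {
            $result.Verdict = 'query-failed'; return [pscustomobject]$result
        }
        # Which file (if any) backs the page at the main module base.
        $mapped = New-Object System.Text.StringBuilder 1024
        [void][HollowCheck]::GetMappedFileName($h, $base, $mapped, $mapped.Capacity)
        $result.Base = '0x{0:X}' -f $base.ToInt64()
        $result.Type = '0x{0:X}' -f $mbi.Type
        $result.MappedFile = $mapped.ToString()
        $imageBacked = ($mbi.State -eq $MEM_COMMIT) -and ($mbi.Type -eq $MEM_IMAGE)
        $sameFile = ($mapped.Length -gt 0) -and ((Split-Path -Leaf $result.MappedFile) -ieq (Split-Path -Leaf $exe))
        $result.Verdict = if (-not $imageBacked) { 'SUSPICIOUS: main module base is not image-mapped' }
                          elseif (-not $sameFile) { 'SUSPICIOUS: mapped file does not match image path' }
                          else { 'ok' }
        [pscustomobject]$result
    } finally { [void][HollowCheck]::CloseHandle($h) }
}

# Sweep every process and print only the ones worth a second look.
Get-Process | ForEach-Object { Test-HollowedProcess -ProcessId $_.Id } |
    Where-Object { $_.Verdict -like 'SUSPICIOUS*' } | Format-Table -AutoSize
```

This is triage, not prevention: it confirms after the fact whether explorer.exe or svchost.exe was hollowed, which is what the blocked alert should have prevented. It catches the VirtualAllocEx-based variant; techniques that map a section instead (so the base stays MEM_IMAGE) only trip the file-name comparison, and not reliably, so treat an 'ok' as "nothing obvious", not as a clean bill of health.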
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, so you tested it with actual ransomware. So if you allow ransomware to execute explorer.exe or svchost.exe, it's game over. That does sound like a serious flaw, did you report this to the developers?
     
  15. hjlbx

    hjlbx Guest

    It's been reported for a long time... more than a couple of years.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    And did you test the latest SS version? Because I really wonder why some claim that SS can indeed stop process hollowing.
     
  17. hjlbx

    hjlbx Guest

    I don't mess with SpS any more. Datpol sent me an email to stop sending bug and vulnerability reports...
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What the hell, you got to be kidding me? I don't think this is the right attitude for developers. Yes, SS is already a good product, I get that. But why on earth would you dismiss user reports and requests. For example, the developer of Neoava Guard was very open to suggestions, and actually implemented some of them.
     
  19. hjlbx

    hjlbx Guest

    All my reports were legit, but I got the impression that they were perceived as a nuisance. So I dropped SpS months ago...
     
  20. guest

    guest Guest

    :eek:
    Crazy...
     
  21. PaleDark

    PaleDark Registered Member

    Joined:
    Nov 30, 2015
    Posts:
    55
    Seems it's right for me to drop SpS. It's not like their product is bad. It's great. I miss those alerts calling since the Comodo years. But other than that I'm pretty disappointed, especially by their "arrogant-ness".

    I almost wanted to purchase the lifetime license of the Firewall version, but was able to withhold the temptation :p
     
  22. guest

    guest Guest

    I thought about it too, and trialed the product months ago.
    But the more i read here about it, the more i think: No :D
     
  23. hjlbx

    hjlbx Guest

    SpS products are good, but there are nagging, fundamental problems that have been reported, but never fixed - especially on 64 bit systems. Plus, it is almost impossible to get accurate, in-depth technical info from Datpol. I am not sure if it is a language thing or something else, but my experience with Datpol does not inspire any kind of confidence.

    I have bashed COMODO Engineering directly behind the scenes for over a year now about the "disappearing" rules bug. Their development team assures that the bug has now been assigned a priority fix. All that remains to be seen is that a fix actually works as expected. If that is indeed the case, then the fixed COMODO HIPS would be my first choice for a solid HIPS on 64 bit - if I wanted HIPS.
     
  24. guest

    guest Guest

    If they begin to improve it on a 64-bit OS I'll think about testing it again.
    But i still have other apps, so i don't really need it at the moment.
    Maybe next year.
     
  25. guest

    guest Guest

    yes this bug made me flee from Comodo at full speed ^^
     