SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. Yes, when you have the paid version, you can edit the trusted vendors list, so crucial software on your PC can be auto-allowed. All software not updating through its own executable (e.g. like Microsoft Office and Chrome), can be assigned a default BLOCK rule. So you can auto-allow publisher Microsoft but deny all Office executables suspicious behaviour.

    This sort of changes the behavior of Spyshelter from a system wide HIPS to a vulnarable process suspicious behavior blocker with zero pop-ups, because the SPECIFIC PROCESSES (AUTO) BLOCK RULES have higher priority than than the SYSTEM WIDE AUTO ALLOW PUBISHER RULES.
     
  2. hjlbx

    hjlbx Guest

    @Windows_Security

    Won't that break some apps ?

    Changing Allowed actions to Deny.

    If I am understanding correctly - let me use example:

    Application A uses inter-process communication with Task Scheduler.

    Let SpS create the Allow actions, then change Allow actions to Deny.

    Application A - when executed - will not perform any suspicious actions; in this case, inter-process communication with Task Scheduler.

    Very simplistic example, but it illustrates what I think you mean.

    TIA

    PS - by the way, which setting are you referring to about adding a block all. Current version of SpS permits creation of Excluded File and Folder, but I see no option to Block All for File and Folder.

    Do you mean do it in the individual rules pane for each application - or - enable Block All Suspicious Actions ?
     
    Last edited by a moderator: Mar 16, 2016
  3. That is why you have to selectively apply it to vulnarable applications, see example for Chrome

    Select HIPS and encryption (no need to hook all other stuf when using Spyshelter as an Behavioral Blocker)

    upload_2016-3-16_11-7-44.png


    Allow signed components
    upload_2016-3-16_11-8-31.png

    Make a Block ALL rule for Chrome Application Folder

    upload_2016-3-16_11-9-30.png


    Chrome now runs in a HIPS sandbox and added encryption to Chrome
     
  4. hjlbx

    hjlbx Guest

    I'm really not following.

    If you create a block-all actions, then how can Chrome connect to the internet - since internet access is blocked ?

    Auto-Allow = Allow all actions for trusted signer
    Exclude = do not monitor any actions for folder contects
    Block All = Deny all actions

    Sorry, I'm just not understanding how this setting combo is working.

    When I follow the above steps for Internet Explorer - it just crashes upon execution.
     
    Last edited by a moderator: Mar 16, 2016
  5. Look at the first visual of previous post: it is for Spyshelter (Free) not the Spyshelter Firewall

    upload_2016-3-16_11-38-14.png

    Set Auto-block to prevent user choices for programs not listed in Trysted Vendors List

    upload_2016-3-16_11-42-2.png
     
  6. hjlbx

    hjlbx Guest

    @Windows_Security

    I understand now.

    I use SpSFW - so the above methodology won't work.

    However, even if I create an all block - except for network access - for Internet Explorer - it still just crashes upon execution.

    SpS Free does have HIPS enabled, but the HIPS monitoring is strictly limited. So, perhaps that is why it is working ?
     
  7. The HIPS in free version is good enough to block all memory manipulations of HMPAlert, so for people still on 32 bits is is a nice freebie. I had not noticed that you were using SPSFW, so sorry for the confusion
     
  8. hjlbx

    hjlbx Guest

    @Windows_Security ... thanks mate.

    Sorry about the confusion too. I am not too familiar with the settings in SpS products yet. Documentation leaves a just a bit to be desired. Kind of slugging my way over the mountain - if you know what I mean.

    I'm on 64 bit W10. Just trying to come up with ways to use SpSFW to its fullest capability.

    I think it basically comes down to experimenting with the rules for the most vulnerable processes - and just allow only those needed to get the thing to work as needed - and block everything else.

    Of course, that is a manual config pain - but not too onerous.

    What do you think ?
     
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    ??...what features are in SS Free that are not in SS FW?
     
  10. hjlbx

    hjlbx Guest

    @ichito

    @Windows_Security explains a way of using the settings in SpS Free that cannot be applied in SpSFW - because the method of using those settings will block all internet access for the applications.

    You have to read back through the posts.

    SpSFW is more than fine - it is very good security soft.
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    OK...now I see where is the matter :)
     
  12. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    @Windows_Security

    Could we apply this method to a wider area such as C:\Users\* without causing any issue?
     
  13. Creative thinking, I have not tried that.
    I have ran this config with Office, Mediaplayer, PDF-reader and Chrome only. Adding user folders, should add protection, without pop-ups for trusted programs. I am working abroad until Saturday. Will try this interesting idea this weekend.
     
  14. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    281
    Location:
    Philippines
    Wouldn't it allow user-space malware from running? Just a thought.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
  16. hjlbx

    hjlbx Guest

    SpS support replied to my inquiry about SpS on 64 bit. Actions 29 and 36 might (I interpret as will) not be detected on 64 bit. Some processes cannot be run inside the sandbox because of sysnative - for example - host processes. HIPS will not detect process hollowing - as you already well know.

    SpS still needs some work on 64 bit. If I recall correctly, Emsisoft products will detect equivalent to actions 29 and 36. So, if Emsisoft can accomplish this, then certainly Datpol can.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I totally forgot that you already mentioned this. SS does not alert when a child process is being modified. So actions 29 and 36 will only be detected when a process is trying to modify a non-child process. Probably that's why it's failing certain leaktests on my system. Seriously, the SS developers need to step up their game, almost all ransomware variants use process hollowing, and HMPA does offer protection against this, even on 64 bit systems if I'm correct.
     
  18. hjlbx

    hjlbx Guest

    Child process memory modification not being blocked was for AppGuard's Memory Protection. That was on the Bouncer thread.

    For process hollowing, SpS support says proper technique is to perform Virus Total lookup - for example for hollowed processes explorer.exe or svchost.exe. I pointed out to them that such a VT lookup returns results for the valid Windows process = safe. I also pointed out that if one defines protected folders, but allows explorer.exe to modify protected folders for normal system operations - then the contents will be encrypted. So it is problematic. At this point in time SpS is only going to protect against ransomware if you block it at execution.

    As SpS support points out, they assume a user is going to perform due diligence on a file before executing it. That's fine in theory, but how many typical users are that disciplined ? Plus, what if a user uploads a file to VT prior to execution and VT returns 0/57 - and then they execute it and know absolutely nothing about malware behavior, system space vs user space, host processes, etc. If the file is ransomware, then they're screwed - that's what.

    I genuinely like SpS products, but there are various quirks that Datpol needs to rectify. Patch Guard is giving them some problems.

    They don't have a beta program. They don't participate actively on any forums. So, to me, the lack of technical infos and difficulty in getting accurate answers is discouraging.

    Some of the available leak tests are so outdated that I think they might not be returning accurate results. It is difficult to know.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    No, this was also discussed in the Secure Folders thread, SS will alert about code injection if a process tries to modify a non-child process. But for some reason it can't deal with child processes, that's why it also fails against ransomware.

    Yes it's a shame, they should have had a forum where developers participated.
     
  20. hjlbx

    hjlbx Guest

    OK. I forgot. Thanks @Rasheed187 .

    I think developers might participate on native Polish language sites. I think there are two few staff or maybe they just don't want to do it.

    I submitted a request to create blog post about SpS on 64 bit systems. To clear up confusion, dis-\mis- information. You know... it is always best to get infos direct from developer. I hope they do it.
     
  21. @Online_Sword tested it and it seems to work

    @kerykeion, after excluding a folder, the idea is to change the allow to block
     
  22. hjlbx

    hjlbx Guest

    32 bit only
     
  23. @hjblx Yes, I downgraded to 32 bits (with Vista), because Desktop and Laptop only had 4GB Ram memory. The low spec low spec dual cores seem to run faster on 32 bits. Probably because they have little cache memory, so then run better with smaller register size on 32 bits. Also the two cores don't have to carry the overhead of the 32 bits system in 64 bits OS.

    So I miss out on Kernel protection and better ASLR randomization, but on the other hand enjoy better features with security programs.
     
  24. hjlbx

    hjlbx Guest

    I agree completely.
     
  25. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,599
    Location:
    North Carolina, USA
    Hello,

    SpyShelter version 10.7.3 has been released:
    Homepage: https://www.spyshelter.com/
    Download: https://www.spyshelter.com/download-spyshelter/
    Blog: https://www.spyshelter.com/blog/
    Changelog: https://www.spyshelter.com/blog/spyshelter-changelog/
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.