SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. hjlbx

    hjlbx Guest

    @Windows_Security

    I would really like to see if anyone with a non- *.cn domain IP can replicate this one.

No one that I know who is using a non-Chinese version of Windows can replicate, even using a proxy with a US exit node. And about 10 of us tried.

    I spent days trying to replicate...
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
So basically, when you surf to this site it loads malware (via exploit) that tries to inject code into system processes? Interesting stuff, the question is what type of malware this is. It seems that conhost.exe is executed by IE, but for what purpose? It seems like they are trying to somehow bypass anti-exe tools by using trusted system processes.
     
  3. hjlbx

    hjlbx Guest

I think it is a Locky variant; it's a different version of Locky each time the site is active. It's ransomware.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
Conhost.exe is normally started by csrss.exe as explained here: http://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/ .

    The fact it is running under IE smells of a hollow process routine going on.

    -EDIT-

    Also appears that explorer.exe has been injected with malware. Note that you can't outright block explorer.exe access to Win directories since it does need access to processes there. However, your security solution needs to block unknown process disk or memory injection into explorer.exe.
     
    Last edited: Apr 11, 2016
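The observation above (conhost.exe normally has csrss.exe as its parent, so conhost.exe under IE is suspicious) can be turned into a simple parent/child baseline check. This is an added example, not code from the thread or from SpyShelter; the expected-parent table and the Sysmon-like log lines are constructed for illustration.

```python
"""Flag process-creation events whose parent does not match an assumed baseline."""
import re

# Assumed baseline: child image -> set of expected parent images.
# Illustrative values only; build a real baseline from a clean system.
EXPECTED_PARENTS = {
    "conhost.exe": {"csrss.exe"},
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
}

# Constructed sample events in a Sysmon-style "key=value" layout.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\conhost.exe ParentImage=C:\\Windows\\System32\\csrss.exe
Image=C:\\Windows\\System32\\conhost.exe ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe
Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe
Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe
Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\explorer.exe
"""

# Lazy match on Image so paths containing spaces still parse.
EVENT_RE = re.compile(r"Image=(?P<image>.+?) ParentImage=(?P<parent>.+)$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Return a list of (child, parent) image-name pairs from log text."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((basename(m["image"]), basename(m["parent"])))
    return events


def find_anomalies(events, baseline=EXPECTED_PARENTS):
    """Pairs whose child has a baseline entry but an unexpected parent."""
    return [(child, parent) for child, parent in events
            if child in baseline and parent not in baseline[child]]


if __name__ == "__main__":
    for child, parent in find_anomalies(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {child} started by unexpected parent {parent}")
```

Processes without a baseline entry (explorer.exe here) are not judged; extend the table rather than treating absence as an alert.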
  5. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    @Rasheed187
Even if I would agree with some propositions/demands from your list, some of them could be useless or hard/inconvenient to deal with. Look at the list of "trusted" - what is your expectation? A loooong time ;)...SS has its own list in which there are ca. 10000 (maybe more today) entries and the question is - how many of them do you know well?...how many can you recognise or connect with some application/process? A few dozen?...a few hundred?...one thousand? And what about the rest?
    As I remember we never had access to Online Armor's OASIS and then AMN (the same with Mamutu and EAM)...the same with e.g. PCTools and perhaps Symantec. This feature - WL/BL - can only be enabled or disabled (except individual rules made by the user). We have a similar situation in SS...even more - we can enable/disable the WL feature for each single action listed on the "list of monitored actions".
     
  6. hjlbx

    hjlbx Guest

    I have been advised by SpS staff that they plan a lot of improvements in their products over the next year.

    I think they are aware of a number of issues, however they didn't mention what they would be changing, adding, improving to SpS.

    We'll all just have to wait and see what they come up with...
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I'm trying to visualize, if it's Locky then I assume it's being injected into conhost.exe because it's a trusted system process? This would indeed bypass anti-exe without strict parent-child process control. That's why sandboxing also is not a bad idea, because conhost.exe will still run with low rights, without any direct access to file system, so Locky wouldn't be able to do any damage. And anti-exploit like HMPA/MBAE would also most likely block this.

    Sounds good to me, but I'm a bit skeptical based on the lack of response to some of my requests.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Well, can you tell me which of them could be useless and hard to deal with? I believe most of them are simple features. And about the "Trusted Signers" list, if SS has a list of 10000 software companies which are allowed to run without any alerts, this would be a huge security risk. Comodo Cloud AV also has a list but it's not enabled by default.
     
  9. guest

    guest Guest

You can avoid using the list if you select the high security profile.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Actually I use "Allow Microsoft", since I'm not sure what the Medium and High security level will allow. That's my whole point, this should be visible to the user.
     
  11. hjlbx

    hjlbx Guest

    @ichito - @Rasheed187 wants option to edit trusted vendors - like in NVT ERP or COMODO.

    It is valuable to those that want to allow only those files they have white-listed on system.

    One way is not better than the other, but I think Datpol created it in a way so typical user will not smash their system. So it hides (hard codes) some things.

    Since user can define parent > child execution rules in SpS I think ability to edit trusted vendors is not so important; just set "Ask User Always" and everything is monitored - except for critical Windows processes that Datpol was smart about not exposing to user tampering - lest they smash their system.

    Imagine user creating block rule for svchost.exe or something worse, winlogon.exe - with early start service enabled.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
Yes I agree, this request doesn't have high priority. The other ones that I mentioned are much more important to me.
     
  13. hjlbx

    hjlbx Guest

    I think Datpol implementation is designed to prevent typical users from smashing their systems.

    GUI stuff - they are aware of the criticisms and complaints.
     
  14. XTengri

    XTengri Registered Member

    Joined:
    Mar 26, 2010
    Posts:
    2
    Location:
    Kazakhstan
  15. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,599
    Location:
    North Carolina, USA
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
BTW, another reason why it would be handy to have this is because I noticed that if you disable "auto allow for trusted components", SS will start to alert you about system processes, even in "allow Microsoft" mode. So an option to simply trust only MS-signed applications would be nice.
     
  17. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    614
    Location:
    EARTH
Does anyone know how the auto-clean rules option in the general settings tab works?

    I have to do it manually each time; maybe this option just works on manually created rules, not on the ones created by SS itself!!!

    Rules.
     
  18. hjlbx

    hjlbx Guest

There is no auto-clean in SpS. It is manual rules clean-up only. I asked SpS about it. They said it is not a good idea in case malware modifies files.
     
  19. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    614
    Location:
    EARTH
    Ok, thank you hjlbx.:)

    Rules.
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,759
I tested EIS a while ago and it simply "auto-deleted" firewall rules from uninstalled programs.
    And after testing SpS I thought it would do this too ("auto-clean rules"), and I wondered why rules were not deleted.
    But good to know that it has to be done manually in SpS.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    BTW, I was playing with the anti-exe function and is it true that it only monitors child process execution? I never really checked it out, because I'm already using ERP.
     
  22. guest

    guest Guest

  23. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Yeah, yeah, yeah... get my hopes up again... STABLE isn't out yet.
    *shakes his head* ReHIPS hype is starting to turn into a Kardashian sex-tape.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I don't consider it to be a true competitor since I don't believe it will alert about suspicious behavior.

Anyone? Is it correct that SS allows explorer.exe and other system applications to start any app without an alert?
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Appears what I circled below controls this? You would have to set it to "ask" for any app you wish to monitor other app startups. Then create a specific rule for that app startup.

    SpyShelter_HIPS_Rule.png
     