SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    There is no "ask" option. But anyway, the anti-exe feature in SSFW is very confusing, it needs some serious work. BTW, have you already tested SS against RMI? Apparently it does protect against this on Win 10 64 bit.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    No. Have no desire to. Perfectly happy with Eset's HIPS performance and features.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Suspect it is WIN 10 doing the protection and not SpyShelter.
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    No...is not true. I run most of my files using file manager FreeCommander and every new file...installers, aplication or whatever...gives me an alert of SS.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    See reply #411. Appears you have to set SS to "always ask user." This appears to be the same as running a HIPS in interactive mode. You then create a rule and are not longer alerted for the same activity.

    SS appears to me to be a hybrid behavior blocker/HIPS along the lines of Comdo's Defense+.

    For example in a true HIPS, a rule will always have a source and a target app specification. If you leave the source or target app blank, it defaults to all processes. Note that there are no internal defaults in a pure HIPS other than default rules coded by the vendor. If a rule doesn't exist, the process runs without restriction except when the HIPS is running in interactive or policy mode. In interactive mode if a rule for the process doesn't exist, the user is alerted. In policy mode if a rule doesn't exist for the process, it is blocked.

    In a behavior blocker, rules can only be created for a specific process. A behavior blocker uses internal rules to determine what to do with processes. For unknown/untrusted processes, this is usually to alert the user and have them make the decision to allow or block; resulting in a like rule for the process being created. Additional examples of internal default rules used would be to allow all signed system processes and known trusted apps to run w/o restriction, etc..

    Appears in SS, the only way you can specify the monitoring e.g. ask mode, is globally which is the equivalent of running a HIPS in interactive mode.
     
    Last edited: May 21, 2016
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    OK I see, I thought you made the screenshot yourself. But you often install apps just to test them, and SS is known to be quite stable, so you might want to consider giving it a spin.

    No, the SS developers tested it, and SS gave an alert about "open process or thread for modify access". In the now closed "HIPS thread", I already expected that this would catch RMI. The only problem is that this alert is presented way too often during normal PC usage.

    Yes correct, it will alert about child processes, but for some reason it won't alert about processes being launched by explorer.exe, it's probably a configuration error. But the good news is that this will block malware from launching system apps like svchost.exe, explorer.exe and other apps used in attacks like cmd.exe. I should have played with this feature earlier, since it complements EXE Radar.
     
  7. hjlbx

    hjlbx Guest

    You have to:

    Set SpS to "Ask User" and delete Application Execution allow rule for explorer.exe.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    I will check it out, but it's not a big deal because I actually want SS to allow explorer.exe, but it would be cool if configuration of anti-exe would become more like in ERP. And I think I remember why I never enabled the anti-exe feature in SS, it's because it might become annoying when you install software. And using "install mode" would stop SS from alerting about suspicious behavior.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    @ hjlbx

    Didn't you test SSFW against ransomware? What happened when you blocked them from launching explorer.exe, did it stop the "process hollow" attack? If I recall correctly, you said that SS failed to protect against ransomware, but I forgot why exactly.

    BTW, I tested it against the Exploit Test Tool and it blocked all tests. Of course it didn't block the exploits, but it blocked process execution, and the blocked process doesn't even show up in "suspended state" once the block rule has been made.
     
  10. hjlbx

    hjlbx Guest

    You can define an "Ask" rule for explorer.exe - which prevents it from automatically launching an application.

    However, SpS does not detect hollow process - even if you do a VT lookup of hollowed explorer withing the SpS HIPS alert - it will return the infos for the legitimate explorer.exe.

    So, with SpS, the best you can do is not to execute any unknown\untrusted files.

    * * * * *

    Personally, I think SpS is a decent security soft, but there are some areas that need improvement.

    Datpol said they would be improving SpS, but they didn't indicate what they would be improving.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    OK, but if you block ransomware from running child processes like explorer.exe and svchost.exe, doesn't this already stop the attack? Because most ransomware will not directly encrypt files, it will use explorer.exe or another trusted system app. And if they do try to directly modify files, the folder/file protection feature of SS should be able to protect your private data.
     
  12. hjlbx

    hjlbx Guest

    Yes. If you block execution of explorer.exe, it will block encryption by hollowed explorer.exe.

    I suppose the rule to follow generally is this: Do not allow any unknown\untrusted process from User Space to execute a process in System Space.
     
  13. ald4r1s

    ald4r1s Registered Member

    Joined:
    Apr 8, 2013
    Posts:
    53
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    OK I see, so basically SS can block the attack in the early stages, but once you allow certain things like process execution or memory reading, it can't protect you. So that is something that needs to be improved. It must be able to block RMI, process hollowing and code injection into child processes in various stages.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    First, explorer.exe by virture of being the desktop shell is always running.

    Process hollowing as it pertains to explorer.exe usually works this way. The malware does RMI on explorer.exe. Using the injected code, the malware starts another high privilege system process in a suspended state. The malware then carves out the memory of the suspended process and injects its main payload malicious code. The malware finally starts the infected suspended system process and terminates itself.

    To detect the above activities, the security solution must first be able to detect the creation of suspended sub-processes. If it can't do that, it is "game over" at this point. Ideally, the security solution should detect the RMI injection to explorer.exe which is the initial infection vector.

    The malware authors are clever. They will try to pick a process to suspend that normally runs as a subprocess to explorer.exe such as an e-mail client, special device software, audio GUI, etc..
     
    Last edited: May 28, 2016
  16. hjlbx

    hjlbx Guest

    Datpol stated fixing this on 64-bit systems will be difficult.
     
  17. hjlbx

    hjlbx Guest

    If you test SpS against ransomware, you can block explorer.exe. It's straight forward block of the run sequence at explorer.exe.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    That is well and fine. As we all know, it is perfectly acceptable to have to multiple instances of explorer.exe running under services.exe. However, this is not process hollowing activity as I described previously.

    -EDIT-

    Also worth noting is that malware will usually not target explorer.exe for process hollowing activities since it is one process that almost all security software monitors. Instead it will chose a high privileged process such a svchost.exe and create that as a suspended process under its dropper process as the target for its memory hollowing activities.
     
    Last edited: May 28, 2016
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    SS can block child process execution, so this will block process hollowing. According to the developers it can also block RMI by blocking opening/reading of process memory. But if you allow those things, it can't protect you anymore.

    SS will alert about ALL child processes being created, including svchost.exe, so it doesn't matter which process malware tries to modify. However, I haven't actually tested it against malware.

    But apps like HMPA and Emsisoft can all do it, without even relying on user input, so why can't SS, know what I mean?
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Referring back to the testing and discussion on like topic in the 'Classical HIPS' thread, a number of security solutions are effective against detecting spawned active sub processes. They are likewise effective for RMI against active processes. However, many do not detect creation of suspended sub processes or RMI against suspended processes.
     
  21. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Hello!

    I'm interested in SS free because of its HIPS. Is it strong enough to stop malicious activity? Their explanation about HIPS freemium "System Protection module is monitoring less actions" is rather vague.

    Thank you.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    I don't think there is a difference between blocking a suspended or non-suspended process from loading. I tested SS with the process hollowing tool from GithHub, and it blocked loading of CMD.exe, so it couldn't perform the process manipulation. Developers tested the RMI tool (also on GitHub) and if memory reading/opening was blocked, it also passed the test on Win 64 bit.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    According to your posting here: https://www.wilderssecurity.com/thre...d-hips-discussion.372859/page-29#post-2580990 SS failed this process hollowing test?
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,762
    Location:
    The Netherlands
    That was because back then I didn't have anti-exe enabled. That's what I'm trying to explain, HIPS should be able to identify such an attack. SS can block RMI and process hollowing in its first stage, but it depends on user input, so it won't auto block these type of attacks, and doesn't let you know that something fishy is going on.
     
  25. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Just found out it in SS. Actually there's an answer in "Settings" in the "List of monitored actions": there're 65 actions, 11 are disabled in freemium:
    4 for "Screen Protection"
    3 for "Web cam", "Sound", "Internet Security"
    4 for "System Protection" (out of 40)

    Not so much disabled in freemium.

    I think it's worth to try SS free.
     
    Last edited: May 29, 2016
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.