SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
You are correct in that if malware can be stopped at the dropper stage, then it cannot execute its more advanced payload infection methods. The problem is that current malware is increasingly resorting to using valid Win processes against itself. These are the ones that can slip through HIPS or anti-exec detection. An example of such I posted here: https://www.wilderssecurity.com/thre...erception-software.385640/page-2#post-2591396 that applies to anyone using Vista or Win 7.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    Yes, so in other words, don't let untrusted apps launch system apps for no good reason, and you're good to go.
     
  3. hjlbx

    hjlbx Guest

    I don't know about the RMI blocking capabilities of SpS since I never tested any malware against it that used RMI.

    The developers are sketchy about clearly stating what SpS can\cannot block.

    * * * * *

    As far as hollow process, SpS cannot block it; you have to know which child processes to block - e.g. explorer.exe, svchost.exe, etc - which, to me, requires way too much of the user.

    Effective use of SpS requires practicing with actual malware in order to learn malware behaviors. When you do this you will quickly learn SpS' quirks - which are more than a few.

    The rule I would follow is to block any User Space process from executing a System Space process.

    * * * * *

    Because SpS is sketchy in some areas and the price of a lifetime license is $100+, I have opted not to use it.

    The only way to protect your system completely with SpS is not to execute any unknown\untrusted files in the first place.

    If that is the case, then I don't need SpS as there are much cheaper (and arguably better) alternatives.

    * * * * *

    The fact is that SpS' protections are not quite there yet for 64-bit systems -- and based upon replies and interaction with support -- I am not entirely confident that Datpol will be able to make SpS at least equivalent -- overall -- to other solutions.

    For example, Datpol keeps saying they are going to fix all issues with their interface, but they have been saying this for a long time.
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
Probably yes...so I tried to make a "global deny rule" for explorer.exe using "Application Execution Control" in the "Rules" module in SSFW...in Premium it's not available. I highlighted explorer.exe on the list of parent processes (on top) and then in the bottom box and set the rule "block" for it. I don't know how it will work in practice, but I know that the same rule for a file manager blocks launching any file.
    -----------------
    Edit:
    it doesn't work...no way to launch usual apps.
     
    Last edited: May 31, 2016
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    That's no surprise, of course explorer.exe should be allowed to launch child apps. I think SS should only alert about system apps that are being launched from C:\Windows. It should not alert about ALL child processes (like .tmp processes), because during software install it becomes annoying, but you can not choose "Install Mode" since it will then stop monitoring of all suspicious behavior.

    I know what you mean, but I still think it's better than other competing solutions. The license is a bit expensive, I think 20 bucks a year and 50 bucks for the lifetime license is more realistic, perhaps it would even boost sales who knows. And they should scrap SSFW, the anti-exe and firewall feature should be offered in SS Premium.
     
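The rule hjlbx states above (block any User Space process from executing a System Space process) and Rasheed187's refinement (explorer.exe should be allowed to launch children; .tmp children outside C:\Windows should not alert), written out as a small decision function. This is an added example, not SpyShelter's or Datpol's code; the directory prefixes, the trusted-parent set and the sample events are assumptions.

```python
import ntpath

# Assumed prefix sets for "System Space" and "User Space" (case-folded).
SYSTEM_SPACE = ("c:\\windows\\",)
USER_SPACE = ("c:\\users\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Parents that legitimately spawn many children and are exempted from the rule.
TRUSTED_PARENTS = {"c:\\windows\\explorer.exe"}


def normalize(path):
    """Case-fold and collapse '..', '.' and forward slashes, so that
    C:/Users/x/../../Windows/cmd.exe is judged as C:\\Windows\\cmd.exe.
    Caveat: device paths (\\\\?\\...) and 8.3 short names are not covered."""
    return ntpath.normpath(path).lower()


def space_of(path):
    """Classify an image path as 'system', 'user' or 'other'."""
    p = normalize(path)
    if p.startswith(SYSTEM_SPACE):
        return "system"
    if p.startswith(USER_SPACE):
        return "user"
    return "other"


def decide(parent, child):
    """Return (verdict, reason) for one process-creation event."""
    parent_n = normalize(parent)
    if parent_n in TRUSTED_PARENTS:
        return "allow", "trusted parent"
    if space_of(parent_n) == "user" and space_of(child) == "system":
        return "block", "user-space parent launched system-space child"
    return "allow", "no rule matched"


# Constructed sample events (parent image, child image); paths are hypothetical.
SAMPLE_EVENTS = [
    ("C:\\Users\\bob\\Downloads\\invoice.exe", "C:\\Windows\\System32\\cmd.exe"),
    ("C:\\Windows\\explorer.exe", "C:\\Program Files\\Firefox\\firefox.exe"),
    ("C:\\Program Files\\Firefox\\firefox.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.tmp"),
    ("C:\\Users\\bob\\app.exe", "C:/Users/bob/../../Windows/System32/rundll32.exe"),
]

if __name__ == "__main__":
    for parent, child in SAMPLE_EVENTS:
        verdict, why = decide(parent, child)
        print(f"{verdict:5} {ntpath.basename(parent)} -> {ntpath.basename(child)}: {why}")
```

The fourth sample shows why the paths must be normalized before the prefix test: a child given with forward slashes and `..` components still resolves into C:\Windows and is blocked.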
  6. hjlbx

    hjlbx Guest

    The only HIPS alternative product for 64-bit systems is ReHIPS - but it only monitors execution. Instead of full spectrum action monitoring it instead uses Windows' built-in containment protections (separate user profiles for each application which are isolated from each other).
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Comodo's Defense+ ?
     
  8. hjlbx

    hjlbx Guest

    I know. I meant essentially HIPS-only alternative. COMODO HIPS would be great -- if they can only fix the "disappearing rules" bug.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    I'm not sure why people are so excited by ReHIPS, it's mostly focused on isolating. Sandboxie is already quite good doing that. When it comes to standalone HIPS (behavior blockers) SS is far from perfect, but I still prefer it over Comodo and others.

Also, let's not forget that HIPS is the last line of defense; AV and AE combined with common sense should keep malware from your system in the first place. Against the most advanced malware most HIPS will fail anyway, but that doesn't mean I also want to see SS reach a higher level of protection.
     
  10. hjlbx

    hjlbx Guest

    ReHIPS' HIPS acts completely as anti-executable. It is not a full HIPS like COMODO, Eset or SpyShelter.

    ReHIPS' isolation\containment doesn't use User Mode Hooks. Sandboxie uses User Mode Hooks and that is one area where it is susceptible. Either way - User Mode Hooks or no User Mode Hooks the risk is quite small -- so either ReHIPS or Sandboxie are worthwhile.

    ReHIPS is a good program, but it still needs bug fixes and usability improvements.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
Perhaps it shouldn't even be called a HIPS, if it doesn't alert about suspicious behaviors. And a lot of security tools are using user mode hooks; I don't see how it's an advantage if ReHIPS doesn't. Here's some more info:

    http://www.malwaretech.com/2014/10/usermode-sandboxing.html
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,599
    Location:
    North Carolina, USA
  13. guest

    guest Guest

    New VT policy, SS "first blood"?
     
  14. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    Probably yes...the second I know...first I noticed was CrowdInspect.
     
  15. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    :( What do you mean?
     
  16. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
Any special news from Spyshelter?
     
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
  18. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
Hope the "no skin" reverts back, or the theme is completely removed.
Plus I think the next product should be Spyshelter Internet Security,
as I see the below key in the registry:
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyshelterInternetSecurity_is1
    this is just my guess :)
     
    Last edited: Jun 14, 2016
  19. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    :thumb:
     
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
Nice finding...it suggests possible changes and new features :thumb:
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    "SpyShelter 10.7.8 (17/June/2016) Changelog:
    – Added cleaning rules feature for parent/child processes at App Exec control
    – Added option to improve compatibility with remote control tools
    – Keystroke Encryption driver compatibility improved
    – Fixed BSOD in KE driver on 32 bit systems"


    "SpyShelter 10.7.8 brings a couple of new features and improvements.


    We have added an option which makes it possible to operate SpyShelter via various Remote Control applications (such as Teamviewer).

    This option is available in Settings>Security and is turned off by default. System restart or SpyShelter restart might be required after enabling this option.


    Application Execution Control at SpyShelter Firewall received a Cleanup feature. It allows to clear the rules created for temporary and nonexistent files. In order to clean up the rules in App Execution Control, simply right click on the list of applications and choose Cleanup option from the dropdown menu.


    Keystroke Encryption received further compatibility upgrades and a rare crash that could occur on 32bit systems has been fixed."
    https://www.spyshelter.com/blog/spyshelter-10-7-8-released/#more-6851
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    Actually, I expected that the new ruling wouldn't affect tools like SS. I'm a bit surprised, but it's not a big deal since you can still use VT Uploader.
     
  23. Aeolis

    Aeolis Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    60
    Hello folks,

Has anyone experienced problems on Windows 7 x64 boot after updating to SpyShelter Premium 10.7.8 from 10.7.7?

    Best regards,

    Aeolis
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
BTW, the thing that still drives me insane is the "log window"; it's useless to me in its current state. It logs all executions, and also allowed and blocked behaviors of trusted apps, making it way too cluttered. Even worse, you can't even see what is blocked/allowed until you click on an entry, and there are no app icons visible. It should have been like in NG and OSSS, see screenshots.
     


  25. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
Hmmm...except the possibility to scan a suspicious/unknown process on VT directly from the alert, which was sometimes useful :)
     