SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. ald4r1s

    ald4r1s Registered Member

    Joined:
    Apr 8, 2013
    Posts:
    53
    I just noticed that change when I wanted to scan a file. I haven't had time to check on the release notes lately...

    I have used this function very occasionally, I will not really miss it, although having VT back or a replacement would still be nice.
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,594
    Location:
    North Carolina, USA
  3. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,464
    Location:
    Land of the Light
    Just updated! :thumb:
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,594
    Location:
    North Carolina, USA
  5. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,464
    Location:
    Land of the Light
    Too frequent updates lately...:eek:
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,685
    But if the frequent updates are fixing bugs, I welcome the updates.
     
  7. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,464
    Location:
    Land of the Light
    No doubt about it.:thumb:
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,549
    Location:
    The Netherlands
    Now we only need major new protection features and a better, more handy GUI. But I'm not counting on it, so I'm a bit disappointed but you can't have it all.
     
  9. Schorg

    Schorg Guest

    Hello SpyShelter users,

    I have been experimenting with a few vulnerable processes for a few months, by adding them to the Restricted Apps List, such as :-

    c:\windows\system32\CMD.exe
    c:\windows\system32\Rundll32.exe
    c:\windows\system32\Regsvr32.exe

    I have not experienced any issues so far; only when I've installed new programs do I need to temporarily remove Rundll32.exe and Regsvr32.exe (but that is expected!!)

    Has anyone else tried adding vulnerable processes to Restricted Apps List?
     
  10. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    I'm having some issues. I'm using the Firewall version and I have it set to "Ask User" (because I want to make my own rules for everything). I've already opened a ticket with SpyShelter but have yet to receive any response, probably because I brought up a lot of issues in the ticket, so writing an answer would take some time.

    My first issue is that while the computer is idle, cleanmgr.exe will try to launch dismhost.exe from appdata\local\temp\[random folder name]\, and even if I answer the Application Execution Control alert with "Allow" and "Remember my choice", the application cleanmgr.exe isn't added to the Application Execution Control list, so it isn't actually remembering my choice. The same happens if I check the box in the alert to let cleanmgr.exe execute any application.
    Pre-post addendum: I remember that before the first cleanmgr.exe alert I received an alert for literally no process trying to launch the dismhost.exe file. The field for the application trying to launch it was blank and "View details" didn't do anything. Not sure if relevant. Also, I've tried re-installing without keeping any rules/settings, didn't fix the issue.

    My second issue is with the firewall. I made a trusted zone with advanced rules, but only for outgoing and with the remote IP 10.220.0.0/24... The issue is that the same rule allowed pings to 8.8.8.8... how is 8.8.8.8 included in 10.220.0.0/24? If I removed the trusted zone, then pinging 8.8.8.8 would cause an alert which I had to answer. In other words, I don't understand how the firewall works. It doesn't make sense to me.

    My third issue is that I want to make a zone to allow incoming requests on port 57372 but block all other incoming requests. This seems impossible, since the zone list doesn't use a hierarchical priority list, meaning that rules can conflict, and it seemed the "block all incoming" rule took precedence over "allow incoming port 57372", which I don't understand, since usually the more specific rule (a single port vs. all ports, etc.) is the one that takes precedence in these sorts of situations.

    My fourth issue is that, as a result of issue three, I decided to make a custom rule for the application in question, and I made a rule to allow incoming requests on port 57373 (notice that I accidentally typed 57373 instead of 57372 in the rule) and... wait... the application was allowed to listen on 57372. So the ports for incoming make literally no difference? If the custom rule were being followed, then the application wouldn't be able to listen on port 57372...

    So, can anyone shed some light on this for me while I'm waiting for an official response? I think issue #1 is a bug but issue #2-4 might be bugs or me just completely misunderstanding everything about the firewall. Also I'm using WFP driver for the firewall, would it make sense to switch to the other driver? Haven't been able to find anything explaining the differences between the drivers in the help file. Oh also that's another thing, the help file is somewhat lacking in my opinion.

    So far I'm liking SpyShelter Firewall, but the firewall part has me so confused; it seems to operate under some rules from a different dimension or something. Also, the lack of options when manually editing the Application Execution Control list is disappointing. There was no way for me to manually add cleanmgr.exe to that list, and even if I could, there would be no option for me to add a wildcard to its rules, since adding rules only accepts browsing and not typing, meaning you can't enter wildcards in a path.

    I'm hoping some of this will be addressed by SpyShelter in their official response but until then maybe someone on here can shed some light on these issues?
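SanyaIV's second, third and fourth issues all turn on how zone and custom rules should be matched. The following is an added reference model, not SpyShelter's code and not a description of how its firewall actually behaves, of how a practitioner would expect such rules to evaluate: CIDR membership decides whether a remote address is inside a trusted zone (8.8.8.8 lies outside 10.220.0.0/24), the most specific matching rule wins over a catch-all, and a rule pinned to one port does not cover a different port. The rule names, the example addresses and the "ask" fallback are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added reference model (not SpyShelter's code): how a practitioner would
# expect zone/custom firewall rules to be matched against a connection.


@dataclass(frozen=True)
class Rule:
    name: str                                       # constructed label
    action: str                                     # "allow" or "block"
    direction: str                                  # "in" or "out"
    remote: Optional[ipaddress.IPv4Network] = None  # None = any remote address
    port: Optional[int] = None                      # None = any port

    def matches(self, direction: str, remote_ip: ipaddress.IPv4Address,
                port: Optional[int]) -> bool:
        if self.direction != direction:
            return False
        if self.remote is not None and remote_ip not in self.remote:
            return False
        if self.port is not None and self.port != port:
            return False
        return True

    def specificity(self) -> int:
        # A pinned port outweighs any address narrowing; among address
        # constraints, a longer prefix (smaller network) is more specific.
        score = 1000 if self.port is not None else 0
        if self.remote is not None:
            score += self.remote.prefixlen
        return score


def in_network(ip: str, cidr: str) -> bool:
    """True if ip lies inside the CIDR block (strict=False tolerates host bits)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: List[Rule], direction: str, remote_ip: str,
             port: Optional[int], default: str = "ask") -> Tuple[str, Optional[str]]:
    """Return (action, rule_name). The most specific matching rule wins; on a
    tie 'block' beats 'allow' (fail closed). With no match, fall back to
    `default`, standing in for an "Ask User" prompt."""
    ip = ipaddress.ip_address(remote_ip)
    candidates = [r for r in rules if r.matches(direction, ip, port)]
    if not candidates:
        return default, None
    best = max(candidates, key=lambda r: (r.specificity(), r.action == "block"))
    return best.action, best.name


# Constructed rule set mirroring the post: a trusted outbound zone for
# 10.220.0.0/24, a catch-all inbound block, and an allow for port 57372.
ZONE_RULES = [
    Rule("trusted-zone", "allow", "out", ipaddress.ip_network("10.220.0.0/24")),
    Rule("block-all-in", "block", "in"),
    Rule("allow-in-57372", "allow", "in", port=57372),
]

# The mistyped custom rule from issue four: 57373 instead of 57372.
CUSTOM_RULES = [
    Rule("block-all-in", "block", "in"),
    Rule("allow-in-57373", "allow", "in", port=57373),
]

if __name__ == "__main__":
    print(in_network("8.8.8.8", "10.220.0.0/24"))            # False
    print(evaluate(ZONE_RULES, "out", "8.8.8.8", None))       # ('ask', None)
    print(evaluate(ZONE_RULES, "in", "192.0.2.5", 57372))     # ('allow', 'allow-in-57372')
    print(evaluate(CUSTOM_RULES, "in", "192.0.2.5", 57372))   # ('block', 'block-all-in')
```

Under this model a ping to 8.8.8.8 never matches the trusted zone and falls through to the prompt, the port-specific allow beats the catch-all block because it scores higher on specificity, and a listener on 57372 stays blocked when the only allow names 57373. If a product deviates from any of these three outcomes, that is the behaviour worth testing and reporting, with the exact rules and traffic that reproduced it.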
     
  11. hjlbx

    hjlbx Guest

    1. The cleanmgr (dismhost.exe) during System Idle has been reported to Datpol repeatedly. You can run Automatic Maintenance and allow dismhost.exe so that it creates a permanent allow rule.

    2. The SpS firewall is quite buggy and un-refined. It made no sense to me as to how it works. I know that doesn't answer your questions. Dealing with Datpol support is slow and frustrating. Expect single-line answers...

    3. Use WFP (Windows Filtering Platform); don't switch to TDI - it essentially is a legacy filter for XP.

    TDI is a driver that works anywhere from Windows XP to Windows 8.

    WFP is a driver that works on Windows 7 and above.

    Generally WFP is designed to be a more reliable and standard way to filter traffic, but in practice due to third party software products installed (antivirus, firewall, etc) either driver may fail to work correctly.

    Switch to TDI only if WFP doesn't work.

    * * * * *

    SpSFW is quirky - as you are finding out.

    On 64-bit systems it will not detect process hollowing or memory injection, and the Restricted Apps only provide partial protection. Trying to get technical info from Datpol is next to impossible - it seems they do not want to tell any users the exact limitations of SpSFW on 64-bit systems.

    SpSFW still needs some crucial improvements and refinement.
     
  12. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Thanks for the reply, that finally fixed the cleanmgr.exe issue for me. Shame SpSFW doesn't work too well on 64-bit systems; I still like it though, for the protection it still delivers. I think I'll stop trying to make advanced rules with the firewall from now on and only use the default allow/block all outbound/inbound rules instead of specifics, at least until such a time as the firewall is improved.
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,594
    Location:
    North Carolina, USA
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,549
    Location:
    The Netherlands
    I tried it, but I noticed that it broke legit behavior, so I stopped with this experiment.
     
  15. Schorg

    Schorg Guest

    Rasheed187 wrote: "I tried it, but I noticed that it broke legit behavior, so I stopped with this experiment."

    Thank you Rasheed187, could you maybe elaborate on the issues you have faced?

    I have also added c:\users and removable drives to Restricted Apps

    The only issue so far with restricting c:\users is that, for OneDrive to work correctly, you need to add c:\onedrivetemp, c:\users\username\onedrive and c:\users\username\appdata\local\microsoft\onedrive to folders with write access.

    As yet I have not faced any additional issues.

    Edit - Strange, quotes not working when clicking on reply?
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,549
    Location:
    The Netherlands
    Quotes are working for me, you probably did something wrong. But if I recall correctly, I tried to restrict both rundll32.exe and dllhost.exe, but it broke some stuff. That's why it's so tricky to restrict these types of system processes; it would be cool if you could restrict them only when launched by non-trusted apps.
     
  17. Jerry666

    Jerry666 Registered Member

    Joined:
    May 28, 2002
    Posts:
    176
    Do you have a list of any of the system processes that work when restricted?
     
  18. Schorg

    Schorg Guest

    How strange, I did exactly the same, highlighting the text and clicking reply, and quote now works.

    Anyway, yes, it would certainly be ideal to be able to restrict vulnerable processes just for non-trusted apps. Thanks for your reply.
     
  19. hjlbx

    hjlbx Guest

    It might or might not work. Datpol advises strongly against it.

    A lot of system processes on 64-bit systems cannot be added to Restricted Apps due to sysnative (file redirection).

    Vulnerable Processes:

    https://malwaretips.com/threads/vulnerable-processes.56154/

    https://malwaretips.com/threads/vulnerable-processes.56154/#post-479259

    In SpyShelter you really should disable (block the execution of vulnerable processes in Application Execution Control) - and not add them to Restricted Apps.

    If you need one of the vulnerable processes, then you can unblock it temporarily - do what you need to do with it - then re-block its execution.
     
  20. Schorg

    Schorg Guest

    I do prefer to block vulnerable processes in Application Execution Control, as you recommend, rather than restricting them.

    I am interested in restricting some as an experiment - especially users directories.

    I tried to contact Datpol regarding limitations of the restricted apps in Windows 8/10. Not very detailed replies.

    I would love to know the limitations of restricted apps. It bugs me what's missing.
     
  21. hjlbx

    hjlbx Guest

    1. Typical response from Datpol = one or two basic sentences; never a detailed explanation so one can fully understand.

    2. Datpol won't say...
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,160
    Some time ago I got 2 and ~5 basic sentences :D
    Which helped me 0%; it's like a robot has answered the support tickets and is only shuffling the words/sentences with each email.
     
  23. hjlbx

    hjlbx Guest

    LOL... @mood you explain it perfectly ! :D
     
  24. Schorg

    Schorg Guest

    Hjlbx and Mood, so true; after a 2-day wait your question becomes the answer.
     
    Last edited by a moderator: Jul 20, 2016
  25. Schorg

    Schorg Guest

    Could you tell me which vulnerable processes SpyShelter Firewall is unable to add to Application Execution Control on 64-bit systems? As I have added, I believe, all of them without issue, following your advice on MalwareTips and adding to the updated list from the Bouncer thread by WildByDesign. Thank you to both for providing such valuable lists!!!

    As I believe that when you go to Application Execution Control>right click on All components>create a rule>.... you are provided with SpyShelter's file explorer.

    On the left-hand side you are presented with quick access, OneDrive, This PC etc.; amongst these is SpyShelter GUI and below it is the folder Sysnative.

    I have added via this way:

    c:\windows\sysnative\bcdedit.exe
    c:\windows\sysnative\bcdboot.exe
    c:\windows\sysnative\bootim.exe
    c:\windows\sysnative\bootsect.exe
    c:\windows\sysnative\bootcfg.exe
    c:\windows\sysnative\systemreset.exe

    I have added all other vulnerable processes without the need for SpyShelter Sysnative, which I have attached within this post (SpyShelter VP.txt)

    I have had no issues; for all the vulnerable processes I have tried to execute, I am presented with access denied.

    I have not added runonce.exe as I require it for MBAE, but only MBAE is able to use runonce.exe

    I have also added C:\users (user space), which is working rather well.

    Edit :- Updated my SpyShelter VP.txt

    I have also added the following to the Restricted apps list :-

    [Removable drives]
    any hard drive partition, i.e. E:\ etc.
    ?:\$RECYCLE.BIN\
    c:\windows\system32\macromed\flash\flashutil_activex.exe

    Also removed msiexec.exe from the Restricted apps list and added it to Application Execution Control>All components with a deny rule.

    Please note that if you are going to install/update a program, you will have to temporarily remove c:\users and c:\windows\system32\Rundll32.exe from the restricted apps list, and in Application Execution Control>All components, if the program requires installing a driver/service, you need to make it allowed for
    c:\windows\system32\Regsvr32.exe.

    All in all working rather nicely for everyday computing.
     


    Last edited by a moderator: Jul 22, 2016