SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Executables are available for download, you just need to create a config, it won't do anything without the config.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    BTW, I'm currently running Vivaldi sandboxed via SS, just as an experiment. If I'm correct, Vivaldi already has an internal sandbox similar to Chrome's, so I'm not sure if I gain anything. But so far I did get an alert about Vivaldi wanting access to the webcam. The strange thing is that I don't even own one.
     
  4. Eru

    Eru Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    107
    Location:
    Poland - Sosnowiec
    You don't have one but Vivaldi tried appy a hook to a webcam :p
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    OK I see, but this alert only appears when Vivaldi is running restricted, and there is no way to allow this hook.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,485
    what provides good protection for hollowing and RMI?

    EDIT: I assume that if windows script host is disabled, then RMI is blocked?
     
    Last edited: Aug 18, 2016
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,485
    I understand from the posts here that the whitelisting/anti-exe function of spyshelter works pretty well, and the complaints are mainly about the failings of the HIPS, which is sort of a second level of defense, in case the malware somehow executed anyways, perhaps due to a user mistake.

    And it does seem to me that Spyshelter premium, which I have set at "medium" level of security, is pretty good at protecting sensitive windows processes.

    In light of this, would there be any advantage to running secureaplus or voodooshield along with spyshelter, or is that useless?
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    No, RMI is an advanced code injection method, it hasn't got anything to do with blocking "windows script host" or other processes. So called "process hollowing" can be blocked by monitoring the execution of certain processes like explorer.exe or svchost.exe. If some app launches these type of system processes, there is a big chance it's trying to modify them.

    But certain HIPS can spot such an attack out of the box. SS can not do this at the moment, at least not according to certain tests that were done by members. BTW, I don't believe RMI is used by a lot of malware, it's more used as a technique to bypass anti-exploit tools. And HMPA is an example of a tool that recognizes "process hollowing", without relying on user decision.

    Depends on how you look at it. To me the HIPS part is the most important, for anti-exe there are other more user friendly options available, I use EXE Radar. Obviously, nobody will deliberately run malware, but a HIPS/BB might give you a clue that a certain semi-trusted app is perhaps up to no good.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,485
    which HIPS detects process hollowing, out of the box?
    and what can stop RMI?
    Kaspersky is good?
     
    Last edited: Aug 21, 2016
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,485
    I like your approach. The HIPS gives you a second chance, so it is not game-over as soon as you allow an installer to run.
     
    Last edited: Aug 21, 2016
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    Yes exactly. AV + AE and common sense is the first line of defense, HIPS is the second line. The problem is that most people don't understand how to interpret most alerts, so that's why it will always be a tool for the advanced user only.

    But despite all of my "negative comments" about SS, I still think it's worth the money. It's not perfect, and will probably not block all advanced malware techniques, but I think it's good enough. However, a couple of thing should be fixed that would make it more user friendly and a bit more secure.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    Like I said, HMPA can detect process hollowing. SS might be able to detect the first stage of RMI with the "open process or thread for modify access" filter. The problem is that it's way too common for this alert to be triggered. But like I said, I don't believe RMI is used a lot by malware.
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,485
    as for stoppping RMI, what about defining netsh.exe as a vulnerable process in NVT ERP?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    No you're still misunderstanding. Like I said, it's not related to "vulnerable processes" at all. It's often used during exploit attacks, in order make it more difficult for standard AV's to detect malware that's running in memory.

    But it can also be used by malware that is launched by the user themselves. It's basically a DLL injection method, but I'm not sure if HIPS are so easily fooled by it. If I remember correctly, member itman tested a certain tool against the ESET HIPS, and it could spot RMI.

    https://en.wikipedia.org/wiki/DLL_injection
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    BTW, I would love to see SS being tested against the latest malware and simulators like the ones used by MRG, see link. That would give an indication how strong the protection really is.

    https://www.mrg-effitas.com/wp-content/uploads/2015/07/Webroot-SecureAnywhere-Versus-Trusteer-Rapport-Comparative-Analysis-2015-Q2.pdf
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,602
    Location:
    North Carolina, USA
    Hello,

    SpyShelter version 10.8.5 has been released:
    Homepage: https://www.spyshelter.com/
    Download: https://www.spyshelter.com/download-spyshelter/
    Blog: https://www.spyshelter.com/blog/
    Changelog: https://www.spyshelter.com/blog/spyshelter-changelog/
     
  17. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,464
    Location:
    Land of the Light
    Just updated! ;)
    Thanks! :thumb:
     
  18. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Apparently I can't install the update if I want Keyboard Encryption, because Zemana AntiMalware is installed... I've been using these together and found no compatibility issues. I mean I can understand if they blocked installation if Zemana AntiLogger was installed, but not AntiMalware. Also, it ****** me off quite a lot because it doesn't let me override it... *Sigh* Sent e-mail complaining about it, waiting for new update to try again, until then I'm on 10.8.4 :thumbd:

    Besides that I'm quite disappointed by the fact that SpyShelter and Hyper-V conflict on my system. After the Anniversary Update it seems that if both are installed then I'll get BSOD at start. Went back and forth with support and the summary seems to be 10+Hyper-V+SpS = conflict, issue is in old code which would be risky to experiment with and could take hundreds of hours to fix and could cause new problems... So as I understand it this won't be fixed, unless Microsoft undoes what they did with the Anniversary Update... Pfft fat chance.

    Is anyone running SpyShelter and Hyper-V on a Windows 10 Anniversary Update machine without any issues? Basically I just want to know if the issue is isolated to my machine (tried re-installing Windows) or if it's affecting all other or perhaps only some other machines. (Be warned that if you have not tried it, and decide to try it by installing Hyper-V, the BSOD may be of such a nature that fixing it may be troublesome, as such I recommend a full-system backup first)

    Even with the above in mind I'd like to say that I have personally had a really good experience with their support. I also like the program but personally believe it needs some serious work in several areas, for example if your code is old and it would be a hazard changing something there, then perhaps it's time to go through it, understand it and then re-write it.
     
    Last edited: Sep 6, 2016
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    "New version of SpyShelter is now available.

    Known issue: Automatic update option in background will not work while upgrading to 10.8.6, so please do manual update by downloading the installer from our Download Page.

    NOTE: Installer file name for Premium version has changed its name to premiumsetup.exe (previously setup.exe).


    SpyShelter 10.8.6 introduces an option to enable non-styled table lists. It is for users who prefer performance over visuals. Disabling it speeds up scrolling experience, especially at Rules list. We also updated some translations and added a button on alternative rules view which allows to delete single rule.

    List styles can be disabled in Settings>General tab.

    SpyShelter 10.8.6 Changelog (07/Sep/2016)

    – GUI: Added option to disable lists skinning
    – Language updates
    – General small improvements"
    https://www.spyshelter.com/blog/spyshelter-10-8-6-released/#more-7059
     
  20. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    thank you updated.:)
    hope add option for other skinning part :);)
     
  21. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    The above issue regarding the installer refusing to install in the presence of Zemana AntiMalware has been fixed with the 10.8.6 release. :thumb:
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
  23. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    Sygate, Jetico, Rising...they have similar monitor but for me the coolest was in Online Armor..."was" - unfortunately it's a good word in this case...
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    @ ichito

    Yeah, a tool like SSFW should have had a more advanced Network Monitor, with the ability to show all active connections. And that's what I mean when I say there is no true innovation going on. Also, why isn't there a simple process monitor which lets you mark running processes as trusted or restricted, know what I mean? And there still isn't an "auto-block" mode.
     
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,485
    how do you do sandboxing in spyshelter? is that a feature of the SpS firewall edition?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.