SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. Schorg

    Schorg Guest

    @hjlbx is in my opinion is a decent chap.

    @hjlbx tests security software and there is nothing wrong with identifying issues in such software, which if acted upon could be beneficial to the users of such products.

    I appreciate his wisdom and testing in this area.
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    I am having a problem setting up a rule that will allow my VPN (AirVPN.exe) to execute. Under "Application Execution Control" the default rules for any run is always deny all (*). That's that's the case here. But I usually am allowed to edit the rules I want to allow applications to execute; right-clicking on the deny rules and selecting "mark it allowed." However, I am not able to do this with AirVPN.exe; when I cto allow it the rule does not change.

    sshot-1.png

    Any ideas?
     
  3. hjlbx

    hjlbx Guest

    Did you try to delete the rule and re-create it upon next execution of AirVPN ?

    I had an issue with OpenVPN where I had to exit SpS and then restart SpS for the rule to become active - but that was different than your issue.
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    Yep. I've deleted the rule, toggled SSF protection and restated both SSF and arivpn. Nothing seems to be able to change that rule.
     
  5. hjlbx

    hjlbx Guest

    Do you have "Block Suspicious Actions" enabled ?

    Are you using "Ask User" security setting ?

    Since Datpol has implemented some changes over the past few days, it could be a bug. There was a problem with Application Control and no hash checking - perhaps the fix introduced some minor snafu.

    Your image shows AirVPN.exe cannot execute any children processes.

    Nice avatar by the way...
     
  6. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    I did. But I though that since I put airvpn.exe as a trusted signer that should no longer be suspicious. Guess not.

    I was. But I found that is I toggle it to Allow Microsoft and back again the setting now works where I do get asked. That seems to have fixed my issue.

    Right. That's the rule I am trying to change.

    Thanks. Think Michael Scott when you see it!
     
  7. hjlbx

    hjlbx Guest

    Settings > Monitored Actions > at very bottom of list tick "Auto-allow for trusted signer..."

    I think it should work even with Block Suspicious Actions enabled (I don't have SpS installed at this very moment).
     
  8. Schorg

    Schorg Guest

    If you don't mind me making a suggestion try removing AirVPN.exe from Application execution Control and General tabs and manually add to general.

    Go to Rules>General>Create rules for a component(second icon just below General tab(icon which looks like a small green plus) or right click on the title Component name.

    Either enter full path into Component path: or left click ....(button)> to open SpyShelter's File Explorer>locate AirVPN.exe or type in the full path in File name:> press open.

    Go to Execution of an application>select allow>press ok

    Hope this Helps

    I believe @hjlbx is correct that is a bug as I have discovery a bug regarding create rule(no file hash checking) when importing rules only retains the first rule you have create via create rule (no file hash checking)
     
  9. hjlbx

    hjlbx Guest

    This is from both the SpyShelter and the qfx websites (borrowing the nice pretty graphics from QFX) and applies to all anti-loggers...

    This is how an anti-logger works:

    SpyShelter
    1. How does the Keystroke Encryption work?
      The SpyShelter Keystroke Encryption Driver encrypts all keystrokes in real time and sends them via safe tunnel directly to application on which your keyboard is focused, preventing dangerous applications from capturing them. Keystrokes are automatically decrypted once they reach the active window. We do not share detailed technical information about used encryption technique.
      Click here to read more about Keystroke Encryption
    QFX

    "Your keystrokes remain encrypted as they travel through the perilous path in the operating system, where keyloggers can be physically or remotely installed on your computer to intercept your keystrokes.

    When your encrypted keystrokes reach the destination app, the decryption module of the anti-logger goes to work, and you see exactly the keys you've typed."

    In other words, anti-loggers do not transmit encrypted keystrokes over the network; a keystroke decryption key is not transmitted to the remote system - it only happens on the local system. It all basically uses the same concept\methodology as when a wireless keyboard transmits encrypted keystrokes to the USB dongle and the keystroke decryption is performed by the dongle.

    howitworks_h.gif howitworks_v.gif

    The best you can do with an anti-logger is to combo it with a VPN for consumer. In other Consumer and Enterprise products you have a number of options - one is a data sandbox with VPN and the other is an end-to-end, certified clean remote hosted sandbox (Quarri). However, in all cases, once you put your data onto a remote system then you have no control over its integrity or security.
    https://www.qfxsoftware.com/uploads/images/howitworks_v.gif
    https://www.qfxsoftware.com/uploads/images/howitworks_h.gif
     
    Last edited by a moderator: Oct 15, 2016
  10. hjlbx

    hjlbx Guest

    A Scripted Keylogger is a webpage-embedded keylogger. Once the encrypted keystrokes are decrypted in the browser, then there's nothing that can be done in some cases -- with some webpage-embedded keyloggers, data capture doesn't even require you to post the data.

    No anti-logger can protect against a Scripted Keylogger.
     
  11. hjlbx

    hjlbx Guest

    I said this here (sentence below - at the bottom of one of my previous posts - link provided), but it is funny when these kinds of statements are completely ignored - and all the focus is on me pointing out the facts that some find unacceptable.

    "SpS products will protect system if it is configured and used properly; it has almost everything one needs to have a safe computing experience"

    https://www.wilderssecurity.com/threads/spyshelter-10.378379/page-27#post-2624363
     
  12. ald4r1s

    ald4r1s Registered Member

    Joined:
    Apr 8, 2013
    Posts:
    53
    So according to your logic VPN software is useless because it doesn't encrypt keystrokes against keyloggers but it encrypts the connections against being intercepted. You said exactly reverse thing about SpyShelter now. Do you have some inside info on SpyShelter VPN?

    Encrypting keystrokes internally and transmiting data over internet are two completely different things, are you capable of understanding that? Why do you create a problem that doesn't exist?


    You are repeating the same nonsense over and over.

    It's not task of any software to interfere with browser's own memory space.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Sorry, I must have missed this post, but I do indeed combine SBIE with SS. And I haven't been using any AV since 2006 when I dumped Avira, so this is my 10th anniversary. Of course I haven't had any problems with malware.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    If this is truly the case, then it should be fixed ASAP. To clarify, I believe SS does block DLL injection when code is injected into other processes. But according to you it will fail when apps inject code into child processes. It also can not recognize a process hollow attack, once a child process is launched in suspended mode.

    I think this is a bit harsh. Don't forget that SS can correctly detect and block a lot of behavior related to malware, think of: service/driver loading, global and API hooking (keyloggers), low level disk access and read/write access to files.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Yes I agree with this.

    This is true.

    Very interesting link about the 2 separate process hollowing techniques. So you're saying that the newest version does detect it? But how does it do this, can you post some screenshots? Because we have to distinguish between regular code injection, and process hollowing.
     
  16. Spyshelter Free is discontinued, grab it while you can (for instance from filehippo).

    I run it at Medium level with all modules disabled except HIPS. With VoodooShield free (in Auto-pilot) it is an unbeatable freebie pair.

    The trick: select allow folder, choose existing files and future files in this folder, choose OK, next make this rule denied (changing allow to block). I also have enabled 'Auto block suspicious behavior'. This results in a HIPS containment for selected folders and mild auto-blocking of dangereous actions. I have also tuned down VoodoooShield from Smart to Autopilot, but kept blocking of child processes of borwsers on (the VoodooShield anti-exploit feature). I havve disabled CMD+scripts through registry tweak, so windows cmd+windows script+Powershell+scripts+DotNet can't do any harm (withe the command feature of VoodooShield this is enough to provide solid protection).

    :'( helas the end of the unbeatable combi of Spyshelter HIPS module + VoodooShield Anti Executable

    upload_2016-10-15_23-15-57.png

    In Dual core Pentium dual core @3.1 Ghz (G3240) with Sata2 SSD startup time with VoodooShield+Spyshelter HIPS only
    C:\Program Files\Chromium\chrome.exe - 2 executions (AppTimer log)
    0.7814 (cold from disk)
    0.5320 (hot from cache)
     
    Last edited by a moderator: Oct 15, 2016
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,417
    Location:
    Under a bushel ...
    Might still be a combo worth considering with SpyShelter Premium? Would you care to elaborate on the registry tweak?
     
  18. hjlbx

    hjlbx Guest

    Using Registry

    Run regedit to open the Registry Editor. navigate to the following registry key:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

    If the Windows or System key is not present, you may be required to create them.

    In the right pane, double click DisableCMD and set its value to 0.

    If DisableCMD is not present on your system, you may be required to create a new DWORD value, name it DisableCMD and then give it a value 0.

    Now if any user were to try to open CMD, they would see a message:

    The command prompt has been disabled by your administrator.

    Enable CMD

    If for some reason, you need to do the reverse, ie. enable the command prompt, simply disable the Prevent access to the command prompt policy setting. In the registry, you may delete the DisableCMD DWORD or set its value to 1.

    * * * * *

    Disabling Windows Script Host (wscript.exe)

    https://technet.microsoft.com/en-us/library/ee198684.aspx

    * * * * *

    You can do the same with Powershell with powershell script execution (but can't disable powershell.exe) and other processes - just search online for the registry hacks.
     
  19. You have sufficient protection :thumb:

    Yesterday I could still download the free version from FileHippo and CNET
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,417
    Location:
    Under a bushel ...
    :) I wasn't thinking of adding these - just playing around with that combo ...
     
  21. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    Update Released -

    https://www.spyshelter.com/blog/spyshelter-10-8-8-released/#more-7330

     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Kees

    was just looking at download.com and the free version listed is called spyshelter anti-keylogger.

    is that the one you are referring to ?
     
  23. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    No not really, the whole point of features like keystroke encryption and blocking of browser memory modification is to still protect the system even if you have made the wrong decision to allow a certain app to modify the system. So it's basically a failsafe. AppGuard and HMPA do the same, AG will block code injection once malware is allowed to run, and HMPA will alert you if your browser has been compromised with the safe-banking feature.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    In theory, SS should be easily able to defeat hook and message based loggers. Same goes for loggers that want to install drivers. The only problem with SS is that it's almost never being tested against all kinds of malware, so it remains a question how will it perform against the most advanced attacks. Of course the problem with process hollowing/DLL injection into child processes should be fixed, but with SSFW you can at least block process execution of system applications which are often used in these kind of attacks.

    Interesting, but why no option to disable already monitored reg-keys? I would also like to see a more advanced GUI for the firewall/network monitor, perhaps something like Free Firewall and Windows Firewall Notifier, see links.

    http://www.evorim.com/en/free-firewall
    http://www.ghacks.net/2015/06/15/a-first-look-at-windows-firewall-notifier-2/
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.