SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    Is anyone else facing the same issue with SS installed together with StartIsBack on Windows 10 x64?
    When those two are installed desktop automatically refreshes every few seconds and right click doesn't work. Any open explorer window shuts down automatically and start menu does not work either. The only solution is to run CCleaner and uninstalling SS or StartIsBack.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,788
    Location:
    The Netherlands
    I think some have misunderstood your question, but yes I agree. HMPA is indeed able to tackle attacks that SS can not stop. SS doesn't protect against certain code injection methods, including process hollowing, and also can not protect against most ransomware variants, not even with the file/folder protection feature. The reason why I still haven't installed HMPA, is because of concerns about incompatibility with Sandboxie.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,788
    Location:
    The Netherlands
    BTW, about the file/folder protection feature, I noticed that when I upgraded to Firefox 50, I got alerted about file modification of the Firefox folder, but I never made a rule to protect this specific folder. So isn't it possible for SS to protect only certain sub-folders, instead of all folders in for example C:\Program Files?
     
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
  5. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    Why do you think so? How much makes a "most" and how many tests you know? Post #32 (page 2) in this thread shows link to anti-ransom test of "Protected files/folders" and the result is "files are not encrypted".

    We don't know how rules you have so it's hard to answer your question...but trying to be a palmist I can say ;)
    - folders are protected with subfolders and whole content of it according to main rule - "general" or "personal" (which is default attribute)...
    - ...except individual rule made for specified objects...e.g. main rule for folders is "general" but some files/folders have "personal"
    - it means that - if the "Programs Files" folder is protected as the single object - every object inside are by default protected also and no matter how attribute they have
    - different attributes give for user less or more alerts as the visible effect if potential changes are detected...
    - but sometime you don't have an alert when process is allowed for every action.
    I tried to repeat on my system your situation - upgrade from Ff 47.2 to 50 with Program Files protected as the single object and as the result I've got:
    - two alerts about Firefox folder modification with "general" rule
    - four alerts about modification with "personal" rule
    - no alerts for Shadow Defender as the application which is automaticly allowed for every action (SD is also installed in Program Files and was involved also in this experiment)...
    - and no alerts for similar allowed processes.
    If you want to see what was happened look inside log file.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,788
    Location:
    The Netherlands
    Because most ransomware makes use of process hollowing, and use trusted system apps like explorer.exe or svchost.exe to encrypt files. If ransomware directly encrypts files, then only files inside protected folder are safe. But you can't blame SS, since it is not designed to tackle ransomware.

    I didn't understand everything you wrote, but I have basically protected a couple of sub-folders, they are all marked as "Personal". But are you saying that SS will automatically block file modifications to system folders like C:\Windows and C:\Program Files?
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,788
    Location:
    The Netherlands
  8. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    One of the things I'm having trouble with is printing via a wifi printer. When SS Firewall is active nothing can print, and I don't even get any log entries about it. But with it disabled I can print just fine.

    Any ideas on what I might try to resolve this?
     
  9. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Does it work if you set all your "Blocked" Firewall zones to "Undefined"? If so, then figure out which one it is, when you find which it is, look through it and evaluate if you understand why it's happening, if "ICMP" traffic is enabled for the rule, then try disabling that and see if it works.

    Coming from Comodo Firewall, I must say that how a lot of things is done in SpyShelter is really confusing, it could have been made both more customisable and more (to me) logical. There's even undocumented limitations, for example regarding ICMP, if you have a rule regarding inbound traffic and you enable the ICMP option, then it's enabled for both inbound and outbound traffic and regardless of IP etc.. at least that's what I understood from Support and it seems to be right but it could have been somewhat different so don't take that as a fact.. *shrugs* My point is, a lot of things in SpyShelter could have been designed in a better way, according to me.
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,484
    okay, but SS functions also as an anti-executable, right? So an unknown file can't even execute in the first place. How does the malicious file ever get to the stage of injecting code, etc, if you blocked its execution?
    I must be missing an important point here. Perhaps SS only does default/deny on exe files, but not on scripts?
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    Realy?...hmmm...i thought I've wrote my explanation quite clear and understandable...the main goal was - if you make rule for main folder with some objects inside you don't need to set single rules for such single object - the object inherits just main rule ("general" or "personal"). So that's the reason that you saw an alerts about Firofox's folder modification eventhough you didn't make rule for it.
    About automatic blocking of modifications in Windows and Program Files...I didn't tested such option because I more focused on protection of my private data on non-system disks than system with aplication - for this purpose I just have Keriver which enable me to recover clean state. But I think in protection of Windows/Program Files folders main rule is how are the rules for specific process in "Rules" module...
    - processes allowed to "everything" are not presented in alerts about folders/files modification (like SD in my example)
    - processes allowed to read/write/modify are presented when they try to access/modify protected content
    - unknown processes or unknown action of known processes are also presented in alerts...but if enable feature "Auto-block suspicious behaviour" they are perhaps automaticaly added to black list and blocked.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,788
    Location:
    The Netherlands
    The point is that HIPS is meant to be the last line of defense. So of course, when you run/execute some app, you have made sure it is probably clean, by scanning it with AV/Cloud AV and by downloading it from a trusted source. But you can't be 100% sure that the file is actually clean, so with HIPS you can monitor apps for abnormal/suspicious behavior. If you want to rely only on some AV, then you don't need HIPS.

    So you're saying that if I protect C:\Program Files\NoVirusThanks, then all folders of C:\Program Files are protected?
     
  13. What about programs like Smartscreen (sadly only for downloaded programs), Avast Hardened mode, WSA (seen by the community feature) when the fingerprint matches a known good program in the cloud whitelist?
     
  14. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    No...I said
    if you make rule for main folder - it means Program Files
    with some objects inside - e.g. NoVirusThanks folder
    you don't need to set single rules for such single object - NVT folder
    the object inherits just main rule ("general" or "personal") - rule for Program Files folder.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,788
    Location:
    The Netherlands
    The things that you mentioned all have got nothing to do with behavior blocking. The truly paranoid will never rely only on AV related technologies, and that was my point. Back in 2003, I started reading about how easy it was to bypass AV's, so that's why I started messing around with tools like Process Guard and System Safety Monitor. Without HIPS/behavior blocking I don't feel safe, and don't forget it can also be used to block annoying/risky behavior of legit apps.

    OK, I see. I do think this feature needs to be improved a bit, and should be more visible in the GUI.
     
  16. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,599
    Location:
    North Carolina, USA

    Attached Files:

    Last edited: Jan 5, 2017
  18. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    402
    Location:
    router
    thanks for heads up.

    detail
    https://www.spyshelter.com/blog/spyshelter-10-9-released/
     
    Last edited: Jan 5, 2017
  19. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,599
    Location:
    North Carolina, USA
    Hello co22,

    You are most welcome ;) ...
    I see the site is no longer in "Maintenance mode", so thanks for posting the changelog :thumb: ...
     
  20. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    402
    Location:
    router
    you are welcome too
    plus seems they forgot upload screenshot :)
    edit:they upload now thank you
     
    Last edited: Jan 5, 2017
  21. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    402
    Location:
    router
    now its alert when you have custom protected key
     
  22. nptphoto

    nptphoto Registered Member

    Joined:
    Jan 10, 2017
    Posts:
    1
    Location:
    New York City
    In searching for a resolution to a problem I have encountered with SpyShelter (SS), Keepass (KP) AtuoType and AutoHotKey (AHK). I found this forum with a poster who is having the same problem. Post #783.

    I have been in contact with SS Helpdesk with no resolve yet. Here is what I have found and can verify on my PC.

    1. Both KP and AHK (it does auto typing from a script) exhibit the exact behavior, so it seems to be a SS bug.

    2. When the problem occurs, only the top row of characters of the keyboard get scrambled. Specifically, only 1234567890 and !@#$%^&*(). All other letters, punctuation, brackets and other symbols such as `~-=+\|/? are not effected.

    3. Both KP and AHK will work as long as you do not use the keyboard.

    4.Once you type something, then the scrambling starts. Launch KP → launch Notepad → invoke Autotype and numbers and shift/numbers are correct in Notepad. Now use the keyboard to type something while in Notepad and invoke KP Autotype and numbers are scrambled. You can also do the same procedure with AHK. A simple script that outputs numbers and shift/numbers will do.

    5. When typing to cause the error, you must type in the app. If you open Notepad and then use the keyboard to type outside the focus of Notepad, the error will not happen.

    6. If you close and reopen the app that received the auto type (e.g. you don’t have to close KP), the numbers and shift/numbers are injected correctly again.

    7.The problem does not follow from app to app. Open an instance of Notepad and do the procedure until the error occurs. Then open a separate instance of Notepad and injected characters will be correct until you type in that instance of Notepad.

    SS Helpdesk said “You would have to add your browser's executable to Process Filter exceptions to make these programs compatible (for example, if you use Google Chrome, adding chrome.exe to Process Filter exceptions make AutoType work correctly)”.
    . So the questions are:

    1. Why are keystrokes 1234567890!@#$%^&*() handled differently than all the other keystrokes
    2. Why do both auto typing programs work fine until you use the keyboard
    3. Do I have to add all targets of auto typing (Firefox, Chrome, IE, Notepad, Wordpad, OpenOffice etc) to the exclusion list. Might as well turn it off.

    It would be nice to know if anyone could verify my observations.

    If the Helpdesk gets back to me, I’ll let you know.
     
  23. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    I just discovered what I think is a huge negative for SSF. It seems there's no way to print from an application that's running as restricted!. You cannot even add c:\windows\system32\spooler\printers to the write list because it doesn't show up as an option when you try to add it from the list.

    That sucks!
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,788
    Location:
    The Netherlands
    This feature needs to be improved a lot, it's also annoying when you can't easily save files. I currently do run Vivaldi restricted with SS because SBIE seems to make Vivaldi slower on my system.
     
  25. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    The interesting thing is that it seems the support staff was unaware of this issue at all. I opened a ticket. Here was my response:

    That was a rude response, and one that shows a lot about the attitude of the company. I suggest everyone look elsewhere.
     
    Last edited: Jan 31, 2017
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.