SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,363
    Location:
    Germany
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
    Finally after all these years they have implemented this. But they forgot to do the same with the Logging tab. Potentially SS could have been the best HIPS, but it still has too many annoyances.

    Have you already tested this feature, does it now work correctly? And I also wonder how exactly this excluding feature works, for example if you exclude a process will it not be monitored anymore? Or will it not be able to modify network hooks (used by banking trojans) inside browser memory?
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
    I've used it with MBAE without any problems, and as long as you mark the other tools as trusted (Allow all actions) I expect it will work just fine.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,621
    Location:
    USA
    Sorry, I have not tried the feature yet. I will not have time to test it for at least a week from now.
     
  5. hjlbx

    hjlbx Guest

    @Rasheed187 I agree with you completely.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,621
    Location:
    USA
    In my testing it does not inject into processes, and this seems to limit it's protection. Online Armor easily blocks Surfrigh'ts test tool from launching calc.exe, logging keystrokes, etc. I tested SpyShelter in Ask User Mode, and calc.exe successfully launched uncontested in all test. I did not test SpyShelter against the logging test. I emailed SpyShelter about this about 3 weeks ago, and they informed me SpyShelter prevented calc.exe from launching on their machine. I'm not sure how that is possible since I tested SpyShelter against these test twice in the past, and got the same results. SpyShelter wants me to test again, and send logs from Microsoft's autoruns application. I just have not had the time to do this. I recently had 2 hard drives that failed, and it's taking a lot of my time recovering my data.
     
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,964
    Location:
    Poland - Cracow
    SS does this job properly on my Vista so probably the fail is elsewhere on your side...that's are results of my own test
    - run calc.exe
    calc 1.jpg calc 2.jpg
    - action of loggers
    keybord.jpg screenshot.jpg webcam.jpg
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,621
    Location:
    USA
    I think there's a good possibility of a bug somewhere in SpyShelter. I switched SpyShelter's default settings to Ask User right before testing. Maybe SpyShelter is not switching modes. I did use an older build of SpyShelter though. Several more builds have been released since I conducted that test. I did not have any other security software installed when I tested. Online Armor passed the test on the same machine. I will record the test the next time I have time to conduct it.

    Edited 11/9 @4:04
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Do this.

    Open your browser first before doing any of the Surfright exploit tests. Then execute each test.

    I have explained this a couple of times. What the test tool does is open a browser "stub" spawned process under it's own process. The stub runs so fast that any type of network driver filtering is not properly established. With your browser open, the "stub" instance launched by the test tool will be located under the browser main process that has established network connectivity. You can view all this activity using Process Explorer/Hacker.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,621
    Location:
    USA
    I did not have to do this for Online Armor.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    It all depends on where the protection is located and how it is done. Online Armor hooks processes and it's dll is doing the monitoring. I suspect it immediate set a hook in the test tool the minute it started execution.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,621
    Location:
    USA
    Online Armor injects into all processes; well probably 99.5% of all processes. I checked all of mine out of boredom over the last few years I used OA. I think I remember finding 1 that OA did not inject into. I want to say it was a security application, but I can't remember for sure. I would say it was intentionally done for compatibility purposes.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,621
    Location:
    USA
    SpyShelter was not injecting into any processes I could find on my machine. Does it inject into any processes on your machine?
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    I don't use SpyShelter so I can't help you. I suspect it uses a driver filter that is part of the network adapter. Check your network connection for same.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
    No it doesn't, it uses the driver for all the monitoring, but this is not a bad thing, injecting code can cause compatibility problems. Perhaps that's why SS is quite stable.

    Yes, it's very frustrating, weird that no one has complained about this earlier. The ability to see what exactly is blocked or allowed, instead of displaying only "Action Type" is basic functionality, come on now.
     
    Last edited: Nov 10, 2015
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,621
    Location:
    USA
    I think using a driver would be a better method as long as it can accomplish the same objective as process injection. The problem i'm having is SpyShelter has not been reliable on the two machines I have tested on. It makes me believe there is a bug somewhere. SpyShelter is just allowing executions in Ask User Mode instead of prompting me. I did not have any other real-time security software installed when testing. There has been several builds released since I last tested though.

    That is a very good point. I didn't think to report that with the other issues I have reported.
     
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,964
    Location:
    Poland - Cracow
    SS has its own internal signers database (in 2011 it was ca 10000 entries) that can't be managed by user - perhaps that is (one of) the reason that some decision of SS are automatic. As I remember the same was in OA which have also its own database but in cloud (AM-N...earlier OASIS).

    @
    Rasheed
    The new faetaure - "alternative view" gives you additional comment so it's easier to know what was created. I think too much info is just a "noise" and when we want to know much more we can just use tools like Tiny Watcher. We can use also other apps instead of SS or additionaly - I mean ThreatFire that gives a lot detailed information in its pop-ups (files, folders, registry entries) :)
     
    Last edited: Nov 11, 2015
  18. hjlbx

    hjlbx Guest

    @Rasheed187

    This is just my opinion... I think SpyShelter makes good products, but the user interfaces are clunky, clumsy and tedious.

    Now NVT ERP - that is example of a good user interface... simple, easy to learn, easy to use, useful infos that are needed, etc.
     
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,964
    Location:
    Poland - Cracow
    And this is my also privat opinion...if we start talking and judging app according to its interface, the discuss is starting to be worthless.
     
    Last edited: Nov 11, 2015
  20. ald4r1s

    ald4r1s Registered Member

    Joined:
    Apr 8, 2013
    Posts:
    53
    Just tested with W10x64 Pro, all actions were detected in default installation settings and in Ask User mode. Perhaps try cleaning your rules, restart your PC and perform the test again?
    What happened to me once: Windows Defender crippled my SPS installation (after updating to new version), because it considered SPS to be malicious.
    So another thing I can suggest is disabling Windows Defender and reinstalling SpyShelter.
    Oh and old builds didn't work with Windows 10...SpyShelter 10+ works with Windows 10. If you tested older versions then they could not possibly work.

    SPS GUI is still better than those pseudo-futuristic-hackerlike-interfaces. It could use some usability upgrades but to be honest, I open the GUI like once a month if i block something legitimate, so it doesn't really bother me.

    http://core0.staticworld.net/images/article/2013/01/bitdefender_screen-100023083-large.jpg
     
  21. hjlbx

    hjlbx Guest

    That is not how security soft industry standards work... usability is equal in importance to protection. You can have a soft that protects 100 % against any and all known threats. However, if the user interface is difficult for typical user, then few people will use it.

    A primary reason why SpyShelter is not popular\widely used is the interface and the way information is presented to the user.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,964
    Location:
    Poland - Cracow
    @hjlbx
    SS is the specific and rather advanced tool with features and options which are for mostly users not understandable and by this not interesting...is a tool for specific range of protection and many users don't feel the needs to have aplication for detection of logger actions, for keystroke encryption or file/folders restrictions. Interface?...it depends of what people like and what is nice for his eyes...I don't want to speak about it becouse "de gustibus non est disputandum" :)
    BTW...where you see differences between interface of ERP and SS...are quite equal and based on the same model...where ERP is better?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
    I didn't know about this, will "ask user" disable this feature?

    Don't get me wrong, SS has got a nice looking GUI, and I applaud them for adding this feature, but they should have done this years ago. Like I said, they need to do the same with the "log window", how hard is it to figure this out for the developers? It's these kind of details that annoy the hell out of me. But anyway, I have also got some other issues on my system, so for now I'm done with SS.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
    Yes I agree, as a long time HIPS user I can say that it's not good enough. But SS is not on its own, take a look at Zemana and Private Firewall for example, they are also horrible when it comes to this. SS is way better, it just needs some polishing.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
    Yes I believe it can, other HIPS that I used in the past also didn't inject code into every process. I think you're experiencing some type of bug, I'm not sure why SS behaves this on your system.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.