SpyShelter 10

Discussion in 'other anti-malware software' started by Mops21, Jul 30, 2015.

  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,974
    Location:
    Poland - Cracow
    Honestly?...I don't know how exactly it works...I think I remember some events when an action on "ask user" level was done automatically, but it was connected more with the run/installation of an app than with the action of a logger/system modifications.
    The reason to build...I think...such a huge database was to avoid "false positives", whatever that means. It was mentioned in the changelog a few years ago...quotes from changelogs

    So...it can mean that the developer wanted to make the life of the user easier and make SS more automatic in its decisions; however, talking about "false alerts/positives" in the HIPS matter is a bit unjustified.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    IMO, in "ask user" mode it should monitor every app, except for trusted system applications. If they do indeed use a white-list, that would be bad stuff. The user should always have full control. Normally I run in "Allow Microsoft" mode to avoid problems.
     
  3. MGhell

    MGhell Registered Member

    Joined:
    Jul 9, 2006
    Posts:
    34
    Under "Settings" and "List of monitored actions" you have to uncheck "Auto allow the action for a component signed by a trusted signer"
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,974
    Location:
    Poland - Cracow
    https://www.spyshelter.com/blog/spyshelter-10-5-released/#more-5821
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    I always have that disabled. I will now run SS in "ask user" mode to see if it auto allows certain actions. BTW, I noticed that in the status-bar you can see what action is allowed or blocked, but like said before, that should be a separate column in both the rules and logging tab, this would make it possible to sort on allowed or blocked actions, to get a quick overview.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    BTW, I found another problem with SS, if you allow "opening process or thread for modify access", then that app will automatically be allowed to modify memory of other processes. So it seems like action type 29 and 40 are handled the same.
     
  7. biscuits

    biscuits Registered Member

    Joined:
    Feb 16, 2010
    Posts:
    112
    You could see what the "action type" means at the bottommost toolbar in both the Rules and Log Window tabs.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,527
    I just installed SpyShelter Free on Windows 10 Pro x64 with the Nov update.
    My AV is Webroot.
    Question: what other security products can I run with SpyShelter Free?
    What about:
    Malwarebytes Anti-Exploit
    VoodooShield
    Crystal Security
    GlassWire
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,527
    SpyShelter Free
    Windows 10 Pro x64
    I checked the clipboard protection, and it doesn't pass its own test.
    Whatever I copy to the clipboard appears in the test window.
    Maybe it is because when the test exe file started up, SpyShelter asked for permission, and I gave it.
     
    Last edited: Nov 24, 2015
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Yes I know, but this should have been a separate column, like I said. This way you get a quick overview, without having to click on each event or rule.

    I didn't have any problems with MBAE, and I suspect that it will also not conflict with the other tools, because they are all not HIPS.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    I have been testing this, and it looks like in "ask user" mode it will only white-list crucial system applications, but will indeed alert about other "Microsoft signed" tools, so this is a good thing. BTW, I also checked out the new data protection feature, it seems to work as advertised, it's a nice extra protection against ransomware.
     
  12. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,294
    Location:
    Québec, Canada
    Trying SS Firewall right now.
    It opens popups with Chrome. They say it blocks hooks from being created.
    When I open a new tab for instance.
    (ActionType 33)
    What's that?
     
  13. guest

    guest Guest

    What other security programs are you using? MBAE, WSA maybe?
     
  14. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,294
    Location:
    Québec, Canada
  15. guest

    guest Guest

    If you disable MBAE you won't have those popups. There is as well an option to hide them without excluding a process
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Can you perhaps tell which app you added to the "excluded processes"? Because if you added Chrome, then you basically disabled protection against banking trojans that are trying to hijack the browser, so it wouldn't be logical. Or did you add MBAE to the exclusions? Another option would be to disable tool-tips for network hooks.
     
  17. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,294
    Location:
    Québec, Canada
    Like I wrote above, it was uninstalled so it's a moot point now.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    I understand this, but it would be interesting to know how you made it shut up, because if the only way was to add Chrome to the exclusions, it's basically a useless feature that has been added to SS.
     
  19. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,294
    Location:
    Québec, Canada
    Yes, I added it to the exclusions, like suggested in a post earlier in the thread.
    I agree this trick was not a real solution though.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    OK, so perhaps this feature needs to go back to the drawing board. The way it should work, is that the app that is causing the alert, in this case probably MBAE, should be added to the exclusion list, to solve possible conflicts.
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,974
    Location:
    Poland - Cracow
    Exclusion of some processes from the ANS module (rule #33) is a direct answer to users' expectations, which were mentioned about one year ago on this forum also...so I don't think it is useless :)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    You should read my post again. I'm saying that if you exclude a process, then that process should be allowed to install network hooks inside the browser. But I get the impression that currently, it doesn't work this way. It looks like if you exclude a process, it will simply not be monitored anymore, leaving it open to attack by trojans.
     
  23. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,570
    Are the default settings for SpyShelter Firewall sufficient, or is some fine tuning recommended? Also, would you recommend that Windows Firewall runs alongside SpyShelter Firewall, or disable it?
     
  24. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,294
    Location:
    Québec, Canada
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    It depends on your needs, I've disabled the monitoring of certain actions, because they are way too common. To avoid problems it's probably best to choose "Allow Microsoft", otherwise you may get alerts about normal system operations. And there is no need to turn off the Win Firewall, unless you want SS to do all the blocking.
     