SpyShelter 11

Discussion in 'other anti-malware software' started by puff-m-d, Apr 17, 2018.

  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,910
    Location:
    Poland - Cracow
    No...it doesn't, but according to the screenshots below it can detect a lot of suspicious actions that can warn the user that something in the system is going wrong. You can find actions about trying to use DNS, network connections and manipulation of specific system files connected with network management.
    This test was made using the original sample of the malware mentioned by Rasheed.
    Panorama_dns change.jpg
     
  2. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    212
    Location:
    USA
    For sure. I mentioned that somewhat in passing in my post 224 replying to 222 on the previous page nine.

    Other than the interesting "Anti-NetworkSpy" actions 33 & 34, "setting hook to monitor network requests" and "accessing to raw socket," I don't rely on SpyShelter for the network side of things. In comparing the both superb Premium vs Firewall versions, I determined the former a better fit in my layered scheme, avoiding redundancy and possible conflicts.

    Thanks for all the testing you do!
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,024
    Location:
    The Netherlands
    Correct, it's not advertised but it's the job of any HIPS to monitor stuff that could be used in attacks. So that's why I call it a flaw.

    It would be handy if those screenshots were bigger. And from what I've seen, those alerts are about common stuff, nothing special. What would catch my attention is if I saw it changing my DNS settings.

    No, this won't help. Actually, this is the dumbest thing you can monitor, because just about every app that connects out will trigger this alert. So you will always get two alerts, I've turned it off.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    33,301
    SpyShelter v11.9 Released (September 17, 2019)
    Announcement
    Download
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,024
    Location:
    The Netherlands
    You know what I've always wondered about? Keyloggers can often also monitor what websites are visited, but how do they do this? I suppose they need to inject code into the browser for this? And I also wonder how these apps can hide from the Win Task Manager. Would be interesting to know if SS can stop this.

    http://thinkertec.com
     
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,910
    Location:
    Poland - Cracow
    Haha :)...another riddle? OK...in fact it's interesting so I'll try to check what will happen and how SS will react.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,024
    Location:
    The Netherlands
    OK thanks in advance. Like I said, AFAIK you need to use some form of code injection in order to hide from the Win Task Manager, and I wonder how keyloggers record websites visited. Perhaps they try to get access to browser history data? I don't have a clue.
     
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,910
    Location:
    Poland - Cracow
    Due to the new version 12 I want to repeat my test. @Rasheed187 please wait patiently :)
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,024
    Location:
    The Netherlands
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,910
    Location:
    Poland - Cracow
    OK Rasheed...I'll ask, but at this time I'm still not ready with the test mentioned above...sorry. I'm ill and lying in bed and can't focus on a bit more complicated things except watching TV or reading the internet :)
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,910
    Location:
    Poland - Cracow
    Hi all...probably I'm ready to show the results of the test of SpyShelter's detection that was mentioned a few posts above. The "threat" was a logger-app called SpyPal...and I can say it's a fairly smart app :) In the margin...sorry for the long time preparing, but it was due to my personal problems and then to necessary modifications of the SS v.12 instance on my wife's laptop (it has a specific setup). Alright, let's start:
    * The base - Win 8.1 in Shadow Mode (SD), SS FW 12 on "ask user level", no action is automatically allowed and nothing is automatically blocked, log tab is empty.
    * The beginning of installation and the first detected action is modification of the system file Wermgr.exe, which is very smart but can also be suspicious according to such an explanation

    https://appuals.com/what-is-wermgr-exe/
    191102103832_1.jpg

    * Then we have privilege elevation (as I think) and system folders and files modification - changing registry and ActiveX registration
    Panorama_SP inst.jpg

    * So...finally we have already installed "spy" in our system :)
    * The next step of its actions is modification of the system (autostart, services)
    Panorama_SP serv.jpg
    and important for logger's work - modification of Firefox
    Panorama_SP Firefox.jpg
    As we can see, SpyPal forces Firefox not only to make an internet connection but to use it to read the keyboard, install a hook and open the process pingsender.exe. It can be important as regards Rasheed's question about logging of internet pages and their history.
    More info here
    https://www.ghacks.net/2017/10/14/what-is-pingsender-exe-on-windows/
    The word "second" can be important so that's why...I think...SpyPal needs to deal with taskkill.exe
    191102104625_25.jpg
    * In this context such detected actions are obviously trivial :)
    Panorama_SP logging.jpg
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,623
    So it looks like SpyShelter fared well in your test ichito.
     
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,910
    Location:
    Poland - Cracow
    Yes...I think so. It seems that SS can properly detect all actions vital for spying apps and the system modifications they need. It's important due to similar...or even the same...tricks used by the real threats.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,024
    Location:
    The Netherlands
    Thanks for the test. :thumb:

    Seems like this SpyPal keylogger is indeed quite advanced. And seems like SS gives enough alerts to let you know something might be wrong. But I'm guessing that SpyPal uses the "global hooking" method to monitor Firefox. However, it's not clear to me how it tries to hide from Win Task Manager.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,024
    Location:
    The Netherlands
    BTW, about the Raccoon password stealer, you should scroll to the Stealing browser information part, it seems to scan the registry in order to steal data. AFAIK, SS doesn't protect these registry keys. This is a feature that needs to be added.

    https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block
     
  16. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    613
    Location:
    USA
    Hey guys, admittedly I haven't read through this entire thread so I may be asking something that's already been addressed. If so, please indulge me...

    Does SpyShelter Free 'play well' with Windows Firewall and Windows Defender?
    Also, is SS Free's HIPS very 'noisy' (i.e., 'chatty')?
     
    Last edited: Nov 7, 2019
  17. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    212
    Location:
    USA
    The version 11 Free was discontinued a long ways back.
    The new SpyShelter Free was released as version 12. There's more information in that thread.
    https://www.wilderssecurity.com/threads/spyshelter-12.422366/
     
  18. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    613
    Location:
    USA
    @Surt, thanks for the link - looks like it got buried further down!
     