SpyShelter 11

Discussion in 'other anti-malware software' started by puff-m-d, Apr 17, 2018.

  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    No...it oesn't but accoring to screenshots below it can detect a lot of suspicious action that can warn user that something in system is going wrong. You can find actions about trying using DNS, network connections and manipulation of specific system files connected with network management.
    This test was made using original sample of malware mentioned by Rasheed
    Panorama_dns change.jpg
     
  2. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    319
    Location:
    USA
    For sure. I mentioned that somewhat in passing in my post 224 replying to 222 on the previous page nine.

    Other than the interesting "Anti-NetworkSpy" actions 33 & 34, "setting hook to monitor network requests" and "accessing to raw socket," I don't rely on SpyShelter for the network side of things. In comparing the both superb Premium vs Firewall versions, I determined the former a better fit in my layered scheme, avoiding redundancy and possible conflicts.

    Thanks for all the testing you do!
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    Correct, it's not advertised but it's the job of any HIPS to monitor stuff that could be used in attacks. So that's why I call it a flaw.

    It would be handy if those screenshots were bigger. And from what I've seen, those alerts are about common stuff, nothing special. What would catch my attention is if I saw it changing my DNS settings.

    No, this won't help. Actually, this the dumbest thing you can monitor, because just about every app that connects out will trigger this alert. So you will always get two alerts, I've turned it off.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,218
    SpyShelter v11.9 Released (September 17, 2019)
    Announcement
    Download
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    You know what I've always wondered about? Keyloggers can often also monitor what websites are visited, but how do they do this? I suppose they need to inject code into the browser for this? And I also wonder how these apps can hide from the Win Task Manager. Would be interesting to know if SS can stop this.

    http://thinkertec.com
     
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    Haha :)...another riddle? OK...in fact it's interresting so I'll try check what will happened and how SS will react.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    OK thanks in advance. Like I said, AFAIK you need to use some form of code injection in order to hide from the Win Task Manager, and I wonder how keyloggers record websites visited. Perhaps they try to get access to browser history data? I don't have a clue.
     
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    Due to new 12. version I want to repeat my test. @Rasheed187 please wait patient :)
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    OK Rasheed...I'll ask but at this time I'm still not ready with test mentioned above...sorry. I'm ill and lying in the bed and can't focus on a bitmore complicated things except watching TV or reading internet :)
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    Hi all...probably I'm ready to show results of test of SyShelter's detection that was mentioned few posts above. The "threat" was logger-app called SpyPal...and I can say it's fairly smart app :) In the margin...sorry for a long time preparing but it was due to my personal problems and than for necessary modifications of SS v.12 instance on my wife's laptop (it has specific setup). Alright, let's start:
    * The base - Win 8.1 in Shadow Mode (SD), SS FW 12 on "ask user level", no action is automaticaly allowed and nothing is autmaticaly blocked, log tab is empty.
    * The beginning of installation and first detected action is modification of system file Wermgr.exe what is very smart bu can be also suspicious according such explanation

    https://appuals.com/what-is-wermgr-exe/
    191102103832_1.jpg

    * Than we have privileges elevating (as I think) and system folders and files modification - changing registry and ActiveX registration
    Panorama_SP inst.jpg

    * So...finally we have already installed "spy" in our system :)
    * The next step of its actions are modification of system (autostart, services)
    Panorama_SP serv.jpg
    and important for logger's work - modification of Firefox
    Panorama_SP Firefox.jpg
    As we can see SpyPal's forces Firefox not only to make internet connection but use it to read keyboard, install hook and open process pingsender.exe. It can be important as regards to Rasheed's question about logging of internet pages and its history
    More info here
    https://www.ghacks.net/2017/10/14/what-is-pingsender-exe-on-windows/
    The word "second " can be important so that's why...I think...SpyPal needs to deal with taskkil.exe
    191102104625_25.jpg
    * In this context such detected actions are obviously trivial :)
    Panorama_SP logging.jpg
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,685
    So it looks like Spyshelter faired well in your test ichito.
     
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    Yes...I think so. It seems tha SS can properly detect all vital (for spying apps) actions and needed for them systems modifications. It's important due to similar...or even the same...tricks used by the real threats.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    Thanks for the test. :thumb:

    Seems like this SpyPal keylogger is indeed quite advanced. And seems like SS gives enough alerts to let you know something might be wrong. But I'm guessing that SpyPal uses the "global hooking" method to monitor Firefox. However, it's not clear to me how it tries to hide from Win Task Manager.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    BTW, about the Raccoon password stealer, you should scroll to the Stealing browser information part, it seems to scan the registry in order to steal data. AFAIK, SS doesn't protect these registry keys. This is a feature that needs to be added.

    https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block
     
  16. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    632
    Location:
    USA
    Hey guys, admittedly I haven't read through this entire thread so I may be asking something that's already been addressed. If so, please indulge me...

    Does SpyShelter Free 'play well' with Windows Firewall and Windows Defender?
    Also, is SS Free's HIPS very 'noisy' (i.e., 'chatty')?
     
    Last edited: Nov 7, 2019
  17. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    319
    Location:
    USA
    The version 11 Free was discontinued a long ways back.
    The new SpyShelter Free was released as version 12. There's more information in that thread.
    https://www.wilderssecurity.com/threads/spyshelter-12.422366/
     
  18. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    632
    Location:
    USA
    @Surt, thanks for the link - looks like it got buried further down!
     
  19. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    @ichito or someone else

    any idea what these modifications represent or should be allowed or denied? In BCD 0 UEFI, process started by taskhostw.exe , it happens often and out of the blue
     

    Attached Files:

  20. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    btw why the spy shelter try icon keeps disappearing, I can;t access GUi as well even though spy shelter is working
    it works fine after install then it break again
     
  21. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    401
    Location:
    router
    in windows 8.1 there is no taskhostw.exe but if its legit windows file then allow it and second screenshot seems apperr after that and belong to that so safe to allow.
    these happen sometimes to me logoff or restart bring it back and not sure why
    or if these option enabled Allow terminating Spyshelter via Task Manager you can restart it via taskmgr
     
  22. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    87
    Location:
    Ireland
    What else do you have with SpyShelter?
     
  23. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    any idea what this might mean? and whether I should allow or not, if I disallow chrome, I can't use chrome, I am getting it today it wants UDP out and in, it's doing that on any app
     

    Attached Files:

    Last edited: Apr 18, 2021
  24. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    they are about language synching (between hosts or apps? SettingSync routine), the process is at log off log in routine by default, it can be disabled


    what registry settings , I should be able to block them with registry guard
     
    Last edited: May 11, 2021
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    That's the thing, I don't know which registry keys to monitor, that's why SpyShelter should have offered this feature. The developers really dropped the ball when it comes to this.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.