SpyShelter 11

Discussion in 'other anti-malware software' started by puff-m-d, Apr 17, 2018.

  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,245
    Location:
    Hawaii
    Got it, shmu. Thanks
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,366
    Location:
    Europe then Asia
    @bellgamin

    Note that @cruelsister ' comodo settings emphasize the use of its auto-sandbox and sandbox rather than the HIPS which is disabled (aka sleep mode, will kick-in if nothing else kicked-in).

    videos and comments.

    https://malwaretips.com/threads/comodo-firewall-cruelsister-variation.80383/

    https://malwaretips.com/threads/comodo-firewall-setup-an-addendum.80620/page-3#post-718181

    the comodo section at malwaretips is quite furnished , you may take a look.

    https://malwaretips.com/forums/comodo.46/
     
    Last edited: Jun 18, 2018
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,793
    Location:
    Poland - Cracow
    Yes...I agree with you...SS is not designed as anti-exe and such features aren't officialy documented... they are just the result of users inspirations and individual researches. SS+ERP combo was used long time on my XP and Vista - it was quite easy to manage and use.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,197
    @bellgamin: Umbra made a good point here. Your original quest was to compare one firewall/HIPS to another firewall/HIPS, but I answered you with a curve ball, as @CS config is not HIPS.
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,245
    Location:
    Hawaii
    Yup, I knew cruel sister she no likee HIPS. But remember... if no HIPS, pretty soon pants fall down. :eek:
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,425
    Location:
    Paris
    Hi Bellgamin! Actually that isn't the case. A few years ago there was a certain malware that acted in a certain way where the HIPS was of value. But since this mechanism was pointed out to Comodo this hole was filled; in addition (although Comodo for whatever reason did not take credit for it) the sandbox (especially at my setting) was made more restrictive. So currently if one uses preferred settings the HIPS (if it reacts at all) will just alert to things running in VTRoot (containment).

    As I personally use CF I tend to test it more vigorously than other products- and trust me, I can be rather nasty. To date I see no advantage to activating the HIPS with Containment at the Restrictive level.

    ps- in the past 10 days I was sent a couple of very, very fresh malware samples- one an H-worm, and the other some rootkit adware junk; both being at the time FUD. They were both nonetheless blown off by CF- both contained and eventually deleted. I was hoping for some infection excitement, but once again came away disappointed.
     
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,793
    Location:
    Poland - Cracow
    And YOU can fall down :argh:
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,245
    Location:
    Hawaii
    And aloha to you! I learned from your post. I always do. My main security is daily imaging with AOMEI, but I always have enjoyed tinkering with HIPS. When one is retired & a widower, a HIPS pop-up can be the highlight of the day.

    I miss Online Armor, System Safety Monitor, & their ilk. Right now I have fallen back to an old abandonware pal called Private Firewall. PFW's HIPS gives me a satisfactory number of daily pop-ups. I wish I could find something with HIPS, more up to date, but not Commode-o or SpyShelter.

    Please give it to me straight -- is PFW so outdated as to be a totally useless bit of flotsam, jetsam, & lagan?
     
    Last edited: Jun 19, 2018
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,197
    Try ESET in proactive mode (or whatever they call it). It has a good and customizable HIPS.
    Or give Comodo one last chance. If you install it without AV, by default it will be in "Firewall" config, which gives you HIPS without autosandbox.
    If you switch to "Proactive" config, you get a stronger HIPS, and you can disable the autosandbox and other annoying features as you wish.
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,245
    Location:
    Hawaii
    @ shmu26 -- Much grateful for your suggestions. You have convinced to give Commode-o another try. It sure comes with a lot of baggage, though. As for Eset, I have heard lots of good things about it but I no longer use any antivirus. FW+HIPS is my goal, nada mas.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,197
    Glad I could help. Comodo has improved over the years.
    I recommend to disable Virusscope and Web filtering, and maybe also untick the option that you see as unticked in the screenshot:
    Capture.PNG
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,366
    Location:
    Europe then Asia
    no way !
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,197
    Well, we are totally off-topic anyways, so I would suggest that anyone interested in discussing the relative value of various Comodo components should do so in another thread. :)
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,364
    Location:
    The Netherlands
    Do you also agree with my other comments in the other SS thread, because you didn't respond to those. I was hoping you could bring it to the attention of the developers.

    https://www.wilderssecurity.com/threads/spyshelter-10.378379/page-43#post-2761684
    https://www.wilderssecurity.com/threads/spyshelter-10.378379/page-43#post-2761685
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,364
    Location:
    The Netherlands
    No I don't see, because like I said, I don't use certain features in SS, like anti-exe, the sandbox and firewall, because they don't work in the way I want them to. For example, there is no way to white-list and exclude certain folders with anti-exe. There is no way to auto-block outbound connections and the sandbox doesn't make use of virtualization. So that's why I had to complement SS with other tools.
     
  16. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,366
    Location:
    Europe then Asia
    so just the HIPS?

    you would be better with Comodo then.
     
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,793
    Location:
    Poland - Cracow
    Sorry for that...I forgot about it because it's in other thread about older version. I wil read this one more time and try give some answer.
    At this time maybe such disscus would be interesting due to observations of feature "Auto-block suspicious behaviour" especialy coonected to action type #48 and 50
    https://malwaretips.com/threads/does-oneself-really-need-an-antivirus.83648/page-4
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,364
    Location:
    The Netherlands
    Yes just the HIPS, all other components aren't good enough, so no overlap. I do use the firewall to block certain domain-names. And I never liked Comodo, too chatty but the auto-sandbox does look interesting.

    Yes, please do so, let's try to make SS better. Auto blocking should be possible, even DR Web Katana (which is pretty bad) offers this. And the ActionType should be in text.
     
  19. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,366
    Location:
    Europe then Asia
    i managed to make the HIPS set as paranoid almost quiet, you just need to juggle a bit with the settings and makes your own rules.
     
  20. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    30
    @Rasheed187 Maybe "autoblock suspicious behavier" under settings combined with "auto allow high security level" or "ask user" will do what you want?
    More os less guessing to be honest. I only remember the auto blocking was not what i liked ages ago and soon get rid of it.
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,793
    Location:
    Poland - Cracow
    OK...I'll try to follow step by step and give some answers...if only I can do this
    - you can allways block all connections by marking network as "blocked" (left MB) or ocasionaly using the command "block network traffic" from try icon (right MB)
    - you can prepare group rule that will block outgoing or/and incomming connection and than use it for needed single apps or processes
    - if you want to block network access for specific folder I think it's enough to add that folder to restricted...file that can't be launched can't make connection also but It's appeares me that earlier rules will be still valid
    - as regards network monitor and active coonections - you mean the list like this?
    180702111526_2.jpg
    - if we are talking about services...I think there is a some messleading with this because SS can detect services and its actions, and it can prepare specific rule for needed services...I think screenshots below show such things
    Panorama.jpg
    180702112905_4.jpg
     
  22. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,571
    Location:
    Location Unknown
    I know it's possible, after detecting or manually entering network zones, to completely block one yet allow another. In my case, I can block my local connection (192.168.x.x) while allowing my VPN (10.x.x.x). But I don't know how this is achieved. I thought that the zones dictate the rules before they are created, but this doesn't seem to be the case as al the rules I have either allow or deny something to pass, regardless of zone.

    Any ideas how to achieve this?
     
  23. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,793
    Location:
    Poland - Cracow
    I think the easiest way is to find connection to such IP - you can do this on "Network activity" tab (Firewall) checking listed "svchost.exe" entries. Than from RBM you block needed one what gives you new line in "Network zone" tab - an example from my system below
    180703124056_1.jpg
    180703124119_2.jpg
    180703124202_3.jpg
     
  24. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    357
    Location:
    router
    not tested latest version
    but for example with Malwarebytes Anti-Exploit service last try
    it does not prompt for some action 54 or 48 or 50
    and not show it in network activity tab too
    and even with manual rule creation still can check for update itself
    maybe fixed not sure
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,245
    Location:
    Hawaii
    Does SSF require a restart during installation?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.