SpyShelter 11

Discussion in 'other anti-malware software' started by puff-m-d, Apr 17, 2018.

  1. guest

    guest Guest

    It didn't record anything either.
    Just detecting pressed keys isn't logging.
    Keylogging means transmitting exactly what you type to the attacker.

    Anti-exe doesn't monitor drivers and DLLs (the only exception is NVT Smart Object Blocker); HIPS does.


    Default-deny isn't for beginners; users of such solutions must know how to differentiate a legit process from a suspicious one.
    Some default-deny solutions implement cloud reputation/lookup to help beginners decide, but it is not a requirement.
    That's the point of default-deny solutions; if you want a silent one, use a suite like Kaspersky which whitelists stuff for you.


    Check my point above. You are totally mistaking the purpose of two different mechanisms.

    How does malware start? Via a file being executed (LOLBins, DLLs, drivers) or a script being executed (LOLscripts).
    Your anti-exe only monitors executables... drivers and DLLs are exempt from monitoring; however, it can block later in the attack chain (if any).

    Every solution has a scope and a distinct purpose, and SpS does the one it was made for very well, as NVT ERP does as well.
    If you want all-around full system monitoring of everything, use a suite, Kaspersky or another. Single-purpose default-deny solutions obviously aren't for you.
     
    Last edited by a moderator: Jan 27, 2019
  2. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    I didn't test it much (like 15 mins?) but I do remember there was 1 DLL rule in the rules list before I wiped the rules list and disallowed everything (emptied the trusted vendors list, clicked on "ask user" and did not auto-allow anything from the security tab). I remember starting Chrome and it did not ask me to allow Chrome to read any DLLs, so I don't know how the DLL monitoring works, but Bouncer and MemProtect module filtering tell me any time a program tries to use a DLL if I set it in the config file; that did not happen with SpyShelter, but there was a DLL allow rule (I think it was from System32) in the rules list when I first opened it.

    See, that's the thing. If I get an alert about Process Explorer reading other processes' memory and trying to access them after I've run it, I'll know it's legit, and if the same happens when I run Paint, I'll know something is suspicious. But without having the source code of the process you're getting a prompt for, and without knowing the Windows 10 APIs that are used, you can't really know 100% what process should be allowed what action; you can only guess (like the Process Explorer example), or try blocking all actions and see if something's broken with the process; if not, likely the action(s) weren't needed anyway or the process was trying to do malicious stuff. Of course that implies that you're not using the internal database or auto-allowing stuff, which is less secure than you manually reviewing everything, obviously, and to me largely eliminates the purpose of using it if I'm just going to auto-allow most of the stuff.
     
  3. guest

    guest Guest

    @Floyd 57 I don't know how you tested it and if you used default settings or not... but 15 min or even an hour isn't enough to get the full picture.
    When I test a solution, I use it for a minimum of a month, like I did for ERP, OSA, ReHIPS, etc. Then I can have my own very clear ideas of the pros and cons, and whether it deserves to be on my system.

    HIPS have a purpose, which is to give abundant monitoring, the reason why I like SpS, but my favorite solution is AppGuard Enterprise (SRP).
     
    Last edited by a moderator: Jan 27, 2019
  4. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    403
    Location:
    router
    62 actions, 4 of them not revealed yet :)
    Hope to see those while we're alive :p:argh::D
     
  5. guest

    guest Guest

    I'm pretty sure I saw 66; I'm on RC 11.4.

    Edit: indeed 62.
     
  6. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    403
    Location:
    router
    The new tree view is excellent; it just needs sortable columns to view all the stuff,
    like date, action number, protection module, comment, hash.
    Just one more thing: when pressing, for example, "a" on the keyboard, it should select the component whose first letter is "a",
    like in the alternative view.
    ;)
    sshot-1.png
     
  7. guest

    guest Guest

    Yes, I like the tree view; quite explicit and easy to use.
     
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    Those 4 actions are for non-standard rules or perhaps for planned features. For sure you can get action #59 (which is not presented on the standard list) by preparing a non-standard network rule (in the advanced rules window). So we have 63 actions and the next 3 are not uncovered yet :geek:
     
  9. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    403
    Location:
    router
    :shifty:
    Action #59, it's uncovered for me yet. o_O
    But I know it's related to the network, thanks ;)
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Exactly, you need to have some knowledge about what's normal app behavior, otherwise it's pointless to use such a HIPS in ask mode. I don't see anything wrong with using the white-list unless you can't control it like in SS, so that's why I don't use it. But a white-list can be very handy to reduce alerts. Also, SS monitors the most important behaviors that can be abused by spyware and trojans. The thing that's bugging me is that it doesn't have an auto-block option. I do not want to see alerts for stuff like protected file access and outbound connections.
     
  11. guest

    guest Guest

    That is why I've kept saying for ages: if one doesn't have decent knowledge of his system and can't handle prompts, don't use default-deny solutions and even less HIPS; go use an AV suite, most stuff there is simplified.

    Personally I don't see the point of using a HIPS other than in Ask User/Interactive/Paranoid mode (those familiar with some famous HIPS will recognize the terms).
     
  12. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    194
    Location:
    Poland
    In theory, most HIPS software is simple and easy to use.

    "Allow process" or "Deny/Block process", plus "Remember my choice" if you want it to remember the rule and apply it automatically the next time the same situation occurs.

    However, the problem is not with HIPS but with system knowledge; most people just don't know what is going on between the system and the task of the software which the HIPS monitors and alerts about.

    E.g., how is the user supposed to know what it means if Firefox starts with the parameter '-p' etc., started by the process explorer.exe (and what is this!? explorer.exe :p)

    Most software has really useful FAQs about software settings on the web and pinned in the software itself somewhere around the About/Help menu.
    But from experience, people are so damn lazy!! Too lazy to open and read instructions which require more than 5 s of reading and are bigger than half an A4 page, or even a couple of pages :p
    But every day they spend time on crap sites and read more and more bulk crap and other such common things on sites...
     
  13. guest

    guest Guest

    Laziness of people is the reason malware spreads so fast and phishers are so successful... happy clickers...

    Just look at security/computer forums: people come and ask here what they could find with 5 min of effort on Google.
    How many times I have had to redirect people to the help file of the software.
    This spreading laziness is forcing security vendors to simplify their software to such an extent that it even becomes less strong than before.
    Lazy users want the security software to do all the job while they keep happily clicking on suspicious links and porn ads, and looking for cracks/keygens.
     
  14. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    More like lack of education; people don't run malware because they're lazy, they run it because they don't know better. But they're also lazy :D

    Right?

    Many?

    I don't see the issue with the software taking the decisions for the user; what else do you mean?
     
  15. guest

    guest Guest

    They don't know better because they don't look to know better.

    Way too many.

    Not that; I'm talking about the fact that very powerful software is reduced to almost just a GUI with 3 buttons, when before you had many options to strengthen said software.
     
  16. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    I remember there were isolated processes (or maybe it was ReHIPS?). How does that compare to Sandboxie's isolation?
     
  17. guest

    guest Guest

    - SpyShelter uses only restrictions. It is not a real sandbox (if we consider sandboxing as isolation).
    - ReHIPS isolates by using tightened Windows user profiles. So unless Win10 changes this, ReHIPS doesn't need frequent updates.
    - Sandboxie is more like light virtualization using code whitelisting, so it needs to closely follow application development; if not, they can't run isolated or are broken, so Sbie requires immediate updates if said applications receive major code changes.
    I don't have the article at hand, but you can find it on Google.
     
  18. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,708
    Location:
    UK
    This thread is about SpyShelter.
    Stick to that subject or
    posts will be removed
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Exactly, and it's not like it's rocket science. I remember when I started using HIPS (Process Guard and later System Safety Monitor) back in 2004, I learned everything I needed to know about software/app behavior in about a year. The thing is, most apps do not need to perform certain stuff like code injection, recording keyboard input and registering services and drivers. So it's actually quite easy to spot suspicious behavior.
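    The triage rule Floyd 57 sketches above (Process Explorer reading other processes' memory is expected, Paint doing the same is not; when in doubt, block and re-test for breakage) and Rasheed187's point that most apps never need code injection, keyboard hooks or service/driver registration can be written down as a small policy. The block below is an added example, not SpyShelter's code or its rule format: the pipe-separated alert lines, the process names and the action names are constructed placeholders, and the `HIGH_RISK` and `EXPECTED` sets are illustrative, not a recommended configuration.

    ```python
    """Triage HIPS-style alerts the way an experienced 'ask mode' user does.

    Added example. The alert line format "<process>|<action>|<target>", the
    process names and the action names are all constructed for illustration;
    they are not SpyShelter's own identifiers.
    """
    from dataclasses import dataclass

    # Actions that most applications never legitimately perform.
    HIGH_RISK = {
        "inject code",
        "install keyboard hook",
        "register service",
        "load driver",
        "read process memory",
    }

    # (process, action) pairs the user has already judged legitimate.
    # Hypothetical entries: a Process Explorer style tool really does read
    # other processes' memory and load a driver; a paint program does not.
    EXPECTED = {
        ("procexp.exe", "read process memory"),
        ("procexp.exe", "load driver"),
        ("msiexec.exe", "register service"),
    }


    @dataclass(frozen=True)
    class Alert:
        process: str
        action: str
        target: str


    def parse_alert(line):
        """Parse one constructed alert line into an Alert (names lower-cased)."""
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"malformed alert: {line!r}")
        return Alert(parts[0].lower(), parts[1].lower(), parts[2].lower())


    def decide(alert, expected=EXPECTED):
        """Return 'allow', 'deny' or 'ask' for one alert.

        Known-good pairs are allowed; a high-risk action from any other
        process is denied (the user can re-test and relax the rule if the
        program actually breaks); everything else is left to the prompt.
        """
        if (alert.process, alert.action) in expected:
            return "allow"
        if alert.action in HIGH_RISK:
            return "deny"
        return "ask"


    def remember(alert, verdict, expected):
        """'Remember my choice': an allowed alert becomes an expected pair so
        the same (process, action) is not asked about again. Returns a new set."""
        if verdict == "allow":
            return expected | {(alert.process, alert.action)}
        return expected


    def triage(lines, expected=EXPECTED):
        """Run decide() over a batch of alert lines."""
        alerts = [parse_alert(line) for line in lines]
        return [(a.process, a.action, decide(a, expected)) for a in alerts]


    # Constructed sample alerts, not real SpyShelter output.
    SAMPLE_ALERTS = [
        "procexp.exe | read process memory | chrome.exe",
        "mspaint.exe | read process memory | chrome.exe",
        "mspaint.exe | install keyboard hook | (global)",
        "notepad.exe | write file | C:\\Users\\me\\notes.txt",
    ]

    if __name__ == "__main__":
        for proc, act, verdict in triage(SAMPLE_ALERTS):
            print(f"{verdict:5}  {proc:12}  {act}")
    ```

    The order of the checks is the point: the allow-list is consulted first so that a deliberately remembered decision wins, and the high-risk list is a deny-by-default fallback, which is the opposite of auto-allowing everything from a trusted-vendor database.
    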
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,735
    SpyShelter v11.4 Released (February 18, 2019)
    Announcement
    Download
     
  21. Jerry666

    Jerry666 Registered Member

    Joined:
    May 28, 2002
    Posts:
    176
    Did I get the wrong version? I downloaded it and it still says 11.4 RC.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,973
    Location:
    Poland - Cracow
    I don't know why... I downloaded the FW installer a few minutes ago and I have 11.4 stable, then compared it to the RC on my disk looking at the SHA1 - you can see two different numbers. Maybe try doing this one more time?
    190303132420_1.jpg
    190303132524_2.jpg
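    The check ichito describes, comparing the digest of the freshly downloaded installer with the RC copy on disk, answers "did I get different bytes?" but not "did I get the vendor's bytes?"; for the latter the reference digest has to come from the vendor's page (or the installer's Authenticode signature has to verify). Added example, not SpyShelter's code: the two installer images, their file names and the "published" digest below are constructed stand-ins, and SHA-1 is kept only to mirror the post's comparison, with SHA-256 used for the integrity check.

    ```python
    """Tell two installer builds apart and verify one against a published digest.

    Added example. The two 'installers', their names and the published digest
    are constructed placeholders, not SpyShelter files or vendor values.
    """
    import hashlib
    import hmac
    import os
    import tempfile


    def file_digest(path, algo="sha256", chunk=1 << 20):
        """Hex digest of a file, streamed so large installers need not fit in memory."""
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
        return h.hexdigest()


    def same_build(path_a, path_b, algo="sha256"):
        """True if both files hash identically (the RC vs. stable question)."""
        return hmac.compare_digest(file_digest(path_a, algo), file_digest(path_b, algo))


    def matches_published(path, published_hex, algo="sha256"):
        """Compare a file against the digest the vendor publishes.

        Constant-time comparison; whitespace and case are normalised so a
        digest copied from a web page in uppercase still matches.
        """
        return hmac.compare_digest(file_digest(path, algo), published_hex.strip().lower())


    def demo():
        """Constructed scenario: an RC build and a stable build that differ."""
        rc = b"MZ" + b"\x00" * 62 + b"SpyShelter 11.4 RC "
        stable = b"MZ" + b"\x00" * 62 + b"SpyShelter 11.4    "
        with tempfile.TemporaryDirectory() as d:
            p_rc = os.path.join(d, "spyshelter_rc.exe")
            p_stable = os.path.join(d, "spyshelter_stable.exe")
            with open(p_rc, "wb") as f:
                f.write(rc)
            with open(p_stable, "wb") as f:
                f.write(stable)
            # Stands in for the SHA-256 the vendor would publish next to the download.
            published = hashlib.sha256(stable).hexdigest().upper()
            return {
                "same_build": same_build(p_rc, p_stable),
                "stable_matches_published": matches_published(p_stable, published),
                "rc_matches_published": matches_published(p_rc, published),
                "sha1_differs": file_digest(p_rc, "sha1") != file_digest(p_stable, "sha1"),
            }


    if __name__ == "__main__":
        for name, result in demo().items():
            print(f"{name}: {result}")
    ```

    On Windows the same two checks are `Get-FileHash -Algorithm SHA256 .\installer.exe` against the published value and `Get-AuthenticodeSignature .\installer.exe` to confirm the signature chain is valid; a matching hash from an untrusted page proves nothing, since whoever swapped the file can swap the hash too.
    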
     
  23. Jerry666

    Jerry666 Registered Member

    Joined:
    May 28, 2002
    Posts:
    176
    Thanks, tried once more and got the 11.4 release installed, no problem. That's a relief, after the problems with the first 11.4 RC ruining my system. Working the way it has in the past.
     
  24. emil emil

    emil emil Registered Member

    Joined:
    May 5, 2016
    Posts:
    28
    Today I saw that the settings in the list of monitored actions were changed to auto-allow for signed. But I always had the setting not to allow for all components.
    How is that possible? I did not change anything.
     
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,735
    SpyShelter v11.5 Released (March 18, 2019)
    Announcement
    Download
     