Spyshelter 12.7 "restricted apps" is this a bug or by design?

Discussion in 'other anti-malware software' started by kC_, Oct 25, 2021.

  1. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    525
    A weird issue ive come across relating to "restricted apps"... not sure if this is expected behaviour? (normally id expect any (non microsoft signed) application that needs internet access gets prompted for) (im in the allow MS mode)

    Ive figured out the issue, but not sure if its expected? (appears that using restricted mode is actually less secure?)

    if i use MSEDGE in "restricted mode" should any applications EDGE launches then get full internet access without creating additional rules? (seems a security hole when thinking restricted mode is more secure!)

    on my work machine we use a MSP remote management platform called Solarwinds N-able, its a website i access using MSEDGE and I had previously had MSEDGE in restricted mode thinking it was more secure, but i found a odd issue, that using the platform, when MSEDGE calls up the software to remote connect to servers, i found it never prompted for anything, the remote software below just launched and worked fine, no rules got created, no pop ups or prompts, nothing in spyshelter, it had just allowed it to run & access the internet.

    the path to the executables that EDGE launches is
    C:\Users\username\AppData\Local\Take Control Viewer\TakeControlRDViewer.exe


    So in restricted mode, yes im more secure in that edge can only write to the specified folders, but its a huge problem if ANY .exe that MSEDGE launches is just granted full access to do what it wants to do

    Once i removed MSEDGE from restricted mode, when i click on the remote button, I then correctly got plenty of pop ups asking for rules to be created to TakeControlRDViewer.exe

    Is this by design or is this not normal?
     
    Last edited: Oct 25, 2021
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    I can't tell you much about it, but I do think the ''restricted apps'' feature is one of the weaker points of SS. I wouldn't rely on it for exploit protection, in my view this feature needs to be redesigned.
     
  3. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    525
    thanks, yeh doesnt seem great! "weaker" its a massive security hole!
     
  4. Jan Willy

    Jan Willy Registered Member

    Joined:
    Jan 29, 2021
    Posts:
    41
    Location:
    Netherlands
    I assume this has something to do with the location of the exe-file: ...AppData\Local\... This location is excluded from the restriction mode. See the tab Folders with write access in the SS program.

    Schermafbeelding 2021-10-25 184717.jpg
     
    Last edited: Oct 25, 2021
  5. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    525
    thanks, for now ive just removed from restricted apps, id rather be prompted for any app access.
     
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,974
    Location:
    Poland - Cracow
    @kC_
    Here you have how trusted cretificates and protection levels are working together
    https://www.wilderssecurity.com/threads/spyshelter-11.402823/page-5#post-2802181
    I don't think its the matter of restricted apps and in my opinion it's not reasonable to run Edge as restricted. It's because of a lot of diferetnt processes that are working at the same time and some of them are strictly connected to the system
    https://www.askvg.com/windows-10-wh...ning-in-task-manager-and-how-to-disable-them/
     
  7. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    525
    Thanks very useful!
    in my (basic) understanding, running web browsers in restricted mode should have tighter security, in my thinking, edge would run.... not be able to leak info, and not be able to save files into any folder thats not in the restricted allow list folders... but I found it had quite the opposite effect... it weakened security, for example if i launched egde i restricted mode, potentially any malware or virus under localsystem would of had full access to do whatever it liked, and I would not of been prompted... I dont see any single reason anyone would use restricted apps feature? surely that is not by design is it?
     
  8. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    525
    support confirmed its by design..... if you run an app in restricted mode, then any child process it spawns will have full access without prompts to everything/internet upload_2021-10-26_11-44-29.png
     
  9. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    525
    Another weird random bug found, lost my faith in this thing now!

    my settings are set to "trust microsoft signed" & I have NO custom trusted signers,
    upload_2021-11-30_13-43-20.png


    yet I was wondering when i spotted wiztree (https://diskanalyzer.com/) ran and just created rules itself... (as if it was added as a "trusted signer")
    so looking in the component details.... how did this become auto accepted?
    upload_2021-11-30_13-46-19.png

    i would expect ANYTHING signed & non microsoft to show as below where you have to click to make it trusted"
    upload_2021-11-30_13-47-33.png


    now totally lost faith and trust in this thing, its so good and so powerful, but so buggy!

    I then went through all of my rules for non signed Microsoft applications component details & found the following software signers were just "Auto--Accepted" so they now reside in my untrusted list so they cant just create rules.. (its not that i dont trust them... its just that I want to be prompted for what rules for anything non Microsoft
    upload_2021-11-30_13-50-25.png
     
  10. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    92
    Location:
    Ireland
    Try Ask user for full control
     

    Attached Files:

  11. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    525
    had tried that, and for example with wiztree, deleted the rules for it, run it, click check for updates, and it just creates whatever rules it wants without prompt.
    in the component details it still says
    upload_2021-11-30_16-33-24.png
     
  12. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    clear all rules before ask user mode
    also try this clear all rules
    set allow microsoft go to list of monitored action
    select action 53 then untick Auto-allow the action for a component signed by a trusted signer
    just for action 53
    then it should work as auto allow Microsoft and ask rest of exe

    please tell if it work
     
  13. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    525
    Hi, yes if i untiick "Auto-allow the action for a component signed by a trusted signer" then it does prompt (as expected)
    but i do want that feature (for example for microsoft) to not prompt at evey store app update or windows update etc..

    the problem is why are certain applications "auto trusted signers" why is antibody software "auto accepted signer"
    it was actually my IDS/threat protection in my firewall that prompted me to investigate why it was even accessing the internet when i hadnt manually allowed it
    upload_2021-12-1_9-0-26.png
     
  14. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    its have builtin trusted signer therefore shows auto accepted signer.i don't know why some software auto accepted signer maybe because trusted certificate?
    and i tested trick, and its work as i write above allow Microsoft and prompt for other
    exit from spyshelter and delete SpyShelter folder from AppData so to be clean
    if you have prompted for Microsoft file maybe because they are not signed or not from Microsoft
    you can try medium level too
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    OK, so it's because of the ''Auto Allow'' feature right? So then this isn't a bug? But I agree, if you set it to ''allow Microsoft'', it should only allow processes related to MS and Windows.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.