SpyShelter 12

Discussion in 'other anti-malware software' started by mood, Oct 21, 2019.

  1. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    87
    Location:
    Ireland
    @Cutting_Edgetech You can run apps from the list without restrictions, if you want to update them.
     

  2. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    Yes, you are right. It has worked the same way since the beginning of this feature in SS history...ca 8-9 years, although it was called "Sandbox" earlier.
    I think it's because if a specific app is added as restricted, no other apps/processes can run it as unlimited except SS.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Thank you Space Ghost! I was not aware that you could right click an application on the Restricted list and run it as Unrestricted until you mentioned it. I have only used the Restricted Apps feature once before and it slaughtered my Firefox installation. All my settings went back to default and the applications would just freeze and lock up from that point on. That was shortly after they first added the Restricted Apps Feature, and I didn't have much time to troubleshoot the problem then. I just went ahead and reinstalled Firefox and removed Firefox from the Restricted Apps List.

    There still remains a problem when updating many applications. When you run an application Unrestricted it launches a separate instance of the application. Many applications attempt to auto-update themselves unless you configure them not to, so the update process will have already begun, and launching a separate instance of the application will not allow the update in progress to complete. I configure applications to notify me when updates are available so I can install them when it best suits me, but I'm sure many users do not.

    I attempted to update Firefox by disabling SpyShelter, and I assumed that disabling SpyShelter would also disable the enforcement of the Restricted Apps mitigations; I mean there is nothing in the UI notifying the user that it does not. After Firefox update was blocked by the Restricted Apps mitigations, Firefox would no longer update. From that point on when attempting to update Firefox it notified me to download Firefox and reinstall Firefox from scratch. If I had done that I would have lost all the policy changes that I have made to Firefox in the about:info configuration, reconfigure all other settings, and install my plugins again. Luckily I had enough knowledge about Firefox to know how to fix the problem. I ended up having to delete everything inside the Mozilla update folder in the AppData directory, and clear out the cache. Most users would not have known to delete the content in the Mozilla update folder in the AppData directory. Many users would have to reinstall Firefox because they would not know how to resolve problems like these. They should put some text in the UI notifying the user that disabling SpyShelter does not disable the Restricted Apps mitigations or even better, they should design SpyShelter so that the Restricted Apps mitigations are also disabled when SpyShelter is disabled.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    BTW, may I ask what you are trying to achieve when running Firefox as a restricted process? At the moment I have stopped using Sandboxie for browser protection because I'm testing MBAE, and I thought about protecting Vivaldi with SS but I don't see any big advantage since it's not using any virtualization, plus like you described it may cause problems.
     
  5. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    87
    Location:
    Ireland
    Code:
    SpyShelter version 12.6 is live now!
    
    You can find new SpyShelter Silent, Premium and Firewall editions there:
    Download Page.
    
    (free version will be updated in next weeks)
    
    One of the defining characteristics of this release is Windows 11 support.
    
    After almost a year and half Microsoft finally has fixed WinAPI function issue which caused ScreenPhantom non-working.
    ( Archive note about issue there: https://www.spyshelter.com/blog/spyshelter-12-2-released/ )
    In order to make sure this feature will work with SpyShelter you need either older Windows 10 build, or use new Windows 11
    (19H2 of Windows 10 was the last version with non-broken code)
    
    12.6 (27/Sep/2021)
    
    – Attempt to add support for Windows 11
    – Added support for Windows 21H2
    – Small internal updates
    https://www.spyshelter.com/download-spyshelter/
     
  6. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    117
    Location:
    Finland
    Spyshelter is a very powerful tool for advanced users. I used Spyshelter Premium for years. Now I want to switch back to Spyshelter and rebuild my PC security around it.
    If I understand this right, Spyshelter is a one-man project, which alone means that the coder of this deserves support.
     
  7. Eru

    Eru Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    107
    Location:
    Poland - Sosnowiec
    SpyShelter is made by a Polish company named Datpol and it's not a one man project :thumb:
     
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    Hi Eru...nice to see you here :thumb:

    Rasheed...do you ask seriously? It's just prevention...it's actually the same role as in LUA/UAC...like in Online Armor, GSW, EdGuard Solo, Core Force, Private FW and so on. Is it not a big advantage?
    :oops:
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Rasheed, I'm just trying to use the software restriction policies offered by the restricted apps feature to prevent vulnerable applications from infecting the system in the event they are exploited in some way. For example, let's say I encounter a browser exploit or a Macro virus embedded in a Word or Excel document; the exploited application should in theory be effectively isolated from the rest of the system just by using software restriction policies. Software restriction policies can prevent vulnerable applications from doing anything malicious to the rest of the system without the use of virtualization. It's just another layer of security working in conjunction with the HIPS.

    Sandboxie is a great application for what it does, but for me I quite often find it inconvenient. I don't like having to recover many files from the sandbox. It takes up more of my time, and if I forget to recover them then I may lose them depending on what settings I use with Sandboxie. Microsoft is also constantly making changes to their OS that cause problems for Sandboxie's user-mode hooks; even third party applications seem to break quite often when sandboxed due to changes they make throughout their own development cycle.

    I currently can't say much for how effective the restricted apps feature is since I don't know what all is exactly being restricted. It says the following below in Spyshelter's UI. It's unknown to me whether Spyshelter's restricted apps feature is able to prevent vulnerable applications from reading and writing to the memory of other applications, but in theory its HIPS should intercept any attempt by a vulnerable application to inject into another application. I still would definitely like to see memory enforcement policies being used with the restricted apps feature if they are not already being used. I use AppGuard and it restricts vulnerable applications from reading and writing to the memory of other applications.

    This feature:
    -Increases chances of blocking attacks launched through holes in applications.
    -Restricts access to system resources such as registry and files.
    -Limits access for recording keyboard input, getting screenshots, accessing to other processes and so on.
    -Protects from shatter attacks, it makes exploits unable to increase their own rights.


    I also do not know what digital certificates are being used with SpyShelter or how many are being used. There is no transparency. A digital certificate could be used to potentially bypass all of SpyShelter's mitigations if they are being used in the way I think they are being used. I don't see any option that allows the user to choose which digital certificates to allow. Good security policy is to only allow digital certificates for software you have installed on your system, and only for those that your security software is causing problems with. For reference, I only use 9 certificates with AppGuard and 11 with ERP. Following good security practices, I removed all certificates that were on the list by default and only used those I needed.

    I believe I have identified a problem with SpyShelter's default policy in the Folders with Write Access. SpyShelter allows write access to the entire AppData Roaming directory. One of Windows startup folders is located in the AppData Roaming directory at the following path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. It's a common tactic for malware to drop an executable or a shortcut to an executable in one of the Windows startup folders so the malware automatically executes at Windows startup. I don't see an easy way to only blacklist the Windows Startup folder in the AppData Roaming Directory. SpyShelter needs an option to blacklist a single folder from write access that overrides the Folders with Write Access. In other words the additional Blacklist Option would forbid a single folder from having write access even though its parent folder and all other subfolders have write access. It would look nice to add this option in the UI as an additional tab next to the Folders with Write Access tab. I feel this option is badly needed!

    Edited 9/29/21 @ 3:24 am
     

    Last edited: Sep 29, 2021
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    @Cutting_Edgetech
    You are right about apps that are potentially vulnerable or vulnerable in reality. As I said it's just prevention because we don't know what and when can be recognised as a hole in an application. Other unknown apps/processes and actions are monitored by the HIPS/firewall module.

    You can create needed rules for specified file/folder in both "restricted apps" and "protected files" modules also. It just depends on you and I'm using such solution.

    Builtin certificates are hidden and there is no way to edit such list...you can only add your own apps/certificates. I think there are already ca 10k trusted signers but no info about that number, there is only info about optimizing that list.

    That's how they work in practice
    https://www.wilderssecurity.com/threads/spyshelter-11.402823/page-5#post-2802181

    Here are actions related to the memory protection (advanced rules editor). I think such rules won't be created and are automatically blocked in restricted processes.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    What I meant is that it's not really clear how it will protect against malware that's running via some browser exploit. And it's a bit of a hassle since you will need to whitelist folders yourself. That's what I liked about Sandboxie, you don't have to think about this stuff because of the virtualization. I have never liked tools like DefenseWall, GeSWall and AppGuard.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    Yes I understand, but the thing is, even without adding the browser to the restricted apps list, SS should already alert about suspicious stuff, no matter if malware is launched via the browser or not.

    That's exactly my problem, I can't visualize how it would help to protect the system. Or perhaps it will auto-block instead of alert about suspicious behavior. I guess I will need to test it with Vivaldi.

    That's why I always make shortcuts to sandboxed folders, it's easy to simply cut and paste all of those files to folders outside the sandbox, so it's not a big problem to me. I always disable auto-recovery since I find it annoying.

    Correct, that's why I have switched back to ''ask user'', it's simply too risky to auto-trust apps.

    I'm guessing it would cause too many problems if SS protected this folder. I personally would like to see a more clear redesign of the ''restricted apps'' feature. It should become more like OSArmor in terms of blocking suspicious process execution.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I have found no way to only blacklist the startup folder in the AppData Roaming directory without having to individually whitelist all the directories within the AppData Roaming Folder that I want to allow, and then excluding the startup folder from the list of allowed folders with Write Access. If you have found a way to do it, then how can I do it? Having to whitelist every folder in the AppData Roaming directory except for the Windows Startup Folder is too much work!

    That's very disappointing. I do not want to use a product that forces the user to trust so many digital certificates. If I set the security mode to, "Ask User" then will SpyShelter ignore the Trusted Certificate List, or do you know? I currently have SpyShelter set to "Ask User" in the Security Settings. I used SpyShelter for a long time set to "Auto-Allow - High Security" to build the rules I needed for my System, and then I switched it to "Ask User". I rarely received any prompts from Spyshelter with it set to "Ask User".
     
    Last edited: Oct 5, 2021
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I switched back to "ask user" also, it's ridiculous to trust so many digital certificates!



    It should not cause any problems at all. I can not think of a single legitimate purpose of a vulnerable app needing to write to the Windows Startup Folder in the AppData Roaming Directory. If they want to use the Startup Folder to launch their own App at Startup then it will have already been placed in this folder after installing their application. A vulnerable application using this method to start their own application at Startup would be very unusual though, and I haven't used any that does. I have been using AppGuard for many years and it blocks all applications on the Guarded Apps List from writing to the Windows Startup Folders, and I have never seen AppGuard block any vulnerable application from writing to the Startup Folders. If I used a vulnerable application that needed to write to the Windows Startup Folder to function correctly, then I would drop it on bad developer design alone. Malware commonly tries to write to Windows Startup Folders to gain persistence. There are hundreds of exploits for Winrar alone that use this technique. The other Windows Startup folder is in the Microsoft ProgramData directory folder, and SpyShelter already does not allow Write Access to it.
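The blacklist-overrides-allow behaviour requested in this post and in post #9 (a single subfolder denied for writing while its parent and all sibling subfolders keep write access) can be modelled as a longest-prefix-match path policy. The following is an added illustration, not SpyShelter's code or a description of how SpyShelter implements Folders with Write Access; the policy lists, the rule semantics and the sample write attempts are all constructed for the example.

```python
from pathlib import PureWindowsPath

# Hypothetical policy model (constructed for this example, not SpyShelter's):
# an allow-list of folders a restricted app may write to, plus a deny-list
# whose entries override their parent folder's allow rule.
ALLOWED_WRITE_DIRS = [
    r"C:\Users\user\AppData\Roaming",
    r"C:\Users\user\AppData\Local\Temp",
]
DENIED_WRITE_DIRS = [
    # The per-user Startup folder named in the thread: a classic persistence
    # location, so it should be denied even though Roaming is allowed.
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
]


def _norm(path):
    """Split a Windows path into lower-cased components (NTFS is case-insensitive)."""
    return tuple(part.lower() for part in PureWindowsPath(path).parts)


def _is_under(target, folder):
    """True if target is folder itself or lies somewhere beneath it."""
    t, f = _norm(target), _norm(folder)
    return len(t) >= len(f) and t[: len(f)] == f


def write_allowed(target, allowed=ALLOWED_WRITE_DIRS, denied=DENIED_WRITE_DIRS):
    """Decide whether a restricted app may write to `target`.

    Longest-prefix match: the most specific rule covering the path wins, so a
    deny entry for a subfolder overrides an allow entry on its parent while
    sibling subfolders stay writable. A path covered by no rule is denied,
    matching the default-deny stance of a restricted-apps policy.
    """
    rules = [(f, True) for f in allowed] + [(f, False) for f in denied]
    best_depth, decision = -1, False
    for folder, allow in rules:
        if _is_under(target, folder):
            depth = len(_norm(folder))
            if depth > best_depth:
                best_depth, decision = depth, allow
    return decision


# Constructed sample write attempts by a restricted process (e.g. a browser).
SAMPLE_WRITES = [
    r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\prefs.js",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    r"C:\Users\USER\appdata\roaming\microsoft\windows\start menu\programs\startup\x.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\x.exe",
]


def audit(paths, allowed=ALLOWED_WRITE_DIRS, denied=DENIED_WRITE_DIRS):
    """Map each attempted write to the policy decision, for review or logging."""
    return {p: write_allowed(p, allowed, denied) for p in paths}


if __name__ == "__main__":
    # With the deny entry, only the Firefox profile write is permitted.
    for path, ok in audit(SAMPLE_WRITES).items():
        print("ALLOW" if ok else "DENY ", path)
    # Without it, the Startup drop is allowed purely because Roaming is allowed,
    # which is the gap the post describes in the default policy.
    print(audit(SAMPLE_WRITES, denied=[])[SAMPLE_WRITES[1]])
```

Running `audit` with `denied=[]` reproduces the situation described above: the whole Roaming tree is writable, so a shortcut dropped into the Startup folder is allowed; adding the single deny entry closes that path while leaving the Firefox profile directory writable, and the ProgramData Startup folder stays denied because no allow rule covers it.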
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I just discovered it's not possible to update Firefox by running it unrestricted from the Restricted Apps List as Space Ghost suggested in post #226. Firefox needs to restart itself to complete the update, and when Firefox restarts itself, that instance of Firefox is automatically run restricted by SpyShelter. The only way to update Firefox is to remove it from the Restricted Apps List, and then add it back after you complete the update.

    I never heard anything back from SpyShelter after reporting that Restricted Apps are still enforced when SpyShelter is disabled, and even after disabling SpyShelter Service. Maybe you don't get an email notification when they respond to your ticket. I wonder if I need to sign back into the support ticket system. I thought one would get an email saying their support ticket had been responded to though.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    Yes exactly, it will cause difficulties in case of a so called ''supply chain attack.'' Of course it's also possible to first install all trusted apps and let SS make rules and after that you can put it back to ''ask user'' mode. And I meant it would cause problems if SS didn't allow access to the AppData directory, which is obvious. And now that I think of it, it already monitors autostart settings via the registry monitor, so no big deal. But anyway, I don't think I will be using the ''restricted apps'' feature, I'm afraid it will cause too many problems.
     
  17. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    87
    Location:
    Ireland
    -https://www.spyshelter.com/download-spyshelter/
     
  18. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    321
    Location:
    USA
    encryption in console applications is disabled by default
    I understand the words but have no idea exactly what that means in SpyShelter...

    can be enabled on demand
    ...or where in the UI that is done.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    SpyShelter prompted me a moment ago saying there was an update available for SpyShelter. It asked me if I wanted to update to SpyShelter 12.6. I'm already using 12.6 so I don't think it should be asking me if I want to update. I almost updated again because I was having trouble finding what version I was using. I almost did not find the version number because it was at the very bottom in somewhat small print. I think the best place to list it would be in the about tab or at the main top in the Header of the GUI. If it were me I would put it in both places. That's where most software developers list what version you are using.
     

  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I have been experiencing a bug with SpyShelter on my system since version 12.5 when using SpyShelter with Shadow Defender. I don't know if it affects versions prior to 12.5 since I just started using SpyShelter again 8 months ago. Every time I reboot after being in Shadow Mode SpyShelter disables itself. I have to manually enable SpyShelter after each boot when rebooting in Shadow Mode or when exiting Shadow Mode. Is anyone else using SpyShelter with Shadow Defender?

    I'm using Windows 10 x64 Pro Version 20H2 and Shadow Defender version 1.5.0.726.
     
  21. Jan Willy

    Jan Willy Registered Member

    Joined:
    Jan 29, 2021
    Posts:
    29
    Location:
    Netherlands
    By the way: why did you disable Keystrokes Encryption? In my eyes this is just the core of SS.
     
  22. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    87
    Location:
    Ireland
    For me, this only happens when I switch to shadow mode and spyshelter protection is turned off.
     
    Last edited: Oct 14, 2021
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Because the Keystroke Encryption is not compatible with Keepass on my system. It causes the Keepass auto-type feature to fail when typing in user names and passwords. SpyShelter alters the characters being typed in by Keepass. Eventually just copying and pasting the username and password from the Keepass UI begins to randomly fail as well. I tried adding Keepass to the list of processes that are not monitored by SpyShelter, but that did not help. This bug has existed between SpyShelter and Keepass for several years. I experienced the same bug on two other machines running completely different hardware 3 years ago, and then again about 2 years later. During those times I was just trying SpyShelter out and uninstalled SpyShelter after about 2 weeks.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I made sure that SpyShelter was enabled before entering Shadow Mode. I made note to myself several times that SpyShelter was already enabled before entering Shadow Mode, and SpyShelter was disabled each time after rebooting.
     
  25. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    401
    Location:
    router
    Windows 8.1 no problem so far, but I haven't updated Windows for a long time so I can't tell.
    According to here
    https://www.spyshelter.com/download-spyshelter/
    20H2 (October 2020 Update) should be working fine.
     