SpyShelter 12

Discussion in 'other anti-malware software' started by mood, Oct 21, 2019.

  1. Jerry666

    Jerry666 Registered Member

    Joined:
    May 28, 2002
    Posts:
    172
    Thanks, that notice has been driving me crazy and I just don't remember what I did during setup all those years ago.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    Have you already asked the SS developers about SpyShelter's ability to block malware from stealing browser data? I believe SS doesn't protect against this, and I have never understood why.

    https://www.cyberark.com/threat-research-blog/raccoon-the-story-of-a-typical-infostealer/
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    Why doesn't it protect? Some actions, in my opinion, should be detected and blocked...I mean making connections, some file/folder modifications, taking screenshots. I've asked friends on the SG forum about samples or maybe some tests already done and I'm waiting for some info...we will see :)
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    Downloading already didn't work, but in 1-2 hours the next fixed build will be available
    https://www.spyshelter.com/blog/spyshelter-12-1-beta-screen-phantom-feature/
    ---------------
    edit:
    OK...it starts to work :)
     
  5. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    378
    Location:
    router
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    It was due to a mention by user @Kot_Pocztowy...Google translation of part of post #894
    https://safegroup.pl/thread-4263-post-224959.html#pid224959
    The first "beta" was removed and the links were empty, then they gave the proper beta #2
    -------------------------------
    The new version is working fine, without issues...the "Screen Phantom" feature, if enabled, blocks screen capturing, or better said, allows only a completely black screen to be seen, which is useless for an attacker. It could be useful against an attack that uses allowed (in rules) processes to capture the screen via injected malicious code.
     
    Last edited: Mar 12, 2020
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    I don't see any option in SS that protects against malware stealing data from disk and registry. I do remember that Outpost Firewall offered such a feature. I can't wait for the results, but why not ask the developers for this?

    Finally, a new and exciting feature has been added. So basically, it will block all apps from making screenshots or capturing videos without bothering users with alerts; sounds cool to me. However, I assume it will still allow trusted apps? This didn't become clear to me.
     
  8. Jerry666

    Jerry666 Registered Member

    Joined:
    May 28, 2002
    Posts:
    172
    Are they saying that FireShot or other apps that take screenshots will not work if it is enabled? Guess I'll just use Ctrl+Print Screen if needed.
     
  9. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    378
    Location:
    router
    Thank you for the info
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    As regards the "Screen Phantom" feature, what I've checked on Win7 - it will block different kinds of apps
    - 3rd party like e.g. FreeCommander (and perhaps others that do that job) with a feature to make a screenshot by clicking a shortcut
    - system apps like Snipping Tool (or perhaps 3rd party also) that make a screenshot by pushing the "New" command or similar in the window menu
    - it also blocks specific keyboard buttons or their combinations - "Print Screen", "Fn+Print Screen", which means commands directly from devices.
    I observe that it doesn't matter if the process
    - is allowed in rules to take screenshots
    - is added to the trusted signers list, which can have a different effect on SpyShelter at different protection levels
    - we have global "automatically allow" in the list of monitored actions.
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
  12. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    273
    Location:
    Island of Woman
    if one wants a more modular approach he can use the SpyShelter Free 12.0 HIPS system, which would monitor vulnerable components like the Windows Management Instrumentation event subscriptions, TermService (remote desktop), registry modifications, in/out connections, and allows setting rules for each program and service that it spots
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    Then what's the point of this "Screen Phantom" feature, if it will also block trusted apps? Also, did you already contact the developers? I still have no answer about whether SS is able to block data stealers or not. Every time I ask this question, you seem to ignore it after a while. :doubt:
     
  14. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    Hi @Rasheed187
    Sorry that you have no answer about the data stealer...we all have a weird situation (both in private life and in our jobs also), so sometimes it is not easy for me to deal with it...or better said, it's hard to focus on "security apps test" activity. Next thing - more than a year ago I changed my job, which is completely different from my previous job, and that's why I was forced to completely change my daily routines. Please...don't be disappointed...I just have less time for my hobby.
    But the good news is - I've in fact checked "Raccoon stealer" in real life, which means on my Win7, but only up to a specific point of the malware's actions. Please give me some time to describe my test and present a couple of screenshots that were made using a smartphone (you will see how it looks) :)
    According to your last question - yes, ScrPh blocks even trusted apps, and it looks like the last beta builds of SS are connected with this feature. I have some info from the dev, but it was mentioned in our private correspondence, so I have to change it a bit and still have it make sense.
     
  15. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    140
    Location:
    USA
    Thanks ichito for all your updates.

    I think it would be beneficial to eventually have the developer explain the threat vector(s) addressed by Screen Phantom's "result in an output of black screen, thus making it impossible to capture screen content" that are not addressed by Screen Protection's "immediately stop all suspicious screenshot capturing activities."

    Already understood, I think, is the Phantom's "no rules, no alert, whack 'em all" not-HIPS operation versus Protection's "alert on suspicious, rules enabled" HIPS operation.

    Cheers.
     
    Last edited: Mar 23, 2020
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    OK cool. But what I meant is, did you hear from the developers or not about this issue? It's very simple: data stealers like Raccoon steal data by accessing certain files on disk and in the registry. These files and registry keys should be protected by SS, but I don't believe they are at the moment.
     
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    If you ask it this way - the answer can be quite easy, but first...yes, I've asked the dev and his answer actually confirms everything that you can find among the features of SS. So...in this sense I don't think it's right to call such a thing an "issue"...it's rather a matter dependent on the used application settings and created additional rules. Going to the dev's explanation...it's more or less like this:
    - SpyShelter offers two additional features that can be enabled - the first is "User defined protected files" (my comment: and folders also, or even the whole local disk, with two kinds of access - "read" or "read&write", and each of them with the category "private" or "general")
    - and the second is "User defined protected registry keys" - SS protects crucial parts of the registry against modifications, but you can add needed registry entries to do such a job also
    [screenshot: 200323103005_1.jpg]
    - data stealers can read specific registry entries, but blocking of registry reading can cause big problems in some apps' work and even system stability.

    Next thing, which means @Surt's last question - Screen Phantom is a feature that works simultaneously and in spite of created rules/other enabled features...it has nothing in common with HIPS or created logs of actions, and exclusions are not possible. That was the reason.

    And now the mentioned small test
    - system - Win7 (64-bit) virtualised by SD...all local disks included in SM
    - tested app - SpyShelter 12.1 beta build 4
    - the test was made first using the Polish version (16.03), but due to possible problems with understanding the info in alerts it was repeated on 22.03 in the English translation...and that is what you can see on the screenshots

    [screenshot: panorama RS eng_1.jpg]

    [screenshot: panorama RS eng_2.jpg]

    [screenshot: panorama RS eng_3.jpg]

    As was mentioned earlier - the screenshots were made using a smartphone because they couldn't be saved on the computer disk...all disks in SM :) All actions in these popups had been allowed - it was the one way to know what would happen in the next step.
    As we can see, all expected actions like launching the installer, making connections, modifying user temp files/folders were detected. I think the two below could be interesting and important:
    - AddInProcess32.exe, due to such info
    https://gbhackers.com/microsoft-legitimate-apps/
    and such analysis
    https://www.hybrid-analysis.com/sam...a4719a31122c0d66bc95ca1f732?environmentId=100
    - and the last picture: taskeng.exe is trying to execute sipnotify.exe...it could mean that our victim can receive a fake alert (maybe cyclic) about the end of support of Win7 (like on my machine) but another one on newer systems.
     
    Last edited: Mar 23, 2020
  18. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    140
    Location:
    USA
    @ ichito

    Thanks for your response to my post #40. And again, for all the work you do here.

    Your "Screen Phantom is the feature that is working simultaneously and in spite of created rules/enabled other features" is what I meant by "no rules, no alert, whack 'em all not-HIPS operation."

    Your "nothing common to HIPS or created logs of actions and exclusions" is what I meant by "alert on suspicious, rules enabled HIPS operation."

    I admit I was a bit too colloquial in my expressions in that there's a language barrier to be crossed. Even though your command of English is greater than most for whom it is native. :thumb:

    @ not specifically ichito, IMHO

    In re-reading #40, the SpyShelter web site quotes (edited to bold) for Screen Phantom and Screen Protection, what calls for clarification is why Phantom is needed when Protection already exists.

    That is, what is inadequate in four monitored actions of Protection's suspicion that would compel the user to enable the absolute Phantom?

    And I believe it would be nice for the developer to explain it to the customers on the web site. Even if it'll be implemented in the free version. (Will it??)

    Cheers.
     
    Last edited: Mar 23, 2020
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    Haha :)
    Thanks @Surt for your compliments :rolleyes:
    You should remember that Screen Phantom is still a beta feature which is tested by the developer and volunteers...it is rather not usual to offer a new feature to consumers on the main page of the app. It's mentioned "deeper" in his blog and specialised forums, which is normal among developers. I think it will be offered in some next stable version...we should wait :)
    The cause of ScrPh?...I can ask about it on our Polish forum...I don't want to use the private channel because it would be an overuse for me. Short answer now?...I think this phrase from post #31 can be the answer
    "It could be useful against an attack that uses allowed (in rules) processes to capture the screen via injected malicious code."
    "Allow" rules are and should be made for trusted processes, and nothing except such apps should be allowed to take screenshots...ScrPh is like a key that "closes" our system in specific circumstances like e.g. online banking, editing important documents, videoconferences etc.
     
  20. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    140
    Location:
    USA
    I'm aware of beta in this context but also understand that Screen Phantom is in active development and "this feature will be available in SpyShelter Premium and SpyShelter Firewall."

    Regardless then of all of SpyShelter's components, you say there might be an "attack that uses allowed (in rules) processes to capture the screen via injected malicious code." OK. The HIPS doesn't work in all capture scenarios is the premise.

    According to the blog, "any attempt to take a screenshot or record a video of your screen will result in an output of black screen." This doesn't align with your conjecture that it might be for specific circumstances. How would SpyShelter know whether a document is important or not, or if any one of the avalanche of browsers is used for transferring funds between accounts or just calculating some interest rates?

    Anyhow, as you point out, we should wait.

    In closing, there should be made available an easier method for toggling Phantom. Rather than drill to a checkbox under the Security tab, another switch in the Protection screen and/or an item in the systray icon right-click menu. That way, in keeping Phantom enabled, when my mostly occasional use of Greenshot outputs a black screen, I can curse silently under my breath and quickly toggle it off temporarily.

    Pass that on if you can. I might fire off that suggestion even though the only avenue for that is to open a ticket.

    Cheers. [WAIT]
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    OK...you're right when you talk about the way of enabling/disabling such a feature...there should be a much easier method of switching. This feature is still in development, so we should wait :) According to "important" documents/sessions - my interpretation was that we decide what is important...not the application :) You probably will for sure enable ScrPh while creating a sales agreement for your client, but not necessarily when you write in your calendar "buying a dozen beers for the football party" ;)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    Yes, but that's the thing. It's SS that should make standard rules, so that only trusted apps and processes can get access to certain disk files and registry keys. It's too complex if you need to make rules yourself. For example, only Firefox should have access to Firefox autofill data, passwords and cookies. But it seems like the SS developers find it too complex to implement, too bad. Because it would protect against malware like Raccoon out of the box. This is a feature that SS lacks.
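    As an added example (not part of this thread, and not SpyShelter's or any poster's code), here is an audit-only version of the "only Firefox may touch Firefox data" policy described above, done with built-in Windows object-access auditing rather than a HIPS rule: a SACL is set on the Firefox profile files that hold saved logins, cookies and form history, and the Security log is then queried for reads that did not come from firefox.exe. It assumes an elevated PowerShell session, that "File System" object-access auditing is enabled (auditpol /set /subcategory:"File System" /success:enable), and the standard Firefox profile file names, which are my assumption and not taken from the thread.

    ```powershell
    #Requires -RunAsAdministrator
    # Added example: detect non-browser reads of Firefox credential/cookie files.
    # Assumed (not from the thread): standard Firefox profile path and file names.
    $ProfileRoot    = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $SensitiveNames = 'logins.json', 'key4.db', 'cookies.sqlite', 'formhistory.sqlite'

    function Enable-BrowserDataAudit {
        # Put a SACL on each sensitive profile file so every successful read
        # is recorded as Security event 4663 together with the reading process.
        param([string]$Root = $ProfileRoot)
        $files = Get-ChildItem -Path $Root -Recurse -File -Include $SensitiveNames
        foreach ($f in $files) {
            $acl  = Get-Acl -Path $f.FullName -Audit
            $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                'Everyone', 'ReadData', 'Success')
            $acl.AddAuditRule($rule)
            Set-Acl -Path $f.FullName -AclObject $acl
            $f.FullName
        }
    }

    function Get-NonBrowserReads {
        # List 4663 events on the audited files whose ProcessName is not the browser.
        param([string]$BrowserExe = 'firefox.exe', [int]$Hours = 24)
        $since = (Get-Date).AddHours(-$Hours)
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
            ForEach-Object {
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $d['SubjectUserName']
                    Process = $d['ProcessName']
                    Object  = $d['ObjectName']
                }
            } |
            Where-Object {
                $_.Object -and $_.Process -and
                $_.Object -like '*\Mozilla\Firefox\Profiles\*' -and
                ($SensitiveNames -contains (Split-Path $_.Object -Leaf)) -and
                ((Split-Path $_.Process -Leaf) -ine $BrowserExe)
            }
    }

    Enable-BrowserDataAudit | Out-Null
    Get-NonBrowserReads | Format-Table -AutoSize
    ```

    Legitimate tools (backup agents, search indexers, AV scanners) will also show up, so the output is a triage list for building an allow-list, not an alert feed by itself.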
     
  23. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,869
    Location:
    Poland - Cracow
    Hmmm...it seems you are speaking about apps like DefenseWall, GeSWall...generally those which automatically restrict apps and access to system resources. SS isn't an app like those...it has only some options/features to do a similar job, but additionally. I don't know if it would be necessary and wise to make SS an automatically working app, but some tasks it can do this way. And I like that way :)
     