Spyshelter 5.1x releases

Discussion in 'other anti-malware software' started by guest, Mar 2, 2011.

Thread Status:
Not open for further replies.
  1. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    You are correct, there are 2 processes created by the malware. And Spyshelter only kills one and leaves one of them running. Here is the conclusion I have come to from my testing of Spyshelter. I believe Spyshelter is probably one of the best if not the best anti-keylogger program available. That being said, I believe the HIPS part of it could still use some improvement. While I understand that this piece of malware that I am using for this example is not allowed to do anything malicious, why does Spyshelter allow a second process to be created even? Why does it allow it to continue to run in memory after I click terminate? I did the same test with Comodo with Defense+ set to safe mode and everything else left on default settings. In the test I do not believe Comodo even allowed the malware to create a second process. And even if it did, it terminates it. There are no leftover pieces of the malware left running in memory, malicious or not. I have created videos of me demonstrating how both Spyshelter and Comodo handle this example piece of malware. Watch and decide for yourself what you think.

    Spyshelter Malware test: http://www.screencast-o-matic.com/watch/cXeQrG2vk

    Comodo Malware test: http://www.screencast-o-matic.com/watch/cXeQrY2vy

    So in conclusion, as I said, Spyshelter is a great anti-keylogger and is good at blocking processes from performing malicious activity. On the other hand its HIPS does not seem to be as good as some others at terminating every part of a piece of malware.
     
    Last edited by a moderator: Mar 9, 2011
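    As an added check (example code, not from this thread and not SpyShelter's own), here is how one can verify from a process snapshot whether a "terminate" really removed everything a process spawned: it walks the parent/child tree below the killed process and reports every descendant still present, suspended or not. The snapshot below is constructed; on a live Windows host it would be filled from a process listing that includes parent PIDs.

```python
from collections import deque

# Constructed snapshot in the shape of a Windows process list:
# (pid, parent pid, image name, state). "suspended" stands for a process
# whose threads are all suspended but whose image is still in memory.
SNAPSHOT = [
    (4,    0,    "System",       "running"),
    (640,  4,    "explorer.exe", "running"),
    (1200, 640,  "sample.exe",   "terminated"),  # parent the HIPS killed
    (1316, 1200, "sample.exe",   "suspended"),   # child left in memory
    (1400, 1316, "cmd.exe",      "running"),     # grandchild of the parent
    (1500, 640,  "notepad.exe",  "running"),     # unrelated process
]


def leftover_descendants(snapshot, root_pid):
    """Return (pid, name, state) for every descendant of root_pid that is
    still present in the snapshot, in breadth-first order.

    Terminated intermediate processes are still walked through so that
    their own children are found. PIDs are reused on Windows, so a stale
    snapshot can contain a parent reference that loops back; the visited
    set keeps the walk from running forever in that case.
    """
    children, state = {}, {}
    for pid, ppid, name, st in snapshot:
        children.setdefault(ppid, []).append((pid, name))
        state[pid] = st
    found, visited, queue = [], {root_pid}, deque([root_pid])
    while queue:
        cur = queue.popleft()
        for pid, name in children.get(cur, []):
            if pid in visited:
                continue
            visited.add(pid)
            if state[pid] != "terminated":
                found.append((pid, name, state[pid]))
            queue.append(pid)
    return found


def terminate_was_complete(snapshot, root_pid):
    """True only if nothing spawned by root_pid survives in any state."""
    return not leftover_descendants(snapshot, root_pid)
```

    A HIPS that passes the test in the post above leaves `terminate_was_complete` true; the constructed snapshot reproduces the reported case, where a suspended child and its own child survive.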
  2. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    SpyShelter 5.11

    What an Update...;) :D
     
  3. guest

    guest Guest

    Re: SpyShelter 5.11

    Wrong.
    It leaves (ONE OF THEM) SUSPENDED, not running - (not more dangerous than Windows Calculator or WordPad).
    Auto-blocking process creation is not a serious leak, to my mind, as you claim.
    The matter of a HIPS is to block really dangerous actions, which SpyShelter does (like anti-screenshotting, anti-kernel-mode keylogging) - not all products can do that so well.
    You said that the terminate feature does not work, and you were wrong.
    You said that there was one instance, and you were also wrong.

    There is nothing serious that a user can worry about.
    There is no leak. There is no hole. There is no bug.

    It works as expected, and the HIPS can catch the actions that are really dangerous.
    All the dangerous malware activity you tested was blocked.
    The dangerous process was terminated successfully; the other suspended process is just a process that occupies memory, of course TILL NEXT REBOOT only. No more.

    BTW: For clearness, "Apply the choice to all actions for current component" does not change the fact about child processes. I hope you understood that option fully...
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I really like the "add to trusted publishers" feature. When auto allowing Microsoft signed programs, you can easily add a few trusted of your own.

    Only two change requests pending ;)

    I would like to exclude a few programs from auto allowing, like Windows live mail, Internet Explorer and Windows Media Player, these are the threatgate programs.

    On x32 the run restricted is very powerful. Downside is one can't copy/paste from displayed IE pages. Would be nice when this type of restriction is removed (let it be handled by the anti-keylogger part of Spyshelter). This is my second request to increase usability of the restricted option.

    Great to hear you will provide run restricted on x64 also. Keep up the good work, promising program :thumb:

    Regards Kees
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Spyshelter 5.10 released

    Thanks for the explanation.
     
  6. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Re: SpyShelter 5.11

    I already FULLY understand everything you said. I realize the outcome of my test does not show that Spyshelter FAILED in blocking the malware from affecting the system. I guess my whole point is this, and I said it before... I would rather have a HIPS that fully terminates every part of malware in memory. I do not want SUSPENDED processes or anything created by the malware to be in memory. When I click terminate ALL of these should be removed from memory. I guess if you want to play with words, yes, I was wrong to say "And Spyshelter only kills one and leaves one of them RUNNING." I guess instead I should have said "And Spyshelter only kills one and leaves one of them IN MEMORY." Which is what I meant when I said running. When I say running, to me that means something in memory. This is the whole point that I am trying to make. That other HIPS remove every part from memory altogether. Also, as I said, I don't think that the second process was even allowed to be created with other HIPS that I tested. With Spyshelter this is not the case. It allowed the other process to be created. Anyone watching the testing videos I posted in my previous post would see this for themselves.
    I'm not really disagreeing with anything you are saying. I'm not sure if you are understanding what my point is.
     
  7. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Re: SpyShelter 5.11

    I keep getting a weird message that anti-networks setting hooks for process firefox.exe blocked every time I start it...
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Re: SpyShelter 5.11

    On the other hand I (for one) DO understand your point. It is a very good point. Thank you for posting it.
     
  9. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Re: SpyShelter 5.11

    Thank you. I will also be doing some more testing of other anti-malware products in the future.
     
  10. guest

    guest Guest

    Re: SpyShelter 5.11


    http://www.spyshelter.com/download.html
     
  11. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    thx for info, spyshelter is getting better and better :)
     
  12. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Re: SpyShelter 5.11

    Awesome! 5.12 seems to have fixed the issue I pointed out in my previous posts. Good job Spyshelter! The only thing I don't understand is why this is not just something that is built in and enabled. Why have an option to disable the killing of the child processes (processes created by malware)? Who would want to allow child processes to run? Other than that, great job in fixing this issue!
     
  13. guest

    guest Guest

    Re: SpyShelter 5.11

    But it's enabled by default.
    Simply saying, SS does not want to do something unexpected for the user.
     
    Last edited by a moderator: Mar 27, 2011
  14. guest

    guest Guest

    Re: SpyShelter 5.11

    06 Apr 2011
    5.14 version released


    http://www.spyshelter.com/download.html
     
  15. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Re: SpyShelter 5.11


    I wonder what's the compatibility list....
    Did they ever announce it?
     
  16. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Hello. I have a quick question about SS, since I just put it on my Mom's computer for dedicated keylogger protection. I wanted to avoid making a new thread since there is one for SpyShelter.

    My question is how effective is the "restricted mode". Is its protection comparable to AppGuard, GeSWall, DefenseWall? If a strange program, malware or not, tries to run, will SS prompt if you want to run it in restricted mode?

    Thanks!
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It is a drop-rights kind of program, like Run Safer in OA or Sandboxie.
    I tried to run some malware but it got blocked or crippled; it protects your system very well.
     
  18. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    According to the manual it's very similar to the drop rights/Run Safer approach of Online Armor, as J says. Some other restrictions are placed on apps running restricted, but it's not anywhere near the capabilities of GeSWall, DefenseWall or AppGuard. You preconfigure your threat-gates to run with restricted status and any child processes inherit those same reduced privileges.

    Just like Online Armor's Run Safer though it doesn't appear to have a lot of relevance for Vista and Win 7 users using UAC as apps already run with Medium rights. Or in the case of IE and Chrome with Low Integrity. It's a useful addition if you're running XP though.

    Maybe there's more to it, but the manual is a bit scant on detail.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, I think restricted mode adds a lot of security

    1. Most Internet facing software is signed (and often microsoft)

    2. Setting the auto allow to signed programs will cause a potential user error risk

    3. Adding the signed/microsoft internet facing software to restricted mode closes the doors as described with 1 and 2

    Just my 2 cents
     
  20. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    absolutely:thumb:
     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Kees, can you explain how it works? From what you're posting it sounds like it's not the same/similar to OA's Run Safer at all?
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Spyshelter is also a very decent HIPS.

    It has the option to auto allow signed or only microsoft programs. When you set it to auto allow, intrusions caused by signed or microsoft programs are allowed (without asking the user). This theoretically may cause a threat when an exploit (e.g. a script within a webpage) causes an intrusion (Spyshelter will see it as the signed webbrowser causing the intrusion, hence auto allowing it).

    With restricted mode one can set those internet facing programs running in restricted mode, hence causing very little damage. This closes this theoretical gap. Currently the parent-child process detection of Spyshelter is improved a lot, so the chances of this theoretical gap are near zero (maybe only theoretical), but in one of the earliest versions I noticed that restricted mode intercepted an exploit, silently, paralyzing it on the spot.

    OA has a similar mechanism with Run Safer, but it has the nice option to run unknown programs as Run Safer. This also enforces the strength of OA a lot (while making it more user friendly at the same time). I think the HIPS of OA is more matured, but the restricted mode of Spyshelter is a little stronger (OA also has a well designed firewall).

    I see little added value in running them together, but it all comes down to personal preferences and feeling protected.

    I think I might not have understood your first response correctly, causing questions on your side with my response. Sorry for that.

    Regards Kees
     
  23. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Thanks Kees. On the subject of a restricted mode/run safer/drop rights functions for a UAC protected account, I've never seen a clear answer as to whether it serves any meaningful purpose. Any thoughts on that one? The question was posed on both the Online Armor forum and Wilders a while back but there was no clear answer. Thx
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, I have gotten a free licence and done some testing, but there is definitely a geek's configuration where restricted mode makes sense.

    In my tests, I had set UAC to deny elevation of unsigned programs and set it to elevate silently. I have set Spyshelter to auto allow Microsoft only. I also have set signed microsoft programs (Outlook, IE9, WMP) to run in restricted mode, closing the last theoretical gap.

    This silences both Spyshelter and UAC, with maximum security.

    Regards Kees
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada