SpyShelter 12.1 Released

[Bot]

SpyShelter version 12.1 is live now! Newest version of SpyShelter is always available on our Download Page. SpyShelter 12.1 introduces new Screen Phantom feature, which was described in our latest beta release here. Screen Phantom is an independent module which protects your screen from being captured. It works in a Continue reading "SpyShelter 12.1 Released"

The post SpyShelter 12.1 Released appeared first on SpyShelter | World's best anti keylogger.

 

[ichito]

Already installed...great!...as allways
----------------------------
edit:
if you have automatic update enabled it will work without issue...everything is going silently in background.

 

[Lenny_Fox]

Free version provides HIPS & Firewall protection. I installed it on high auto allow and added

1. Allow folder rules for Windows, Program Files and Windows Defender (in ProgramData)
2. Deny folder rules for all non-Microsoft programs (and user/AppData/programs), with WD ASR and Exploit protection (Code Integrity Guard) Microsoft programs are sufficiently protected, HIPS protection adds a nice layer for non-M$ programs.
3. Allow rule for inbound (still using Windows FW for inbound with outbound blocks from H_C/Firewall Hardening
4. SpyShelter takes care of outbound with auto allow on high
5. Allow non-M$ programs to go outbound (like Opera). Only hassle is that I have to allow each new version of opera (I guess). Because I still use FirewallHardening for M$ programs within WindowsFW these M$ programs are blocked by Windows Firewall

So Windows programs are managed by Windows programs (using Hard Configurator, Defender Configurator and Firewall_Hardening) and non M$ programs are monitored by SpyShelter. I know it is not supposed to use this way, but together with Hard_Configurator and WD on MAX it works great (Yes I replaced Kaspersky free with WD again )

I wait a Windows and a Opera update and when it does not throw a popup, I will enable auto-block suspicious behavior

 

[ichito]

Free version provides HIPS & Firewall protection. I installed it on high auto allow and added

1. Allow folder rules for Windows, Program Files and Windows Defender (in ProgramData)
2. Deny folder rules for all non-Microsoft programs (and user/AppData/programs), with WD ASR and Exploit protection (Code Integrity Guard) Microsoft programs are sufficiently protected, HIPS protection adds a nice layer for non-M$ programs.
3. Allow rule for inbound (still using Windows FW for inbound with outbound blocks from H_C/Firewall Hardening
4. SpyShelter takes care of outbound with auto allow on high
5. Allow non-M$ programs to go outbound (like Opera). Only hassle is that I have to allow each new version of opera (I guess). Because I still use FirewallHardening for M$ programs within WindowsFW these M$ programs are blocked by Windows Firewall

So Windows programs are managed by Windows programs (using Hard Configurator, Defender Configurator and Firewall_Hardening) and non M$ programs are monitored by SpyShelter. I know it is not supposed to use this way, but together with Hard_Configurator and WD on MAX it works great (Yes I replaced Kaspersky free with WD again )

I wait a Windows and a Opera update and when it does not throw a popup, I will enable auto-block suspicious behavior

Interresting but some questions becuase I don't use free version:
ad. 1 - how?...by exclusions?
ad. 2 - how?...free version don't offer files/folders restriction feature
If you like to controll not MS apps and allow those from MS maybe "Allow Microsoft" protection level with set as "Undefined" network (firewall module settings) will be for you useful?

 

[Lenny_Fox]

@ichito picture tells a thousand words

Auto Allow - High Security Level
Auto-block suspicious behavior

Added a rule for FileZilla to block outbound except a three IP-addresses and port 21 (three websites I maintain). I can't find action 59 in the list of monitored actions, see picture

Enabled Windows FW to block inbound and allow outbound except for LOLbins and Office programs, told Spyshelter FW to only monitor outbound

 

[ichito]

@ichito picture tells a thousand words

Haha It's ald trick used years ago by @Windows_Security

SpyShelter Anti-executable vs HIPS of free version

I have been using the free version of spyshelter, and due to the many pop-ups, which come every time a new program started or updated, I was under the impression that it was an anti-executable. But then I saw on their site that anti-executable is a feature of the paid version. Can someone...

malwaretips.com

and it's as I've supposed earlier - by making folder exclusions...and now something for you

I completely forgot about it because I don't use folders exlusion...all actions are allowed only for processes of some security apps. As I remember from earlier disccuss on MT and Wilders also "exclusion" is not intended to block action...is deisgned to allow all actions of all content of specified folder...so actually it can't block all actions. You should check such rules.
BTW...nice ssettings

 

[Lenny_Fox]

@ichito

I tried to delete a folder allow rule and had by accident positioned my mouse-cursor wrong and to my surprise it changed the allow rule to block Do you know which actions a folder rule can't block?

To understand your suggestion correctly. You are also suggesting to add block and an allow folder in my (AppData) temp folder, so I can easily install applications without disabling SpyShelter? Is that the idea?

thx

 

[ichito]

@ichito

I tried to delete a folder allow rule and had by accident positioned my mouse-cursor wrong and to my surprise it changed the allow rule to block Do you know which actions a folder rule can't block?

To understand your suggestion correctly. You are also suggesting to add block and an allow folder in my (AppData) temp folder, so I can easily install applications without disabling SpyShelter? Is that the idea?

thx

OK...is not easy to answer but as I think everything depends on:
- kind of launched file/app
- way of launching - protection level, existed rules, using or not "installation mode", automatic allowing for some controlled actions (the list of monitored actions)
I don't remember if there exist...was discussed...something like full list of allowed/blocked actions in scenario we currently talking about...I think there is no rules that we can prepare in this matter. Your question was so interresting that I've prepared some "test" to check what will happen when we create folders as blocked. Below some info and observation:
- I tested things using SS Firewall (I don't have SS Free installed) - no rules for tested files, no actions for signers allowed, no own added signers, log tab empty, "ask user" level of protection
- two folders created - one for portable apps, second for installation files...the list of apps below

Lenny_Fox_test portable:
AnvirTask Manager
Autoruns
Everything-1.4.1.935
Privazer
RevoUninstaller_Portable

Lenny_Fox_test install
1by1_194.exe
SetPoint6.69.126_smart.exe
mbae-setup-1.13.1.164.exe
tfinstall.exe
TinyWall-v3-Installer.msi

It's hard to separate all allowed-blocked actions, list them here and add some comment because we have a lot of entries in log file. Below you have copy of log. A few words of summary:
- actions "allowed" were made mostly manualy to get the expected result of launching/working
- in case of security apps (MBAE, ThreatFire, TinyWall) I decided to set "installation mode" in first alert
- actions "blocked" were made automaticaly
- it seams that portable apps were mostly blocked in its actions
- installation file were mostly allowed especialy in case of security app.

 

[Lenny_Fox]

Looks like actions of elevated processes are allowed when using folder block, not a bad deal for me. This implies that the chances of messing up updates of installed programs with the HIPS is low, but unelevated processes are limited in their actions.