MalwareTips Bot


ichito

Already installed... great!... as always :)
----------------------------
edit:
If you have automatic update enabled it will work without issue... everything goes on silently in the background.
 

Lenny_Fox

Free version provides HIPS & Firewall protection. I installed it on high auto allow and added

1. Allow folder rules for Windows, Program Files and Windows Defender (in ProgramData)
2. Deny folder rules for all non-Microsoft programs (and user/AppData/programs). With WD ASR and Exploit protection (Code Integrity Guard), Microsoft programs are sufficiently protected; HIPS protection adds a nice layer for non-M$ programs.
3. Allow rule for inbound (still using Windows FW for inbound, with outbound blocks from H_C/Firewall Hardening)
4. SpyShelter takes care of outbound with auto allow on high
5. Allow non-M$ programs to go outbound (like Opera). Only hassle is that I have to allow each new version of Opera (I guess). Because I still use FirewallHardening for M$ programs within Windows FW, these M$ programs are blocked by Windows Firewall.

So Windows programs are managed by Windows programs (using Hard Configurator, Defender Configurator and Firewall_Hardening) and non-M$ programs are monitored by SpyShelter. I know it is not supposed to be used this way, but together with Hard_Configurator and WD on MAX it works great (Yes, I replaced Kaspersky free with WD again :) )

I'll wait for a Windows and an Opera update, and if that does not throw a popup I will enable auto-block suspicious behavior.
 

ichito

[Quoting Lenny_Fox's post above in full]
Interesting, but some questions because I don't use the free version:
ad. 1 - how?... by exclusions?
ad. 2 - how?... the free version doesn't offer a files/folders restriction feature
If you want to control non-MS apps and allow those from MS, maybe the "Allow Microsoft" protection level with the network set as "Undefined" (firewall module settings) would be useful for you?
 

Lenny_Fox

@ichito picture tells a thousand words

[screenshot]


Auto Allow - High Security Level
Auto-block suspicious behavior

Added a rule for FileZilla to block outbound except for three IP addresses and port 21 (three websites I maintain). I can't find action 59 in the list of monitored actions, see picture
[screenshot]


Enabled Windows FW to block inbound and allow outbound, except for LOLBins and Office programs; told SpyShelter FW to only monitor outbound.

[screenshot]
 
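The Windows Firewall side of the setup described in both of Lenny_Fox's posts above (inbound blocked, outbound allowed by default, explicit outbound blocks for Microsoft programs such as LOLBins and Office, with SpyShelter left to handle the rest) can be reproduced directly with the NetSecurity cmdlets. The script below is an added example written for this page; it is not code from the thread, from SpyShelter, or from the Firewall_Hardening / Hard_Configurator tools. The rule group name, the LOLBin list and the Office install path are my assumptions and need adjusting per machine.

```powershell
# Added example, not from the thread or from any tool mentioned in it.
# Windows Firewall baseline: block inbound by default, allow outbound by default,
# then add explicit outbound BLOCK rules for chosen LOLBins and Office programs.
# Run from an elevated PowerShell (rule changes need administrator rights).
# ASSUMPTIONS: group name, LOLBin list and Office path are my choices.

$Group = 'Example outbound block (LOLBins + Office)'

# Assumed LOLBin list: script hosts and downloaders commonly abused to fetch or
# run payloads. SysWOW64 copies get their own rule because firewall rules match
# on the full program path, not the file name.
$LolBinNames = 'mshta.exe','wscript.exe','cscript.exe','regsvr32.exe',
               'rundll32.exe','certutil.exe','bitsadmin.exe','cmstp.exe'
$LolBins = foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    foreach ($n in $LolBinNames) { Join-Path $dir $n }
}

# Assumed Click-to-Run Office location (Office 2016/2019/365); MSI installs differ.
$OfficeDir  = "$env:ProgramFiles\Microsoft Office\root\Office16"
$OfficeApps = 'WINWORD.EXE','EXCEL.EXE','POWERPNT.EXE' |
    ForEach-Object { Join-Path $OfficeDir $_ }

# 1. Profile defaults on all three profiles: unsolicited inbound blocked,
#    outbound allowed unless a rule says otherwise (the poster's configuration).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. One outbound BLOCK rule per program that actually exists on this machine.
#    In Windows Firewall a block rule always wins over an allow rule, so a later
#    per-application allow (e.g. for a browser) cannot re-open these binaries.
foreach ($exe in ($LolBins + $OfficeApps)) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }       # binary not present
    $name = "$Group - $exe"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Group $Group -Direction Outbound `
        -Action Block -Program $exe -Profile Any -Enabled True | Out-Null
}

# 3. Check: list the program paths the firewall has actually bound to the group.
Get-NetFirewallRule -Group $Group |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program

# 4. Functional test from a normal (non-elevated) prompt; expect a network error,
#    not a downloaded file:
#      certutil.exe -urlcache -split -f https://example.com/ %TEMP%\probe.txt
# Rollback of everything this script created:
#      Remove-NetFirewallRule -Group $Group
```

Two things worth checking before adopting this as-is: blocking WINWORD/EXCEL/POWERPNT outbound also cuts off Office activation, online templates and add-ins, which is the trade-off the poster accepts for stopping macro droppers; and because every rule is bound to a full path, a program that moves to a new location after an update silently falls out of the group, so re-run the step 3 check after major updates.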

ichito

@ichito picture tells a thousand words
Haha :) It's an old trick used years ago by @Windows_Security
and it's as I supposed earlier - by making folder exclusions... and now something for you :)
[screenshot]


I completely forgot about it because I don't use folder exclusions... all actions are allowed only for the processes of some security apps. As I remember from earlier discussions on MT and Wilders, "exclusion" is also not intended to block actions... it is designed to allow all actions of all content of the specified folder... so actually it can't block all actions. You should check such rules.
BTW... nice settings :)
 

Lenny_Fox

@ichito

I tried to delete a folder allow rule and had by accident positioned my mouse cursor wrong, and to my surprise it changed the allow rule to block :) Do you know which actions a folder rule can't block?

To understand your suggestion correctly: you are also suggesting to add a block and an allow folder in my (AppData) temp folder, so I can easily install applications without disabling SpyShelter? Is that the idea?

thx
 

ichito

[Quoting Lenny_Fox's post above in full]
OK... it is not easy to answer, but I think everything depends on:
- the kind of launched file/app
- the way of launching: protection level, existing rules, using or not "installation mode", automatic allowing for some controlled actions (the list of monitored actions)
I don't remember if there exists... was discussed... something like a full list of allowed/blocked actions in the scenario we are currently talking about... I think there are no rules that we can prepare in this matter. Your question was so interesting that I've prepared some "test" to check what will happen when we create folders as blocked. Below some info and observations:
- I tested things using SS Firewall (I don't have SS Free installed) - no rules for the tested files, no actions for signers allowed, no own added signers, log tab empty, "ask user" level of protection
- two folders created - one for portable apps, the second for installation files... the list of apps below

Lenny_Fox_test portable:
AnvirTask Manager
Autoruns
Everything-1.4.1.935
Privazer
RevoUninstaller_Portable

Lenny_Fox_test install
1by1_194.exe
SetPoint6.69.126_smart.exe
mbae-setup-1.13.1.164.exe
tfinstall.exe
TinyWall-v3-Installer.msi

It's hard to separate all allowed/blocked actions, list them here and add some comment, because we have a lot of entries in the log file. Below you have a copy of the log. A few words of summary:
- actions "allowed" were made mostly manually to get the expected result of launching/working
- in the case of security apps (MBAE, ThreatFire, TinyWall) I decided to set "installation mode" at the first alert
- actions "blocked" were made automatically
- it seems that portable apps were mostly blocked in their actions
- installation files were mostly allowed, especially in the case of security apps.
 

Attachments

Lenny_Fox

Looks like actions of elevated processes are allowed when using folder block; not a bad deal for me. This implies that the chance of messing up updates of installed programs with the HIPS is low, but unelevated processes are limited in their actions.
 