SpyShelter Anti-executable vs HIPS of free version


shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,082
I have been using the free version of SpyShelter, and due to the many pop-ups, which come every time a new program starts or is updated, I was under the impression that it was an anti-executable.
But then I saw on their site that anti-executable is a feature of the paid version.
Can someone explain to me the difference between the HIPS of the free version and the anti-executable of the paid version?

By the way, is this whole thing useful for non-experts?
I mean, I can usually identify what program is trying to run, and if I can't, I can always google it.
But I wouldn't notice, for instance, if some obscure Windows process is not located in the right folder, and whether it is exploitable or not. So maybe I am wasting my time with this whole thing?
 

Soulbound

Moderator
Verified
Staff member
Jan 14, 2015
1,770
Are you referring to Application Execution Control?

That is not simply on the paid version. It's on the SpyShelter Firewall version. They have a 14-day free trial.

The HIPS on the free version is not even a full-blown HIPS. It is a limited version. For the full effect of SpyShelter's HIPS, you need the Premium version or the Firewall version.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,082
Okay, so let's compare the HIPS of the free version to the Application Execution Control of the Firewall version. Forgive my ignorance, but I see so many pop-ups on the free version (until it is trained) that I can't imagine what is left for the Firewall version.
 

Online_Sword

New Member
Verified
Trusted
Mar 23, 2015
555
In @hjlbx's post Application White-Listing (Software Restriction Policy & Anti-Executable), he listed some literature regarding Application Whitelisting (Anti-EXE). Among the literature, NSA's document mentioned that:

Application whitelisting is a proactive technique where only a limited number of programs are allowed to run, while all other programs are blocked from running by default.

So, in my opinion, I think an anti-executable program has two basic characteristics:
  • The user can implicitly define what programs can be executed.
  • Any program that is not implicitly allowed will be blocked from running in a default-deny manner.
I think these two characteristics are basic requirements for an anti-executable program. For example, although the Hyper-Sensitive mode of Trend Micro and the Hardened Mode of Avast can also prevent the execution of suspicious programs, they cannot be called anti-executables, because the users cannot implicitly define the whitelist. Instead, these two products store the whitelist on the cloud server.

A HIPS program can monitor the suspicious activities of programs. Some of them can monitor the execution of programs (e.g., Comodo Firewall, Private Firewall, etc.), some of them cannot (e.g., SpyShelter Free & SpyShelter Premium), and some of them "partially" can (e.g., Outpost Firewall can only monitor the execution of programs that can connect to the network).

Those HIPS programs that can monitor execution can be used as "Anti-EXE" when they are properly configured. @hjlbx has posted many times about how to use Comodo to emulate the famous anti-EXE programs, such as AppGuard, EXE Radar Pro and VoodooShield.

But anti-exe programs still have some features that can hardly be emulated by HIPS programs. For example, EXE Radar Pro, Bouncer Beta, and Smart Object Blocker Beta can define the whitelist at the granularity of command line arguments. I do not know of any HIPS program that can do this. Maybe MD could? I am not familiar with MD...

So, can SpyShelter Firewall (SSF) be used as an anti-executable? As mentioned by @hjlbx a long time ago in my thread (Spyshelter *Firewall* can be also used as an anti-exe), the answer is "Yes and No".

First of all, SSF satisfies the two requirements listed above:
  • By checking "Auto-block suspicious behavior", SSF can work in a default-deny manner.
  • In the Application Execution Control panel, you can define your own whitelist.
However:
  • In the Application Execution Control panel, you can only create rules for .exe files, but not for script files, DLLs, or any other PE files.
  • You cannot define a rule for a folder in the Application Execution Control panel, let alone paths with wildcards.
So, SSF can be used as an Anti-EXE, but it is not strong enough compared with some other anti-exe programs.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,082
Hey Online_Sword, that was pretty good!

Question: If SpyShelter Free cannot monitor the execution of programs, then what are all those pop-ups about, every time a new or updated program starts up?

Observation: out of all the choices for HIPS and anti-executable, I would think VoodooShield is probably the best choice for intermediate-level users. Would you agree?
 

Online_Sword

New Member
Verified
Trusted
Mar 23, 2015
555
Question: If SpyShelter Free cannot monitor the execution of programs, then what are all those pop-ups about

Sorry if I caused any misunderstanding. I just used "execution" to refer to the "start up" of a process. :)
The following figure is from Wikipedia: Process state - Wikipedia, the free encyclopedia.
It shows the different states of a process.
Roughly speaking, I think that anti-exe programs prevent the creation of processes, while SpyShelter Free monitors the activities of processes in the running state.
 

Deleted member 2913

I have tried AppGuard, NoVirusThanks & VoodooShield.

For me VoodooShield is the easiest of all.

You should give VoodooShield a try.

There are 2 versions, Stable 2 & Beta 3. And as per the dev, Beta 3 is recommended & stable, especially on Win 10.

Free & paid versions are available. The free version works with default settings; you cannot change them. In the paid version, settings changes are available. In my opinion the free version is enough & good.
 

hjlbx


SpSFW lacks the ability to define a list of vulnerable processes; the user has to know about malware behaviors and vulnerable processes to respond accordingly in alerts. SpSFW is just a tool and the protection results are only as good as the user's understanding of SpS' brand of HIPS (the chief complaint about HIPS).

For example, there are instances where it is safe to create a permanent allow rule and other instances where it is best to allow, but not create a permanent rule (primarily for vulnerable processes). Still yet, there are times when Deny (Block) is the correct choice and others where Terminate is best. To complicate matters, SpSFW has its quirks that can cause confusion for someone who is not very familiar with it.

One can get very good at using HIPS by practicing with malware, but that is unreasonable to expect from the typical user. I think that, faced with an unfolding infection, even a seasoned HIPS user can be fooled if they don't pay careful attention.

I think NVT ERP - while not nearly as comprehensive as SpSFW HIPS - is stellar at the three most important things:

1. Block system-wide executions (to include all partitions)
2. White-list command lines
3. Black-list vulnerable processes (customizable - user needs to know which ones to define; this is not difficult - just get list and add them)

NVT ERP is a simplified, targeted HIPS of sorts... and it is a great freeware.

In terms of ease-of-use between NVT ERP and SpS, ERP is the clear winner. However, SpS can be quite powerful in the right hands. With a correct config, using either one, I think it would require either a user mistake or a rare, advanced malware to get infected.

On 64 bit, combine ERP or SpS with AppGuard and Excubits MemProtect or NVT's Smart Object Blocker - and you can get as close to "bullet-proof" as is possible with security softs at this point in time.

The point is that if it is unknown, don't allow it to execute on your system in the first place. I just don't understand why this simple idea is not fully embraced by the wider user community...
 
Last edited by a moderator:
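A constructed Python model of the distinctions drawn in Online_Sword's and hjlbx's posts above: exact .exe path rules (the only kind the thread says SSF's Application Execution Control offers) versus folder/wildcard rules, a command-line whitelist, and a vulnerable-process list that is never blanket-allowed. This is an added example, not code from SpyShelter, NVT ERP or any other product in the thread; every path, policy and request below is made up.

```python
# Toy default-deny execution-control evaluator (constructed; not the logic of
# any product named in the thread). It models the rule granularities the posts
# compare: exact .exe paths, folder/wildcard rules, command-line whitelists,
# and a vulnerable-process list that never gets a blanket allow.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Policy:
    exact_exes: set = field(default_factory=set)   # full paths, case-insensitive
    folders: list = field(default_factory=list)    # wildcard patterns, e.g. "c:\\program files\\*"
    cmdlines: dict = field(default_factory=dict)   # exe path -> set of allowed argument strings
    vulnerable: set = field(default_factory=set)   # exes that run only with a whitelisted command line

def evaluate(policy: Policy, exe: str, args: str = "") -> tuple:
    """Decide a process-creation request; returns (decision, reason)."""
    exe = exe.lower()
    # 1. Abusable system binaries are never blanket-allowed, even when a folder
    #    rule covers them: only an explicitly whitelisted command line may run.
    if exe in policy.vulnerable:
        if args in policy.cmdlines.get(exe, set()):
            return ("allow", "command line whitelisted")
        return ("deny", "vulnerable process without whitelisted command line")
    # 2. Exact executable rule (the only rule type the thread says SSF offers).
    if exe in policy.exact_exes:
        return ("allow", "exact path whitelisted")
    # 3. Folder / wildcard rule (ERP- or SRP-style granularity).
    for pattern in policy.folders:
        if fnmatchcase(exe, pattern.lower()):
            return ("allow", f"matches folder rule {pattern}")
    # 4. Anything not covered is blocked: that is what makes it default-deny.
    return ("deny", "not whitelisted (default-deny)")

PS = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"  # constructed path
# Policy A: exact-path rules only, mirroring the SSF limitation described above.
EXACT_ONLY = Policy(exact_exes={r"c:\program files\app\app.exe"})
# Policy B: folder rules plus a command-line whitelist for a vulnerable process.
GRANULAR = Policy(
    folders=[r"c:\program files\*", r"c:\windows\system32\*"],
    vulnerable={PS},
    cmdlines={PS: {r"-File C:\scripts\backup.ps1"}},
)

if __name__ == "__main__":
    # Constructed requests: updater.exe passes only via the folder rule;
    # PowerShell passes only with the whitelisted script argument.
    for exe, args in [(r"C:\Program Files\App\updater.exe", ""),
                      (PS, r"-File C:\scripts\backup.ps1"), (PS, "-Command Get-Process"),
                      (r"C:\Users\me\Downloads\setup.exe", "")]:
        print(exe, repr(args), evaluate(EXACT_ONLY, exe, args)[0], evaluate(GRANULAR, exe, args)[0])
```

Note that under GRANULAR the PowerShell path also matches the System32 folder rule, yet step 1 still blocks it without a whitelisted command line, which is the behaviour hjlbx's item 3 asks for.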

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,303
SpSFW lacks the ability to define a list of vulnerable processes; the user has to know about malware behaviors and vulnerable processes to respond accordingly in alerts. SpSFW is just a tool and the protection results are only as good as the user's understanding of SpS' brand of HIPS (the chief complaint about HIPS).

SpyShelter Free HIPS can be made silent and, through a trick, define a list of vulnerable processes.

Figure 1: make it silent (auto allow signed applications from SS internal trusted list)
Figure 2: Add an Exclude folder and make it Denied (so it auto-blocks vulnerable applications)
Note: second deny all rule is for Chrome (only blocks Chrome application folder, not the Chrome Updater)
 