Spyshelter *Firewall* can be also used as an anti-exe

[Online_Sword]

Some interesting features of Spyshelter are only provided in the Firewall version, even if they are not related to "firewall".

The figure below is a screenshot of the "Monitored Action List" of SSF. As you can see, the action "Execution of an application" is actually monitored. You may have noticed that this function is only provided in the Firewall version, rather than the Premium version.

Spoiler: Screenshot: Monitored Action List

Here is an example which shows that SSF blocks an application (ERP Installer) from running.

Spoiler: Screenshot: Example of blocking execution of application

The problem here is that, SSF cannot directly block scripts.

After allowing (resp. denying) applications and telling SSF to remember the choice, you will get an application whitelist and blacklist.

This white/black list can be viewed in the "Application Execution Control" panel.
Following is a screenshot of this AEC panel.
Still, this panel only exists in the Firewall version, not the Premium version.

Spoiler: Screenshot: Application Execution Control

The rules in this panel can be edited manually.
Furthermore, you can also manually create a new rule!
The only problem is that, in this pannel you cannot create a rule for an entire folder.
By the way, SSF also has the function of cleaning nonexistent processes in the white/black lists.
So, in my opinion, it is easy to use.

 

[hjlbx]

I chose "No," but the truth of the matter is both Yes and No.

For executables the answer is yes.

For scripts it is no.

One can add interpreters to the SSF executable black-list, but not rundll32 - since there is currently no way to create exceptions (white-list) safe, legitimate command lines for rundll32. Rundll32 should be black-listed since it is targeted by many malwares.

Adding rundll32 to the SSF blacklist - while not being able to create CL exceptions - will break many things - for example, Windows Control Panel utilities and particularly on a system with external devices, e.g. printers, external drives, their softs, etc - which most depend upon rundll32.

In its current version, SSF is good, but it is still a compromise.

From my perspective, you can either combine SSF and NVT ERP (I would disable Action Type 53 - Execution of an Application in SSF) ... or... just use NVT ERP + BiniSoft's Windows Firewall Control.

IF SS adds vulnerable processes and the ability to white-list command lines then I will take a serious look at it. From what I have seen it is a nice, but basic soft in its current version.

Put in a feature request...

PS - Believe it or not, SSF and Comodo Firewall are very similar. A few minor settings tweaks and CFW handily bests SSF... and the best part... it's free. The one downside to CFW is that if configured as an AE, then there is no way for the user to Allow-Block; CFW just blocks everything Unrecognized. On a static system this is no problem... even on a changing system it really isn't a problem - it just involves one or two additional mouse-clicks. I am just pointing out that the CFW does not prompt the user to Allow-Block like SSF or NVT ERP. Myself, I would choose the greater security of CFW at the cost of a less-than-ideal GUI.

You know what I mean.

 

[Online_Sword]

Rundll32 should be black-listed since it is targeted by many malwares.

I am not sure whether we need to worry about rundll32 when we use SSF.
In my tests, many behaviors of rundll32 are monitored and alerted by SSF, such as communication with other process and access OLE objects...

the ability to white-list command lines

Yes, I do agree with this. Spyshelter really need a command line based white list.
A disadvantage of Spyshelter is that, if users allow a program to take a specific action on a particular component and tell Spyshelter to "remember this choice", then Spyshelter will allow this program to take this action on any component.

A few minor settings tweaks and CFW handily bests SSF

Sorry but I cannot agree with this.
If a free product is completely better than a paid product, the paid one should not exist. But to the best of my knowledge, Spyshelter is still popular in some forums.

In my opinion, Spyshelter has the following advantages over Comodo:

• Spyshelter is lighter than Comodo.
• Spyshelter has the features of anti keylogger, anti screenshot, camera protection, sound protection, ect. In particular, its keystroke encryption function is really powerful in my test. Of course, if CFW is configured as an AE, it can definitely prevent keyloggers and other spywares from running. But the problem is that human beings are easy to make mistakes. For the case in which I mistakenly allow a spyware to launch, SSF can provide the second layer of protection.

 

[sinu]

Can you mention its resource usage

 

[Online_Sword]

Can you mention its resource usage

It uses only 8 MB hard disk and 14 MB RAM.

 

[Bergo]

Good program, but incompatible most AV

 

[Online_Sword]

Good program, but incompatible most AV

I know little about its compatibility.
But I have heard that it is compatible with Avira and Emsisoft Anti-Malware (EAM).
In my own tests, SSF runs well with the latest versions of both Symantec Endpoint Protection (SEP) and Norton Internet Security (NIS).

 

[sinu]

I know little about its compatibility.
But I have heard that it is compatible with Avira and Emsisoft Anti-Malware (EAM).
In my own tests, SSF runs well with the latest versions of both Symantec Endpoint Protection (SEP) and Norton Internet Security (NIS).

Is this compatible with qihoo

 

[Online_Sword]

Is this compatible with qihoo

Sorry, I don't know about that.

 

[babolly]

under Application Execution Control -><All components>
user can create single blacklist right now,as mentioned.but hope they make it better feature.
right now i have white listed my software,now i need block everything else.i hope people using this software make such as request to developer.also the new feature User defined protected files are amazing.its just need more category
and another options should be improved is firewall part.it is good but not enough.

 

[jamescv7]

Yes it can be anti-executable hence it act very well as brought to incorporate more HIPS concept, sufficient enough but far to compare to Comodo which occupy more on its capabilities to monitor.

+ in such trends, whitelisting should be a suffice and not relying too much on HIPS since it will generate more alert.