SpyShelter Personal Free Review – HIPS protection software

SpyShelter, in its full-fledged form, is complementary to antivirus software. The paid version contains a firewall, keylogger detectors and a few other malware protection services. However, we will review only the SpyShelter Personal free version here. According to their website, SpyShelter claims that the free version provides protection in the following forms:

  1. HIPS (Host Intrusion Prevention System)
  2. Prevention of Screen Capture
  3. Clipboard Capture Prevention
  4. Keylogger Detection & Blocking

Thus, if you combine all four of the above, you essentially have an anti-malware program with a few added features – in this case, points 2 and 3. Most anti-malware products from different brands – both paid and free – offer a Host Intrusion Prevention System and keylogger detection.

What is HIPS or Host Intrusion Prevention System

For those new to the term HIPS, it is a system that alerts users about changes to the system. To give you an idea of how it works, I lay it out in the following steps:

  1. It collects information about the computer – settings, including control panel items
  2. It creates a database using the information collected in the above step
  3. If any program or user attempts to change anything, the value of one or more fields in the database created in the second step would change.

If any program tries to change system settings, SpyShelter will give you an alert. This, again, depends on whether you’ve set it to auto-learn or to ask you every time. It won’t tell you whether the attempt to change a system setting is okay or wrong, or, if it is wrong, what the extent of the damage could be. It is up to the user to allow or prevent the change.
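A minimal model of the three steps and the two alert modes described above, as an added example that is not SpyShelter's or WinPatrol's code: the setting names, `setup.exe` and the rule that auto-learn allows a first-seen change are assumptions made for illustration.

```python
import copy

def build_baseline(settings):
    """Steps 1-2: collect the settings and keep a private copy as the database."""
    return copy.deepcopy(settings)

def detect_changes(baseline, current):
    """Step 3: list every field whose value no longer matches the baseline."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes.append({"field": key, "old": old, "new": new})
    return changes

def review(changes, program, rules, mode, ask_user):
    """A verdict comes only from a remembered rule, auto-learn, or the user."""
    verdicts = {}
    for change in changes:
        rule_key = (program, change["field"])
        if rule_key in rules:              # remembered answer: no new alert
            verdict = rules[rule_key]
        elif mode == "auto-learn":         # assumption: first-seen change is allowed
            verdict = rules[rule_key] = "allow"
        else:                              # "ask" mode: the user decides
            verdict = rules[rule_key] = ask_user(program, change)
        verdicts[change["field"]] = verdict
    return verdicts

def enforce(baseline, current, verdicts):
    """Fold allowed changes into the baseline; roll denied ones back."""
    for field, verdict in verdicts.items():
        src, dst = (current, baseline) if verdict == "allow" else (baseline, current)
        if field in src:
            dst[field] = copy.deepcopy(src[field])
        else:
            dst.pop(field, None)
    return current

def demo():
    """Constructed sample: setup.exe (hypothetical) changes two settings."""
    system = {"browser_home_page": "https://example.com/", "startup_items": ["updater.exe"]}
    baseline = build_baseline(system)
    system["browser_home_page"] = "https://search.example.net/"
    system["startup_items"].append("helper.exe")
    user = lambda prog, ch: "deny" if ch["field"] == "browser_home_page" else "allow"
    rules = {}
    verdicts = review(detect_changes(baseline, system), "setup.exe", rules, "ask", user)
    return enforce(baseline, system, verdicts), verdicts, rules
```

Note that `review` never inspects what the new value is: in this model, as in the description above, the quality of the outcome depends entirely on the stored rules and the user's answer.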

Since some users may not understand system-level alerts, there is a chance of malware or hackers gaining access to your computer if the user authorizes a malicious change. Thus, though HIPS is a good system, it relies on the user’s ability to decide about system changes. For the most part, if you are installing any application, changes are bound to happen and you will get alerts.

For Windows Vista and later, you also have User Account Control to alert you. Some firewalls (especially Comodo and ZoneAlarm) are good at providing alerts if any program or user tries to change any particular system setting. There are some third-party tools too – for monitoring and locking system settings.

We have an article on using WinPatrol instead of UAC for better control on system property changes – including changes in your browsers’ home page. The following image shows how WinPatrol HIPS works. The popup appeared as I changed the home page of Internet Explorer.

01 - HIPS What Is - WinPatrol

In short, HIPS is available with almost any anti-malware product and also with tools like WinPatrol. And because it cannot decide by itself whether a particular change is caused by malware or is part of normal processing, it is only as good as the user’s ability to judge the change. Using the paid version of WinPatrol allows you to look up details of the alert on the Internet. This feature helps you decide whether or not to approve a change.

NOTE: You can also lock file types using WinPatrol – a facility not available with SpyShelter.

Installation Hiccups – Don’t Confuse The Users!

Do you want Higher Security or Medium? This is a question asked by the installation package while you are installing SpyShelter. You can change the option later from the Settings of the SpyShelter free version. But for beginners, what is the difference between Higher Security and Medium? The installation dialog tells us Higher Security means more protection and Medium means fewer alerts.

02 - Confusion During Installation

If I select Medium, which changes would SpyShelter allow or deny without asking me? There should be a help button that assists users in deciding the best option for them. Without knowing which alerts would be disabled, I don’t think anyone would go for Medium. This is an extra step and could be eliminated from the installation process. People can always change the settings from the main window of SpyShelter once they get to know which alerts are being shown by the application.

SpyShelter is set up to auto-learn which programs to allow and which ones to deny access to the core system components. Even if you set the protection level to High, there may be fewer alerts if SpyShelter has already learned that a particular program is safe. As such, the installation dialog asking you to choose between Higher and Medium protection is just a source of confusion and should be removed, in my opinion.

SpyShelter Personal Free Review

The first keylogger it detected, soon after the reboot required by the installation, was WinPatrol. This is probably because WinPatrol runs a check on every system resource to make sure no changes happened during reboot. Here is a screenshot that SpyShelter gave me upon reboot when WinPatrol started. It explained that the process is dangerous and asked me if I should allow it to run or block it. It also has a “Remember My Answer” type of checkbox so that you need not allow it every time you fire up your computer.

SpyShelter Personal Free

I downloaded and installed a few keyloggers, including Spyrix. Initially, the auto rules created by SpyShelter denied installation. I had to exit SpyShelter to install the keylogger.

Later, as soon as I turned SpyShelter on, it added Spyrix to its program blacklist under the categories of Anti-Keylogging and Anti-ScreenCapture. The image below shows that you cannot install a keylogger as long as SpyShelter is active.

Fig 4 - Access Denied For Installing Keylogger

Anti-ScreenCapture & Anti-Clipboard

The PrintScreen button did not work for anything. However, I was able to use the Windows Snipping Tool. SpyShelter added Snipping Tool to its whitelist under Anti-ScreenCapture, allowing me to take snaps using the tool. In the image below, you can see that SpyShelter marked it as Green – meaning it was allowing the Snipping Tool even though Anti-ScreenCapture was enabled.

Fig 5 - SpyShelter Log - Snipping Tool Allowed Under Anti Screen Capture

SpyShelter has its own algorithms that help it identify programs and thereby choose whether or not to allow access to the clipboard and so on. According to the SpyShelter website, the program is not dependent on any kind of database or fingerprints to identify malicious files. They say it checks the behavior of the file and, based on that behavior, allows or restricts access for that file.

The log file showed all the programs and applications I opened while SpyShelter protection was on. It also showed which programs were being permitted to use the clipboard and which ones were blocked. For example, Microsoft Word was marked Green, meaning it can access the clipboard. Then there was a DLL that was marked Red, meaning it could not access the clipboard.


Our SpyShelter Personal Free review concludes that the program is worth trying out for the following reasons:

  • It is low on resources so won’t slow down your computer.
  • It auto-learns the behavior of programs on your computer. That way, even if you choose High Protection during installation, alerts decrease over time.
  • Your computer is protected using program behavior and you need not update the database all the time
  • Integrates encryption driver.

Sometimes, false positives may occur, as in the case of WinPatrol, but you can easily whitelist such cases. The free version now supports 32-bit as well as 64-bit systems.

Download: Home Page. As of October, 2016 SpyShelter Free will no longer be supported

Have a look at VoodooShield too.

Arun Kumar is a Microsoft MVP alumnus, obsessed with technology, especially the Internet. He deals with the multimedia content needs of training and corporate houses. Follow him on Twitter @PowercutIN


  1. Ed

    The free version doesn’t support 64 bit systems.

  2. The free version now supports 32-bit, as well as, 64-bit systems too.
