The Events module at work

The attached composite screenshot (JPG) displays the detail available in the Events viewer and is posted for your entertainment. SpyShelter is running in Suspicious mode on my Windows 10 Pro 22H2 system.

Shortly before hibernating my test system, the last events yesterday occurred when my MpCmdRun scheduled task ran and found new signatures, then inserted via an AM_Delta_Patch_version.exe. (Up until yesterday, I had the task disabled. During my testing of SSv15beta over the past few weeks, I kept the system simple and began a gradual bringing up of my veteran processes.)

Upon waking it up today, the task, no longer a new binary, logged only the latest AM_Delta_Patch_version.exe process as a result of the task’s “start is missed” setting. (The task is scheduled to hit MS for a signature check every hour.)

PhotosApp is the first launch SSv15beta has seen.

I then chose an install of a typically bloated device app, Garmin Express, for my Venu SQ watch, beginning at 11:19:21.

Note the highlighting of unread processes.

Cheers.


Thank you for posting and contributing to our new community! :+1:

I’m curious why Garmin doesn’t seem to want to sign some of their software, if I am not misunderstanding the view.

For myself, when I look at SpyShelter events, the first thing I look at is the right side publishers to see if I don’t recognize something. I would be concerned to see those unsigned items on my own PC!
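The check described in the post above (scanning the publisher column for anything unsigned or unfamiliar) can be reproduced outside SpyShelter. This is an added PowerShell example, not SpyShelter's own code or anything from the thread; it walks the currently running processes, reads the Authenticode signature of each image file, and lists the ones that are not validly signed along with whatever subject name the certificate carries. Process names and paths on your system will of course differ from any shown in the screenshot.

```powershell
# Added example: list running processes whose image is not validly Authenticode-signed.
# Requires an elevated prompt to read the paths of processes owned by other users;
# unreadable paths are skipped rather than reported as unsigned.

function Get-UnsignedRunningProcess {
    [CmdletBinding()]
    param()

    # Group by path so a process launched many times is checked once.
    $paths = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique

    foreach ($p in $paths) {
        try {
            $sig = Get-AuthenticodeSignature -FilePath $p -ErrorAction Stop
        } catch {
            # Path not readable (protected process, permissions); skip rather than guess.
            continue
        }

        # 'Valid' means a chain to a trusted root and an intact hash.
        # 'NotSigned', 'HashMismatch', 'UnknownError' etc. are all worth a look.
        if ($sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                Path      = $p
                Status    = $sig.Status
                # Subject of the signing certificate, if any (the "publisher" column).
                Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                # Processes currently running from this image, for correlation with the Events view.
                Pids      = (Get-Process | Where-Object { $_.Path -eq $p } | Select-Object -ExpandProperty Id) -join ','
            }
        }
    }
}

# Usage: run in an elevated PowerShell session.
Get-UnsignedRunningProcess | Sort-Object Status, Path | Format-Table -AutoSize
```

Note that `HashMismatch` is a stronger signal than `NotSigned`: an unsigned binary may simply be an old utility, as the thread discusses, whereas a signed file whose hash no longer matches has been modified after signing.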

Perhaps I should have added “dysfunctional” to bloated in describing the Garmin app.

Nothing new to unsigned stuff. I’ve been using some of these apps for decades.

Others like OffByOne and Enigma Encryptor I are in my ancient archives. And I throw 'em at security apps I test. Like yours. :slightly_smiling_face:

BTW, what’s the diff between the blue and blank dots?


Good question! The first dot represents launching, the second dot represents access to the registry, and the third is related to the File Integrity Control feature under the Protection tab.

It’s a dot if that action was never accessed, a gray icon if the action was accessed but there’s no rule, and then a green icon if there’s a rule, no matter whether the action was accessed or not.

There is a red icon if there’s “deny” action. And of course there is “Quarantine” if you quarantine something.

Perhaps it’s a bit confusing so we’re looking to improve this so it’s less cryptic.

Here is some help documentation: SpyShelter Detailed User Guide – SpyShelter Help

You can play with File Integrity Control under the Protection tab.


Thanks.

Look at the word CurrPorts. Note the blue dot.
Look at the words CleanMem Settings. Note the not-blue dot.

There’s a dot of one kind or the other for each app.

What do they mean?

Blue dot means process is active, not-blue dot means process was active.


Yes, this is exactly right. If there is a dot, then the process is currently running.

It’s useful because when you look at “Events”, you can see if that process is still actively running (as you view the latest events), or if it terminated.

Thanks again.

That is in the Detailed User Guide which is indeed detailed, as it should be. Good work!


Our next update adds a setting for the “Events” so you can choose to only receive a red dot alert if there is a known threat, or unsigned app. It should look less chatty than our current public version of SpyShelter, if you change the setting.