The attached composite screenshot jpg displays the detail available in the Events viewer and is posted up for your entertainment. SpyShelter is running in Suspicious mode on my Windows 10 Pro 22H2 system.
Shortly before hibernating my test system, the last events yesterday occurred when my MpCmdRun scheduled task ran and found new signatures, then inserted them via an AM_Delta_Patch_version.exe. (Up until yesterday, I had the task disabled. During my testing of SSv15beta over the past few weeks, I kept the system simple and began a gradual bringing up of my veteran processes.)
Upon waking it up today, the task, no longer a new binary, logged only the latest AM_Delta_Patch_version.exe process as a result of the task’s “start is missed” setting. (The task is scheduled to hit MS for a signature check every hour.)
PhotosApp is the first launch SSv15beta has seen.
I then chose an install of a typically bloated device app, Garmin Express, for my Venu SQ watch, beginning at 11:19:21.
Thank you for posting and contributing to our new community!
I’m curious why Garmin doesn’t seem to want to sign some of their software for some reason, if I am not misunderstanding the view.
For myself, when I look at SpyShelter events, the first thing I look at is the right side publishers to see if I don’t recognize something. I would be concerned to see those unsigned items on my own PC!
Good question! The first dot represents launching, the second dot represents access to the registry, and the third is related to the File Integrity Control feature under the Protection tab.
It’s a dot if that action was never accessed, a gray icon if the action was accessed but there’s no rule, and a green icon if there’s a rule, no matter if the action was accessed or not.
There is a red icon if there’s a “deny” action. And of course there is “Quarantine” if you quarantine something.
Perhaps it’s a bit confusing so we’re looking to improve this so it’s less cryptic.
Yes, this is exactly right. If there is a dot, then the process is currently running.
It’s useful because when you look at “Events”, you can see if that process is still actively running (as you view the latest events), or if it terminated.
Our next update adds a setting for the “Events” so you can choose to only receive a red dot alert if there is a known threat, or unsigned app. It should look less chatty than our current public version of SpyShelter, if you change the setting.