View Full Version : System Safety Monitor Learning Thread
TheKid7
June 18th, 2008, 06:36 PM
I'd like to start a Learning Thread on configuring/using System Safety Monitor (Paid). It seems like such a good program but I need some help with creating a quality guide to help others and myself with tweaks/configuration.
Thank you.
n8chavez
June 18th, 2008, 09:25 PM
I am not so sure this program is still relevant. It is not actively developed. There are better, more capable, alternatives available; such as EQS, DefenseWall, or Safe n Sec.
Peter2150
June 18th, 2008, 09:39 PM
{QUOTE-> I am not so sure this program is still relevant. It is not actively developed. There are better, more capable, alternatives available; such as EQS, DefenseWall, or Safe n Sec. <-QUOTE}
I would disagree with that. I'd be interested in seeing people more advanced than I posting what they do with SSM.
Pete
bellgamin
June 19th, 2008, 12:09 AM
{QUOTE-> I am not so sure this program is still relevant. It is not actively developed. There are better, more capable, alternatives available; such as EQS, DefenseWall, or Safe n Sec. <-QUOTE}A- The developer (Vitali) of SSM is very active, and responds quickly to all forum posts, issues, etc. at the SSM forum (http://syssafety.com/forum/).
B- The current version of SSM is quite up-to-date & is fully compatible with Vista and XP. Vitali and his helper/tester are currently working on adding a file protector to SSM, and have estimated its readiness for use by the latter days of this summer.
C- Except for its lack of file protection, SSM is fully the equal of other classical HIPS such as Defense+ & ProSecurity.
>Comparing SSM to DefenseWall is inapplicable because SSM is a classical HIPS whereas DW is NOT. Rather, DW is a HIPS/sandbox combo.
>Comparing SSM to EQS requires caveats. Although EQS is a classical HIPS, it offers very little default protection, but instead places 99% of the configuration load on the user. SSM on the other hand is fundamentally configured for effective protection right out of the box, and offers a learning mode for aiding users in further configuring its protection.
>As to Safe'nSec -- it is a very good classical HIPS; well-configured from the get-go; but it has no forum and its developers respond to support requests verrry slowly or not at all. If you can comprehend its out-dated & convoluted help files -- well & good. Otherwise, you're pretty much on your own.
D- Besides SSM, other good choices for actively-supported, "mostly classical" HIPS include: OnlineArmor (http://www.tallemu.com/), DriveSentry (http://www.drivesentry.com/), & Comodo Firewall Pro's Defense+ module (http://www.personalfirewall.comodo.com/download_firewall.html).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE 1- ProSecurity (http://www.proactive-hips.com/) is another great classical HIPS, but its developer (Jei) has been among the missing for several months. Fall in love with this one at your own risk.
Note 2-If you decide to try CFP's Defense+ (it's free), be careful not to accidentally click on the $39/year "Plus" version. Also, stay VERY alert during install so that you do not inadvertently allow it to install its crappy toolbar.
n8chavez
June 19th, 2008, 12:30 AM
{QUOTE-> A- The developer (Vitali) of SSM is very active, and responds quickly to all forum posts, issues, etc. at the SSM forum (http://syssafety.com/forum/).
B- The current version of SSM is quite up-to-date & is fully compatible with Vista and XP. Vitali and his helper/tester are currently working on adding a file protector to SSM, and have estimated its readiness for use by the latter days of this summer.
C- Except for its lack of file protection, SSM is fully the equal of other classical HIPS such as Defense+ & ProSecurity.
>Comparing SSM to DefenseWall is inapplicable because SSM is a classical HIPS whereas DW is NOT. Rather, DW is a HIPS/sandbox combo.
>Comparing SSM to EQS requires caveats. Although EQS is a classical HIPS, it offers very little default protection, but instead places 99% of the configuration load on the user. SSM on the other hand is fundamentally configured for effective protection right out of the box, and offers a learning mode for aiding users in further configuring its protection.
>As to Safe'nSec -- it is a very good classical HIPS; well-configured from the get-go; but it has no forum and its developers respond to support requests verrry slowly or not at all. If you can comprehend its out-dated & convoluted help files -- well & good. Otherwise, you're pretty much on your own.
D- Besides SSM, other good choices for actively-supported, "mostly classical" HIPS include: OnlineArmor (http://www.tallemu.com/), DriveSentry (http://www.drivesentry.com/), & Comodo Firewall Pro's Defense+ module (http://www.personalfirewall.comodo.com/download_firewall.html).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE 1- ProSecurity (http://www.proactive-hips.com/) is another great classical HIPS, but its developer (Jei) has been among the missing for several months. Fall in love with this one at your own risk.
Note 2-If you decide to try CFP's Defense+ (it's free), be careful not to accidentally click on the $39/year "Plus" version. Also, stay VERY alert during install so that you do not inadvertently allow it to install its crappy toolbar. <-QUOTE}
I see that I struck a nerve. Sorry about that. But my point still stands. When was the last update to SSM? It may be capable of protecting a system but my point was that there are others out there that, in my opinion, are better.
If users really want to learn about what is going on with their system then I suggest EQS. Yes, it may not be as easy to use. And, yes, the default ruleset might not be very tight. But its potential is unmatched.
I'm not comparing A to B. Both will protect, and that is the bottom line. Which one can do that better is up for debate. Different configurations suit different people. I, for instance, use no resident AV. I also do not like classical HIPS, I find them incredibly restrictive.
Also, DW is not a sandbox. It is a policy HIPS.
dmenace
June 19th, 2008, 12:49 AM
The last update to System Safety Monitor was on 1st March 2008. That is good for a classical HIPS IMHO.
ProSecurity for example was last updated on 29th January 2008. Hence compared to this you can see that SSM is not being abandoned at all.
Learning Thread Content:
One of the first things to do with SSM is enable all the modules.
Then enable the learning mode for a couple of days.
When learning mode is off, enable the network access tab along with the Windows firewall. This will monitor outbound connections. (Windows firewall monitors inbound connections).
To be continued... (Maybe Regrun thread info)
n8chavez
June 19th, 2008, 12:53 AM
{QUOTE-> The last update to System Safety Monitor was on 1st March 2008. That is good for a classical hips IMHO. <-QUOTE}
True. But that was version 2.4.0 beta 621...a beta build. The last stable build was 2.3.0.612 which was released on January 29, 2007.
bellgamin
June 19th, 2008, 03:04 AM
{QUOTE-> True. But that was version 2.4.0 beta 621...a beta build. The last stable build was 2.3.0.612 which was released on January 29, 2007. <-QUOTE}Version 621 is in RC status. It is, and has been for some time, THE current stable version of SSM. Vitali has made these facts quite clear in his forum guidance. Further, several users have confirmed these facts. Vitali may be slow to update his version designations, but SSM itself is fully updated -- to wit, version 621.
{QUOTE-> I see that I struck a nerve. Sorry about that. But my point still stands. When was the last update to SSM? <-QUOTE}The latest SSM version 621 was updated in March, and has been "tweaked" several times since then. In other words, SSM is being actively & vigorously maintained current. Meanwhile, back at the thread...
A- No nerve has been hit in my case. I own a license for SSM & remain an ardent supporter. However, I have been using D+ for several weeks now, & shall continue to do so until SSM's upgrade, to add file protection, becomes available in late summer.
B- Maybe it's time that we get ON topic. Original poster asked for guidance to configure SSM, NOT a critique of SSM, and NOT comparisons of the pros/cons of using other HIPS.
C- Thus far everyone is OFF topic (including me) except dmenace.
D- I fully agree with dmenace's suggestion to start out by putting SSM in Learning Mode.
>While in Learning Mode, fully exercise your computer by performing all of your daily routines.
>SSM has excellent parent-child controls. So it is helpful, while in Learning Mode, to do such things as (a) have your email client access an internet link from within a message and (b) have your word processor activate &/or access another app, such as your browser. These sorts of actions are important factors in effectively *training* SSM.
> It is important to include updating of all your security apps while SSM is in Learning Mode.
E- You should turn off SSM's Learning Mode after 2 or 3 days of "training" as explained above. Even so, Learning Mode remains useful for re-activation, at certain times, ever afterward...
>In effect, "learning mode" is also SSM's "install mode."
>Before installing a new application or a major update to an existing application, put SSM into Learning Mode.
>After the installation or upgrade is completed, turn off Learning Mode. When you do so, SSM will automatically delete any useless rules created during the installation.
>It is also a good idea to use Learning Mode during updates of the OS (Windows Updates).
Peter2150
June 19th, 2008, 06:54 AM
Bellgamin is right. BACK ON TOPIC.
If you think SSM has no useful life left, then just don't bother with this thread. Simple.
ErikAlbert
June 19th, 2008, 10:19 AM
As a newbie in SSM
1. I would search or ask for an import/export function to save all the rules. I'm not going to spend so much time on configuring SSM without having that possibility. I hope the developer was so smart to provide that function.
Not providing an automatic configuration of SSM during the installation (as an option) was already not so smart of the developer.
Which user is willing to spend so much time on configuring a software ? Only a very motivated user will do this.
AE is much smarter, it configures itself automatically during the installation.
2. Then I would disconnect from the internet first and do what Bellgamin said. Use each non-internet software, while SSM is in learning mode. This is very safe because my system partition is clean and working properly and I can do this without being worried and making mistakes.
After that I would image/archive my system partition to have the possibility of rolling back when something goes wrong in the next step.
3. Then I would go online and use each internet software, while SSM is in learning mode. After that I would image/archive my system partition again.
4. Then I would export all the rules to a file in my data partition.
5. Then I would restore a clean image, install SSM for good and import all the rules in SSM and image/archive again and put SSM out of learning mode.
Any forgotten rules later can be adjusted in my clean image by using import/export until it is finished.
Testing and ditching new software is not a problem, if necessary I can turn SSM off or rollback to a previous state.
wat0114
June 19th, 2008, 01:42 PM
{QUOTE->
1. I would search or ask for an import/export function to save all the rules. <-QUOTE}
This is easily possible, at least with the pro version.
I ran SSM Pro for many months and absolutely loved it as a classical HIPS. However, it really only helped me as a learning aid in how various Windows processes interact with each other. I never once needed it to thwart malware, though I did test it extensively against POC leaktests.
The only kind of HIPS I run now is what's included in a couple firewall programs I have, Jetico 2 and Outpost, and even then I have that functionality limited, especially in J2. After so long I just kind of grew weary of HIPS. Probably the most difficult part of SSM to figure out is how the registry protection works, otherwise it's not too difficult, especially if the enthusiasm to learn is there.
TheKid07, maybe just install it, follow the initial advice offered so far in this thread, then ask questions as needed as you go along. I'll help as best I can and maybe even re-install it to freshen my memory.
bellgamin
June 19th, 2008, 03:19 PM
{QUOTE-> As a newbie in SSM
1. I would search or ask for an import/export function to save all the rules. I'm not going to spend so much time on configuring SSM without having that possibility. I hope the developer was so smart to provide that function.
Not providing an automatic configuration of SSM during the installation (as an option) was already not so smart of the developer. <-QUOTE}SSM has several pre-configurations when it is installed, and adds others during usage. These are found in SSM's file global.cfg. However, Erik is correct that SSM could do a more thorough job of configuring itself during install -- as (for example) is done by ProSecurity and Online Armor, both of which allow the user to deal quickly with all presently installed applications which s/he considers to be safe.
Configurations added by the user are recorded in SSM's file ssm.cfg. When using SSM, I always keep a back-up of global.cfg & ssm.cfg. Although I am not presently running SSM, I still have copies of those files so that, when I re-install SSM's next version, I will be able instantly to restore all my settings & tweaks.
Conceivably, I could give another user a copy of those files & s/he would be instantly set-up equally to my set-up. However, I agree that SSM should have a SPECIFIC import/export button.
{QUOTE-> 2. Then I would disconnect from the internet first and...
3. Then I would go online and...
4. Then I would export all the rules...
5. Then I would restore a clean image... <-QUOTE}Erik's 2,3,4, &5 are altogether good & logical methods for getting a relatively easy start with SSM. It would be helpful if he would post them on SSM's forum as a suggested addition to SSM's help file. Vitali is very open to suggestions, especially when it comes to augmenting and improving SSM's help file.
ErikAlbert
June 19th, 2008, 04:41 PM
{QUOTE-> which allow the user to deal quickly with all presently installed applications which s/he considers to be safe.
file. <-QUOTE}
That is exactly my point. When users have a lot more practical examples, created by an automatic configuration, they will understand SSM faster and then the manual of SSM will become more understandable also.
Thanks for giving both cfg-files and yes, an import/export function is necessary, because no average user knows these files. AE has also an import/export function on each screen when needed and I use them for the same purpose.
With import/export you don't only save input time, but you also avoid possible typos and other mistakes.
It's a general rule in applications: you type info only ONE time and then re-use it over and over again. :)
12fw
June 20th, 2008, 02:11 AM
Nice thread.
Using SSM free with Kerio 2.1.5 with free Avira.
This combo is nice and light and hopefully effective.
I'm enjoying the SSM. Installed it, set it on learning mode and rebooted and immediately did one shutdown. Just to be safe I did not lock myself out of my PC. Then I set it out of the learning mode and just have been using the popups for its configuring.
Any advice on adding extra registry entries or is that idea really a good idea?
12fw.
ruinebabine
June 20th, 2008, 11:29 AM
{QUOTE-> When using SSM, I always keep a back-up of global.cfg & ssm.cfg. <-QUOTE}I don't have, and don't remember ever seeing, any file named "ssm.cfg".
{QUOTE-> However, I agree that SSM should have a SPECIFIC import/export button. <-QUOTE}Preferences -> Options -> Configs
> have choice of: "Save as...", "Import" and "Change config file".
Or is it not specific enough?
ChrisP
June 20th, 2008, 05:40 PM
I have used SSM for ages now with no problems. Very good support when needed and it has great functionality.
Peter2150
June 20th, 2008, 05:52 PM
{QUOTE-> I have used SSM for ages now with no problems. Very good support when needed and it has great functionality. <-QUOTE}
Irrelevant to the topic. This is supposed to be a thread about learning. It's not turning out that way.
For example can someone show how they have manually changed the parent child relationships.
ErikAlbert
June 21st, 2008, 10:50 AM
{QUOTE->
2. Then I would disconnect from the internet first and do what Bellgamin said. Use each non-internet software, while SSM is in learning mode. This is very safe because my system partition is clean and working properly and I can do this without being worried and making mistakes.
After that I would image/archive my system partition to have the possibility of rolling back when something goes wrong in the next step.
3. Then I would go online and use each internet software, while SSM is in learning mode. After that I would image/archive my system partition again.
<-QUOTE}
I forgot to mention this.
Everything that happens in step #2 regarding creating rules is not a problem, because my system is clean and whatever SSM asks me to do, I will always make the right decision.
The problem begins in step #3, when I go online and I wouldn't be so sure anymore to make the right decisions.
Also my Sygate Personal Firewall asks questions like do you allow this inbound or this outbound? Do I have to block all inbound and/or outbound without getting in trouble sooner or later?
Some of these questions are related to objects, I don't even know.
I guess SSM will ask me similar or the very same questions. Answering the same question twice isn't really my style.
So I consider step #3 a lot more "dangerous", because my knowledge is too poor to give the right answers and guessing isn't really my style either.
The bottom line is: how am I going to do this step in a safe way as an average user?
EASTER
June 21st, 2008, 06:04 PM
I would just like to add that inside System Safety Monitor lies a feature I wish many other HIPS employed, and not just for preventions against malware attacks. I'm speaking of the "keep this process in memory" feature! This has always been one of my favorites and I tested it against malware that would shutdown say your firewall or AS/AV before they hardened self-protection and it was a joy to have use of this.
The other benefit if you're a customizer like myself, sometimes third-party windows customs apps like the ones that dress up XP to mimic the looks of Vista are sometimes subject to sudden crash-downs that require a manual restart. SSM's feature eliminates going thru that trouble and auto-starts ANY active processes that might experience this tiny but annoying flaw, so with it you get kind of the best of both worlds, protection when an app is forced down maliciously and also due to unexpected crashes.
A very welcome feature that as far as I know, SSM instituted first before any others.
Peter2150
June 21st, 2008, 06:16 PM
{QUOTE-> I would just like to add that inside System Safety Monitor lies a feature I wish many other HIPS employed, and not just for preventions against malware attacks. I'm speaking of the "keep this process in memory" feature! This has always been one of my favorites and I tested it against malware that would shutdown say your firewall or AS/AV before they hardened self-protection and it was a joy to have use of this.
The other benefit if you're a customizer like myself, sometimes third-party windows customs apps like the ones that dress up XP to mimic the looks of Vista are sometimes subject to sudden crash-downs that require a manual restart. SSM's feature eliminates going thru that trouble and auto-starts ANY active processes that might experience this tiny but annoying flaw, so with it you get kind of the best of both worlds, protection when an app is forced down maliciously and also due to unexpected crashes.
A very welcome feature that as far as I know, SSM instituted first before any others. <-QUOTE}
Easter
If you can post how you set up these features. That's where this thread needs to go.
Pete
EASTER
June 21st, 2008, 06:25 PM
{QUOTE-> Easter
If you can post how you set up these features. That's where this thread needs to go.
Pete <-QUOTE}
Yeah, I think some screenshots would better indicate these different features too so I'll try to put some together for us. SSM is a Multi-Faceted HIPS and that equates to meaning it's equipped with "MANY" & "SEVERAL" individual features some of which aren't that simple to find even by word descriptions.
EASTER
ErikAlbert
June 21st, 2008, 10:10 PM
{QUOTE-> Yeah, I think some screenshots would better indicate these different features too so I'll try to put some together for us. SSM is a Multi-Faceted HIPS and that equates to meaning it's equipped with "MANY" & "SEVERAL" individual features some of which aren't that simple to find even by word descriptions.
EASTER <-QUOTE}
Is EQS better than SSM, and should I rather spend my time on EQS than on SSM, or what? Both are unuserfriendly, so I'd better spend my time on the BEST.
EASTER
June 21st, 2008, 10:47 PM
{QUOTE-> Is EQS better than SSM, and should I rather spend my time on EQS than on SSM, or what? Both are unuserfriendly, so I'd better spend my time on the BEST. <-QUOTE}
That's up to the individual user to decide I think, but I found EQS "Extremely Versatile" and IMO far more "user-friendly" with respect that once you're acquainted/familiar enough with its RULES SECTION and how they apply to the File, Registry, plus Applications Protections sections, everything else is a piece of cake.
I have to add however, none of this confidence would be complete without the generous assistance courtesy Alcyon with his tireless effort in fashioning his RuleSets for EQS. IMO, that made all the difference in the world and increased user-friendliness at the same time.
SSM is no slouch by any stretch, but for me it became too overly complicated in comparison to EQS, plus EQS's gui is much more eye friendly and simpler to locate settings for some including myself.
bellgamin
June 22nd, 2008, 01:36 AM
{QUOTE-> Is EQS better than SSM, and should I rather spend my time on EQS than on SSM, or what? Both are unuserfriendly, so I'd better spend my time on the BEST. <-QUOTE}PLEASE do not do this Erik. The topic is SSM. If someone wants to debate which HIPS is best, please start a thread & do not hi-jack this one.
ErikAlbert
June 22nd, 2008, 05:20 AM
{QUOTE-> PLEASE do not do this Erik. The topic is SSM. If someone wants to debate which HIPS is best, please start a thread & do not hi-jack this one. <-QUOTE}
I don't see any answers regarding post #18 either.
BlueZannetti
June 22nd, 2008, 06:42 AM
{QUOTE-> I don't see any answers regarding post #18 either. <-QUOTE}First, you will probably get an answer if you stop speaking in meaningless and context free hypotheticals that go in circles and decide to focus in on actual details. How about you provide some specific examples that you are concerned about? You appear concerned about guessing on answers - have you verified that this is the case? Bear in mind that context is governed and informed by your prior usage of the product.
Second, stay on the thread topic.
Blue
Peter2150
June 22nd, 2008, 08:19 AM
{QUOTE-> PLEASE do not do this Erik. The topic is SSM. If someone wants to debate which HIPS is best, please start a thread & do not hi-jack this one. <-QUOTE}
Exactly!!!!
ErikAlbert
June 22nd, 2008, 08:38 AM
{QUOTE-> First, you will probably get an answer if you stop speaking in meaningless and context free hypotheticals that go in circles and decide to focus in on actual details. How about you provide some specific examples that you are concerned about? You appear concerned about guessing on answers - have you verified that this is the case? Bear in mind that context is governed and informed by your prior usage of the product.
Second, stay on the thread topic.
Blue <-QUOTE}
I know already, there won't be any answer to my question in post #18.
SSM, like any other HIPS and Firewalls with HIPS, is NOT for average users, because they don't have the required background knowledge. You can't learn SSM or handle SSM, unless you have that background knowledge already.
SSM is unsafe in the hands of an average user, because he doesn't know the right answers and that means that his SSM will be a collection of right and wrong rules.
There is NO userfriendliness in SSM and if some posters claim it is, then they don't know the true meaning of userfriendliness.
Average users need something other than gambling with their security.
SSM is nothing but a software for a very small group of users, like members of Wilders. :)
BlueZannetti
June 22nd, 2008, 09:05 AM
{QUOTE-> I know already, there won't be any answer to my question in post #18. <-QUOTE}So why ask the question? Are you trying to make some point? If so, at least be upfront about it.
{QUOTE-> SSM, like any other HIPS and Firewalls with HIPS, is NOT for average users, because they don't have the required background knowledge. You can't learn SSM or handle SSM, unless you have that background knowledge already.
SSM is unsafe in the hands of an average user, because he doesn't know the right answers and that means that his SSM will be a collection of right and wrong rules. <-QUOTE}While I agree in generalities, i.e. users need to understand how to approach this type of software to use it productively, that's the point of this thread. How does one optimally "teach" a product like this to function. It can be done and does not require an advanced degree in Computer Science.
{QUOTE-> There is NO userfriendliness in SSM and if some posters claim it is, then they don't know the true meaning of userfriendliness. <-QUOTE}User friendliness is in the eye of the beholder. I hate to break this to you, but I don't believe that you're the designated arbiter of user friendliness for the planet.
{QUOTE-> Average users need something other than gambling with their security.
SSM is nothing but a software for a very small group of users, like members of Wilders. :) <-QUOTE}Sort of like another application that seems near and dear to your heart.., yes? There is nothing wrong with someone finding a path to use and deciding to use it. That's what it is all about. You seem all too focused on the path people choose, not the final result. In other words, you've completely missed the point.
Now - let's get this thread back on target - SSM configuration/usage.
Blue
ErikAlbert
June 22nd, 2008, 09:22 AM
{QUOTE->
Now - let's get this thread back on target - SSM configuration/usage. <-QUOTE}
Yes do that, the OP will need it and I wish him good luck. Certainly not my choice of safe security.
BlueZannetti
June 22nd, 2008, 01:23 PM
{QUOTE-> Certainly not my choice of safe security. <-QUOTE}You appear to have a bizarre notion that one size fits all and that if it's not right for you, it's not right for any casual user. Depending on the needs and capabilities of a user, any given approach may work or fail, including your preferred approach. The specific machine implementation is only one piece of a larger picture. Appreciating that requires an understanding of nuance, which seems beyond the scope of your worldview.
Blue
EASTER
June 22nd, 2008, 02:05 PM
I hope to post my screenshots in the next few days on certain particular features in System Safety Monitor that I find in no other HIPS atm. I always like to know also, WHEN, a driver has been unloaded and SSM can alert to this along with path/filename. Otherwise, I have to rely on AutoRuns drivers/services TAB to check and/or manually remove a driver that should have been auto-built into the code where when certain apps close that launch their drivers to work, equally they also remove their drivers.
As for EricAlbert, so as not to go too far Off-Topic here since there's already been some detours noted, somewhat like myself perhaps, he seems to be trying the waters of SECURITY PROGRAMS in an effort to maybe wean off temporarily from ISR-boot-to-restore to see "IF" it's at all possible (like I'm testing right now), to rely solely on certain security solutions and in his case, how these methods stack up in relationship to his boot-to-restore methods.
System Safety Monitor does cover a wide-field of prevention techniques, and NO, it's not for an average user IMO, but those who do spend time "Learning" it can benefit, but you absolutely have to accept that IT WILL ALWAYS REQUIRE USER INTERACTION, that's the chief purpose for them to begin with IMHO, for a user to get involved into what exactly is communicating within their own system and with time understand the differences when a "Red Flag" comes up.
SSM is like any other security programs IMO. There is a stretch of releases that seem to do all a user expects from it and sometimes more, and newer versions don't always equate to better, but that's up to the individual user to determine in the end.
Stem
June 22nd, 2008, 02:45 PM
{QUOTE-> SSM is unsafe in the hands of an average user, because he doesn't know the right answers and that means that his SSM will be a collection of right and wrong rules. <-QUOTE}Probably correct, but could also be the same for any classic HIPS. I thought that was the reason for the thread, to learn and make correct choices/settings. Being permanently negative of the available security of an application based on user knowledge is actually an obstruction for those who want to learn, by your intervention of un-needed, un-wanted comments.
I am certainly willing to contribute to the thread, I will start from the initial installation and show how I react to popups from SSM if that would help.
Learning is good, those that just want to post to the thread without reason/off topic, simple, don't post.
Peter2150
June 22nd, 2008, 03:13 PM
{QUOTE-> Probably correct, but could also be the same for any classic HIPS. I thought that was the reason for the thread, to learn and make correct choices/settings. Being permanently negative of the available security of an application based on user knowledge is actually an obstruction for those who want to learn, by your intervention of un-needed, un-wanted comments.
I am certainly willing to contribute to the thread, I will start from the initial installation and show how I react to popups from SSM if that would help.
Learning is good, those that just want to post to the thread without reason/off topic, simple, don't post. <-QUOTE}
Excellent. This is what I'd like to see myself.
Pete
Tarnak
June 22nd, 2008, 09:21 PM
I have been using SSM for a couple of years now. I am by no means an expert. I was reasonably sure when I installed it, that my system was malware free.
I just put it in learning mode for a few days, and that was it. I still get popups, but that goes with the territory. I basically like the program.
However, it does throw up the occasional curly one, ie see attached screenshot which relates to the Sygate firewall that I have been using for a long time. I had never seen this one before, until a few days ago. I blocked it without any ill effect. BTW, I am hoping for some good contributions from some with more advanced knowledge.....always wanting to learn!:)
wat0114
June 22nd, 2008, 10:33 PM
To the OP or anyone else using SSM for the first time, the "Technical information" shown in Tarnak's ss is achieved by clicking the "Details" button. By default, this information is not shown on alerts.
Also, if using SSM with a software fw, I would disable the "Network rule" in SSM, simply because I see no point in having two apps alert on network access.
Also, two of the most important and frequently used right-click functions in SSM are under: Rules->Applications
Screenshots are attached.
I'll try to offer more as time permits.
Tarnak
June 22nd, 2008, 11:01 PM
{QUOTE->
Also, if using SSM with a software fw, I would disable the "Network rule" in SSM, simply because I see no point in having two apps alert on network access.
<-QUOTE}
Thanks wat0114, I had that disabled.....I knew it was illogical to have SSM "Network rule" enabled too!
wat0114
June 22nd, 2008, 11:10 PM
{QUOTE-> For example can some show how they have manually change the parent child relationships. <-QUOTE}
Rules->Applications, click on the application you want to change the parent/child relationships on, in this case svchost.exe, then right-click->Advanced properties->Applications.
In the Parent and Child columns, the checkboxes can be changed by clicking in them to select "Ask (?)", "Allowed (green checkmark)" or "Blocked (red circle w/line)".
Hopefully the ss explains the details of this functionality.
{QUOTE-> Thanks wat0114, I had that disabled.....I knew it was illogical to have SSM "Network rule" enabled too! <-QUOTE}
No problem, though it was actually intended to answer an earlier post in this thread regarding Sygate :)
Pedro
June 23rd, 2008, 10:31 AM
And note that wat has the default parent and child for the group Normal as ask, so this is applied as default for all programs inside the group (you will be alerted).
As you answer the alerts, the boxes will change to allow or block according to your answer, per application (in the screenshot, services.exe, defrag.exe..).
Those will be the rules applied. If there are no rules (set to ask), you will be prompted. If there's a rule, allow or block, that is applied.
Peter2150
June 23rd, 2008, 02:41 PM
Hi Wat0114
This is exactly what I was hoping to see. Anything else you can do in the same manner would be great. Big help to me.
Thanks,
Pete
wat0114
June 23rd, 2008, 03:14 PM
{QUOTE-> Hi Wat0114
This is exactly what I was hoping to see. Anything else you can do in the same manner would be great. Big help to me.
Thanks,
Pete <-QUOTE}
You are welcome Pete. I see a very labor/time-intensive task to post everything I would like to about this product, because there is so much to it that I don't want to leave out anything important. However, I will forge ahead posting a little bit when I can. Probably tonight I can post some more.
{QUOTE-> And note that wat has the default parent and child for the group normal as ask, so this is applied as default for all programs inside the groups (you will be alerted).
<-QUOTE}
Thank you Pedro because you have reminded me that SSM Pro has the odd propensity of automatically placing checkmarks (Allow) in the Parent & Child boxes for the group name "Normal". I have on several occasions found the need to change them back to "Ask (?)". It seems to be a bug.
Peter2150
June 23rd, 2008, 03:38 PM
Hi wat
No doubt it's time intensive. I just want you to know it's very helpful, at least to me. Thanks,
Pete
EASTER
June 23rd, 2008, 07:13 PM
As promised:
This is a screenshot pinpointing the very useful feature (IMO) of restarting important or even not so important processes if terminated by any means, crash or forced by another means. I hope to expound more on SSM's features along with pictures to better help clarify exactly where these security features reside and the purpose of their use.
Be advised, however, that this SSM version is (Full) but stands at 2.3.0612. I preferred this one for the time being.
More to come, hope it helps.
wat0114
June 23rd, 2008, 07:57 PM
Now to add a registry rule for a given application; in this example "cmd.exe" will be used:
Of note, there are 15 (numbered 0-14) built-in default registry object rules for SSM Pro.
Select the application and right-click to bring up the context menu.
Select "Advanced Properties".
Select the Registry tab, then right-click in the blank window and select "Add rule...".
From this window you can select either a "Registry object" (Group) from the left pane or an individual Registry key from the right pane, then select the corresponding "Add rule" button.
Finally, you highlight the new rule, then select the "Access" and "Logging" options from below.
**EDIT**
I should have called the Registry objects in the left pane Registry groups
wat0114
June 24th, 2008, 07:37 PM
Now a pictorial example of creating a new Registry Group with a new Hivekey added to it.
BTW, I'm focusing on the Registry objects first because I'm trying to take a similar approach to the way chess is often taught, from the end game first ;) I believe if someone can master this area of SSM, considered by many to be the most difficult, the rest should be pretty straight forward.
**EDIT**
Please swap the first two screenshots around; they are in reverse order
blacknight
July 14th, 2008, 06:30 AM
{QUOTE-> The last update to System Safety Monitor was on 1st March 2008. That is good for a classical hips IMHO.
ProSecurity for example was last updated on 29th January 2008. Hence compared to this you can see that SSM is not being abandoned at all.
Learning Thread Content:
One of the first things to do with SSM is enable all the modules.
Then enable the learning mode for a couple of days.
<-QUOTE}
Quote. All definitely right. :)
blacknight
July 14th, 2008, 06:38 AM
{QUOTE-> Version 621 is in RC status. It is, and has been for some time, THE current stable version of SSM. Vitali has made these facts quite clear in his forum guidance. Further, several users have confirmed these facts. Vitali may be slow to update his version designations, but SSM itself is fully updated -- to wit, version 621.
A- No nerve has been hit in my case. I own a license for SSM & remain an ardent supporter.
<-QUOTE}
I also have a regular SSM License and I'm a strong supporter too. :) EQSecure not only, as said in a previous post, "places 99% of the configuration load on the user", but sometimes it is too slow at detecting new .exe apps, and its alerts in these events are late.
Get
July 14th, 2008, 08:05 AM
I'm flabbergasted seeing people having SSM in learning-mode for a few days. Install on a clean PC, put it in learning mode while NOT on the internet and open/close your software. Reboot and disable learning mode. Then answer the occasional popups.
EASTER
July 14th, 2008, 05:05 PM
Wooo, all that looks so complicated. How on earth could a regular user who never used it before possibly get a handle on all that? And so the reason for my own transition. It takes beaucoup time, plenty of it, to learn it.
It's a solid performer, but even member herbalist brought this up to their support forum staff a long long time ago, apparently in vain.
Get
July 14th, 2008, 06:01 PM
@Easter: Is your post in response to mine? I don't think so, because my post wasn't describing a complicated method, but I might be wrong, so please elaborate if that's the case.
wat0114
July 28th, 2008, 04:28 PM
Hopefully it's okay to post another SSM sample alert again :)
This time it involves the somewhat mysterious Rundll32.exe process, occasionally talked about in these forums. There is some info on the process here (http://windowsxp.mvps.org/rundll32.htm) and here (http://vlaurie.com/computers2/Articles/rundll32.htm).
In this example I attempt to launch a Linux file called "menu.lst" (lists the operating systems available at startup), found in the Linux Grub folder, using the "Open with" option in XP, where I choose Microsoft Word 2007. SSM gives me the alert found in the screen shot.
SSM alerts on this attempt even though I already have a rule for WINWORD.EXE. I am not really sure what it is about the nature of the alert, because SSM seems to indicate WINWORD.EXE is an "unregistered" program? Or could it be that since it is a DLL being launched as an app that it is seen as unregistered? My guess is that the switch "/DDE" (Dynamic exchange data) is somehow responsible for SSM seeing WINWORD.EXE as unregistered.
I wanted to post this alert because I consider it one of the less obvious ones users might see.
wat0114
July 29th, 2008, 11:19 PM
We can now take a look at creating a new Group.
SSM by default contains five Groups:
SSM, System, Normal, Blocked, Unregistered
**Very Important**
These Groups also contain default Special permissions and Advanced properties. Special permissions can not be changed on the Group SSM, while Advanced properties can not be changed on the Group Blocked. They are hard-coded by the developer for good reason.
It is a good idea to check the Special permissions and Advanced properties on the other Groups, especially Normal, because SSM by default tends to assign the "Allow" (green checkmark) for all Parent/Child checkboxes for all applications under it! This is a very liberal permission set for these applications. My recommendation is to change the checkmarks to question marks.
FWIW, I don’t use Blocked or Unregistered, as these imply, to me, Groups of applications that should not be allowed on my computer. However, I find the remaining three Groups are not sufficient for me to properly organize all the applications in SSM, so I like to create a couple others.
How to create a Group:
Rules-> Applications…anywhere in the application window right-click-> Edit groups-> Add group
Give it a name (I’ll use “Sample group”) -> Ok
You will now want to set Special permissions and Advanced properties on the new Group. Special permissions can be reached by highlighting the Group, then right-click-> Special permissions, or you can select any of the tabs in the lower pane. The screen shot loosely illustrates this. Advanced properties is by highlighting the Group-> right-click-> Advanced properties.
Keep in mind that a red circle w/diagonal line through it means those Special permissions options will not be checked. What exactly you choose for these parameters determines the restrictiveness of the Group.
Again, I would recommend question marks for the Group’s Parent/Child checkboxes under Advanced properties.
Next time we can look at moving existing applications that already have rules, into this new group, then reverting their rules to that of the Group.
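The rule hierarchy that wat0114 and Pedro describe (a per-application Parent/Child entry, falling back to the Group's default, with "?" meaning you get prompted and your answer being written back as a rule) and the per-application registry rules from the earlier post can be captured in a small model. The following is an added illustrative example, not SSM's own code, rule format or exact evaluation order; the group names match the thread, the application names and registry key prefixes are constructed sample data, and the way the two sides of a launch are merged (block wins over ask, ask over allow) is an assumption of this model.

```python
"""Toy model of a classical-HIPS rule hierarchy: group default -> per-application
override -> prompt the user. Illustrative only; not SSM's own code or rule format."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(Enum):
    ASK = "?"          # no rule: the user is prompted
    ALLOW = "allow"    # green checkmark in the UI
    BLOCK = "block"    # red circle with a line


@dataclass
class Group:
    name: str
    parent_default: Verdict   # may other processes start members of this group?
    child_default: Verdict    # may members of this group start other processes?


@dataclass
class AppRule:
    group: str
    parent: Dict[str, Verdict] = field(default_factory=dict)   # override per parent image
    child: Dict[str, Verdict] = field(default_factory=dict)    # override per child image
    # (key prefix, verdict, log?) like the Access and Logging options of a registry rule
    registry: List[Tuple[str, Verdict, bool]] = field(default_factory=list)


# Assumption of this model: when the two sides of a launch disagree, the stricter wins.
_SEVERITY = {Verdict.ALLOW: 0, Verdict.ASK: 1, Verdict.BLOCK: 2}


class ToyHips:
    def __init__(self, groups, apps, prompt: Callable[[str, str], Verdict]):
        self.groups = {g.name: g for g in groups}
        self.apps: Dict[str, AppRule] = apps
        self.prompt = prompt          # stands in for the popup; returns the user's answer
        self.log: List[str] = []

    def _rule(self, image: str) -> AppRule:
        # Anything without an explicit rule is treated as a member of "Unregistered".
        return self.apps.setdefault(image, AppRule(group="Unregistered"))

    def check_launch(self, parent: str, child: str) -> Verdict:
        p_rule, c_rule = self._rule(parent), self._rule(child)
        # Parent side: may `parent` start `child`? app override, else its group's Child default.
        v_parent = p_rule.child.get(child, self.groups[p_rule.group].child_default)
        # Child side: may `child` be started by `parent`? app override, else its group's Parent default.
        v_child = c_rule.parent.get(parent, self.groups[c_rule.group].parent_default)
        verdict = max(v_parent, v_child, key=_SEVERITY.get)
        if verdict is Verdict.ASK:
            verdict = self.prompt(parent, child)
            if verdict is not Verdict.ASK:
                # The answer becomes a per-application rule, so the boxes flip from "?".
                p_rule.child[child] = verdict
                c_rule.parent[parent] = verdict
        return verdict

    def check_registry(self, image: str, key: str) -> Verdict:
        rule = self._rule(image)
        # Most specific (longest) matching key prefix wins; no match means ASK.
        matches = [r for r in rule.registry if key.upper().startswith(r[0].upper())]
        if not matches:
            return Verdict.ASK
        prefix, verdict, log = max(matches, key=lambda r: len(r[0]))
        if log:
            self.log.append(f"{image} {verdict.value} {key} (rule {prefix})")
        return verdict


def sample_hips(prompt: Optional[Callable[[str, str], Verdict]] = None) -> ToyHips:
    """Constructed sample configuration; Normal uses '?' as the thread recommends."""
    groups = [
        Group("System", Verdict.ALLOW, Verdict.ALLOW),
        Group("Normal", Verdict.ASK, Verdict.ASK),
        Group("Blocked", Verdict.BLOCK, Verdict.BLOCK),
        Group("Unregistered", Verdict.ASK, Verdict.ASK),
    ]
    apps = {
        "services.exe": AppRule("System"),
        "svchost.exe": AppRule("System", parent={"explorer.exe": Verdict.BLOCK}),
        "explorer.exe": AppRule("Normal", child={"winword.exe": Verdict.ALLOW}),
        "winword.exe": AppRule("Normal"),
        "cmd.exe": AppRule("Normal", registry=[
            (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", Verdict.BLOCK, True),
            (r"HKLM\SOFTWARE\Microsoft\Windows", Verdict.ALLOW, False),
        ]),
    }
    # Default prompt: nobody answers, so an ASK stays an ASK and no rule is written.
    return ToyHips(groups, apps, prompt or (lambda p, c: Verdict.ASK))


if __name__ == "__main__":
    hips = sample_hips(lambda p, c: Verdict.ALLOW)   # pretend the user clicks Allow
    for parent, child in [("services.exe", "svchost.exe"),
                          ("explorer.exe", "svchost.exe"),
                          ("explorer.exe", "winword.exe")]:
        print(f"{parent} -> {child}: {hips.check_launch(parent, child).value}")
    print("cmd.exe Run key:", hips.check_registry(
        "cmd.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x").value)
```

The point to notice is the second launch: explorer.exe's own side says "?", but svchost.exe carries an explicit Block for that parent, so the stricter side decides and no popup appears. With Normal left at its out-of-the-box Allow/Allow defaults, the third launch would also pass silently, which is why the post recommends question marks on the Group.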
bman412
July 30th, 2008, 02:49 AM
Are there any known conflicts of SSM with other applications?