Protecting security programs using SSM

One of the biggest incentive for me to use SSM is the ability to protect security programs I am already running on my Windows XP SP2.

In this thread, I'd like to solicit ideas of SSM application rules to protect security programs. The goal of the rule configuration is to have SSM protect security programs from termination and modification. As the well thought out SSM by default already protects files or registry entries, I want to limit the rule configuration in this thread to applications level.

Code:

[b]Security programs I am running[/b]:
- Outpost Personal Firewall Pro 2.5.375.4822 (374)
- Avast Antivirus Pro 4.7.938
- BOClean 4.22
o SSM 2.2.0.604

I feel comfortable with protecting as tightly as possible security programs that do not get updated often using SSM. However, I don't feel the same about those programs that do get updated often. I am concerned that super-tight rules may result in failed/aborted updates of those programs.

As such, so far I configured SSM to protect only Outpost Firewall explicitly.

It is the frequently updating programs - Avast and BOClean in my case, that make me scratch my head. On one hand, I want to prevent them from undesirable modifications. While on the other, I want those program to get legitimate updates smoothly.

I have found the following Avast and BOClean processes running. To protect Avast and BOClean, do I want to apply the same rules that I've applied to Outpost.exe? If different, please advise, in details if possible.

Code:

Avast application processes (please advise anything missed):
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe

Code:

BOClean application processes:
C:\Program Files\BOC422.EXE
C:\Program Files\BOCore.exe

Of course, if your security programs are different from mine and/or you've configured your SSM to protect your security programs differently, by all means, please add all those to this thread.

I hope this thread will be helpful to all users of SSM.

 

Using SSM to protect the firewall is fine. I use it to protect Kerio. AVs and other anti-malware apps are another story. At times, AVs replace executables during a major update. Using SSM to protect or restart them will interfere with the update process if the scanning engine is being updated.

It's open to debate just how necessary it is to use additional termination protection on an AV. If you think about it, SSM already adds several layers of protection against malware terminating security-ware.
1, SSM will intercept the process starting.
2, SSM requires apps to ask permission to terminate apps when it isn't specifically allowed for that app.
3, Most malware that attacks AVs is also detected by AVs once it's discovered.

Protecting AV executables is problematic with auto-updating. You usually don't know ahead of time when an update will replace an executable. If you want to use SSM to defend the AV, you might consider updating manually so you can approve changes in the core AV files. Otherwise, you'll probably have to set SSM to ignore signature changes in the executable, which defeats half the purpose of protecting them. Then again, the chances of something getting past your AV and changing a file without SSM stopping it is remote.
Rick