System Safety Monitor Free- Is the free version strong enough?

[duke1959]

Reading a thread on ProcessGuard Free, (and now copying the title of it. LOL) I do seriously wonder the same thing about SSM Free? I have it on board in learning mode and actually like the GUI better than Prosecurity Free. I have Comodo Pro Firewall, AVG Pro AV and am currently using Cyberhawk while SSM Free is learning mode. I also read the thread SSM Free-real life experiences, and saw some conflicting opinions which makes me wonder if SSM Free is strong enough.

[Kees1958]

Hi,

SSM-free protect against data injection, process modification and physical memory vialotion and global hooking. This is by far a broader protection than any other classic HIPS. You can even configure your registry protection, see
http://www.wilderssecurity.com/showthread.php?t=168928

I have a SSM-full lisence, but I use SSM-free because it is faster. True SSM full offers better registry protection, low level disk access protection and some additional protection against rootkits. Because I run DefenseWall paid also I am not worried about rootkits and keyloggers.

Regards K

[duke1959]

Hello everyone, I have a question, but first. I have left SSM Free in learning mode for a few days, opened as many programs as I could, and rebooted twice. I had the AVG ISS and Cyberhawk installed during this time, but have now uninstalled Cyberhawk, and I'm sure I have a clean system from running various scans over the last few weeks with AVG, and SuperAntiSpyware. Now for my question. If I don't want to attempt any configuration on of my own with SSM Free, will it be ok now for RealTime Protection?

[Chuck57]

I ran SSM free after booting and spending some time opening the programs I most used. Then I took it out of learning mode and felt perfectly safe. I know there are other things I could set rules for, but I never bothered. I think after letting SSM learn for a few days, you're well covered.

[duke1959]

Thanks Chuck57. Also what firewall do you use? I'm behind a router firewall and use the AVG FW that's part of my Internet Security Suite, but was thinking of using Comodo Pro, or the latest version of ZA Free if it turns turns out to be safe to use. The AVG FW is basic and maybe that's all I need with SSM Free on board, but I think you'll understand when I say I like more features in my software.

[aigle]

Quote:

Originally Posted by duke1959

I have left SSM Free in learning mode for a few days, opened as many programs as I could, and rebooted twice. I had the AVG ISS and Cyberhawk installed during this time, but have now uninstalled Cyberhawk

I hope u don,t install/ uninstall software in learning mode and also don,t make permanant rules for prompts which u get during various software installations.

[Kees1958]

Duke, Chuck

When you install and uninstall only use allow once, rest will be fine. When you want additional regsitry protection (all Toni Klein's startup protection plus some more cherry picked from Regdefend, RegRun and SSM pro) have a look at the post I included earlier. First start using with the log/ask option. Browse your SSM free log and change them to block when no messages are in the log.

Regards K

[jawadde]

can i use this program if i have only 285 RAM?
Or should i use an other HIPS program i my case...

SSM free is a very light load, much lighter than most resident AVs. I have it installed on several units with less RAM than that. It even runs well on a Win98 box with 64MB RAM.

Quote:

I have left SSM Free in learning mode for a few days, opened as many programs as I could, and rebooted twice...... If I don't want to attempt any configuration on of my own with SSM Free, will it be ok now for RealTime Protection?

Without actually seeing your ruleset, it's difficult to give a good answer. Learning mode allows most anything. This can be a problem in certain situations. An example would be finding a malicious website that drops a trojan while in learning mode. Before you shut down the learning mode, scan your system with one of the online AVs, just to be sure nothing malicious is running.

Don't be suprised if you do get some prompts after you shut down learning mode. It's easy to overlook some applications or system processes. Office suites and CD/DVD burning software are a couple of examples. Many use separate executables for different tasks. A CD burner may use different executables for data and music CDs or for ripping. AVs are another example. Many use multiple executables for different tasks. The updater is often a separate process. Try to make sure you use all the functions/features of the apps you use before shutting down the learning mode. Don't forget about scheduled maintenance tasks.

How well SSM defends your system will depend on several things, including your settings. When you shut down the learning mode, will you be using the "block process creation" or the "block everything (paranoiac setting)"? The "block process creation" setting will prevent any new processes or applications from running. The paranoiac setting gives you more control over the behavior of allowed processes and does a better job at preventing the malicious use of legitimate processes. How much real time protection is "OK" depends on your usage habits and how much control you want over your system. It will also depend on whether you run SSM with the UI (user interface) connected and how you answer prompts. With the UI disconnected, you won't be prompted when a malicious process (or a previously unused legitimate process) tries to start. It's just blocked. Regardless of whether you used the learning mode or created all your rules manually, SSM will prevent unknown processes from running, as long as you don't specifically allow one to run by clicking "allow" on an alert. The learning mode does a pretty good job. The default module settings aren't too bad either. You can either use the ruleset as is or edit them later as you learn the details.
Rick

[duke1959]

Thanks herbalist. (Rick) I truly like this program and it does run very light. Should I be concerned about A Third Party Firewall? I like Comodo Pro, but not sure it's overkill with having a router firewall and SSM Free on board.

I'd still run a separate firewall. A software firewall will give you more detailed control over incoming traffic than a router, plus letting you control outgoing traffic. When used with SSM, the extra functions found in many firewalls aren't that important as they duplicate coverage that SSM provides. A rule based firewall like Kerio 2.1.5 is an excellent complement to SSM, as long as you're comfortable working with firewall rules. If not, there's other choices. Pick one that gives you good control over traffic in both directions that you're comfortable with.

Add some content control for your web applications like NoScript or Proxomitron and you'll have a strong core security setup that will resist most attacks.
Rick

[duke1959]

Thanks again sir.

[Rasheed187]

In my opinion SSM free needs to be upgraded, because I noticed that it could not stop certain child processes from being launched, so no it´s not strong enough, but then again there will always be flaws in apps. If you´re concerced about stopping process execution, I would look elsewhere.

The only instances of that I've run into involve DOS commands. SSM doesn't deal well with DOS. Not a problem if you limit access to the command prompt or block command.com when the UI is disconnected.
Rick

[aigle]

Quote:

Originally Posted by Rasheed187

In my opinion SSM free needs to be upgraded, because I noticed that it could not stop certain child processes from being launched, so no it´s not strong enough, but then again there were always be flaws in apps. If you´re concerced about stopping process execution, I would look elsewhere.

Any examples?

[Rasheed187]

What a bummer, there is an app who bypasses both SSM Free and Pro, this really should not be possible! I´ve tested it with Neoava, EQSecure and ProSecurity and they didn´t have any problems. Keep in mind that I don´t know if this app is malware or not, so don´t execute on your real system.

http://www.syssafety.com/forum/viewtopic.php?t=891

[duke1959]

aigle, why is Cyberhawk crossed off in your sigs?

[aigle]

Quote:

Originally Posted by duke1959

aigle, why is Cyberhawk crossed off in your sigs?

Current version causing false keylogger alrams, though not a big concern ATM as they promised to fix.
Main reason is that out of all my security appliances( Antivir, SSM, GW and Comodo) all are lightweight on my PC and no slow down. I felt CH causing a lot of CPU spikes on lauch and termination of every application on my OS, also a lot of I/O reads etc and there is a slow down on my systrem, so I removed it. I really like, may be I will install previous version or wait for some better version.

[duke1959]

Thanks aigle, I'm not sure I ever noticed any slowdown with CH, but I can understand why it may be possible because of the way it scans in RT.

[nick s]

Quote:

Originally Posted by Rasheed187

What a bummer, there is an app who bypasses both SSM Free and Pro, this really should not be possible! I´ve tested it with Neoava, EQSecure and ProSecurity and they didn´t have any problems. Keep in mind that I don´t know if this app is malware or not, so don´t execute on your real system.

http://www.syssafety.com/forum/viewtopic.php?t=891

Actually, SSM (2.4.0.614 beta) crashes when arpr.exe executes. SSM is not able to alert. Arpr.exe also crashes Sysinternal's Process Monitor (1.10). The file is a cracked version of Elcomsoft's Advanced RAR Password Recovery.

Nick

Quote:

Originally Posted by aigle

Current version causing false keylogger alrams, though not a big concern ATM as they promised to fix.
Main reason is that out of all my security appliances( Antivir, SSM, GW and Comodo) all are lightweight on my PC and no slow down. I felt CH causing a lot of CPU spikes on lauch and termination of every application on my OS, also a lot of I/O reads etc and there is a slow down on my systrem, so I removed it. I really like, may be I will install previous version or wait for some better version.

NxFsMon.sys
NxKbMon.sys
NxNetMon.sys
NxSysMon.sys

Having "4" drivers running all the time from CYBERHAWK may prove a bit too much? Perhaps responsible for some of the false posivs? Whatta ya think? I'm only speculating ATM but Other HIPS, in fact most others Load only a single driver or two don't they? And a process? Maybe 2?

It runs OK on my machine for now (latest version) but still is in the back of my mind that couldn't the drivers be reduced and still perform? I know it takes time to balance these type apps and i expect it will improve but you can also see every HIPS developer uses a different style of compiling their crafts but most users do prefer minimum intrusive impact on system performance. Just a thought.

Quote:

Originally Posted by Rasheed187

What a bummer, there is an app who bypasses both SSM Free and Pro, this really should not be possible! I´ve tested it with Neoava, EQSecure and ProSecurity and they didn´t have any problems. Keep in mind that I don´t know if this app is malware or not, so don´t execute on your real system.

http://www.syssafety.com/forum/viewtopic.php?t=891

That's an odd one. SSM blocked it fine when I clicked "deny". When I allowed it, the file behaved normally. Apparently, the file behaves differently on my 98 box than it does on XP.

Easter,
You still have a 98 box. Could you give that file a try with SSM? I'd like to see what results another SSM user with 98 gets.
TIA
Rick

[aigle]

Quote:

Originally Posted by EASTER.2010

NxFsMon.sys
NxKbMon.sys
NxNetMon.sys
NxSysMon.sys

Having "4" drivers running all the time from CYBERHAWK may prove a bit too much? Perhaps responsible for some of the false posivs? Whatta ya think? I'm only speculating ATM but Other HIPS, in fact most others Load only a single driver or two don't they? And a process? Maybe 2?

It runs OK on my machine for now (latest version) but still is in the back of my mind that couldn't the drivers be reduced and still perform? I know it takes time to balance these type apps and i expect it will improve but you can also see every HIPS developer uses a different style of compiling their crafts but most users do prefer minimum intrusive impact on system performance. Just a thought.

That looks insane, four drivers for one application. I never noticed it.

[aigle]

Quote:

Originally Posted by herbalist

The only instances of that I've run into involve DOS commands. SSM doesn't deal well with DOS. Not a problem if you limit access to the command prompt or block command.com when the UI is disconnected.
Rick

Hi herebalist, I don,t use DOS commands on XP but I guess some of the sofrware must be using command prompts. I am curious what type of functionality I am going to loose if I disable cmd.exe in SSM.

[ggf31416]

Quote:

Originally Posted by herbalist

The only instances of that I've run into involve DOS commands. SSM doesn't deal well with DOS. Not a problem if you limit access to the command prompt or block command.com when the UI is disconnected.
Rick

Can you give a specific example?