HIPS and run dll

Discussion in 'other anti-malware software' started by david banner, Dec 13, 2007.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I don't know how to do it. As far as I know, SSM will alert you about EVERY child process that's launched by an app. Let's say if I execute some app, and it wants to launch notepad, should I care? No, because it's not dangerous, but the executables that TopperID mentioned could be dangerous, and of course executing .bat/.pif/.com etc. files could be dangerous too.

    Yes it is.

    Obviously, I don't know as much about malware as you, but if I'm correct, launching executables is not a problem, it's the possible malicious behavior that they trigger that could be a problem. So I don't really care whether it's the parent or child process (or both) that is triggering it. And thus, I don't know if it makes sense to alert about certain child processes being launched (which you will allow anyway).

    The same with registry protection, I'm not sure if it makes sense to guard certain reg-keys, of course they may be used by malware, but you will have to be an expert to know if ActiveX controls/dll files are malicious or not. It's these kinds of things that make "dumb" HIPS so noisy, at least, from my experience.
     
    Last edited: Dec 19, 2007
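As an added example (not from this thread, and not SSM's own logic), here is a small Python model of the child-process filtering Rasheed187 describes: it stays quiet for a known-benign child such as notepad, alerts on .bat/.pif/.com launches and on children running from an untrusted location, and remembers an earlier "allow" so the same parent/child pair is not prompted again. The trusted directories, the benign-child list and the sample paths are constructed assumptions.

```python
import ntpath
from dataclasses import dataclass, field

RISKY_EXTENSIONS = {".bat", ".pif", ".com"}   # types named in the thread; extend as needed
BENIGN_CHILDREN = {"notepad.exe"}              # children not worth a prompt (constructed)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")   # assumed trusted locations

@dataclass
class ChildLaunchFilter:
    remembered: set = field(default_factory=set)   # (parent, child) pairs the user allowed

    def decide(self, parent: str, child: str) -> str:
        """Return 'allow', 'alert' or 'prompt' for one parent->child launch."""
        parent, child = parent.lower(), child.lower()
        name = ntpath.basename(child)          # ntpath parses Windows paths on any OS
        ext = ntpath.splitext(name)[1]
        if (parent, child) in self.remembered:
            return "allow"          # user decided this pair earlier: stay silent
        if ext in RISKY_EXTENSIONS:
            return "alert"          # script/legacy formats always get surfaced
        if not child.startswith(TRUSTED_DIRS):
            return "alert"          # e.g. a notepad.exe dropped into c:\temp
        if name in BENIGN_CHILDREN:
            return "allow"          # the real notepad from a trusted directory
        return "prompt"             # unknown but plausible: ask the user once

    def remember(self, parent: str, child: str) -> None:
        """Record an 'allow' answer so the same pair is silent next time."""
        self.remembered.add((parent.lower(), child.lower()))

def triage(events, flt=None):
    """Run (parent, child) events through the filter, auto-allowing prompted pairs."""
    flt = flt or ChildLaunchFilter()
    verdicts = []
    for parent, child in events:
        verdict = flt.decide(parent, child)
        if verdict == "prompt":
            flt.remember(parent, child)    # simulate the user clicking Allow
        verdicts.append(verdict)
    return verdicts

APP = "c:\\program files\\app\\app.exe"   # constructed sample parent process
SAMPLE_EVENTS = [
    (APP, "c:\\windows\\system32\\notepad.exe"),   # allow
    (APP, "c:\\temp\\run.bat"),                    # alert: risky extension
    (APP, "c:\\temp\\notepad.exe"),                # alert: benign name, wrong place
    (APP, "c:\\program files\\app\\helper.exe"),   # prompt the first time
    (APP, "c:\\program files\\app\\helper.exe"),   # allow: remembered
]
```

Running `triage(SAMPLE_EVENTS)` shows how the remembered decision removes the second prompt for helper.exe while the look-alike notepad in c:\temp is still surfaced.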
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    After fine tuning a HIPS's rules to reasonably acceptable levels for you, the only noise you should encounter would depend on how often you enter some turbulent ground, as in dicey sites or some new program installer you launched that hasn't been identified or approved yet by the user for passage.

    That's the nature of controlling security with any HIPS, and IMO but a small effort to perform in return for better than average coverage.
     