Discussion in 'other anti-virus software' started by ronjor, May 8, 2007.
HA! would that it were that simple, following download of updates and during the installation of said, the program disables my monitor and locks the system, causing me to force a shutdown by power off.
tradetime: you don't happen to run system safety monitor or some similar app doing massive ugly hooking?
Hi FRug, yes I run SSM but has been turned off both times I attempted to update AntiVir
Doesn't matter whether you turned it off, I had the same issue. It is because SSM does some very ugly hooking bypassing the usual standard routines offered to monitor module loads/unloads. When Avira unloads its rootkit driver required to activate the new driver, SSM's non-conformant hooking mechanism issues a call into uninitialized space since it thinks the next hook (Avira's) is still present at the same address (hook chaining).
Windows reports that the fault is in a component of Antivir, because the memory space the SSM jumps to has until a split-second ago been in valid use by Avira rootkit module.
That's generally why using this type of hooking is not endorsed officially by Microsoft, and one of the bigger changes in Vista was to completely forbid doing it. There's an official API but SSM is bypassing it, probably knowing about the implicit risks of their approach.
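Added example, not part of any post in this thread and not SSM or Avira code: a user-mode C simulation of the failure described above, where a privately chained hook keeps a saved "next" pointer after the next module unloads, beside an OS-managed callback list that drops the entry at unload. All names (`module`, `chain_dispatch`, `cb_register`, `av_driver`) are hypothetical, and the stale jump is reported as `-1` rather than executed.

```c
#include <stdio.h>
#include <stddef.h>

/* Simulation only: "modules" are table entries, not real drivers. */
typedef int (*notify_fn)(const char *image);
struct module { const char *name; notify_fn entry; int loaded; };
static int av_calls;
static int av_notify(const char *image) { (void)image; return ++av_calls; }
/* Constructed stand-in for the driver that is unloaded during the update. */
static struct module av = { "av_driver", av_notify, 1 };

/* Pattern 1: private hook chaining. "next" is captured once and never revalidated. */
static struct module *saved_next;
static void chain_install(struct module *next) { saved_next = next; }
static int chain_dispatch(const char *image) {
    /* Real chained code has no such check; the simulation reports the stale
       jump (-1) instead of executing unmapped memory. */
    if (!saved_next->loaded) return -1;
    saved_next->entry(image);
    return 0;
}

/* Pattern 2: OS-managed callback list. Unload removes the entry first. */
#define MAX_CB 4
static struct module *callbacks[MAX_CB];
static void cb_register(struct module *m) {
    for (size_t i = 0; i < MAX_CB; i++)
        if (!callbacks[i]) { callbacks[i] = m; return; }
}
static int cb_dispatch(const char *image) {
    int delivered = 0;
    for (size_t i = 0; i < MAX_CB; i++)
        if (callbacks[i]) { callbacks[i]->entry(image); delivered++; }
    return delivered;
}

static void module_unload(struct module *m) {
    for (size_t i = 0; i < MAX_CB; i++)      /* the managed list is updated... */
        if (callbacks[i] == m) callbacks[i] = NULL;
    m->loaded = 0;                            /* ...the private chain is not told */
}

int main(void) {
    chain_install(&av); cb_register(&av);
    printf("before unload: chain=%d managed=%d\n", chain_dispatch("a.dll"), cb_dispatch("a.dll"));
    module_unload(&av);
    printf("after unload:  chain=%d managed=%d\n", chain_dispatch("b.dll"), cb_dispatch("b.dll"));
    return 0;
}
```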
Ok thanx for that, bit over my head but I get the gist of it
Clever though, that it's still working even though it hasn't even been started. I presume there is only one solution to this.
How did you resolve this?
Uninstalled SSM since I didn't use it actively anyway.
You don't use any kind of HIPS?
Ok FRug, cheers, I went the opposite route, and uninstalled AntiVir, since I don't like it anyway.
SSM is nasty. It is running on my computer even though I uninstalled it some time ago. I don't know how to get rid of it. Avira thought it was ProcessGuard that was causing a STOP error at boot after I installed the new Avira anti rootkit driver. They had me run a HijackThis and it was there that I saw SSM process running even though I had not had SSM for over a month.
Avira told me to remove both SSM and PG. I thought SSM was removed long ago. I don't know how to further remove it. I won't remove PG and I don't think it is causing problems as Avira was just fine with PG in the past. I uninstalled the anti rootkit and I refuse any requests from Avira pop up now to again install it.
I wish I had not tried SSM. It is too complex for me. I really like Avira so removing Avira is not a solution for me unless Avira and PG are conflicting and if I was forced to choose between one of them that would be quite difficult but I would probably choose PG and look for another AV. The problem though appears to be SSM running even when uninstalled. That is BAD....VERY BAD.
Mele20: I have no issues with process guard either, guess they knew better about what is good for the system and what isn't than the makers of SSM.
I use a fairly outdated version of prevx on two of my systems (the one with the grey GUI) after having tried the current prevx1 version which totally ****ed up my system and tried quarantining system components like audio drivers and video codecs (yes, real codecs, not malware) resulting in a long fight to remove the software, keeping it from sending my data over the net, crashing my system and trying to abort a scanning process that has no cancel button and does everything automatically without asking like "repairing" my LSP stack, which until then had worked just fine. "Your LSP stack has just been repaired" -> Ok great, so why isn't anything working anymore....
Other than that I own a handful of Avira Licenses (Pro/Security Suite), and am using ProcessGuard on my main box where I do my more dangerous work
I like Sandboxie's concept (although it's anything but not fool- or failureproof), but it has fairly frequently led to an unresponding system, requiring me to do hard resets and reinstalls on 2 of my machines even though I had not been actively using it on these occasions. It really sucks if you can't even run task manager anymore, let alone ctrl+alt+del.
So yeah, I'm basically running Avira + some execution control software. I have no interest in advanced HIPS stuff digging deeper in my system than is officially endorsed by Microsoft, or using undocumented hacks to provide "protection" at the sake of stability.
My OS range is fairly spread: a Debian Linux, one Win98, one W2K, several XP Pro / XP MCE and since two days ago a fancy new Vista 32Bit machine.
I'm also behind a hardware router with integrated firewall and am happy owner of a security-aware brain
My only infections date back to 1989 when my Atari got infected with some virus whose name I forgot, and once a very short-lived parity boot infection in 1993 when my school was infected by it and I forgot checking the disk when I plugged it in at home... so yeah, I've now been infection free for ~14 years.
I observe the path or place applications install as default before continuing with the install and have never made any changes because they always appear logical to me. So this would not be an issue for me. Best to let these things install as they wish for less problems. Exception would be "regular" or "default" "(recommended)" installs...I am guilty of selecting "custom" installs of apps so I can do only those things I want. Even on this however, I have done research as to where I am going and would not do 'custom' unless I know where I am going and what features I will be installing.
My problem was not a feature of a custom install. I posted here mainly because the thread title was relevant, save making another one. AntiVir was installed on my computer as and where it chose, likewise with SSM. Like you I allow almost all programs to "pick their own spot"
Are you using the free or paid versions of Process Guard?
I suggest GeSWall instead of Sandboxie.
You can go into safe mode, delete SSM folder from program files, see if any reg entries are there (use Autoruns especially), remove them as well. Also delete the driver manually, C:\WINDOWS\system32\drivers\safemon.sys
OK! Folks, I know I am a little late to jump in here, but; as a newbiey with most all software I am not handycrapped by knowledge. I have SSM installed, recently, and Avira AntiVir v7 on Win98SE2ME. Have had some conflicts without any crashes. Just learning how to use them both, been with AAV for about 4 years and SSM about a week. From what I have seen there are many settings in SSM that need attention to solve some of these problems. I have been running mine, v220.127.116.113, in Learning Mode for most of the time. Do not use the RootKit scanner from AAV as it will not work on Win98SE so that problem is not here.
I have set all AppRules to Advanced with ? on all Child and Parent selections in Advanced Properties.
This may not HELP any for the problems you are having. Just wanted to post as to what I have with my system, if it in any way can assist anyone they are welcome to use it.
Thank you for reading my post toasties,
One new point if I may add some info?
Just did an update of Avira's AntiVir v7.0 and all went well not a problem. The only complaint I could put forward is AVGCrtl.Exe was restarted by the UpDater and I do not have that installed on my system. I have been told that SSM takes care of the software on your system and AVGC is not really needed, duplication of effort. They both would be doing this monitoring and both would be checking the Apps, Drivers, Libs as they are called to use. Making the system ssssllllooooowwwer, eliminate one of the operations and thingys should run smoother and they appear to do just that. Even updates.
Thank you for reading my ppoossttss,
AVGCrtl.Exe does not exist on my WinXP System, however on my Win98fe System, it is the systray icon.
Do you have a Red Umbrella by your clock? If so, what *.exe drives it?
Edited by Moa! > I neglected to answer your question, NO, I do not have an Umbrella ICON by my clock. I have removed it and using SSM to monitor my system.
The umbrella Icon is the AVGCtrl.exe in the folder with Avira's AntiVir software. These instructions are to be used with GREAT CARE, if you make an ERROR you could prevent your system from restarting. You may want to go into the Menu, Registry, Export to a file that you name and know where it is as a backup. Each boot, or should, there is a backup done for you. You may want to do a search for *.reg to see where they are stored and how many there are. Should be five copies with different dates that is the Default setting.
But what you need to do is go into RegEdit, if you are brave or maybe STUPID like me, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ and look in the right panel for the NAME (AVGCtrl or something that will look somewhat like that) then to the right of that is a DATA field and in there will be something like the following: "C:\Program Files\AntiVir PersonalEdition Classic\AVGCtrl.exe /min" right click your mouse on that NAME (the NAME is the name for that DATA field) then select DELETE then YES to remove that from the Registry. You will need to reboot your computer for that to take effect or open TaskManager and select the AVGCtrl and then Alt+E (End Task), wait a short for the next window to come up for you to confirm the EndTask. No reboot is necessary now it is not in the SysTray any longer. The edit on the Registry was to remove it so it will not be restarted on next boot. If you do an update of AV you will need to remove it again with TaskMan because they reinstall it with the update.
Now you thought this was going to be short, if you do not find that entry under HKCU then you need to select HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and do the remainder of the above process to remove it from this area that is used for autostarting of features you did not know would be here.
I can give you more info, but; this is all you need for now to clear that Underbrella from your SysTray.
Let me know how things go,
Thank you for your answer and best of luck with your SSM.
I did try SSM once about a year ago, but found it could not remember settings for what it was supposed to 'allow' and the pop-ups were an annoyance.
Never saw any conflict with AntiVir, but others have now, since build 244.
AntiVir does a great job of protecting both Win98fe and WinXP Systems for my use.
I am happy you were successful, just hope you use those instructions with great care and enjoy the use of your system in the manner you want. As I have reported in other locations, there seems to be NO conflict there are many popups but that goes along with establishing how you use your system and allowing your programs to operate. SSM has a learning curve to be able to keep you as protected as possible and YOU have a learning curve to know what you have on your system and what to allow and when to NOT allow. For some I can see where they could have some difficulties in knowing what to allow and which ones to block. Organization, keeping track of what you install (maybe make a list for reference) and probably the most difficult is knowing how these programs are launched. The Parent/Child concept and when to make the correct decisions. Sounds a bit complex and is a little but the benefits of knowing your system and keeping it under your control outweighs the drawbacks. Plus one other side benefit is it will HELP keep the old brain active and useful.
Good luck and thank you for reading my pusties,
Re: Registry, more than you ever wanted . . .
Here is a good location to learn more about your Registry than you ever wanted to know.
Leave off the /reg.htm and you get his opening page and there are more informative links from his webpage to his webpages and others. I do not know how he was able to create such a vast collection of knowledge. His hat size must be 10 bazillion. Give it a look C and maybe find some helpful info.
Thank you for reading my pousters,