SSM allow folder does what?

Hopefully this doesn't qualify as a "Google is your friend" post...

I've noticed that SSM has an option to allow entire folders in its rules panel. Can anyone tell me if this:

a) Recursively take the checksum of everything in the directory, and allows everything thus checksummed

b) Takes the checksum of the directory itself, and allows everything in it until the checksum changes

c) Simply allows everything in the directory regardless of checksums

I ask this because (a) would be useful, (b) would be absurdly useful to the point of clear advantage over most other HIPS, and (c) would be useless and dangerous in most cases... And I want to know what I'm doing before I click "Yes."

 

If I remember correctly it is option c). I allowed folders and subfolders where I was testing software that our company is making.

 

A folder rule that allows applications will allow all of the applications in that folder to execute within the limits of any parent-child permissions that you set. You have the option to extend this to subfolders. As far as I can tell, it does not use checksums of the contents since the rule applies to everything in the folder. The exception would be applications that have their own specific rules. Depending on the folder contents and how much access other applications have to that folder, this can be quite dangerous. Use care with this option.

I haven't completely tested folder rules for libraries and drivers, but I would assume that they behave the same as folder rules for applications.

 

Yeah, when running as administrator that option would be very dangerous then. Thank you very much!

 

It could be dangerous either way, unless your system has another means of controlling the contents of that folder or limiting the damage executables in that folder can do. If something in that folder uses a privilege escalation exploit, it could be game over right there.

IMO, that option is very limited in its usefulness. I wouldn't use it on any general purpose PC.

 

I was thinking "allow C:\Program Files as limited user." Basically something similar to LUA + SRP, where you can only execute stuff from folders you can't write to. That would (I think) be reasonably safe, though I suspect there are ways around it.

BTW, do you do any software development? Because I've been wondering for a while how people deal with using a HIPS when compiling and testing software. (Let alone LUA + SRP.)

 

I'm not a coder. My experience is in beta testing. Most of that is with the unofficial upgrades for older operating systems and beta testing SSM throughout its development. Most of the time, I do testing on virtual systems and on offline units. When I tested SSM against malware, that was on a real system with internet access, which was also equipped with a wide assortment of monitoring tools and system snapshots.

 

Ah well... Thanks anyway.

(Shame Windows doesn't have chroot jails...)