System Safety Monitor 2.2.0.593 out of beta

Discussion in 'other anti-malware software' started by Chubb, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    That's good news. Is it proved in the actual beta? But still remains the fact of no full control and possibility to manage the processes as I want.
     
  2. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    That was mentioned with regard to the firewall which is what we were discussing at the time.

    You are right in that there is no protection for LSASS. Although you can create a checksum rule, there is no checksum available, so it says it cannot be verified, though I could be missing something here.

    What is the object in closing LSASS apart from annoyance, or is it that it could be replaced by malware during the reboot?

    Will you be posting this up in the SSM forum?
     
  3. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    The title of the screenshot lists Jetico. Is this the right one for SSM?
     
  4. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    It looks like you could use: Rules->Applications->Edit Rules->Add Rule for a File (using beta 595).

    Just navigate to the file - including system files - you want and add it. You can apply all the security measures you want to it, even adding it to one of the default groups or a custom made group. Still, I can understand why SSM makes it difficult to modify the "loose" rules on these files. You and only a handful of others may know how to lock them down without crippling your machines, but the majority of us could lament playing around with the defaults. As for network access on them, why not use your firewall to control that?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That was just the program I was protecting.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This approach was already made (creating a second rule), this does not work. (Read this thread from the start.)

    The point in having network control within SSM was so no firewall would be needed (or use XP firewall or router), or a packet filter firewall (no application control, such as CHX or Injoy as examples) could be used, and SSM would control network access. If there was an application firewall installed, there would be no need for SSM to control this access.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    But do you not think that you should be able to protect any application on your system from termination?

    If you look at the "tabs" (rules~applications) select any of the 3 processes mentioned "csrss.exe" "smss.exe" or "lsass.exe" you will notice that the "protection" tab is missing. So does this then mean that these 3 processes are not protected?,...certainly lsass is not fully protected from termination,... does this mean lsass is not protected from suspending / remote code control / remote data modification, if not, and there is no verification on checksum,.. how would I know if these processes are corrupt or modified. I really should not need to start attacking these processes to verify if there is protection,.. I should be able to set this protection / checksum as I do for my firewall, AV etc.

    Just a test

    I see no point,... SSM team are doing what they are doing. The point of the hard_coded rules has been brought up a number of times, but the hard_coded rules are still there.
     
  8. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Okay, it is possible to create, for example, another rule for LSASS.exe, but the program will not allow the deletion of the built-in system rule for LSASS.exe.

    This is either a bug or, I suspect, by design. The developers do not want the misinformed to inadvertently screw up their systems. Yes, this will be annoying for control freaks, but what will the expertise level be of the average SSM customer? System Safety staff must feel the majority will not know how to handle these system-critical files. I suppose they could add an option to disable the constraints on these files for those who want complete control over them, provided a bold, unequivocal warning accompanies its activation.
     
  9. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Oops, I didn't read the thread discussion closely. Thanks for the clarification.:oops:
     
  10. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The built in rule cannot be overridden

    Well, if you think that wanting of the ability to protect these 3 processes from termination/modification is only the need from a control freak, I am obviously wasting my time posting concerning this.
    ProcessGuard allows the user to set this protection, within PG the only options removed from user control, for example on "csrss", is the ability for this process to terminate/modify other processes/programs,.. maybe then PG should take away the ability to protect "csrss" (and the 2 other processes mentioned)
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This to me is not the point,... SSM= system safety monitor. If the 3 main windows processes are not protected, then should not SSM be re-named to "Some/most(but not all) of the system safety" (as I mentioned in my last post,.. PG will protect these 3 processes,... why not SSM)

    It was just that wound me up the most, if those rules had stayed, what hard_coded rules would be next,.... maybe allow svchost full network access, so XP users don't have problems with DHCP,...
     
  13. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I understand what you are saying. On another point. I have just been reading about DFK and if it is all valid then we might as well all give up. The example shown highlights the point I was trying to make about going through the warnings when you don't believe them to be threatening.
     
  14. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I think I will give the Beta a try. One question before. Could the network rules be completely disabled, incl. the hard_core rules?
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    If you are talking about the 3 "cavaliers" that Stem has mentioned then you can Allow or Deny access to trusted addresses. No other options are allowed.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes,.. The hard_coded rules to allow network access for these 3 processes have been changed to allow the user to set as required.
    SSM have stated that the hard_coded network rules on these 3 processes was a bug.
     
  17. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    No, you are not wasting your time. Your posts carry considerable merit. From my point of view I'm just trying to understand the considerations of the developer, System Safety. They don't want the misinformed to crash their systems. However, from what I have seen, they seem to be very open to suggestions and willing to accommodate the suggestions of the forum members. Maybe with a little friendly persuasion they would be willing to provide full control of those files.
     
  18. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Any problem to install the Beta over the final or is a clean install advisable?
     
  19. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    I went beta 595 over beta 591 with no problems, but I'm not sure about beta over top of final.
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I agree totally!

    Stem, PLEASE do post your comments at the SSM forum. And let us know when you do. I, for one, will immediately post an amen to your post and so also, (I hope) will others.

    I think SSM is possibly concerned that some users might make changes that could cripple their systems. Unfortunately, some of those who do dumb things ALWAYS blame the application. Someone suggested that SSM add "Expert user" options (such as is done by Ace Utilities). THAT might be something SSM would consider doing.
     
  21. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Ok, last Beta up and running. So here comes a question special for Stem as I know he also loves Jetico 2. Opinions are welcome from others also.

    As Jetico and SSM have some rules/features in common, which is to be preferred in which program?

    1. SSM and Jetico have Hash Check
    I notice that HASH Check is generally disabled in SSM, why? If enabled in both, could there be some conflicts?

    2. Network Rules in SSM I think is not necessary as Jetico is more advanced regarding this.
    3. Are there other features in common, asking because I am new to the beta of SSM.
     
    Last edited: Nov 5, 2006
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @cprtech and bellgamin,

    I have tried before with SSM about the hard_coded rules,... o.k. I will present in a different manner,.. as my main concern is for user safety,... not my own ability to block csrss or any other windows application.

    @Tommy
    A possible mix up,.. hash (checksum) is on by default within SSM, but disabled within Jetico2.
    There is no need for both,... as soon as the application is executed, SSM will see any change (Jetico would only see this when internet connection is attempted). So just leave SSM for this.

    This addition within SSM was really for users of windows firewall (or users who have a router and feel no need for a firewall) or in my case at times, when I use packet filter with no application control. In the case as yourself,.. with a software application/rules firewall, there is no need to enable this module.

    There are a number of "overlaps" in protection between SSM and Jetico2,.. I have not seen any direct conflicts between the two,... SSM does work hard to resolve any possible conflicts,... I would say this is really down to yourself,... and how many popups you can put up with,... given time you will see the overlap,... and also what one protects, and the other does not.
     
  23. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Stem, thanks for the advice, I have the same opinion as you.
    I prefer in the beginning as much popups as possible to see exactly what's going on. That's one of the reason why I like SSM - full control. After two or three days most stuff is configured and popups won't appear anymore, only in rar executions, after updates, etc. or malicious stuff (hopefully not).

    I must say the Beta seems to be a big improvement so far.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do like to see what is happening, I will sit there quite happily noting what DLLs are loaded by an application, and then check on these to see what they are,..... it's one way I learn.

    They still have to add dll control (loading)

    Yes,..agree (well apart from the memory leak on the last (but one) build)
     
  25. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    How easy it is to make us happy :), but as you say, best way to learn.

    DLL loading control will be added in this beta cycle or more far in the future. You know anything about that?
     