System Safety Monitor Free- Is the free version strong enough?

Discussion in 'other anti-malware software' started by duke1959, Mar 18, 2007.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

    Yep, they all belong to the latest install version of CyberHawk and in fact have for many versions ago. I take it as their own method of compiling CH to accomplish what it does, so far.

    You betcha' I do and always will. It's my speedo O/S. LoL
    The URL to that file timed out on me yesterday when I read this post because I wanted to try to download and test it myself. I'll give it another try and on Saturday try to show my results. Thanks
     
  2. herbalist

    herbalist Guest

    The command line on XP may look a lot like DOS, but it's totally different. SSM has trouble with actual DOS executables because they're 16 bit programs. CMD.exe is 32 bit so SSM should have no problem with it.

    On my 98 box for instance, SSM can allow or block the opening of a DOS window. Once I have a DOS window, I can launch other 16 bit executables with the running command prompt, unaffected by SSM. On DOS based PCs, if a user is allowed to start a command prompt, that user has access to all other 16 bit executables, including:
    1. attrib.exe
    2. format.com
    3. fdisk.exe
    4. find.exe
    5. move.exe
    6. start.exe
    7. xcopy.exe
    8. undelete.exe
    9. deltree.exe
    10. cscript.exe, the command line version of Windows Scripting Host
    11. ipconfig.exe
    12. netstat.exe
    13. tracert.exe
    14. eraserd.exe, the DOS component of Eraser
    15. most any batch file that doesn't call a 32 bit executable.
    In addition to these, the user would also have access to all the internal commands from command.com, which includes:
    1. Dir
    2. Copy
    3. Delete
    4. MKDIR
    5. Set
    6. Path
    7. Verify
    8. Time
    9. Date
    These are just partial lists, but they're more than sufficient to completely compromise a system when used properly. While SSM doesn't control the interprocess activity of 16 bit executables, it does control the launching of 16 bit apps by 32 bit apps and vice versa. The only realistic way to secure against the malicious usage of 16 bit apps is to limit access to all of them. You can either set the default parent setting to "ask" without specifying any allowed parents, or you can use the "block for disconnect UI" option. It's not necessary to make rules for all of the 16 bit apps on your system, just the ones you start with or use separately, like command.com. Let SSM treat the others as unknown apps, which will prevent their usage by 32 bit apps but won't interfere with using them via a DOS prompt.
    Rick
     
  3. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    289
    How good is the proactive defense in Kaspersky Security in comparison to SSM?

    In Kaspersky Internet Security you have:

    application activity monitor
    application integrity control
    registry guard
    office guard

    Was just curious if it is worth me running any other software like SSM.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. I have no idea of DOS (never used it), so I thought DOS and cmd were the same. So I want to ask how to disable DOS commands completely on XP Home, via the OS itself or via SSM? What type of functionality will I lose by this?

    Thanks
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I don't use KAV so I am not sure, but I know there is considerable overlap. I will keep some features of PDM, especially behaviour analysis for trojans, worms, keyloggers and rootkits etc. (because SSM is a classic HIPS and does not cover behavioral detection of malware). Also one can use the reg defence of PDM instead of SSM reg defence. Application activity monitor is not needed at all in this scenario I think.
    All depends upon you, you might not need SSM altogether.
     
  6. EASTER.2010

    EASTER.2010 Guest

    As promised it's Saturday but sorry no results.

    Herbalist, do you have an alternate way to upload that file? That Live-Share link stops on me every time around 35% and before that is slow as molasses.

    I'll be glad to still test it if someone can get a different url to it.

    Regards EASTER
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Use SSM to block the execution of C:\WINDOWS\system32\ntvdm.exe. Go to Start > Run, type in command.com and press Enter. SSM will alert you that ntvdm.exe is executing. Click Block after ticking the option to create a permanent rule. I have yet to see any loss of functionality, although I have read that some application installers still use 16-bit code.

    Nick
     
  8. herbalist

    herbalist Guest

    If you're referring to command line functions on XP, on the rule for cmd.exe, set its default parent setting to "Ask", then don't specify any allowed parent processes. This won't totally disable it but will alert you when anything tries to start it, effectively making it an "ask before running" process. Both XP's "cmd.exe" and the DOS "command.com" use internal commands and can call external commands, those provided by another executable. The items in the first listing of my previous post are all external commands/processes. If you're interested, open a command prompt and type cmd.exe /? to see XP's basic command list. While both systems have many commands in common, there are differences. The biggest difference between the 2 systems is that the DOS executables are 16 bit while their XP counterparts are 32 bit, which makes them controllable with apps like SSM. On my 98 box for instance, I can start "XCOPY" from a DOS window with no reaction from SSM. If I try that via a command window on XP, SSM prompts.

    I'm not certain, but I think Windows Update uses cmd.exe, as do many installers. Depending on how you have Windows Update set, you might need to allow the Windows Update components to be a parent to make it work automatically. If you do your updating manually, you can leave it set to ask each time.

    If you're referring to actual DOS apps running on XP, these run inside of ntvdm.exe, the Windows NT DOS Virtual Machine. Depending on what software you run, other apps can use this process, especially older ones. I'd set the ntvdm.exe default child setting to "Ask" and specify allowed child processes as necessary. If you're concerned about the DOS system commands (not those that run through cmd.exe) I listed earlier, they don't work on XP the way they would on 98/ME. Actual DOS commands can't be used against your file system.
    For a more detailed explanation, see http://www.auditmypc.com/process/ntvdm.asp
    Rick
     
  9. herbalist

    herbalist Guest

  10. EASTER.2010

    EASTER.2010 Guest

    Thanks. Got it. I'll need to mess with this some 'cause the first couple of times it "freezes" my explorer (screen) enough to force a hard reboot. I could immediately hear the CPU intensity strain and it stayed that way till flushed by a restart. SSM was completely silent and didn't move toward it at all.

    I'll let you know more as I tinker with it. The System Safety Monitor forum has already officially confirmed this as a "bug", by the way.
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This will work in catching any attempts to start a command shell, but once a shell is started, SSM still won't be able to intercept all the commands run in it (e.g. if you run a batch file).

    This has been discussed at the SSM forum.
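    A toy model of the launch rules herbalist describes (cmd.exe with default parent "Ask", ntvdm.exe blocked) and of the limitation Paranoid2000 raises, added here as an illustration; it is not SSM's code, and the rule table, the Sysmon-style process events and the batch lines are all constructed.

    ```python
    """Toy model of SSM-style process-launch rules (constructed example, not SSM's own code)."""
    from dataclasses import dataclass, field

    ASK, ALLOW, BLOCK = "ask", "allow", "block"

    @dataclass
    class Rule:
        default_parent: str = ASK                      # action when an unlisted parent starts this image
        allowed_parents: set = field(default_factory=set)

    # Rules from the thread: cmd.exe asks for every parent, ntvdm.exe is blocked outright.
    RULES = {
        r"c:\windows\system32\cmd.exe": Rule(ASK),
        r"c:\windows\system32\ntvdm.exe": Rule(BLOCK),
    }

    def decide(rules, parent, child):
        """Apply the child's rule to one process-creation event (paths compared case-insensitively)."""
        rule = rules.get(child.lower())
        if rule is None:
            return ASK                                 # unknown application: prompt the user
        if parent.lower() in rule.allowed_parents:
            return ALLOW
        return rule.default_parent

    # Constructed Sysmon-style (parent image, child image) events.
    EVENTS = [
        (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
        (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ntvdm.exe"),
        (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\xcopy.exe"),
    ]

    def evaluate(rules, events):
        """Return (child file name, verdict) for every process-creation event."""
        return [(child.rsplit("\\", 1)[-1], decide(rules, parent, child)) for parent, child in events]

    # Internal cmd.exe commands never create a process, so a launch-level HIPS cannot see them.
    INTERNAL = {"dir", "copy", "del", "mkdir", "md", "set", "path", "verify", "time", "date", "echo", "cd"}

    def visible_launches(batch_lines):
        """Return only the commands in a batch file that would appear as a process-creation event."""
        visible = []
        for line in batch_lines:
            words = line.strip().lstrip("@").split()
            if not words or words[0].lower() == "rem":
                continue
            if words[0].lower() not in INTERNAL:       # external command: a new process, hence visible
                visible.append(words[0])
        return visible
    ```

    Only the one external command in the batch file (xcopy) shows up as a launch, which is why a rule on cmd.exe controls whether a shell starts but not what it does afterwards.
    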
     
  12. herbalist

    herbalist Guest

    It's doing that on your 98 box?? Did this happen as soon as you clicked on the file? I'd be interested in the details of exactly what's happening.

    This is getting bizarre, not so much that it may be a bug in SSM, but that SSM has no trouble dealing with it on my box. It seems I have a project tonight, trying to determine just what it is about my setup that negates this "bug", whether it's my particular configuration or one of the alterations I've made on my system.

    Then again, the more things like this I see, the better I feel about the security policy and package I've assembled.
    Rick
     
  13. EASTER.2010

    EASTER.2010 Guest

    Negative, that was on the XP Pro box. Sorry I didn't point that out right away.

    I'll try it on the 98SE box next. I found it really odd that other XP security proggys I have in place allowed this thing to fire up too.

    I expect things will be different on the 98 box but dunno yet, will post my results today.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nick s, herbalist and Paranoid2000!
    Thanks for the replies.
    I think I will disable ntvdm totally and keep cmd.exe at Ask User both as child and parent (or block with disconnected user interface).
    I will play with it later to have some satisfactory settings.
    Well, can anyone tell me if free version of ProSecurity will handle these issues better than SSM? Thanks
     
    Last edited: Mar 25, 2007
  15. Get

    Get Guest


    PG free stops it. SSM paid (2.3.0.612) didn't do anything against it but crash (access violation bla bla screen). 2 HIPS doesn't feel so "not done" right now :). I don't know if the cracked arpr is malicious (I don't think so), but it leaves arpr.ini in the Windows folder for what it's worth.
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    ntvdm.exe is used for running .com executables and runs if you invoke System Configuration Editor (Sysedit.exe) for example, and once started keeps running until reboot (unless you shut it down with TM or PE etc).

    I have both cmd.exe and ntvdm.exe set to 'permit once' in PG so they must ask to run. Things are slightly more confusing in SSM full where ntvdm has been placed as a system file, hence having different default settings vis a vis other system files when compared with normal files.

    If you need to use cmd.exe from time to time, and don't want the pop-ups, you can always make a copy and paste it to a new location with a new name. By creating a shortcut icon you can run this copy whenever you wish; but it should not get exploited because its name and file path are wrong. Unless I'm missing something, you should be able to do the same for progs like TM, msconfig, regedit etc - hence having protected originals (set to run once) whilst being able to use the copies freely.

    That way you just get pop-ups when the system etc tries to run the originals.
     
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I don't know quite what prog you are referring to, but I recently trialled Advanced RAR Password Recovery from ElcomSoft, and that left arpr.ini in system32 (or maybe Windows, I can't remember now!) after uninstall.
     
  18. Get

    Get Guest

    I'm referring to the cracked arpr.exe ( Advanced RAR Password Recovery) as being downloaded in post 34 (herbalist) and it leaves arpr.ini in the windows-folder (not in the system32 folder in this case) upon starting the exe/program.
     
  19. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Oh I see; I was using an official version of the prog and it did exactly the same thing - so no change there!

    I opened the .ini file in notepad (just to make sure it was something I should delete) and it just contained some configuration details, such as the filepath of .rar files you've attempted to open etc. Nothing sinister!
     
  20. Get

    Get Guest

    Well not exactly the same, because with you it was in C:\windows\system32 and with me it was in C:\windows, but indeed nothing sinister.
     
  21. EASTER.2010

    EASTER.2010 Guest

    Thanks for that report. I don't have PG installed at present, so good to know.

    SSM (full) was quiet as a mouse when I clicked on it here, then the CPU went through the roof. It seems more like bad code than anything sinister, I agree.
     
  22. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I'm just trying to wrap my brain around using the free version with comodo and avast and powershadow and setting it up correctly so it can be left on instead of just manual.

    I've got one question. How do you set up the Avast antivirus to be INVOKED by SSM as it looks like there is a place to put a command line inside SSM to get the host system's av to start working in the event of something. Just putting the EXE without the DLL seems like it's not going to work for me with avast. Anyone got AVAST invoked correctly inside SSM?
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If Avast is set up to do background scans, then there is no need to configure it in SSM since it will scan all program files when they are accessed (using SSM to scan it again would be redundant).

    If however you are using it as an "on demand" scanner only, see the Avast forum Command Line Interface thread.
     