System Safety Monitor Learning Thread

Discussion in 'other anti-malware software' started by TheKid7, Jun 18, 2008.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Hopefully it's okay to post another SSM sample alert again :)

    This time it involves the somewhat mysterious Rundll32.exe process, occasionally talked about in these forums. There is some info on the process here and here.

    In this example I attempt to launch a Linux file called "menu.lst" (lists the operating systems available at startup), found in the Linux Grub folder, using the "Open with" option in XP, where I choose Microsoft Word 2007. SSM gives me the alert found in the screen shot.

    SSM alerts on this attempt even though I already have a rule for WINWORD.EXE. I am not really sure what it is about the nature of the alert, because SSM seems to indicate WINWORD.EXE is an "unregistered" program? Or could it be that since it is a DLL being launched as an app that it is seen as unregistered? My guess is that the switch "/DDE" (Dynamic exchange data) is somehow responsible for SSM seeing WINWORD.EXE as unregistered.

    I wanted to post this alert because I consider it one of the less obvious ones users might see.
     


  2. wat0114

    wat0114 Guest

    We can now take a look at creating a new Group.

    SSM by default contains five Groups:
    • SSM
    • System
    • Normal
    • Blocked
    • Unregistered

    **Very Important**
    These Groups also contain default Special permissions and Advanced properties. Special permissions cannot be changed on the Group SSM, while Advanced properties cannot be changed on the Group Blocked. They are hard-coded by the developer for good reason.

    It is a good idea to check the Special permissions and Advanced properties on the other Groups, especially Normal, because SSM by default tends to assign the “Allow” (green checkmark) for all Parent/Child checkboxes for all applications under it! This is a very liberal permission set for these applications. My recommendation is to change the checkmarks to question marks.

    FWIW, I don’t use Blocked or Unregistered, as these imply, to me, Groups of applications that should not be allowed on my computer. However, I find the remaining three Groups are not sufficient for me to properly organize all the applications in SSM, so I like to create a couple others.

    How to create a Group:

    1. Rules-> Applications…anywhere in the application window right-click-> Edit groups-> Add group
    2. Give it a name (I’ll use “Sample group”) -> Ok
    3. You will now want to set Special permissions and Advanced properties on the new Group. Special permissions can be reached by highlighting the Group, then right-click-> Special permissions, or you can select any of the tabs in the lower pane. The screen shot loosely illustrates this. Advanced properties are set by highlighting the Group-> right-click-> Advanced properties.
    4. Keep in mind that a red circle w/diagonal line through it means those Special permissions options will not be checked. What exactly you choose for these parameters determines the restrictiveness of the Group.
    5. Again, I would recommend question marks for the Group’s Parent/Child checkboxes under Advanced properties.
    Next time we can look at moving existing applications that already have rules, into this new group, then reverting their rules to that of the Group.
     

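To make the Group inheritance and the three permission states (green checkmark, question mark, red circle) concrete, here is an added Python model of the scheme described in the post above. It is written for this page and is not SSM's own code, rule format or API; the class and function names are hypothetical, and the group names, paths and the rundll32.exe launching WINWORD.EXE chain from the first post are constructed sample data.

```python
"""Toy model of a HIPS Group / Parent-Child permission scheme.

Added illustration for this page; not SSM's code, rule format or API.
All names here (Perm, Group, App, decide, ...) are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Perm(Enum):
    ALLOW = "allow"  # green checkmark: silently permitted
    ASK = "ask"      # question mark: prompt the user at run time
    DENY = "deny"    # red circle with a diagonal line: refused


@dataclass
class Group:
    name: str
    parent: Perm          # may members of this Group start other programs?
    child: Perm           # may members of this Group be started by others?
    locked: bool = False  # hard-coded Groups are not editable


@dataclass
class App:
    path: str
    group: Group
    parent: Optional[Perm] = None  # per-app override; None = inherit from Group
    child: Optional[Perm] = None

    def effective(self, which: str) -> Perm:
        own = getattr(self, which)
        return own if own is not None else getattr(self.group, which)


class LockedGroup(Exception):
    pass


def set_group_perms(group: Group, parent: Perm, child: Perm) -> None:
    """Edit a Group's Parent/Child defaults; refused for hard-coded Groups."""
    if group.locked:
        raise LockedGroup(f"{group.name} is hard-coded and cannot be changed")
    group.parent, group.child = parent, child


def move_to_group(app: App, group: Group) -> None:
    """Move an app into a Group; its own overrides are kept."""
    app.group = group


def revert_to_group(app: App) -> None:
    """Drop the app's own rules so it takes the Group's (the 'revert' step)."""
    app.parent = app.child = None


def decide(parent: App, child: App, answer: Optional[Perm] = None) -> Perm:
    """Verdict for 'parent launches child'.

    The parent's Parent permission and the child's Child permission are
    combined: any DENY refuses; otherwise any ASK raises an alert, and
    `answer` stands in for the user's click (None = alert still pending,
    reported as ASK); otherwise the launch is silently allowed.
    """
    verdicts = {parent.effective("parent"), child.effective("child")}
    if Perm.DENY in verdicts:
        return Perm.DENY
    if Perm.ASK in verdicts:
        return answer if answer is not None else Perm.ASK
    return Perm.ALLOW


def demo() -> Dict[str, object]:
    """Walk through the scenario from the posts; returns the verdict per step."""
    # Normal is liberal (all green checkmarks); Blocked is hard-coded deny;
    # "Sample group" uses question marks, as the post recommends.
    normal = Group("Normal", Perm.ALLOW, Perm.ALLOW)
    blocked = Group("Blocked", Perm.DENY, Perm.DENY, locked=True)
    sample = Group("Sample group", Perm.ASK, Perm.ASK)
    # Constructed sample: rundll32.exe ("Open with") launching Word.
    rundll32 = App(r"C:\WINDOWS\system32\rundll32.exe", normal)
    winword = App(r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE", normal)

    out: Dict[str, object] = {}
    out["normal_defaults"] = decide(rundll32, winword)        # silently ALLOW
    winword.child = Perm.ALLOW                                # existing own rule
    move_to_group(winword, sample)
    out["own_rule_moved"] = decide(rundll32, winword)         # still ALLOW
    revert_to_group(winword)                                  # now inherits '?'
    out["reverted"] = decide(rundll32, winword)               # ASK: alert raised
    out["user_allows"] = decide(rundll32, winword, Perm.ALLOW)
    move_to_group(rundll32, blocked)
    out["parent_blocked"] = decide(rundll32, winword)         # DENY wins
    try:
        set_group_perms(blocked, Perm.ALLOW, Perm.ALLOW)
        out["blocked_editable"] = True
    except LockedGroup:
        out["blocked_editable"] = False
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:18} -> {verdict}")
```

The point the model makes: an application with its own "Allow" rule keeps that rule when it is merely moved into a stricter Group, which is why the post's next step, reverting the moved application's rules to the Group's, is what actually turns the green checkmarks into question marks.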

  3. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Are there any known conflicts of SSM with other applications?
     