System Safety Monitor - Questions

Discussion in 'other anti-malware software' started by ErikAlbert, May 20, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Only in pro version.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I ditched SSM and it doesn't matter how good it is. Sooner or later, this software will do something wrong on my computer due to my lack of knowledge, because I have to make decisions in SSM with multiple choice questions.
    According to my readings SSM is one of the best, but what's the point of working with the best, if you don't understand the best.

    Of course I can learn SSM over the years and I will learn how my computer works, etc., but that's not what I want and that's what most average users don't want either, my favorite target.
    Don't expect from an accountant to work with SSM, because his job is accounting and he needs all his time to upgrade his knowledge concerning accounting, not SSM.

    SSM is a software designed for knowledgeable users, the minority group, the EASY group. It's much easier to create security softwares for knowledgeable users, than average users, who don't know anything.
    Average users are also the easiest target to make them buy anything, what do they know ?
    You only need to scare them and they buy anything, even softwares, they can't handle.
    Vendors tell them all about the advantages of their softwares and they keep their mouth shut about the disadvantages and that's what you read on their website. They even use words like intelligent and intuitive to make it look even better.
    If scanners were so intelligent and intuitive, they would NOT have false/positives, but they do have false/positives because they have the I.Q. of a brick and can only do, what programmers told them to do.

    I needed something much better, but I can't use what doesn't exist, so I had to satisfy myself with softwares that were close to what I really want : a clean, trouble-free and malware-free computer, that is able to cure itself without me and without creating more problems, because I'm the weakest link in security due to my lack of knowledge.
    Am I satisfied with my boot-to-restore solution ? NO, but I can't find the right softwares to do it better.
    The main problem is that my boot-to-restore acts TOO LATE when something bad happens.
    Scanners are also acting TOO LATE, except their real-time shield, if they have one. Unfortunately a real-time shield is as good/bad as the scanner itself and can't be trusted either.

    HIPS doesn't help me either, because I have to make decisions myself, me, the stupid one who doesn't even see the difference between good and bad on his computer. All objects on my computer look the same to me and I only recognize the files, I created or downloaded myself. Do I have to guess about the MANY OTHER files to keep them or not ? That would be very risky.

    My boot-to-restore doesn't see the difference between good and bad objects either, just like me. It does only one thing during reboot : it removes ALL changes based on a whitelist of ALL objects on my system partition and that gives me my clean, trouble-free and malware-free computer back after each reboot.
    That's good, but not good enough, because my system partition isn't protected during two reboots and that's why I still need a group of security softwares, that is specialized in stopping the execution of infections, because they act IMMEDIATELY, not on reboot. They don't need to stop the installation of infections or to remove the infections, that job is done during reboot.

    My wish is that I wouldn't need these security softwares in my signatures.
    Why do I need to reboot to remove changes ? Why don't I have buttons like "REMOVE ALL CHANGES" or "KEEP ALL CHANGES" or "KEEP ONLY THIS ...", etc. ? These buttons would be at least a small improvement and make it more attractive.

    This kind of software doesn't exist yet, they all act INCOMPLETE and/or TOO SLOW and/or require KNOWLEDGE.
    So the security industry has still a lot of work to do. Each time the security industry comes up with a new scanner, a new HIPS, a new SANDBOX, ... I get angry. Can't they invent something else for a change, instead of re-inventing warm water over and over again. :rolleyes:
     
    Last edited: May 21, 2007
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If you want a dummy-proof solution, go with SandboxIE and a firewall. Execute all unknown inside the sandbox. Doesn't get any easier than that.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Erik

    You are giving up too easily and over-complicating the whole thing. SSM doesn't have to be complicated. You don't have to concern yourself with rules. Install it and set it up, then run it in learning mode for a few days and turn off learning mode.

    Then it's common sense. If you get a pop-up, ask yourself: did I do something that might have triggered this (like running a program you didn't run in learning mode)? If yes, allow it; if NO, then you might want to investigate what's going on.

    It's no harder to learn this than driving a car.

    Pete
     
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Hmmm... "ALL changes"... Have you ever installed Power Shadow 2.8.2 just as a test? If you did, it placed something on your harddisk... https://www.wilderssecurity.com/showpost.php?p=1008439&postcount=5

    Mike
     
  6. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    This is my umpteenth time with SSM and this time I do feel I'm making progress.

    Previously, I've installed on what to my knowledge was a clean system but with several existing layers of security, hence conflicts and problems.

    This time I've reformatted, installed SSM NOT in learning mode, stayed offline, run as many Windows related applications as I could think of on the machine, allowed SSM to run whatever they needed, installed AV and firewall plus Shadowsurfer, allowed SSM to run them.

    Then I disconnected user interface and I'm done. Machine is the fastest I can remember, SSM is silent and if I try and run something other than the above, SSM simply doesn't allow it. There is nothing I require to download from the internet that I don't already have saved to disk so from now on I can install offline and either put it in Learning Mode for the install or use Install Mode.

    One thing I always had a problem with previously was parent/child rules. This time I set all Groups to 'ask' for these relationships and again using the above method all the applications I need, appear to have only the parent/child relationship they need for my system to function.

    Seems to be working this way but I stand to be corrected by the more experienced.
     
  7. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    @Old Monk,

    GREAT post! :D :D :D

    Mike
     
  8. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi flinchlock

    From that I guess you think I'm doing ok.

    Nice to know there's no 'madness' in my method :D
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Disconnected GUI is a very nice option in SSM.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You better talk about what PowerShadow doesn't do.
    PowerShadow is nothing more than an additional feature in FDISR, which I already have since March 2006.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    So what ? Why would I make it difficult for me, if I can avoid it. SSM is like a quiz, if I'm wrong I lose, if I'm right I win. That's not security, that's a game.
    I leave it up to other members, to play that risky game.

    The people in this thread are just SSM-fans, I know in advance, what they will say.
     
  12. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    What? Ahh, it can not cut my grass?

    What? Are you saying PS is what??

    Mike
     
  13. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Anything wrong with being keen on what a certain software might do for you?

    SSM has frustrated the hell out of me in the past so I'm no fanboy. But I do see the potential so will persevere to see if I can get it right. It's interesting as much as anything else and if I DO get it right then I will feel a sense of learning and accomplishment.

    Care to guess what I will say next Erik ? :D (meant in good humour)
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello ErikAlbert,
    Well, your analysis and conclusions in your Post #27 are correct, of course! And the reason you are so frustrated (and rightly so) is that you get bogged down in discussions of products rather than discussions of solutions.

    If you want to stay on that course, then you just have to learn how to use these products.

    However, your frustration with this aspect of security can be dealt with from another perspective.

    Security is first and foremost a state of mind, and the way information on security exploits is presented, for the most part, keeps many people in a continuous state of anxiety and concern. Often, threads in a forum are based on an article about an exploit.

    A recent example - this article was posted on another forum:

    New and improved version of Gozi Trojan horse on the loose
    Stealthier Russian malware on the loose since April
    http://www.computerworld.com/action...icleBasic&articleId=9019978&source=rss_news10

    A few quotes:

    Most discussions will deal with effects, and not the cause.

    Taking the threat of a keylogger may start a discussion of anti-keyloggers. Some may point out that running in a Sandbox would contain the threat. Yet, recent discussions have suggested that sandbox and VM technology might not be so impervious after all, and what about the idea that your personal data can be sent out even though the browser is running in a Sandbox? It's a never-ending cat-and-mouse game because the solutions discussed are those which start from the premise that the computer has been compromised with installation of the trojan, and now we have to have in place some type of security apparatus to deal with the effects. If the security program throws up an alert, how do you know what to do, as you rightly point out.

    If that is the premise from which you start, then you will continually be frustrated, because there will never be the type of software that you envision: the perfect solution doesn't exist, and probably never will.

    You state,

    Well, you will never have a computer that can cure itself without you, and you don't have to be the weakest link in security.

    The user should be the strongest link in the security strategy, because it is you that sets up the strategy, not the company that makes the products. Your knowledge is gained by compiling data, analyzing, and drawing conclusions.

    So, instead of assuming that the scenario that has been presented about an exploit is inevitable, you can analyze the exploit, see where the attack vector is (how does the trojan get installed on the computer in the first place), and then see what security you have to deal with it.

    Towards the end of the article is this:
    Now, these articles usually don't have a detailed analysis, so you have to get the information and do it yourself. If you search around, you will find SecureWorks' analysis:

    http://www.secureworks.com/research/threats/gozi/?threat=gozi
    So, now we know that the attack vector is via remote code execution on a web site (one of the three principal means by which malware gets installed) and triggers the download of a trojan executable -- here, specifically aimed at the IE browser vulnerabilities.

    Your solutions are obvious, and your first step is to decide if you have the security in place to deal with preventing the trojan from installing in the first place.

    Unless you approach every exploit scenario from this starting point (what are the attack vectors) and develop a security strategy -- it usually turns out that the solutions are basic and simple -- you will never be satisfied that you have a complete and secure security setup. You will continually be frustrated, and will never get to the point where you enjoy using your computer. From this standpoint, it's a no-win situation.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: May 21, 2007
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Excellent post Rmus.

    Expecting to put the responsibility squarely on security vendors to come up with some kind of magic bullet and refusing to educate oneself about the ins and outs of security is nothing but an exercise in futility.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Exactly how did you do that?? That is one of the "Improvements" in SSM that has frustrated me.

    Pete
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This is one of the reasons I undo some test installs with Shadow Protect as opposed to FDISR. It restores both the MBR and track 0 from the image.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    @Rmus

    Excellent

    @Erik. You are looking for a program that accomplishes a certain sense of security. Unfortunately all of them have somewhat of a learning curve. That is the price.
     
  19. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Me thinks SSM is userfriendly. If by not “userfriendly” you mean a synonym for not doing a little bit of thinking yourself, you are right.

    I think the difficulty of this program is highly exaggerated. Granted, when you want to milk out the program’s full potential, you have to be a knowledgeable user.

    Try this shortcut (I have the paid version, I am not familiar with the free version):

    1. stay away from the Leffe Triple
    2. take care your pc is malware free
    3. disconnect from the internet
    4. install SSM and enable "learning" mode
    5. run every program you have on your rig; SSM now makes rules for these programs (now you can get insight into the rulemaking of SSM, e.g. go to the rule tab and select an application rule made by SSM, right-click this rule and take a look at what SSM has done).
    6. (after having run all your programs) disable learning mode and connect to the internet
    7. if SSM asks your permission to allow/disallow e.g. an xxxx.exe and you don’t know what this is all about, go to: http://www.file.net/ for more info. If you are still unsure what to do, disallow/allow it once.

    SSM is the primus inter pares (if these are the words I’m looking for :rolleyes: ) in the HIPS department.

    "You can do it if you believe you can !” (Napoleon Hill)
     
  20. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Aw!, go on Rmus, don't be shy, tell us the solutions! :D

    Well, as an IE6 user who isn't going to change (this side of Vista at least!), I have the following protection:-

    1) Launching programs and files in IFrame is set to 'Prompt' in my browser;

    2) Java script is normally blocked by ZAP's mobile code control;

    3) I run Merijn's 'BugOff', which disables both MS XMLHTTP Objects and ADODB Stream Objects;

    4) If an .exe file lands on my system it has to be allowed to run (PG or SSM should take care of that).

    I think that should be good enough for this one shouldn't it? o_O
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Hi guys,
    Don't waste your time on me, I already ditched SSM and I don't need another approach either. Mine is working fine and a lot more simple and efficient than SSM.
    I don't need #1 in HIPS, because it won't be #1 anymore, when "I" start using it.
    SSM doesn't have a chance in the average user group and that's it.
    Keep on teaching other users how to use SSM, because SSM really needs it. :)
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Don't you think your solution also takes care of a large number of today's exploits besides this one!

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  23. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    Hi Pete,

    Under Rules/Applications, you have SSM, System, Normal, Blocked & Unregistered.

    Select Normal, right click (for DropDown List) select Advanced Properties.
    The AP box will pop up showing Child / Parent. Just click through till you get a ?.

    hth,

    ...screamer

    edit: I just uninstalled 615 beta and went back to 612, that's why the boxes all have ?
     

  24. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    Another way to accomplish this is to run Whats Running. That lists all the child / parent relationships. You can just add them that way.
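    The mechanism behind egghead's seven steps (post 19) and the parent/child rules screamer describes (posts 23 and 24) is the same in any learning-mode HIPS: while learning, every observed parent-to-child launch becomes a permanent allow rule; afterwards, a launch that matches no rule produces a prompt, and "allow/disallow once" answers the prompt without storing a rule. The following is an added toy model of that behaviour, written for this thread and not SSM's own code; the process names and launch events are constructed, and `LearningHips`, `LaunchEvent` and the `(verdict, once)` answer tuple are hypothetical names chosen for the illustration.

```python
"""Toy model of a learning-mode HIPS: learn parent->child launch rules from a
clean, offline machine, then enforce them and prompt on anything unknown.
Added example for illustration only; not SSM's code. All names constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LaunchEvent:
    parent: str  # image name of the process that starts a child
    child: str   # image name of the child it starts


@dataclass
class LearningHips:
    learning: bool = True
    # (parent, child) -> "allow" or "block"; only permanent rules live here
    rules: dict = field(default_factory=dict)
    # every relationship the user was prompted about, in order
    prompts: list = field(default_factory=list)

    @staticmethod
    def _key(ev: LaunchEvent) -> tuple:
        return (ev.parent.lower(), ev.child.lower())

    def decide(self, ev: LaunchEvent, user_answer=None) -> str:
        """Verdict for one launch: 'allow', 'block', or 'ask' when the HIPS
        needs the user and no answer has been supplied yet."""
        key = self._key(ev)
        if self.learning:
            # Learning mode turns everything it sees into a permanent allow rule.
            # That is why the box must be clean and offline first (steps 2-4):
            # anything running during learning gets whitelisted, good or bad.
            self.rules[key] = "allow"
            return "allow"
        if key in self.rules:
            return self.rules[key]          # known relationship: silent verdict
        # Unknown relationship: the HIPS must prompt (step 7).
        self.prompts.append(key)
        if user_answer is None:
            return "ask"
        verdict, once = user_answer         # e.g. ("block", True) = block once
        if not once:
            self.rules[key] = verdict       # permanent answer: stored as a rule
        return verdict                      # "once": no rule, asked again next time


def run_scenario() -> dict:
    """Constructed walk-through of the learn-then-enforce workflow."""
    hips = LearningHips()
    # Learning phase (step 5): the user runs the programs they normally use.
    for parent, child in [("explorer.exe", "winword.exe"),
                          ("explorer.exe", "firefox.exe"),
                          ("explorer.exe", "outlook.exe")]:
        hips.decide(LaunchEvent(parent, child))
    hips.learning = False                   # step 6

    results = {}
    # A learned relationship is allowed without any prompt.
    results["word"] = hips.decide(LaunchEvent("explorer.exe", "winword.exe"))
    # A relationship never seen in learning: the HIPS has to ask.
    unknown = LaunchEvent("firefox.exe", "downloaded_setup.exe")
    results["prompt"] = hips.decide(unknown)
    # User is unsure and picks "block once": no rule, so it is asked again.
    results["once"] = hips.decide(unknown, ("block", True))
    results["again"] = hips.decide(unknown)
    # User is now sure and blocks permanently: rule stored, prompts stop.
    results["perm"] = hips.decide(unknown, ("block", False))
    results["after"] = hips.decide(unknown)
    results["rule_count"] = len(hips.rules)
    results["prompt_count"] = len(hips.prompts)
    results["rules"] = dict(hips.rules)     # what step 5 lets you inspect
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

    The model makes the trade-off in this thread visible: the rule table is only as good as the machine was during learning, and every unknown launch after that lands on the user as a yes/no question, which is exactly the step Erik objects to and the step egghead's "allow/disallow once" advice is meant to make survivable.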
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Layered and non-signature approach :thumb:
    1- Browser security policy.
    2- Whitelisting of browser-interpreted scripts.
    3- Hardening.
    4- Execution interception.
     