What are the best settings for “non-techno” using System Safety Monitor (SSM)?

Discussion in 'privacy general' started by sweater, Sep 21, 2005.

Thread Status:
Not open for further replies.
  1. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,678
    Location:
    Philippines, the Political Dynasty Capital of the
    :rolleyes:
    I’m just wondering if I can still change some settings in SSM to make it more “friendly”… I mean, can I make it more “automatic” in detecting “friendly” things while surfing, and allow or block those things so that there are fewer pop-ups? Because some of the things in those pop-ups (e.g. DLLs and other things I don’t understand that ask me to decide) are very hard for a non-expert to grasp. :( :p
     
  2. herbalist

    herbalist Guest

    SSM is basically rule-based application control. When you mentioned DLLs, I assume you're referring to alerts about DLL injection or Windows hooks, similar to this one?
    http://mercury.walagata.com/w/herbalist-rick/yahoo_hook1.gif
    Without knowing what application is doing the requesting and whether the requested DLL is a legitimate system file, the question doesn't have a simple answer. Take the image above for example. Before I made rules regarding them, it was one of three alerts I'd get whenever I launched Yahoo IM, version 5.6. Both ypager.exe and idle.dll are legitimate files installed by Yahoo IM.
    The legitimacy of the files is the first thing you need to check on whenever you get these alerts. A Google search on the file name should give you plenty of info. Be very careful if a search of the filename yields no results. A lot of malware uses random filenames, but so do some legitimate apps.
    Even if the filenames and apps are legit, it doesn't necessarily mean that the hooking or DLL injection is necessary. That's going to vary with every application. The "allow...this time" and "deny...this time" options help here. The first 3 options the alert gives make rules for the named application. The last 2 do not. My "normal policy" for this kind of problem is to only allow what's absolutely necessary for the application to function. For the alert above, I decided to try blocking the hook once, and found that Yahoo IM functioned quite normally without it. Other programs and system components may respond differently.

    Experiment with the "block this time" option and see how the app functions before you make any permanent rule. Some apps will crash or fail to function when not allowed to set hooks or start other processes. This is especially true when dealing with actual OS components. I managed to crash my whole system many times while making rules for the system components. Fortunately, SSM doesn't automatically launch on the next system start when your operating system crashes or doesn't properly shut it down, a very good precaution.
    If the rules you presently have in place for SSM aren't causing any operational problems, make a backup copy of that ruleset. You can do that from the service tab. Make changes slowly, opening and closing the apps you're working with to see how the rule changes affect them. If it's actual windows system components you're working with, reboot after making changes to make sure the changes don't interfere with normal system function. If everything still works normally, make another backup of the new ruleset under another name. When I was tightening up my ruleset, I used a date-time combination for the filename to make it easy. Keep the original backup as a starting point.
    While I don't know of any easy way to set up SSM, there are certain options you will want to use.
    Do enable the plugins. They monitor the different autostart areas of your system.
    Do set it to watch application activity.
    On the options tab, under "behavior", you'll see the option:
    "Create allowing rules for current parent+child pair instead of any parent+child"
    Although it decreases the amount of control you have over your system, you'll see a lot fewer alerts if you leave this unchecked.
    I'm sorry that I don't have any easy answers for you. Learning to configure SSM is a learning experience in itself and can teach you much about your system. Just take your time. The more you learn about your operating system and SSM, the more control you'll have over your system.
    One other thing, slightly off topic. SSM does give you the ability to keep a process in memory. I use this option with the executables for my firewall and resident AV. If something manages to shut either one down, SSM will restart them. It's a good way to use one security app to protect another (layered security). You'll find that option on the "Application rules" tab, under process creation control. The lower tabs become active when a rule is highlighted. Don't use this on Windows system components. You will also need to disable this feature when updating your AV or firewall. The easiest way is to shut down SSM when doing so.
    Rick
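
    The post above says the first thing to do with a hook or DLL-injection alert is to check whether the named file is legitimate, and warns that random filenames defeat a plain name search. As an added example (not from the original post and not part of SSM), the PowerShell function below collects the facts that support that check: where the file sits, who it claims to come from, whether it carries a valid Authenticode signature, and its SHA-256 hash, which gives an exact value to search for when the filename alone turns up nothing. The path passed at the bottom is a placeholder standing in for the path shown in the alert.

    ```powershell
    # Added example, not code from the original post or from SSM.
    # Gathers evidence about a file named in an SSM hook / DLL-injection alert
    # so a decision to allow or deny can rest on more than the filename.
    # Assumption: the path given to the function is the one shown in the alert.

    function Get-AlertFileReport {
        param(
            [Parameter(Mandatory)][string]$Path
        )

        if (-not (Test-Path -LiteralPath $Path)) {
            # A file that has already vanished is itself worth noting.
            return [pscustomobject]@{ Path = $Path; Exists = $false }
        }

        $item = Get-Item -LiteralPath $Path
        $sig  = Get-AuthenticodeSignature -FilePath $Path
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

        # Files outside the usual system and program locations deserve a closer look.
        $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
            Where-Object { $_ }
        $inTrustedRoot = $false
        foreach ($root in $trustedRoots) {
            if ($item.FullName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedRoot = $true
            }
        }

        [pscustomobject]@{
            Path            = $item.FullName
            Exists          = $true
            SizeBytes       = $item.Length
            LastWrite       = $item.LastWriteTime
            Company         = $item.VersionInfo.CompanyName
            Product         = $item.VersionInfo.ProductName
            FileVersion     = $item.VersionInfo.FileVersion
            SignatureStatus = $sig.Status              # Valid, NotSigned, HashMismatch, ...
            Signer          = $sig.SignerCertificate.Subject
            SHA256          = $hash
            InTrustedRoot   = $inTrustedRoot
        }
    }

    # Placeholder path: replace with the file named in the alert.
    Get-AlertFileReport -Path 'C:\path\from\the\alert\example.dll' | Format-List
    ```

    A signed file from the vendor you expect, sitting under Program Files, is the easy case. NotSigned or HashMismatch, an unexpected company name, or a location such as a temp or profile directory are the cases where the post's advice to deny once and watch what breaks applies before any permanent rule is written.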
     
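    The post also describes SSM's option to keep a firewall or AV process in memory and restart it if something shuts it down, with the caveat that it must be switched off during updates. As an added example (not from the original post and not SSM's own mechanism), this PowerShell loop is a hand-rolled stand-in for that option: it polls for the guarded processes, restarts any that are missing, and honours a pause file so it can be disabled while the guarded programs are being updated. The process names and paths in $Guarded are placeholders.

    ```powershell
    # Added example, not code from the original post or from SSM.
    # A minimal keep-alive for security processes, in the spirit of SSM's
    # "keep process in memory" option. Assumptions: the names and paths below
    # are placeholders; creating the file at $PauseFile suspends restarts
    # (the equivalent of disabling the option before an AV or firewall update).

    $Guarded = @(
        @{ Name = 'firewall_placeholder'; Path = 'C:\Program Files\Firewall\firewall_placeholder.exe' },
        @{ Name = 'avguard_placeholder';  Path = 'C:\Program Files\AV\avguard_placeholder.exe' }
    )
    $PauseFile = Join-Path $env:ProgramData 'keepalive.pause'

    function Test-ProcessRunning {
        param([string]$Name)
        return [bool](Get-Process -Name $Name -ErrorAction SilentlyContinue)
    }

    # Performs one pass over the guarded list; returns the names it restarted.
    function Invoke-KeepAliveOnce {
        param([array]$Targets, [string]$Pause)

        if (Test-Path -LiteralPath $Pause) {
            Write-Verbose 'Pause file present; not restarting anything.'
            return @()
        }

        $restarted = @()
        foreach ($t in $Targets) {
            if (Test-ProcessRunning -Name $t.Name) { continue }
            if (Test-Path -LiteralPath $t.Path) {
                Start-Process -FilePath $t.Path
                $restarted += $t.Name
            } else {
                Write-Warning "Cannot restart $($t.Name): $($t.Path) not found."
            }
        }
        return $restarted
    }

    while ($true) {
        $r = Invoke-KeepAliveOnce -Targets $Guarded -Pause $PauseFile
        if ($r) { Write-Host ('{0:s} restarted: {1}' -f (Get-Date), ($r -join ', ')) }
        Start-Sleep -Seconds 5
    }
    ```

    As with SSM's option, do not point this at Windows system components, and create the pause file (or stop the script) before running an AV or firewall update, otherwise the updater's own shutdown of the old process is immediately undone.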