Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Haven't seen it disappear, but then again I don't leave it in Stop All Traffic very long so that may be why.

    Would be interested in your results in setting up and using SSM. Between using Kerio and SSM one can have their hands full (personal experience) when using a rule based firewall and classic HIPS. I have no doubt though the combo is very good at securing your machine.
     
  2. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Just as a point of interest, does your Kerio dialog box have this spelling error? (hovering over tray icon, while traffic is stopped)

    Kerio DB 2.png

    Ha, I see you've had your hands full KeyPer, but this is what this thread is about... thrashing things out till they work and as time allows for all concerned. You must have done some hard out reading in that Kerio thread, because there's a lot in it to take on board. I'm really interested in the things you're bringing up just lately. I have time restraints and some way back I got stuck with my router, which noone so kindly tried to help me with through pms. I still need to get more understanding about all that, and I'm keenly aware that instantiating a HIPS is probably biting off more than I can chew until I get these basic things sorted first. I wanted to get this tool while it's still available to get. (You never know when something is going to disappear off the net) I'm reticent to install it until I know more about it.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I've used Kerio forever and never noticed that. Regarding the block all icon in the tray, it does get inconsistent at times about displaying it. Never got around to investigating why.

    Regarding SSM, if you're going to try it, take it slow. Make a system backup before you install it. With the pro version, do not enable the registry rules until you're finished with application rules. They can be overwhelming. If you're running a separate firewall like Kerio, the network rules can wait too. Do not set a password until the rules for the core system processes are done. Setting a password overrides the "connect user interface at startup" option. With the user interface disconnected, you will not be prompted regarding applications that don't yet have rules. They'll be blocked. Make sure that the "show icon in system tray" option is enabled. Focus on the prompts and rules involved in boot up, shut down, and reboot before you start worrying about user applications. The "block everything" option under Options>Applications>Program_Behavior will give you tighter control over the activities of permitted applications but will also give you a lot more prompts and more to configure.
     
  4. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Yes same error. It should read "Stop All Traffic" to match the context menu.

    Yeah read a lot and noone has been a great help. When I was using OA HIPS I got a taste of many popups to answer when I disabled (not recommended by Emsisoft) the whitelist. The default setting is to leave it checked to reduce the number of popups. HIPS part was very good, but firewall especially in free version needed improving IMO. Apparently though, they improved firewall in EIS. SSM has been around for quite some time and with any HIPS program is really geared towards a selected group of users that understand setting up and answering prompts or users who have a strong desire to learn. Give it a go and see how you like it and there is always help here if needed.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's one of the biggest differences between SSM and the HIPS component of OA. SSM has no default whitelist of any kind. It does not differentiate between a system component, a legitimate user application, and a trojan. The decision of what to trust and allow is entirely on the user. This in itself should tell you what SSM requires of you. It will do exactly what you tell it to, whether it's right or terribly wrong.

    The pro version has an option to trust signed binaries and another to silently update checksums for digitally signed files. These are a matter of preference and trust. They will make it easier to create rules for Windows components and other signed user applications. They also take some of the work out of updating rules when Windows is updated, not an issue on XP any more. On the other hand, a digital signature is no guarantee that the file can be trusted. Stuxnet was signed. Myself, I don't trust digital signatures or certificates of any kind.

    Unless you can guarantee that everything on your system is clean and trustworthy, avoid the learning mode. Learning mode will automatically trust everything that you run, including malware.
     
    Last edited: Apr 15, 2015
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On both the free and pro versions, if you look under options>configs, you'll see options to save and change configuration files. I suggest that you avoid the "merge" option on the free version. On the pro version, make a backup of the current set before you use the "import" option. It may not be what you expect. If you're adventurous, these options will enable you to work with and experiment on more than one configuration. Example, you could work on two configurations, one that uses the block process creation setting and another that uses the block everything option. The first would be much simpler by comparison. The 2nd would allow you to manage in detail what is allowed to happen on your system. Just take good notes about what you do, and especially why you did it. The rule groups on the pro version can be confusing until you figure out how it works. Don't be afraid to define more groups. You'll find a few hard coded rules on the pro version. These were problems when the process was suspended pending a response to a prompt or when an option was selected that interfered with a core process and caused Windows to crash. There's only a couple of these. The SSM forum is on the Wayback Machine if you want to research the details behind those decisions.
     
  7. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    OA did have a setting you could uncheck on trusting digitally signed files. As far as whitelists go I got in the habit of removing them even in extensions.
    Creates more work, but default-deny is a better approach than default-allow IMO.
    I do have Kerio still set in "Ask me First" which is sort of like learning mode or so I've read.

    Couldn't find SSM forum on Wayback Machine.
     
    Last edited: Apr 15, 2015
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Not really. I view it as a "default-ask" setting. On that setting, you'll be prompted if something that's new or altered attempts to obtain direct internet access. In some situations, this can serve as a form of intrusion detection. The "deny unknown" setting is the same as placing a block all rule at the end of the ruleset. If you use any form of auto-updating, this setting will silently block the updated applications from internet access, leaving you to figure out why.

    Regarding the old SSM forum, here's a link to it from 2008. Not sure how deep the archive went when saving pages.
    http://web.archive.org/web/20081219124357/http://www.syssafety.com/forum/
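    The three behaviours described in this post and in noone_particular's earlier one (default-ask prompting on new or altered binaries, "deny unknown" silently blocking whatever has no rule, and learning mode trusting everything that runs, malware included) can be modelled in a few lines. The block below is an added illustration, not SSM or Kerio code, and its rule engine, paths and "binaries" are constructed for the example; real products key rules on more than a path and a checksum, but the auto-update failure mode and the learning-mode failure mode come out the same way.

```python
"""Added example (not from the thread or from SSM/Kerio): a toy
checksum-keyed application ruleset evaluated under the three policies
the posts discuss: "ask", "deny_unknown" and "learning".
Every path and binary here is constructed sample data."""
import hashlib

# Constructed sample "binaries": the same updater before and after an
# in-place auto-update (same path, different bytes), plus an unknown file.
UPDATER_PATH = r"C:\Program Files\App\updater.exe"     # hypothetical
DROPPER_PATH = r"C:\Users\me\AppData\Local\Temp\setup.exe"  # hypothetical
OLD_UPDATER = b"updater build 1.0"
NEW_UPDATER = b"updater build 1.1"
DROPPER = b"unknown binary nobody approved"


def fingerprint(path, content):
    """Rules are keyed on (path, sha256 of the file), so a changed
    binary at the same path is a different, unknown application."""
    return (path, hashlib.sha256(content).hexdigest())


class AppRuleset:
    def __init__(self, mode):
        if mode not in ("ask", "deny_unknown", "learning"):
            raise ValueError(mode)
        self.mode = mode
        self.rules = {}     # (path, sha256) -> "allow" | "block"
        self.prompts = []   # paths the user was asked about

    def add_rule(self, path, content, verdict):
        self.rules[fingerprint(path, content)] = verdict

    def decide(self, path, content, answer=None):
        """Return "allow" or "block" for an access attempt.
        `answer` is what the user would click on a prompt (ask mode only)."""
        key = fingerprint(path, content)
        if key in self.rules:
            return self.rules[key]           # explicit rule wins
        if self.mode == "learning":
            self.rules[key] = "allow"        # trusts everything that runs
            return "allow"
        if self.mode == "deny_unknown":
            return "block"                   # implicit block-all, no prompt
        # "ask" mode: prompt, then remember the answer as a rule
        self.prompts.append(path)
        verdict = "allow" if answer == "allow" else "block"
        self.rules[key] = verdict
        return verdict


def run_scenarios():
    """Evaluate the same three events under each mode, starting from a
    ruleset that already allows the original updater."""
    results = {}
    for mode in ("ask", "deny_unknown", "learning"):
        rs = AppRuleset(mode)
        rs.add_rule(UPDATER_PATH, OLD_UPDATER, "allow")
        first = rs.decide(UPDATER_PATH, OLD_UPDATER)
        # The application updated itself: same path, new checksum.
        # In ask mode the user recognises it and clicks allow.
        after_update = rs.decide(UPDATER_PATH, NEW_UPDATER, answer="allow")
        # Something never approved tries to run; user does not allow it.
        dropper = rs.decide(DROPPER_PATH, DROPPER)
        results[mode] = {
            "first": first,
            "after_update": after_update,
            "dropper": dropper,
            "prompts": len(rs.prompts),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in run_scenarios().items():
        print(f"{mode:13s} {outcome}")
```

    Running it shows the trade-off the post describes: "ask" prompts twice and lets the updated program through once approved, "deny_unknown" never prompts and silently blocks the updated binary along with the dropper, and "learning" never prompts either but allows the dropper as readily as the update.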
     
  9. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Just to be clear, is that because your copy doesn't do that, or just that you haven't seen it till now?

    @ KeyPerForLife " Give it a go and see how you like it and there is always help here if needed."
    Thanks. I'm going to hold off this program for a while. I searched for some documentation on it like a user manual or something and I basically came up empty handed. I want to know more about it before I install. BTW, I downloaded the latest beta, which I had seen somewhere, it was perfectly stable. Does it have an uninstaller?

    Did a lot of looking around that forum recently and went back there yesterday. Sadly many threads only show at the top level... the actual posts within them it seems aren't archived in the Wayback Machine. I only tried the latest date so I'm not sure if you go back earlier that would change. I was also really disappointed to get a "bummer, the server is down, we're working on it" message when I went to click on the screenshots.
     
  10. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    System Safety Monitor final beta 559

    Fixed incompatibility with:
    • Kerio Personal Firewall HIPS

    I take it they're talking about version 4 here.

    Come to think of it I did at one time use version 4 and it was Sunbelt Software.
    (Sunbelt Software acquired Kerio)
    Didn't last long on machine and removed it.

    System Safety Team: DLL libraries loading by means of SetWindowsHookEx API is blocked in the SSM process.

    SSM still fails PCFlank leaktest. // Wasn't able to get to pages.
     
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Clicking on the Downloads link in the left pane (from noones link above) it shows the latest beta to be 2.4.0.619. That's the one I DL'd.
     
  12. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Went there myself and same result and if I didn't get that message still was unable to see any screenshots that were listed on the page.
    There are a couple screenshots available online at SnapFiles.com you could check out.

    Here are some snapshots of SSM.
    https://web.archive.org/web/2008051...dows/System-Safety-Monitor-Review-31107.shtml

    Like noone mentioned I would make a system backup before installing SSM.
     
    Last edited: Apr 15, 2015
  13. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    If you're referring to getting SSM from CNET download.com, I don't trust that site.

    There is another page under SOFTWARE downloads that lists SSM

    SSM-2.4.0.622-beta.exe
    SSM-2.4.0.621-beta.exe
     
    Last edited: Apr 15, 2015
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Yes, normal uninstall with an option to preserve your last rules.
    PM me for link to help file.

    This forum had a bunch of good threads about SSM - you'll see many if you use this URL:
    "SSM site:wilderssecurity.com" without the quotes.
    Start with the older posts, they're the best giving some basics.

    The current=last issued SSM is 2.4.0.622-beta. Beta because of some Vista code. Works fine on XP-SP3.
     
    Last edited: Apr 15, 2015
  15. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Sunbelt got a bad reputation when their early v4 had some issues. 4.6.1861, 4.7.4.0(free), 4.7.5.0(free) are fine.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Mine has that typo. Just never paid any attention to it.

    The last SSM pro version was 2.4.0.622. I have copies of both the free and pro versions. Both have uninstallers. The only reason it was called beta was due to compatibility issues with Vista. That issue is moot as SP1 for Vista broke SSM. For XP, it's completely stable.
    SSM hooks a huge number of APIs. If you have a copy of RKU (RootKit Unhooker) any version will do, have it create a report while SSM is running. It will show you a long list of them. On the pro version, you can also go to the rules page, applications tab, click on a rule, then explore the options on the tabs that appear below the ruleset. Those tabs include System Control, Code/DLL injection, Process control, Protection, and others. When you hover the mouse over many of them, SSM will display a tooltip that names some of the APIs it hooks to provide that ability. API hooks have been given a bad reputation by Microsoft and others, at times being referred to as malware methods. The current versions of Windows don't allow many of the hooks that SSM used. The most common arguments against them were that they're unapproved and/or unofficial methods of controlling an OS that can cause problems if not implemented properly. Considering that SSM uses several hundred of them and both the OS and SSM remain stable, I have to conclude that they did their job properly. When properly implemented, very few things can bypass them, including most malware. The tools that are capable of undoing those hooks would still need SSM's permission to run. IMO, on the systems that permit them, they are one of the most effective ways to implement control over that system.
     
  17. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks for the correction guys. For some reason I've got noone's link mixed up with the webpage I DL'd from. I just checked from that webpage which I saved and indeed it's from the 2007 archive.

    @act8192 I'll pm you for the link and thanks for the headsup on the Wilders links.

    @KeyPer - thanks for that snapfiles link which I'll visit shortly. I wouldn't (knowingly) touch CNET with a bargepole. Really, the decent places you can download from now without getting excess baggage or some scumware are far and few between and sadly what you trusted today, may not stay that way tomorrow.
     
  18. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Is there much difference in the GUI between the versions? I managed to get about 1/2 of those to enlarge.
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The images on this page seem to work. I think they're from the same older version but many of them are still accurate. They don't show the many configuration options available on the application rules, 3rd image, top row.
    https://web.archive.org/web/2011112...dows/System-Safety-Monitor-Review-31107.shtml

    If there's specific images you'd like to see, I can post them.

    I checked the captures from later dates. They're all from the same old version, 2.1.5.580.
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Not sure. It looks like snapshots are showing SSM version 2.1.5.580. Newer versions are probably similar, but noone may know changes to the GUI.
     
  21. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks noone and KeyPer, I've saved the images and I'll look more in depth a bit later and let you know if there's something I'd like to see.
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Here are screenshots of what I consider to be some of the more important options the screenshots on the other links didn't show.
    Special permissions, configurable for each individual process.
    Process rules, special permissions.png
    Advanced properties for rules of each individual process. This is where parent-child permissions are set.
    advanced properties.png
     
  23. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    I checked Kerio firewall SSDT hooks and it shows 5 (fwdrv.sys)

    ZwClose
    ZwCreateFile
    ZwCreateProcess
    ZwCreateProcessEx
    ZwCreateSection

    I also recall SSM hooking a large number of APIs.

    I was also looking at Malware Defender. Both SSM and Defender one could age another year before setting either of these apps up and running them correctly. :)

    http://www.snapfiles.com/screenshots/malwaredefender.htm
     
    Last edited: Apr 16, 2015
  24. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Man, those two screenshots... I really want to go back to XP now! Damn those settings are insane! It's like a GUI version of Online Armor!

    At the moment on W7HP, using internal firewall along with Windows Firewall Control. I have SpyShelter Premium as my HIPS.

    It looks like the new Kerio is more targeted towards businesses? Big $$$ for one year subscription...
     
    Last edited: Apr 16, 2015
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That was one thing that I noticed regarding RKU and its list of hooks. If there is more than one hook on an API, RKU reports only one of them. The last version of SSM is bigger than the one shown on the Softpedia Web Archive. It's now 4.3MB, very small when compared to most security applications. Malware Defender does look quite similar. I wanted to try it but could never get it to install correctly. It always blue screened before it finished. I suggest you avoid using SSM or MD in combination with any other security application that has a HIPS component. When more than one application hooks the same groups of APIs, they start interfering with each other's ability to function. Windows can be very intolerant when certain API functions are suspended or delayed.
    It takes a while. With XP especially, you're taking over the support of the operating system. That can be better accomplished by learning how the OS works and what its various components are for. It's a long process but you don't have to do it all at once. I would hope that a first time user doesn't start by setting SSM to the block everything mode, set all of the parent-child permissions to ask, and have it prompt on every special permission and command line parameter. With no rules made, you'd be buried in prompts. Enable options as you learn them and understand which applications each would be important to. After the application rules themselves, I suggest focusing on the parent-child permissions (advanced properties).
     