Can SSM Free do this?

Discussion in 'other anti-malware software' started by poirot, Sep 12, 2006.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined: May 4, 2005 | Posts: 299
    dylanfan in #38 of his "What is the best HIPS out there?" poll revealed that:
    As I am considering a change to System Safety Monitor, I'd like to know if the particular setup depicted by dylanfan can be carried out with just the Free edition of SSM, or if you need the Pro version.
     
  2. herbalist

    herbalist Guest

    The free version works the same way. I'm assuming it's a typo in the quoted portion above regarding the tray icon color. When the UI is disconnected, the icon turns blue. As for the modules you mentioned, they will also help protect your system, but with the UI disconnected, you'll receive no alerts from them. They'll work silently.
    I wouldn't call the results "bulletproof" but it's a good start. Just because you want to allow a given application doesn't mean you want every other allowed application on your system to be able to start it. Exploits are found for different apps and system components regularly. Regedit.exe is quite legitimate when you start it via Windows Explorer. You don't want your browser or IM program using it. If for example your IM program is allowed to run Regedit.exe (which Yahoo does try to do) and someone finds an exploit that allows malicious code to be sent thru Yahoo, that code has access to your registry because you allowed it.
    Using the method you quoted, SSM will stop any unknown process from running. What it won't do on those settings is protect you from exploits found in the apps you've permitted. That level of protection is achieved by controlling what permitted apps are allowed to do. Personally, I'd treat the procedure you described as a starting point, except I would have been using the "allow running this application by its parent application" option, which gives you more control over what is allowed to start that process. The resulting rules are more restrictive but it will take you longer to configure everything. My preference is to have total control, but SSM will allow you to do either. The best method is the one you're comfortable with. If you're not comfortable with specifying every allowed activity or dependency, don't try to. If you decide to use the results of the learning mode as is, SSM is still protecting you from unknown processes, which goes a long way against most adware/malware. Besides, you can always edit the rules later, if you want to.
    Rick
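
Added example, not part of herbalist's post and not SSM's rule format or API: a small Python model of the two approaches the post contrasts, a flat list of permitted applications versus "allow running this application by its parent application". The rule tables, the sample launch events and the names im_client.exe, browser.exe and unknown_tool.exe are constructed for illustration.

```python
from typing import NamedTuple

class ProcStart(NamedTuple):
    parent: str  # image name of the process requesting the launch
    child: str   # image name of the process being launched

# Policy A (model): every permitted application may be started by anything.
ALLOWED_APPS = {"explorer.exe", "regedit.exe", "im_client.exe", "browser.exe"}

# Policy B (model): each permitted application lists the parents allowed to start it.
ALLOWED_PARENTS = {
    "regedit.exe": {"explorer.exe"},
    "im_client.exe": {"explorer.exe"},
    "browser.exe": {"explorer.exe", "im_client.exe"},
}

def flat_verdict(ev: ProcStart) -> str:
    # Only asks "is the child known?"; the parent is ignored.
    return "allow" if ev.child.lower() in ALLOWED_APPS else "block"

def parent_verdict(ev: ProcStart) -> str:
    # Asks "is this parent permitted to start this child?"; unknown children have no parents.
    parents = ALLOWED_PARENTS.get(ev.child.lower(), set())
    return "allow" if ev.parent.lower() in parents else "block"

def exposure(events):
    """Launches the flat allowlist permits but the per-parent rules stop."""
    return [ev for ev in events
            if flat_verdict(ev) == "allow" and parent_verdict(ev) == "block"]

# Constructed sample launch events (mixed case, since Windows image names are case-insensitive).
EVENTS = [
    ProcStart("explorer.exe", "regedit.exe"),       # user starts Regedit from the shell
    ProcStart("im_client.exe", "regedit.exe"),      # IM program starts Regedit
    ProcStart("Browser.exe", "REGEDIT.EXE"),        # browser starts Regedit
    ProcStart("im_client.exe", "browser.exe"),      # IM program opens a link
    ProcStart("explorer.exe", "unknown_tool.exe"),  # process with no rule at all
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.parent:>14} -> {ev.child:<17} "
              f"flat={flat_verdict(ev):<5} by-parent={parent_verdict(ev)}")
    print("stopped only by per-parent rules:",
          [(e.parent, e.child) for e in exposure(EVENTS)])
```

Both policies block the unknown process; only the per-parent rules stop Regedit.exe when the IM program or the browser is the one launching it.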
     
  3. poirot

    poirot Registered Member

    Thank you very much herbalist for your very detailed and informative reply,
    I am very glad I can begin with the Free one and try out these settings.
    Obviously I'll have to ponder and understand better what you just suggested as soon as I've installed SSM, but I hope you'll be around here in the near future!
     
  4. herbalist

    herbalist Guest

    Thanks. I hope to still be around for a while. There are other long time SSM users here too that would gladly help.
    SSM is the kind of application you can "grow into." The more you learn what it can do, the more it will do to protect your system. Unlike a lot of other software, the free version of SSM is not watered down or otherwise restricted. It's fully functional. The version that's free now was the pay version, until they released 2.1 and made 2.0 free. While the 2.1 (and the 2.2 beta versions) can do more than the 2.0 versions, the free versions are not weak by any means. Aside from some extra features, the main difference between 2.0 and 2.1 is that 2.1 is for NT systems only (2K, XP, etc.), while 2.0 works on all versions of Windows from 98 up, except Vista. Where it stands with Vista remains to be seen.
    A couple of suggestions for you. The help file for SSM is quite good and intuitive. Definitely worth reading and referring back to. If you have SSM's main interface open, the help file opens to the info that applies to the tab or section of SSM you're viewing at the time. It doesn't cover all the details of the advanced options and special permissions. It would take a small book to really do justice to those features.
    SSM can be set up to require a password to access the screens, make and edit rules, etc. It's an excellent option once you're done configuring it. During setup, the password option can be a big inconvenience. Hold off on setting a password until you have the basic configuration done.
    On the main screen, options tab, you'll see "general" on the left side. The "start automatically" option is listed there. Once your ruleset is finished, you'll probably want this enabled, but for the first part of the setup, leave it unchecked. If you're using the learning mode, reboot your system a couple times during the setup. When you do enable the "start automatically" option, leave SSM in learning mode for at least one more shutdown and reboot. There are system processes and activities involved in the shutdown and startup process that SSM will need to make rules for, which are not normally visible to the user.
    Pay special attention to your AV while in learning mode. Make sure it gets to run thru the update process, even if you have to launch it manually. Better yet, if it updates on a schedule, add a scheduled update to happen while you're at the PC and able to respond to any alerts you might get. Although not common, you can still see an alert while in learning mode. If your AV is integrated into other programs such as a download manager or instant messenger, have them launch it once. If your AV added an entry to the right click menu, use it at least once. Most AVs have a lot of components nowadays, some of which aren't used very often. CD/DVD burning software is another that may need special attention. Many have a lot of executables. Some use different ones for burning music and data CDs and for ripping. Try to cover all its functions.
    On the modules tab, for several of the modules listed on the left, there's a default behavior at the bottom of the screen. The start menu and internet explorer modules are 2 that have that option. If I remember correctly, the default option for the startup menu module is "allow", meaning that changes to the startup menu are allowed, whether the UI is connected or not. If you want to block changes to these areas, make sure the "block" option is set for that module. On the registry module, the default action can be set for each key individually. If you have a good understanding of the registry, you can tighten these even more. If you aren't used to working with the registry, leave it on the default settings. They're pretty good. The "window filter" module makes an effective parental control tool. It works on file names, folder names, control panel applets, programs/applications, and web pages.
    SSM has the ability to create and store more than one ruleset. Look on the "Options" tab on the main screen. On the left edge, you'll see "Configs". The "save as" option will save the existing ruleset under the name of your choice. The "change config file" will allow you to replace the existing ruleset with any ruleset you previously saved. Avoid the "Merge" option for a while. Once you get past the initial learning mode, save the resulting ruleset as a starting point that you can come back to, should you need to do so. If you're concerned about causing problems by editing rules, make a backup copy before you do. SSM names the original ruleset "global.cfg". Pick a name that lets you follow the progress as you go. Names like global1, global2, etc. You can also use the date/time you saved it. Whatever is easiest for you.
    If you're installing SSM on a multi-user PC, concentrate on the ruleset for your account or profile first. When it's done, edit it to fit whatever you require for other users. If you have an account for a child for example, you can block him from using any application you choose while permitting it on your account. SSM can use a different ruleset (and windows filter list) for every user if you want it to.
    When you do decide to switch out of learning mode, consider leaving the UI connected for a while, on your user account/profile, not someone else's. There's bound to be a few items that get overlooked, either user programs, updaters, scheduled tasks, maintenance utilities, etc.
    If you need help with any of the setup, just ask.
    Rick
     
  5. poirot

    poirot Registered Member

    herbalist, I'm overwhelmed by the cornucopia of tremendous tips and suggestions you produced, new users have no unnecessary mountains to climb anymore!
    I didn't have time to install SSM yet, but I'll do it within the next couple of days, as I prefer to install such an important piece of software in a relaxed mood without being pressed for time.
    I'll print your tips and keep them handy, however.
    Let me tell you that, judging from your writing style (it's a pleasure to read your posts), you're more a 'Shaman' than a mere 'herbalist'....
    Thanks again, poirot.
     