Is it me or is SSM going mad.......

Discussion in 'other anti-malware software' started by Old Monk, Nov 10, 2006.

Thread Status:
Not open for further replies.
  1. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    I posted this in NOD32 forums last week.

    Just started a scan with BitDefender 8 and exactly the same warning came. On this occasion, I thought I'll just press the 'allow' button to see what happens. Again sore fingers ! Had to click allow at least 10 times.

    Then I couldn't close the scanner and had to close it via Task Manager.

    Then I get the DrWatson SSM prompts and Dump Log prompts.

    Restarted BD, tried to scan and got the message that the scanner couldn't be accessed.

    Rebooted, started BD and scan started normally ( as I type, BD says I have a trojan to quarantine -aaaargh - I'm not kidding either - scan not finished yet !)

    What's happening here - does SSM not like AV Scanners ?

    I'll send Dump report to SSM on Monday but does anyone here have a clue ?
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    it does seem it's going mad. when i used ssm it stopped wincleaner ultra one click from finishing a check and now even with a reinstall of wincleaner ultra it still won't work. this is without ssm installed.

    so what is up with ssm lol.
    lodore
     
  3. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi Lodore

    I see your sig states you're still a fan though :)

    In principle so am I, but this sort of behaviour is raising some doubts, especially having paid for it after the free version working ok.

    On the brighter side the BD trojan was just Bill@GreenBorders browser test. Odd though, the last BD scan revealed the Eeye FP but nothing about the index.hta of Bill's. Wonder why BD missed it first time around ?

    Anyway, I guess that can wait. I'm more interested at present as to user's experience with SSM and what may be the issue there.

    Counterspy was a recent dud buy even at the offer price and I'm hoping SSM isn't going the same way :ouch:
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    other than that i did like ssm but too many popups forced me to get rid of it.
    lodore
     
  5. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Glad to hear it is not just me. Running SSM 2.0.8.583 free. Strange things here as well with no pattern. BSODs with various failure references. Sometimes the system reboots on its own. I will walk away for a while, come back and it is sitting at the log on screen. Have been allowing SSM to send the error reports including a brief description of what I was doing at the time of the restart or BSOD. Also provided an e-mail to receive a reply. As of yet no reply.
    Edit: No sooner finished typing and posting this and BAM BSOD o_O :(
     
    Last edited: Nov 10, 2006
  6. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi ThunderZ

    I submitted a bug report to SSM a little while ago. Massive problems, BSOD's, can't send error reports, restored a TI image at start of problem, same again, can't send error report, SSM reporting unexpected termination, reinstall,....... now this - jeez this is cathartic :mad:

    They say not down to SSM and can't reproduce the problem.

    I love the concept and not voiced my doubts as sometimes I'm a little embarrassed to say (and I bet I'm not the only one) - hey great, yeah I'll spend the money on this holy grail of security apps and then feel totally lost.

    There, that's got it off my chest - now, question is, is it running before it can walk and are these problems surmountable.

    Sorry to rant but there's another thread running about what is REALLY needed to be secure and as of now I'm favouring the 'less is more approach'
     
  7. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    :isay: No problem with the rant. The squeaky wheel gets the grease first they say. ;) Not sure why you are unable to send error reports though. Mine seem to go without a hitch. Not that it seems to do much good. I am still running SSM in learning mode and experiencing the problems. :rolleyes: :mad: In the case of my limited resource laptop I am in the less is more frame of mind myself. Could you point me to the thread?
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I ran SSM with Antivir and DefenseWall, after working splendidly for a long time. I got BSOD's after rolling back changes within DefenseWall. Soon after that the driver of DW warned it was not installed properly.

    I decided to fall back on Antivir + CyberHawk and DefenseWall. Works flawlessly.
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The only insanity at SSM is that they are still putting out betas with new bells & whistles when what they OUGHT to be doing is smoothing out the few remaining bumpy spots in their final release version (presently 2.1.15.592 paid version).

    In other words, SSM, stop with the new stuff and FIX what you already sold!

    In my own case, using the version mentioned in my prior paragraph, everything is smooth sailing with SSM except that it recurrently asks questions about certain aspects of Cyberhawk's actions. SSM is VERRRRY suspicious of whatever it is that CH is up to. Since I have repeatedly told SSM to *trust* anything that CH does, I think SSM is now becoming suspicious of me, as well.:eek:
     
  10. herbalist

    herbalist Guest

    Some things you might try to narrow down specifically what is happening. Did the problems with the AVs show up shortly after they were updated? If the update changed any of the executables, SSM might be blocking them. Try updating SSM's signature database for all the rules. Right click on SSM's tray icon and uncheck the "enable application rules". Tray icon should turn red. Then run the application that's having problems. If it runs properly, start Process Explorer, run the app again and keep track of the AV's executables and svchost, especially what processes each one starts or terminates, then check the application rules in SSM and make sure that all the parent-child processes you observed are set up in the rules. I don't have access to an XP unit so I can't try to duplicate what you're seeing, but the last time I had behavior like that when SSM was involved, I tracked the problem to a missing parent-child setting in SSM for the process involved, one I remember setting but SSM didn't add it to the ruleset.
    I'm inclined to agree. As much as I like SSM, I question their adding all those new extras. They're turning it into a security suite, one that has the potential to conflict with a lot of other software, especially if the other software uses kernel hooks.
    Rick
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    I am a recent convert to SSM and am currently running the latest beta 596 (I know you should be careful with betas but what the heck). Previously I had PG.

    So far, and this probably tempting fate, I have not experienced any BSOD's in 2k, and in fact I cannot recall when I last did have one. Really should have considering that I do try stuff out.

    When I installed SSM, contrary to all the advice given, I took it out of learning mode at the earliest opportunity. Of course you get pop ups but also SSM warns you of processes running without rules. I then go through each one deciding whether or not it is legitimate.

    I try and keep my setup simple so just have SSM, BOClean, Avast, Kerio 2.1.5. Out of interest I have just run AntiSpyware and it only found one cookie left by MS a year and a bit ago.
     
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    If you have BoClean why do you feel a need for SSM?
     
  13. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Good question. I do think SSM gives a different sort of cover and gives an overlap layer without apparent conflict.

    BOClean can be killed with APT kill 1 but SSM can protect it from that. Have not been through them all yet.
     
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    BOC is largely signature based whereas SSM is primarily a behavior blocker. Also I can use SSM to very powerfully protect other apps from termination. Also I can exercise pin-point control over processes in such ways as...

    +Blocking AntiVir's notifier in such a *subtle* manner that AntiVir doesn't object

    +Restraining Cyberhawk from listening for key presses.

    +And much much more.

    If you are a paranoid control freak (like me) SSM is nirvana.:thumb:

    The only other app I know of that even comes close to SSM is ProSecurity. PS is sufficiently promising that it has even gotten the attention & *testing support* of such gurus as Stem in THIS on-going Wilders thread.
     
  15. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi ThunderZ

    Learning mode or otherwise - I've tried both and it's made no difference so far :(

    I'm thinking this is the one. Not sure though - so many threads, so little time.:)

    Apologies if it's not, I'm running late and if it's not I'll find it Monday -

    https://www.wilderssecurity.com/showthread.php?t=153710

    @Herbalist


    Thanks Rick - let me digest this when I get a mo and I'll post back but I can say that BD wasn't after an update.
     
  16. herbalist

    herbalist Guest

    I hope it helps you. If anything, it may help to determine whether the BSODs are caused by SSM blocking something the app needs to function or if the problem is an actual software conflict. I have run into a few instances where a process launches another instance of itself, effectively becoming its own parent and child process. The problem here is that unless a user is looking at a process monitor at the time, they'd never know it wasn't the same instance of that process.
    Rick
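
The check described in posts 10 and 16 (list the parent-child launches seen in a process monitor, then compare them with the application rules) can be sketched as follows. This is an added example, not part of the thread and not SSM's own rule format: the image names, PIDs and the `RULES` layout are all constructed for illustration.

```python
from collections import defaultdict

# Constructed data, not captured from a real system. Image names are
# hypothetical stand-ins for an AV product's executables.
RUNNING = {700: "services.exe", 1100: "svchost.exe"}  # pid -> image at start
EVENTS = [                       # (pid, parent_pid, image), in order observed
    (2000, 700, "avsvc.exe"),
    (2100, 2000, "avscan.exe"),
    (2200, 2100, "avscan.exe"),  # scanner relaunches itself under a new PID
    (2300, 1100, "avupdate.exe"),
]
# Hypothetical rule set: parent image -> child images it is allowed to start.
RULES = {
    "services.exe": {"avsvc.exe"},
    "avsvc.exe": {"avscan.exe"},
}

def observed_pairs(running, events):
    """Resolve parent PIDs to image names; return {(parent, child): [child pids]}."""
    image_of = {pid: img.lower() for pid, img in running.items()}
    pairs = defaultdict(list)
    for pid, ppid, image in events:
        parent = image_of.get(ppid)      # None if the parent was never seen
        image_of[pid] = image.lower()    # a reused PID takes the newest image
        if parent is not None:
            pairs[(parent, image.lower())].append(pid)
    return pairs

def missing_rules(running, events, rules):
    """Return sorted (parent, child, self_spawn) for launches no rule covers."""
    gaps = []
    for (parent, child) in observed_pairs(running, events):
        if child not in rules.get(parent, set()):
            gaps.append((parent, child, parent == child))
    return sorted(gaps)

if __name__ == "__main__":
    for parent, child, self_spawn in missing_rules(RUNNING, EVENTS, RULES):
        note = " (process starting another instance of itself)" if self_spawn else ""
        print(f"no rule: {parent} -> {child}{note}")
```

Matching on PIDs rather than image names is what exposes the self-launch case: the pair `avscan.exe -> avscan.exe` only shows up because the child has a different PID from its parent.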
     
  17. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi Rick - thanks for that - I'm not sure quite what that means but I'll give it some thought :ouch: .

    What I don't get is this. On this install of SSM I haven't put it in learning mode. Every alert I've got is expected i.e. I start an app and the alert, being install driver, XY parent wants to start AB child, iexplore wants to delete/add object to the registry, is expected. Therefore, other than MSN Messenger, every and I mean every app has got the privileges it has asked for. So far nothing has been blocked.

    I don't understand how therefore there can be a parent/child conflict. On this install, I have not even got to application rights. It's almost like being in learning mode except I'm having to examine every alert and then give my consent, which as I say other than Messenger, SSM has been allowed all it's been asked for at present.
     
  18. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Toyed with a couple different similar apps since yesterday. Initially un-installed SSM. I am back to SSM in learning mode. No BSODs either. hmmmmmmmm........ :rolleyes:
     
  19. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    This is just getting silly :mad:

    On the basis, I've read that SSM have 'ceased' development of 2.1 which I bought not 1 month ago - @bellgamin, LOL

    ... I thought as all the resources were going into 2.2 and 2.1 caused no end of problems, I may as well try 2.2.0.597

    Downloaded, and set up over 2.1 no problem with previous 2.1 config.

    Looked ok and csrss, lsass and smss in Rules - Applications, were listed in the Normal group, therefore I could have some control over them.

    Under System, were ntvdm, dfrgfat, logon.scr, logonui, defrag and msiexec ONLY.

    Had second thoughts and wanted a complete clean reinstall - start from scratch and take it one step at a time (did this with PG several times until I was entirely happy)

    Uninstalled, ran RegMechanic and CCleaner - rebooted and reinstalled.

    NOW :'( all of a sudden csrss,lsass and smss are under System, are 'hard-coded' again and I can do nothing with them.

    I am utterly mystified, perplexed and lost. Again :ouch:

    What is going on with this software ?
     
  20. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    they have lured you into their evil lair taken your money and held you prisoner :D
    i would like to know what's going on as well
    lodore
     
  21. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Keep posting in the SSM forum and if enough people make a noise maybe they will do something. Perhaps make a new thread there. I think so far it is getting buried in an old one.
     
  22. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Not sure about the lair and thankfully I'm still 'free' to go wherever I like but yep - they certainly have my money.


    Hi David - not sure if that was intended for me or lodore, but I certainly will post there. However, a number of knowledgeable members are located here who also post at SSM and I was hoping to get their angle on this, particularly as there is another thread going with specific regard to the 'hard coding' of csrss, lsass and smss.
     
  23. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Not you individually - just anyone who wants to further this. Stem has already made a point about this but he needs support to get their attention, at least I think that is what he meant. Probably like you, I do not know enough about it, but nothing seems to be happening about it so if we add our support maybe they will look at it??
     
  24. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The most similar competitor of SSM is ProSecurity. Stem & a couple of other security gurus who hang out at Wilders are among ProSecurity's testers. There are a couple of threads about ProSec here at Wilders. I have been following them all -- especially THAT one.

    The latest ProSec thread announces the newest version & lists its improvements. It's over THERE. If you read it, notice that I have suggested ProSec to give a discount to refugees from SSM. I'm not quite ready to jump ship yet, but if Stem or a couple others do, & the price is right, then I will probably follow.:ninja:
     
    Last edited: Nov 14, 2006
  25. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Goodness me.

    Thanks Bellgamin

    I hadn't realised confidence had sunk that low for some :isay: Very interesting.

    I've been following that first thread for a while but hadn't noticed the second.

    How's your version of 597 treating the Big 3 ? My experience today feels very odd.

    I'm loath to chuck good money after bad. Maybe as per my earlier post, some 'happy customers' are embarrassed to admit they've made a mistake.

    On the other hand maybe it's only a few unfortunates who are having problems and the rest just don't have any problems at all. I don't know:doubt:

    I will post at SSM and see what the response is.

    By the way, my nick there is mtoto. Maybe it was an omen to all this but apparently 'Old Monk' was in the wrong language o_O

    Thanks again Bellgamin.
     