Learning Mode again in SSM

Discussion in 'other anti-malware software' started by poirot, Nov 2, 2006.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Just installed SSM 2.0.8.583 on my XP Home a few days ago, and I am going very slowly and cautiously with settings after a previous version incident which caused freezing and an uninstall. This time I installed according to the old rules with most apps not working, enabled only the Applications, StartUp and Services modules, leaving the Registry for later, and limited myself to giving the running, Trusted All, Processes and Applications Rules (most of them) just the F3-Allowed status.
    I ran nearly everything previously during the Learning Mode, including ShadowUser, and I guess that by now, after 2 days of learning mode and 2 days of continuous normal mode usage, I am well covered in respect of SSM's knowledge of my PC.
    Still, unforeseen events may happen, so my first question is:
    is it feasible/normal to revert on special occasions to Learning Mode without somehow upsetting the internal workings of SSM?
    I just had to do this in order to UDF format a DVD for Acronis, which was recalcitrant because a Registry cleaner had deleted some legit values and the thing didn't work properly at first, so I preferred to create an entire Acronis image as a trial so that SSM could get well informed about it.
    Also: what is generally preferable, to allow just the running of a program or to allow the parent application?
    As this second choice would define the Process/Apps as Advanced in SSM, if I don't make any 'Advanced' choice in Application Rules (as I plan to do at least for a few days more), will those Advanced Rules be somehow 'impaired'? In other words, do I have to do that mandatorily for a correct functioning of the program?
    (At the moment I have just Hewlett-Packard/Digital Imaging, verclsid.exe, and aAcroRd32.exe as brownish 'Advanced' Rules, because I allowed the Parent opening (Explorer) when they were running. Edit: I am in a limited account now.)
     
  2. herbalist

    herbalist Guest

    I'm not certain how much effect switching back to the learning mode would have on existing rules. It may change the existing parent-child settings. There is a safe way to find out. Make a backup copy of the ruleset before switching back to learning mode. If switching back to learning mode does change settings or dependencies unfavorably, load the backup ruleset and you'll be right back where you started from.
    Allowing applications to be run only by specific parent processes is the more secure option, but it also requires more configuring. The ability to control what other processes each process/application is allowed to start (or be started by) is one of the best features of SSM. You used Acrobat Reader (aAcroRd32.exe) as an example. If you used Explorer to start Acrobat Reader and used the "allow....by its parent application" option, Explorer is the allowed parent. If Firefox tried to launch Acrobat, you'd be prompted again, unless the UI was disconnected, in which case it would be blocked. When you make rules for commonly used processes using the "...by its parent application" option, you need to go through the process list on the advanced screen and select the ones that you want to be able to start that process.
    Rules made using the "allow ..... parent application" option set the default parent option at the bottom to "Ask". When you create rules using the "allow running this application" option, the default parent option becomes "Allow" for all other permitted processes. Here's an example from my ruleset for YPager.exe, the main executable in Yahoo Instant Messenger.
    http://i138.photobucket.com/albums/q277/herbalist-rick/advanced.gif
    Whenever you see a question mark in the box, the default settings at the bottom will be used for that process, "ask" in this instance for both parent and child. When the SSM UI is disconnected, "ask" becomes "blocked". In this rule, YPager can only be launched by Explorer.exe. YPager.exe is allowed to start Mozilla and RNAAPP.exe (dial up). It's blocked from launching regedit.exe and yupdater.exe (Yahoo's updater component) whether the UI for SSM is connected or not. If any other process tries to start YPager, or if YPager tries to start any process other than these, I'm prompted if the UI is connected; otherwise the action is blocked.
    The only way you could really "impair" an application while setting allowable parent and child dependencies would be to miss some of them. Some programs use a lot of different executables, both their own and ones that are part of the system. At times, processes can start another instance of the same process, effectively being their own parent and child process. I ran into this with my CD burner. If nothing else, you can start with "allow" rules and slowly change them over to "ask" on both the default parent and child settings, editing them 1 or 2 at a time. Be careful making these changes to processes involved in system bootup and shutdown. If you miss a dependency for a process used in startup, you can end up with a system that won't finish booting. I made that mistake too. That's one instance where a backup ruleset can save you from a big headache.
    Rick
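The parent/child rule semantics herbalist describes (explicit Allow/Block entries, a default of Ask wherever the advanced screen shows a question mark, and Ask turning into Block when the UI is disconnected), as an added Python model that is not part of this thread or of SSM itself. It rebuilds the YPager.exe rule from the post and adds a small audit that lists observed launches still uncovered by any rule, the missed dependencies herbalist warns about for boot-time processes. The Rule class, decide(), missing_dependencies(), the file name mozilla.exe and the sample launch list are assumptions.

```python
from dataclasses import dataclass, field

ALLOW, ASK, BLOCK = "allow", "ask", "block"

@dataclass
class Rule:
    # One SSM-style rule for an executable (assumed model, not SSM's own rule format).
    parents: dict = field(default_factory=dict)   # processes allowed/blocked from starting this exe
    children: dict = field(default_factory=dict)  # processes this exe may or may not start
    default_parent: str = ASK  # used wherever the advanced screen shows a question mark
    default_child: str = ASK

def rule_from_option(option):
    # "allow ... by its parent application" leaves the default parent at Ask;
    # "allow running this application" sets it to Allow for all other permitted processes.
    return Rule(default_parent=ASK if option == "parent" else ALLOW)

def decide(ruleset, parent, child, ui_connected=True):
    # Consult the child's parent table and the parent's child table: Block beats Ask beats Allow.
    # With the SSM UI disconnected every Ask turns into Block.
    parent, child = parent.lower(), child.lower()
    verdicts = []
    if child in ruleset:
        verdicts.append(ruleset[child].parents.get(parent, ruleset[child].default_parent))
    if parent in ruleset:
        verdicts.append(ruleset[parent].children.get(child, ruleset[parent].default_child))
    if BLOCK in verdicts:
        verdict = BLOCK
    elif ASK in verdicts or not verdicts:   # unknown pairs are prompted for
        verdict = ASK
    else:
        verdict = ALLOW
    return BLOCK if verdict == ASK and not ui_connected else verdict

def missing_dependencies(ruleset, observed):
    # Launches seen with the UI connected that would be blocked silently once it is
    # disconnected: the dependencies still missing from the ruleset (herbalist's boot-time trap).
    return [(p, c) for p, c in observed if decide(ruleset, p, c, ui_connected=True) == ASK]

# Herbalist's YPager.exe rule reconstructed from the post (mozilla.exe is an assumed file name).
YPAGER = Rule(parents={"explorer.exe": ALLOW},
              children={"mozilla.exe": ALLOW, "rnaapp.exe": ALLOW,
                        "regedit.exe": BLOCK, "yupdater.exe": BLOCK})
RULESET = {"ypager.exe": YPAGER}

# Constructed sample of launches seen during normal use; the last one is not covered by any rule.
OBSERVED = [("explorer.exe", "ypager.exe"), ("ypager.exe", "rnaapp.exe"),
            ("userinit.exe", "ypager.exe")]
```

Running missing_dependencies() over launches logged while the UI is still connected is the check to do before tightening defaults to "ask" on startup processes, since anything it returns would fail silently afterwards.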
     
  3. poirot

    poirot Registered Member

    Hello Herbalist,
    at first sight (nothing extremely scientific) absolutely nothing changed in SSM after a temporary return to learning mode.
    As usual, your reply opened new avenues of awareness about SSM usage.
    I'll make a few adjustments and then I'll come back again with a few more questions for you.
    In the meantime, thanks a lot.
     