Let's Talk About System Safety Monitor :) :)

Discussion in 'other anti-malware software' started by jmonge, Dec 1, 2009.

Thread Status:
Not open for further replies.
  1. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    For those who like this program, all those who used it in the past, or those who like HIPS programs ;) :)
    How protected am I with it alone, or together with other security software? Do you feel protected with it? This application is not developed anymore :) but is still powerful. Does it block DLL injection? Do you find it very strong, and do you feel that kind of protection is needed in a security setup? What do you think? Want to comment about it? Thanks all in advance :thumb:

    Note: it generates some pop-ups and it has network protection ;)

    Can SSM detect the loading of DLLs?
     
    Last edited: Dec 1, 2009
  2. noone_particular (Registered Member) | Joined: Aug 8, 2008 | Posts: 3,798
    Yes, SSM does detect DLL injection. As for its not being developed anymore, I don't consider that to be important unless you're updating to Vista or 7. For all purposes, SSM is a finished product that doesn't require vendor support.

    Regarding its ability to protect your system, SSM will enforce the rules you set, regardless of what they allow or block. How well it protects you is entirely dependent on how well you configure it. Except for a couple of core processes, SSM does not differentiate between system components, user applications, and malware executables. The user/administrator bears the burden of knowing what to allow, what to block, what can interact with what else, what is normal, what is suspicious, etc. In short, SSM is only as good as the user writing the rules. SSM itself doesn't protect your system. It's the security policy it's enforcing that does. If you allow a trojan to run or a rootkit to install, you're infected. If you really mess up on the rules, you can lock yourself right out of your system. When installed on a clean system and tightly configured, it's just about bulletproof.

    Even though the paid version has network rules, it is not a replacement for a true firewall. It's limited to allow/block for individual executables. It doesn't recognize different protocols, IPs, ports, etc., only trusted and untrusted zones. IMO, SSM should be used with a good rule-based firewall (without a HIPS component).

    SSM is at its best when enforcing a default-deny security policy on systems that don't change much. It also requires an administrator that understands the processes they configure it to control. If you install or change a lot of software, the alerts/prompts will never stop. If you have a finished system that's equipped the way you want it, SSM will grow silent when the rules are finished.
     
  3. act8192 (Registered Member) | Joined: Nov 9, 2006 | Posts: 1,273
    But that's the difficult part. A system is never finished. New mails come into Outlook. SSM asks whether to add something to some cache. IE is used, similar alerts. Explorer is used, SSM asks about adding something or other to still some other list ...

    It really requires an incredible amount of experience to be able to respond properly. And the last issued version doesn't even behave similarly to earlier versions; for instance, parent-child relations just are not that obvious (everything allowed??).

    So is there some all-in-one-place set of typical settings for, say, Windows XP and typical browsers and AV products?
    I do muddle my way through, but don't trust myself one little bit.
    SSM-2.4.0.621-beta.exe, XP Home SP3 or XP Pro SP3; Eset NOD32 or Antivir or Avast; Kerio 2.15 or Sunbelt FW 4.6.1861 or Windows FW or Outpost Pro (the latest); Opera or IE (if I must).
     
  4. nikanthpromod (Registered Member) | Joined: Oct 9, 2009 | Posts: 1,369 | Location: India
    I'm currently using SSM free edition 2.0.8.575. What are the differences between the free edition and the paid version such as 2.4?
    There is no network protection in the free version.
    Also, how can I get a license for the paid version?
    The product is discontinued, that's why I asked :doubt:
     
  5. wat0114 (Guest)

    nik, check your PM :)
     
  6. nikanthpromod (Registered Member) | Joined: Oct 9, 2009 | Posts: 1,369 | Location: India
    Thanks :argh:
     
  7. noone_particular (Registered Member) | Joined: Aug 8, 2008 | Posts: 3,798
    By "finished", I mean a system that's basically built and equipped the way the user wants it. The user has the apps they like installed and isn't altering the software on a regular basis. True, Windows update is always making changes and user apps need occasional updating. To me, that's just normal maintenance.

    Regarding SSM and Outlook, IE, etc.: after they're allowed, there should be no prompts for those apps unless they try to launch something else that SSM hasn't seen them do before. If something tries to execute from the browser cache or an e-mail folder, the chances are good that it's not something you want.

    Yes, there are major changes between the early versions of SSM and the later "pro version". I also prefer the design of the free version. It was more straightforward. I have the free version installed on more systems than the pro version. The pro version does have some advantages, but ease of use isn't one of them. IMO, they could have left the "rule groups" idea out completely. The registry rules leave a lot to be desired as well. Unlike some other apps, the free version isn't a restricted or crippled version of the paid one. Properly configured, it's very capable of defending a system. When I install SSM on someone else's PC, it's usually the free version, assuming their system is XP-SP2 or older. SP3 breaks the free version.
    No, it doesn't have any type of configuration database for common apps or a standard setup that can be loaded. SSM was designed not to rely on updates, databases, or access to a server with configuration data. The user is expected to know how to configure it. That's the primary reason SSM didn't last. It targeted too small a user base to be financially viable. It does have a learning mode, which should only be used on new installs or on systems that the user knows for certain are clean. The learning mode basically makes allow rules for whatever is running at the time, no matter what it is. I wouldn't use it on anything except a new install that hasn't seen the internet. You could end up with rules that allow malware if you're not careful. With SSM, there's no real way around it. You have to know what the processes you're making rules for are and what they do. You have to know what should be there and what shouldn't. If you don't know your system well, the learning curve is steep.
     
  8. noone_particular (Registered Member) | Joined: Aug 8, 2008 | Posts: 3,798
    The last free version is 2.0.8.583. Works on 98 FE through XP-SP2.
    The last pro version is 2.4.0.622. Works on 2K through XP-SP3, not sure on Vista.
    The developer has made licenses for the pro version available at no cost, with the understanding that there is no vendor support.
    PM me if you need a license.

    Differences between the free and pro:
    Pro has extensive registry rules
    Real time monitoring of services. Free version polls services.
    Pro version has much more detailed control over inter-process activity, protection from suspending, messaging from other processes, etc.
    Supports fast user switching.
    Loads earlier.
    More that I can't think of at the moment.
     
  9. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    @noone_particular thanks a lot buddy, good information :thumb:
     
  10. act8192 (Registered Member) | Joined: Nov 9, 2006 | Posts: 1,273
    That's what I thought, that it should be silent, but what I see is, for instance, an alert about a change in some index or whatever such as this, where two places with hex 6F got changed to 70. It was after reading a mail, no links, no attachments, nothing weird really.
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
    "Enable"=dword:00000001
    "Size"=dword:0000000a
    "InitHits"=dword:00000064
    "Factor"=dword:00000014
    "Cache"=hex:9f,4e,00,00,6f,00,00,00,b0,6f,00,00,04,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00
    I've never seen anything wanting to execute from/after Outlook.
    If you got an alert about a change such as I quoted, would you permit it? I do, because I have a hunch it's the way Outlook works, and I know it's clean. But sometimes I deny and really see no adverse effects. Similar alerts for IE, none for Opera. Which is why I said, I just muddle my way trying to get the feel for these things ...

    I would think groups are handy. Because you can, if you know how :), set different rules for a browsers group or a malware updaters group or some other similar applications without having to fiddle with each individually. No?

    What I love about SSM, besides learning from it, is that, unlike some firewalls, you can give a permission for applicationA starting applicationB, and no other, rather than a global "applicationA can run anything it wants" once you permitted applicationB. So even if I have no clue on some finer points, this, to me, is a gem worth using.

    And thank you both for running this thread :) Great answers.
     
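The alert act8192 quotes is a REG_BINARY value in .reg export syntax. The added example below (not from the thread or from SSM) parses that syntax, including the backslash line continuations, and reports exactly which bytes differ between two captures of the value. The "before" value is the Cache blob quoted above; the "after" value is constructed here to match the description of two 6F bytes becoming 70.

```python
"""Parse a REG_BINARY value from a .reg export and report which bytes changed.

Added example, not from the thread or SSM. BEFORE is the blob quoted in the
thread; AFTER is constructed to match the poster's description (6f -> 70 twice).
"""
import re

# The "Cache" value exactly as quoted in the thread (.reg syntax: comma-separated
# hex bytes, lines continued with a trailing backslash).
BEFORE = r'''"Cache"=hex:9f,4e,00,00,6f,00,00,00,b0,6f,00,00,04,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00'''

# Constructed "after" value: same blob with the two 6f bytes bumped to 70.
AFTER = BEFORE.replace("6f,00,00,00,b0,6f", "70,00,00,00,b0,70")


def parse_reg_binary(entry: str) -> tuple[str, bytes]:
    """Return (value name, bytes) for a '"Name"=hex:...' .reg entry.

    Handles the backslash line continuations regedit writes at 80 columns.
    """
    m = re.match(r'"([^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(.*)', entry, re.S)
    if not m:
        raise ValueError("not a REG_BINARY entry")
    name, body = m.group(1), m.group(2)
    # Drop the continuation markers, then split the comma-separated byte list.
    body = re.sub(r"\\\s*\n\s*", "", body)
    parts = [p.strip() for p in body.split(",") if p.strip()]
    return name, bytes(int(p, 16) for p in parts)


def diff_bytes(old: bytes, new: bytes) -> list[tuple[int, int, int]]:
    """List (offset, old_byte, new_byte) for every differing position."""
    if len(old) != len(new):
        raise ValueError(f"length changed: {len(old)} -> {len(new)}")
    return [(i, o, n) for i, (o, n) in enumerate(zip(old, new)) if o != n]


def describe_change(before_entry: str, after_entry: str) -> str:
    """Human-readable summary of what a registry alert actually changed."""
    name, old = parse_reg_binary(before_entry)
    _, new = parse_reg_binary(after_entry)
    changes = diff_bytes(old, new)
    if not changes:
        return f"{name}: {len(old)} bytes, no change"
    detail = ", ".join(f"offset {i}: {o:02x}->{n:02x}" for i, o, n in changes)
    return f"{name}: {len(changes)} of {len(old)} bytes changed ({detail})"


if __name__ == "__main__":
    print(describe_change(BEFORE, AFTER))
```

Seeing that only two counter bytes moved, and nothing else in the value, is the kind of check that makes an allow/deny decision on such an alert less of a guess.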
  11. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    You're welcome, and let's see what others say about it :)
     
  12. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    It is very fast, and with the password protection set it can be used as an anti-executable ;)
     
  13. noone_particular (Registered Member) | Joined: Aug 8, 2008 | Posts: 3,798
    Now it makes sense. It didn't occur to me that you were referring to registry rules. I was thinking you meant a process alert. SSM monitors the entire "HKCU\SOFTWARE\Microsoft\Internet Explorer" key and all its subkeys. Several keys and subkeys in this area contain sensitive Internet Explorer settings, toolbar data, home and search page settings, etc. That particular change is harmless. I'd allow that particular change, but only for that specific key. The registry rules can be confusing. IMO, too many different interfaces. They're quite comprehensive in their coverage and very customizable, but the user needs to be good at working with the registry. You might consider disabling the registry rules until you get the other rules finished.
    I find it easier to work with the rules when they're all together in order. It's largely a matter of preference and what you're used to. I got used to the way the free version was set up. The paid version and rule groups are a comparatively recent addition. To me, the design of the free version seems more intuitive and more comfortable to work with.
    That is one of its best features, the ability to fine tune parent-child settings. IMO, that ability is what makes it possible for SSM to replace a resident AV. The ability to specify what apps/processes each individual process can launch or be launched by enables the user to create a "policy sandbox" that can effectively isolate the apps that make up the attack surface (browser, mail handler, media player, PDF software, etc). This ability can often prevent a compromised or exploited application from being used to gain access to the rest of the system. This is one place where the paid version is much stronger than the free one. Both can control parent-child settings, but the paid version controls many other activities. Those additional abilities are available under "special permissions" on the rules>applications tab. Just be careful with them.

    For those willing to invest the time, SSM can teach you a lot about your system, what the components do, and how they interact. In time, you may even reach the conclusion that you no longer need a resident AV. It just depends on how far you want to go with SSM. In that respect, it's flexible. It can function as a backup to your AV, serve as your frontline defense, or anything in between.

    Just in case you didn't notice it, both the free and paid versions can export the rulesets as files. This lets you back up your rules or even switch between rulesets if you want. Run a simple ruleset when you're doing other stuff and save a detailed one that you can work on when you feel like it. BTW, both versions will let you use separate rulesets customised for each user if you want to go that far. When you have time, check out the "window filter" module. It has the potential to be a very potent parental control tool. Works on websites, apps, file names, system folders, named interfaces, etc.
     
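The parent-child "policy sandbox" described above, and the learning-mode caveat from post 7, as an added example (not SSM code): a default-deny launch policy where each process may only start the children explicitly listed for it, plus a learning mode that records whatever runs. The rule model, process names and event traces are constructed for illustration.

```python
"""Default-deny parent/child launch policy of the kind the thread describes.
Added example, not SSM code: rules, process names and traces are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ExecPolicy:
    # parent -> set of children it may launch; any pair not listed is denied.
    rules: dict[str, set[str]] = field(default_factory=dict)
    learning: bool = False

    def allow(self, parent: str, child: str) -> None:
        self.rules.setdefault(parent.lower(), set()).add(child.lower())

    def check(self, parent: str, child: str) -> str:
        """Decide one launch attempt: 'allow', 'deny' or 'learned'."""
        p, c = parent.lower(), child.lower()
        if c in self.rules.get(p, ()):
            return "allow"
        if self.learning:
            # Learning mode writes an allow rule for whatever runs, good or bad.
            self.allow(p, c)
            return "learned"
        return "deny"

    def run(self, trace):
        return [(p, c, self.check(p, c)) for p, c in trace]


def build_sandbox_policy() -> ExecPolicy:
    """Tight rules for the attack-surface apps named in the thread (constructed)."""
    pol = ExecPolicy()
    pol.allow("explorer.exe", "outlook.exe")
    pol.allow("explorer.exe", "opera.exe")
    pol.allow("outlook.exe", "opera.exe")    # a link in a mail may open the browser
    pol.allow("opera.exe", "acrord32.exe")   # the browser may open the PDF viewer
    return pol


# Constructed trace: ordinary use, then two launches an exploited app might try.
TRACE = [
    ("explorer.exe", "outlook.exe"),
    ("outlook.exe", "opera.exe"),
    ("opera.exe", "acrord32.exe"),
    ("outlook.exe", "cmd.exe"),        # mail client spawning a shell
    ("acrord32.exe", "braviax.exe"),   # PDF viewer launching a dropper
]


def enforce(trace=TRACE):
    """Evaluate the trace against the finished ruleset (no learning)."""
    return build_sandbox_policy().run(trace)


def learn_then_enforce(trace=TRACE):
    """Learning mode on a trace that is not actually clean, then enforcement.
    The dropper launch becomes a persistent allow rule and is never prompted for."""
    pol = ExecPolicy(learning=True)
    learned = pol.run(trace)
    pol.learning = False
    return learned, pol.run(trace), pol.rules
```

Under the finished ruleset the two rogue launches are denied; after a learning pass on the same trace they are allowed silently, which is the risk of running learning mode on anything but a known-clean install.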
  14. dw2108 (Registered Member) | Joined: Jan 24, 2006 | Posts: 480
    If you never allow SSM to go into the learning mode, it's fun protection. I consider it one-half a HIPS, in that a few other light-weight freeware apps can really give good protection.

    Dave
     
  15. act8192 (Registered Member) | Joined: Nov 9, 2006 | Posts: 1,273
    noone_particular,
    I ran free and liked it, but only for a short time. So when they were shutting down the shop, I couldn't resist grabbing the licence to this version from their generous offer. Was there ever a user guide to this version? I only have the free guide.

    OK, registry rules. I might turn them off for a bit. Most of the alerts I see are of the sort I mentioned, but I don't have a good grasp of the registry. Only if I see that a value doesn't really change do I allow. Scary to go either way 'cause I could kill the system. Besides, it's a nuisance to dig up those keys, though a learning field.

    I know about being able to save configurations. Works well if I don't get confused about what's where. And it does work for other users.
    Special permissions I almost don't use with the exception of protecting the firewall from being shut down.

    Thank you very, very much for what you wrote. Every little bit of good advice helps. Anything you throw at us will be appreciated.

    Those worms in your signature don't have much chance, do they?
     
  16. dw2108 (Registered Member) | Joined: Jan 24, 2006 | Posts: 480
    One thing for those who do not feel comfortable with registry modifications and SSM: Get ERUNT free from Snapfiles, and keep the SSM dialog box in the "allow this action just once" mode no matter how many times you may iterate the process. In case of a mistake, ERUNT can restore the registry.

    Dave
     
  17. Tarnak (Registered Member) | Joined: Feb 5, 2007 | Posts: 3,875
    You might be able to get a 'Help' file (maybe outdated) from

    Internet Archive (Wayback Machine) - http://web.archive.org/web/20080731160709/http://www.syssafety.com/files.html
     
  18. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    I wonder if SSM is Vista ready o_O
     
  19. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    Basic Network Firewall (BNF) is a new SSM feature which allows users to control outbound network traffic generated by applications. For example, the user can prohibit any application from connecting to the network, or allow it to connect to the trusted network IP addresses only. BNF works with two IP address groups, trusted and untrusted. The user configures each group through the SSM network activity pop-up or the Network Rules tab of the main window. An application can only be allowed/disallowed to connect to each IP address group as a whole. NOTE: BNF only controls outbound traffic, thus it may be considered a helpful supplement to the built-in Windows Firewall, which in its turn allows controlling inbound traffic for applications.
     
  20. Brummelchen (Registered Member) | Joined: Jan 3, 2009 | Posts: 1,732
    Funny, you talking about a security software whose status is beta, dating from Aug '08 and only verified up to XP/2003, not Vista, not Win7.
    You should realise that meanwhile other holes have been discovered that this software can't protect against.
    Also, the homepage has been "parked"; in fact, there is no official one to ask.

    BTW, any reason you're asking? Is DW not enough?
     
  21. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    First, DefenseWall is more than enough for me and I would advise you to give it a try ;) you may fall in love with it :). I love to test different kinds of software, is that bad? I don't need customer support from them :D and guess what, it works very smoothly with my old unpatched XP SP2, so what? Am I supposed to be scared of the net? Not at all, I am in charge :D :cool: If I choose to give System Safety Monitor a try, it is because, first, I love HIPS and I am not a loser ;) and it was recommended by a friend, nothing wrong with that, is there? :)

    Note: this may be the latest beta, the very last one, but it works :) :)
     
  22. noone_particular (Registered Member) | Joined: Aug 8, 2008 | Posts: 3,798
    How well SSM works on Vista or 7 only matters if you're using those systems. On XP and older systems, it works fine. For all practical purposes, the beta testing on the 2.4 series was finished. I don't know why Vitali left it in "beta" status. The beta time limit was removed several versions back.
    Could you be more specific? A link? A file or POC? Something I can test? If any "holes" still exist, they would require that the user initially allows that malicious code to execute to begin with and then allows it to perform some further action. If the user's security policy allows malicious code to execute and then expects the HIPS software to intercept every possible malicious activity that code might perform, the real flaw is in the security policy. SSM can be configured to work much like a policy sandbox, but it was not designed specifically to be a sandbox or virtual environment. As a tool for enforcing a default-deny policy and isolating the legitimate apps that make up the attack surface, SSM is completely up to the task. HIPS vary substantially in design. The user should choose the one that best matches the security policy they're implementing, not the other way around.
     
  23. chris2busy (Registered Member) | Joined: Jun 14, 2007 | Posts: 477
    Still vulnerable to Rustock variants (it bypassed many HIPS when it first popped up: http://translate.google.com/transla...c=4564&pid=37613&st=20?entry37613&sl=ru&tl=en ; most of them patched it long ago). And, IIRC, the free version does not protect against low-level disk access. You can't buy it any more, so unless you got a licence already, you've got yourself a bucketload of malware you're vulnerable to.
     
  24. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    chris2busy, of course you know that the free versions of some HIPS didn't include complete protection; you must have a licence to get fully protected :)
     
  25. jmonge (Registered Member) | Joined: Mar 20, 2008 | Posts: 12,883 | Location: Canada
    I personally tested System Safety Monitor myself against new malware (braviax.exe, install.exe, 1.exe, setup.exe, SpyBlaster, WinAntivirus Pro, etc., etc.) and SSM was a winner on top of this new malware :D SSM doesn't need to be updated at all :D It is fast and stable, so why not? ;)
     