SSM - can't find process without rules

Discussion in 'other anti-malware software' started by act8192, Jun 26, 2011.

Thread Status:
Not open for further replies.
  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    WinXP, SSM v2.4.0.622

    I keep getting the little yellow alert "There are running processes without rules set". There is not one process in the list that's blue. How can I find what has no rule?

    If I tell it to trust all (ouch), it'll be quiet for a long time. And then it reappears. I can't figure out what makes it reappear.
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    XP has a few service processes that run for a short duration at startup. On the application rules, advanced properties menu for services.exe, svchost.exe, and explorer.exe, check what the default child settings are for each of these. You could also clear your logs, then set SSM to log all starting and stopping processes. It's quite possible that the process is finished running by the time you look for it. Under options>applications, what is the default action you're set to?

Added example, not part of this thread or of SSM: the suggestion above (log every start and stop, then look for what finished before you could see it) can be checked mechanically once the log is in text form. This Python script pairs STOP events with their START events, reports every image that has no entry in a rule list, and sorts the shortest-lived ones first together with the parent that launched them. The log line format, the paths and the rule list are all constructed for the example; SSM's real log columns look different and would need their own parser.

```python
import ntpath
import re
from datetime import datetime

# Constructed trace in the spirit of "log all application starting and
# stopping". The line format and every path here are assumptions for this
# example, not SSM's real log layout.
SAMPLE_LOG = r"""
2011-06-26 08:01:02.150 START pid=1084 parent=C:\WINDOWS\system32\services.exe image=C:\WINDOWS\system32\svchost.exe
2011-06-26 08:01:03.000 START pid=1120 parent=C:\WINDOWS\system32\svchost.exe image=C:\Program Files\Example\updater.exe
2011-06-26 08:01:03.500 STOP pid=1120
2011-06-26 08:01:05.000 START pid=1300 parent=C:\WINDOWS\explorer.exe image=C:\Program Files\Opera\opera.exe
2011-06-26 08:01:06.250 START pid=1344 parent=C:\WINDOWS\system32\winlogon.exe image=C:\WINDOWS\system32\logonui.exe
2011-06-26 08:01:07.000 STOP pid=1344
2011-06-26 08:01:09.000 START pid=1400 parent=C:\WINDOWS\explorer.exe image=C:\Program Files\Example\tray_helper.exe
"""

# Constructed rule list: the images SSM is assumed to already have a rule for.
SAMPLE_RULES = {
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\Opera\opera.exe",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>START|STOP) pid=(?P<pid>\d+)"
    r"(?: parent=(?P<parent>.+?) image=(?P<image>.+))?$"
)


def parse_events(text):
    """Turn log text into a list of START/STOP records in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
        rec["pid"] = int(rec["pid"])
        events.append(rec)
    return events


def _record(start, stop_ts):
    lifetime = None if stop_ts is None else (stop_ts - start["ts"]).total_seconds()
    return {
        "name": ntpath.basename(start["image"]),
        "image": start["image"],
        "parent": start["parent"],
        "pid": start["pid"],
        "lifetime_s": lifetime,
    }


def find_unruled(log_text, rules):
    """Processes in the log whose image has no rule, shortest-lived first.

    Pairing each STOP with its START gives a lifetime, so a helper that exits
    within a second (gone before the process list is even opened) is still
    reported, together with the parent that launched it.
    """
    known = {p.lower() for p in rules}
    live = {}  # pid -> START record of a process not yet seen stopping
    found = []
    for ev in parse_events(log_text):
        if ev["event"] == "START":
            live[ev["pid"]] = ev
            continue
        start = live.pop(ev["pid"], None)  # STOP with no START is ignored
        if start and start["image"].lower() not in known:
            found.append(_record(start, ev["ts"]))
    for start in live.values():  # still running when the log ends
        if start["image"].lower() not in known:
            found.append(_record(start, None))
    found.sort(key=lambda r: (r["lifetime_s"] is None, r["lifetime_s"] or 0.0))
    return found


if __name__ == "__main__":
    for r in find_unruled(SAMPLE_LOG, SAMPLE_RULES):
        life = "still running" if r["lifetime_s"] is None else f"{r['lifetime_s']:.2f}s"
        print(f"{r['name']:<16} pid={r['pid']:<5} {life:<14} parent={r['parent']}")
```

On the constructed input this lists updater.exe (half a second, launched by svchost), logonui.exe (three quarters of a second, launched by winlogon) and a still-running tray helper; the first two are exactly the kind of entry that never shows as a blue row in the process list.
<test>
r = find_unruled(SAMPLE_LOG, SAMPLE_RULES)
assert [x["name"] for x in r] == ["updater.exe", "logonui.exe", "tray_helper.exe"]
assert r[0]["lifetime_s"] == 0.5
assert r[1]["lifetime_s"] == 0.75
assert r[2]["lifetime_s"] is None
assert r[1]["parent"].lower().endswith("winlogon.exe")
assert len(parse_events(SAMPLE_LOG)) == 7
</test>
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    1. Re: "XP has a few service processes that run for a short duration at startup"
    When I installed, I put it in Learning mode. I did two shutdowns and startups to make sure those are learned and won't bug me. Then I worked various local things. Perhaps a day later started internet and answered prompts.

    2. Re: "services.exe, svchost.exe, and explorer.exe, check what the default child settings are for each of these"
    This is a can of worms for me. I may have installed badly because all of them can run everything and be run by everything :( Yikes, this makes no sense. I probably did not set the Normal group to ask :(
    This section is a total mess and I didn't touch it. I saw the entire column have checks, which is not what I expect (not that I'd know how to fix). The old version defaults weren't like this. And I don't remember it.

    3. Re: "log all starting and stopping processes"
    Processes or applications? I only see applications can be checked. Everything is checked to be logged.
    Logonui.exe, explorer, winlogon writes virtual memory, winlogon shuts down system, explorer runs browseui and shell dlls as windows hook, as is tclock.exe, ctfmon (Office uses that), one or two apps I use load a driver. I was logging everything, i.e. put checkmark on all options. I don't see anything surprising there. Annoying (wga, ois) yes, but those have always been around.

    4. Re: "It's quite possible that the process is finished running by the time you look for it"
    That is a good hunch. But then I should have gotten an alert from SSM, no?

    5. re: "options>applications, what is the default action you're set to?"
    I don't think, but am not sure, if I changed anything here from installation. These are checked:
    When GUI is off, block process creation
    Alert on changed and temp files in Learning mode
    Silent checksum update for digitally signed files, using MD5

    Maybe I messed up the installation badly. I don't know. I use SSM, then I give up, then I use it again and give up. I installed about a week ago, and this strange alert just started yesterday. SSM just might be too rough for me. I'd hate to waste your time if my skill level is hopeless.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The free and pro versions behave quite differently. IMO, the free version was much more intuitive. Some parts of the pro version seem to behave exactly the opposite of what you'd expect.
    The group settings can be quite confusing. All of the processes in each group inherit the permissions given to the group. By default, SSM puts almost everything except a few core processes in the "normal" group. The default parent and child settings for this group are "allow", which places no parent-child restrictions on any allowed processes. This was done to prevent SSM from bombarding you on the first runs with an almost unending number of prompts, each of which would have required you to know what the normal parent process for each one would be. It would have been really bad with all the default services running. To change this for the entire group, right click on the "normal" group and select advanced properties. You'll see check boxes for parent and child. Click on them until you see question marks, which changes the default settings to "ask". On mine, I couldn't get the "ask" setting by clicking on the child box, even though both change together. Had to click on the parent box to get "ask" as the default setting. Once this is done, you'll be able to specify individual parent and child settings for each executable.

    On the logging question, you're right. It doesn't mention processes. I was running 98 at the time and didn't remember which term it used. If you have SSM set to log all application starting and finishing for all the groups, the process without a rule should show up in the logs.
    The SSM executable is started by winlogon.exe. If the unknown process is also started by winlogon, it would be running before the SSM interface is active.
    I was referring to "program behavior". On the free version, the "block everything" setting tends to make more restrictive rules. I'm not sure if this applies to the paid version.

    When you installed the pro version, did you import an existing ruleset created by the free version? On mine, I've found it doesn't import all of the existing parent-child settings properly. I had to redo a lot of the settings. If this is the case, you might want to save a backup of your existing rules under a different name, then reinstall SSM again and instruct it not to use the pre-existing rules. Under options>configs, you can export and change rulesets. Be careful with the import option. It might not behave as you expect.

    edit
    If you haven't installed SP3, the free version will work. SP3 breaks it. You might find the free version much easier to work with. Unlike some other free versions of security apps, it's not a watered down or restricted copy of the full version. It's completely operational, and IMO, quite sufficient for most uses. It's one of the reasons I haven't installed SP3. It's not a direct reflection of your skill level. The interface of the pro version is confusing, especially the registry rules. The command line parameter options behave differently than many would expect. For a lot of people, myself included, the groups made it harder to make rulesets rather than easier. A lot of the advanced options in the pro version are redundant when you think about it. How useful they are will depend on the security policy you're enforcing. With a default-deny policy, several of them will never come into play.
     
    Last edited: Jun 27, 2011
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    No, I did not use old rules from the free version.
    And I did not use previous rules from this version.
    Completely clean installation with the default config file in place then a bit of learning mode.

    So far, I have not found the offending process. I searched through the .xml logs as well.
    I think what I'll do now is cleanup and reinstall correctly. I just hope I can wade through the parent-child stuff, especially for the windows services :( I have to use the paid version because I have SP3 with a license from Vitaly when he shut down the shop. But I never really learned either version.

    Don't ask me why, but I see no alerts about unknown process today. And no, rebooting is not it, because I've rebooted several times yesterday and the day before. Your answer to pt4 is likely what happened.

    I'll come back to this thread if things start being strange again.

    Thanks for your help. Here and in many other threads. Very valuable to me at all times.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Another thought on the issue. Do the alerts for unknown processes take place shortly after installing updates? If Windows update replaced an executable, SSM will regard it as an unknown. I've also seen some screen savers that randomly choose different patterns cause SSM to want to recalculate its MD5.

    I'm not that familiar with the learning mode on either version, so I'm not sure how it behaves in all circumstances. I've always started with the UI connected, block everything selected for the default behavior, then changed the parent and child settings for every application and group to "ask", then sort through the big wave of prompts. With the default settings, SSM assumes that one permitted application will be allowed to launch another permitted application. I'm pretty sure the learning mode makes rules like that too. Regarding services, the command line parameter options do make it possible to fine tune what the individual services are allowed to do. If you decide to go into that level of detail, you might want to work with this separately, especially if you're running all the default services. It will take a while.

    The pro version is easier to deal with if you save the registry rules until the application rules are done. IMO, the interfaces for the registry rules make it harder than it has to be.

    A couple other thoughts. Over half of the items listed in the system group can be moved to the normal group or any other group you choose to create. If you will be using the network rules, it can simplify the groups if you create a separate group for apps and system executables that will not be allowed internet access. Except for a couple of the unmovable ones in the system group (which crashed the system when their actions were intercepted by SSM) for which many options are greyed out, the rest can be relocated to fit any group plan you might want to try. You can also save rulesets under different names and switch between them if you want to experiment.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    Great news: Your tricks of how to deal with ? ? worked like a charm. Thanks. Not only that, No BSODs, computer behaves just fine. My brain is cooked but I'd like to go on a bit more than previously.

    Learning mode did set parent/child things just fine once the ? ? are done correctly. I see nothing terrible, though I'm not a good judge. It's an iteration of (enormous amount of) learning and setting things as I go along.

    So, can you comment, please, on these few items at this time. I hope you don't mind my long list.

    1. I'm reading the logs and maybe understanding a bit more. Coupled with Process Explorer and AutoRuns I crosscheck and things look reasonable.
    One thing that surprised me is svchost being a parent to Excel and Word. Ditto for MediaMonkey which is a music player. No such rule was made, nor should be, I think.
    In the logs, I enabled all columns to see what it might be doing - nothing there to learn from.
    Might it be not really parent/child situation, but some handover from wherever to svchost to follow up? Or a catchall column (I've seen 255.255.255.255 there as well as my router IP when DHCP kicked in)
    Any ideas what's the computer doing with the apps vs svchost?

    2. Another surprise: When I used Learning Mode after installation just for shutdown, bootup, standby and screen saver activities, SSM made Network rules for csrss.exe, lsass.exe and sms.exe to access both trusted and untrusted networks. Ditto for svchost, spoolsv, VLC (a better WindowsPlayer), MPNscan (scanning paper on my network printer). While my firewall will not permit those three in the System group, and others, to go anywhere, I'm not worried. But why would SSM do that as a default, if you can read their mind :)

    3. I haven't yet moved any apps from one group to another, nor have I created new groups, though I tried the mechanics of it and it works fine.
    Reason is, I can't figure out non-orthogonal group names!

    4. Services issue. I have a bunch of Windows services disabled or manual. I've never been able to shut off (per BlackViper site suggestion) Telephony, Telnet, Terminal services. I don't want any of them, all I want is be able to do filesharing with another 1-2 boxes. Yet even though all three of those are manual start, Telephony and Terminal Services start at startup. What makes it so? Do I really have to have them not disabled?

    5. You suggested to leave the registry rules alone till I learn a bit more. Should I, then, disable the registry rules at this time? Or allow and struggle with alerts to which (other than cache or MRU) I have no idea how to answer, so Allow might be what I'll do and regret :(
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It is a long learning curve, especially as you go deeper into the options. Learning how to configure SSM in detail has probably taught me more about the inner workings of my system than any other single activity. Since it takes a while, treat the rules as a work in progress and make backups of them at key points during the learning curve (such as finishing the applications but working on services, or apps and services done but registry just beginning). Regarding the registry rules, I disabled mine completely and left them until the rules for the apps were done. My registry rules aren't finished either. I'm in no hurry on them as I rarely use XP, and not for anything I consider sensitive.

    I can't directly address your question regarding word and excel. MS office does add services, some of which are related to SQL server. I don't use it so I don't know how necessary they are or what they really do. I'm not familiar with Media Monkey, but the media center edition of XP also adds services that aren't part of XP pro. I don't know exactly what they do or how they interact with the rest of the system. You can take the risk out of experimenting with these services by making a system backup before starting. This way, it's easy to get back to where you started, no matter how bad you mess it up. In that respect, the services are much like the registry, easy to end up with a lot of unexpected problems. On mine, each OS, the data, and the shared swap file are all separate partitions. Using an older Acronis rescue CD, it takes less than 5 minutes to back up either OS and even less to restore it. Experimenting is so much easier when the risk is removed.

    Regarding network rules for 255.255.255.255, this is the broadcast IP for your local network, used to send messages to all devices on that network. This page goes into more detail. http://en.wikipedia.org/wiki/Broadcast_address You mentioned sharing files with 1 or 2 other boxes. Are you using DHCP or static IPs? Your question regarding Telnet, Terminal services, and Telephony is also tied into this. Some of the services that depend on one or more of these are involved with sharing files on a network. You'll have to determine which ones are necessary for the network setup you have. It's likely that you have other services running that depend on a couple of these. I don't specifically remember which of those it is, but on one of them the start and stop buttons were greyed out. The only way I found to keep it from starting was to disable it and another service that depended on it, then reboot. If I remember, it was one of the remote access (auto) connection manager services, which I think are also connected to Windows updates normal functioning. There's a lot of inter-dependency in these services, and each service pack seemed to make it worse. I'm very inclined to believe that this was done in order to make it difficult to disable some of them. It's times like this that I kick myself for not taking notes on just what it took to disable some of them and what else each was necessary for. Black Viper's site is excellent, but I'm pretty sure that there's some things missing and/or changed by other updates. It's not absolutely necessary that you disable those services (assuming that your setup really doesn't need them). Like many other things, it's a tradeoff. A slightly smaller attack surface and a small decrease in the load on the system versus the potential of breaking or disabling something you need that doesn't become obvious right away. Don't do like I did when I went thru mine. Take notes.
    Not at all critical. I've toyed with a few ideas here as well. Given a choice, I'd get rid of the groups completely. Right now, I'm using 2 additional groups:
    1, System-no network access
    2, Applications-no network access

    The first gets all system components that don't require internet access. The 2nd is non-internet applications. I haven't done much with this as it's redundant with a separate firewall in use.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    Steep uphill! I'm saving rules as I go along.

    Re:
    I didn't report my surprise about svchost commingling with Office apps or MediaMonkey correctly. What I see is Explorer does "Create process", then svchost does "Open thread". Or userinit creates explorer process, then svchost opens thread in explorer. I just need to learn what's there. DLLs are certainly involved, and various process interactions, and services (spooling), but not obvious to me from the log. Much learning to do here. Yes, I know I won't learn this in a day, or ever.

    Snagit is one that really bugs me because this Open Thread meddling by svchost produces thousands of lines in the log. I set snagit to not log, but it didn't work. I'm not about to kill logging of svchost, but maybe I should find which section of svchost logging to suppress, what do you think?

    6 min differential here.

    I know that from firewall. But it surprised me that the IP was in the Child column rather than the DHCP client service. In any case, it only happened when I played with the Network rules enabled on only Windows firewall in the picture.

    You're right. I looked at dependencies. I'll look more, and deal with it. Thanks for the idea that it's related to file sharing.

    Re: my original post
    For a while I thought it might be. But no. For two days it was quiet even though Avira updates 2-3 times/day. Then booom! there it is again. Invisible.

    Another SSM puzzle: originally, before ? ? group settings put in place, everything could run everything else. But SSM still alerted (explorer wants to run Opera...). There must be some, behind the scenes, builtin, intelligence that maybe ignores all those silly permissions. in this SSM version.

    Oh, thanks for all your encouragement and hints :)
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm hoping that "thousands of lines" is an exaggeration. Mine is also set to log everything with a 7 day limit on the log, and I've never had 1000 lines total in that log. Then again, I'm running a very stripped down system, thanks to XPlite and a lot of disabled services. Are most of these reporting the same activity or different instances of it? Are they for "verclsid.exe" by any chance? If many or most of them have something in common, could you post some examples? SSM's logging can give you too much information at times, especially services. Svchost is not one that I would stop logging unless you have all of the allowed command line parameters set, which is a project in itself.
    Just to rule out an easy mistake to make with SSM, after you changed all the group permissions to "?", you did click on apply, right? If not, none of the changes were kept. The logs still don't identify the new/unknown process? I'm still suspecting that this is an auto-updating issue.
    Auto-updating + classic HIPS = big headache.
    There just doesn't seem to be any easy way around it that doesn't involve weakening SSMs level of protection. Classic HIPS literally acts like anti-change software. Never used Opera. Does it have auto-updating of itself or components? Do you allow auto-updating for Flash Player? If I remember, it adds its own auto-start entry to the registry and the updater changes each time. More than anything else, AVs updating will set off SSM alerts. Some updates are just definitions while others change components. The last time I checked (which has been a while) AntiVir/Avira doesn't tell the user what it's updating, only that it is. A while back, I had AntiVir and SSM-free installed on a friend's PC, and had big problems with process alerts. Don't specifically remember exactly what they were. The only way I found to stop it was to allow the AntiVir executables to run anything (the free version has an "Allow this process to execute any unclassified program" option on the process alerts) which IMO is risky, given that AVs are being directly targeted by malware. I also had to shut off checksum verification for all of the AntiVir executables. The choices came down to doing both of the above or shutting off auto-updating. Since I was going over there at least once a week socially anyway, I chose to shut down auto-updating.

    I'm thinking we're overlooking something that's allowing this executable to run in the first place. There's also the possibility that this system has a problem that hasn't been caught. You mentioned the Explorer launching Opera alert specifically. Is it always for Opera? Always explorer? Did you launch Opera at that moment or did this appear to happen by itself? Have the alerts ever mentioned a changed checksum? Is it possible that this isn't the actual windows explorer, wrong path, wrong checksum, etc? If you haven't integrated your AV into SSM, on the right edge of the process alerts you'll see "locate" for both the parent and child process. If you've already integrated your AV with SSM, "locate" will be replaced with "scan". Assuming that you do have permanent rules for both executables and that one is allowed to launch the other, the next time you see such an alert, click on "locate" for the parent process. If Windows Explorer is one of the 2 processes on the alert, the "locate" function won't work until you either allow or deny the alert. Choose "deny once" and check the file that "locate" takes you to. Check thru your ruleset and make sure that there aren't 2 rules for explorer.exe. SSM won't make 2 rules for the same file but it would make a separate rule if there's an instance of explorer in another non-standard location or for a not too obvious misspelled version (common malware tricks). One other item to check here. Under the parent-child permissions (advanced properties) for explorer.exe, is explorer.exe allowed to parent itself? This isn't something explorer would need to do often unless you've added and use an "open in new window" option to the right click menu. If it is, uncheck it and let me know if/when explorer tries to launch another instance of itself. 
A while back a member on another forum sent me a copy of malware that uses explorer.exe to launch another instance of itself (which has the malware's code injected into it) and terminates the original. It does as soon as explorer.exe starts up. This particular malware worked the same way on both 9X and NT systems and is as close as I've seen to a rootkit for 9X systems. Once it's running, it's nearly undetectable (files, registry entries, etc all hidden). I haven't got around to exploring its behavior in detail on XP or 2K. This one is detected by AVs now, but if something newer that an AV doesn't yet detect (or is blocked from seeing) is using a similar method, it could inadvertently have been allowed. Yes, these are long shots but the possibility is there.
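Added example, not part of this thread or of SSM: the checks suggested in the post above (a second rule for explorer.exe at a non-standard location, a "not too obvious misspelled version" of a system binary, a core process running from the wrong directory) can be run over an exported list of rule paths. This Python script flags duplicate basenames at different directories, core binaries outside their expected directory, and names within a small edit distance of a core binary name. The expected locations are assumptions for a default XP install on C:, and the rule list is constructed for the example (the second explorer.exe and the svch0st.exe entries are the planted findings).

```python
import ntpath
from collections import defaultdict

# Assumed default locations of a few core XP binaries (compared lower-case).
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# Constructed rule list standing in for an exported SSM application ruleset.
SAMPLE_RULES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\Program Files\Opera\opera.exe",
    r"C:\WINDOWS\system32\explorer.exe",  # constructed: second explorer.exe, wrong directory
    r"C:\Documents and Settings\me\Local Settings\Temp\svch0st.exe",  # constructed: lookalike name
]

LOOKALIKE_DISTANCE = 2  # tunable; 1 catches single-character swaps, 2 also catches transpositions


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_rules(rule_paths):
    """Return (kind, name, detail) findings worth a manual look.

    kind is one of:
      duplicate-name   the same basename is ruled at more than one directory
      unexpected-path  a core binary is ruled outside its expected directory
      lookalike        a name that is not a core binary but is very close to one
    """
    findings = []
    dirs_by_name = defaultdict(set)
    for path in rule_paths:
        directory, name = ntpath.split(path.lower())
        dirs_by_name[name].add(directory)

    for name, dirs in dirs_by_name.items():
        if len(dirs) > 1:
            findings.append(("duplicate-name", name, sorted(dirs)))
        if name in EXPECTED_DIR:
            for d in dirs:
                if d != EXPECTED_DIR[name]:
                    findings.append(("unexpected-path", name, d))
        else:
            for core in EXPECTED_DIR:
                if levenshtein(name, core) <= LOOKALIKE_DISTANCE:
                    findings.append(("lookalike", name, core))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit_rules(SAMPLE_RULES):
        print(f"{kind:<16} {name:<14} {detail}")
```

This is a review list rather than a verdict: a legitimate program whose name happens to sit within two edits of a core binary will also be listed, so each lookalike hit still needs the path and checksum looked at by hand, as the post suggests with the "locate" button.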
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    Wow! Thank you so much for your help. I'm learning. Maybe :)
    I did few screen shots of where svchost is when some applications run. Snagit is the one that bugs me.
    Snagit is in the system tray hooked to PrtScrn button, so likely svchost will be involved, maybe hooks cause the logs so big and it does startup during user initial login after booting.
    During, or towards the end of userinit.exe and winlogon, all that initial booting stuff, I have 90 entries of snagit.
    90snagitByUserinit.png
    Then when I do a screen shot and save it (browseui came in to save), I get 30 to 80 rows per second, total >300. Few screen shots will be thousands. PITA.
    330snagit-a.png
    and after saving a file, snagit still open
    330snagit-b.png
    In SSM I've set all columns to log. In both instances, all svchost columns to the right of what I showed are blank, so I can't tell what svchost is doing.

    My idea of windows hooks doesn't hold up though, because excel, while only doing 4-5 such svchost entries, has no hooks listed. MediaMonkey sets windows hook and it's so clearly listed in the log. Today I just see 2 instances. MM is my default player, so double click a .mp3 file after clicking on a drive shortcut then navigating through 2-3 directories
    MMandExcel.png
    In case I haven't made it clear, there might be other apps where svchost comes in, I just zeroed in on those during this learning. Just trying to figure out what's going on. Not easy SSM.

    I'm slowly going through your many ideas on the original post "unknown rules" issue.
    - AV is updating automatically. I'll try looking into it, not yet sure how.
    - Opera could, but is not updating. Flash is not. Java is not. I do them all.
    - One thing I do see in the rules is that explorer is a parent of explorer, and it showed up in the above screen shot as well, possibly due to file association (though notepad's .txt doesn't do it). I doubt I have a rootkit, though you never know. Before installing SSM, gmer was one app I used to check - nothing there, and Avira looks for it as well.
    There's only one instance of windows\explorer in the app rules.
    And "open new window" is not checked in any folder properties, neither is hunt for files on the internet.
    Oh, yes, I did APPLY rules, it works fine - here's explorer and Normal group setting
    Explorer2parents.png
     
    Last edited: Jul 9, 2011
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    I have a hunch that using shortcuts to drive partitions caused SSM to put a check in the parent column for explorer. SSM alerted after I changed checkmark to ?, applied, and hit this shortcut
    ExplorerShortcuts.png
    When I clicked, on a later alert, create a rule, the checkmark got back in.
    The presence of switches in the shortcut properties did not seem to cause it. I have one shortcut to explorer right next to the Start button. It has no switches, behaved the same.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I have never seen SSM logs like those on my PC. It has me asking if yours are unusually long or if mine are unusually quiet. Just out of curiosity, right after you boot up and before you do anything, how many instances of svchost do you have running? I think the difference between yours and mine has everything to do with how much mine has been stripped down and the number of services I've disabled. I normally prefer the free version of SSM. In order to use it, I removed SP3 from the PC right after I got it. As soon as I can, I'm going to dig up an old SP3 image for XP from before I stripped it down, load in SSM pro, and see if I get results like those. This will probably take a while, but now you've got me curious about this difference. It would be simpler if I had an XP install disk, but I'm stuck working with a pre-installed system. Never planned on getting XP. The PC was payment for other work. Are you using NTFS or FAT32?

    Most of those log entries have "open thread" in the entry. Under logging, the "interprocess activity" and "system control" options are probably responsible for most of those entries. Unchecking them for svchost or the entire group should quiet down the logging. Have you noticed if the extent of this logging is slowing down your system? IMO, that seems like a lot of unnecessary disk writing.

    You are right about your drive partition shortcuts. The command line shows that you did set them up to open the partitions in a new instance of explorer. The "drag and drop" shortcuts I use contain just a path and use the same instance of explorer. If you remove "%windir%\explorer.exe /n,/e,/root," from the shortcut and leave just "S:\", the shortcut will lead to the same place but won't use a separate instance of explorer to do it. It depends on what you need if such an arrangement would be suitable. If you need the separate instance of explorer.exe, by all means allow it.
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    Explorer parent - gone. Thanks! I need it only for one shortcut. Two, three others don't need the second instance.

    My drive is a laptop drive, 5400rpm, NTFS.
    Laptop is fast, 3 GHz, 1 GB RAM, Pentium 4. I didn't notice slowdown, not much HD activity. The slowest thing is opening the SSM log :( with % loading indicator due to those too many snagit lines. I just tried to stop interprocess activity under svchost. No log entry for snagit at all. I'll play with it more. Don't want to toss out important information, which I'm sure I just did.

    You asked about svchost instances, I see five. Might as well show PE state right after bootup and login. Let me know if it answers your question
    PE-bootup.png
    Blue rows belong to user=me.
    1st svchost is for DCOM and Terminal services. Sometimes wmiprvsvc.exe runs under it and goes away.
    2nd is RPC
    3rd does a lot:
    PE-Svchost3.png
    4th is TCP/NetBios stuff
    5th is related to my camera.

    OT: See that firewall GUI? It allows me to see it when fast switch users (Kerio can't do that unfortunately, so it lives on another box). Cost of convenience of this and great IP groups is 16meg with most features turned off :(

    If you do revert to XP-SP3, don't forget the couple hundred patches will take a lot of time. I wanted to discourage you from doing it, but perhaps you will find why process with no rules - I haven't yet started playing with possible AV effect.
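Added example, not part of this thread or of SSM: the question of how many svchost instances are running and which services each one hosts (answered above with Process Explorer screenshots) can also be answered from the text output of `tasklist /svc`, which ships with XP Professional. This Python script parses that output, including the wrapped continuation lines that a long service list produces, maps each svchost PID to its services, and lists any svchost.exe that hosts no service at all, which is the case that deserves a look at its path and parent. The output below is constructed for the example: the service names are real XP service names, but the PIDs and the grouping are made up, and the pid 1760 row is a planted anomaly.

```python
import re

# Constructed `tasklist /svc` output, loosely modelled on the five svchost
# instances described in the thread plus one deliberately odd instance
# (pid 1760) that hosts no service.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       580 N/A
csrss.exe                      648 N/A
winlogon.exe                   672 N/A
services.exe                   716 Eventlog, PlugPlay
lsass.exe                      728 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    896 DcomLaunch, TermService
svchost.exe                    964 RpcSs
svchost.exe                   1084 AudioSrv, Browser, CryptSvc, Dhcp,
                                   EventSystem, lanmanserver,
                                   lanmanworkstation, Netman, RasMan,
                                   Schedule, SENS, TapiSrv, Themes, W32Time,
                                   winmgmt, wuauserv, WZCSVC
svchost.exe                   1144 Dnscache
svchost.exe                   1204 LmHosts, SSDPSRV, WebClient
svchost.exe                   1760 N/A
spoolsv.exe                   1472 Spooler
explorer.exe                  1600 N/A
"""

# A data row: image name (may contain spaces), PID, then the service list.
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split_services(text):
    return [s.strip() for s in text.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` text into [{image, pid, services}] in output order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.startswith("Image Name"):
            continue  # blank, separator or header row
        if line[0].isspace():
            # A row whose service list was too long wraps onto indented lines
            # that belong to the previous entry.
            if entries:
                entries[-1]["services"].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # not a row we understand
        entries.append({
            "image": m.group("image"),
            "pid": int(m.group("pid")),
            "services": _split_services(m.group("svcs")),
        })
    return entries


def svchost_instances(entries):
    """pid -> hosted services for every svchost.exe row."""
    return {e["pid"]: e["services"] for e in entries if e["image"].lower() == "svchost.exe"}


def host_of(entries, service):
    """PID of the process hosting `service` (case-insensitive), or None."""
    for e in entries:
        if service.lower() in (s.lower() for s in e["services"]):
            return e["pid"]
    return None


def empty_svchosts(entries):
    """svchost.exe rows hosting no service: check their path and parent."""
    return [e["pid"] for e in entries
            if e["image"].lower() == "svchost.exe" and not e["services"]]


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid, svcs in svchost_instances(rows).items():
        print(f"svchost.exe pid={pid:<5} {len(svcs):>2} services: {', '.join(svcs) or '(none)'}")
    print("svchost instances with no service:", empty_svchosts(rows))
```

On a live box the same parser is fed the real output (`tasklist /svc > svc.txt`, then read the file); the count of svchost rows is the answer to the question asked above, and `host_of` tells you which instance a given service, such as TermService or Dhcp, lives in when an SSM log entry names only "svchost".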
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The difference between your system and mine is huge. At this moment, I have half that number of processes running and half as many services. Not having SP3 probably has a lot to do with it too. Looking at those has me remembering fighting with something here that produced a lot of prompts from SSM free. As always, at times like this I'm kicking myself for not taking notes.
    I won't be going to SP3 on my default system. I'll just put the original hard drive back in, unhook the external drives, reload the original image, and get it up to date. There's been more than one instance when I've wanted a "normal" updated SP3 unit for testing. This will give me another reason to get it built.

    Regarding the Sunbelt firewall, I'll have to give it a look. I don't use fast user switching on this PC, but that does look interesting.
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    Sunbelt FW is very cool, really. Their HIPS is limited to code injection and buffer overflow. Their behavior watch is good as in SSM. You allow explorer to run something - it does NOT mean you allow explorer to run everything. I think few firewalls do it that nicely. It's just you gotta disable web watch and intrusions and applications and just make your own rules, like in Kerio, and that includes IP groups! (Remember? Kerio has only one place for a list of trusted IPs, here you can have several and turn them on and off in a jiffy, and yet just one rule)

    Incidentally, I normally shut off Sunbelt Hips and behavior. But it's perfectly all right with SSM. SSM alerts first, and sometimes more detail, then Sunbelt alerts. Busy work but works fine on XP-SP3.

    We took few detours during this thread. Here's my situation regarding the original theme, that of SSM telling me about 'running processes without rules'.
    Yes, it appears to be usually related to antivirus. Reason we don't see it all the time, with every upgrade, I think is that it depends which of the many Avira components run at the time. Sounds correct or not?
    I also get that kind of alert when a new process is added to an already permitted application. Just the other day I wanted to copy something from Outlook to notepad - SSM kicked in an alert because, again, I think, Outlook previously did not run Notepad.
    Does this make sense? Unaccounted for bits and pieces?

    Still, I do not like it that SSM is not telling me what it is that's new. I think it's dangerous and scares me.

    I tamed Snagit logging, so can finally read the logs without all the needless trash :)
     