SSM DLL alerts are not appropriate?

Discussion in 'other anti-malware software' started by aigle, Apr 13, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, I am seeing this in SSM 618 (beta). I removed all library files, but these are automatically added on boot. Explorer is certainly using browseui.dll, but I am only getting an alert for shell32.dll.

    Update:
    On the W2K setup, this library is given a popup. (I knew I had seen the popup for this DLL somewhere.)
    hook.jpg
     
    Last edited: Apr 24, 2007
  3. wat0114

    wat0114 Guest

    Then I'm not losing my mind o_O I also deleted the browseui.dll under the library tab, but nothing I did to try and regenerate the alert worked. Running the SSM 618 beta as well on XP Pro, SP2. Also got only the shell32.dll alert. But then this morning I noticed that a rule is silently created for the MS file ntvdm.exe, so when I went to save the screenshot seen below, I got alerted that Snagit32.exe wants to inject browseui.dll globally!
     

    Attached Files:

  4. aigle

    aigle Registered Member

    Hi Stem and wat! I am sure browseui.dll is allowed by default without a popup, but for some weird reason you will occasionally get a popup about this. I failed to get this popup now, but in the past I have surely seen this popup on my system.
    This is my conclusion. I posted on their forums, but in the SSM free section, as I was not sure.
     
  5. aigle

    aigle Registered Member

    Herbalist is getting it too on Windows 98.
     
  6. herbalist

    herbalist Guest

    I remember that discussion. On my box, it does affect the resulting ruleset. That's another topic. I assume that you're not running in learning mode now. If you're using the "block process creation" setting, SSM allows hooks or DLL injection by allowed processes when the rule is not specifically blocking it. On this setting, it only blocks processes. Rules made when using the "block process creation" setting have "allow" as the default library setting. In order to get rules created that don't allow hooks to libraries like browseUI.dll by default, you'll need to use the paranoiac setting.

    Try setting the program behavior setting to "block everything" and apply, then edit the library tab of the rule for explorer.exe as shown below and apply. Unless the free version is behaving that differently on XP than it does on 98 or 2K, you should get prompted.
    Explorer-libraries.gif
     
  7. aigle

    aigle Registered Member

    I have tried all options already. No popups.
     
  8. herbalist

    herbalist Guest

    I'm looking at my client's XP box that uses SSM free. There is a pre-existing rule for browseUI.dll, with explorer.exe and iexplore.exe listed as allowed sources.
    It behaves completely differently from my box. I reset both explorer and iexplore to "ask" on the library tab. Clicking on the menu in explorer or IE6 draws a prompt for shell32.dll instead of browseUI.dll, which is the alert I get on mine. The hook type was WH_GETMESSAGE on this XP box.

    So far, the only ways I can get a prompt for browseUI are by using "search" on the start menu or via an app's "save" dialog. Just got one from MSPaint when saving the screenshot. The alerts were for mouse hooks.
    browseUI.GIF
    Since SSM free does give an alert for browseUI on both 98 and 2K, but on XP the same activity brings an alert for Shell32.dll, I'm wondering if the system files themselves perform different tasks on XP than on earlier systems. I'd dig into this deeper, but not without the owners' OK, and they're not available to ask.
    Rick
     
  9. wat0114

    wat0114 Guest

    That is the same behaviour I got using SSM Pro on my XP box. Only shell32.dll was prompted on - not browseUI.dll, until this morning when I went to save a screenshot using Snagit, then Snagit32.exe wanted to inject browseui.dll globally. Earlier, SSM silently allowed ntvdm.exe (located under the System folder in SSM) to inject browseui.dll.
     
  10. aigle

    aigle Registered Member

    I don't think so. See my post no. 17 and snapshot above. PS is giving a popup about browseui.dll injection here on XP SP2.
     
  11. aigle

    aigle Registered Member

    BTW, regarding global and non-global hooks, on their official forums they have promised to look into this issue with a possible fix if possible.
    However, nothing about browseui.dll so far.
     
  12. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    aigle, I think you're mixing something up here. What PS shows in that screenshot is iexplore.exe wanting to load this DLL into its own process space and not inject it into other processes. The prompt you see comes from the library/DLL load control module of PS (a unique PS feature that SSM does not have) and is something different from the hook module. SSM's "Libraries" is equivalent to PS' "Hook" section; both contain only those DLLs which get injected into other processes, whereas PS' "Library" lists all DLLs a program is allowed to load and use itself.
     
  13. aigle

    aigle Registered Member

    Hi, you may be right. I am not an expert at all.
    BTW, you are right that these are two separate issues. The browseui.dll issue was not my concern actually. It just came under discussion.
    My concern is the same as I posted in my first post.
    Browseui.dll is a separate issue, and that's the reason I made two threads on the syssafety forums.
     
  14. Stem

    Stem Firewall Expert

    @aigle,
    I was not looking at the time, but noticed (on XP): when opening Explorer -> File, an alert from SSM (full) is given for explorer~shell32 inject. If you go to Start menu -> Run and start to type in the "Run" box, an alert is given for explorer~browseui inject.
     
  15. aigle

    aigle Registered Member

    You are right, I got it. However, no browseui.dll alert on the File menu. PS gives an alert for both (shell32 and browseui.dll) on the File menu.
    Anyway, as long as it's a system DLL, I am not much concerned.
     