SSM Free Real-World Experiences

Discussion in 'other anti-malware software' started by glentrino2duo, Feb 13, 2007.

Thread Status:
Not open for further replies.
  1. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I've been using SSM Free since it came out, but I seem to feel that I can't see any real-world day-to-day benefit. Maybe, for any classical HIPS for that matter. Perhaps some day when something bad gets past and actually reaches my computer will I see its true value, which is why I still keep it. But with a good firewall (linux) and safe hex, this possibility might not be in the near future.
    Now, I want to ask anyone using SSM Free or even the paid one, what bad process or malicious programs have you actually caught with SSM? This is with regards to regular day to day computing and not doing any leak test...
     
  2. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I'm the same, haven't had any real-world malware alerts that I know of. I attribute that to my safe surfing habits; however, I continue running it just in case something does. It doesn't noticeably affect my system's performance, so I'd rather have it and not need it than need it and not have it.
     
  3. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    SSM free -- effective??

    I'm looking for some "hole-filler" app that will cover me from intrusions. I'm running nod32 and jetico v.1 behind a NAT. I was running SpySweeper full-time but it is a resource hog and really slows down everything.

    1. Will SSM-free cover me from any possible intrusions/injections??

    2. Is paid SSM much better? How much?


    Thanks!
    :eek:
     
  4. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Catching something bad is not the only reason to have apps like SSM, but also to control the behavior of "legitimate" processes and apps.

    That's mostly what I use SSM (free and paid) for.
     
  5. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Re: SSM free -- effective??

    The free SSM is still very effective. You can check the comparisons between the free and paid versions. It will cover you from possible intrusions/injections as long as you know/learn how to use it. You may desire something simpler such as Process Guard or some of the other similar apps out there. You did well to get rid of Spysweeper. It became a bloated hunk-of-junk. Besides, the built-in antispyware monitor in NOD32 ver 2.7 is excellent.
     
  6. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Re: SSM free -- effective??

    Since you already have Jetico, I believe SSM free will not be too much to add to your arsenal. You can also go the Cyberhawk free route, though SSM free gives you more control. Either of the two, you should be covered from "any possible intrusions/injections." Of course, you can just run on-demand antispywares whenever you feel like it... :)
     
  7. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I don't really know, since I keep the GUI disconnected, so whatever it blocks, I, and all the others who use this computer, are completely unaware of what happens.

    Alphalutra1
     
  8. herbalist

    herbalist Guest

    I also run with the UI disconnected, so I don't see any alerts. This is one instance where SSM is different than many of the more conventional security apps. I used to run a firewall that alerted to every port scan. The alerts were basically useless for any purpose other than providing a means for the security app to remind you that it's there and to tell you that it's doing something. Once configured, SSM is normally silent. For those who are used to a firewall that alerts to every stray packet, this takes some getting used to.
    While this isn't exactly normal usage, when I was testing SSM's ability to replace my resident AV, I deliberately visited several malicious sites. SSM prompted quite a few times on those sites. Usually the alert said something like "Internet Explorer wants to run....", naming a system component or some temp file I didn't click and wasn't trying to run. Depending on how you have the dependencies for IE6 configured, you can get some idea of how SSM would function when a malicious page is opened by visiting Windows Update. The update page launches a few processes via IE6, which SSM should alert you to if it's not already configured to permit that activity. Some malicious sites use similar methods, using one process like IE6 to launch or exploit another. In normal usage, a user doesn't encounter a malicious site that often, and apps like SSM just sit quiet.
    The other day, my wife wanted to print some coupons she found on some site. When she clicked the "print" link, SSM alerted to a new process trying to start. That "print" button would have installed either adware or a trojan, depending on whose description you use. On a friend's PC last week, SSM intercepted a homepage hijack, attempted by one of those pages that won't close by normal means until you agree to what they want. She was searching for a crochet pattern.
    To many, SSM might seem like it's more than is necessary, but consider these things. In spite of a weekly patch day, new exploits are found almost daily. Microsoft patched 20 the last time, half of them classified as critical. AVs are almost useless against newly discovered exploits. Malware is evolving faster than AVs can add it to their detections. Rootkits are becoming extremely hard to detect and even harder to remove. When one missed detection or one mistake in judgement can result in a very nasty infection, prevention is key. Apps like SSM are one of the few things that can defend a system against previously unknown exploits or malware, if the user has configured it properly. If a free app can save you from a single reformatting or difficult cleaning job, isn't it worth it?
    Rick
     
  9. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    So I guess my question refined is: how much "real world" difference is there between SSM free and paid?

    Thanks to all who have already commented and to those who will!
     
  10. tlu

    tlu Guest

    No offense, herbalist, since you said that this isn't normal usage - but: If somebody gets SSM prompts by simply surfing the Net, he/she should really reconsider his/her security concept (and that's what most users forget: Security is a concept and not only running a HIPS!). If he is always logged in as admin (of course), runs MS Internet Explorer (of course) with ActiveX, scripting and whatever enabled (of course), I'm not overly astonished that he gets these prompts. I also use SSM but I've never got these types of prompts although I've also visited many malicious sites (being a curious guy ;)).

    If somebody is making SSM his first line of defense, he has no security concept or it is deeply fallacious. Simply relying on a HIPS (with possible flaws) but neglecting basic preventive measures is nothing but careless.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Btw, I've noticed that SSM free is not always able to prevent processes from executing, especially if they are not launched by explorer.exe, a serious bug. The Pro version is definitely better, but I have read on their forum that they will soon update the Free version. I assume they will now use the same code base as the Pro version, of course with certain features disabled but with the same GUI and bugfixes. :)
     
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    A fair question and in my opinion very little!

    In the real world the extra features you get will never be needed because the malware never gets to run and therefore never gets to engage in the activities the extra features are protecting against. (Unless you allow it to run eg by installing dodgy software with a trojan attached).

    I personally enjoy the extras, but that is because I like seeing what is happening on my system and like being able to control things (as was said by an earlier poster) but that has nothing to do with real world security - for that 'execution protection' will prevent a drive-by D/L from ever running.

    I have been using PG for over 2 years, and now I have SSM full, but although I regularly go to 'bad' sites (using IE6 as my sole browser and I always run on an Admin account) and have been attacked countless times (on one memorable session at a very naughty site KAV picked up over 1,450 trojan/exploits while I was clicking away!) I have NEVER had a pop-up from PG or SSM warning me about anything - nor have they EVER had to protect my system (though, on very infrequent occasions I have had pop-ups from ZAP warning about IE attempting to spawn Rundll32.exe etc - obviously PG/SSM would have responded had I clicked to accept in those pop-ups).

    The reason that PG/SSM has never had to save me is that most exploits get picked up by my AV, those that don't wouldn't hurt a fully patched system, and the very few that could hurt don't hurt because my browser/FW is set to block dangerous code etc - often it will be Java Script these days, but with a locked up browser there is very little the exploit can do. If, one of these days, I get unlucky and an exploit does succeed in putting a trojan on my HD, it is not going to run so long as I have PG or SSM basic; so that is my insurance! In the 'real world', with care, that is all you really need.

    If you ever get one of those, bring up TM and terminate IE - problem solved! (If the worst comes to the worst, just pull the lead out of the socket and disconnect from the net - anything so long as you do not 'accept'!).

    That is serious, you won't find this problem with PG, which is just one reason why it is safer to run than SSM for the uninitiated.
     
  13. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Those popups that don't go until you say yes are really annoying, and I got infected once with one of those when I was unsafe lodore about 4 years ago :D
    Turning off the messenger service should stop those from ever popping up.
    Not going on dodgy sites helps though lol
    lodore
     
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Aw, come on lodore, you're missing out on all the fun! :D

    Does it, how is that connected to IE Windows and infection? o_O

    Surely messenger service is more to do with spam.
     
  15. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I found out the reason the popups won't go away unless you press yes is because it's using the messenger service.
    The messenger service is meant for an admin to message users about important information, and they only have an OK button.
    The spyware ads only have an OK button and have to be stopped by using task manager if you don't want the infection.
    So by turning off the messenger service the popups don't come up and can't infect you.
    If I am wrong and they don't use the messenger service to do the popups, then what do they use?

    Btw, trust me, my old PC had that fun when I once stupidly looked for Nero cracks =D and then it turned out it had over 200 spyware and 20 trojans. No wonder it always crashed and never completed ScanDisk =D
    lodore
     
  16. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Thanks for your feedback. Don't PG and SSM overlap a lot, though??

    //
     
  17. herbalist

    herbalist Guest

    Yes, the incidents I described were testing, using known malicious sites and yes, I used only SSM free and Kerio 2.1.5 during this testing. I also used IE6 on its default settings, which basically duplicates the average user. Using my normal setup wouldn't have been much of a test. For all purposes, the only difference between what I was doing and "normal usage" is that I chose to visit a malicious site. In real life, you don't know it's coming. It doesn't have to be porn or warez sites. It can happen anywhere, like the Dolphin stadium website.

    I never said that using HIPS equals security. I did say that it's one of the few security apps that can defend against unknown malware and new exploits when it's properly configured. If you look at my other posts, I always recommend layered security, using separate components. I limited the subject to SSM usage, since that is the topic of this thread. On any system that I secure for someone else, the firewall is the first line of defense, along with an AV and SSM if it's used on that particular system. Yes, I also tighten system and browser settings as much as their usage habits allow.

    I wish I could get all my clients to use a different browser, disable ActiveX, practice safer surfing, etc. Some do, some don't. I can't force them, so I do the best I can to protect them from themselves. Some of them couldn't begin to form a security strategy, so I install and configure the security apps for them. Coming up with a security strategy for yourself is easy. Making one for someone else that accommodates their particular usage is harder, especially when their "normal usage" includes ActiveX games, IM, and sharing every joke or unusual picture they find with their friends. For them, the internet and the PC are primarily for entertainment. Disabling vulnerable items like ActiveX would take that away from them. Their PC, their choice. All I ask of them is that when they see a prompt from a security app they don't understand, either deny it or contact me.

    As mentioned in another post in this thread, SSM is useful for more than just malware protection. Controlling the behavior of legitimate software and windows components are high on my list. The window filter makes an effective parental control tool. It can be used to deny access to folders, documents, websites, etc.
    Rick
     
  18. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Oh yes, they certainly do (though SSM does much more) it is just that things like execution protection and the ability to allow programs to run or have to ask permission first is implemented differently in each, it is much more plain and comprehensible in PG which is why the problem highlighted by Rasheed187 could not happen with PG, thus ease of configuration makes it easier, and hence safer, to use than SSM for the average user.

    In PG you just have a list of apps, together with the protection applicable to each, and a second list stating whether each prog on it can run (or be blocked), or must ask for permission first. These lists may be easily created using learning mode. With SSM, on the other hand, it is not so transparent since child/parent relationships determine what can run and in what circumstances; it is very easy to misconfigure it. Basically, in SSM, if you want something to ask before running in any circumstances, you must either take it off the list altogether (so it becomes an unregistered app) or make it ask in all its Child/Parent relationships - but even here we can hit a snag with a system file such as ntvdm.exe (which can be used to run other executables, such as .com files, and therefore needs to be controlled) which has default settings that could preclude this. (In the latest SSM it has been assigned to the System Group).

    So things are not straightforward, but basically if a new program (such as a trojan in your TIFs) wants to run it must seek permission; and that basic protection is in the free version. The full version can protect network access (though your FW is most likely doing that anyway), protect certain Registry locations, inform you of new Services starting up - and a whole host of other things, none of which will happen if you do not foolishly allow the malware file to run in the first place.
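
    The parent/child versus flat-list distinction that herbalist (post 8) and TopperID (post 18) describe, as an added example written for this page. It is not code from SSM, Process Guard or any poster: both policy styles are modelled on constructed, Sysmon-like process-creation lines, and the HOSTS table shows the snag with trusted binaries such as ntvdm.exe and rundll32.exe that run other code named on their command line. That a monitor would see the DOS program's path on ntvdm's command line is an assumption made for the illustration.

```python
"""
Process-execution policy evaluator: an added example written for this page,
not code from System Safety Monitor, Process Guard or any poster.  It models
the two styles compared in the thread on constructed, Sysmon-like events:

  style="flat"  one allow/block/ask entry per executable (the PG list)
  style="tree"  rules keyed on (parent, child) pairs     (the SSM approach)

HOSTS models the snag raised above: rundll32.exe and ntvdm.exe are trusted
system binaries that run other code named on their command line.  That the
monitor sees the .com file on ntvdm's command line is an assumption here.
"""
import ntpath
import shlex

ALLOW, BLOCK, ASK = "allow", "block", "ask"

# Constructed sample events for the example, not real logs.
SAMPLE_EVENTS = [
    r"Image=C:\WINDOWS\notepad.exe|ParentImage=C:\WINDOWS\explorer.exe|CommandLine=notepad.exe",
    r"Image=C:\WINDOWS\system32\wuauclt.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|CommandLine=wuauclt.exe /detectnow",
    r"Image=C:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\coupon_print.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|CommandLine=coupon_print.exe",
    r"Image=C:\WINDOWS\system32\rundll32.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|CommandLine=rundll32.exe C:\DOCUME~1\Jane\LOCALS~1\Temp\hp.dll,DllMain",
    r"Image=C:\WINDOWS\system32\ntvdm.exe|ParentImage=C:\WINDOWS\explorer.exe|CommandLine=ntvdm.exe -i C:\Downloads\pattern.com",
]

# PG style: one verdict per executable name; anything unregistered must ask.
FLAT_RULES = {n: ALLOW for n in ("explorer.exe", "iexplore.exe", "notepad.exe",
                                 "wuauclt.exe", "rundll32.exe", "ntvdm.exe")}

# SSM style: (parent, child) -> verdict, "*" = any parent; unknown child asks.
TREE_RULES = {
    ("explorer.exe", "notepad.exe"): ALLOW,
    ("iexplore.exe", "wuauclt.exe"): ALLOW,   # the Windows Update page launches it
    ("iexplore.exe", "rundll32.exe"): ASK,     # a browser spawning rundll32 is suspect
    ("iexplore.exe", "cmd.exe"): BLOCK,        # never wanted from a browser
    ("*", "rundll32.exe"): ALLOW,
    ("*", "ntvdm.exe"): ALLOW,                 # default "system group" treatment
}

# Host binaries: map their command-line arguments to the code they really run.
HOSTS = {
    "rundll32.exe": lambda args: args[0].split(",")[0] if args else None,
    "ntvdm.exe": lambda args: next(
        (a for a in args if a.lower().endswith((".com", ".exe"))), None),
}


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def parse_event(line):
    """Split 'Image=..|ParentImage=..|CommandLine=..' into (image, parent, cmdline)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return fields["Image"], fields["ParentImage"], fields["CommandLine"]


def effective_child(image, cmdline, unwrap_hosts):
    """Name to police: the image itself, or the payload a host binary is running."""
    name = basename(image)
    if unwrap_hosts and name in HOSTS:
        target = HOSTS[name](shlex.split(cmdline, posix=False)[1:])
        if target:
            return basename(target)
    return name


def evaluate(line, style="tree", unwrap_hosts=False):
    """Return allow/block/ask for one event under the chosen policy style."""
    image, parent, cmdline = parse_event(line)
    child = effective_child(image, cmdline, unwrap_hosts)
    if style == "flat":
        return FLAT_RULES.get(child, ASK)
    for key in ((basename(parent), child), ("*", child)):
        if key in TREE_RULES:
            return TREE_RULES[key]
    return ASK


def silent_gaps(events, style):
    """Payloads a policy lets run without a prompt until host binaries are unwrapped."""
    gaps = []
    for line in events:
        image, _, cmdline = parse_event(line)
        if evaluate(line, style, False) == ALLOW and evaluate(line, style, True) != ALLOW:
            gaps.append(effective_child(image, cmdline, True))
    return gaps


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        image, parent, _ = parse_event(line)
        print(f"{basename(parent):>13} -> {basename(image):<16}"
              f" flat={evaluate(line, 'flat'):<5} tree={evaluate(line, 'tree'):<5}"
              f" flat+hosts={evaluate(line, 'flat', True):<5}"
              f" tree+hosts={evaluate(line, 'tree', True)}")
    print("flat gaps:", silent_gaps(SAMPLE_EVENTS, "flat"))
    print("tree gaps:", silent_gaps(SAMPLE_EVENTS, "tree"))
```

    Run as written, the unregistered coupon_print.exe spawned by iexplore.exe asks under both styles, which is the "execution protection" both posters rely on. The flat list lets rundll32.exe run silently whatever DLL it was handed, while the parent/child table catches it because the browser is the parent; but with ntvdm.exe defaulted to allow for any parent, both styles let the .com file through until the policy looks at the hosted payload rather than the host, which is the configuration snag TopperID points at.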
     
  19. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    @Herbalist As always, you give logical comments, especially about SSM. When I posted this topic, I knew you'd drop by because of your vast experience with SSM. Thanks for your replies.
    I don't intend to ditch SSM, I was just looking for real-world experiences to boost my confidence in SSM. Yes, aside from possible interception of malicious programs, I also use it to control legitimate programs behavior.
     
  20. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Thanks again, Top. I've now installed both SSM and PG (free versions) to stand in the gap(s) my Jetico v.1 may have. As I am behind a router, I assume I'm protected from outside break-ins (?). Now, with SSM/PG (free versions both) I feel I am protected from inside attempts to mess with my system. (I'm running nod32, also.)

    Am I misunderstanding something or leaving anything out??

    //
     
  21. tlu

    tlu Guest

    I agree. That's why it's important to have a fully patched system, using a (relatively) safe browser like Firefox and disabling Javascript, Java and other Active Content by default through Noscript. And if it happens on a usually trustworthy site (where you enabled JS) captured by hackers, being logged in as a normal user protects you against most of these threats and other zero-day attacks.

    I know that, and my remark wasn't meant to be personal. I made it because I watch a growing and annoying tendency here in the forum that for being safe it's only important to use the right HIPS. In countless threads various HIPS, AV and firewall programs are "compared" with postings that maintain that program A is better than program B without going into details, let alone presenting a meaningful comparison test. That's not only boring - it's going into the wrong direction. And it's a strong hint that the improved security features in Vista won't be used by most users (as mentioned here) - why should they? They have their HIPS after all ...:ouch:. And at the same time, many of them have probably disabled automatic updates in Windows because they are afraid of being spied out...

    Yes, I understand your problem. But are you sure that these people not willing to apply basic security measures are able to properly use a complex program like SSM? I'm not.

    Sure, I agree. But the security problems of most users start at a much earlier stage.
     
  22. herbalist

    herbalist Guest

    I didn't take your comments as personal. I apologize if I sounded that way. One of those days at work that make you want to strangle something.
    On the PCs I maintain that have SSM installed, I spent the better part of a day making the basic ruleset for them. On most of them, the UI is disconnected so they don't get prompted. With the ones that wouldn't just click thru the alerts, I leave it connected. No, it's not foolproof by any means and does result in some inconvenient phone calls and IMs, but for the most part it's working. Visited one of them last night after posting here. Found a trojan and New.net in the temp files on their PC, but neither got installed. I don't install SSM on a client's PC unless I'm sure that they'll deny what they don't recognize.
    I completely agree. Too much emphasis on features, leaktests, which is newest, etc. The ones that really get me are the ones running (or wanting to run) multiple HIPS apps. 2 separate apps, both wanting to have the "last say" on what's allowed. I'm amazed that there aren't more "my PC is locked up" threads. It used to be common knowledge: one firewall, one resident AV, using more can cause conflicts. The same should apply to HIPS and any security-ware that hooks the kernel, as the potential for conflict is even greater. I don't see the point to using 2 unless you don't trust either one to do the job. Makes me want to ask, "if you don't trust it to work, why are you using it?"
    As for Vista, IMO the security gains aren't that substantial and are more than offset by other "security features", starting with their locking vendors out of the kernel. I've been telling my clients to avoid Vista. If Vista does have any security advantages, it isn't worth the loss of privacy and control.
    Windows Update and deciding whether or not to let it run automatically is a tradeoff anymore. I won't argue that security patches are necessary, especially for XP, but M$ has demonstrated that they'll install more than security patches with it. I find it difficult to tell a client to allow auto-updating from a company that's proving they can't be trusted. I've had to make extra trips to 2 clients thanks to WGA. When M$ announced that IE7 was going to be installed automatically, I disabled auto-updating on most of their PCs. I'd rather update all of them manually or contact them individually about what to install. Maybe I'm wrong, but the more I see and read about Microsoft, the more I'm convinced that they're just distributing spyware disguised as operating systems. That's one place where HIPS apps like SSM are tops, controlling what M$ can do to a system.
    Rick
     
  23. EASTER.2010

    EASTER.2010 Guest

    I am becoming bombarded with phone calls and people wanting me to pull Vista out of their new PCs. They absolutely hate it with a passion, likely because some of the complaints in my ear have to do with their printers and other peripherals not working at all thanks to the driver issues, I suppose.

    I suggest they contact or hit the web page to their equipment manufacturer to get a Vista updated driver for them and they still are screaming nothing works and they are simply disgusted with it.

    I got 2 service calls to take on where my customers want me to pull Vista completely out in exchange for XP again. :D Well what do you know about that? :cool: Good going Microsoft, you really are starting off on some good footing with customers already. ROFL :D

    OK, back to SSM. I slammed on the brakes and am holding at version 206.568, and that is where I am staying since it does all that I could ever expect and thankfully without the extras that have been upgraded into it that frankly influenced my decision to stop where it best served my own needs.
    I got enough firewall and pro-active defense now with KIS6 "AND", for crying out loud, right back again with KERIO 2.15, which to my surprise AND relief works absolutely flawlessly along with the KIS6 firewall; that's right, 2 of them. First time I've been able to successfully pull that off, but it's staying right like it is.
    System Safety Monitor is a dream come true. I can finally examine when and what "driver" is loaded and, when you exit a program that requires such, whether or not it releases that driver or allows it to hang.

    Fantastic invention SSM, and I still could not be any more satisfied and pleased by any other decision I have ever turned to before than this one.
     
  24. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Thanks for that info E.2010..
    Some good applications implicitly say their programs come with IE toolbars which you can uninstall later. SSM allows me to prevent them from installing at all. Yeah, that's fantastic to me also! :)
     
  25. herbalist

    herbalist Guest

    I especially like the window filter for keeping other users out of certain parts of the system, like control panel applets, IE settings, and any specific folders or files you choose to add.

    Another not so usual use for SSM is capturing Windows updates, especially the software that's only available via an online install. If you require it to ask before launching the updates installer, it shows you where the file is and the installer name. They use some odd locations at times. I've found a WUTemp folder on my external drive. You can copy them to another location before allowing it to run. Very useful for backup sets.

    When I used AntiVir 6, I used it to stop that notifier from running. While this was easy enough on XP, it wasn't as easy on a 9X box.

    I use it to stop Yahoo IM from hooking the keyboard and mouse. Works fine without them. From what Ive read, they're for the message archiving, which I won't use. Yahoo IM also tries to access Regedit on my box when it starts, which it doesn't need.

    On my 98 box, I use it to block the hooks of IE6 and Windows Explorer, including the hook that's used when "Find" is used. They work fine without them. On 9X boxes, several apps and components want to set hooks, but most of them work fine without them. Makes me question what they're really for.
    Rick
     