SSM - One Opinion, and One Question...

Discussion in 'other anti-malware software' started by PhoenixWeb, Jan 24, 2007.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The problems with SSM are its complexity; any fool can install it, have it in learning mode for a bit, take it out of learning mode and then think he is protected. But unfortunately he will not be adequately protected if he does not understand the implications of its actions.

    I can't argue with this review extract:-
     
  2. EASTER.2010

    EASTER.2010 Guest

    Neither do I; I've been using this one since it was way back in beta and it's been like a mini-miracle for my machine. Although I would never suggest it as a pure replacement for an AV, I certainly have replaced my AV with it and not been disappointed one iota.

    I never tried a Prevx or PG but there are many who have regarded them highly, so when you find those satisfied users turning to SSM after having relied on those programs for so long, there must be something very useful for them that they find in SSM now in comparison.

    I've thrown everything at it including the kitchen sink and its stability is nothing short of fantastic AFAIK.
    SSM will stay first and foremost with my confidence in it until it proves otherwise.

    System Safety Monitor certainly can be intimidating AT FIRST!
    Even I was in awe of so many features/rules to compare & set at first glance and wondered if this was a bit much. It did take some considerable time to perfect but was well worth the effort & wait. I never tried Learning Mode because it was "I" who was wanting to "Learn" all the ins and outs and set/establish my own "SolidSteel-Like" rules.

    Depends on how tight you want to ramp up SSM against anything malicious.
     
  3. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Yeah, if. What a glowing endorsement for anyone who may aspire to give this type of security app a try. Nothing but focusing on the negative. No, just stick with what you already know because you probably don't have the ability to figure this stuff out. Just keep it nice and simple so you don't have to think :rolleyes: ...unbelievable.

    Good to see someone who can think for themselves :)
     
  4. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I'm glad TopperID posted that for you. I was just about to post it and saw it had already been posted. For some reason, I don't have that section in my 3.15 help file or I would have set it to System a long time ago. When I did finally do this, PG loaded before everything except my video driver. It gave one time permissions to a bunch of programs in the systray that had been loading before it. I've had no problems with setting the driver to System instead of automatic. At automatic, it loaded about 8th in the systray.

    If I were to set SSM to load "with Windows" where in the process does its driver load? I can't check it out because I don't want to uninstall PG and as I said I don't want to set SSM this way and then have PG and SSM fight each other, lockup, and freeze the computer or something. But I am very curious as to where in the boot process SSM loads its driver.
     
  5. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    You're ever so right! However...

    I've just spent a fair amount of time over the past months getting PG up & running in what I believe to be a rock solid configuration. While I'm certainly impressed by SSM's abilities, so far I have no reason to believe that switching to SSM would add to overall system security in everyday practice - as opposed to in theory - whilst the threat of actually compromising system safety due to one's ignorance is, as you rightfully pointed out, very real. So yes, at this time I prefer to 'just keep it nice and simple'. Please correct me if I'm wrong.
     
    Last edited: Jan 27, 2007
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I can't speak for why users may be turning from Prevx to SSM but for PG users, at least myself and I think most others also, it has nothing to do with "something very useful for them that they find in SSM now in comparison". The reason is simple. PG is no longer being developed, therefore, it has a limited life value now sadly to say. Eventually all of us PG users will have to turn elsewhere as PG becomes too stale. I don't believe (although many panicked and left PG even before Wilders made the announcement about the forums) that PG will need to be abandoned for quite some time. I'm trying SSM at this time only because of the site of the day giveaway of SSM. I was not going to install it for some time then I learned that this giveaway is good only until the middle of May so I figured I better install and see if I can get used to it enough to later, when PG is too old, switch to it. So, I think people are coming to SSM from PG only because PG development and support have stopped. People are also trying all the HIPS software looking for a replacement for the Gold Standard and, of course, there is no replacement and I hurt every day when I think about when I will feel it necessary to give up PG. I still hope that somehow Wayne will work out whatever his problems are and reappear before that day comes when I have to stop using PG because it is too old. PG and Proxo are my two favorite applications and I can't really imagine being without either.
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Well I took my life into my hands here and set SSM to 'Start automatically' with Windows and did a few boots alongside PG. The result was that SSM was incredibly fast into my sys tray - quite honestly I could have gone out and made a cup of tea between SSM loading and PG finally putting in an appearance! I have to admit I have PG set to 'Automatic' rather than 'System', but even so it really wouldn't have made that much difference!

    I do have a question for someone though - namely where are my application rules and exceptions? For two days I have been creating rules and clicking pop-ups (I took SSM out of learning mode after 5 mins so I could create my own rules) but now I can't find any of them. o_O

    Where can I go to edit and check on all the special exceptions I've allowed for what prog can run what other prog as a child, or what prog can make what changes to what Keys in the Registry etc.? I'm completely flummoxed; I've been tearing my hair out trying to find them - where are they? o_O
     
  8. theflamingbush

    theflamingbush Registered Member

    Joined:
    Sep 17, 2006
    Posts:
    25
    :p

    Under preferences, and then the application rules tab, right click on a process and you will be able to go into advanced properties down the bottom in bold; there you will see the parent/child associations and moderate them accordingly. I think this is what you were asking, no?
     
  9. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Set PG driver to "System" and then see what happens. Of course, SSM would probably load a lot faster than PG set to "Automatic" as then PG loads around 8th application in the systray on my computer. When I set PG driver to "System" I got a bunch of applications being allowed ONCE only because PG loaded before them which it NEVER did when on "Automatic". PG loads now right after the video driver and before anything else. I don't know if the behavior is any different if using 3.4.

    So, I don't think that was a fair test. SSM may still load before PG ...I don't know ...it would need to be tested that way and I'm reluctant to try it especially now that you say SSM loads very fast and way before PG set on automatic...I think there is a distinct possibility that they would fight it out to be first if PG driver was set on System. SSM might very well win since it is newer and currently developed (I just got a new version) but if you are really brave try it this way...I'm very curious...who knows, I might go against my better judgement and try it myself. If I do, I hope the saying "Curiosity killed the cat" doesn't apply. :D I guess in that case Safe Mode would be my saviour.
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Unfortunately not! I can certainly find the Child/Parent relationships, and I can tick boxes to allow apps to run as child or parent; but I cannot see any way to adjust rules to allow a specific app to run another specific app etc.

    Nor can I see any way to configure what progs may make what specific changes to Registry Keys; without that SSM would be all but useless for my requirements, so it must be there somewhere - but where?

    Mele, go on have a go, I dare you! Actually you'll be OK as the two apps don't fight each other at all.
     
  11. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Where is the best place to have PG and SSM load?

    I see a choice for "boot" also.
     
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
  13. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    Topper: Here Explorer is the parent and other chk'd boxes are child. Explorer has control over these.
     

    Attached Files:

  14. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    Here's some registry rules:
     

    Attached Files:

  15. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    You can get a decent measure of relative HIPS driver startup times by doing bootlogging (add the /bootlog switch to your boot.ini and check out the ntbtlog.txt in your \Windows directory after rebooting). For me, safemon.sys starts quite early, if not the earliest in my comparisons...

    Service Pack 2 1 27 2007 23:40:28.375
    Loaded driver \WINDOWS\system32\ntkrnlpa.exe
    Loaded driver \WINDOWS\system32\hal.dll
    Loaded driver \WINDOWS\system32\KDCOM.DLL
    Loaded driver \WINDOWS\system32\BOOTVID.dll
    Loaded driver ACPI.sys
    Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
    Loaded driver pci.sys
    Loaded driver isapnp.sys
    Loaded driver ohci1394.sys
    Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
    Loaded driver pciide.sys
    Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    Loaded driver MountMgr.sys
    Loaded driver ftdisk.sys
    Loaded driver dmload.sys
    Loaded driver dmio.sys
    Loaded driver PartMgr.sys
    Loaded driver safemon.sys


    Nick
     
  16. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    That ntbtlog is gigantic and has tons of not loaded drivers reported....repeated over and over and over. Then some loaded and some not and repeated over and over...not easy to find anything in that log! I finally found procguard but speed fan driver loads way before it even though I don't have speed fan running. It also claims RAID driver loaded yet Event Viewer always says it didn't load and Event Viewer is correct because I don't have RAID set up. So, I don't know what that refers to. Very strange log.
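
An added example, not part of any post in this thread: a Python script for the two points raised above, finding where a driver sits in the ntbtlog.txt load order and collapsing the entries that repeat. The sample log is constructed, procguard.sys and Example.SYS are assumed names, and treating any non-driver line as the start of a new boot session is an assumption about the file layout.

```python
import ntpath

LOADED, SKIPPED = "Loaded driver ", "Did not load driver "
# Constructed sample (not a real log); procguard.sys and Example.SYS are assumed names.
SAMPLE = r"""
Service Pack 2 1 27 2007 23:40:28.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver ACPI.sys
Loaded driver PartMgr.sys
Loaded driver safemon.sys
Did not load driver \SystemRoot\System32\Drivers\Example.SYS
Did not load driver \SystemRoot\System32\Drivers\Example.SYS
Loaded driver \SystemRoot\System32\Drivers\procguard.sys
Service Pack 2 1 28 2007 08:02:11.500
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\Drivers\procguard.sys
Loaded driver safemon.sys
"""

def parse_bootlog(text):
    """Split the log into boot sessions with ordered, de-duplicated drivers."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOADED):
            kind, path = "loaded", line[len(LOADED):]
        elif line.startswith(SKIPPED):
            kind, path = "skipped", line[len(SKIPPED):]
        elif current and not (current["loaded"] or current["skipped"]):
            current["header"] += " " + line  # header spanning several lines
            continue
        else:  # assumption: any other line opens a new boot session
            current = {"header": line, "loaded": [], "skipped": []}
            sessions.append(current)
            continue
        if current is None:  # driver line before any header
            current = {"header": "", "loaded": [], "skipped": []}
            sessions.append(current)
        name = ntpath.basename(path).lower()
        if name not in current[kind]:  # collapse the repeated entries
            current[kind].append(name)
    return sessions

def load_order(session, drivers):
    """Map each driver to its 1-based load position, None if it never loaded."""
    loaded = session["loaded"]
    return {d: loaded.index(d.lower()) + 1 if d.lower() in loaded else None
            for d in drivers}

if __name__ == "__main__":
    for s in parse_bootlog(SAMPLE):
        print(s["header"], load_order(s, ["safemon.sys", "procguard.sys"]))
```

Comparing the positions session by session shows whether a change to a driver's start type actually moved it ahead of the other HIPS driver on the next boot.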
     
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thanks screamer, I've got it now. ;)

    But it's not what I'd call obvious. :blink:

    From the Registry point of view, it seems you must allow exceptions for progs to entire groups of rules; which is far from satisfactory. I suppose there may be ways around that if you create new groups for exceptions and place them above the original group - but that would be highly inconvenient if many rules and groups were involved. Hey ho o_O
     
    Last edited: Jan 28, 2007
  18. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    I pretty much let SSM handle the reg for me. If you want more control over it:
     

    Attached Files:

  19. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    The "System Safety Manager 2.0 Core Engine" is in the list- I use Win2000
     
  20. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yeah, actually I have that option unchecked already 'cos I need to be able to create my own rules where I can.

    What I don't get though, is how come I'm just creating an application rule allowing changes on a whole Group/s of Reg rules, while you seem to have specific actions listed? Perhaps that is a consequence of you having the option in question checked while I do not?

    As I said, it's not good practice to allow an app. carte blanche to change whatever rules in a Group it likes, 'cos if it got exploited by malware it (Rundll32.exe in our example) would have more scope to cause damage. In RegDefend you can create incredibly restrictive Application rules which enable the app to do only what it has to do (eg to set data on a specific Value on a specific Key in the 'chain' being protected) and absolutely nothing else. But RD also has very detailed and easy to follow logs which makes that sort of rule creation rather straightforward.
     

    Attached Files:

  21. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Specific key/value:
     

    Attached Files:

  22. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Oh no! Now it seems I was doing the whole thing wrong and I have to delete all my Reg rules and start over again.

    That's exactly what I mean when I say SSM is unnecessarily complicated. :mad:
     
  23. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I've used SSM a long time and like the protection it provides very much, but I don't lose my head over it. By this I mean that while I know how to use it, I still realize that using it can be like having a second job, that it is in fact very complicated to use, and makes me yearn for the day when security software truly comes of age.

    Security software that requires users to become security hobbyists is security software that is poorly designed, in the grand scheme of things. Oh sure, just learn how processes interact, how to know when an application is launching another legitimately, what command line parameters are OK and which are not, when registry access is legitimate and when it is not--for all the myriad deep, dark corners of the registry--and so on. I can't believe that anyone honestly believes it is acceptable to expect an average user to do all of this. This is nonsense.

    Average users operate under an entirely different paradigm than most people here do. They just want to look at web sites, send email, and whatever else they choose to do with their computer. They don't want to have to learn when it's OK for applicationx.exe to write to a registry key ten levels below HKLM. And you know what? They shouldn't have to.

    And how about what SSM does to Windows updates? Since Windows updates employ their own mini-installers, SSM gets in the way of them, and can stop Automatic Updates from working altogether.

    Some day, Windows-based security software will be able to intelligently block harmful, illicit activity, without making users respond to 700 alerts a day, and without screwing the system up entirely. Mark my word. And don't tell me that such software exists already--I've seen them all, and it doesn't.
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm sorry to say, but it does exist. It has to mature, but it's here. I won't say out of fear of spamming. You have to know. Not only one, although my bet goes to one.

    I agree that SSM is not for everyday use. It can mess up the system, I agree. PG was different somehow, easier to work with. But still a bit too much for normal users. For Wilders members, it's different:)
     
  25. EASTER.2010

    EASTER.2010 Guest

    That can also depend on the steep climbing curve that's required to learn all the new additions these developers continue to pour into it.

    I stopped back at a version I was more at ease with and didn't have to learn all over again like when they changed the registry layout like the screenies above showing the triple checks and question marks as well as other various settings. Now there I agree is when you can make a mess of matters if not careful to take all the time needed to follow their progressions.
    Fortunately I don't have that kind of time to spend learning each and every new technique/setting they want to either change or invent.

    For me, SSM as it is in its earlier version before networking firewall and registry layout changes is as solid as a steel cage and needs nothing more, and if it does? Well, Kaspersky Internet Suite 6 is finished up the rest nicely thank you.
     