SSM Pro ----> Parent - Child Control

Discussion in 'other anti-malware software' started by Rasheed187, Jan 29, 2007.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Hi,

    Perhaps someone can explain this to me, because I don't get it. It seems to me that the new "Groups" feature in SSM Pro has messed things up a bit. If I'm correct, the whole "Parent - Child Control" feature of SSM is not working correctly anymore. The problem:

     
    Last edited: Jan 29, 2007
  2. ggf31416

    Re: SSM Pro & Parent - Child Control

    Select the Normal Group, right click, Advanced Properties and set child and parent for Normal Group to Ask (?). Unfortunately that will overwrite the existing rules but then you can use learning mode to set the parent-child relations for each process.
     

    Attached Files:

    • SSM.png
  3. cprtech

    *Edit*

    someone replied already.
     
  4. Rasheed187

    Thanks for the feedback, this fixed my problem. But as you can see I'm not really into the new "groups" feature at all, I always sort my "Applications Rules" (object names) non grouped, so this means that I have like 5 groups in my list that are pretty useless to me. Perhaps I'm a bit slow but I still don't see the point of the groups feature, can anyone explain?

    Also, there used to be a way to quickly see which applications are blocked from running (they showed up in red), but not anymore. Another question: I've noticed that even though rules are already in the list I now need to make a lot of rules again (I don't use learning mode). I assume this will not give me any problems upon reboot? Will "trust all running processes" do any good? :)
     
  5. cprtech

    The groups feature is very useful because you can set up custom "Special permissions" for the individual groups. For example, I have a group called "Secured" where I have the special permissions "Protect from termination", "Protect from suspending", "Protect from remote code control" and "protect from remote data modification" enabled. In this group I place my critical apps, such as my antivirus and firewall executables.

    Check under: Options->Highlighting and ensure the color for any blocked actions is red, or whatever color you desire.

    Additional rules would be required because of different parent/child relations, registry access, program has changed, requiring checksum recalculation, low level disk access...etc. There should be no problems upon reboot as long as you don't block a required process from having required influence on your system. For example, you don't want to be preventing services.exe from acting as a parent on svchost.exe. Trusting all running processes is too liberal. You should be able to specify permanent rules on an event-by-event basis for all apps and processes. The important thing to remember is to set all your groups with the ? on both the Parent and Child checkboxes.
     
  6. screamer

    You can also use Process Explorer or What's Running to set all your Parent / Child relationships. This can be used to create a tight rule set and circumvent the pop-up from "?".

    ...screamer
     
  7. Rasheed187

    @ cprtech (& Screamer)

    A bit late, but thanks for the feedback. I have to say that after installing SSM Pro, my system actually feels a lot more stable. :thumb:
     
  8. Old Monk

    Interesting. I'm a paid user of SSM and have in several threads made it known that for me personally I find it difficult. Having said that I sometimes can't resist a little play :D

    Notified of an update so I've just installed to see how it is and I remembered this post and this particular quote.

    Put LooknStop and others into a Security Group with those permissions and yes Task Manager couldn't terminate it.

    Just to experiment, put it back into Normal Group and yes TM could terminate it.

    BUT on restarting it LnS is now back as the trial with no Serial Number o_O o_O

    I tell you, SSM does seem to do some very, very strange things. Anyone like to comment on this?

    Now where's that print off with my serial number...
     
  9. TopperID

    The function to 'protect from termination' and 'protect from suspending' should only be used with discretion; usually on key system files that should never need to be terminated or suspended. However it is generally not recommended to use these protections for security progs such as AVs or FWs, unless you know exactly what you are doing, as these types of prog are well protected anyway and do sometimes need to be able to terminate/suspend parts of themselves. You can find yourself in trouble in certain circumstances denying termination/suspension to legit progs that need those rights.

    This is one area where PG really does score over SSM in my opinion; in PG any 'Protected' app with termination rights can terminate any other 'Protected' app while all 'Protected' apps are fully protected from termination by non-protected apps. This facilitates legitimate termination whilst protecting from termination by 'alien' processes. In SSM you don't seem to have the ability to protect progs from termination other than by excluding ALL progs from terminating them - this can lead to real problems. Another reason why PG is a better/safer choice for the uninitiated.
     
  10. Old Monk

    Thanks TopperID

    ...and yes, I do consider myself amongst the 'uninitiated'. Hence my oft quoted reluctance to use SSM on a permanent basis.

    However, cprtech says he puts his firewall executables in a group with those permissions, so does it depend on which firewall?

    I really liked Process Guard and it was robust and pretty easy to use but it just doesn't feel right using an app whose developers are nowhere to be seen. Illogical perhaps I know.

    Just 15 mins again with SSM and it reinforces that this is an app for the 'expert'.

    I don't at all question that cprtech knows what he's doing, but your comments on av's and firewalls go to show that I simply don't :)

    Again, I retire from the arcane world of classical HIPS and into the comforting arms of Online Armor and Prevx!!
     
  11. cprtech

    Indeed, I do put my fw (Outpost) and av (NOD32) executables in there - with no consequences at all. I can still shut them down if I want to by using the "Exit" option on the programs. Yes, those apps do have built-in termination protection but I use SSM to reinforce that protection. BTW, not all fw and av apps have built-in termination protection, so using SSM to protect those apps may not be such a bad idea after all ;)
     
  12. Old Monk

    How come I lose my serial for LnS validation in the scenario I outlined? Seems very odd to me o_O
     
  13. Old Monk

    Well there you go!

    Uninstalled SSM and rebooted. LnS back with validation serial :doubt:

    Bizarre.
     
  14. cprtech

    Having not used L 'n S with SSM, I'm not sure what's up there. It could be a bug either with SSM or L 'n S, or you may have inadvertently blocked a process of L 'n S with SSM to cause that problem. Not sure.
     
  15. Old Monk

    Hey Ho

    Not a problem cprtech. Will report at SSM forums just to log it. One very good thing about SSM is their support. They do seem to try and resolve issues and IMHO don't shy away from issues which is good.

    For me however, much as I like its power, it's still a bit beyond my expertise.

    For such as yourself and others here I congratulate you as I do think in the right hands it represents excellent protection.

    By default therefore, I congratulate also the developers of SSM.

    Just not for me :)
     
  16. cprtech

    Yes, it's a powerful program and I'm not going to bs anyone by claiming I understand it completely. I don't. I just understand it well enough to afford my machine excellent protection, while ensuring I don't cripple it in the process :) There are a few things, mostly minor, that I'm not quite sure about yet, but I'll figure them out eventually.
     
  17. TopperID

    There are certainly consequences, in some circumstances, if you try and protect ZAP in this way; if you want to temporarily exit from ZAP and then start it up again you hit problems!

    That is why some people recommend you don't try this sort of thing with AVs and FWs etc unless you are quite sure. Everything may go OK at first, but that does not mean it will at all times.
     
  18. Old Monk

    Why not check back at SSM forum in about 3 days (weekend here :D ) and see what their response to my log is?

    Thanks for the discussion and to you also TopperID.
     
  19. cprtech

    I don't know why that would happen. It has never happened to me with Outpost and NOD32. I wouldn't mind seeing herbalist's take on this. He has tons of experience and knowledge with SSM. BTW Old Monk, you are welcome :)
     
  20. TopperID

    Will do. ;)

    Sometimes their answers are a little brief though, a bit more detail would help; but I suppose it depends on who responds. :)
     
  21. TopperID

    Wonder no more ;) :-

    https://www.wilderssecurity.com/showpost.php?p=923819&postcount=2

    Actually I don't agree with him about the FW, (in the case of ZAP), from my own personal experience.
     
  22. cprtech

    Thank you for the Topper.

    And from that link...

    Hmmm, that's more like upgrading isn't it? All I can say is that NOD updates virtually daily and only applies signature updates. If there is a new version to install - replacing the executable in the process - then the "Install mode" can be used in SSM or it can simply be closed for the manual upgrade (the way I do it), then the checksum for the executable(s) can be recalculated upon starting the upgraded version.
     
  23. ggf31416

    I think you are confusing "Protect from termination", which only exists in the Pro version, with "Restart process if terminated", which exists in both versions.
     
  24. TopperID

    No, I'm specifically referring to 'Protect from Termination' and 'Protect from Suspending', which are both in the 'Protection' tab.

    'Restart process if terminated' is in the 'Process Control' tab.
     
  25. Rasheed187

    Btw, SSM Pro can act funny sometimes, all of a sudden a couple of child processes could not start anymore because I had to make rules for them, but they used to work just fine without any rules, it must be related to this problem.

    I also noticed that zclient.exe starts up vsmon.exe if it cannot be launched by services.exe, just some things that you can discover while using SSM. And btw, does anyone know why some apps (like Winamp and GOM Player) get launched by svchost.exe (-Embedding) instead of explorer.exe? :rolleyes:
     