System Safety Monitor 2.2.0.593 out of beta

Discussion in 'other anti-malware software' started by Chubb, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes,.. my own database of DLLs is quite large now,.... it's nice to know what's loading,...... or if a question is posted concerning a DLL.

    I know nothing definite,.. I am not in contact with SSM as I once was, with the beta bugs/conflict reports as I once made,... but looking at some of the recent releases,... these reports I made may need to start again.
    I know dll loading/control was to be added to SSM,... but when,...
     
  2. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    OK, I also disabled 'Process attack' in Jetico because SSM seems to catch the same and more.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
  4. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
  5. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Just checking the configuration/rules of some applications in SSM Beta.
    I see that in almost all advanced application rules all the child and parent are set to yes. That wasn't this way in 2.1. Any ideas, or is that a bug?
     
  6. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    I seem to remember seeing that in the last few betas and being perplexed as to why that would be. One of the first things I do is load the config file from the last version, so most of those allowed checkmarks turn to question marks. Maybe it is a bug but can't be sure. I never used the 2.1 ver long enough to remember what the default settings are.
     
  7. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Seems that the developer of SSM likes to prevent a lot of popups in the default configuration. Anyway, it was easy to change; just modified the group rules and that's it. Had to start over but doesn't matter :)
     
  8. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Yes, the developers seem to be very cautious this way - maybe overly cautious :)
     
  9. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    System Safety Monitor 2.2.0.596 Beta was released.

    What's new:
    * kernel level proactive blocking of all system calls for rootkit threads masquerading under system threads (phide_ex worker thread);
    * added applications option "Silent checksum update for digitally signed files";
    * minor improvements in rootkit detector.

    Bugs fixed:
    * rootkit detection engine BSOD with phide_ex test rootkit;
    * not working checksum rules for libraries and drivers;
    * several "access violation" bugs;
    * minor GUI issues.
     
  10. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    System Safety Monitor, version 2.2.0

    Build 597

    What's new:
    * kernel level proactive blocking of all system calls for rootkit threads masquerading under system threads (phide_ex);
    * added applications option "Silent checksum update for digitally signed files";
    * display format of version info in the tray icon tooltip;
    * added "WinEvents Hooks" list to the module "Hooks";
    * new application rule concept: application groups;
    * added new module: Windows Hooks;
    * added hidden process (rootkit) detection (eg. FU, FUTo, phide_ex etc.);
    * added support for Windows XP Fast User Switching;
    * added version info to the tray icon tooltip;
    * added PID to the App Activity dialog for both Parent and Child processes;
    * added new registry objects to the default registry rules;
    * Process termination protection extended to cover several new termination methods;
    * added tree-view in process monitor;
    * added new item - "reset to default view" to the context menu of Process Monitor and Rules list;
    * added tooltip window for CPU Graph;
    * added Basic Network Firewall (BNF) module - outbound connections only;
    * added installation mode in the application activity dialog - to reduce the number of pop-ups during installations.

    What's changed:
    * "Locate" command (Application Activity dialogs, Process Monitor and Rules tab) now uses the default system shell.

    Bugs fixed:
    * multiple minor GUI bugs and memory leaks.
     
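The "Silent checksum update for digitally signed files" option in the changelog above, and the checksum rules for the three system processes discussed further down, are easier to reason about with the decision logic spelled out. The following Python is an added example written for this page; it is not SSM's code, and SSM's real rule storage, hashing and signature check are not described on the page. The `publisher` attribute is a constructed stand-in for a real Authenticode verification, and the paths and byte strings are constructed.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Toy model of HIPS checksum rules plus the "silent checksum update for
# digitally signed files" option. Assumptions: the rule format and hash
# function are made up for the example; `publisher` is a constructed
# attribute standing in for a real signature check (WinVerifyTrust), which
# is out of scope here.


class ChecksumRules:
    def __init__(self, silent_update_signed: bool) -> None:
        self.silent_update_signed = silent_update_signed
        # path -> (sha256 hex, publisher recorded when the rule was learned)
        self.baseline: Dict[str, Tuple[str, Optional[str]]] = {}

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def learn(self, path: str, data: bytes, publisher: Optional[str]) -> None:
        """Record a rule the way a first 'allow' answer in a pop-up would."""
        self.baseline[path] = (self.digest(data), publisher)

    def evaluate(self, path: str, data: bytes, publisher: Optional[str]) -> str:
        """Decide what the HIPS does when `path` is about to run.

        Returns one of:
          'allow'   - checksum matches the stored rule
          'updated' - checksum changed, file is signed by the same publisher
                      as the stored rule and the option is on: rule refreshed
                      without a pop-up
          'prompt'  - anything else: unknown file, changed unsigned file, or a
                      signer that differs from the one recorded
        """
        current = self.digest(data)
        rule = self.baseline.get(path)
        if rule is None:
            return "prompt"
        known_hash, known_publisher = rule
        if current == known_hash:
            return "allow"
        if (self.silent_update_signed and publisher is not None
                and publisher == known_publisher):
            self.baseline[path] = (current, publisher)
            return "updated"
        return "prompt"


def demo() -> Dict[str, str]:
    """Constructed scenario: several launches of one path after a baseline."""
    rules = ChecksumRules(silent_update_signed=True)
    path = r"C:\Program Files\Example\app.exe"  # constructed path
    original = b"MZ\x90\x00 original binary v1"  # constructed file content
    rules.learn(path, original, publisher="Example Corp")

    results = {}
    # 1. Unchanged file: no pop-up.
    results["unchanged"] = rules.evaluate(path, original, "Example Corp")
    # 2. Vendor update, same signer: rule refreshed without a pop-up.
    results["signed_update"] = rules.evaluate(path, b"MZ\x90\x00 v2 signed", "Example Corp")
    # 3. Replaced by an unsigned binary: prompt, the checksum no longer matches.
    results["unsigned_replacement"] = rules.evaluate(path, b"MZ\x90\x00 tampered", None)
    # 4. Signed, but by a different publisher than the rule recorded: still prompt.
    results["other_signer"] = rules.evaluate(path, b"MZ\x90\x00 other", "Someone Else")
    # 5. Never-seen file: prompt, like any new application.
    results["unknown"] = rules.evaluate(r"C:\Temp\new.exe", b"MZ new", "Example Corp")
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22s} -> {decision}")
```

The design choice worth noting is that the silent refresh only happens when the signer matches the publisher recorded with the rule. A version that refreshed on "any valid signature" would accept a differently signed replacement of the same path without ever prompting, which is exactly the situation a checksum rule exists to catch.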
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This version: 2.2.0.597 is a "full release"
     
  12. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Up and running with complete new config file.
    I see the 3 musketeers now have checksum activated as default (not changeable).
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have not had a chance to install this latest build yet,.... but if checksum is now available, then at least it is a step in the right direction. Have you tried any "Kill" attempts against any of the "3"? (But be careful; the last time I killed off "csrss.exe" the SSM installation became corrupt.)
     
  14. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Not yet, but I will load Mr. Smith & Wesson as soon as my stomach has got something to do.
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Can still kill off LSASS.exe, haven't tried the others. Gives a warning but if you go through it, it shuts down on a countdown. Seems there is still no protection enabled for any of them, even greyed out.
     
  16. Roger_

    Roger_ Registered Member

    Joined:
    May 7, 2006
    Posts:
    89
    Location:
    Portugal
    As you have mentioned a countdown, do you mean that it is just a warning with no available option to cancel the killing?
     
  17. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    There are still no "Protect from termination" entries for the three processes. May I ask what you used to terminate lsass.exe? When I tried using the kill function in Process Explorer, I got: "Error opening process: Access is denied" and was unable to terminate it.
     
  18. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I used APT which you can get here or there is SPT here.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    LSASS.exe will give a shutdown warning (countdown) when killed (csrss.exe, when killed, just terminates the Windows session: hard restart).

    So it looks like no protection yet on these "3",..... I am not a "Happy chappy",.. I will re-post at SSM forum (well, I will add to my original post at their forum on this).
     
  20. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
  21. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I wondered about the others but after your warning about "csrss.exe" I thought I would leave it at LSASS.

    Perhaps if we keep posting on SSM forum they may take the hint.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I personally think this is needed,... I am going to install the latest build now, and then "Kill" csrss.exe (please don't do this,... I have full backups of my BIOS/system etc.,.. and can fully recover from such hard resets without problems to my system). As I said, the last time I did this it,.. well,.. it made a mess of my system,..... I will report back ASAP.
     
    Last edited: Nov 11, 2006
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The good news is that "csrss.exe" is now protected from termination. But as "djg05" mentioned "lsass.exe" is still unprotected from termination,..... and "smss.exe" can also still be killed.
     
  24. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Did you try all the APT kills? Since I had a fresh image I thought I would try it out on csrss. First few OK but kill 4 or 5, forget which, brought out several warnings about "Interprocess Activity". Going through all those, APT said unsuccessful but the app froze. I had an explorer window running and that was OK but nothing else could load and the task bar was out. Took a reset to get it going again and, taking heed of your warnings, reverted to my image to be safe.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For protection against kill methods such as Kill5 (Terminate thread), I changed the setting for the "unregistered group" within SSM, changing the settings of "code/dll" injection to block.
    But yes, I suppose it is a problem, if you allow APT to become a member of the "Normal group" as then you would be prompted to allow or not.
    You could post at SSM forum and ask why this protection against "code/dll injection" is missing from csrss.exe, and why the other "2" are still not protected.
     