System Safety Monitor 2.2.0.593 out of beta

Discussion in 'other anti-malware software' started by Chubb, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Monkey see, monkey do. I just now copied Stem's ingenious setting to my unregistered group. Shazam!:thumb:
     
  2. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I have already done that.
     
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Well, here's another one who set those configurations. Didn't think of that.
     
  4. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Here is an observation I made while playing around a little bit with the APT and SPT termination tests: First, upon attempting to launch either process from a command line, I get an SSM alert that parent cmd is trying to launch child APT or SPT, depending on the one I'm attempting to launch. Upon accepting the attempted launch - because I know what both APT and SPT are - I am now presented with a number of "terminate" options and how to launch them. No matter which option I try in either termination program, I am presented - yet again - with another SSM alert. In the case of APT it is: "APT is trying to modify the memory of csrss.exe", while in the case of SPT it is: "cmd.exe is trying to launch spt.exe 636 16 -e". I decided not to allow either of them to proceed because I didn't want to deal with the hassles of the consequences, regardless of how harmless they may or may not be (And yes, I do take Stem's word that csrss.exe is protected from termination).

    Now a question and some thoughts: If, in a hypothetical situation, I had never knowingly installed either of the APT or SPT termination apps and I was presented with those same or similar alerts regarding either one of those termination apps before they were given the opportunity to launch, why on earth would I, or anyone else with average intelligence and HIPS knowledge, allow not only the initial alert, but - heaven forbid - the second and most damning alert as well? I don't know about anyone else using a HIPS, but I know I'm using it because I cherish and value the opportunity to stop a potentially harmful process dead in its tracks before it gets the chance to plague my machine with its destructive mechanisms.

    Now another question: are we not confident in our abilities to recognize suspicious activity, thus allowing it on not only one, but potentially two or more attempts to plague our machines? I do understand that the termination attempts have to be allowed to function in order to see if they are successful at their intended purpose, but shouldn't we also take comfort in knowing that with our abilities and common sense we can actually prevent the attempts from even happening in the first place, because the HIPS is doing its job in alerting us to this fact?

    It seems we are asking HIPS to prevent termination of system-critical processes, but at the same time it seems okay that the person in control of the decisions on the alerts does not have to exercise diligence and common sense in dealing with them.

    Please no one take offense as none is intended. I just wanted to bring up this observation because it seems that some fundamentals can get lost in the shuffle and collective hype of other concerns. Protection against termination of critical processes is valid, I agree, but no one seems to mention that there is very real and even expected potential to stop them from happening in the first place.
     
  5. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    System Safety Monitor 2.2.0.598 was released.

    What's new:
    * Learning mode for a single process tree (a process + all its children) - the app. activity pop-up extended menu for the process creation event;
    * NetStat module.

    What's changed:
    * IP address of System Safety web site won't be added by default to the trusted zone;
    * "Don't verify checksum" option for System rules is now available for editing.

    Bugs fixed:
    * BSOD on startup if the SSM driver startup mode has been manually changed;
    * Dead lock with Spy Sweeper;
    * Registry rules bug (e.g. MS Outlook);
    * Terminated processes detected as hidden (incompatibility with Kerio Firewall);
    * Minor GUI bug - Process Monitor column order;
    * Minor GUI bug - "Resize to content" didn't work;
    * Minor GUI bug - registry value details for REG_MULTI_SZ in the app. activity pop-up;
    * some performance optimization.
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    So now what's the situation with the infamous 3-some (csrss, lsass, smss exe's)? I installed 598 & it looks to me like the inflexibility has been ameliorated (what'd he say?:p ) -- correct?
     
  7. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Can't say I see said amelioration (eh - he said what ! -LOL) in my upgrade of 598.

    What you seeing there Bellgamin ?
     
  8. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Yes, there is a slight 'amelioration' as you can now enable/disable the Hashcheck function for the 3 Musketeers.
    But still no protection tab :(
    Somebody tried to shoot the 3 Musketeers down with this new build?
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There can be a circular discussion on this,....
    I can look at posts concerning how a user of SSM may simply keep clicking "Allow" while installing software, in the belief that SSM will protect "Whatever",.. I can see from this possibility that SSM have put in place rules to protect applications from such events, as you will notice from the "Protection" tab given to the majority of applications; these options allow the user to protect those applications, even if a "termination" event is allowed against that protected application. So from this, I would have thought it would have been correct to give the same type of option/protection to the "system" files.

    I think from a point of safety,.. it would be easier for advice to be given to a user on what applications, such as firewall, AV, or critical system files should be protected,... this then on what could be simple instructions, would make the users system really quite safe,.... but when protection is not available on system applications such as mentioned,.. then advising can become difficult given the need of some programs, such as games, that need to be given rules to remote data control/modification/terminate their own processes/applications.
    I personally would like to see my ability to protect all applications on my system by SSM,... or at the very least, as I have requested on the SSM forum, an explanation as to why they believe fully protecting these applications is unneeded.
     
  10. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Just another new release:

    System Safety Monitor 2.2.0.599 was released.

    What's new:
    * added protection tab for system processes;
    * added item "Check for updates..." to the system tray icon menu.

    Bugs fixed:
    * Incompatibility (BSODs) with several firewalls (e.g. Kerio, Sygate, Avast, Rising Personal Firewall);
    * "SSM driver not found. Please reinstall..." message while logging on under Power User (Limited) account;
    * StartUp Menu module bug;
    * SSMUpdates minor bug.
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    It seems we now have our wish in that the 3 musketeers can now be protected. Have not tried all of the options but LSASS is protected on the APT options I tried.


    Stem

    I would be interested to know if this now answers the faults with SSM?
     
  12. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Now that we have what was wanted, what needs to be checked for the 3 to protect them?:D
     
  13. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Now that's what I am talking about. Finally the musketeers are protectable. Thanks SSM :thumb:
    Let's test it, or Stem, have you already done this?
     
  14. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Can everything under Protection be checked for all 3 ? I want to protect but don't want any problems. Thank you for the help.
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have been out most of the day, so only now got the update alert,... I will download and have a play.
     
  16. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    And with bated breath we await the results :D
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well that is much better. There is now full protection for these applications. (we got there in the end).:thumb:
    I have only (at this moment) checked on "csrss.exe", the protection is available and working.
    I did remove the protection, and terminated csrss.exe, really just to see if any hard-coded rules were present. I was able to terminate,... but that is correct,.... and the good news was that this termination did not corrupt the SSM installation (as it did on my last testing of the termination of csrss.exe).

    I have noted that once the protection for csrss.exe is changed from the default "ask", there is then only the option to "allow" the protection or "deny" the protection,.. I am unable to set this back to "ask",... can this be confirmed?
     
  18. KikiBibi

    KikiBibi Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    173
    Hi Stem,

    Yup only allow or deny is present.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi KikiBibi,
    Thanks for confirmation,... now I wonder why they have done that,... or a possible bug?
     
  20. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Actually, I don't see the "ask" option for any of the System processes. Nor do I see that option in the "Normal" and my custom-made "Secured" groups. Only "allow" or "deny" are available, and I can't remember if I have ever seen the "ask" option for protection against "termination", "suspending", "remote code control" or "remote data modification". Is this what you are referring to, Stem?
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi cprtech,
    Yes,.. if you check, let's say on the protection of your firewall, and click through the protection, say for termination, you will get 3 options: a green tick (to allow/give protection), a red circle with a line through (block/stop protection) and a grey circle with a line through (ask).
    Pic attached to show different options (only for example) selected for protection on my firewall:
     
  22. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Hello Stem,

    you mean the grey circle with the line through it is an "Ask" symbol? I have always been under the impression that the (?) is the "Ask" symbol o_O Am I interpreting this incorrectly? :oops: I have to admit, I am confused as to why the symbol goes from grey to red the first time it is changed.

    *EDIT*

    Now I do see that other than the "three musketeers" the other "System" processes can be set back to the grey circle with line through it, even after applying an "Allowed' setting to them. This does look like a bug.
     
    Last edited: Nov 21, 2006
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi cprtech,

    In the earlier builds of SSM, the "?" was not actually "ask", it was whatever the default action was. I would need to install an earlier build so I can show this, as explanation is a little difficult.

    But basically, if you select one of the groups, let's say "normal", you can set up a default action, and then the "?" or, in these later builds, the "grey circle with line", would default to this action. But further changes now don't give an option to set the default to "ask". SSM keep changing and moving these options, without any "change log" to show this, and it does become a bit of a maze to try and find what option does what at times.
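    As an added illustration (not SSM's code, and not from anyone in this thread), the model below shows the rule precedence Stem describes: an explicit per-process setting wins, a "?" (or grey circle) entry inherits the group's default action, and one change to the group default therefore moves every inherited entry at once. The state names (PROTECT, OFF, ASK, INHERIT), the class names, the "unknown process falls back to ask" rule and the sample processes are assumptions chosen for the example; the four protection events are the ones cprtech lists above.

```python
"""Toy model of a HIPS per-process protection table with a group default.

Added illustration only: not System Safety Monitor's code. The state names
map onto the icons Stem describes (green tick = protection on, red circle =
protection off, grey circle = ask) plus the older builds' "?" state, which
meant "use the group's default action".
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PROTECT = "protect"   # green tick: the event against this process is blocked
    OFF = "off"           # red circle: the event is permitted, no alert
    ASK = "ask"           # grey circle: prompt the user on each attempt
    INHERIT = "inherit"   # "?" in older builds: fall back to the group default


# The four protection events named in the thread.
PROTECTIONS = ("terminate", "suspend", "remote_code_control", "remote_data_modification")


@dataclass
class Group:
    name: str
    default: Action = Action.ASK   # a group default is always a concrete action


@dataclass
class ProcessRule:
    image: str
    group: str
    # protection event -> Action; anything missing is treated as INHERIT
    protections: dict = field(default_factory=dict)


class Policy:
    def __init__(self) -> None:
        self.groups: dict = {}
        self.rules: dict = {}

    def add_group(self, name: str, default: Action = Action.ASK) -> None:
        if default is Action.INHERIT:
            raise ValueError("a group default must be a concrete action")
        self.groups[name] = Group(name, default)

    def add_rule(self, image: str, group: str, **protections: Action) -> None:
        if group not in self.groups:
            raise KeyError(f"unknown group {group!r}")
        unknown = set(protections) - set(PROTECTIONS)
        if unknown:
            raise KeyError(f"unknown protection(s): {sorted(unknown)}")
        self.rules[image.lower()] = ProcessRule(image.lower(), group, dict(protections))

    def set_group_default(self, group: str, default: Action) -> None:
        if default is Action.INHERIT:
            raise ValueError("a group default must be a concrete action")
        self.groups[group].default = default

    def resolve(self, image: str, protection: str) -> Action:
        """Effective action for one event against one process.

        Precedence: explicit per-process setting > group default > ASK for a
        process with no rule at all (that last fallback is an assumption).
        """
        rule = self.rules.get(image.lower())
        if rule is None:
            return Action.ASK
        action = rule.protections.get(protection, Action.INHERIT)
        if action is Action.INHERIT:
            action = self.groups[rule.group].default
        return action

    def silently_unprotected(self, images) -> list:
        """(image, event) pairs that would succeed with no prompt at all: the
        thing to audit after clicking through a run of alerts."""
        return [(img, p) for img in images for p in PROTECTIONS
                if self.resolve(img, p) is Action.OFF]


def build_example_policy() -> Policy:
    """Constructed sample: a 'system' group whose three core processes are
    left at '?', and a firewall whose termination protection was switched off."""
    pol = Policy()
    pol.add_group("system", Action.ASK)
    pol.add_group("secured", Action.PROTECT)
    for img in ("csrss.exe", "lsass.exe", "smss.exe"):
        pol.add_rule(img, "system")                        # every event INHERITs
    pol.add_rule("firewall.exe", "secured", terminate=Action.OFF)
    return pol


if __name__ == "__main__":
    pol = build_example_policy()
    print(pol.resolve("csrss.exe", "terminate"))           # Action.ASK (group default)
    pol.set_group_default("system", Action.PROTECT)        # one change covers all '?' entries
    print(pol.resolve("csrss.exe", "terminate"))           # Action.PROTECT
    print(pol.resolve("firewall.exe", "terminate"))        # Action.OFF (explicit setting wins)
    print(pol.silently_unprotected(["csrss.exe", "lsass.exe", "smss.exe", "firewall.exe"]))
```

    The `silently_unprotected` audit is the defender's reason to care about the missing "ask" state: once an entry can only be "allow" or "deny", a protection that was switched off during an install leaves no prompt behind to remind you, so it has to be found by reviewing the table rather than waiting for an alert.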
     
  24. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Okay, thanks Stem. According to the latest Help file, it would seem the (?) is an "Ask user" option, but I will admit it is not as clear as it could be. However, based on the number of pop-ups I get, SSM does not seem to miss anything that attempts to launch first time and that I am asked when I'm expecting it.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi cprtech,
    It would depend on what action is being set, as in the help files we can see different explanation for "?". ("?" now appears to default to ask, as in this case the drop down menus have now been removed)
     