System Safety Monitor Free- Is the free version strong enough?

Discussion in 'other anti-malware software' started by duke1959, Mar 18, 2007.

Thread Status:
Not open for further replies.
  1. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Reading a thread on ProcessGuard Free, (and now copying the title of it. LOL) I do seriously wonder the same thing about SSM Free? I have it on board in learning mode and actually like the GUI better than Prosecurity Free. I have Comodo Pro Firewall, AVG Pro AV and am currently using Cyberhawk while SSM Free is in learning mode. I also read the thread SSM Free-real life experiences, and saw some conflicting opinions which makes me wonder if SSM Free is strong enough.
     
    Last edited: Mar 18, 2007
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    SSM-free protects against data injection, process modification and physical memory violation and global hooking. This is by far a broader protection than any other classic HIPS. You can even configure your registry protection, see
    https://www.wilderssecurity.com/showthread.php?t=168928

    I have an SSM-full license, but I use SSM-free because it is faster. True, SSM full offers better registry protection, low level disk access protection and some additional protection against rootkits. Because I run DefenseWall paid also I am not worried about rootkits and keyloggers.

    Regards K
     
  3. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Hello everyone, I have a question, but first. I have left SSM Free in learning mode for a few days, opened as many programs as I could, and rebooted twice. I had the AVG ISS and Cyberhawk installed during this time, but have now uninstalled Cyberhawk, and I'm sure I have a clean system from running various scans over the last few weeks with AVG, and SuperAntiSpyware. Now for my question. If I don't want to attempt any configuration of my own with SSM Free, will it be ok now for RealTime Protection?
     
  4. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I ran SSM free after booting and spending some time opening the programs I most used. Then I took it out of learning mode and felt perfectly safe. I know there are other things I could set rules for, but I never bothered. I think after letting SSM learn for a few days, you're well covered.
     
  5. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks Chuck57. Also what firewall do you use? I'm behind a router firewall and use the AVG FW that's part of my Internet Security Suite, but was thinking of using Comodo Pro, or the latest version of ZA Free if it turns out to be safe to use. The AVG FW is basic and maybe that's all I need with SSM Free on board, but I think you'll understand when I say I like more features in my software.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I hope u don't install/uninstall software in learning mode and also don't make permanent rules for prompts which u get during various software installations.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Duke, Chuck

    When you install and uninstall only use allow once, rest will be fine. When you want additional registry protection (all Toni Klein's startup protection plus some more cherry picked from Regdefend, RegRun and SSM pro) have a look at the post I included earlier. First start using with the log/ask option. Browse your SSM free log and change them to block when no messages are in the log.

    Regards K
     
  8. jawadde

    jawadde Registered Member

    Joined:
    Mar 7, 2007
    Posts:
    18
    Can I use this program if I have only 285 RAM?
    Or should I use another HIPS program in my case...
     
  9. herbalist

    herbalist Guest

    SSM free is a very light load, much lighter than most resident AVs. I have it installed on several units with less RAM than that. It even runs well on a Win98 box with 64MB RAM.
    Without actually seeing your ruleset, it's difficult to give a good answer. Learning mode allows most anything. This can be a problem in certain situations. An example would be finding a malicious website that drops a trojan while in learning mode. Before you shut down the learning mode, scan your system with one of the online AVs, just to be sure nothing malicious is running.

    Don't be surprised if you do get some prompts after you shut down learning mode. It's easy to overlook some applications or system processes. Office suites and CD/DVD burning software are a couple of examples. Many use separate executables for different tasks. A CD burner may use different executables for data and music CDs or for ripping. AVs are another example. Many use multiple executables for different tasks. The updater is often a separate process. Try to make sure you use all the functions/features of the apps you use before shutting down the learning mode. Don't forget about scheduled maintenance tasks.

    How well SSM defends your system will depend on several things, including your settings. When you shut down the learning mode, will you be using the "block process creation" or the "block everything (paranoiac setting)"? The "block process creation" setting will prevent any new processes or applications from running. The paranoiac setting gives you more control over the behavior of allowed processes and does a better job at preventing the malicious use of legitimate processes. How much real time protection is "OK" depends on your usage habits and how much control you want over your system. It will also depend on whether you run SSM with the UI (user interface) connected and how you answer prompts. With the UI disconnected, you won't be prompted when a malicious process (or a previously unused legitimate process) tries to start. It's just blocked. Regardless of whether you used the learning mode or created all your rules manually, SSM will prevent unknown processes from running, as long as you don't specifically allow one to run by clicking "allow" on an alert. The learning mode does a pretty good job. The default module settings aren't too bad either. You can either use the ruleset as is or edit them later as you learn the details.
    Rick
     
  10. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks herbalist. (Rick) I truly like this program and it does run very light. Should I be concerned about A Third Party Firewall? I like Comodo Pro, but not sure it's overkill with having a router firewall and SSM Free on board.
     
  11. herbalist

    herbalist Guest

    I'd still run a separate firewall. A software firewall will give you more detailed control over incoming traffic than a router, plus letting you control outgoing traffic. When used with SSM, the extra functions found in many firewalls aren't that important as they duplicate coverage that SSM provides. A rule based firewall like Kerio 2.1.5 is an excellent complement to SSM, as long as you're comfortable working with firewall rules. If not, there's other choices. Pick one that gives you good control over traffic in both directions that you're comfortable with.

    Add some content control for your web applications like NoScript or Proxomitron and you'll have a strong core security setup that will resist most attacks.
    Rick
     
  12. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks again sir.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    In my opinion SSM free needs to be upgraded, because I noticed that it could not stop certain child processes from being launched, so no it's not strong enough, but then again there will always be flaws in apps. If you're concerned about stopping process execution, I would look elsewhere. :rolleyes:
     
    Last edited: Mar 21, 2007
  14. herbalist

    herbalist Guest

    The only instances of that I've run into involve DOS commands. SSM doesn't deal well with DOS. Not a problem if you limit access to the command prompt or block command.com when the UI is disconnected.
    Rick
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Any examples?
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    What a bummer, there is an app that bypasses both SSM Free and Pro, this really should not be possible! I've tested it with Neoava, EQSecure and ProSecurity and they didn't have any problems. Keep in mind that I don't know if this app is malware or not, so don't execute on your real system. :shifty:

    http://www.syssafety.com/forum/viewtopic.php?t=891
     
  17. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    aigle, why is Cyberhawk crossed off in your sigs?
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Current version causing false keylogger alarms, though not a big concern ATM as they promised to fix.
    Main reason is that out of all my security appliances (Antivir, SSM, GW and Comodo) all are lightweight on my PC and no slow down. I felt CH causing a lot of CPU spikes on launch and termination of every application on my OS, also a lot of I/O reads etc and there is a slow down on my system, so I removed it. I really like, may be I will install previous version or wait for some better version.
     
  19. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks aigle, I'm not sure I ever noticed any slowdown with CH, but I can understand why it may be possible because of the way it scans in RT.
     
  20. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Actually, SSM (2.4.0.614 beta) crashes when arpr.exe executes. SSM is not able to alert. Arpr.exe also crashes Sysinternal's Process Monitor (1.10). The file is a cracked version of Elcomsoft's Advanced RAR Password Recovery.

    Nick
     


  21. EASTER.2010

    EASTER.2010 Guest

    NxFsMon.sys
    NxKbMon.sys
    NxNetMon.sys
    NxSysMon.sys


    Having "4" drivers running all the time from CYBERHAWK may prove a bit too much? Perhaps responsible for some of the false positives? Whatta ya think? I'm only speculating ATM but other HIPS, in fact most others, load only a single driver or two don't they? And a process? Maybe 2?

    It runs OK on my machine for now (latest version) but still is in the back of my mind that couldn't the drivers be reduced and still perform? I know it takes time to balance these type apps and i expect it will improve but you can also see every HIPS developer uses a different style of compiling their crafts but most users do prefer minimum intrusive impact on system performance. Just a thought.
     
  22. herbalist

    herbalist Guest

    That's an odd one. SSM blocked it fine when I clicked "deny". When I allowed it, the file behaved normally. Apparently, the file behaves differently on my 98 box than it does on XP.

    Easter,
    You still have a 98 box. Could you give that file a try with SSM? I'd like to see what results another SSM user with 98 gets.
    TIA
    Rick
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That looks insane, four drivers for one application. I never noticed it.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi herbalist, I don't use DOS commands on XP but I guess some of the software must be using command prompts. I am curious what type of functionality I am going to lose if I disable cmd.exe in SSM.
     
  25. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Can you give a specific example?
     