System Safety Monitor Learning Thread

Discussion in 'other anti-malware software' started by TheKid7, Jun 18, 2008.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I'd like to start a Learning Thread on configuring/using System Safety Monitor (Paid). It seems like such a good program but I need some help with creating a quality guide to help others and myself with tweaks/configuration.

    Thank you.
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    I am not so sure this program is still relevant. It is not actively developed. There are better, more capable, alternatives available; such as EQS, DefenseWall, or Safe n Sec.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    I would disagree with that. I'd be interested in seeing people more advanced than I posting what they do with SSM.

    Pete
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    A- The developer (Vitali) of SSM is very active, and responds quickly to all forum posts, issues, etc at the SSM forum.

    B- The current version of SSM is quite up-to-date & is fully compatible with Vista and XP. Vitali and his helper/tester are currently working on adding a file protector to SSM, and have estimated its readiness for use by the latter days of this summer.

    C- Except for its lack of file protection, SSM is fully the equal of other classical HIPS such as Defense+ & ProSecurity.

    >Comparing SSM to DefenseWall is inapplicable because SSM is a classical HIPS whereas DW is NOT. Rather, DW is a HIPS/sandbox combo.

    >Comparing SSM to EQS requires caveats. Although EQS is a classical HIPS, it offers very little default protection, but instead places 99% of the configuration load on the user. SSM on the other hand is fundamentally configured for effective protection right out of the box, and offers a learning mode for aiding users in further configuring its protection.

    >As to Safe'nSec -- it is a very good classical HIPS; well-configured from the get-go; but it has no forum and its developers respond to support requests verrry slowly or not at all. If you can comprehend its out-dated & convoluted help files -- well & good. Otherwise, you're pretty much on your own.

    D- Besides SSM, other good choices for actively-supported, "mostly classical" HIPS include: OnlineArmor, DriveSentry, & Comodo Firewall Pro's Defense+ module.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE 1- ProSecurity is another great classical HIPS, but its developer (Jei) has been among the missing for several months. Fall in love with this one at your own risk.

    Note 2-If you decide to try CFP's Defense+ (it's free), be careful not to accidentally click on the $39/year "Plus" version. Also, stay VERY alert during install so that you do not inadvertently allow it to install its crappy toolbar.
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    I see that I struck a nerve. Sorry about that. But my point still stands. When was the last update to SSM? It may be capable of protecting a system but my point was that there are others out there that, in my opinion, are better.

    If users really want to learn about what is going on with their system then I suggest EQS. Yes, it may not be as easy to use. And, yes, the default ruleset might not be very tight. But its potential is unmatched.

    I'm not comparing A to B. Both will protect, and that is the bottom line. Which one can do that better is up for debate. Different configurations suit different people. I, for instance, use no resident AV. I also do not like classical HIPS, I find them incredibly restrictive.

    Also, DW is not a sandbox. It is a policy HIPS.
     
    Last edited: Jun 19, 2008
  6. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    The last update to System Safety Monitor was on 1st March 2008. That is good for a classical HIPS IMHO.

    ProSecurity for example was last updated on 29th January 2008. Hence compared to this you can see that SSM is not being abandoned at all.

    Learning Thread Content:

    One of the first things to do with SSM is enable all the modules.

    Then enable the learning mode for a couple of days.

    When learning mode is off, enable the network access tab along with the Windows firewall. This will monitor outbound connections. (Windows firewall monitors inbound connections).

    To be continued... (Maybe Regrun thread info)
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    True. But that was version 2.4.0 beta 621...a beta build. The last stable build was 2.3.0.612 which was released on January 29, 2007.
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Version 621 is in RC status. It is, and has been for some time, THE current stable version of SSM. Vitali has made these facts quite clear in his forum guidance. Further, several users have confirmed these facts. Vitali may be slow to update his version designations, but SSM itself is fully updated -- to wit, version 621.

    The latest SSM version 621 was updated in March, and has been "tweaked" several times since then. In other words, SSM is being actively & vigorously maintained current. Meanwhile, back at the thread...

    A- No nerve has been hit in my case. I own a license for SSM & remain an ardent supporter. However, I have been using D+ for several weeks now, & shall continue to do so until SSM's upgrade, to add file protection, becomes available in late summer.

    B- Maybe it's time that we get ON topic. Original poster asked for guidance to configure SSM, NOT a critique of SSM, and NOT comparisons of the pros/cons of using other HIPS.

    C- Thus far everyone is OFF topic (including me) except dmenace.

    D- I fully agree with dmenace's suggestion to start out by putting SSM in Learning Mode.

    >While in Learning Mode, fully exercise your computer by performing all of your daily routines.

    >SSM has excellent parent-child controls. So it is helpful, while in Learning Mode, to do such things as (a) have your email client access an internet link from within a message and (b) have your word processor activate &/or access another app, such as your browser. These sorts of actions are important factors in effectively *training* SSM.

    > It is important to include updating of all your security apps while SSM is in Learning Mode.

    E- You should turn off SSM's Learning Mode after 2 or 3 days of *training* as explained above. Even so, Learning Mode remains useful for re-activation, at certain times, ever afterward...

    >In effect, "learning mode" is also SSM's "install mode."

    >Before installing a new application or a major update to an existing application, put SSM into Learning Mode.

    >After the installation or upgrade is completed, turn off Learning Mode. When you do so, SSM will automatically delete any useless rules created during the installation.

    >It is also a good idea to use Learning Mode during updates of the OS (Windows Updates).
     
    Last edited: Jun 19, 2008
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Bellgamin is right. BACK ON TOPIC.

    If you think SSM has no useful life left, then just don't bother with this thread. Simple.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As a newbie in SSM
    1. I would search or ask for an import/export function to save all the rules. I'm not going to spend so much time on configuring SSM without having that possibility. I hope the developer was so smart to provide that function.
    Not providing an automatic configuration of SSM during the installation (as an option) was already not so smart of the developer.
    Which user is willing to spend so much time on configuring a software ? Only a very motivated user will do this.
    AE is much smarter, it configures itself automatically during the installation.

    2. Then I would disconnect from the internet first and do what Bellgamin said. Use each non-internet softwares, while SSM is in learning mode. This is very safe because my system partition is clean and working properly and I can do this without being worried and making mistakes.
    After that I would image/archive my system partition to have the possibility of rolling back when something goes wrong in the next step.

    3. Then I would go online and use each internet software, while SSM is in learning mode. After that I would image/archive my system partition again.

    4. Then I would export all the rules to a file in my data partition.

    5. Then I would restore a clean image, install SSM for good and import all the rules in SSM and image/archive again and put SSM out of learning mode.

    Any forgotten rules later can be adjusted in my clean image by using import/export until it is finished.
    Testing and ditching new softwares is not a problem, if necessary I can turn SSM off or rollback to a previous state.
     
    Last edited: Jun 19, 2008
  11. wat0114

    wat0114 Guest

    This is easily possible, at least with the pro version.

    I ran SSM Pro for many months and absolutely loved it as a classical HIPS. However, it really only helped me as a learning aid in how various Windows processes interact with each other. I never once needed it to thwart malware, though I did test it extensively against POC leaktests.

    The only kind of HIPS I run now is what's included in a couple firewall programs I have, Jetico 2 and Outpost, and even then I have that functionality limited, especially in J2. After so long I just kind of grew weary of HIPS. Probably the most difficult part of SSM to figure out is how the registry protection works, otherwise it's not too difficult, especially if the enthusiasm to learn is there.

    TheKid07, maybe just install it, follow the initial advice offered so far in this thread, then ask questions as needed as you go along. I'll help as best I can and maybe even re-install it to freshen my memory.
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    SSM has several pre-configurations when it is installed, and adds others during usage. These are found in SSM's file global.cfg. However, Erik is correct that SSM could do a more thorough job of configuring itself during install -- as (for example) is done by ProSecurity and Online Armor, both of which allow the user to deal quickly with all presently installed applications which s/he considers to be safe.

    Configurations added by the user are recorded in SSM's file ssm.cfg. When using SSM, I always keep a back-up of global.cfg & ssm.cfg. Although I am not presently running SSM, I still have copies of those files so that, when I re-install SSM's next version, I will be able instantly to restore all my settings & tweaks.

    Conceivably, I could give another user a copy of those files & s/he would be instantly set-up equally to my set-up. However, I agree that SSM should have a SPECIFIC import/export button.

    Erik's 2,3,4, &5 are altogether good & logical methods for getting a relatively easy start with SSM. It would be helpful if he would post them on SSM's forum as a suggested addition to SSM's help file. Vitali is very open to suggestions, especially when it comes to augmenting and improving SSM's help file.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is exactly my point. When users have a lot more practical examples, created by an automatic configuration, they will understand SSM faster and then the manual of SSM will become more understandable also.

    Thanks for giving both cfg-files and yes, an import/export function is necessary, because no average user knows these files. AE has also an import/export function on each screen when needed and I use them for the same purpose.
    With import/export you don't only save input time, but you also avoid possible typos and other mistakes.
    It's a general rule in applications : you type info only ONE time and then re-use it over and over again. :)
     
    Last edited: Jun 19, 2008
  14. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Nice thread.
    Using SSM free with Kerio 2.1.5 with free Avira.
    This combo is nice and light and hopefully effective.
    I'm enjoying the SSM. Installed it, set it on learning mode and rebooted and immediately did one shutdown. Just to be safe I did not lock myself out of my PC. Then I set it out of the learning mode and just have been using the popups for its configuring.

    Any advice on adding extra registry entries or is that idea really a good idea?

    12fw.
     
  15. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    I don't have, and don't remember ever seeing, any file named "ssm.cfg".
    Preferences -> Options -> Configs
    > have choice of: "Save as...", "Import" and "Change config file".
    Or is it not specific enough?
     
    Last edited: Jun 20, 2008
  16. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I have used SSM for ages now with no problems. Very good support when needed and it has great functionality.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Irrelevant to the topic. This is supposed to be a thread about learning. It's not turning out that way.

    For example, can someone show how they have manually changed the parent-child relationships?
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I forgot to mention this.
    Everything that happens in step #2 regarding creating rules is not a problem, because my system is clean and whatever SSM asks me to do, I will always make the right decision.

    The problem begins in step #3, when I go online and I wouldn't be so sure anymore to make the right decisions.
    Also my Sygate Personal Firewall asks questions like do you allow this inbound or this outbound ? Do I have to block all inbound and/or outbound without getting in trouble sooner or later ?
    Some of these questions are related to objects, I don't even know.
    I guess SSM will ask me similar or the very same questions. Answering the same question twice isn't really my style.
    So I consider step #3 a lot more "dangerous", because my knowledge is too poor to give the right answers and guessing isn't really my style either.
    The bottom line is : how am I going to do this step in a safe way as an average user ?
     
    Last edited: Jun 21, 2008
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I would just like to add that inside System Safety Monitor lies a feature I wish many other HIPS employed, and not just for preventions against malware attacks. I'm speaking of the "keep this process in memory" feature! This has always been one of my favorites and I tested it against malware that would shutdown say your firewall or AS/AV before they hardened self-protection and it was a joy to have use of this.

    The other benefit if you're a customizer like myself, sometimes third-party windows customs apps like the ones that dress up XP to mimic the looks of Vista are sometimes subject to sudden crash-downs that require a manual restart. SSM's feature eliminates going thru that trouble and auto-starts ANY active processes that might experience this tiny but annoying flaw, so with it you get kind of the best of both worlds, protection when an app is forced down maliciously and also due to unexpected crashes.

    A very welcome feature that as far as I know, SSM instituted first before any others.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Easter

    If you can post how you set up these features. That's where this thread needs to go.

    Pete
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Yeah, I think some screenshots would better indicate these different features too so I'll try to put some together for us. SSM is a Multi-Faceted HIPS and that equates to meaning it's equipped with "MANY" & "SEVERAL" individual features some of which aren't that simple to find even by word descriptions.

    EASTER
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Is EQS better than SSM and do I better spend my time on EQS, than SSM or what ? Both are unuserfriendly, so I better spend my time on the BEST.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    That's up to the individual user to decide I think, but I found EQS "Extremely Versatile" and IMO far more "user-friendly" with respect that once you're acquainted/familiar enough with its RULES SECTION and how they apply to the File, Registry, plus Applications Protections sections, everything else is a piece of cake.

    I have to add however, none of this confidence would be complete without the generous assistance courtesy Alcyon with his tireless effort in fashioning his RuleSets for EQS. IMO, that made all the difference in the world and increased user-friendliness at the same time.

    SSM is no slouch by any stretch, but for me it became too overly complicated in comparison to EQS, plus EQS's gui is much more eye friendly and simpler to locate settings for some including myself.
     
  24. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    PLEASE do not do this Erik. The topic is SSM. If someone wants to debate which HIPS is best, please start a thread & do not hi-jack this one.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't see any answers regarding post #18 either.
     