System Safety Monitor Learning Thread

Discussion in 'other anti-malware software' started by TheKid7, Jun 18, 2008.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    First, you will probably get an answer if you stop speaking in meaningless and context-free hypotheticals that go in circles and decide to focus in on actual details. How about you provide some specific examples that you are concerned about? You appear concerned about guessing on answers - have you verified that this is the case? Bear in mind that context is governed and informed by your prior usage of the product.

    Second, stay on the thread topic.

    Blue
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Exactly!!!!
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I know already, there won't be any answer to my question in post #18.
    SSM, like any other HIPS and Firewalls with HIPS, is NOT for average users, because they don't have the required background knowledge. You can't learn SSM or handle SSM, unless you have that background knowledge already.
    SSM is unsafe in the hands of an average user, because he doesn't know the right answers and that means that his SSM will be a collection of right and wrong rules.
    There is NO user-friendliness in SSM and if some posters claim there is, then they don't know the true meaning of user-friendliness.
    Average users need something else than gambling with their security.
    SSM is nothing but a software for a very small group of users, like members of Wilders. :)
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    So why ask the question? Are you trying to make some point? If so, at least be upfront about it.
    While I agree in generalities, i.e. users need to understand how to approach this type of software to use it productively, that's the point of this thread. How does one optimally "teach" a product like this to function? It can be done and does not require an advanced degree in Computer Science.
    User friendliness is in the eye of the beholder. I hate to break this to you, but I don't believe that you're the designated arbiter of user friendliness for the planet.
    Sort of like another application that seems near and dear to your heart..., yes? There is nothing wrong with someone finding a path to use and deciding to use it. That's what it is all about. You seem all too focused on the path people choose, not the final result. In other words, you've completely missed the point.

    Now - let's get this thread back on target - SSM configuration/usage.

    Blue
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes do that, the OP will need it and I wish him good luck. Certainly not my choice of safe security.
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    You appear to have a bizarre notion that one size fits all and that if it's not right for you, it's not right for any casual user. Depending on the needs and capabilities of a user, any given approach may work or fail, including your preferred approach. The specific machine implementation is only one piece of a larger picture. Appreciating that requires an understanding of nuance, which seems beyond the scope of your worldview.

    Blue
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I hope to post my screenshots in the next few days on certain particular features in System Safety Monitor that I find in no other HIPS atm. I always like to know also WHEN a driver is being unloaded, and SSM can alert to this along with path/filename. Otherwise, I have to rely on the AutoRuns drivers/services TAB to check and/or manually remove a driver that should have been auto-built into the code where when certain apps close that launch their drivers to work, equally they also remove their drivers.

    As for ErikAlbert, so as not to go too far Off-Topic here since there's already been some detours noted, somewhat like myself perhaps, he seems to be trying the waters of SECURITY PROGRAMS in an effort to maybe wean off temporarily from ISR-boot-to-restore to see "IF" it's at all possible (like I'm testing right now), to rely solely on certain security solutions and in his case, how these methods stack up in relationship to his boot-to-restore methods.

    System Safety Monitor does cover a wide field of prevention techniques, and NO, it's not for an average user IMO, but those who do spend time "Learning" it can benefit, but you absolutely have to accept that IT WILL ALWAYS REQUIRE USER INTERACTION, that's the chief purpose for them to begin with IMHO, for a user to get involved into what exactly is communicating within their own system and with time understand the differences when a "Red Flag" comes up.

    SSM is like any other security program IMO. There is a stretch of releases that seem to do all a user expects from it and sometimes more, and newer versions don't always equate to better, but that's up to the individual user to determine in the end.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Probably correct, but could also be the same for any classic HIPS. I thought that was the reason for the thread, to learn and make correct choices/settings. Being permanently negative of the available security of an application based on user knowledge is actually being obstructive for those who want to learn, by your intervention of un-needed, un-wanted comments.

    I am certainly willing to contribute to the thread, I will start from the initial installation and show how I react to popups from SSM if that would help.

    Learning is good, those that just want to post to thread without reason/off topic, simple, don't post.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Excellent. This is what I'd like to see myself.

    Pete
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    I have been using SSM for a couple of years now. I am by no means an expert. I was reasonably sure when I installed it, that my system was malware free.

    I just put it in learning mode for a few days, and that was it. I still get popups, but that goes with the territory. I basically like the program.

    However, it does throw up the occasional curly one, i.e. see attached screenshot which relates to the Sygate firewall that I have been using for a long time. I had never seen this one before, until a few days ago. I blocked it without any ill effect. BTW, I am hoping for some good contributions from some with more advanced knowledge.....always wanting to learn! :)
     

    Attached Files:

  11. wat0114

    wat0114 Guest

    To the OP or anyone else using SSM for the first time, the "Technical information" shown in Tarnak's ss is achieved by clicking the "Details" button. By default, this information is not shown on alerts.

    Also, if using SSM with a software fw, I would disable the "Network rule" in SSM, simply because I see no point in having two apps alert on network access.

    Also, two of the most important and frequently used right-click functions in SSM are under: Rules->Applications

    Screenshots are attached.

    I'll try to offer more as time permits.
     

    Attached Files:

  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Thanks wat0114, I had that disabled.....I knew it was illogical to have SSM "Network rule" enabled too!
     

    Attached Files:

  13. wat0114

    wat0114 Guest

    Rules->Applications, click on application you want to change the parent/child relationships on, in this case svchost.exe, right-click->Advanced properties->Applications.

    In the Parent and Child columns, the checkboxes can be changed by clicking in them to select "Ask (?)", "Allowed (green checkmark)" or "Blocked (red circle w/line)".

    Hopefully the ss explains the details of this functionality.

    No problem, though it was actually intended to answer an earlier post in this thread regarding Sygate :)
     

    Attached Files:

    Last edited by a moderator: Jun 22, 2008
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    And note that wat has the default parent and child for the group normal as ask, so this is applied as default for all programs inside the groups (you will be alerted).
    As you answer the alerts, the boxes will change to allow or block according to your answer, per application (in the screenshot, services.exe, defrag.exe..).

    Those will be the rules applied. If there are no rules (set to ask), you will be prompted. If there's a rule, allow or block, that is applied.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Wat0114

    This is exactly what I was hoping to see. Anything else you can do in the same manner would be great. Big help to me.

    Thanks,

    Pete
     
  16. wat0114

    wat0114 Guest

    You are welcome Pete. I see a very labor/time-intensive task to post everything I would like to about this product, because there is so much to it that I don't want to leave out anything important. However, I will forge ahead posting a little bit when I can. Probably tonight I can post some more.

    Thank you Pedro because you have reminded me that SSM Pro has the odd propensity of automatically placing checkmarks (Allow) in the Parent & Child boxes for the group name "Normal". I have on several occasions found the need to change them back to "Ask (?)". It seems to be a bug.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi wat

    No doubt it's time intensive. I just want you to know it's very helpful, at least to me. Thanks,

    Pete
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    As promised:

    This is a screenshot pinpointing the very useful feature (IMO) of restarting important or even not so important processes if terminated by any means, crash or forced by another means. I hope to expound more on SSM's features along with pictures to better help clarify exactly where these security features reside and the purpose of their use.

    Be advised however pls, this SSM version is (Full) but stands at 2.3.0612. I preferred this one for the time being.

    More to come, hope it helps.
     

    Attached Files:

    • A.gif
  19. wat0114

    wat0114 Guest

    Now to add a registry rule for a given application, in this example "cmd.exe" will be used:

    Of note, there are 15 (numbered 0-14) built-in default registry object rules for SSM Pro.

    1. Select the application and right-click to bring up the context menu
    2. Select "Advanced Properties"
    3. Select the Registry tab then right-click in the blank window and select "Add rule..."
    4. From this window you can select either a "Registry object" (Group) from the left pane or an individual Registry key from the right pane, then select the corresponding "Add rule" button
    5. Finally, you highlight the new rule, then select the "Access" and "Logging" options from below

    **EDIT**
    I should have called the Registry objects in the left pane Registry groups
     

    Attached Files:

    Last edited by a moderator: Jun 23, 2008
  20. wat0114

    wat0114 Guest

    Now a pictorial example of creating a new Registry Group with a new Hivekey added to it.

    BTW, I'm focusing on the Registry objects first because I'm trying to take a similar approach to the way chess is often taught, from the end game first ;) I believe if someone can master this area of SSM, considered by many to be the most difficult, the rest should be pretty straightforward.

    **EDIT**
    Please swap the first two screenshots around; they are in reverse order
     

    Attached Files:

    Last edited by a moderator: Jun 24, 2008
  21. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Quote. All definitely right. :)
     
  22. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I also have a regular SSM License and I'm a strong supporter too. :) EqSecure not only - as said in a previous post - "places 99% of the configuration load on the user", but sometimes it is too slow in detecting new exe apps, and its alerts in these events are late.
     
  23. Get

    Get Guest

    I'm flabbergasted seeing people having SSM in learning-mode for a few days. Install on a clean PC, put it in learning mode while NOT on the internet and open/close your software. Reboot and disable learning mode. Then answer the occasional popups.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Wooo, all that looks so complicated, how on earth could a regular user who never used it before possibly get a handle on all that, and so the reason for my own transition. It takes boo coo time, plenty of it to learn it.

    It's a solid performer, but even member herbalist brought this up to their support forum staff a long long time ago, apparently in vain.
     
  25. Get

    Get Guest

    @Easter: Is your post in response to mine? I don't think so, because my post wasn't describing a complicated method, but I might be wrong, so please elaborate if that's the case.
     