System Safety Monitor - Questions

Discussion in 'other anti-malware software' started by ErikAlbert, May 20, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I installed System Safety Monitor Free v2.0.8.584 out-of-the-box on my computer in Learn Mode.
    So what NOW? Is that enough, or do I have to do something more in this very user-unfriendly software?
    I belong to the housewife user group, except for a few minor body differences.

    Let's start with the "Application Rules". A lot of light green, a lot of green and a lot of "yellow", and all my applications are legitimate.
    So why aren't they all green or yellow, and why are some green already? That's illogical to me.
    And what do I have to do to change yellow into green?
    Good grief, and this is just the beginning. Pffft.
     
  2. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    When I install a fresh copy of SSM, I put it into learning mode, then go through and do all the things I normally do on my computer. I'll do a couple of restarts and let the system run for a while. Then I take it out of learning mode and I don't get bombarded with pop-ups. You can also disconnect the UI if you like, so your SSM config can't be changed and anything that's not specified in your rules won't be allowed.

    EDIT: You may also want to tick the "start automatically" box if you haven't already done so.
     
    Last edited: May 20, 2007
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I have no doubt that SSM is excellent software. But my feelings are the same as your first impressions. It appears to be software that has a much bigger than average learning curve, and you need to spend a fair amount of time with it to get the most out of it. If you don't, how can one be sure everything is OK? (This is the same basic impression I have of the Kerio 2.x firewall. Good stuff, but to run it, you need to spend several hours learning how to use it.)

    Thus the reason I went with MJ Registry Watcher over free SSM. If you have a basic understanding of the registry and file structure of a PC, you'll understand how it works in just a few minutes. (Note that I'm NOT saying that Registry Watcher provides the same type or level of protection that SSM does. Also note that Registry Watcher has gone shareware only in the last couple of weeks.)
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Something like SSM is a really great tool for knowing what wants to run in your system, Erik. Unfortunately it is not so nice, since if you don't know how to run it, it can cause nothing but problems. I am satisfied with ProcessGuard free. And I use Process Explorer from the former Sysinternals, now Microsoft-owned.
    Learning mode, I think, offers absolutely no protection, but at least you get to know what is running on your system, SSM logs and all.

    What I recommend is a sandbox-type solution, even though Sandboxie deleted your hard drive, which is still a mystery and no one else but you experienced it.

    HIPS is a bother to run for sure, and I am always disabling PG when MS patches are installed for XP or some program update for AntiVir needs to be installed,
    to be sure that PG is not causing problems for trusted installs.

    I cannot comment much on other things, since many here trust SSM so much, but it is a classical HIPS, same as PG, and without the knowledge to deny bad things starting, it is of no use for security prevention and, as told, can cause problems.

    EDIT
    I strongly disagree that Kerio 2.1.5 is a difficult firewall. Sure, it needs many hours to learn to make rules safe, and hours also spent tweaking rules, but it is an easy one, and once it is done, it is just there running and you never know it is there. I run Comodo now and it is much more of a bother, same as SSM. But I can live with it.
     
    Last edited: May 20, 2007
  5. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    LOL, I know this feeling. I will try and answer some of your questions, but keep in mind I am NO expert either in computers or in this program, so some kind person may have to bail me out at some point :)

    OK, this has relevance to the next question.
    Because you are in learning mode, SSM has accepted that your system is clean and that all running apps are legitimate and anything they try to do is legitimate. As you execute stuff, SSM is busy creating rules based on what you are allowing processes and applications to do. Learning mode is no good on anything but a clean system: if you had a nasty on your machine with SSM in learning mode, SSM would assume this nasty was a legitimate program and create allowing rules for whatever it was doing at the time.
    So with regard to the colours: simple allowing rules are in green, i.e. one process acting on another process or carrying out one task. Where one process acts with multiple other processes or conducts multiple tasks, the rule becomes advanced and changes colour to yellow. At least this is my understanding.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,052
    Erik

    First of all, if you really want to evaluate SSM, I'd use the paid version. The free version is watered down by comparison. If you download the trial version, let me know. I'll do a clean SSM install and then send you the config file. After that I just run it about 2 or 3 days in learning mode and then turn off learning mode.

    This may not be using its full power, but it sure will catch anything new that tries to run. Same for installing new software: I turn on learning mode, then exit SSM. Do the install and reboot. Then run the program once, and turn off learning mode.

    Pete
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Hi guys,
    Before you start praising SSM into heaven, try to teach me how it works. Until now I praise SSM into hell, until I know how it works. I don't need all that glamour.

    These are the very easy rules :rolleyes: for EACH application. Read them and ask yourself how a housewife would look at these rules without staring at them forever. I count 15 rules.
    And please don't call SSM user-friendly anymore, because it is NOT.

    Logging: 4 rules (?) Maybe these are actions. I dunno.
    1. Starting application
    2. Blocking the application
    3. Application has been closed
    4. Interprocess activity

    System Control: 4 rules
    1. Allow physical memory access
    2. Allow process suspending and termination
    3. Allow driver installation
    4. Allow shutdown system

    Code/DLL Injection: 3 rules
    1. Allow global hooks
    2. Allow remote code control
    3. Allow remote data modification

    Process Creation Control: 4 rules
    1. Keep this process in memory
    2. Allow this process to execute any unclassified program
    3. Don't check MD5
    4. Block for disconnected UI

    Do you really understand ALL these rules?
    Any standard settings for trusted applications?
     
    Last edited: May 20, 2007
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ErikAlbert,

    Let's make a deal. I will set up your SSM Free for free, and you will give your license of Anti-Executable to the first poster after me. By the way, in the Netherlands (just over the border north of Belgium), it is common that men also do their share in the household. I, for instance, always cook dinner (because my wife faces more traffic jams). Does this qualify me also (as a house-man, that is)?

    Regards K
     
  9. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: If you adopt SSM, you would have to use it outside of frozen mode, otherwise everything learned will be lost upon rebooting. That is the very reason I chose Prevx over SSM (or ProSecurity etc.). Prevx's community database will not be affected by use of the frozen state, because it is outside my box. But don't get me wrong here, SSM is a very strong and lethal app; it will touch and kill right before your naked eyes. Just you have to overhaul the entire lineup. Is it worth it?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    If you read the 7-step tutorial in the help file, it will be a lot easier for you. It's better not to enable modules at the moment.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Never heard of re-freezing? That's how you update SSM settings in frozen mode.
    I ditched Prevx because it doesn't fit in a frozen snapshot, too many updates.
    SSM needs only program upgrades, and that's why it fits in a frozen snapshot. :)

    Because I don't get any straight answers, I assume that many SSM users don't fully understand SSM either. No problem, but it will be a much longer learning curve for me.
     
  12. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    Erik,

    Since you have an "offline" and "online" FD-ISR SS, I would D/L the Full Trial Version (like Pete suggested) and run it in the offline SS, not in learning mode. "Answer" all the pop-ups. This will give you a basic idea of what instances want access to what. When/if you want to install an app, SSM has an "Install Mode" that comes in the pop-up box (drop-down arrow); use this rather than turning on learning mode. If you get tired of answering pop-ups, just shut down SSM. When you first install it, do turn on learning mode and "start automatically", and reboot once or twice. This will teach SSM to allow the boot process. Then turn off learning mode and proceed. This will create a tighter rule-set than using learning mode.

    It's not a user-friendly app by any stretch of the imagination, but it's well worth using. If SSM pops up for no reason while you're on the box, you can always Google the instance, or just deny and not click "make rule permanent".
    After you've done all that you do on the box, you can turn off the UI. This will automatically deny anything from changing.

    hth,

    ...screamer
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    HIPS programs were NOT designed with user-friendliness in mind. No matter how much a developer may try to make it so, the very nature of this kind of program almost always means a trade-off between ease of use and power: make it easier for the newbies, and it equates to a loss of power over control of your system. It may very well be possible for a vendor to eventually accomplish this magic goal, but none exist so far, IIRC.

    More or less, what you need isn't a set of sure-fire instructions on how to use SSM, or any HIPS in general, because there isn't one. What you need to do is learn more about process API activity in general, get acquainted with the structure of the Windows registry and file hierarchy, and identify how you use your PC and what kind of programs you have in general. Using HIPS programs will come naturally then. Until then, asking other people how to use SSM and what rules to set is pretty much meaningless, because many times the only person who can properly answer those questions is you.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Erik, it can be quite easy. For SSM Free, I will give very simple tips.

    1- Install SSM, reboot your PC. SSM will not start automatically with Windows by default. Start it from the Start menu (it starts in learning mode by default, I think; if not, put it in learning mode).
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    2- Select the following in Options (except for Splash screen, that's up to you).
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    3- Right-click any process in the Process Monitor tab and select Trust All.
     

    [Attached screenshot: ss.jpg]
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    4- Make sure that SSM is still in learning mode and reboot your PC twice.

    5- After that, do what you most often do on your PC, like open your browsers, e-mail software, Office documents, Control Panel, etc., but don't connect to the internet and don't use any media (CDs, USB) that might be infected.

    Continue learning mode from a few minutes to a few hours or even a few days if you like. Now disable learning mode and you will get very few pop-ups.

    Please don't do all this in a frozen snapshot. Also, don't enable modules at the moment, to avoid confusion. SSM Pro should work the same.

    BTW, PS Free and Pro have an option to make rules automatically during install, and PS Free might be easier for you.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    BTW, if you still have trouble, ask some other users, not me.:D :D
     
  19. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    OK, I have a question here, which I may already know the answer to but would rather not assume. When you take SSM out of learning mode it invariably throws a warning dialogue which says something like "There are rules for non-existent processes. Do you want to keep them? Yes or No." What is the correct answer, if any, and what are the implications of choosing the wrong option?
     
  20. EASTER.2010

    EASTER.2010 Guest

    I was one of its beta testers before its first release and eventually stopped at a different version, which suited my PC's needs better than always the latest updates, because frankly it more than serves its purpose very well with no bugs or issues of serious concern. (Full Version Only)
    I see prompts only occasionally since configuring it to my demands, and then only when installing programs, so SSM is second nature for me and a very routine security HIPS now.
    All my FD-ISR snaps are covered with it, and sometimes Power Shadow, but only when I test malware, which has not been very much lately. ATM, I have too much attention wrapped up in trying to finally narrow down a solid-performing cloning/imaging app. That consumes a lot of time.

    It has many times been said it's too complicated for the average user, but as perplexing as it appeared even to me at first, just a little time reading the manual, then adding my own rules, quickly eliminated those learning curves with it. I'm sure there's even more that can be done with it in adding additional rules, but I've hammered it enough as-is with most all the latest rootkits and malware, and from all my results I've seen it can hold up its end very well in what it's designed to do.

    It's a very solid app and completely stable, depending on which version works best for you. I'm speaking only from the Full Version standpoint, so sorry, I can't really comment either way on the free version's effectiveness or stability; others can.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am not sure, but I think it removes some rules for things that have been removed from your PC in the meantime, especially DLLs, drivers etc., but it is not accurate in my experience, even in the Pro version. However, in the Pro version it shows you what rules it will delete, so you can know whether it's OK or not (not sure, but maybe you can selectively delete some and keep the rest).
     
  22. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Thanks for that, aigle.
     
  23. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Personally, I think it isn't quite as complicated to use as it appears; it is easier to use than to fully understand. For the most part, once it has acquainted itself with your system, it will from time to time ask if you want to allow something to start something else (oh, such technical speak). If you are unsure you can a) follow the path to see the origin and destination of the request, or b) always block it once and see if it stops you from doing something you wanted to do.
    If it is your first day as an air traffic controller and it is on your system, this may be a problem, but otherwise it isn't too much of a big deal.
    It is a great program for learning what interacts with what on your machine. I have found it a very stable application.
     
  24. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    When you get the pop-up, you should click 'Yes'.

    This will bring up a window displaying all the apps in question. If you then decide to make no changes, just click 'Cancel' to exit and no harm is done.

    Basically you should remove from the list all processes you have had but no longer have, since there is no point in keeping the rules for them.

    However, there may be one or two processes of a transient nature that are worth keeping. Just to give one example: when ZA updates, it loads an executable called patch.exe which changes old AS definitions for new ones; once the update has finished, patch.exe will be deleted. Because it no longer exists, it will appear on the SSM list. If you remove it from the list you will get a pop-up every time you have an auto-update. Obviously you need to keep this prog on the list to avoid having to create new rules each time.
     
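Two points in this thread are worth seeing in working code: post #5's explanation of what learning mode actually does (every observed action becomes a permanent allow rule, malware included if the box is already infected), and post #24's answer about the "rules for non-existent processes" prompt (prune stale rules, but keep transient helpers like patch.exe). The toy below is an added illustration written for this page, not SSM's own code or format: the file system is a dict of path to bytes so it runs offline, and every path, action name and verdict string in it is made up. The MD5 pinning mirrors the "Don't check MD5" rule from post #7, and the colour function only models post #5's reading of green versus yellow.

```python
"""Toy model of a learning-mode HIPS in the spirit of SSM as discussed above.
Added illustration, not SSM's code: the file system is a dict of path -> bytes
so everything runs offline, and every path, action and verdict string is made up."""
import hashlib


class ToyHips:
    def __init__(self, fs: dict):
        self.fs = fs              # constructed fake file system: path -> file bytes
        self.learning = True
        self.rules = {}           # (acting process, action, target) -> "allow" | "deny"
        self.pinned_md5 = {}      # acting process -> MD5 of its executable when rules were made
        self.skip_md5 = set()     # processes configured with "Don't check MD5"

    def decide(self, proc, action, target, answer=None, permanent=False):
        """Verdict for one intercepted action; `answer` and `permanent` stand in
        for the pop-up's allow/deny and "make rule permanent" buttons."""
        key = (proc, action, target)
        data = self.fs.get(proc)
        if data is None:
            return "deny"                       # nothing on disk to hash or trust
        digest = hashlib.md5(data).hexdigest()
        if self.learning:
            # learning mode: whatever runs is assumed legitimate and gets a permanent
            # allow rule, so on an already-infected box the malware is whitelisted too
            self.rules[key] = "allow"
            self.pinned_md5[proc] = digest
            return "allow"
        pinned = self.pinned_md5.get(proc)
        if pinned is not None and pinned != digest and proc not in self.skip_md5:
            # same path, different executable (update or trojan): the pinned rules
            # no longer apply and the user is asked again
            if answer is None:
                return "prompt:binary-changed"
            if permanent:
                self.pinned_md5[proc] = digest  # re-trust the new binary
                self.rules[key] = answer
            return answer
        if key in self.rules:
            return self.rules[key]
        if answer is None:
            return "prompt"                     # unknown action: pop-up
        if permanent:
            self.rules[key] = answer
            self.pinned_md5.setdefault(proc, digest)
        return answer

    def colour(self, proc):
        """Post #5's reading of the colours: one rule is simple (green), several
        actions or targets make it advanced (yellow)."""
        n = sum(1 for k in self.rules if k[0] == proc)
        return "none" if n == 0 else ("green" if n == 1 else "yellow")

    def prune_stale(self, keep=()):
        """Drop rules whose process is no longer on disk (the prompt asked about in
        post #19). Transient helpers such as an updater's patch.exe are deleted after
        each run: list them in `keep`, or every update prompts again."""
        stale = [k for k in self.rules if k[0] not in self.fs and k[0] not in keep]
        for k in stale:
            del self.rules[k]
            self.pinned_md5.pop(k[0], None)
        return stale


def demo():
    """Learning, enforcing, a replaced binary, then stale-rule pruning."""
    explorer = r"C:\Windows\explorer.exe"
    browser = r"C:\Program Files\Browser\browser.exe"
    patch = r"C:\Program Files\ZA\patch.exe"       # transient updater helper
    dropper = r"C:\Temp\dropper.exe"               # malware present while learning
    fs = {explorer: b"explorer-v1", browser: b"browser-v1",
          patch: b"patch-v1", dropper: b"dropper-v1"}
    h = ToyHips(fs)
    h.decide(explorer, "start", browser)
    h.decide(explorer, "start", patch)
    h.decide(patch, "terminate", browser)
    h.decide(dropper, "global_hook", "*")          # learned as legitimate: the danger
    h.learning = False
    out = {"known": h.decide(explorer, "start", browser),
           "unknown": h.decide(browser, "driver_install", "x.sys"),
           "once": h.decide(browser, "driver_install", "x.sys", answer="deny"),
           "unknown_again": h.decide(browser, "driver_install", "x.sys"),
           "learned_malware": h.decide(dropper, "global_hook", "*"),
           "explorer_colour": h.colour(explorer), "patch_colour": h.colour(patch)}
    fs[explorer] = b"explorer-v2"                  # binary replaced under the same path
    out["replaced"] = h.decide(explorer, "start", browser)
    out["retrusted"] = h.decide(explorer, "start", browser, answer="allow", permanent=True)
    del fs[patch], fs[dropper]                     # updater cleaned up; malware removed by hand
    stale = h.prune_stale(keep={patch})
    out["pruned"] = sorted({k[0] for k in stale})
    out["patch_rule_kept"] = (patch, "terminate", browser) in h.rules
    fs[patch] = b"patch-v1"                        # next update recreates the same helper
    out["patch_back"] = h.decide(patch, "terminate", browser)
    out["dropper_gone"] = h.decide(dropper, "global_hook", "*")
    return out
```

Run `demo()` and the dropper's global hook comes back "allow" after learning mode is switched off, which is exactly why post #5 says learning mode is only safe on a clean machine; a "deny" answered without "make rule permanent" is not stored, so the next identical action prompts again, as post #12 describes. One caveat on the patch.exe case from post #24: keeping the rule only helps if the recreated helper hashes the same. If the updater ships a different patch.exe each time, the pinned MD5 will not match and the model (and SSM, unless "Don't check MD5" is set for that rule) prompts anyway.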
  25. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    This was my aforementioned assumption: that the items it referred to were temporary processes that had done their job and were now dormant, and removing the rules for these would lead to pop-ups the next time they did whatever it was they had done before.
    Thanks for that.
     