System Safety Monitor - Questions

I installed System Safety Monitor Free v2.0.8.584 out-of-the-box on my computer in Learn Mode.
So what NOW ? Is that enough or do I have to do something more in this very not userfriendly software.
I belong to the housewife user group, except for a few minor body differences.

Let starts with the "Application Rules". Alot of light green, alot of green and alot of "yellow" and all my applications are legitimate.
So why aren't they all green or yellow and why are some green already ? That's unlogical to me.
And what do I have to do to change yellow into green.
Good grief and this is just the beginning. Pffft.

 

When i install a fresh copy of ssm, i put it into learning mode then go thru and do all the things i normally do on my computer. I'll do a couple of restarts and let the system run for a while. Then i take it out of learning mode and i don't get bombarded with pop ups. You can also disconnect the UI if you like so your ssm config can't be changed and anything thats not specified in your rules won't be allowed.

EDIT: You'll may also want to tick the start automatically box if you haven't already done so.

 

I have no doubt that SSM is an excellent software. But my feelings are the same as your first impressions. It appears to be a software that has a much bigger than average learning curve to it and you need to spend a fair amount of time with it to get the most out of it. If you don't, how can one be sure everything is ok? (This is the same basic impression I have of the Kerio 2.x firewall. Good stuff, but to run it, you need to spend several hours learning how to use it.)

Thus the reason I went with MJ Registry Watcher over free SSM. If you have a basic understanding of the registry and file structure of a PC, you'll understand how it works in just a few minutes. (Note that I'm NOT saying that Registry Watcher provides the same type or level of protection that SSM does. Also note that Registry Watcher has gone shareware only in the last couple of weeks.)

 

Something like SSM is a really great tool for knowing what wants to run in your system Erik. Unfortunately it is not so nice since if you don't know how to run it, it can cause just problems. I am satisfied with ProcessGuard free. And I use Process Explorer from former sysinternals, now microsoft owned.
Learning mode I think offers absolutely no protection but at least you get known what is running your system, SSM logs and all.

What I recommend is Sandbox type solution, even though Sandboxie deleted your hard drive which is still a mystery and no one else but you experienced it.

HIPS is a bother to run for sure and I am always disabling PG when MS patches are installed for XP or some program update for AntiVir needs to be installed.
To be sure that PG is not causing problems for trusted installs.

I cannot much comment about other things since many here trust so much on SSM, but it is a classical hips same as PG and without the knowledge to deny bad things starting, it is of no use for security prevention and as told can cause problems.

EDIT

I strongly disagree that kerio 2.1.5 is a difficult firewall. Sure needs many hours to learn to make rules safe and hours also spent to tweak rules, but it is easy one and once it is done, it is just there running and you never know it is there. I run Comodo now and it is a much more bother same as SSM. But I can live with it.

 

LOL, I know this feeling, I will try and answer some of your questions, but keep in mind I am NO expert either in computers or this program, so some kind person may have to bail me out at some point

Ok this has relevance to the next question

Because you are in learning mode SSM has accepted that your system is clean and all running apps are legitimate and anything they try and do is legitimate. As you execute stuff SSM is busy creating rules based on what you are allowing processes and applications to do. Learning mode is no good on anything but a clean system, if you had a nasty on your machine and SSM in learning mode SSM would assume this nasty was a legitimate program and create allowing rules for whatever it was doing at the time.
So with regard to the colours, simple allowing rules are in green, one process acting on another process or carrying out one task, where one process acts with multiple other processes or conducts multiple tasks the rule becomes advanced and changes colour to yellow, at least this is my understanding.

 

Hi guys,
Before you start praising SSM into heaven, try to learn me how it works. Until now I praise SSM into hell, until I know how it works. I don't need all that glamor.

These are the very easy rules for EACH application. Read them and ask yourself how a housewife would look at these rules without staring at them forever. I count 15 rules.
And please don't call SSM userfriendly anymore, because it is NOT.

Logging : 4 rules (?) Maybe these are actions. I dunno
1. Starting application
2. Blocking the application
3. Application has been closed
4. Interprocess activity

System Control : 4 rules
1. Allow physical memory access
2. Allow process suspending and termination
3. Allow driver installation
4. Allow shutdown system

Code/DLL Injection : 3 rules
1. Allow global hooks
2. Allow remote code control
3. Allow remote data modification

Process Creation Control : 4 rules
1. Keep this process in memory
2. Allow this process to execute any unclassified program
3. Don't check MD5
4. Block for disconnected UI

Do you really understand ALL these rules ?
Any standard settings for trusted applications ?

 

ErikAlbert,

Let's make a deal. I will set up your SSM-free for free and you will give your lisence of Anti Executable to the first poster after me. By the way in the Netherlands (just over the border north of Belgium), it is common that men also do their share in the house hold. I for instance always cook dinner (because my wife faces more traffic jams). does this qualify me also (as a house-man that is).

Regards K

 

Hi, folks: If you adopt SSM, you would have to use it outside of frozen mode, otherwise everything learned will be lost upon rebooting. That is the very reason I chose Prevx over SSM (or ProSecurity etc). Prevx 's community data base will nt be affected by use of frozen state, because they are out of my box. But do'nt get me wrong here, SSM is very strong and lethal app, it will touch and kill right before your naked eyes. Just you have to overhaul the entire lineups. Is it worth ?

 

If u read 7 step tutorial in the help file, it will be be a lot easier for you. It,s better not to enable modules at the moment.

 

Never heard of re-freezing ? That's how you update SSM settings in frozen mode.
I ditched Prevx because it doesn't fit in a frozen snapshot, too many updatings.
SSM needs only program upgrades and that's why it fits in a frozen snapshot.

Because I don't get any straight answers, I assume that many SSM-users don't fully understand SSM either. No problem, but it will be a much longer learning curve for me.

 

Erik,

Since you have an "offline" and "online" FD-ISR SS. I would D/L the Full Trial Version (like Pete suggested) And run it in the Offline SS. Not in Learning Mode. "Answer" all the pop-ups. This will give you a basic idea of what instances want access to what... When / if you want to install an app, SSM has an "Install Mode" that comes in the pop-up box, drop down arrow, use this rather than turning on learning mode. If you get tired of answering pop-ups, just shut down SSM. When you first install it, do turn on learning mode, start automatically and re-boot once or twice. This will teach SSM to allow the boot process. Then turn off learning mode and proceed. This will create a tighter rule-set than using learning mode.

It's not a user friendly app by any shake of the imagination, but it's well worth using. If SSM pops up for no reason while your on the box, you can always Google the instance, or just deny and not click "make rule permanent".
After you've done all that you do on the box, you can turn off the UI. This will automatically deny anything from changing.

hth,

...screamer

 

HIPS programs was NOT designed with user-friendliness in mind. No matter how much a developer may try to make it so, the very nature of this kind of program almost always means a trade-off between ease of use and power - make it easier for the newbies, and it equates to a loss in power over control of your system. It may very well be possible for a vendor to eventually accomplish this magic goal, but none exist so far IIRC.

More or less, what you need isn't a set of sure-fire instructions on how to use SSM, or any HIPS in general, because there isn't one. What you need to do is learn more about process API activity in general, get acquainted with the structure of the Windows registry and file hierarchy, and identify how you use your PC and what kind of programs you have in general. Using HIPS programs will come naturally then. Until then, it's pretty much meaningless on asking other people on how to use SSM and what rules to set, because many times the only person who can properly answer those questions is you.

 

Eric, it can be quite easy. For SSM free, I will give very simple tips.

1- Install SSM, reboot ur PC. SSM will not start automatically with windows, by default. Start it from start menue( it starts in learning mode by default I think, if not put it in learning mode).

 

2- Select the following in Options( except for Splash screen, that,s upto u).

 

3- Right click any process in Process Monitor tab and select Trust All.

 

4- Make sure that SSM is still in learning mode and reboot ur PC twice.

5- After that do what u most often do on ur PC, like open ur browsers, e-mail software, Office documents, control panel, etc but don,t connect to internet and don,t use any media( CDs, USB) that might be infected.

Continue learning mode from fre minutes to few hours or even few days if u like. Now disable learning mode and u will get ver few popups.

Pls don,t do all this in frozen snapshot. Also don,t enable modules at the moment to avoid confusion. SSM pro should work as same.

BTW PS Free and Pro has option to make rules automatically during isntall and PS free might be more easier for u.

 

BTW if u still have trouble, ask some other users, not me.

 

Ok I have a question here, which I may already know the answer to but would rather not assume. When you take SSM out of learning mode it invariably throws a warning dialogue which says something like 'There are rules for non-existant processes. Do you want to keep them? Yes or No. What is the correct answer if any, and implications of choosing the wrong option?

 

I was one of it's beta testers before it's first release and eventually stopped at a different version which suited my PC's needs the best than always the latest updates because frankly it more than serves it's purpose very well with no bugs or issues of serious concern. (Full Version Only)
I see prompts only occasionally since configuring it to my demands, and then only on installing programs so SSM is second nature for me and a very routine security HIPS now.
All my FD-ISR snaps are covered with it & sometimes Power Shadow but only when i test malware which is not been very much lately. ATM, i have too much attention wrapped up in trying to finally narrow down a solid performing Cloning/Imaging App. That consumes a lot of time.

It has many times been said it's too complicated for the average user, but as perplexing as it appeared even to me at first, just a little time reading the manual then adding my own rules quickly eliminated those learning curves with it. I'm sure theres even more that can be done with it in adding additional rules but i've hammered it enough as-is with most all the latest Rootkits & Malware and from all my results i seen it can hold up it's end very well in what it's designed to do.

It's a very solid app and completely stable depending on which version works best for you. I'm speaking only from the Full Version standpoint so sorry i can't really comment either way on the free version's effectiveness or stability, others can.

 

I am not sure but I think it removes some rules for things that have been removed from ur PC in the mean time esopprcially dlls, drivers etc but It is not accurate in my experience, even in Pro version. However in pro version it shows u what rules it will delete and so u can know whether it,s OK or not( not sure, but may be u can selectively delete some and keep rest).

 

Thnx for that aigle.

 

Personally I think it isn't quite as complicated to use as it appears, easier to use than fully understand. For the most part once it has aquainted itself with your system it will from time to time ask if you want to allow something to start something else (oh such technical speak), if you are unsure you can a) follow the path to see the origin and destination of the request, b) can always block it once and see if it stops you from doing something you wanted to do
If it is your first day as air traffic controller and it is on your system this may be a problem but otherwise it isn't too much of a big deal.
It is a great program for learning what interacts with what on your machine. I have found it a very stable application.

 

When you get the pop-up you should click 'yes'.

This will bring up a window displaying all the apps in question. If you then decide to make no changes just click 'cancel' to exit and no harm is done.

Basically you should remove from the list all processes you have had but no longer have, since there is no point in keeping the rules for them.

However there may be one or two processes of a transient nature that are worth keeping. Just to give one example:- when ZA updates it loads an executable called patch.exe which changes old AS definitions for new ones; once the update has finished, patch.exe will be deleted. Because it no longer exists it will appear on the SSM list. If you remove it from the list you will get a pop-up every time you have an auto update. Obviously you need to keep this prog on the list to avoid having to create new rules each time.

 

This was my aforementioned assumption, that the items it referred to were temporary processes that had done their job and now were dormant, removing the rules for these would lead to popups next time they did whatever it was they had done before.
Thanx for that .