system safety monitor

Discussion in 'other anti-malware software' started by r2b, Sep 3, 2006.

Thread Status:
Not open for further replies.
  1. r2b

    r2b Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    14
    Does anyone know anything about SSM (system safety monitor) from syssafety.com? How necessary is it in addition to usual security sw (AV, FW, ASW, etc)? Sorry if this isn't the correct location for this post - please feel free to move it if necessary just so I get notices of posts.
    Thx
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    i do not consider HIPS such as system safety monitor a necessity, but if it makes u feel safer then by all means go ahead and use one.
     
  3. herbalist

    herbalist Guest

    I use System Safety Monitor and have been a beta tester for them since Syssafety took over its development. HIPS (host intrusion prevention systems) like SSM do not rely on signatures or reference files. They are one of the only ways to stop zero-day exploits (exploits unknown to signature based security-ware like AVs). Their biggest advantage is that they give the user total control over all executables and what they're allowed to do. The main disadvantage is that the user has to know their system, the executables on it, and what they do. SSM doesn't differentiate between system executables, 3rd party software, or malware. The user has to make those decisions. SSM's ability to defend and control your system is extensive, but is only as good as the user configuring it. I trust it enough that I no longer run a resident AV, not a practice I'd recommend to anyone who doesn't know their system and software completely. The learning mode helps with the initial setup, but is not a substitute for user knowledge. It's also important to make sure the PC it's being installed on is completely clean and free of virus/malware infection before installing SSM. Although the newest versions contain a firewall component, a good firewall is still a necessity. IMO a good firewall and HIPS software should be the core of a good security system. As for anti-spyware apps, if your system is clean to start with, your SSM ruleset is good, and you don't allow anything you shouldn't, your anti-spyware apps won't have much to do.
    If you're a knowledgeable user, SSM is a powerful addition to your security package. If you're a casual user with no real knowledge about how your system and software works, SSM will likely seem confusing and intrusive to you. Take a good, long look at the screenshots posted at their site and be honest with yourself about how well you understand what you see. If you don't and can't invest the time it takes to learn your system in detail, SSM might not be a good choice for you. IMO, SSM is ideal for power users in its present form but is not ready for the average user.
    Rick
     
  4. r2b

    r2b Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    14
    Hi herbalist, thanks. That was the impression I was getting from studying the SSM website and what related information I was able to find (not much). It is interesting that you are confident that it can take the place of an antivirus. However it is clearly not suitable for a home computer with mostly non-expert users, and even though I consider myself an advanced user I do not feel confident to always give the correct answers to SSM. BTW I have been writing to several forums to try and understand SSM but your post is the first one that really helped clear things up for me. I also saw wyrmrider's post in spyware warrior http://spywarewarrior.com/viewtopic.php?p=137505#137505 that was a nice pat on the back for you.
    Many thanks.
     
    Last edited: Sep 3, 2006
  5. herbalist

    herbalist Guest

    R2B,
    I'm no expert by any means. I've just been involved with SSM thru most of its development. The only way to really tell if SSM will work for you is to try it. The free version is quite good and is one of a very few such apps that run on 98 or ME. I haven't heard of any uninstall problems with it so you've nothing to lose but some time, and maybe some aggravation! Just take your time with it and Google what you don't understand. If you're an advanced user, it may be easier than you expect.
    I trust SSM to capably replace a resident AV, not an AV scanner, which I still have 2 on board. Nearly all malicious code is a process in its own right, as are the installers that install them. The same applies to rootkits. Some process has to install them. If all unknown processes are blocked, installers don't run, not unless you specifically permit it. If SSM has a weakness, it's that it requires the user to know or find out exactly what that unknown process is. The process behavior doesn't always tell you. SSM for example detects new drivers and system hooks. Malware, legitimate software, and even Windows components do these things, so an alert saying that something.exe wants to set a hook tells you nothing unless you know what something.exe actually is. Malware often tries to imitate system files by using names that are very close. Sometimes they use the actual name, but don't install in the normal location of that file. If a user mistakenly allows it, the HIPS software can't defend you. The end result is that SSM gives you total control of your system. Your system can only do what the SSM ruleset allows. How secure that is depends on what you allow.
    Rick
     
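The two impersonation patterns herbalist describes above (a name that is very close to a system file's name, and the real name used outside that file's normal location) are exactly what a user can check for before answering an alert. The following is an added example, not code from this thread or from Syssafety: it takes a process image path and classifies it against a small table of known system binaries. The table, the sample paths and the function names are constructed for this illustration.

```python
"""Added example: flag process image paths that imitate system files,
either by a lookalike name or by the exact name in the wrong directory.
The KNOWN_SYSTEM_FILES table below is constructed; a real one would be
generated from a clean install of the same Windows version."""
import ntpath

# Constructed table: canonical system binary -> directory it normally lives in.
KNOWN_SYSTEM_FILES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two names; catches svch0st.exe-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(path: str, max_distance: int = 1):
    """Return (verdict, reason) for one process image path.

    verdict is 'known', 'wrong-location', 'lookalike' or 'unknown'.
    Paths are compared case-insensitively, as Windows does.
    """
    directory, name = ntpath.split(path.lower())
    if name in KNOWN_SYSTEM_FILES:
        expected = KNOWN_SYSTEM_FILES[name]
        if directory == expected:
            return "known", f"{name} is in its normal location"
        return "wrong-location", f"{name} is expected in {expected} but was found in {directory or '(no directory)'}"
    for sys_name in KNOWN_SYSTEM_FILES:
        if edit_distance(name, sys_name) <= max_distance:
            return "lookalike", f"{name} differs from {sys_name} by at most {max_distance} character(s)"
    return "unknown", f"{name} is not a known system file; research it before allowing"


def review(paths):
    """Classify a list of paths; returns [(path, verdict, reason), ...]."""
    return [(p,) + classify(p) for p in paths]


if __name__ == "__main__":
    # Constructed sample alerts, in the spirit of what a HIPS would show.
    for row in review([
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\svch0st.exe",
        r"C:\Documents and Settings\user\svchost.exe",
        r"C:\Program Files\SomeTool\tool.exe",
    ]):
        print(row)
```

A 'wrong-location' or 'lookalike' verdict is a reason to deny and investigate; 'unknown' only means the name is not a system file and still needs the kind of research the thread recommends.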
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The latest versions of SSM (now in advanced beta status) can now be configured to protect important applications from being wrongly terminated. I now have SSM providing this type of essential protection to all my security programs.

    As to the need to be a computer *power user* in order to get the most out of SSM -- I agree to a point. I am most definitely NOT a power user, but I rarely find it difficult to determine whether to "allow" or "block" when SSM asks me about something. SSM's pop-ups give a goodly amount of information on the pop-up notice. Also, I just do a Google search of unfamiliar stuff & have an answer within seconds.

    Using SSM when I was clueless wasn't all that difficult. Plus, the more I used SSM, the better informed I became as to what was on my computer, what it did, & why. In other words, SSM is a *good teacher* as well as a superb security tool.

    I have several layers of security programs but -- if I could only have ONE --- SSM would be it.
     
  7. herbalist

    herbalist Guest

    I initially found it quite intimidating, but then Max's early versions weren't nearly as convenient to configure. But in regards to SSM being a good teacher, I couldn't agree more. Those alerts can teach you a lot about the different system components, what they do, and what is normal behavior for them. If I was limited to one security app, it would be close, but SSM would probably be it, with my firewall being a close second. Hard to say which is more important as both are critical to system security.
    It just keeps getting better. Unfortunately for me, that beta doesn't run on my old box, Win98. Even so, SSM has always had the "keep process in memory" option on the free version, which comes close to offering the same protection. I use it for my firewall and a few other items. If something does manage to terminate the firewall, SSM immediately restarts it. While that's not quite as good as preventing it from being terminated in the first place, there isn't much an attacker can do to you in such a short time when SSM is still preventing undesired activity from happening.
     
    Last edited by a moderator: Sep 3, 2006
  8. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    How does SSM compare to ProcessGuard?
     
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Used to use SSM in the early days when it was simpler. It has now morphed into a 'bigger' product than PG and therefore more complicated. PG covers just the processes on your PC (IMHO it does this very well) whilst SSM also covers the protection of key Registry Keys, etc.

    SSM covers more but is more complex to set up and use IMHO. PG is simpler and therefore easier to use...again IMHO. I now use PG with KIS6's Proactive Defense covering the Registry aspects.:D
     
  10. TECHWG

    TECHWG Guest

    i have not tried it yet, but from the screenshots i kind of don't like the GUI for some reason. Maybe i will bang it on a vmware and give it a test drive
     
  11. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I think SSM's GUI is not too bad, considering the amount of features it supports. :D

    The new registry guard interface though is pretty difficult to use though IMHO.
     
  12. herbalist

    herbalist Guest

    SSM's rule screen and advanced properties screen are nicely laid out. Most of the screens are pretty good. I don't see too many ways to make the interface for the registry module better. The more of the registry it covers, the more there will be on the screen. They're very open to GUI suggestions. If you have one, post it at their site. They've made many user suggested changes.
    Rick
     
  13. kdm31091

    kdm31091 Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    365
    SSM is good. If you want a HIPS it's functional and fairly easy.

    HIPS is not totally needed, especially if you'll just blindly allow everything to make it work. It really only is effective if you know what you're allowing.
     
  14. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    I use it as well. One of the things I like about SSM is that it generates a report/log that I can review and, from there, research/correct/modify how applications are run on my system. So far so good. I do find one thing that can be improved: it does sometimes repeat a request for which I've previously marked: always allow this application to run.
     
  15. kdm31091

    kdm31091 Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    365
    Indeed its "memory" isn't that good.
     
  16. herbalist

    herbalist Guest

    While not always true, sometimes there are reasons for its asking again. Possibilities include:
    1. The process is being launched by a different application that isn't specified as an allowed parent.
    2. The parent application has changed or is updated, changing its MD5 signature. SSM will treat it as a new parent process.
    3. The signature for the app being launched has changed. One program I use creates a temporary executable, which has a different signature every time. Using the "Don't check MD5" option solves this one, usually.
    4. If the rule for the application was manually added or edited, and the "apply" button isn't used, the changes aren't saved.
    Quite often, one of these will explain being asked again, but not always. I have run into that same thing when an app is started via the "Send To" menu.
    On my system, this is less of a problem than it used to be, but still happens once in a while.
    Rick
     
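The four reasons herbalist lists come down to how an allow rule is keyed: on the executable's path and MD5, on the set of allowed parents (each with its own MD5), and on whether the rule was actually saved. The following is an added example, not SSM's code or anything from Syssafety: a toy rule matcher that evaluates constructed launch events and reports which of those four conditions caused a re-prompt. Field names such as `check_md5` and `applied` are assumptions made for the illustration; `check_md5=False` stands in for the "Don't check MD5" option.

```python
"""Added example: a toy model of HIPS allow-rule matching that reproduces
the re-prompt causes listed in the thread. Rules, events and file contents
are all constructed; nothing here is Syssafety's implementation."""
import hashlib
from dataclasses import dataclass, field


def md5_of(data: bytes) -> str:
    """Hash of an executable's contents, as a HIPS would record it in a rule."""
    return hashlib.md5(data).hexdigest()


@dataclass
class Rule:
    path: str                                    # executable the rule covers (lower-case)
    md5: str                                     # hash recorded when the rule was created
    parents: set = field(default_factory=set)    # allowed (parent_path, parent_md5) pairs
    check_md5: bool = True                       # False models the "Don't check MD5" option
    applied: bool = True                         # False models an edit never saved with "apply"


@dataclass
class LaunchEvent:
    path: str
    image: bytes            # contents of the launched file, hashed at launch time
    parent_path: str
    parent_image: bytes


def evaluate(rules: dict, ev: LaunchEvent):
    """Return ('allow', reason) or ('prompt', reason) for one launch event."""
    rule = rules.get(ev.path.lower())
    if rule is None or not rule.applied:
        return "prompt", "no saved rule for this executable"          # reason 4 (or no rule)
    if rule.check_md5 and md5_of(ev.image) != rule.md5:
        return "prompt", "executable's MD5 changed since the rule was made"  # reason 3
    parent_key = (ev.parent_path.lower(), md5_of(ev.parent_image))
    if parent_key not in rule.parents:
        if ev.parent_path.lower() in {p for p, _ in rule.parents}:
            return "prompt", "parent is an allowed application but its MD5 changed"  # reason 2
        return "prompt", "launched by a parent not in the allowed list"  # reason 1
    return "allow", "matched saved rule"


def demo():
    """Constructed scenario covering each of the listed re-prompt causes."""
    explorer_v1, explorer_v2 = b"explorer build 1", b"explorer build 2"
    app = b"app build 1"
    temp_v1, temp_v2 = b"temp exe 1", b"temp exe 2"   # rebuilt temp executable, new hash each time
    rules = {
        r"c:\tools\app.exe": Rule(r"c:\tools\app.exe", md5_of(app),
                                  {(r"c:\windows\explorer.exe", md5_of(explorer_v1))}),
        r"c:\tools\temp.exe": Rule(r"c:\tools\temp.exe", md5_of(temp_v1),
                                   {(r"c:\tools\app.exe", md5_of(app))}, check_md5=False),
        r"c:\tools\edited.exe": Rule(r"c:\tools\edited.exe", md5_of(app), set(), applied=False),
    }
    events = {
        "normal":         LaunchEvent(r"C:\tools\app.exe", app, r"C:\Windows\explorer.exe", explorer_v1),
        "other_parent":   LaunchEvent(r"C:\tools\app.exe", app, r"C:\Windows\cmd.exe", b"cmd"),
        "parent_updated": LaunchEvent(r"C:\tools\app.exe", app, r"C:\Windows\explorer.exe", explorer_v2),
        "temp_rebuilt":   LaunchEvent(r"C:\tools\temp.exe", temp_v2, r"C:\tools\app.exe", app),
        "unsaved_rule":   LaunchEvent(r"C:\tools\edited.exe", app, r"C:\Windows\explorer.exe", explorer_v1),
    }
    return {name: evaluate(rules, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:15} {verdict:7} {reason}")
```

The "temp_rebuilt" case only passes because the rule skips the hash check; the trade-off is that any file at that path, including a replaced one, would then match the rule, which is why the option is best limited to the few programs that genuinely regenerate their executables.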
  17. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    The latest SSM version 2.1.15.588 has made a lot of changes and bug fixing. :eek: SSM is getting better and better. :D
     
  18. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Same here.
    I don't find the program difficult at all ( I consider my knowledge of computers on the intermediate level), and SSM gets more user-friendly with every update. When I want more info to decide "allow" or "block" I use this site:
    http://www.processlibrary.com/

    I agree when you want to bring out SSM's full potential you have to be a knowledgeable user, but when you are just a little bit interested in computers this program will give you no problems to provide terrific protection.
     
  19. herbalist

    herbalist Guest

    The idea of Googling up info for something on one of the alerts that's unknown to the user is good, but there is a problem with doing that at times. I'm not sure if XP behaves the same way or not, but on my 98 box, if the process being asked about was launched by the browser, the browser won't be allowed to go to Google until that alert is answered. I tested that idea on my box by removing the browser as an allowed parent process for Acrobat reader, then went to a site with PDFs and tried to launch one with the browser. I got the alert asking if I wanted to allow it, which I'd expected. The problem was that I couldn't go to Google with the browser until I responded yes or no. It worked this way with both Mozilla and IE6 on my unit. From what I can tell, whenever an alert is displayed about a new process or behavior, the parent process for that new process is effectively locked from doing anything else until the alert is responded to. I just repeated the same test with Windows Explorer and Notepad, unchecking Explorer as an allowed parent for Notepad, then trying to launch it. Got the alert as expected, but was unable to launch my browser with Explorer until I replied to the alert. A lot of alerts for new processes could have the browser as the parent process, making it impossible for the user to search for info, unless they have more than one browser. If the new process is started via windows explorer, the user might not have use of the browser unless it was already running. From what I can see, there are a lot of instances where the user would be unable to search for info on what an alert may display, leaving them to their own devices, which I hope would be a default-deny mentality. Hopefully this evening I'll be able to check on an XP unit with SSM and see if it also behaves this way.
    Rick
     
  20. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    What, you only have ONE browser?!:eek:
     
  21. herbalist

    herbalist Guest

    Yes, I have 2 browsers, but the typical user usually doesn't. Most have just IE6. Then again, the typical user isn't running SSM. I didn't get a chance to check it out completely, but XP does behave differently in the aforementioned situations than a 9X box. When I repeated the same IE6 starting Acrobat Reader and made it wait for an answer, I could get to Google with IE6 on the XP unit. Same with opening a process with Windows Explorer. I could launch the browser while it waited for an answer to a process launched by Windows Explorer. Completely opposite on 9X boxes. In one way, I like the idea of being able to still use the browser to search Google for process info, but I'm wondering if there are other security implications with this behavior difference, or if this behavior is unique to my configuration. Anyone else here using SSM on a 9X or ME system? If there is, could you take a few minutes and see which way your system responds in the above described scenarios?
    Rick
     