SystemSafetyMonitor

Discussion in 'other security issues & news' started by iceni60, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Hello. I just installed SSM and was hoping you could tell me if I've installed it correctly. At the moment I've created rules for most applications (by pressing F1; should it have been F3?), and when I select a program I haven't created a rule for I get something like the attached image. Should I just run it when I'm on the internet, or always? Thank you.
     

    Attached Files: ssm1.jpg (32.5 KB)
  2. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Well, it all depends on you. If you only want programs to run in Admin mode then hit F3. I myself press F1 so my wife can use the programs I use when she needs them. :) If you have others that use the computer and there's a chance they will use the programs, press F1. But it's your choice. Just remember that explorer.exe needs to be allowed for all or your computer might not work in guest accounts or non-admin accounts. It's always a good idea to read the readme file and help files that come with the program you're using. :) HTH.
     
  3. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks, notageek. It's a family computer, so I'm glad you put me straight. I did read the readme, but tried installing PG before I needed to and my head got in a spin. Thank you.
     
  4. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    You're welcome. The one thing I forgot to say is SSM is a sandbox-like program and it's there to tell you what programs are trying to run on your computer. It's a lot easier to catch spyware or other junk that's trying to call home or run. Just make sure you know which programs you're allowing to run and which you're not. I would suggest googling the program's exe to see what's what. HTH
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Got it, thanks.
     
  6. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    You're welcome.
     
  7. tImEwArP

    tImEwArP Guest

    I wouldn't let it run, but that's just me. If you don't know what the program is just don't let it run, if you then have problems you'll know to let it run next time. If you don't have any problems by stopping it, then why let it run next time.

    To me the whole idea of having a sandbox is to stop things from running that you don't want running or just don't need running. After a while you'll learn what is friendly and what may not be, or just not needed. Hth.
     
  8. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    So let me see if I understand you, timewarp. You say if you don't know what it is, don't let it run? OK, what if it's something that this person doesn't know about but needs to run? What if one of this person's family members is on the computer and SSM pops up asking to allow something they just installed? It's a matter of preference I guess. I like to know what's running, so I let SSM tell me what is trying to run.
     
  9. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    If I come across a DLL I don't know I'll look it up. But other people infrequently use this computer, like today. Quote: "Do you have to connect to the internet to get email?" And the general rule is allow all popups. As I'm sure notageek seems to understand, there's nothing else I can do.
     
  10. tImEwArP

    tImEwArP Guest

    I guess what I was trying to say is, I wouldn't let it run on my system, because I know what normally runs on my system. Looking at the name, MSNgaming\windows\rvsevn.exe, there's no way I would let that run. And it doesn't look like any essential system process, so I doubt it would cause any harm in not letting it run.

    Whenever I see a program popup, I don't need to google it because I pay attention to what is running normally, and any new programs are simply not allowed. Unless I've just loaded in something new.

    If you pay attention to what you're letting run, after a while you will get to know the regular programs that do run, and you would then know if this program should run or not. When you load in new programs, pay attention to what's going on, and you'll again know what to allow and what not to allow.
     
  11. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks tImEwArP, it would have been a help if my computer could handle SSM; but it causes the Sasser system shutdown, too much buffer overflow I think. Thanks.
     
  12. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    This is a common problem; it happened to my system too. Also the older version seems to have a handle leak on my PC.
     
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
  14. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks for the link, Tassie.
    (It's supposed to be a koala; I'm not 100% sure if it's appropriate for you? (Tasmania))

    @(*o*)@
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Hi,

    I'm playing a bit with SSM on Win98 SE, and let me get this straight: can this app actually protect you from flaws in IE? So if a malicious website tries to run code on your system it will not be allowed?

    And is there a SSM guide anywhere where all functions are explained, for example what is the window filter thing? And what is the polling interval for the plugins? I'm planning to use this app only when connected to the net, a good idea?
     
  16. Ronin

    Ronin Guest

    Like all such questions, the answer is: it depends.

    Besides, on your old system, SSM might be a drag.

    >So if a malicious website tries to run code on your system it will not be allowed?

    That's the gist of it, if you set up SSM right and the permissions right. For example if IE is given permission to start child processes then forget it.
     
  17. Long Beard

    Long Beard Guest

    I only use SSM while online. Also there is a help menu within SSM that explains a lot about SSM.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes, my bad, there is a help file, but what I wonder about is why can't you just make it monitor IE, for example? Because it's kind of annoying to make rules for every app/process; what if I could just deny IE access to other apps?

    And how exactly will it stop people from exploiting holes in IE? With some holes people can take control of your PC, I guess they have full system access. So what does this mean, can they take control only via IE?
     
  19. Ronin

    Ronin Guest

    Sure. Make sure "Ask me when program will try to start iexplore.exe" and "Ask me when iexplorer.exe will try to start other program". Simple.

    That way, nothing can start iexplorer without you noticing, and vice versa.


    Huh? I don't understand your second question. Of course, "they"
    can take "control" via other means than just your browser.

    As for the first, it's obvious,think a bit about how SSM works.....
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I mean I still don't exactly know how people can take control over your PC. You go to a hostile webpage and then what? Can someone take control of your PC immediately? But how do they do that? Or do they need to place a trojan on your system first?

    And about my first question, with SSM it seems that you have to have a rule for every process, you can't just deny IE access to other apps, if you have "watch apps activity" enabled, it will prompt you about every app that is trying to load. Does Process Guard also work this way btw?
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    ^^^^^^^^^^

    So I guess no one has a clue of how certain (remote control) attacks really work?
     
  22. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Rasheed,

    So far from what I've learned, all website based (remote control) attacks require some form of mobile code (activeX, Java, Javascript) to execute. That execution leads to downloading and execution of other trojans, malware, exploits, etc.
    Most of these can be blocked by blocking mobile code completely within the browser and using a browser other than IE.
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are two sets of options here:
    1. Active Content - ActiveX controls can do anything on your system - reboot it, delete files, add files. So a hostile ActiveX control could compromise your system by downloading a trojan and modifying your system settings so that it is run on system startup. Java and Javascript are far more limited but bugs in the browser or Java Virtual Machine can allow a similar approach. These attacks will go through a firewall (since it will be configured to allow browser traffic) so the only way to stop them is to restrict Active Content either via browser settings or a third party filter.
    2. Buffer Overflow - The most popular way to compromise a system. If you have any programs that request data (e.g. a web browser asking for a page, an Instant Messaging client picking up a message), they will usually have limits as to how much data they can accept (for example, a simple IM client could be restricted to messages of 255 characters or less). An attacker would try to exceed this limit (sending a message of 256 or more characters in this case). Now what happens to the excess data is that it can, with certain systems like Windows, overwrite pointers used to determine where code is run from. So if the attacker chooses the overflow values carefully, they can cause the system to run arbitrary code of their choice (this does need Assembly language knowledge) which can then adjust system settings, install a trojan, etc. A firewall can provide a partial defence (by blocking access to vulnerable services running on your PC like Windows' RPC/DCOM service) but any application allowed access through the firewall could be targeted by this exploit - therefore it is necessary to check for security updates.
    For more information on buffer overflows (I keep typing "bugger" here, a Freudian slip?), check out the Cult of the Dead Cow's Tao of Buffer Overflows.
    SSM is an application firewall, not an Internet Explorer firewall, so it will intercept all inter-application calls and prompt you for action. If you want something to restrict IE only then you need to look elsewhere (perhaps Finjan's SurfinGuard) - but SSM should do the job well once the rules are set up - and can also intercept DLL injection, Windows hooks (used by keyboard loggers as well as legitimate software like keyboard function key drivers or mouse drivers) and (in the 1.9.5 beta) driver installation.

    Process Guard works in a similar fashion but is simpler to use (in my view) while offering less granularity in its settings (e.g. with SSM you could allow application X to install driver Y, with PG you have to allow application X to install any driver). PG's main purpose is process protection though and it seems to have the lead over SSM here.
     
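    The buffer-overflow mechanism Paranoid2000 describes (a 255-character message limit, an oversized message, excess bytes landing on a saved code pointer), shown as an added C example. This is not code from the thread or from SSM; the IM-style handlers, the 255-byte limit, the 16-byte "frame model" and the initial pointer value 0x400000 are all constructed for illustration. The vulnerable handler is included for contrast and is only ever called with well-formed input, since calling it with a long message is real undefined behaviour; the overflow itself is played out on a flat byte array so the demonstration stays in bounds while still showing the attacker's bytes replacing the saved pointer.

```c
/* Added example: a fixed-size message buffer with and without a bound check,
 * plus a small model of why the excess bytes matter. Not from the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_LIMIT 255            /* the constructed IM client's documented limit */

/* Vulnerable handler: trusts the caller and copies with no length check.
 * Passing a message longer than MSG_LIMIT overruns buf (undefined behaviour,
 * a stack smash on a real target); shown for contrast, only called safely. */
void handle_message_vulnerable(const char *msg)
{
    char buf[MSG_LIMIT + 1];
    strcpy(buf, msg);            /* unbounded copy: the bug */
    (void)buf;
}

/* Hardened handler: rejects anything over the limit before copying.
 * Returns 0 on success, -1 when the message is refused (nothing copied). */
int handle_message_safe(const char *msg, size_t len)
{
    char buf[MSG_LIMIT + 1];
    if (len > MSG_LIMIT)
        return -1;
    memcpy(buf, msg, len);
    buf[len] = '\0';
    return 0;
}

/* Constructs a message of len 'A' characters and feeds it to the hardened
 * handler; returns that handler's result (constructed input, not real traffic). */
int try_length_safe(size_t len)
{
    char msg[512];
    if (len >= sizeof msg)
        return -1;
    memset(msg, 'A', len);
    msg[len] = '\0';
    return handle_message_safe(msg, len);
}

/* Frame model (an assumption for illustration, not a real stack layout):
 * a 16-byte message buffer followed directly by an 8-byte saved code pointer,
 * i.e. "the pointer used to determine where code is run from". */
#define MODEL_BUF 16
#define MODEL_PTR 8
#define MODEL_INITIAL_PTR 0x400000ULL   /* where the function would legitimately return */

/* Plays an unchecked copy of payload_len 'A' bytes into the model buffer
 * (mirroring strcpy with no bound), clamped to the model's size so the
 * simulation itself stays in bounds, and returns the saved pointer afterwards.
 * Up to 16 bytes the pointer is untouched; beyond that the attacker's bytes
 * replace it, exactly the overwrite the post describes. */
uint64_t overflow_saved_pointer(size_t payload_len)
{
    uint8_t frame[MODEL_BUF + MODEL_PTR];
    uint64_t saved = MODEL_INITIAL_PTR;
    uint8_t payload[MODEL_BUF + MODEL_PTR];

    memset(frame, 0, sizeof frame);
    memcpy(frame + MODEL_BUF, &saved, MODEL_PTR);   /* place the saved pointer */

    if (payload_len > sizeof payload)
        payload_len = sizeof payload;                /* keep the model in bounds */
    memset(payload, 'A', payload_len);               /* constructed attacker data */

    memcpy(frame, payload, payload_len);             /* the unchecked copy */

    memcpy(&saved, frame + MODEL_BUF, MODEL_PTR);    /* what the CPU would now jump to */
    return saved;
}

int main(void)
{
    handle_message_vulnerable("hello");              /* benign input only */
    printf("255 chars accepted: %s\n", try_length_safe(255) == 0 ? "yes" : "no");
    printf("256 chars accepted: %s\n", try_length_safe(256) == 0 ? "yes" : "no");
    printf("saved pointer after 5-byte message:  0x%llx\n",
           (unsigned long long)overflow_saved_pointer(5));
    printf("saved pointer after 24-byte message: 0x%llx\n",
           (unsigned long long)overflow_saved_pointer(24));
    return 0;
}
```

    The hardened handler is the fix the post's closing sentence implies (check before copying), and the model shows why the 256th byte is the interesting one: everything up to the buffer's size is harmless, the first byte past it starts rewriting whatever the compiler placed next. Choosing those bytes so the overwritten pointer lands on attacker-controlled code is the part that needs the Assembly knowledge mentioned above.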
  24. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Great info!!

    Thanks Paranoid2000. :)
     
  25. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Yes P2k ~ clapping ~, you are granted a " Karma Cookie ".

    GF
     