Two issues with SSM

Discussion in 'other anti-malware software' started by aigle, Feb 17, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I want to ask about two issues I noted with SSM free 2.0.8.583.

    1- According to the SSM help file, I did an experiment. See the advanced settings for Internet Explorer (IE) on my system (see Pic 1). I tried to launch the child process Media Player Classic (mplayerc.exe) via IE, and according to the settings it should be allowed to run, but I get a pop-up from SSM (see Pic 2). Am I missing something?

    2- It happened once on my system that SSM was unable to locate a child process while it was present on my system. Seems a bug. See Pic 3.

    I have posted on their forum but am still waiting for a reply.

    Thanks for any replies.
     

    Attached Files: 1.jpg (102.4 KB)
  2. aigle
    Here is the second snapshot, related to first issue.
     

    Attached Files: 2.jpg (79.7 KB)
  3. herbalist

    herbalist Guest

    I'm assuming that "mplayerc" is a process that's already permitted by rule. If a rule doesn't exist yet for C:\pasted software\mplayerc.exe, you'll get that prompt. If the rule exists, check the advanced properties for mplayerc.exe. What are its parent settings?

    In the situation you describe, the alert applies to the child process as often as it does to the parent.
    Rick
     
  4. herbalist

    I have run into instances when both apps, parent and child, are set in the manner shown in your screenshot, but I'd still get prompted. If this is one of those instances, check the child box for mplayerc on the Internet Explorer advanced screen. That should result in the matching "parent" box being checked on the rule for mplayerc.

    Could I make you a suggestion? I'd change that child setting for Internet Explorer to "ask", then go through the child list and check off the processes that are normally started by Internet Explorer, such as your media player, PDF viewer, DDHelp, etc. Allowing Internet Explorer to start any other process is a very risky setting. More than any other process, Internet Explorer needs its activities controlled.
    Rick
     
  5. aigle
    Thanks for the reply. BTW, it's rather confusing. On my system I can't guess any situation where the default parent/child rule (?) is fired. In fact, when I tested this, I first removed all application rules, so there was no other rule at all for mplayerc.exe (the snapshot was however taken from my regular SSM installation, which is showing many rules).
    I agree that IE should not be allowed to start any child by default, but my point is that in the SSM free edition this setting is not being applied. In fact, with these settings I get an alert each time IE starts a totally new child process, even for the first time. That means this default rule is not being applied in practice.
    Can anybody confirm it?
     
  6. aigle
    See, I tried to run the Online Armor install exe via IE and got a prompt (which I should not get with my settings, as this exe has no rules on my system).
    Another interesting point I noted: in the advanced settings of SSM, most child processes are allowed to run by default and the parent is set to ask user.
     

    Attached Files: 1.jpg (99.4 KB)
  7. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Regarding your first screenshot, maybe the "?" in the "Child" checkbox next to mplayerc.exe takes precedence over your "Open" command. Why not place a checkmark in the "Child" box next to mplayerc.exe, allowing Iexplore.exe to act as a Parent on it? The same idea would apply to any other apps you trust as a parent influence on mplayerc.exe.
     
  8. herbalist

    I noticed that too, and didn't like it. On mine, they both got changed to "ask" for almost all processes.
    I believe that is part of what is giving you problems. I'll try to separate the 2 scenarios.
    1. No rule exists for the child process.
      Your last screenshot is displaying the proper behavior for SSM. When a rule doesn't exist for a specific child process, such as that installer, SSM should alert you. In the instance shown in your last screenshot, no rule exists for \OnlineArmor_Setup_Trial.exe. It's unknown to SSM, so it prompts, which is as it should be.
    2. Rule exists for the child process.
      When rules already exist for both the parent and child processes, the settings for both processes still have to be met in order for one to launch the other without getting an alert. The problem isn't the child settings for Internet Explorer. It's the parent settings of the child process you're being prompted about.
    I just ran a little test on my box using Internet Explorer. I set its default child settings to "allow", then tried to launch two other processes with it.
    The first was an installer for which no rule existed. SSM prompted regardless of the parent child settings made in IE6 because the child process (the installer) wasn't a permitted process. The only way I could launch that installer with IE6 and not see an alert was to check the "allow this process to execute any unclassified program" option on the process creation control tab for IE6. Horribly insecure setting!!

    I then tried to launch Solitaire with Internet Explorer. Even with the IE6 child settings set to "allow", SSM prompted because Internet Explorer isn't a specified parent process for Solitaire. Solitaire's default parent setting was "ask". If I changed it to "allow" or checked Internet Explorer as an allowed parent, then there's no prompt from SSM.

    Hope this helps. If not, let me know.
    Rick
     
  9. herbalist

    Regarding CPRTech's suggestion, that also works, but for a slightly different reason. Using Internet Explorer as the example, on its advanced properties screen, if you checked a box in the child column, specifying Internet Explorer as an allowed parent for a specific process, on that child process's advanced properties screen, Internet Explorer will be checked as an allowed parent.
    As far as I can tell, whenever you check a box allowing a process as a parent or child of another, the matching box on the other process gets checked automatically. The default parent and child drop boxes don't function that way, only the specific check boxes.
    Rick
     
  10. aigle
    Thanks cprtech and herbalist for the explanation.

    @herbalist
    I think it's a bit complicated, as every process may be the child or even the parent of some other process. That is the thing that made me confused. I understand it a bit now.
    So I think even with these default settings, the chance for any child to run without your permission (using the default permission of Allow for most child processes) is low, as usually the parent will cause the pop-up. Am I right?

    So do you suggest changing all parents/children to ask user instead of the default settings? I am afraid it might give rise to so many new popups. Or should I do it for selected processes? Is it really needed?
    Thanks.
     
  11. herbalist

    With the default settings (child-allow, parent-ask), most of the popups will be caused by the starting of the child process. They usually result from one of these 2:
    1. No rule exists for the child process.
    2. The parent process isn't specified as an allowed parent for that child process.
    Regarding changing all the parent and child settings to ask, this would result in a large increase in popups. Controlling what each parent process is allowed to start does enhance how well SSM can protect your system, but it's not absolutely necessary.

    Instead of changing all of them to "ask", you could do this one process at a time and take your time with it. If I was going to edit the rules in this manner, I'd start with the browser, then the mail handler. These 2 are targeted the most and both connect to the web. I don't have access to an XP unit at the moment so I can't give you a listing of what to check as allowed child processes for Internet Explorer, but the allowed child list would include items like your media player, Adobe Acrobat viewer, your mail handler, DDhelp, executables associated with printing such as spool32.exe, etc. If you have toolbars or plug-ins for other software added to your browser, you might need to add those. Example, on mine, IE6 has an icon for Yahoo IM on the toolbar. For that icon to work, IE6 has to be an allowed parent for Yahoo. I also have Star Downloader integrated into IE6, so it also needs to be an allowed child process for it.

    It is a bit more work to manually specify everything that a process like Internet Explorer is allowed to run, but there are advantages too. Besides the security gain that comes from not letting Internet Explorer start processes it doesn't need to use, ones it could potentially be used to exploit, manually selecting the allowed child processes on the Internet Explorer advanced screen results in Internet Explorer being set as an allowed parent on those would-be child processes' advanced screens. This overrides the default settings in the parent and child drop boxes.

    If you work on one process at a time, there shouldn't be many popups. Just treat the ruleset as a work in progress. For items like the Online Armor install in your screenshot, don't bother making rules for things that will only be used once, installers, updates, etc. Just allow those once.
    Rick
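    The rule evaluation herbalist describes in posts 8, 9 and 11 (an unknown child always prompts unless the parent may run "any unclassified program"; a known child launches silently only when the parent's child default and the child's parent default both say allow; a ticked check box is mirrored on the other process and overrides both defaults) can be modelled as a small policy engine. The block below is an added example written for this page, not SSM's own code: the rule fields, the `link` helper, and the process names in the two test scenarios are assumptions modelled on the posts, and the only default values used are the "allow" and "ask" the thread mentions.

```python
# Added example: toy model of SSM-style parent/child execution rules (not SSM code).
# Rule fields and the symmetric check-box behaviour are assumptions taken from the
# thread; the process names in the scenarios below are constructed sample input.
from dataclasses import dataclass, field

ALLOW, ASK = "allow", "ask"  # the only default values the thread mentions


@dataclass
class Rule:
    """Advanced-properties rule for one executable (assumed layout)."""
    name: str
    default_child: str = ALLOW       # what this process may start by default
    default_parent: str = ASK        # who may start this process by default
    children: set = field(default_factory=set)   # specific "child" check boxes
    parents: set = field(default_factory=set)    # specific "parent" check boxes
    allow_unclassified: bool = False  # "execute any unclassified program" option


class RuleSet:
    def __init__(self, *rules):
        self.rules = {r.name: r for r in rules}

    def link(self, parent, child):
        """Tick the child box on the parent; the matching parent box on the
        child is ticked as well (post 9 says SSM mirrors the check box)."""
        self.rules[parent].children.add(child)
        self.rules[child].parents.add(parent)

    def decide(self, parent, child):
        p = self.rules.get(parent)
        c = self.rules.get(child)
        if p is None:
            return ASK                      # unknown parent: nothing to evaluate
        if c is None:                       # scenario 1: no rule for the child
            return ALLOW if p.allow_unclassified else ASK
        if child in p.children or parent in c.parents:
            return ALLOW                    # specific check box overrides both defaults
        # scenario 2: both defaults must permit the launch
        if p.default_child == ALLOW and c.default_parent == ALLOW:
            return ALLOW
        return ASK


def herbalist_test():
    """Replay the two launches from post 8: an unknown installer, then Solitaire."""
    rs = RuleSet(Rule("iexplore.exe", default_child=ALLOW),
                 Rule("sol.exe", default_parent=ASK))
    out = {}
    out["installer_unknown"] = rs.decide("iexplore.exe", "OnlineArmor_Setup_Trial.exe")
    rs.rules["iexplore.exe"].allow_unclassified = True   # the "horribly insecure" option
    out["installer_unclassified_ok"] = rs.decide("iexplore.exe", "OnlineArmor_Setup_Trial.exe")
    rs.rules["iexplore.exe"].allow_unclassified = False
    out["sol_default"] = rs.decide("iexplore.exe", "sol.exe")   # IE not an allowed parent
    rs.link("iexplore.exe", "sol.exe")                           # tick IE as parent of sol
    out["sol_linked"] = rs.decide("iexplore.exe", "sol.exe")
    return out


def hardened_ie_test():
    """Post 11's advice: IE child default set to ask, with an explicit child list."""
    rs = RuleSet(Rule("iexplore.exe", default_child=ASK),
                 Rule("mplayerc.exe"),
                 Rule("cmd.exe", default_parent=ALLOW))
    rs.link("iexplore.exe", "mplayerc.exe")
    return {
        "media_player": rs.decide("iexplore.exe", "mplayerc.exe"),  # ticked box wins
        "cmd_via_ie": rs.decide("iexplore.exe", "cmd.exe"),        # IE's "ask" still bites
        "symmetric": "iexplore.exe" in rs.rules["mplayerc.exe"].parents,
    }


if __name__ == "__main__":
    print(herbalist_test())
    print(hardened_ie_test())
```

    The second scenario is the point of herbalist's advice: with IE's child default on "ask", even a child whose own parent default is "allow" (cmd.exe here) still prompts when IE tries to start it, while the media player ticked in IE's child list launches silently.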
     
  12. aigle
    Here is more what I understood of SSM free version.

    1- All applications with CUSTOMIZED rules have child set to Allow and Parent to Ask User by default.

    2- All applications with SIMPLE ALLOWED rules have child and parent both set to Allow by default.

    In my opinion, in advanced properties there is absolutely no need to set both child and parent to Ask User in the default rules. If you set child to Allow and parent to Ask User by default, you are secure, as absolutely no application can run without a pop-up under these rules.
    So I have changed all SIMPLE application rules (which were approx. 30% of the total rules on my system) to this (converting them to customized rules).

    Any comments?

    Another thing: I suspect that while in learning mode SSM makes some rules CUSTOMIZED and others SIMPLE, but I can't confirm it, just my guess. I guessed so as I hardly ever make SIMPLE ALLOW rules, while I found many such rules on my system that were probably made during the learning period of SSM. Any thoughts?
     
  13. cprtech
    I would say the same diligence could be applied to other common MS processes such as svchost.exe, explorer.exe, and ctfmon.exe. They, too, seem to have tremendous influence as parent processes on child apps.

    Yes, excellent idea. My approach is even more paranoid than that. I change all parent and child settings to “?”, then configure everything on a pop-up by pop-up basis. I don’t like how SSM has so many of these liberal settings by default. I also like this approach because it affords me a better understanding of what is going on under the hood of my rig :)
     
  14. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    IIRC the learning mode creates simple allow rules for processes that are already running when learning mode is enabled, if there are no rules for these processes. For new programs that start while learning mode is enabled, SSM creates advanced rules.
     
  15. aigle
    Thanks for explanation.
     
  16. aigle
    I think it does not make you any safer than my settings (parent ask user and child allowed).
     
  17. herbalist

    For most purposes, the amount of protection isn't that much different between the 2 approaches. It's almost a user preference question. On mine, not including the hard-coded rules, no app has its default parent setting as "allow". Only one app has an "allow" on the child setting, and that app is blocked when the UI is disconnected. It might be an exercise in futility, but I try to look at the ruleset from the perspective of attacking that system, picking the points to be targeted, then limiting what is allowed for those apps as much as possible. Much easier to do on a 98 box than it is on XP.
    Definitely. I just named the browser and mail handler first as those are internet apps on all PCs. There are a lot of priority processes that should be addressed first, beginning with those that can connect to the net, followed by those that handle content obtained from external sources, like image viewers, office software, Microsoft Word. Definitely add media players to that list. Start with the file types they're putting malicious code into and go straight to the apps that handle them. Lately, that's been document formats. Earlier it was code hidden in JPGs, and of course .wmf's.

    Looking at it from that perspective, it almost seems hopeless to try to keep pace, but it's not. No matter how many ways they find to exploit a format or an application, on your own system, there are a very limited number of targetable apps, those that connect to the net and those that handle files that originate elsewhere. Limit what those targeted apps can do, what other processes they can start, block hooks originating from them, etc. As much as possible, isolate those target apps from the rest of your system. When a vulnerability is found in that app or it's filetype, there isn't much they can do with it because that app can't access the more critical areas of your system.
    This kind of approach might be an overkill on a new system, but for those of us using older unsupported systems, those rules and limitations have to compensate for the patches we don't get anymore. Then again, when vulnerabilities are being fixed 20 at a time, maybe it's not so paranoid after all.
    Rick
     