Stem Junior Member
Joined: 18 Feb 2006 Last Visit: 12 Jul 2006 Posts: 19 Location: UK
Posted: Sat Jul 01, 2006 10:51 am Post subject: System Safety Monitor (Free Edition)

Hello all,
Just thought it may be worth a mention...
There is now a "Free Edition" of SSM, based on its "Full 2.0.8.574 version, with all features for that version".
Protection (summary below)
Quote:
Free edition:
* Driver Loading
* Program Execution
* NT Services Installation and State Change
* Program State and Memory Modification
* Thread and Process Suspension and Termination
* Direct Physical Memory Access
* Global Hooking
* System Registry Modification
* Window Opening
 |
hornet777 Warrior Guru

Joined: 28 Oct 2005 Last Visit: 20 Oct 2009 Posts: 458
Posted: Sat Jul 01, 2006 1:58 pm

Just as one might assume that we DOS-based Win users were yet again being abandoned, the SSM team comes through again.
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
 |
bob30880 Warrior
Joined: 24 May 2005 Last Visit: 18 Aug 2011 Posts: 116
Posted: Mon Jul 03, 2006 6:41 am

Any opinions on how this compares to Process Guard?
I've been using the licensed version of PG for a couple of years now and swear by it.
_________________
DYSLEXIC'S UNTIE!
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Mon Jul 03, 2006 7:48 am

OK, IMO it isn't a matter of quality when comparing those two products. SSM is just more robust. It has been in dev for many years. I tend to think SSM users want more understanding and control of how they are protected. Both are great tools.
As a SOHO admin, my personal choice is Abtrusion Protector.
BTW, there are also several other good tools for process filtering around.
For those who don't yet know:
'Why do I need this layer in my defenses? Because you can't be infected if the infection can't initiate.'
_________________
-
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE
Spyware/Adware is NOT freeware, it costs all of us dearly.
Mikey's Stuff
Fiddler and friends...essential web diagnostic, forensic, & development tools.
-
|
 |
fcukdat Warrior Addict

Joined: 01 Jan 2005 Last Visit: 08 Apr 2009 Posts: 757 Location: Yeovil,England.
Posted: Mon Jul 03, 2006 9:00 am

bob30880 wrote:
Any opinions on how this compares to Process Guard?
I've been using the licensed version of PG for a couple of years now and swear by it.

Nope, but if it ain't broke I wouldn't try fixin' it.
Mikey, here's one to pick ya wisdom:
Quote:
Because you can't be infected if the infection can't initiate.

OK, with that, and taking the number of tweaks out of the equation, do the likes of PG free version or Winsonar or AP free not have the bases covered, since they all need configuring (rule granted etc.) for unknown executables to initiate?
If this is the case, then are not all the other functions just window dressing/g33k fodder?
_________________
Malware hunter....Got Bot ?
MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html
|
 |
Stem Junior Member
Joined: 18 Feb 2006 Last Visit: 12 Jul 2006 Posts: 19 Location: UK
Posted: Mon Jul 03, 2006 12:12 pm

bob30880 wrote:
Any opinions on how this compares to Process Guard?

I have full licences for both PG and SSM.
PG is an excellent product, I used it for quite a while, but found SSM has more options (parent=>child / driver loading per app etc.) and a wider range of protection.
|
 |
Stem Junior Member
Joined: 18 Feb 2006 Last Visit: 12 Jul 2006 Posts: 19 Location: UK
Posted: Tue Jul 04, 2006 9:47 am

System Safety Monitor Free Edition was released, build 2.0.8.575
What's new:
* added several language updates.
 |
bob30880 Warrior
Joined: 24 May 2005 Last Visit: 18 Aug 2011 Posts: 116
Posted: Wed Jul 05, 2006 7:39 am

Stem wrote:
bob30880 wrote:
Any opinions on how this compares to Process Guard?
I have full licences for both PG and SSM.
PG is an excellent product, I used it for quite a while, but found SSM has more options (parent=>child / driver loading per app etc.) and a wider range of protection.

I decided to give SSM a try....and you're right about the options, I like the wider range of control.
I've now given PG the boot.
I suppose I could go to SSM's site and look, but what are the advantages of the licensed version compared to the free version?
|
 |
Stem Junior Member
Joined: 18 Feb 2006 Last Visit: 12 Jul 2006 Posts: 19 Location: UK
Posted: Wed Jul 05, 2006 8:35 am

Hi bob30880,
Really, at this time, the advantages of the "Full Version" are "NT Services Installation and State Change (significantly improved)", the addition of "Low level disk access" protection (killdisk), and the upgrade of the "registry protection", which is now a "registry monitor" (I would describe this as a "registry firewall", as there are registry application rules that can be entered (registry rules per application)).
|
 |
Stem Junior Member
Joined: 18 Feb 2006 Last Visit: 12 Jul 2006 Posts: 19 Location: UK
Posted: Wed Jul 05, 2006 9:01 am

Hi bob30880,
I forgot to mention, if you did decide to purchase the full version of SSM, due to you having a full licence for PG, you could claim the "Competitive Upgrade 50% Off Discount".
|
 |
bob30880 Warrior
Joined: 24 May 2005 Last Visit: 18 Aug 2011 Posts: 116
Posted: Wed Jul 05, 2006 9:56 am

Stem wrote:
Hi bob30880,
I forgot to mention, if you did decide to purchase the full version of SSM, due to you having a full licence for PG, you could claim the "Competitive Upgrade 50% Off Discount".

Thanks for the info Stem....I had seen the upgrade offer on the site when I grabbed the free version.
I'm going to look into it, I do like this app.
|
 |
Stem Junior Member
Joined: 18 Feb 2006 Last Visit: 12 Jul 2006 Posts: 19 Location: UK
Posted: Fri Jul 07, 2006 10:12 am

System Safety Monitor 2.0.8.576 Free Edition was released
What's new:
* now all executable files (PE) are signed with the System Safety Limited software publisher certificate;
NOTE: Windows 9x users may not be able to verify the digital signature due to the absence of the appropriate cryptographic provider.
Bugs fixed:
* Sometimes SSM did not catch physical memory access attempts.
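A check a reader of the release note above might want before trusting a downloaded build: confirm that the binary actually carries an Authenticode certificate table. The Python below is an added example, not code from the post or from System Safety Limited. It parses the PE headers to find the security data directory and walks the WIN_CERTIFICATE entries in it. It only establishes that a PKCS#7 SignedData blob is present and where it sits; cryptographically verifying the signature and its chain still needs a crypto provider (signtool verify or Get-AuthenticodeSignature on Windows), which is exactly what the note says Windows 9x lacks. The build_synthetic_pe fixture constructs a minimal PE32 image with no sections so the parser can be exercised offline; it is not a real SSM file, and the blob it embeds is placeholder bytes.

```python
import struct

SECURITY_DIR_INDEX = 4                     # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002    # Authenticode: a PKCS#7 SignedData blob


def security_directory(pe):
    """Return (file_offset, size) of the certificate table, or None if absent.

    Unlike every other data directory, this entry's 'VirtualAddress' is a raw file
    offset: the certificate table is appended after the last section and is never
    mapped into memory.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                          # skip the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                               # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                             # PE32+: ImageBase/stack/heap fields are 8 bytes
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)
    if off == 0 or size == 0:
        return None
    return off, size


def certificate_entries(pe):
    """Return [(revision, cert_type, blob)] for each WIN_CERTIFICATE in the table."""
    loc = security_directory(pe)
    if loc is None:
        return []
    off, size = loc
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % off)
        entries.append((revision, cert_type, pe[off + 8:off + length]))
        off += (length + 7) & ~7                     # entries are 8-byte aligned
    return entries


def is_authenticode_signed(pe):
    """True if at least one PKCS#7 SignedData entry is present (presence only, not validity)."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in certificate_entries(pe))


def build_synthetic_pe(cert_blob):
    """Constructed fixture: a minimal PE32 image with no sections and, if cert_blob is
    given, a certificate table holding it. Not loadable and not a real SSM binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                   # PE32 optional header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    table_off = e_lfanew + 4 + 20 + opt_size         # certificate table goes right after the headers
    dirs = [(0, 0)] * 16
    table = b""
    if cert_blob is not None:
        table = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        dirs[SECURITY_DIR_INDEX] = (table_off, len(table))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # magic ... NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print(path, "signature blob present" if is_authenticode_signed(data) else "no Authenticode entry")
```

Run it against the SSM executables and safemon.sys to see whether each one carries a certificate table at all; a file that reports "no Authenticode entry" was either not signed or has had the table stripped, and either way the vendor's signing claim does not hold for that file.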
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Fri Jul 07, 2006 2:59 pm

fcukdat wrote:
Quote:
Because you can't be infected if the infection can't initiate.
OK, with that, and taking the number of tweaks out of the equation, do the likes of PG free version or Winsonar or AP free not have the bases covered, since they all need configuring (rule granted etc.) for unknown executables to initiate?
If this is the case, then are not all the other functions just window dressing/g33k fodder?

Window dressing? No, I don't think so. While it is true that process filtering will stop the initiation and thereby the infection, it still isn't the end of the story. I've been working on a piece that I just don't seem to find time to finish. The draft may explain my thinking better than a post; http://www.voiceofthepublic.com/firewalling/firewalling.html
They can give the concept of firewalling all kinds of new names like HIPS or whatever the current catch phrase is now, but it's still the same concepts & things we've known for many years.
It really makes me angry that so many years have been WASTED on obsoletion by the money-grubbing anti-malware industry that has sold out users for a buck.
|
 |
aBenG Warrior

Joined: 06 Apr 2006 Last Visit: 28 Feb 2012 Posts: 297 Location: Darkest UK
Posted: Sat Jul 08, 2006 8:38 am

Looks like a really useful article mikey. Hope you can find the time to complete it soon, and let us know when you have. Thanks.
_________________
Inperfect.
|
 |
fcukdat Warrior Addict

Joined: 01 Jan 2005 Last Visit: 08 Apr 2009 Posts: 757 Location: Yeovil,England.
Posted: Sat Jul 08, 2006 1:54 pm

Thanks Mikey for the informative link.
I would like to say that I wasn't having a swipe at the layered security approach model, but was purely aimed at the process filtering software part of a good layered solution.
Not to thread hijack, will start a new topic to carry on with this soon hopefully, since I think there is some good quality info to come yet.
|
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Sun Jul 09, 2006 4:12 pm

Quote:
It really makes me angry that so many years have been WASTED on obsoletion...

Since PG is already a part of this thread, I would mention that Wayne from DCS explained that the popular TDS being discontinued and the advent of PG are both related to the obsoletion and perpetual signature dev of malware scanners.
I believe they were the first malware scanning outfit to publicly denounce the flawed and obsolete concept. Though they definitely have not been as long into firewalling as some of the other outfits, they make a good show. Others are starting to catch on too. Perhaps things are finally starting to change.
|
 |
voltz Newbie
Joined: 10 Jul 2006 Last Visit: 17 Jan 2007 Posts: 6
Posted: Mon Jul 10, 2006 2:03 pm

bob30880 wrote:
I decided to give SSM a try....and you're right about the options, I like the wider range of control.
I've now given PG the boot.

That would make an excellent testimonial! :)
SSM has really improved since I last tried it back in its early development.
I'm still testing its capabilities, but so far I'm impressed.
|
 |
fcukdat Warrior Addict

Joined: 01 Jan 2005 Last Visit: 08 Apr 2009 Posts: 757 Location: Yeovil,England.
Posted: Tue Jul 11, 2006 11:13 am

OK, I said I wouldn't thread hijack, but after the last post it seems that PG is very much part of this thread, so I'll take that back.
OK, Mikey and other learned members following or posting on this topic, your wisdom is required, since I am still learning and maybe not 100% correct in my interpretations.
1st point
SSM offers more tweaks (control points/checks) than PG, all good if you have the sense to understand them, but PG is more user friendly to someone new to process filtering/control?
2nd point, and this comes from my own experience (using PG free version) whilst collecting/testing malware, and not from any POCs or proven code, and is with regards to process filtering/control on code execution, and specific to any software that ensnares this modus operandi.
I have yet, after visiting hundreds of exploit-laden URLs, ActiveX downloads, archived malware launching from CD or PC hard drive, encountered one instance where the execution protection of PG has not captured and, by my instruction, foiled the malware attempt to execute by alerting to it.
I have yet to find installers that can drop global hooks, load drivers or DLL inject without the initial code being allowed to execute.
With that, I admit I am a hobbyist and no expert, so beyond POCs that I have not encountered, am I correct in assuming that if code is prevented from executing, all/any of its effects are nullified?
If it cannot execute, it cannot deploy and infect?
Mikey, this is what I was referring to with the rest of the check points being g33k fodder (i.e. PG free versus PG paid).
With that, how important is execution protection to a layered and effective security approach?
|
 |
herbalist Warrior Addict

Joined: 28 Aug 2004 Last Visit: 25 Jun 2008 Posts: 726 Location: northern Michigan
Posted: Tue Jul 11, 2006 4:02 pm

Quote:
With that, how important is execution protection to a layered and effective security approach?

It's becoming more important all the time. I assume you've seen the viruses that kill AVs and firewalls. If one of these wasn't detected by the AV and was allowed to execute, there might not be much of a security system left. We've already seen one example of a high-speed virus that can spread over the entire net in a very short time. Sooner or later, someone is going to combine those two and use it to strike down the "more typical" security packages used by most PCs, then follow it with something worse. I'm surprised something like that hasn't already happened. With the average security system still hopelessly reliant on signatures, definitions, or reference files, the PCs relying on those apps would have no chance. I wholly expect to see the day that the internet, and the millions upon millions of hopelessly vulnerable, underprotected Windows PCs that are connected to it 24/7, get harnessed as a weapon of war or terrorism.
IMO, application firewalling has to be at the core of a security package, not just viewed as a layer. Signature-based software needs to be relegated to a secondary role like file and e-mail scanning. It's just not fast or reliable enough against modern threats.
Quote:
I would mention that Wayne from DCS explained that the popular TDS being discontinued and the advent of PG are both related to the obsoletion and perpetual signature dev of malware scanners.
I believe they were the first malware scanning outfit to publicly denounce the flawed and obsolete concept....
Perhaps things are finally starting to change.

I'd like to think so. On the other hand, we have M$ getting into the anti-spyware business and now into antivirus as well. I can't imagine them doing any better with this than they did with a firewall. IMO, when M$ decides to enter, and eventually control, a market, AV/AS in this instance, it's past time to move to something better, like HIPS, application firewalling, process control, or whatever the particular vendor wants to call it. As for which one to use or which is better, they're all getting better pretty quickly. Which is best will end up depending on who released a new version last. SSM has very much impressed me with the rate they're developing and improving this program and how fast they respond to bugs and feature requests. That aside, the degree of configurability and the control that gives would make them my choice, even if all the others worked on Win98 as well.
Rick
|
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Wed Jul 12, 2006 4:53 am

Maybe after I've had some coffee I'll respond here about the issues, but for now I just wanted to throw my laughter out;
Quote:
when M$ decides to enter...it's past time to move to something better

LOL
NW says 'amen'.
|
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Wed Jul 12, 2006 11:41 am

Quote:
but PG is more user friendly to someone new to process filtering/control?

That was once true, but I don't really think there is much diff in the user friendliness now. Have you looked at SSM lately? SSM has many friendly features now, including the 'learning mode'. It also gives very friendly and informative alerts. Additionally, all the many venues for gaining information are explained for easy use. One such venue is the 'full log'; http://www.voiceofthepublic.com/RenderedLogs/2006_7_12.HOME@Administrator.ssm.xml
Quote:
I have yet to find installers that can drop global hooks, load drivers or DLL inject without the initial code being allowed to execute.

Your comments make me think that you think process control is the 'be all...end all' of security. Well, reg manipulation and injections are definitely a reality for a process that is given permissions. But for the most part, you are quite right. As Rick said, "application firewalling has to be at the core of a security package".
In this regard, it makes me no diff which product users decide on, as long as it does the job. The ones mentioned here do. Since there are free versions of most of the process firewalls, users are good to leisurely try each for comfort level & ability.
Anyway, so much for my opinion.
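The exchange above (Stem's parent=>child and per-app driver-loading rules, fcukdat's question of whether execution control alone covers the bases, and mikey's reply that a process which has been allowed to run can still manipulate the registry or inject) comes down to a per-application rule model. The Python below is an added example of that model and is not SSM's, PG's or any other product's code: each rule names the acting process, an action (execute, load_driver, write_registry, inject), a target glob and a decision; rules are tried in order, first match wins, and anything unmatched falls through to a default of "ask". An execute rule naming a parent and a child image is the parent=>child rule. The subject_sha256 pin on a rule is an assumption of this model, added so that a replaced binary does not inherit an allow rule granted to the original. The image paths, hashes and events are constructed stand-ins, not observations from a real system.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional

ALLOW, DENY, ASK = "allow", "deny", "ask"


@dataclass(frozen=True)
class Rule:
    subject: str                          # image of the process performing the action ("*" = any)
    action: str                           # execute | load_driver | write_registry | inject
    target: str                           # child image, driver path, registry key or target process (glob)
    decision: str                         # ALLOW, DENY or ASK
    subject_sha256: Optional[str] = None  # hypothetical hash pin: rule holds only for this exact binary


@dataclass(frozen=True)
class Event:
    subject: str
    action: str
    target: str
    subject_sha256: str                   # hash of the subject image as observed when the event fires


class ProcessPolicy:
    """Ordered per-application rules, first match wins; anything unmatched gets the default (ASK).

    A simplified model of the rule sets discussed in the thread (parent=>child execution,
    driver loading per app, registry rules per app). It is not any product's real engine.
    """

    def __init__(self, rules: List[Rule], default: str = ASK):
        self.rules = list(rules)
        self.default = default

    def decide(self, ev: Event) -> str:
        for r in self.rules:
            if r.action != ev.action:
                continue
            # Windows paths are case-insensitive; fnmatch treats backslashes literally, so globs work on paths.
            if not fnmatch.fnmatchcase(ev.subject.lower(), r.subject.lower()):
                continue
            if not fnmatch.fnmatchcase(ev.target.lower(), r.target.lower()):
                continue
            if r.subject_sha256 is not None and r.subject_sha256 != ev.subject_sha256:
                return ASK    # the binary behind a pinned rule changed: unknown again, not trusted
            return r.decision
        return self.default


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins: these hashes are of placeholder bytes, not of any real executable.
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"
FIREFOX_HASH = sha256_hex(b"stand-in for the firefox.exe bytes the rule was created against")

RULES = [
    # parent=>child: the shell may start the browser
    Rule(EXPLORER, "execute", FIREFOX, ALLOW),
    # parent=>child, pinned: only the known browser binary may start its updater
    Rule(FIREFOX, "execute", r"C:\Program Files\Mozilla Firefox\updater.exe", ALLOW, FIREFOX_HASH),
    # driver loading and injection are denied for everyone unless a more specific rule precedes
    Rule("*", "load_driver", "*", DENY),
    Rule("*", "inject", "*", DENY),
    # registry rule per application: nobody silently adds autostart entries
    Rule("*", "write_registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run*", DENY),
]


def demo_events() -> List[Event]:
    tampered = sha256_hex(b"stand-in for a replaced firefox.exe")
    other = sha256_hex(b"stand-in for an unknown setup.exe")
    return [
        Event(EXPLORER, "execute", FIREFOX, sha256_hex(b"stand-in for explorer.exe")),
        Event(FIREFOX, "execute", r"C:\Program Files\Mozilla Firefox\updater.exe", FIREFOX_HASH),
        Event(FIREFOX, "execute", r"C:\Program Files\Mozilla Firefox\updater.exe", tampered),
        Event(FIREFOX, "execute", r"C:\Windows\System32\cmd.exe", FIREFOX_HASH),
        Event(r"C:\Users\bob\Downloads\setup.exe", "load_driver", r"C:\Windows\System32\drivers\unknown.sys", other),
        # the browser was allowed to run, yet its registry write is still judged on its own
        Event(FIREFOX, "write_registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater", FIREFOX_HASH),
    ]


def evaluate(policy: ProcessPolicy, events: List[Event]) -> List[str]:
    return [policy.decide(e) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(demo_events(), evaluate(ProcessPolicy(RULES), demo_events())):
        print("%-5s %-14s %s -> %s" % (verdict, ev.action, ev.subject, ev.target))
```

The six constructed events come out allow, allow, ask, ask, deny, deny: the last one is mikey's point in miniature, since the browser's execution was allowed but its attempt to write an autostart key is decided by the registry rule, not inherited from the execute rule. Whether a product prompts on that second action, or only on the first execution, is what separates "execution protection" from the rest of the checkpoints fcukdat called g33k fodder.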
 |
fcukdat Warrior Addict

Joined: 01 Jan 2005 Last Visit: 08 Apr 2009 Posts: 757 Location: Yeovil,England.
Posted: Wed Jul 12, 2006 12:54 pm

Mikey wrote:
Your comments make me think that you think process control is the 'be all...end all' of security

Not the info I meant to convey, more like I consider it to be very important (core) software in my layered security model.
If I thought it was the mythical silver bullet then I wouldn't have WinPatrol & Kerio FW giving additional layers....
Anyhow, thanks guys for your feedback.
|
 |
Moore Moderator

Joined: 31 May 2004 Last Visit: 05 Jan 2011 Posts: 758 Location: °°.MooreLand.°°
Posted: Wed Jul 26, 2006 3:31 am

bob30880 wrote:
Any opinions on how this compares to Process Guard?
I've been using the licensed version of PG for a couple of years now and swear by it.

Simply, ProcessGuard offers protection at the kernel-mode level, SSM protects at user-mode level, or did last I used it. Although SSM has a lot more options, nothing I've tested has ever gotten past PG on its own so far.
I haven't used SSM lately, anyone know if they have stepped up to kernel mode protection yet?
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |
|
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
 |
Moore Moderator

Joined: 31 May 2004 Last Visit: 05 Jan 2011 Posts: 758 Location: °°.MooreLand.°°
Posted: Thu Aug 03, 2006 5:45 pm

Thanks Mikey..
Looks like safemon.sys has about 200+ kernel hooks. The current free version is really a lot better experience than the last version I tried, I almost gave up on it forever. I'm actually liking it again.
ProcessGuard catches files executing before SSM / Abtrusion Protector catches any files though.
Probably doesn't mean much, as the files will probably still be caught by SSM regardless if PG wasn't there.
SSM alerts are a bit more informative:
I have all three running at the same time at the moment, and Outpost 4, which also has some similar new protection features that are working nicely to prevent malware entering the system too.
Well anyway, SSM free gets a thumbs up from me.
|
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Fri Aug 04, 2006 4:58 am

Technically speaking, the higher the load, the more control you have over the entire sys. However, IMO, it doesn't really matter much, as all of these products will stop any foreign initiation and thereby stop any infection dead.
All three of the products mentioned in this thread are now simple enough for any user to learn and there is no excuse for anyone to ever suffer any unwanted ware ever again.
If a user combines a little content filtering along with this process filtering, he should not even ever need to see anything unwanted. For example, the only time I ever see a third-party ad is when I drop my shields in order to see/study raw source.
============
As noted in that LoadOrder report, I've tried doing simultaneous comparisons but found the results conflicting. I found a better comparison by using event snapshots to capture identical routines on separate appliances.
|
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Sun Aug 06, 2006 9:38 am

mikey wrote:
As noted in that LoadOrder report, I've tried doing simultaneous comparisons but found the results conflicting. I found a better comparison by using event snapshots to capture identical routines on separate appliances.

A bit OT, but those who might be technically inclined can easily monitor the routines in real time. I use a multitude of monitors when studying any routine. The monitoring tools from Sysinternals are quite handy. FileMon and RegMon are great to monitor the calls. Also, TDImon is great for studying the loopback. Also, a user can run the process thru his fav debug profiler like Olly or DependencyWalker. Additionally, I also like to make sys change snapshots using InCtrl5 (follows a reboot) and InstallSpy. All of these monitoring tools can run simultaneously during the run of a routine in a tool being benchmarked or studied and will give a pretty accurate picture of exactly what happens, and most are timestamped for easy comparison. Most are freeware. You really don't have to be a coder or an analyst in order to see for yourself whether a tool is doing what it claims to be doing.
Sorry, you can look up your own links.
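The "sys change snapshot" approach mikey describes (an InCtrl5-style before/after comparison around a routine) is easy to reproduce for the file system. The Python below is an added example, not code from the post or from any of the tools he names: it fingerprints every regular file under a root with size and SHA-256, then diffs two snapshots into added, removed and modified sets. demo() builds a scratch tree in a temporary directory and runs a stand-in "installer" that drops a driver-like file, appends to a hosts-like file and deletes a file; the paths and contents are constructed and nothing touches a real system. Registry snapshots, which InCtrl5 also takes, are Windows-only (the winreg module) and are left out so the example runs anywhere.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Fingerprint = Tuple[int, str]             # (size, sha256)


def file_fingerprint(path: str) -> Fingerprint:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def snapshot(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by forward-slash relative path.

    Symlinks are skipped rather than followed, so a link planted into the tree cannot
    pull an unrelated directory into the comparison.
    """
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if not os.path.islink(os.path.join(dirpath, d)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = file_fingerprint(full)
    return snap


def diff_snapshots(before: Dict[str, Fingerprint], after: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Net change between two snapshots: paths added, removed, and modified (size or hash differs)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def _write(path: str, data: bytes, append: bool = False) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab" if append else "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: snapshot, run a stand-in 'installer', snapshot, diff.

    The layout mimics a Windows system directory by name only; no real system is touched.
    """
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "System32", "hosts"), b"127.0.0.1 localhost\n")
        _write(os.path.join(root, "System32", "drivers", "ok.sys"), b"MZ stand-in driver")
        _write(os.path.join(root, "readme.txt"), b"hello")
        before = snapshot(root)

        # The routine under study: drops a driver, appends to hosts, deletes a file.
        _write(os.path.join(root, "System32", "drivers", "new.sys"), b"MZ another stand-in")
        _write(os.path.join(root, "System32", "hosts"), b"0.0.0.0 updates.example\n", append=True)
        os.remove(os.path.join(root, "readme.txt"))

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

A snapshot diff shows only the net result: a change made and reverted between the two snapshots, or anything that lives purely in memory (an injected thread, a global hook), never appears in it, which is why the real-time monitors in the post (FileMon, RegMon) still belong alongside it. Comparing by size and hash rather than timestamp also means a file that was merely "touched" is not reported as modified.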
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Fri Aug 11, 2006 7:51 am

Another OT on monitoring;
I forgot to mention the obvious. Folks testing should of course also monitor the usage. Resources can be monitored easily with freebies such as Process Explorer, also from Sysinternals, or FaberToys.
Again, you can look up the links.
|
 |
Moore Moderator

Joined: 31 May 2004 Last Visit: 05 Jan 2011 Posts: 758 Location: °°.MooreLand.°°
 |
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex