Application Rules
On the Rules->Applications tab you can manage application rules: create, delete and edit rules for programs.

Application rules overview
Groups
All application rules are hosted in groups. There are preset groups and groups created by user. Preset groups can not be deleted. The following groups are preset in SSM:
- "SSM" - it is a group with System Safety Monitor components; most of the settings are read-only;
- "System" - it is a group with critical system processes; most of the settings are read-only;
- "Normal" - it is a preset group for allowed applications; by default this group is marked as default (see below more about default group);
- "Blocked" - it is a preset group for blocked applications. If an application is blocked in Application Activity dialog with creating permanent blocking rule, then the rule goes here;
- "Unregistered" - this group represents unregistered applications, i.e. applications without rules. It allows defining settings and properties for applications that have no rules of their own. That is why this group has a special object type: "Virtual group".
Enabling/disabling application rules
Application rules can be enabled together with the other rule types ("Enable all rules" button) or individually from the button's or tab's context menu. When application rules are enabled, every time a program tries to start another process, perform DLL/code injection, load a library or driver, modify the system Registry, etc., SSM intercepts the action, checks the rule list and either blocks or permits it according to the rules, or asks the user to decide.
SSM icon in the system tray turns red if Application rules are disabled:

If Application rules are enabled, then SSM icon in the system tray is green:

Applications: parent/child dependencies
In this window you can define which processes may start the given application (its "parent" processes) and which processes the given application may start (its "child" processes). For example, when you start Internet Explorer from the shortcut on the desktop, the "parent" process is Explorer.exe, the default shell of the operating system.
Also, this tab allows specifying the default action on starting the application not included in the list.

For each program in the list, the first flag determines whether this program may be started as a "child" process of the given application. The second flag determines whether the listed program may be a "parent" of the given application.
- Libraries: For the given application this tab allows customising the action on injecting library (DLL). Also, this tab allows specifying the default action on injecting library not included in the list.
- Drivers: For the given application this tab allows customising the action on loading driver. Also, this tab allows specifying the default action on loading driver not included in the list.
- Registry: For the given application this tab allows customising the access to specific registry objects. Also, this tab specifies the access to registry objects not included in the list.
Special permissions
Rule's special permissions options have the following states:
- "OFF" - the option is disabled for the group/application;
- "ON" - the option is enabled for the group/application;
- "Ask user" - SSM will ask the user;
- "Inherited" (for non-group objects only) - the value is inherited from the group's value.
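To make the two mechanisms above concrete (the parent/child flags from the Applications tab and the special-permission states with "Inherited" falling through to the group), here is an added Python model; it is not SSM's code or part of its documentation. The program paths are constructed, and the fallback for an option the group does not set, as well as the order in which the parent-side and child-side verdicts combine, are assumptions rather than documented SSM behaviour.

```python
from dataclasses import dataclass, field
from enum import Enum

class Perm(Enum):
    OFF = "OFF"              # option disabled for the group/application
    ON = "ON"                # option enabled for the group/application
    ASK = "Ask user"         # SSM asks the user
    INHERITED = "Inherited"  # non-group objects only: take the group's value

@dataclass
class Group:
    name: str
    perms: dict = field(default_factory=dict)  # option -> Perm (never INHERITED)

@dataclass
class AppRule:
    path: str
    group: Group
    perms: dict = field(default_factory=dict)    # option -> Perm
    # listed programs: path -> (may be "child" of this app, may be "parent" of it)
    related: dict = field(default_factory=dict)
    start_default: Perm = Perm.ASK               # action for programs not in the list

def resolve(rule: AppRule, option: str) -> Perm:
    """Special-permission lookup: 'Inherited' falls through to the group's value."""
    value = rule.perms.get(option, Perm.INHERITED)
    if value is Perm.INHERITED:
        value = rule.group.perms.get(option, Perm.ASK)  # assumption: unset -> ask
    return value

def strictest(a: Perm, b: Perm) -> Perm:
    # Assumption: a block on either side wins, then a prompt, then allow.
    return next(p for p in (Perm.OFF, Perm.ASK, Perm.ON) if p in (a, b))

def decide_start(parent: AppRule, child: AppRule) -> Perm:
    """Combine the parent's 'child' flag for the child with the child's 'parent' flag."""
    def side(rule: AppRule, other: AppRule, flag: int) -> Perm:
        if other.path in rule.related:
            return Perm.ON if rule.related[other.path][flag] else Perm.OFF
        return rule.start_default
    return strictest(side(parent, child, 0), side(child, parent, 1))

# Constructed sample rules (hypothetical paths): Explorer may start IE, IE may not start Explorer.
NORMAL = Group("Normal", {"Low level keyboard access": Perm.OFF, "Allow system shutdown": Perm.ASK})
EXPLORER = AppRule(r"C:\Windows\explorer.exe", NORMAL,
                   related={r"C:\Program Files\Internet Explorer\iexplore.exe": (True, False)})
IE = AppRule(r"C:\Program Files\Internet Explorer\iexplore.exe", NORMAL,
             perms={"Allow system shutdown": Perm.OFF},
             related={r"C:\Windows\explorer.exe": (False, True)})
```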
Logging tab
If a logging option is set, SSM records the event using the settings from the "Logging" section of the "Options" tab.
- Application start: Logs if the application was started.
- Application finish: Logs when the application exits.
- Interprocess activity: Logs about the application's interprocess activity (opening thread, creating remote thread, etc.).
- System control: Logs application's system controls events.
- Set global hook: Logs when application sets a global hook.
- Load driver: Logs when application loads a driver.
System Control tab

- Allow physical memory access: Allow the process to access the system object "\Device\PhysicalMemory". This permission gives access to the whole operating system environment and can be used to execute malicious code. Access to this object is legitimate for some system processes (winlogon.exe and possibly some others); it is very unlikely that other legitimate applications need it. Note, however, that loaded drivers may need access to this object and can obtain it in the context of an arbitrary application, so the information about the calling module may be misleading.
- Allow system shutdown: Allow the application to shutdown the system.
- Low level disk access: Allow the process to access a hard disk device at the low (physical) level. If allowed, the process will be able to modify critical disk regions, which, through program errors or by intent (for malware), may destroy the structure of the MBR (Master Boot Record) or the Partition Table and make the disk unusable.
- Low level keyboard access: Allow the process to gain low level access to the keyboard. If allowed, the application will be able to read the keyboard input of the active window even when it does not hold the input focus. This is how keyloggers spy on user input and record passwords etc. Sometimes (rarely) legitimate applications (mostly system ones) also require this level of access to the keyboard. Enable it only if you are confident that the program is harmless and cannot work normally otherwise.
Code/DLL injection tab
- Allow remote code control: This function (OpenThread API) allows taking control of a thread of an external program (process); it can be used to execute malicious code with the rights of the target process. This function is legitimate for debuggers and system processes. It is very suspicious if any other application tries to use it.
- Suspend processes/threads: Allow the application to suspend other processes/threads. This function is legitimate for task managers, debuggers and system processes.
- Allow remote data modification: This function (CreateRemoteThread API) allows creating a thread in an external program; it can be used to execute malicious code with the rights of the target process. This function is legitimate for system processes (such as csrss.exe, winlogon.exe, svchost.exe and others). It is very suspicious if any other application tries to use it.