System Safety Monitor

System Safety Monitor (SSM) allows you to track down various system activities in real-time and to prevent undesirable actions.

System Safety Monitor is a Host-based Intrusion Prevention System (HIPS) - the class of Security Software that protects MS Windows systems from various malware and spyware programs by monitoring all running programs' behavior and blocking malicious or suspicious actions. However SSM is not an anti-virus software, i.e. it does not provide means to find and to remove a particular malware program. Also it cannot be used to recover system damages caused by such programs if they were allowed to happen.

It provides you with protection against attacks that can bypass traditional firewalls, anti-virus, and other signature based security tools that can only deal with known threats already described in their signature database. SSM controls an application behavior and its access attempts to the local system resources according to the rules set by the user. This way SSM can protect critical system processes or data from both known and unknown threats. Being independent on timely signature database updates SSM is a must to have software for the machines that connect to the Internet just occasionally.

Malware and spyware programs basically use similar methods to do their job (though the implementation details may vary).

SSM's main task is to discover and block malicious actions of any application.

Functional parts

System Safety Monitor consists of several functional parts which can be enabled or disabled independently.

Process Monitor with Application Rules

Keeps track of the activity of all applications already started or being started and allows you to control:

• which application can be started;
• which application can be started by a selected one (child processes);
• which applications are allowed to start a selected one (parent processes);
• whether a selected application is allowed to start if it was modified;
• whether a selected application is allowed to install a driver;
• whether a selected application is allowed to perform code-injection or DLL-injection;
• whether a selected application can gain low level access to hard disks or keyboard.

With this subsystem you can:

• create/terminate a process (application);
• watch the list of modules(DLLs) loaded by a selected application.

Real-time Registry monitor

Intercepts Registry change attempts and thus allows specifying:

• which program can or cannot create/modify/delete a particular registry key/value;
• if a registry object (key/value) can be created/modified/deleted by any application

Real-time Network monitor

Monitors applications' network access and thus allows specifying:

• which network resources are trusted/not trusted;
• which program can or cannot access trusted/not trusted network resources.

Modules

This subsystem contains a set of modules which expand functionality of the program. At the moment the modules provide tracking and blocking of changes in the following system parts:

• drivers and services;
• INI-files;
• Startup menu group (Start\All Programs\Startup);
• application's windows;
• layered service providers;
• local and global windows hooks, WinEvent hooks;
• network activity.