SYSTEM SAFETY MONITOR

Published by Kareldjag aka Michel

System Safety Monitor is another Russian product which is considered by its author as an application firewall.

System Safety Monitor does not only provide the ability to control activities on the system.

It's an exhaustive product which can protect the registry, INI files, services and IE.

System Safety Monitor also has the ability to filter opening windows on the system or on the web word by word (in this last case, it works like parental-control software).

One of the major qualities and features of System Safety Monitor is that it takes a fingerprint of the system (programs, startup entries, installed services/drivers) and tries to keep its configuration and integrity.
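The fingerprint-and-compare idea described above (the Pros list below calls it "MD5 integrity control") can be illustrated with a small baseline checker. This is an added example, not SSM's own code: the three-section layout of the baseline (hashed file contents, startup entries, services), the `compare` report format, and the sample data are all assumptions constructed for illustration. MD5 is used because that is what the review lists; a new tool would pick SHA-256 via the same `algorithm` parameter.

```python
"""Baseline-and-compare integrity check in the spirit of SSM's system
fingerprint.  Added example, not SSM's code.  The baseline layout
(files / startup / services) and the sample data are assumptions."""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Mapping

Section = Dict[str, str]       # item name -> digest or literal value
Baseline = Dict[str, Section]  # section name -> items


def fingerprint_files(files: Mapping[str, bytes], algorithm: str = "md5") -> Section:
    """Digest each file's contents.  `files` maps path -> bytes, so the same
    code runs on a real directory (see read_tree) or on constructed data.
    MD5 matches the review; prefer sha256 for anything built today."""
    return {path: hashlib.new(algorithm, data).hexdigest() for path, data in files.items()}


def read_tree(root: Path) -> Dict[str, bytes]:
    """Read every regular file under `root`, keyed by path relative to root."""
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def build_baseline(files: Mapping[str, bytes], startup: Mapping[str, str],
                   services: Mapping[str, str]) -> Baseline:
    """Snapshot: hashed file contents plus literal configuration-style items."""
    return {"files": fingerprint_files(files), "startup": dict(startup), "services": dict(services)}


def compare(baseline: Baseline, current: Baseline) -> Dict[str, Dict[str, List[str]]]:
    """Diff two snapshots section by section: what appeared, vanished, or changed."""
    report = {}
    for section, old in baseline.items():
        new = current.get(section, {})
        report[section] = {
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        }
    return report


def has_changes(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True when any section lists at least one added, removed or modified item."""
    return any(items for section in report.values() for items in section.values())


def save_baseline(baseline: Baseline, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Baseline:
    return json.loads(path.read_text())


# Constructed sample: the system as it looked when the baseline was taken ...
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE_FILES = {"Program Files/app/app.exe": b"MZ\x90\x00original", "Windows/win.ini": b"[fonts]\n"}
BASELINE_STARTUP = {RUN_KEY + r"\app": r"C:\Program Files\app\app.exe"}
BASELINE_SERVICES = {"Spooler": "auto"}

# ... and after constructed unwanted changes: a patched binary, a new Run entry, a new service.
CURRENT_FILES = {"Program Files/app/app.exe": b"MZ\x90\x00patched", "Windows/win.ini": b"[fonts]\n"}
CURRENT_STARTUP = dict(BASELINE_STARTUP, **{RUN_KEY + r"\updater": r"C:\Temp\updater.exe"})
CURRENT_SERVICES = dict(BASELINE_SERVICES, svchelper="auto")


def demo_report() -> Dict[str, Dict[str, List[str]]]:
    """Run the comparison over the constructed sample data."""
    base = build_baseline(BASELINE_FILES, BASELINE_STARTUP, BASELINE_SERVICES)
    now = build_baseline(CURRENT_FILES, CURRENT_STARTUP, CURRENT_SERVICES)
    return compare(base, now)


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

On a real machine the `files` section would come from `read_tree(Path(...))` over the directories to guard, and the baseline would be stored with `save_baseline` somewhere the monitored processes cannot write; a report where `has_changes` is true is the alert, and the per-section lists tell the user what to inspect.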


The last version (1.96.2 beta) is free until December 2005.

As was confirmed to me by Max B. (the programmer of SSM), the rights to the software have been sold to a private firm which is established in the USA by Russian businessmen (the name of the company is not official yet).

Thenceforward System Safety Monitor is being rewritten for perhaps a simpler and easier-to-use approach.

Therefore System Safety Monitor will surely be shareware in 2006.

TEST:

Configuration:

- all plugins are enabled with rules by default,

- System Safety Monitor process is protected and has all privileges.

***Execution control with Leaktests:

System Safety Monitor detects them all and has the ability to block them.

SSM is the winner.

***Process termination:

SSM detects the attack and allows us to permit or block the action.

If we permit the termination, any other launched application will crash the system.

I consider that System Safety Monitor is the winner.

NB. With a specific rule like "keep this process in memory", any terminated application is launched again (this rule can be helpful against some worms which target AV).
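A "keep this process in memory" rule is a process watchdog: when the protected process disappears, relaunch it. The added example below (not SSM's code; the rule name is the one quoted above, the restart-limit policy and the fake process used in `simulate_kills` are assumptions) shows the one detail such a rule needs in practice: a cap on restarts per time window, so a process that is crashing on its own, or being killed faster than it can start, does not turn the protection into a restart loop and instead escalates to the user.

```python
"""Process keep-alive rule with a restart budget.  Added example, not
SSM's code; the policy (max_restarts per window_seconds) is an assumption."""
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class KeepAliveRule:
    name: str
    is_alive: Callable[[], bool]   # probe: is the protected process still running?
    launch: Callable[[], None]     # action: start it again
    max_restarts: int = 3
    window_seconds: float = 60.0
    restart_times: List[float] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def check(self, now: float) -> str:
        """One watchdog tick. Returns 'alive', 'restarted' or 'limit'."""
        if self.is_alive():
            return "alive"
        # Forget restarts that fell out of the window, then apply the budget.
        self.restart_times = [t for t in self.restart_times if now - t < self.window_seconds]
        if len(self.restart_times) >= self.max_restarts:
            self.log.append(f"{self.name}: terminated again, restart limit reached, alert the user")
            return "limit"
        self.launch()
        self.restart_times.append(now)
        self.log.append(f"{self.name}: terminated, relaunched "
                        f"({len(self.restart_times)}/{self.max_restarts} in window)")
        return "restarted"


def popen_rule(name: str, argv: List[str], **policy) -> KeepAliveRule:
    """Rule backed by a real child process (subprocess.Popen)."""
    state = {"proc": None}  # type: dict

    def is_alive() -> bool:
        proc: Optional[subprocess.Popen] = state["proc"]
        return proc is not None and proc.poll() is None

    def launch() -> None:
        state["proc"] = subprocess.Popen(argv)

    return KeepAliveRule(name, is_alive, launch, **policy)


def run(rule: KeepAliveRule, interval: float = 1.0, ticks: Optional[int] = None) -> None:
    """Poll the rule every `interval` seconds (forever when ticks is None)."""
    done = 0
    while ticks is None or done < ticks:
        rule.check(time.monotonic())
        time.sleep(interval)
        done += 1


def simulate_kills(n_kills: int, max_restarts: int = 3) -> List[str]:
    """Drive the rule with a constructed fake process that is found terminated
    before every check; returns the outcome of each tick."""
    state = {"alive": True}
    rule = KeepAliveRule("notepad.exe", lambda: state["alive"],
                         lambda: state.__setitem__("alive", True), max_restarts=max_restarts)
    outcomes = []
    for tick in range(n_kills):
        state["alive"] = False          # simulated termination of the protected process
        outcomes.append(rule.check(now=float(tick)))
    return outcomes


if __name__ == "__main__":
    print(simulate_kills(5))
```

With the default budget, three terminations inside one minute are answered by three relaunches and the fourth produces "limit", which is where a HIPS would raise its alert instead of silently restarting again; `popen_rule` plus `run` is how the same rule would be attached to a real executable.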








***DLL injection/implant:

SSM is the winner against Zapass and Copycat.

***Process Hijacking:

System Safety Monitor is the winner.

***API Manipulation:

- with APISpy: if we allow the action, any API manipulation is possible.

But we can't launch another instance of SSM.

System Safety Monitor is the winner against APISpy32.

NB. With a specific rule, SysSafe.exe can be configured to be run only by the Windows Explorer.

- with ExecuteHook: SSM detects the global hook and Notepad's one.

SSM is the winner.

- with Kapimon: SSM failed.

System Safety Monitor is the winner against API manipulation tests.

***Finjan Tests:

- F.Demo: SSM failed (detects nothing).

- F.VBS: SSM detects the Windows Script Host but not the creation of the folder.

SSM failed.

- F.JPG: SSM detects the packager and its action (on Temp files) but not the access to folders: System Safety Monitor failed.

System Safety Monitor failed against Finjan tests.

***Registry Tests:

- with Regtest 1: SSM failed.

- with Regtest 2: SSM detects the attempt on the key but can't stop the reboot.

SSM failed.

- with Scoundrel Simulator: SSM detects the two registry keys and the change of IE start page. SSM is the winner (3/5).

- with RegtickPro: SSM failed.

- with RegHide: SSM failed.

I consider that System Safety Monitor failed against Registry Tests.

NB. It's possible to add registry keys to monitor.

***Simulate a trojan with Trojan Simulator:

SSM is the winner.

***Memory Manipulation:

- with UH: SSM detects the action but can't prevent it without the user's answer.

System Safety Monitor failed for prevention but is the winner for detection.

- with Physmem: SSM failed for prevention but is the winner for detection.

System Safety Monitor is the winner against Memory manipulation.

***Data Theft with Trojan Demo:

SSM failed (just detects that calc.exe is launched).

***Service Manipulation:

- installation: SSM is the winner.

- service termination (with SSM running as a service): SSM failed.

System Safety Monitor works automatically as a service in Administrator mode (and can also work as a service in user mode).

Then when we try to "kill" the service (with APT or ProcX for instance), the result is a crash and a reboot of the system.

If we stop the service from running with EkinX, there is no system crash.

I don't consider that a bug or a weakness, but more a good point: if any malware tries to bypass the protection by disabling the service, the crash of the system is a sign which can alert the user about suspect activity.

System Safety Monitor is the winner.

- driver modification: SSM failed.

- unloading a driver: SSM is the winner.

I consider that System Safety Monitor is the winner against service/driver manipulation.

***CDROM autorun:

SSM is the winner.

***Fakes/jokes Test:

- open/close the CDROM drive: SSM is the winner.

- launch several applications at the same time: SSM is the winner.

System Safety Monitor is the winner against Jokes tests.

***Buffer/Heap Overflow:

SSM failed against all tests (can just detect file executions).

***Deactivation Methods:

- trashcan: SSM detects the attack and could only be put into the trashcan if we answer "allow".

- blacklisting: SSM detects the attack but can also be removed if we allow the action.

System Safety Monitor failed for prevention but is the winner for detection.

CONCLUSION:

***The Pros:

- multi-layered protection (registry, INI files, memory etc.),

- effective as an application firewall (.exe monitoring/filtering),

- can run as a service,

- quality of alerts: answer by default ("allow the action only this time"), kind of attack, description (the application X wants to ... the application Y located in ...), hot keys,

- secure mode (administrator) to prevent unauthorized execution,

- MD5 integrity control,

- very intuitive,

- very impressive possibilities of advanced rules and configurations for power users and experienced users: possibility to configure each permission and privilege for any application (which is flagged with a color code), even which DLL module has to be unloaded or not, and even the time (ms) during which alerts can be seen etc.,

NB. The image above is just an example, not real rules.

- quality of the log files (HTML, colors, details...),

- "pro package" for a free product (easy setup, help file...),

- English, Spanish and French languages (and other ones).

***The cons:

- only advanced users could really take advantage of features and options,

- takes too much time to configure (rules and permissions for each application),

- the driver (and then System Safety Monitor) can be easily disabled (by many files which traverse the kernel),

- minor instability,

- more detection than prevention protection.

COMMENTS:

System Safety Monitor is really an effective product for the user:

- who wants to keep his system's configuration as stabilized as possible,

- control activities on his system,

- restrict rights and privileges for users and applications.

Experienced users can surely enjoy all the possibilities provided by SSM.

But on the other hand, System Safety Monitor is not recommended for classical users and beginners who could be really perturbed by alerts.

System Safety Monitor is an impressive product as a Host Intrusion Detection System because it detects exactly the majority of attacks.

But by default, SSM is quite poor for prevention features and often requires the intervention of the user: for a high degree of prevention, it could take time to configure rules to the maximum, and this job requires being knowledgeable about attacks and Windows process rights.

In all cases, System Safety Monitor is one of the most interesting and powerful products that a home user can integrate into his line of defense.

COMMENTS (translated from French):

System Safety Monitor is a Russian program whose purpose is to be a genuine control tower for the system.

An activity controller par excellence, System Safety Monitor remains a free product until December 2005, after which it should become shareware (therefore paid) through a private company (based in the USA and created by Russians).

It is currently at version 1.96 beta 2 and has, something rare enough to be worth pointing out, a language pack including French.

System Safety Monitor offers multi-level protection and very complete functions: monitoring of applications, of important registry keys, of the INI file, of services and drivers...

It also has a module for filtering Windows windows with keyword management, which can therefore be used as parental filtering.

The major asset of System Safety Monitor lies in protecting the integrity of the system.

Indeed, during its installation, System Safety Monitor takes a fingerprint of the system (running applications, startup keys, installed services etc.) and subsequently tries to preserve its integrity and stability.

Moreover, its alerts are very precise as to the typology of attacks (code injection, killing an application etc.) and as to the wide range of responses available to the user.

System Safety Monitor offers a great variety of configuration and settings since it allows advanced rule sets: the user can allocate rights for each application and can also restrict users' privileges (administrator/user mode).

In the end, System Safety Monitor is a powerful program which offers a very good level of protection.

But only the experienced user can really explore all its possibilities in order to ensure optimum protection.

Requiring time and experience as it does, System Safety Monitor thus appears much more as a precise and advanced detection tool than as a pure prevention program.

And that is my main regret.

NB. Max B., the author of System Safety Monitor, confirmed to me by e-mail the rumour claiming that SSM will be a paid (shareware) product in 2006.

He has indeed sold his rights to a company recently established in the USA by Russian businessmen, and the program is being remodelled in order to simplify its use.

RATING: 9/10








