ok, now I know that you're really familiar with ssm. Indeed it does not prevent a program's termination, but it restarts it when it's stopped, by you or anyone else, or anything else. I find that already important. Once I was trying to dowload a program (Messenger Plus). The program was known, from software like MS antispy at the time,(now Defender),to be a big source of spam and spyware. I tried to download it anyway. And as the download just began, my MS anti-spy was suddenly automatically neutralized, stopped! and SSM would have restarted it again, which would have prevented my desktop from being suddenly crowded with adds about gambling and all that sh**...well that's just an example.
This merely shows you the failure of SSM! It should have being able to protect MS antispyware from being shut down in the first place!! The current version of SSM is much better against termination attacks, handling WM_QUIT, WM_CLOSE and other advanced kill methods. There is no way in which any process can get shut down without your permission man.
the only thing to be carefull with concerning that feature of SSM is that you MUST disable it fo each program set to be protected, before you reboot. Otherwise SSM would keep restarting them, well you know what I mean...
That is why this is a lousy feature. Also In the couple of seconds that it takes SSM to poll (which is memory intensive) and realise that the process is shut down, the malicious process could have taken out half your system.
What kind of stuff do you use to check MD5 on files?
I know what a md5 hash is, but I'm not quite sure what you are asking. I have a small program (script actually) that modifies the context menu of explorer, so i can right click a file can choose between crc.md5 and sha1 functions and it will calculate the hash value. Is that what you mean?
Also SSM free records the md5 hash of all executables no? BTW md5 hash (and to some extent sha1) is a bit outdated and in some crypto contexts it is broken already. though I think chances of someone exploiting the flaw to force a hash collison of 2 specially prepared files is rather small.
Still in theory it is possible for someone to prepare 2 files with the exact same md5 hash, one safe, one malicious. You use the safe one and ssm adds it to the safe list, and the bad guy then runs the unsafe one which ssm allows because it has the same hash function and ssm thinks it the same file.....
That's why most modern HIPS are slowly moving towardsa SHA256 or some completely different hash function like Tiger or whirlpool.
Poll
Author