System Safety Monitor
|Developer(s)||System Safety Ltd., Russia|
|Stable release||22.214.171.1245 (freeware version) / 1 May 2008|
|Operating system||Microsoft Windows|
|Type||Host Intrusion Prevention System|
SSM does not rely on signatures to detect malware, but instead monitors the system for certain types of suspicious behavior and warns the user giving him a chance to block or allow it. Like most behavior blockers or HIPS, SSM only warns you when a certain event or behavior occurs and the process that causes it. Some of these warnings might be legitimate software doing their tasks though, so it is up to the user to decide whether to allow or block the behavior.
History of SSM
SSM began as a private project in 2002  and was one of the first behavior blockers aimed at the home user market.
In April 2005, It was sold to a group of professionals who started Syssafety company  that went commercial and released the first 2.0 beta series in September 2005.
In June 2006, the series was split into 2 lines. First there was a freeware version 2.0 that has all of the features of the original 1.9 series plus some improvements. There was also a 2.1 commercial version that has some improvements over the freeware version, particularly an improved registry control (hooking as opposed to polling), low level keylogging control and better termination protection. The new 2.1 version also dropped support of Windows 98 and Windows ME.
Use of SSM and noteworthy features
SSM is similar to many products in its class and offers some termination protection, process filtering, blocking of driver installs etc. What separates it from most HIPS programs is that it offers not just process filtering but also parent-child control of processes. What this means is that instead of giving a process complete rights to start, you can specify more restrictive rules so that a given process can only be started by another specific process. For example while you might want to allow Windows explorer to start your web browser, you might not want other processes to start up your browser because they might exploit the browser to phone home. See also leak tests.
SSM can be used effectively against spyware and adware programs, as well as rootkits, trojans, keyloggers, dialers, browser hijackers, and commercial surveillance software. However this relies entirely on the user responding correctly to prompts. Beginners might be confused by the prompts and respond incorrectly. In the worst-case scenario this can lead to malware infecting the system (when allowing a dangerous activity) or system error (when blocking an activity needed by the system). SSM also offers a learning mode, where rules are automatically made when needed creating a baseline of normal operations. But this assumes the system is clean, if this is not so, SSM can learn to allow malware. Regardless of training mode, whenever any new unknown process is run, a prompt will be created, unless the user chooses to block all prompts.
||This section has an unclear citation style. (September 2009)|