The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.1.0_b1.exe

what's new?
- Improved log functionality.
- Added create and delete permissions to file rules.
- Added support for checking command line when a process is created. (If the create permission is PERMIT, creating new file is allowed, and writing is allowed before the file is closed)
- Added support for selecting a group as rule object in Alert dialog.
- Added support for restoring default rules.
- Added support for creating new registry value of arbitrary type.
- Added support for setting default value of registry key to arbitrary type.
- Fixed a bug that cannot search files by date.
- Fixed a bug that protection can be changed using hot keys when UI is locked.
- Fixed a bug that cause ActiveSync to fail in Vista.
- Minor improvements and fixes.

Thanks,
Xiaolin

thanks alot xiolin:thumb:

Sweet!
1, I like the log entry colors for distinguishing between file, reg, process and network.
2, The command line was definitely needed also.
3, Not too sure what this means yet - 'Added support for selecting a group as rule object in Alert dialog'.

Overall very nice, keep em coming!

This just keeps getting better :thumb:

I also have the same question as tony62 :) I can't figure it out.

Malware Defender 2.1.0 beta installed and running fine here. ;D
Great work xiaolin. :thumb:

-{ Quote: "Sweet!
1, I like the log entry colors for distinguishing between file, reg, process and network.
2, The command line was definitely needed also.
3, Not too sure what this means yet - 'Added support for selecting a group as rule object in Alert dialog'.

Overall very nice, keep em coming!" }-
Sorry for my English.

If you click the "..." button to modify the rule object, you can select a group as rule object now. :)

cant try the software.....
cos i have installed and uninstalled previous version 1.2.X several months back.

Thanks for the update, xiaolin.

It's getting better everytime :thumb: but...

There's 3 things i fail to understand with v2.1.0 beta:

- In the "Edit File Rule" window, modifying the write permission will change the create and delete permission
- The priority mechanism: rules must be made in reverse order (first rule or group of rules in last position, etc.)
- In global registry rules, there's no separate create and delete permissions (only "write" which strangely include create and delete)

-{ Quote: "cant try the software.....
cos i have installed and uninstalled previous version 1.2.X several months back." }-

anyone can help me?

-{ Quote: "Sorry for my English." }-
No problems with your English at all.
-{ Quote: "
If you click the "..." button to modify the rule object, you can select a group as rule object now. :)" }-
Yep, I've figured it out now.

Thanks xiaolin.

-{ Quote: "
- The priority mechanism: rules must be made in reverse order (first rule or group of rules in last position, etc.)" }-
This is annoying when building network rules through the Alert dialog. I have mentioned this to xiaolin here (http://www.wilderssecurity.com/showpost.php?p=1399577&postcount=11)
-{ Quote: "Also the network rules order is slightly difficult to work with. Lets say we are building rules for a P2P program e.g. uTorrent. Normally I will build my rules as prompted, this went very well using Malware Defender until my rules were complete and I needed to add the final 'Block other' network traffic rule at the end. This resulted in all rules I had created were now redundant and I had to go back into the configuration to move the 'Block all' rule to the top." }-

-{ Quote: "
- In the "Edit File Rule" window, modifying the write permission will change the create and delete permission
" }-
This design will make it easier to change write, create and delete permission together. But you can change create and delete permission to different setting.

Normally, create and delete permission should be the same as
write permission.

-{ Quote: "
- In global registry rules, there's no separate create and delete permissions (only "write" which strangely include create and delete)" }-
I think it's not necessary to distinguish write/create/delete actions of registry.

Thanks,
Xiaolin

-{ Quote: "cant try the software.....
cos i have installed and uninstalled previous version 1.2.X several months back." }-
You need to try the software on another Windows system.

I am sorry for the inconvenience.

-{ Quote: "anyone can help me?" }-


Do you have it registered or was it a trial. If a trial your out of luck. A purchase would solve your problem.

Hi xiaolin,

can you please see post #31 in this thread (http://www.wilderssecurity.com/showthread.php?t=235884&page=2). This keylogger seems to have its way even though low-level keyboard access is denied by MD. Can anyone else conform my findings?

-{ Quote: "Hi xiaolin,

can you please see post #31 in this thread (http://www.wilderssecurity.com/showthread.php?t=235884&page=2). This keylogger seems to have its way even though low-level keyboard access is denied by MD. Can anyone else conform my findings?" }-
MD can pass the first test only. There is no protection for screen/clipboard capturing yet.

-{ Quote: "MD can pass the first test only. There is no protection for screen/clipboard capturing yet." }-

Thank you for the confirmation xiaolin! This does not, btw, cause me to lose faith in this terrific program :)

-{ Quote: "MD can pass the first test only. There is no protection for screen/clipboard capturing yet." }-

I see, so is this maybe planned to be added in another release?

there are several versions till date.
how u guys have been trialing till now?

all of you bought the license?

i have tried it once before the network thingy is introduced.....

Paid version here.
Trial is time limited.

-{ Quote: "Paid version here.
Trial is time limited." }-

i see.

how is it? one of the better HIPS around ....
Thought of purchasing....

-{ Quote: "there are several versions till date.
how u guys have been trialing till now?

all of you bought the license?

i have tried it once before the network thingy is introduced....." }-

Same here. Bought multiple licenses.

-{ Quote: "i see.

how is it? one of the better HIPS around ....
Thought of purchasing...." }-


i think that MD is one of the best hips;D

-{ Quote: "i think that MD is one of the best hips;D" }-
yes indeed;D pound per pound;)

I had an older version installed also but Still have three days left on this new beta. It is a nice program.

What I would like to know & you all have heard me mention this several times before. At what point did beta software become more then that? The general rule before was until it was a released product it remained free to test. Even Microsoft now allows the public to test is OS's for free until they are released. Although back then they didn't have public beta's per say. Only a few were chosen and when the product went live, the "beta Testers" would get a free copy for all their work.

Hi everyone,

Does MD latest beta support vista x64 ?


Thanks

Regards

Rules.

-{ Quote: "I had an older version installed also but Still have three days left on this new beta. It is a nice program.

What I would like to know & you all have heard me mention this several times before. At what point did beta software become more then that? The general rule before was until it was a released product it remained free to test. Even Microsoft now allows the public to test is OS's for free until they are released. Although back then they didn't have public beta's per say. Only a few were chosen and when the product went live, the "beta Testers" would get a free copy for all their work." }-

I think it all depends on the author/publisher. They all do it differently. For a one man operation a formal beta program would be a management issue, so even the beta is either trial or paid. Up to the user to decide what he wants to do.

-{ Quote: "Does MD latest beta support vista x64 ?" }-
As per their webpage (http://www.torchsoft.com/en/md_information.html)
-{ Quote: "System Requirements
* Windows 2000 (Service Pack 4)
* Windows XP (32-bit)
* Windows 2003 (32-bit)
* Windows Vista (32-bit)
* Windows 2008 (32-bit)" }-
-{ Quote: "what's new?
- Improved log functionality.
- Added create and delete permissions to file rules.
- Added support for checking command line when a process is created. (If the create permission is PERMIT, creating new file is allowed, and writing is allowed before the file is closed)
- Added support for selecting a group as rule object in Alert dialog.
- Added support for restoring default rules.
- Added support for creating new registry value of arbitrary type.
- Added support for setting default value of registry key to arbitrary type.
- Fixed a bug that cannot search files by date.
- Fixed a bug that protection can be changed using hot keys when UI is locked.
- Fixed a bug that cause ActiveSync to fail in Vista.
- Minor improvements and fixes." }-

-{ Quote: "As per their webpage (http://www.torchsoft.com/en/md_information.html)" }-

Hi tony62,

Thanks for response:)

Regards

Rules.

-{ Quote: "Hi everyone,

Does MD latest beta support vista x64 ?


Thanks

Regards

Rules." }-


Xiaolin, the author, is thinking over to support x64 OS.

-{ Quote: "Xiaolin, the author, is thinking over to support x64 OS." }-

Hi darkwolf,

Good thing8)

Regards,

Rules.

I am working with windows 7 64bit currently and I just tried to install MD. After seeing that it does´nt work I checked here and guess what :-(

Please support 64bit version :-)

I have 6 GB of ram, I jsut need 64bit support !


Hunter42

P.S.: i used MD with vista 32 bit and I liked it a lot!

-{ Quote: "I had an older version installed also but Still have three days left on this new beta. It is a nice program.

What I would like to know & you all have heard me mention this several times before. At what point did beta software become more then that? The general rule before was until it was a released product it remained free to test. Even Microsoft now allows the public to test is OS's for free until they are released. Although back then they didn't have public beta's per say. Only a few were chosen and when the product went live, the "beta Testers" would get a free copy for all their work." }-


have u tried with the network control?
my version 1.2 expired long ago...

Seems to me that the 'AUTORUN.INF created by Panda USB and AutoRun Vaccine (http://research.pandasecurity.com/archive/Panda-USB-and-AutoRun-Vaccine.aspx) is hidden from MD's File Explorer, yet visible in Windows explorer.
Anyone else confirm this?
BTW: This was tested on a Flash stick.

Another version and the network control still doesn't work (new OS install as well). How can I check whether the network component is installed correctly? There's nothing in the properties page of my network adapter related to MD.

-{ Quote: "Seems to me that the 'AUTORUN.INF created by Panda USB and AutoRun Vaccine (http://research.pandasecurity.com/archive/Panda-USB-and-AutoRun-Vaccine.aspx) is hidden from MD's File Explorer, yet visible in Windows explorer.
Anyone else confirm this?
BTW: This was tested on a Flash stick." }-
I will test it. thx:)

-{ Quote: "Another version and the network control still doesn't work (new OS install as well). How can I check whether the network component is installed correctly? There's nothing in the properties page of my network adapter related to MD." }-
You can disable the default network rules in c:\program files\internet explorer\iexplore.exe, then try using IE to open web sites.

English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe

What's new?
- Improved log functionality.
- Added create and delete permissions to file rules.
- Added support for checking command line when a process is created. (If the create permission is PERMIT, creating new file is allowed, and writing is allowed before the file is closed)
- Added support for selecting a group as rule object in Alert dialog.
- Added support for restoring default rules.
- Added support for creating new registry value of arbitrary type.
- Added support for setting default value of registry key to arbitrary type.
- Fixed a bug that cannot search files by date.
- Fixed a bug that protection can be changed using hot keys when UI is locked.
- Fixed a bug that cause ActiveSync to fail in Vista.
- Minor improvements and fixes.

-{ Quote: "You can disable the default network rules in c:\program files\internet explorer\iexplore.exe, then try using IE to open web sites." }-

Do you mean the network tab in application rules for IE? There's nothing there because the network component doesn't work - at all. I don't get alerts for anything and no network rules are added in learning mode. How does the network component integrate into the system? There's nothing in winsock and nothing attached to my NIC. The only driver running is the main driver (pehiapnk on my system).

Hi Espresso,

if you are still running KAV 4.5, I believe it has a network component in it somewhere and it needs to be disabled otherwise it will conflict with other software firewalls.

-{ Quote: "Hi Espresso,

if you are still running KAV 4.5, I believe it has a network component in it somewhere and it needs to be disabled otherwise it will conflict with other software firewalls." }-

I only have the on-demand component of KAV installed. There is no driver installed. This is a fresh Vista installation.

-{ Quote: "I only have the on-demand component of KAV installed. There is no driver installed. This is a fresh Vista installation." }-
Are you using Vista SP1? The network protection only works on Vista SP1 or later.

I'm using Vista SP2 RC. I was using SP1 on my last system where it also didn't work.

Very strange. I turned off all protection when I went to bed and just turned it on again and I immediately start getting network access popups. So, it appears to be working fine now but it's still a mystery as to why it wasn't working before or on my previous system.

are you running malware defender and DSA at same time?thanks

-{ Quote: "are you running malware defender and DSA at same time?thanks" }-

No, just MD. I'm behind a router so I don't need a firewall.

-{ Quote: "No, just MD. I'm behind a router so I don't need a firewall." }-ah i see

The network protection appears to have stopped working again. No popups for anything anymore.

Can someone tell me whether the network component of MD is built around the Windows Base Filtering Engine (Windows Firewall) ? The only way the network control will work is if the Base Filtering Engine service is turned on. ??? It doesn't seem to matter if the Windows Firewall is enabled or not.

to protect the host file i made a rule:
read only/block write or execute;)
C:\WINDOWS\SYSTEM32\DRIVERS\ETC;host.mvp(denny write or execute/only read):)
note:every two weeks when updating my host file i have to enable the learning mode to allow the new host file update and then put it back to normal mode:)

-{ Quote: "Can someone tell me whether the network component of MD is built around the Windows Base Filtering Engine (Windows Firewall) ? The only way the network control will work is if the Base Filtering Engine service is turned on. ??? It doesn't seem to matter if the Windows Firewall is enabled or not." }-I did some quick tests and can confirm that MD's network functionality depends on Vista's Base Filtering Engine (BFE) service. The Windows Firewall (MpsSvc) service is not a factor. Given this dependency, I added a new registry rule to protect BFE from being tampered with...

-{ Quote: "I did some quick tests and can confirm that MD's network functionality depends on Vista's Base Filtering Engine (BFE) service. The Windows Firewall (MpsSvc) service is not a factor. Given this dependency, I added a new registry rule to protect BFE from being tampered with..." }-

Thanks for confirming this. I can't believe no one else noticed this or had an issue with it, considering how many people disable the built in windows firewall. It's also unusual that the dev didn't point this out as a possible cause.

MD doesn't appear to turn the service on automatically or notice when it's shut down. A serious oversight for such a critical element, IMO (unless it's only an issue on my system).

-{ Quote: "Thanks for confirming this. I can't believe no one else noticed this or had an issue with it, considering how many people disable the built in windows firewall. It's also unusual that the dev didn't point this out as a possible cause.

MD doesn't appear to turn the service on automatically or notice when it's shut down. A serious oversight for such a critical element, IMO (unless it's only an issue on my system)." }-
I will fix it in next release. thx

Hi, after extensive testing, I would like to make a request if possible:

When an alert window pops up, under create rule for this action there are 2 options:
- Permanent Rule
- Temporary rule (until process exits)

Since some process automatically re-launched, I would really like a 3rd option, like:

- Temporary rule for the next ** minutes (like RTD)
- Temporary rule which will be deleted on next system reboot

Please consider implementation, thanks.

-{ Quote: "Hi, after extensive testing, I would like to make a request if possible:

When an alert window pops up, under create rule for this action there are 2 options:
- Permanent Rule
- Temporary rule (until process exits)

Since some process automatically re-launched, I would really like a 3rd option, like:

- Temporary rule for the next ** minutes (like RTD)
- Temporary rule which will be deleted on next system reboot

Please consider implementation, thanks." }-
Thanks for the suggestion. I will think about it but the alert window is already big. You can put those processes in a special group and delete it manually later.

The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.1.1_b1.exe

what's new?
- Added protection against controlling processes using DDE.
- Added support for Windows 7 build 7068.
- Added support for running in safe mode to change rules and settings.
- Moved rundll32.exe out of system applications rules.
- Changed the default initial file rules of explorer.exe to allow accessing all files.
- Fixed a bug when renaming rule group.
- Fixed a bug when verifying file signatures.

It's recommended to search rundll32.exe and delete all rundll32.exe in child applications rules. You may need to restart your system in learning mode to create new rules for rundll32.exe.

Xialin,

Would it be possible to also show the comment line when showing a pop up (of thet specific rule)

Thx

-{ Quote: "Xialin,

Would it be possible to also show the comment line when showing a pop up (of thet specific rule)

Thx" }-
Actually, the feature is implemented in this beta release. :)

-{ Quote: "Actually, the feature is implemented in this beta release. :)" }-

Thanks, but I do not see my own description in teh pop-up using beta 2.1.1 b1 at teh moment?

-{ Quote: "
- Changed the default initial file rules of explorer.exe to allow accessing all files
" }-

i think this change will fix the all hangout or cpu high load +sysytem hangout


will check for some times and see :)

-{ Quote: "
It's recommended to search rundll32.exe and delete all rundll32.exe in child applications rules. You may need to restart your system in learning mode to create new rules for rundll32.exe." }-


can u write step by step how to do it?

10x

-{ Quote: "i think this change will fix the all hangout or cpu high load +sysytem hangout


will check for some times and see :)" }-
This change is intend to reduce alerts when manipulating files with explorer.exe. It's only affect the initial rules (fresh installation or select Rule menu->Restore Default rules). If you upgrade from old versions, you can create a permit * rule in explorer.exe.

Thanks,
Xiaolin

You press "CTRL + F". Then you type "rundll32" in the searchbox and then you delete all instances found (including child applications' rules)

-{ Quote: "can u write step by step how to do it?

10x" }-
1. Edit menu -> Find Rules -> search "rundll32.exe"
2. Double click the item in the Rule Find Results to jump to the rule, if it's a child app rule, delete it.
3. Restart system in learning mode.

-{ Quote: "You press "CTRL + F". Then you type "rundll32" in the searchbox and then you delete all instances found (including child applications' rules)" }-

i did fresh install an a never installed MD before , i still found like u said "rundll32.exe" rules , so do i need to dell them all ?

Yes delete them all and then reboot and put MD in learning mode for 30 minutes and during this, do some ordinary PC jobs, including windows update

-{ Quote: "Yes delete them all and then reboot and put MD in learning mode for 30 minutes and during this, do some ordinary PC jobs, including windows update" }-

10x mate but Xiaolin says i need not if its a fresh MD install...

Question:

Does the new beta support Windows 7 x64 ? :-)

Hunter42

Running the latest beta. Smooth as silk. Cleaned the rundll32.exe schtuff easily.

MD is THE most actively maintained HIPS. Simply superb! :thumb: :thumb: :thumb:

-{ Quote: "Running the latest beta. Smooth as silk. Cleaned the rundll32.exe schtuff easily.

MD is THE most actively maintained HIPS. Simply superb! :thumb: :thumb: :thumb:" }-
Yes, thanks very much xiaolin:)

-{ Quote: "Question:

Does the new beta support Windows 7 x64 ? :-)

Hunter42" }-
MD do not support x64 yet. thx

Thanks again for the update xiaolin! BTW, can you or someone provide an example test for the DDE control?

-{ Quote: "Thanks again for the update xiaolin! BTW, can you or someone provide an example test for the DDE control?" }-
There is a DDE test in Security Software Testing Suite (http://www.matousec.com/projects/security-software-testing-suite/) found in Level 6 (http://www.matousec.com/projects/firewall-challenge/level.php?num=6) by http://www.matousec.com/
Not sure how relevant it is though???

-{ Quote: "There is a DDE test in Security Software Testing Suite (http://www.matousec.com/projects/security-software-testing-suite/) found in Level 6 (http://www.matousec.com/projects/firewall-challenge/level.php?num=6) by http://www.matousec.com/
Not sure how relevant it is though???" }-

Thank you tony! I was just curious to see how MD responds to it because the protection against it was added to this release.

-{ Quote: "Thank you tony! I was just curious to see how MD responds to it because the protection against it was added to this release." }-
Actually, it's a bug that DDE messages are not handled in previous releases. :)

Malware Defender 2.1.1 final is released.

English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe

-{ Quote: "Malware Defender 2.1.1 final is released.

English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe" }-
Always a painless upgrade. I had quite a few programs open during update, quit MD's protection and fired up the new version. Happy days8)

And not even a re-boot is required :)

Hello, i'm trialing this program it seems very good, but system slowdown is extreme for some applications that read a lot of files.

For example, when i load ObjectDock Pro with File Protection enabled, startup time is ~48sec

With file protection disabled start time is ~28sec

At this load time ObjectDock uses ~50% CPU (2.4ghz X2)

With Malware Defender shut down (real time protection disabled) time is ~6sec

I have allow * all file rules in explorer.exe and ObjectDock.

There is also a large slowdown when running my file backup program, which also has all file allowed rule.

Is it normal for this program or am i doing something wrong ?

Thank You

-{ Quote: "Thanks for your product xiaolin. I wonder if you use a similar system/programming concept to Comodo's Defense+?" }-
I think the concepts are similar.

-{ Quote: "Hello, i'm trialing this program it seems very good, but system slowdown is extreme for some applications that read a lot of files.

For example, when i load ObjectDock Pro with File Protection enabled, startup time is ~48sec

With file protection disabled start time is ~28sec

At this load time ObjectDock uses ~50% CPU (2.4ghz X2)

With Malware Defender shut down (real time protection disabled) time is ~6sec

I have allow * all file rules in explorer.exe and ObjectDock.

There is also a large slowdown when running my file backup program, which also has all file allowed rule.

Is it normal for this program or am i doing something wrong ?

Thank You" }-

Thanks for trialing MD.

If file reading actions are monitored, slowdown may occure for applications that read a lot of files. Could you try set all the read permission of file rules to permit or ignore, and do not log any file reading events?

I moved to Windows x64. Once and forever. Hopefully, MD will be ported to x64. It's a promising app.

-{ Quote: "I moved to Windows x64. Once and forever. Hopefully, MD will be ported to x64. It's a promising app." }-
I will port MD to x64. But it will take some time. :)

i gave 5 starts in download.com this app deserve 5 or more starts;)

The Russian version of MD is released. Thank STaN++ for the great work.

http://www.torchsoft.com/download/md_setup_rus.exe

I was wondering, has anyone tested if "windows automation software" can be used on a PC running MD ?

... If yes, which windows automation software are you using alongside with MD ? I am looking for a good automation software pgm which includes both a macro recorder and a "task scheduler" to replace windows task scheduler and allows a successor job to wait for the predecessor job to complete and can test the predecessor job had an exit code of zero (otherwise don't execute the succesor job *and* also have no conflicts with MD.

-{ Quote: "I was wondering, has anyone tested if "windows automation software" can be used on a PC running MD ?
... If yes, which windows automation software are using alongside with MD ? I am looking for a good automation software pgm with no conflicts with MD." }-
Hi Joseph,
i use Bat_To_Exe_Converter.exe, AutoScriptWriter.exe and AutoHotkey.exe, without any problems along with MD.
http://www.autohotkey.com/ is Freeware and very easy to use.

AutoIt v3 (http://www.autoitscript.com/autoit3/index.shtml) which is also free and probably the most powerful, however there is a steeper learning curve.

JosephB I agree with Tony above, I use AutoHotKey the last 6-7 years and I don't know what to do without it. AutoIt is very powerful but I have settled with ahk. However ahk uses windows' scheduled tasks.

-{ Quote: "Hello, i'm trialing this program it seems very good, but system slowdown is extreme for some applications that read a lot of files.

For example, when i load ObjectDock Pro with File Protection enabled, startup time is ~48sec

With file protection disabled start time is ~28sec

At this load time ObjectDock uses ~50% CPU (2.4ghz X2)

With Malware Defender shut down (real time protection disabled) time is ~6sec

I have allow * all file rules in explorer.exe and ObjectDock.

There is also a large slowdown when running my file backup program, which also has all file allowed rule.

Is it normal for this program or am i doing something wrong ?

Thank You" }-
I also had performance problems a few months ago when I tried MD. This was because I had some read file monitoring rules set. I really don't want to have to avoid certain rules due to limitations of the program. EQS does not suffer from these performance issues at all.

-{ Quote: "I also had performance problems a few months ago when I tried MD. This was because I had some read file monitoring rules set. I really don't want to have to avoid certain rules due to limitations of the program. EQS does not suffer from these performance issues at all." }-
I will try to resolve this problem in next release. Thx