Malware Defender 2.2.0 beta
xiaolin
May 13th, 2009, 09:11 AM
The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b1.exe
what's new?
- Added protection against accessing Service Control Manager.
- Added protection against loading dynamic link libraries.
- Added protection against accessing COM interfaces.
- Added protection against setting hidden attribute of file or folder.
- Added support for searching permission and comment of rules.
- Added support for managing multiple rule files.
- Added support for Windows 7 rc.
- Separated "duplicate handle" permission from "access memory of other processes".
- Improved performance when handling file reading actions.
- Minor improvements and fixes.
1) Since new protections are added, it's recommended to restart system in learning mode after upgrade.
2) A user mode hook module (mdhook.dll) is added in this release to detect accessing SCM, loading DLL and accessing COM interface. The hook module will be loaded in all processes. If you find any compatible programs please tell me.
Thanks for testing.
Xiaolin
jmonge
May 13th, 2009, 10:17 AM
Thanks xiaolin, it is working fine here ;) I followed your advice :)
tony62
May 13th, 2009, 01:29 PM
Most VMware ThinApp applications are not compatible with latest Beta. For applications such as Media Player Classic; DSOUND.dll will not be found, regardless of permissions throughout MD. Exiting MD is the only option.
It would seem that MD cannot handle ThinApp's internal virtualized routines of loading Dynamic Link libraries.
xiaolin
May 13th, 2009, 10:04 PM
-{ Quote: "Most VMware ThinApp applications are not compatible with latest Beta. For applications such as Media Player Classic; DSOUND.dll will not be found, regardless of permissions throughout MD. Exiting MD is the only option.
It would seem that MD cannot handle ThinApp's internal virtualized routines of loading Dynamic Link libraries." }-
Where can I find a VMware ThinApp application for testing?
Thanks :)
tony62
May 13th, 2009, 11:01 PM
-{ Quote: "Eliminate Installation Conflicts with Application Virtualization
Application virtualization encapsulates the applications from the OS and each other; eliminating costly regression testing and conflicts from badly behaving applications. Just plug in an .MSI or .EXE file to deploy a virtual system environment, including registry keys, DLLs, third-party libraries, and frameworks without requiring any installation of agents or applications on the underlying operating system." }-
Below is a link to Media Player Classic (open source). Media Player Classic has been wrapped by me with a demo version of ThinApp.
http://www.speedyshare.com/582958945.html
Test MPC with MD beta running, then without!
bellgamin
May 14th, 2009, 03:28 AM
The beta runs great!
aigle
May 14th, 2009, 03:39 AM
-{ Quote: "
2) A user mode hook module (mdhook.dll) is added in this release to detect accessing SCM, loading DLL and accessing COM interface. The hook module will be loaded in all processes. If you find any compatible programs please tell me." }-
Why user mode? Will it not decrease the security?
Thanks
xiaolin
May 14th, 2009, 03:59 AM
-{ Quote: "Below is a link to Media Player Classic(open Source). Media Player Classic has been wrapped by me with a demo version of ThinApp.
http://www.speedyshare.com/582958945.html
Test MPC with MD beta running, then without!" }-
I will test it. Thx :)
xiaolin
May 14th, 2009, 04:12 AM
-{ Quote: "Why user mode? Will it not decrease the security?
Thanks" }-
The new protections (accessing SCM, loading DLL and accessing COM interface) can not be implemented in kernel. And user mode hooks are unavoidable when making x64 version of MD, since kernel hooks are not allowed in 64-bit Windows.
Malware may try to restore user mode hooks in current process, but I will add the ability to protect hooks installed by MD.
Ilya Rabinovich
May 14th, 2009, 04:27 AM
-{ Quote: "The new protections (accessing SCM, loading DLL and accessing COM interface) can not be implemented in kernel." }-
Really? For x32 Windows it's all possible. At least dll module loading detection is possible to implement at kernel level with API provided by MS.
smith2006
May 14th, 2009, 06:52 AM
I keep getting these application errors after installing 2.2.0 beta.
I have no issue when using 2.1.1.
jmonge
May 14th, 2009, 10:24 AM
-{ Quote: "I keep getting these application errors after installing 2.2.0 beta.
I have no issue when using 2.1.1." }-
When you install the new beta 2.2 in learning mode?
xiaolin
May 14th, 2009, 11:16 AM
-{ Quote: "I keep getting these application errors after installing 2.2.0 beta.
I have no issue when using 2.1.1." }-
Thanks for the bug report. I will fix it. :)
spidey
May 14th, 2009, 02:57 PM
I was getting the same errors. I wasn't having any luck getting learning mode to create rules. I created rules manually to allow each process access to its own memory, which eliminated the errors.
Here's a screenshot of a typical rule (in this case, for Excel):
http://i39.tinypic.com/2ezlhk4.jpg
xiaolin
May 14th, 2009, 10:07 PM
-{ Quote: "I was getting the same errors. I wasn't having any luck getting learning mode to create rules. I created rules manually to allow each process access to its own memory, which eliminated the errors.
Here's a screenshot of a typical rule (in this case, for Excel):
http://i39.tinypic.com/2ezlhk4.jpg" }-
Many other security programs (such as Jetico) will install hooks at the same position as MD's hooks. In the next beta release, I will remove the alert for accessing own memory, and add global file rules to protect MD's hooks (more secure). But you still have to create PERMIT rules if you are using MD with Jetico.
smith2006
May 14th, 2009, 10:18 PM
-{ Quote: "when you install the new beta 2.2 in learning mode?" }-
Yes, it was installed in learning mode.
smith2006
May 14th, 2009, 10:18 PM
-{ Quote: "Thanks for the bug report. I will fix it. :)" }-
No problem. :)
xiaolin
May 15th, 2009, 01:12 AM
Malware Defender 2.2.0 beta2 is released.
The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b2.exe
what's new since beta1?
- Fixed a bug when searching rule permissions.
- Fixed a bug that the application rule dialog cannot be displayed properly on low resolution screen.
- Fixed bugs in mdhook.dll.
- Added dwm.exe to system application rule list on Windows Vista or above.
- Changed the method for protecting hooks installed by MD. MD will not restrict accessing own memory of processes, but use new global file rules to restrict reading related dlls.
NOTE:
If you upgrade MD from old versions, please import the following rule file. (Rule menu -> Import)
http://www.torchsoft.com/download/Read-Restricted_Files.dat
It's recommended to restart system in learning mode after upgrade.
nick s
May 15th, 2009, 01:41 AM
-{ Quote: "Malware Defender 2.2.0 beta2 is released.
The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b2.exe
what's new since beta1?
- Fixed a bug when searching rule permissions.
- Fixed a bug that the application rule dialog cannot be displayed properly on low resolution screen.
- Fixed bugs in mdhook.dll.
- Added dwm.exe to system application rule list on Windows Vista or above.
- Changed the method for protecting hooks installed by MD. MD will not restrict accessing own memory of processes, but use new global file rules to restrict reading related dlls.
NOTE:
If you upgrade MD from old versions, please import the following rule file. (Rule menu -> Import)
http://www.torchsoft.com/download/Read-Restricted_Files.dat
It's recommended to restart system in learning mode after upgrade." }-
Hi Xiaolin,
MD 2.2.0 beta 2 breaks Sandboxie 3.37.10 (beta) on Vista SP2. It is not possible to invoke a sandboxed app unless I disable MD.
xiaolin
May 15th, 2009, 02:28 AM
-{ Quote: "Hi Xiaolin,
MD 2.2.0 beta 2 breaks Sandboxie 3.37.10 (beta) on Vista SP2. It is not possible to invoke a sandboxed app unless I disable MD." }-
Hi, I tested but did not find the problem. Could you try to use learning mode when invoking a sandboxed app?
Thanks,
Xiaolin
nick s
May 15th, 2009, 02:40 AM
-{ Quote: "Hi, I tested but did not find the problem. Could you try to use learning mode when invoking a sandboxed app?
Thanks,
Xiaolin" }-
I did not reboot as recommended. Sandboxed apps work as expected after rebooting. Sorry for the false alarm.
arran
May 15th, 2009, 06:54 PM
-{ Quote: "
-{ Quote: "The new protections (accessing SCM, loading DLL and accessing COM interface) can not be implemented in kernel. " }- Really? For x32 Windows it's all possible. At least dll module loading detection is possible to implement at kernel level with API provided by MS." }-
I like it when there is competition, when vendors pull up and correct other vendors. Not because I like watching flame wars, if it turns out to be a flame war, but because the end result is that it produces better security for us, with having really good products. And still waiting for xiaolin to make a reply. I run DefenseWall and Malware Defender, so guys, just make sure they will always run together smoothly with no conflicts.
xiaolin
May 15th, 2009, 10:24 PM
-{ Quote: "I like it when there is competition, when vendors pull up and correct other vendors. Not because I like watching flame wars, if it turns out to be a flame war, but because the end result is that it produces better security for us, with having really good products. And still waiting for xiaolin to make a reply. I run DefenseWall and Malware Defender, so guys, just make sure they will always run together smoothly with no conflicts." }-
Yes, I should not say "can not be implemented in kernel", there are possibilities. But I chose to implement these functions in user mode. I think it's the right decision.
xiaolin
May 17th, 2009, 05:37 AM
Malware Defender 2.2.0 beta3 is released.
The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b3.exe
what's new since beta2?
- Fixed a bug that some applications cannot start when MD is running.
- Fixed a bug that the COM interface rules of * application rule cannot be deleted.
NOTE:
If you upgrade MD from v2.2.0 beta1 or before, please import the following rule file. (Rule menu -> Import) http://www.torchsoft.com/download/Read-Restricted_Files.dat
It's recommended to restart system after upgrade (not necessary in learning mode).
Thanks,
Xiaolin
G1111
May 19th, 2009, 12:31 AM
I have been thinking of trying MD and have a few questions. I am currently using KAV, Outpost Firewall and Prevx 3.0 (all paid/latest versions). I am now also using Ghost Security (AppDefend/RegDefend) & DiamondCS WormGuard. MD would replace these two HIPS programs.
Are there any known conflicts with MD and KAV, Outpost or Prevx (or other security programs)? Is MD compatible with Vista or Windows 7? I am currently using XP Home SP3.
Are the default rules good protection? Also do you have to disable it to install new software. I occasionally screwed up some installs when I was using ProcessGuard. Ghost Security did not have any issues with software installation other than a lot of pop ups if you didn't disable protection first.
Is MD as easy to use as Ghost Security and does it have a light footprint? Is there any user manual available?
c0ltran3
May 19th, 2009, 02:20 PM
I'm using Malware Defender and I'm also using
- antivir
- Outpost Pro
- Defensewall
My operating system is Windows Vista. I have problems with MD beta 2 and MD beta 3. MD affects my wireless connections: I can use mail programs but I can't use any browser. I can't understand the reason.
I didn't have this problem with MD 2.1 and MD 2.2 beta 1.
Any suggestions?
Thanks in advance.
xiaolin
May 19th, 2009, 09:06 PM
-{ Quote: "I'm using Malware Defender and I'm also using
- antivir
- Outpost Pro
- Defensewall
My operating system is Windows Vista. I have problems with MD beta 2 and MD beta 3. MD affects my wireless connections: I can use mail programs but I can't use any browser. I can't understand the reason.
I didn't have this problem with MD 2.1 and MD 2.2 beta 1.
Any suggestions?
Thanks in advance." }-
Thanks for the bug report. The browser cannot be started? Could you try the learning mode?
If you cannot resolve the problem with learning mode, could you try disabling the "Read-Restricted Files" rule group?
c0ltran3
May 20th, 2009, 03:10 PM
Thank you xiaolin, my wireless connection works now.
MD conflicts with Outpost HIPS?
xiaolin
May 20th, 2009, 11:31 PM
-{ Quote: "Thank you xiaolin, my wireless connection works now.
MD conflicts with Outpost HIPS?" }-
I tested MD with OP, but did not find problems. It's complicated to use multiple security programs.
Peter2150
May 21st, 2009, 08:28 AM
Hi xiaolin
A question and a request.
First the question. Is there any significance to having a program in the trusted group in terms of how it's treated.
The request. On Stale rules clean up. An option somewhere to permanently remove something from the list. I have a couple of things like Microsoft's Hive clean up service that always shows up there and I don't want to delete the rules. That it shows up is not a bug in MD, as this happens with all other security software also. Just be nice to have a way to tell MD to ignore this on the stale rule clean up.
Pete
c0ltran3
May 21st, 2009, 01:06 PM
-{ Quote: "I tested MD with OP, but did not find problems. It's complicated to use multiple security programs." }-
OK thank for your help xiaolin
tony62
May 21st, 2009, 02:53 PM
-{ Quote: "Hi xiaolin
The request. On Stale rules clean up. An option somewhere to permanently remove something from the list. I have a couple of things like Microsoft's Hive clean up service that always shows up there and I don't want to delete the rules. That it shows up is not a bug in MD, as this happens with all other security software also. Just be nice to have a way to tell MD to ignore this on the stale rule clean up.
Pete" }-
Yes, I also have some programs on USB sticks which appear on a stale rule clean up. I think that it would be a good idea to have some sort of ignore list.
xiaolin
May 22nd, 2009, 12:44 AM
-{ Quote: "Hi xiaolin
A question and a request.
First the question. Is there any significance to having a program in the trusted group in terms of how it's treated.
The request. On Stale rules clean up. An option somewhere to permanently remove something from the list. I have a couple of things like Microsoft's Hive clean up service that always shows up there and I don't want to delete the rules. That it shows up is not a bug in MD, as this happens with all other security software also. Just be nice to have a way to tell MD to ignore this on the stale rule clean up.
Pete" }-
Hi Pete,
Having a program in the trusted group is the easy way to resolve problems when MD conflicts with other security software. Normally, using learning mode will resolve such a conflict. But sometimes the conflicting action does not execute when MD is in learning mode.
The ignore list will be added in next release. :)
Peter2150
May 22nd, 2009, 02:13 AM
Thanks xiaolin. Appreciate the quick response.
Pete
xiaolin
May 22nd, 2009, 03:33 AM
Malware Defender 2.2.0 final is released.
English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
Russian version: http://www.torchsoft.com/download/md_setup_rus.exe
What's new?
- Added protection against accessing Service Control Manager.
- Added protection against loading dynamic link libraries.
- Added protection against accessing COM interfaces.
- Added protection against setting hidden attribute of file or folder.
- Added support for searching permission and comment of rules.
- Added support for managing multiple rule files.
- Added support for Windows 7 rc.
- Separated "duplicate handle" permission from "access memory of other processes".
- Improved performance when handling file reading actions.
- Minor improvements and fixes.
NOTE:
If you upgrade MD from v2.2.0 beta2 or before, please restart system in learning mode after upgrade.
If you upgrade MD from v2.2.0 beta1 or before, please import the following rule file. (Rule menu -> Import) http://www.torchsoft.com/download/Read-Restricted_Files.dat
bellgamin
May 22nd, 2009, 03:41 PM
-{ Quote: "NOTE:
If you upgrade MD from v2.2.0 beta2 or before, please restart system in learning mode after upgrade." }-
Installed & running smoothly!
Why restart in learning mode? How long should I remain in that mode?
G1111
May 22nd, 2009, 05:47 PM
Currently trying the latest version of MD. The only problem I have had so far is a pop-up saying that MD can't register the following hot key: ctrl+shift+alt+P.
So I disabled hot keys in MD. Perhaps a conflict with Adobe Photoshop or Canon Digital Photo Professional? Also I cannot open Dr. Web CureIt (free scanner) because of its self-extracting files. It will run if I disable protection in MD first.
Otherwise seems to be running smoothly with all my other programs. I ran it in Learning Mode for awhile opening and running all my programs and doing several reboots.
xiaolin
May 22nd, 2009, 08:46 PM
-{ Quote: "Installed & running smoothly!
Why restart in learning mode? How long should I remain in that mode?" }-
It may not be necessary to restart in learning mode. You can switch to normal mode after restarting. :)
xiaolin
May 22nd, 2009, 08:48 PM
-{ Quote: "Currently trying the latest version of MD. The only problem I have had so far is a pop-up saying that MD can't register the following hot key: ctrl+shift+alt+P.
So I disabled hot keys in MD. Perhaps a conflict with Adobe Photoshop or Canon Digital Photo Professional? Also I cannot open Dr. Web CureIt (free scanner) because of its self-extracting files. It will run if I disable protection in MD first.
Otherwise seems to be running smoothly with all my other programs. I ran it in Learning Mode for awhile opening and running all my programs and doing several reboots." }-
You can change the hot key or clear the specific hot key.
If you encounter conflict problems, you can try using learning mode or grant full permissions to the corresponding application rule.
nick s
May 23rd, 2009, 02:09 AM
-{ Quote: "Malware Defender 2.2.0 final is released..." }-
Running well so far on Windows 7 RC, Vista SP2, and XP SP3. Thanks as always for the improvements.
nick s
May 23rd, 2009, 02:23 AM
-{ Quote: "Why restart in learning mode? How long should I remain in that mode?" }-
Given the new protections, I would recommend staying in learning mode for a session or two of normal usage. For me, that spanned about two days. Depending on the OS or installed apps, you may otherwise have to respond to quite a few alerts.
G1111
May 23rd, 2009, 04:27 PM
After several years with Ghost Security I have changed over and purchased a license for Malware Defender 2.2.0. I have enjoyed AppDefend/RegDefend, but development seemed to stop in March of 2008 and several E-Mails to Jason recently went unanswered. Although he continues to sell the products it looks like support has also ended.
I have been trialing MD for a day and after all seemed to go well I went ahead and purchased it. Is the default protection adequate? I am still learning the program and haven't started tweaking it yet. Also, does it respond at all to scripts/worms? I have DiamondCS WormGuard installed and am wondering, do I still need it?
arran
May 24th, 2009, 03:32 AM
Hi xiaolin.
MD is such an excellent HIPS. Keep up the good work, I hope MD lives forever.
Was wondering, can you in one of the later versions add a rule which prevents the reading of the registry?
Let's say for argument's sake a hacker gained access to your PC: how would you stop him from reading through the registry? How would you prevent Internet-facing apps from sending out registry information to remote servers?
It may not be a security issue but it is a privacy issue as the registry holds a lot of valuable information.
What are people's thoughts on this?
Kees1958
May 24th, 2009, 05:31 PM
Xiaolin,
I have a small change request. Currently the default of the system group is ask. Could you change this to ignore? Reason for asking is that ignore defaults to the * general application rule. So when I have ask or deny in the * application default, this is not overruled with ask, due to the higher priority of the system group.
Thanks
Xiaolin, PC Magazine published startup cop pro4, on the website they have a list of keys which they protect, have a look at it, please.
tony62
May 24th, 2009, 05:40 PM
-{ Quote: "
The ignore list will be added in next release. :)" }-
Thank you:)
arran
May 24th, 2009, 06:45 PM
-{ Quote: "If you are using Windows Vista, Malware Defender may be blocked by Windows Defender on startup, you need to start Malware Defender manually.
" }-
I am still yet to test, but has anyone else tested on how fast MD loads during boot up. MD should be the very first thing or one of the first to load during boot up. So as other programs can submit to MD's authority not MD submit to other authority. Because if some one got malware which started during boot up we all know what the end result could be eh. So xiaolin can MD be advanced forward during boot up?
xiaolin
May 24th, 2009, 10:39 PM
-{ Quote: "Xiaolin,
I have a small change request. Currently the default of the system group is ask. Could you change this to ignore? Reason for asking is that ignore defaults to the * general application rule. So when I have ask or deny in the * application default, this is not overruled with ask, due to the higher priority of the system group.
Thanks
Xiaolin, PC Magazine published startup cop pro4, on the website they have a list of keys which they protect, have a look at it, please." }-
Hi Kees,
I have changed the default permissions of the system app rules from ignore to ask to avoid being affected by low priority rules. For example, if you set some permissions to DENY in the * app rule, the system may work improperly, or even may not be able to start.
But you can change the permission to ignore manually. :)
nick s
May 24th, 2009, 10:39 PM
-{ Quote: "I am still yet to test, but has anyone else tested on how fast MD loads during boot up. MD should be the very first thing or one of the first to load during boot up. So as other programs can submit to MD's authority not MD submit to other authority. Because if some one got malware which started during boot up we all know what the end result could be eh. So xiaolin can MD be advanced forward during boot up?" }-
Are you talking about driver load time or user interface (tray icon) load time? MD's protections are generally kernel driver based and in place before you see the logon screen.
xiaolin
May 24th, 2009, 10:42 PM
-{ Quote: "Hi xiaolin.
MD is such an excellent HIPS. Keep up the good work, I hope MD lives forever.
Was wondering, can you in one of the later versions add a rule which prevents the reading of the registry?
Let's say for argument's sake a hacker gained access to your PC: how would you stop him from reading through the registry? How would you prevent Internet-facing apps from sending out registry information to remote servers?
It may not be a security issue but it is a privacy issue as the registry holds a lot of valuable information.
What are people's thoughts on this?" }-
Hi arran,
It will reduce system performance if I add the feature of detecting registry read actions.
I think the network protection can prevent sending out registry information. :)
nick s
May 24th, 2009, 10:45 PM
-{ Quote: "Malware Defender 2.2.0 final is released." }-
Hi Xiaolin,
I have "Use random name for Malware Defender driver" enabled, but the driver name has been the same at every startup since installing 2.2.0. Tested on Vista SP2 and XP SP3.
xiaolin
May 25th, 2009, 12:12 AM
-{ Quote: "Hi Xiaolin,
I have "Use random name for Malware Defender driver" enabled, but the driver name has been the same at every startup since installing 2.2.0. Tested on Vista SP2 and XP SP3." }-
Hi nick,
The last used driver name is saved in the registry. MD will change the driver name only if it cannot open the driver with the last name. So normally, the driver name will be changed after upgrade.
The old versions have same behaviour too.
nick s
May 25th, 2009, 12:25 AM
-{ Quote: "Hi nick,
The last used driver name is saved in the registry. MD will change the driver name only if it cannot open the driver with the last name. So normally, the driver name will be changed after upgrade.
The old versions have same behaviour too." }-
Thanks for the explanation. I checked my bootlogs and see now how the driver naming works.
arran
May 25th, 2009, 01:17 AM
-{ Quote: "Are you talking about driver load time or user interface (tray icon) load time? MD's protections are generally kernel driver based and in place before you see the logon screen." }-
I am talking about driver load time. As you can see in the screenshot, the DefenseWall and EQSecure drivers start a bit before MD. The one marked at the top, AEinput, is the Anti-Executable by Faronics driver. Is it possible to move MD's driver further up? Is there such a program that will do this? Or can only xiaolin do this, with the way MD is written?
arran
May 25th, 2009, 01:21 AM
-{ Quote: "Hi arran,
It will reduce system performance if I add the feature of detecting registry read actions.
I think the network protection can prevent sending out registry information. :)" }-
That's OK, we don't want to add features if it means sacrificing system performance.
mike21
May 25th, 2009, 03:12 AM
Well, congratulations from me too xiaolin, MD is excellent, I hope you won't abandon development too. It's kind of expensive for a HIPS and I had to pay around 20% VAT additionally, via regnow, but since the license is lifetime, it is definitely worth it.
Muchinga
May 25th, 2009, 06:34 AM
Hello,
What is the difference between the following two rules :
209177
209178
Thanks.
xiaolin
May 25th, 2009, 09:20 AM
-{ Quote: "Hello,
What is the difference between the following two rules :
209177
209178
Thanks." }-
The permission on the Permissions page (first picture) is the default value. If the list (second picture) is empty, or the permission of the matched rule in the list is IGNORE, then the load dll permission on the Permissions page will be used.
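Added example, not part of the thread and not Malware Defender's code: a simplified Python model of the rule precedence described in this post and in the earlier reply about system app rules (per-DLL list first, then the Permissions-page default, with IGNORE falling through to lower-priority rules such as the * rule). The `AppRule` class, the priority numbers, the final ASK fallback and all paths are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PERMIT, DENY, ASK, IGNORE = "PERMIT", "DENY", "ASK", "IGNORE"


@dataclass
class AppRule:
    """Hypothetical stand-in for one application rule."""
    pattern: str                  # application path pattern; "*" is the general rule
    priority: int                 # higher value is consulted first (assumed scale)
    load_dll: str = IGNORE        # default from the rule's Permissions page
    dll_list: list = field(default_factory=list)  # [(dll pattern, permission)]


def _match(pattern, value):
    # Windows paths are case-insensitive, so compare lower-cased.
    return fnmatchcase(value.lower(), pattern.lower())


def resolve_load_dll(rules, app, dll):
    """Return (permission, source) for `app` loading `dll`."""
    matching = [r for r in rules if _match(r.pattern, app)]
    for rule in sorted(matching, key=lambda r: r.priority, reverse=True):
        # 1. Per-DLL list: the first matching entry decides, unless it is IGNORE.
        for dll_pattern, permission in rule.dll_list:
            if _match(dll_pattern, dll):
                if permission != IGNORE:
                    return permission, rule.pattern + " list"
                break  # matched entry is IGNORE: use the page default
        # 2. Permissions-page default of this rule.
        if rule.load_dll != IGNORE:
            return rule.load_dll, rule.pattern + " default"
        # 3. IGNORE here too: fall through to the next lower-priority rule.
    return ASK, "no rule"  # assumed fallback when nothing decides


# Constructed sample rules and paths.
APP = r"c:\windows\system32\services.exe"
DLL = r"c:\windows\system32\example.dll"
STAR_DENY = AppRule("*", priority=0, load_dll=DENY)
SYSTEM_IGNORE = AppRule(r"c:\windows\system32\*", priority=10, load_dll=IGNORE)
SYSTEM_ASK = AppRule(r"c:\windows\system32\*", priority=10, load_dll=ASK)
SYSTEM_LIST = AppRule(
    r"c:\windows\system32\*", priority=10, load_dll=ASK,
    dll_list=[(r"*\example.dll", PERMIT), ("*", IGNORE)],
)

if __name__ == "__main__":
    # System rule left at IGNORE: a DENY in the * rule reaches the system app.
    print(resolve_load_dll([SYSTEM_IGNORE, STAR_DENY], APP, DLL))
    # System rule set to ASK: the * rule is never consulted.
    print(resolve_load_dll([SYSTEM_ASK, STAR_DENY], APP, DLL))
    # A PERMIT entry in the DLL list wins over the page default.
    print(resolve_load_dll([SYSTEM_LIST, STAR_DENY], APP, DLL))
```

In this model the first call shows the failure mode the ask default guards against: a DENY set in the * rule lands on a system process whose own rule says IGNORE.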
xiaolin
May 25th, 2009, 09:29 AM
-{ Quote: "Well congratulations from me too xiaolin, MD is excellent, I hope you won't abandon development too. Its kind of expensive for hips and I had to pay around 20% VAT additionally, via regnow, but since the license is lifetime, it is definitely worth it." }-
The update speed may slow down after MD becomes mature. But I will not abandon the development. Thank you. :)
bellgamin
May 25th, 2009, 04:31 PM
-{ Quote: "The update speed may slow down after MD becomes mature. But I will not abandon the development. Thank you. :)" }-
MD's "Lifetime License" concerns me as to your long-term financial soundness. I suggest that you exclude/grandfather folks who NOW have lifetime license, and switch to something like Ilya uses for Defense Wall Hips (http://www.softsphere.com/registration/). I quote Ilya's license terms as follows...
-{ Quote: "The DefenseWall HIPS program license is Lifetime, however updates, email notifications and first-queue support expire after 1 year unless you renew (extend, prolongate) your license." }-
Another option might be to offer 1-year licenses for (say) $12, and also retain the option for buying a lifetime license at the price you now charge.
I hope that others will chime in with their comments. I do want MD to remain financially successful for a long long time!
xiaolin
May 25th, 2009, 08:34 PM
-{ Quote: "MD's "Lifetime License" concerns me as to your long-term financial soundness. I suggest that you exclude/grandfather folks who NOW have lifetime license, and switch to something like Ilya uses for Defense Wall Hips (http://www.softsphere.com/registration/). I quote Ilya's license terms as follows...
Another option might be to offer 1-year licenses for (say) $12, and also retain the option for buying a lifetime license at the price you now charge.
I hope that others will chime in with their comments. I do want MD to remain financially successful for a long long time!" }-
I will think about it. But even if I change the license, the promises to users who have already paid will not change.
Thank you.
1000db
May 25th, 2009, 11:39 PM
The lifetime license is nice but at $40 USD I can get a whole suite if I wanted one (more comprehensive but not lifetime). I really like MD but it's not really for non-technical users as far as usability goes.
nick s
May 26th, 2009, 02:33 AM
-{ Quote: "I am talking about driver load time. as you can see in the screen shot defense wall and eqsecure drivers starts a bit before MD. the one marked at the top AEinput is Anti-executable by faronics driver. Is it possible to move MD's driver further up? is there such a program that will do this? or can only xiaolin do this with the way MD is written?" }-
I compared MD 2.2.0 and DW 2.55 driver loading on XP SP3, Vista SP2, and Windows 7 RC, and see that, for me, MD's driver lags DW's dwall.sys only on Windows 7...
XP SP3:
Loaded driver \??\c:\windows\system32\drivers\ncmebaaa.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\dwall.sys
Vista SP2:
Loaded driver \??\c:\windows\system32\drivers\majpohid.sys
Loaded driver \SystemRoot\System32\Drivers\dwall.sys
Windows 7 RC:
Loaded driver \SystemRoot\System32\Drivers\dwall.sys
Loaded driver \SystemRoot\System32\drivers\discache.sys
Loaded driver \SystemRoot\system32\drivers\csc.sys
Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
Loaded driver \SystemRoot\system32\DRIVERS\blbdrive.sys
Loaded driver \??\c:\windows\system32\drivers\bednigeg.sys
You can generally change a driver's start value to 0 (boot) using regedit. It may or may not work. MD 2.2.0 blocks tampering with the start value. Even if it did work, I'm not sure you would gain anything. These are issues best left for the devs to shed light on.
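Added example, not part of the thread: a Python sketch that parses boot-log lines like the excerpts in the post above and reports whether one driver loaded before another. Treating the randomly named `\??\` entry in each excerpt as MD's driver is an inference from the post's conclusion, and the function names are illustrative.

```python
import re

# Excerpts copied from the post above, keyed by OS. The second tuple item is
# the driver assumed to be MD's (its name is randomised per install).
BOOT_LOGS = {
    "XP SP3": (r"""
Loaded driver \??\c:\windows\system32\drivers\ncmebaaa.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\dwall.sys
""", "ncmebaaa.sys"),
    "Vista SP2": (r"""
Loaded driver \??\c:\windows\system32\drivers\majpohid.sys
Loaded driver \SystemRoot\System32\Drivers\dwall.sys
""", "majpohid.sys"),
    "Windows 7 RC": (r"""
Loaded driver \SystemRoot\System32\Drivers\dwall.sys
Loaded driver \SystemRoot\System32\drivers\discache.sys
Loaded driver \SystemRoot\system32\drivers\csc.sys
Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
Loaded driver \SystemRoot\system32\DRIVERS\blbdrive.sys
Loaded driver \??\c:\windows\system32\drivers\bednigeg.sys
""", "bednigeg.sys"),
}

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*)$")


def parse_boot_log(text):
    """Return [(file name in lower case, loaded?)] in log order."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank lines, headers, anything that is not a driver line
        path = match.group(2).strip().replace("/", "\\")
        name = path.rsplit("\\", 1)[-1].lower()
        entries.append((name, match.group(1) == "Loaded driver"))
    return entries


def load_index(entries, driver):
    """Position of the first successful load of `driver`, or None."""
    wanted = driver.lower()
    for index, (name, loaded) in enumerate(entries):
        if loaded and name == wanted:
            return index
    return None


def loads_before(entries, first, second):
    """True/False if both drivers loaded; None if either one did not."""
    a, b = load_index(entries, first), load_index(entries, second)
    if a is None or b is None:
        return None
    return a < b


def md_before_dwall():
    """Per OS: did the assumed MD driver load before dwall.sys?"""
    return {
        os_name: loads_before(parse_boot_log(text), md_driver, "dwall.sys")
        for os_name, (text, md_driver) in BOOT_LOGS.items()
    }


if __name__ == "__main__":
    for os_name, result in md_before_dwall().items():
        print(f"{os_name}: MD driver before dwall.sys = {result}")
```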
_kronos_
May 30th, 2009, 09:37 AM
Does MD forget the rules in limited user account?
I used to run MD and Prevx 3.0 Free in LUA, but I noticed that MD forgets some rules... even if during the popup I select Create permanent rule for that application (without the command line) :doubt:
mike21
May 30th, 2009, 11:31 AM
I think you are right. It forgot some of my rules too, but I don't remember if it was before or after registration but I am sure that it was previous version than 2.2.0
Peter2150
May 30th, 2009, 01:41 PM
-{ Quote: "I think you are right. It forgot some of my rules too, but I don't remember if it was before or after registration but I am sure that it was previous version than 2.2.0" }-
Not restricted to LUA. I am also suspecting it's forgetting stuff. Also I do something in learning mode, and then later still get pop-ups.
G1111
May 30th, 2009, 02:50 PM
-{ Quote: "Not restricted to LUA. I am also suspecting it's forgetting stuff. Also I do something in learning mode, and then later still get pop-ups." }-
Only been using MD for a short time, and I am running the latest version 2.2.0, but have not experienced that problem with rules reverting. I just tried changing a permission for CCleaner from "ignore" to "ask", then changed MD from silent to learning mode, ran CCleaner, closed the program, changed MD back to silent and the permission was still "ask" (create new process). Only a simple test. I moved KAV and Outpost to "trusted" mode and they are still in that category after a few days and reboots. Maybe Xiaolin could check on this.
xiaolin
May 30th, 2009, 08:54 PM
-{ Quote: "Does MD forget the rules in limited user account?
I used to run MD and Prevx 3.0 Free in LUA, but I noticed that MD forgets some rules... even if during the popup I select Create permanent rule for that application (without the command line) :doubt:" }-
I reviewed the source code but did not find problems. If anyone have more details information to reproduce the problem, please send email to me.
Thanks,
Xiaolin
bellgamin
May 31st, 2009, 01:11 AM
-{ Quote: "Only been using MD for a short time, and I am running the latest version 2.2.0, but have not experienced that problem with rules reverting." }-
I have been running MD for a fairly long time -- always the latest version -- & also have not experienced any problem with rules reverting. I'm not saying it doesn't happen -- but it hasn't happened to me.
arran
May 31st, 2009, 04:09 AM
This Malware Defender is a HIPS lovers Dream come true.
Especially the file and folder rules which makes it so so Powerful.
xiaolin
May 31st, 2009, 04:43 AM
Malware Defender 2.2.1 final is released. :)
English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
Russian version: http://www.torchsoft.com/download/md_setup_rus.exe
What's new?
- Fixed a bug when handling file path in Vista or above.
- Fixed a bug in mdhook.dll.
- Fixed the problem that the priority of logging event is not the same as the priority of rule.
Thanks,
Xiaolin
G1111
May 31st, 2009, 01:02 PM
Downloaded and installed over the existing version with no problems. Rebooted in learning mode just to be sure. Also backed up my existing rules before the install. Everything seems to be running smooth. The new install did not affect my existing rules. Thanks Xiaolin.
bellgamin
May 31st, 2009, 05:39 PM
-{ Quote: "Downloaded and installed over the existing version with no problems." }-
Ditto. Ding Hao! Support for MD is amazingly superb, as always.
G1111
June 3rd, 2009, 01:50 AM
-{ Quote: "This Malware Defender is a HIPS lovers Dream come true.
Especially the file and folder rules which makes it so so Powerful." }-
Yes, added a custom rule for a single file. Lock the User Interface and it's in a vault. Great program, MD.
DOSawaits
June 3rd, 2009, 07:52 AM
I have a question for Xiaolin,
Before purchasing, I would like to know if I'm allowed to install MD on a multi-boot system, ie : installing it on my XP SP3 partition, and on my Vista SP2 partition ?
Thanks in advance !
Peter2150
June 3rd, 2009, 08:25 AM
from the help file
-{ Quote: "Registered version
One registered copy of Malware Defender may either be used by a single person who uses the software personally on one or more computers, or installed on a single workstation used non-simultaneously by multiple people, but not both. You may access the registered version of Malware Defender through a network, provided that you have obtained individual licenses for the software covering all workstations that will access the software through the network" }-
Pete
DOSawaits
June 3rd, 2009, 10:41 AM
Thanks pete !
xiaolin
June 4th, 2009, 10:13 PM
Malware Defender 2.2.2 final is released.
English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
Russian version: http://www.torchsoft.com/download/md_setup_rus.exe
What's new?
- Improved support for Windows 7 rc.
- Fixed a bug when downloading kernel symbols in Windows 7 rc.
- Fixed a bug that does not convert short file name path of dynamic link library to long file name path.
- Changed the status of "Read-Restricted Files" file group to disable for fresh installation.
NOTE:
There may be a lot of alerts of reading restricted files when running MD with other security software. If you upgrade MD from old versions, you can disable the "Read-Restricted Files" file group manually.
G1111
June 5th, 2009, 05:23 PM
I've updated to 2.2.2, no problems thus far. Thanks Xiaolin.
demoneye
June 5th, 2009, 06:36 PM
hi
I just noticed something: when I create a rule for an application which accesses the net (add ports:IPs to network rules), and I delete the rule and then recreate it, it remembers all the IPs:ports from the old/previous rule. Is that OK??
xiaolin
June 5th, 2009, 09:53 PM
-{ Quote: "hi
I just noticed something: when I create a rule for an application which accesses the net (add ports:IPs to network rules), and I delete the rule and then recreate it, it remembers all the IPs:ports from the old/previous rule. Is that OK??" }-
Hi demoneye,
I cannot reproduce the problem. Could you describe the problem more precisely? Did you create the rule in the "Edit Application Rule" dialog?
Thanks,
Xiaolin
demoneye
June 6th, 2009, 05:07 AM
-{ Quote: "Hi demoneye,
I cannot reproduce the problem. Could you describe the problem more precisely? Did you create the rule in the "Edit Application Rule" dialog?
Thanks,
Xiaolin" }-
Yes, in the "Edit Application Rule" dialog.
It seems the file svchost.exe somehow remembers the software's IPs:ports after the delete/re-add action...
I tested it on the foobar2000 player after adding some radio links in "add location". MD asks for each new IP:port that tries to access the net (fine and OK), but after deleting all "foobar" rules using "find rules" and re-adding them, the issue appears
Muchinga
June 6th, 2009, 08:14 AM
Xiaolin,
When I create a new file (for example c\new file.txt), I create a new permanent rule "create file" but "Read, Write, Create and Delete" are on "Permit" and not only "Create".
Is it a bug, by design or ...?
Thanks.
xiaolin
June 6th, 2009, 11:42 AM
-{ Quote: "Yes, in the "Edit Application Rule" dialog.
It seems the file svchost.exe somehow remembers the software's IPs:ports after the delete/re-add action...
I tested it on the foobar2000 player after adding some radio links in "add location". MD asks for each new IP:port that tries to access the net (fine and OK), but after deleting all "foobar" rules using "find rules" and re-adding them, the issue appears" }-
MD monitors network connections, but not all the packets. The network connection will not be affected if you change the network rule after the connection is created.
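Because rules are checked when a connection is created, connections that predate a rule change keep running until they close. As an added example (not from the thread and not part of Malware Defender), the Python below parses `netstat -ano` output and lists a process's established TCP connections that the current allow-list would no longer permit; the sample output, the PIDs and the `(cidr, port)` allow-list format are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49210     203.0.113.10:8000      ESTABLISHED     3344
  TCP    192.168.1.20:49215     198.51.100.7:80        ESTABLISHED     3344
  TCP    192.168.1.20:49220     203.0.113.10:8000      TIME_WAIT       0
  TCP    192.168.1.20:49301     192.0.2.55:443         ESTABLISHED     1180
  UDP    0.0.0.0:5353           *:*                                    1500
"""


class Conn(NamedTuple):
    local: str
    remote_ip: str
    remote_port: int
    pid: int


def parse_established(netstat_text):
    """Return the ESTABLISHED TCP connections found in `netstat -ano` text."""
    conns = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have exactly: proto, local, foreign, state, pid.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        ip, _, port = parts[2].rpartition(":")
        ip = ip.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        conns.append(Conn(parts[1], ip, int(port), int(parts[4])))
    return conns


def stale_connections(conns, pid, allowed):
    """Connections of `pid` whose remote endpoint is not in the current
    allow-list. `allowed` is a hypothetical list of (cidr, port) pairs
    mirroring what the network rule permits now."""
    nets = [(ipaddress.ip_network(cidr), port) for cidr, port in allowed]
    stale = []
    for c in conns:
        if c.pid != pid:
            continue
        addr = ipaddress.ip_address(c.remote_ip)
        if not any(addr in net and c.remote_port == port for net, port in nets):
            stale.append(c)
    return stale


if __name__ == "__main__":
    current_rule = [("203.0.113.10/32", 8000)]  # constructed allow-list
    for c in stale_connections(parse_established(SAMPLE_NETSTAT), 3344, current_rule):
        print(f"PID {c.pid}: {c.local} -> {c.remote_ip}:{c.remote_port} predates the rule")
```

Connections reported here only end when the application closes them or is restarted, after which the new rule applies to every fresh connection attempt.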
xiaolin
June 6th, 2009, 11:47 AM
-{ Quote: "Xiaolin,
When I create a new file (for example c\new file.txt), I create a new permanent rule "create file" but "Read, Write, Create and Delete" are on "Permit" and not only "Create".
Is it a bug, by design or ...?
Thanks." }-
Hi,
The default Read permission is permit. And MD sets the same permissions for Write, Create and Delete when creating a rule in the Alert window. But you can change Write, Create and Delete permissions manually.
wat0114
June 6th, 2009, 01:00 PM
-{ Quote: "Malware Defender 2.2.2 final is released.
- Improved support for Windows 7 rc.
- Fixed a bug when downloading kernel symbols in Windows 7 rc.
" }-
Hi xiaolin,
thanks again for the new release and your hard work :) Would you recommend it's okay to install on Win 7 RC x64, as long as it's installed in the "Program files x86" folder?
G1111
June 6th, 2009, 01:11 PM
-{ Quote: " - Changed the status of "Read-Restricted Files" file group to disable for fresh installation.
NOTE:
There may be a lot of alerts of reading restricted files when running MD with other security software. If you upgrade MD from old versions, you can disable the "Read-Restricted Files" file group manually." }-
I have most of my security applications as "Trusted Applications" in MD and have had no alerts.
xiaolin
June 6th, 2009, 07:58 PM
-{ Quote: "Hi xiaolin,
thanks again for the new release and your hard work :) Would you recommend it's okay to install on Win 7 RC x64, as long as it's installed in the "Program files x86" folder?" }-
Sorry, MD does not support x64 version of Windows yet.
apathy
June 26th, 2009, 04:23 AM
I just reinstalled Windows on my Asus EEEPC 1000HE net book. I am installing GesWall and Malware Defender. I'm looking for a light secure setup and I think they will play nice.
jmonge
June 26th, 2009, 09:36 AM
good start:)
arran
June 28th, 2009, 12:48 AM
-{ Quote: "Sorry, MD does not support x64 version of Windows yet." }-
Heaven Help I hope there is going to be 64bit for windows 7 ??
please don't make me have to choose between 16GB Ram and Malware Defender with only 4GB Ram.
xiaolin can you make it a Priority??
xiaolin
June 28th, 2009, 06:00 AM
-{ Quote: "Heaven Help I hope there is going to be 64bit for windows 7 ??
please don't make me have to choose between 16GB Ram and Malware Defender with only 4GB Ram.
xiaolin can you make it a Priority??" }-
I will implement the 64-bit version of MD when 64-bit Windows becomes popular. The code signing certificate for 64-bit driver is a big trouble.
Thanks,
Xiaolin
aigle
June 28th, 2009, 07:24 AM
Can anyone confirm that my understanding about MD file protection filters is correct? I am a bit confused with the Write filter. Thanks
Read- reading any file
Write- creating a brand new file? or modifying an already present file?
Create- creating a brand new file that doesn't exist before
Delete- deleting an already present file completely
jmonge
June 28th, 2009, 12:01 PM
-{ Quote: "Can anyone confirm that my understanding about MD file protection filters is correct? I am a bit confused with the Write filter. Thanks
Read- reading any file
Write- creating a brand new file? or modifying an already present file?
Create- creating a brand new file that doesn't exist before
Delete- deleting an already present file completely" }-
The deny for writing is for present and/or newly introduced files
bellgamin
June 28th, 2009, 02:28 PM
-{ Quote: "I will implement the 64-bit version of MD when 64-bit Windows becomes popular." }-
1) Two groups of computer users come to mind:
Group X: Folks who now use 64-bit PLUS folks who are likely to switch to 64-bit early on.
Group Z: Folks who are interested in stand-alone classic HIPS.
2) My OPINION: A high percentage of folks who are in Group X are also in Group Z. And vice versa.
Julian
June 28th, 2009, 03:40 PM
-{ Quote: "1) Two groups of computer users come to mind:
Group X: Folks who now use 64-bit PLUS folks who are likely to switch to 64-bit early on.
Group Z: Folks who are interested in stand-alone classic HIPS.
2) My OPINION: A high percentage of folks who are in Group X are also in Group Z. And vice versa." }-
+1
I find it a pity that also Tallemu don't spend (many or any?) resources on 64 bit support. I guess it would result in a noticeable customer increase.
Peter2150
June 28th, 2009, 03:59 PM
-{ Quote: "+1
I find it a pity that also Tallemu don't spend (many or any?) resources on 64 bit support. I guess it would result in a noticeable customer increase." }-
The problem is you in what you said. "I guess" Go to the sandboxie forum, and read why Tzuk won't do 64bit, and it raises some interesting questions.
Then answer this. There would appear to be loads of people asking for 64bit OA, but what would they be willing to pay for it.
Pete
arran
June 28th, 2009, 05:18 PM
-{ Quote: "I will implement the 64-bit version of MD when 64-bit Windows becomes popular. The code signing certificate for 64-bit driver is a big trouble.
Thanks,
Xiaolin" }-
I think that most people who will be getting Windows 7 would be getting 64-bit because they would also want to upgrade the RAM. We can't stay on 4GB of RAM forever while everything else is being upgraded. I'm sure if we create a poll when Windows 7 comes, most people would be on 64-bit.
I wouldn't mind if you increased the price for a 64-bit version.
MD is the only decent classical HIPS around with decent file and folder rules.
jmonge
June 28th, 2009, 11:51 PM
-{ Quote: "I think that most people who will be getting Windows 7 would be getting 64-bit because they would also want to upgrade the RAM. We can't stay on 4GB of RAM forever while everything else is being upgraded. I'm sure if we create a poll when Windows 7 comes, most people would be on 64-bit.
I wouldn't mind if you increased the price for a 64-bit version.
MD is the only decent classical HIPS around with decent file and folder rules." }-
Agree 100% :thumb:
arran
June 29th, 2009, 01:16 AM
but this thread isn't about sandboxie. And I really don't care what happens with Sandboxie.
But more importantly, Xiaolin said today "I will implement the 64-bit version of MD when 64-bit Windows becomes popular", so there will be an MD 64-bit version later.
When 64-bit Windows becomes popular, which isn't too far away now, vendors are going to have to start producing 64-bit versions or they will go out of business.
jmonge
June 29th, 2009, 01:43 AM
Xiaolin is a one-man developer that really works hard. Well, he probably drinks a lot of coffee :argh:
aigle
June 29th, 2009, 02:33 AM
-{ Quote: "The deny for writing is for present and/or newly introduced files" }-
Sorry I could not understand. Can you explain a bit more pls? Thanks
jmonge
June 29th, 2009, 02:42 AM
If you run a new file or a file that was saved, and if you have the deny rules write/delete/modify, then the action will be denied because of the rule (deny). It doesn't matter if the file is new to the system or if you saved it and then ran it; it will be blocked for any changes ;D Sorry for my bad English :)
nick s
June 29th, 2009, 02:55 AM
-{ Quote: "And I really don't care what happens with Sandboxie." }-
You should because tzuk and xiaolin face the same PatchGuard hurdle. Can 64-bit versions of MD or Sandboxie (or any HIPS/sandbox app) be as effective as their 32-bit versions? Apparently not, based on my reading of a recent post by tzuk in the Goodbye Sandboxie (http://www.sandboxie.com/phpbb/viewtopic.php?t=5718) thread (emphasis mine):
"I don't hate 64-bit. I tried to support 64-bit a few years ago but then Microsoft revised 64-bit Windows to be even more restrictive towards security software.
So at that point I needed to decide if I'm going to be like many security software makers who silently disable some (or a lot) of the security features in their 64-bit products, just so I can still offer and sell Sandboxie on the new platform.
And I decided against that. Instead I'm saying that it's not right to restrict the Windows platform this way, and that I'm not going to support that. If you're not part of the solution then you're part of the problem, right?
Another reason is that I don't want to be in the position that I offer a security product which can be easily circumvented, and I can tell you that this is absolutely going to happen with 64-bit Sandboxie, because all these new restrictions prevent Sandboxie from being able to monitor/supervise some very important things.
I know this does happen with anti-virus products (and has been happening for years) that they are disabled by viruses, and is accepted as a fact of life. But I'm not going to put my name on a product that ends up being a joke.
If I do end up having to port Sandboxie to 64-bit then it will be under a different name so it doesn't taint the Sandboxie brand with promises about security that it can't possibly deliver.
Of course, if the restrictions are removed, then I will be happy to resume full support for the 64-bit edition of Windows."
arran
June 29th, 2009, 05:23 AM
interesting. there are already a couple of other security products with 64-bit versions which I am interested in. which are Deep Freeze and Kaspersky 2010 with its HIPS and Sandbox. So it is possible to have 64-bit security product versions in the market.
If it is true about Microsoft making all these restrictions on 64-bit operating systems, making it harder for security products to work properly, then I wonder how well Kaspersky 2010 is working with its HIPS and sandbox?? I think we maybe need to test it. Kaspersky 2010 could end up being later on the one and only best HIPS and sandbox for Windows 7 64-bit lol. But I wouldn't have any file and folder rules :'(
Ilya Rabinovich
June 29th, 2009, 05:40 AM
-{ Quote: "So it is possible to have 64-bit security product versions in the market." }-
But did you compare protection strength of their 32 and 64-bit versions? Why do you think it's the same?
arran
June 29th, 2009, 03:17 PM
It kinda looks like I will be stuck with 3.5-4 GB Ram through out all Eternity >:(
xiaolin
June 29th, 2009, 08:24 PM
-{ Quote: "This is probably the reason why Defense+ fails on some leak tests on 64-bit, but passes on 32-bit." }-
The developer has to use user mode hooks to implement some protections. There may be no way to protect these protections from being bypassed by malware.
jmonge
July 1st, 2009, 02:44 AM
Hi Xiaolin, any new updates? Thanks
jmonge
July 1st, 2009, 03:18 AM
for sure not signature updates
arran
July 4th, 2009, 09:05 PM
-{ Quote: "I will implement the 64-bit version of MD when 64-bit Windows becomes popular. The code signing certificate for 64-bit driver is a big trouble.
Thanks,
Xiaolin" }-
From this poll it looks like 64-bit version will be more popular as soon as windows 7 arrives.
http://www.wilderssecurity.com/showthread.php?t=246329
-{ Quote: "But did you compare protection strength of their 32 and 64-bit versions? Why do you think it's the same?" }-
-{ Quote: "The developer has to use user mode hooks to implement some protections. There may be no way to protect these protections from being bypassed by malware." }-
xiaolin can you elaborate on what RULES in MD will be weakened in strength
in a 64 bit version?
Ilya Rabinovich and other vendors feel free to post, I want to know how windows 64 bit is going to weaken security products in terms of what abilities
they will be limited to.
For example, are security products still going to be able to block rootkit installations?
Are they still going to be able to block programs from executing??
kuga
July 5th, 2009, 06:51 PM
Hi xiaolin
1. Is Malware Defender able to detect FUD keylogger, Trojan and so on?
2. Is Malware Defender able to protect users from stealer program such as iStealer?
Thanks
wat0114
July 5th, 2009, 10:35 PM
For those who haven't read tzuk's (SandBoxie developer) take on 64 bit, here it is:
-{ Quote: "I don't hate 64-bit. I tried to support 64-bit a few years ago but then Microsoft revised 64-bit Windows to be even more restrictive towards security software.
So at that point I needed to decide if I'm going to be like many security software makers who silently disable some (or a lot) of the security features in their 64-bit products, just so I can still offer and sell Sandboxie on the new platform.
And I decided against that. Instead I'm saying that it's not right to restrict the Windows platform this way, and that I'm not going to support that. If you're not part of the solution then you're part of the problem, right?
Another reason is that I don't want to be in the position that I offer a security product which can be easily circumvented, and I can tell you that this is absolutely going to happen with 64-bit Sandboxie, because all these new restrictions prevent Sandboxie from being able to monitor/supervise some very important things.
I know this does happen with anti-virus products (and has been happening for years) that they are disabled by viruses, and is accepted as a fact of life. But I'm not going to put my name on a product that ends up being a joke.
If I do end up having to port Sandboxie to 64-bit then it will be under a different name so it doesn't taint the Sandboxie brand with promises about security that it can't possibly deliver.
Of course, if the restrictions are removed, then I will be happy to resume full support for the 64-bit edition of Windows.
* * *
What I don't appreciate is people who have made the decision to switch to a platform where Sandboxie is known to not work, and then become upset about the loss of Sandboxie, so they come here to state that I should expect the imminent end of my business.
Whatever the intentions, I've had so much of it, that by now I see it as a kind or harassment of trolling. My view now is that reasonable people understand there are [arbitrary, but real] technical limitations to 64-bit Sandboxie. And even if they do decide to switch to 64-bit Windows, they accept the consequence of giving up Sandboxie. Life is about choices and this is one of the smaller choices you would ever have to make. It is only the unreasonable people who come here to "discuss" the lack of 64-bit support, or actually I will say, to complain about it. Sorry if that offends you.
* * *
Now I hope I've done a good job of explaining my position so perhaps we can end the discussion at this point." }-
The guy is not simply ranting over nothing. Clearly he is brilliant on technical matters concerning Windows security, so these statements carry a lot of merit. If you read what xiaolin posted earlier, one could conclude there is a correlation to tzuk's statements citing similar concerns about the limitations of 64 bit Windows on security software.
Ilya Rabinovich
July 6th, 2009, 04:42 AM
-{ Quote: "Ilya Rabinovich and other vendors feel free to post, I want to know how windows 64 bit is going to weaken security products in terms of what abilities
they will be limited to." }-
It mostly depends on the ways vendors use to bypass PatchGuard limitations. Many are using application-level hooks, which can be easily bypassed.
Kees1958
July 8th, 2009, 02:08 AM
-{ Quote: "
If I do end up having to port Sandboxie to 64-bit then it will be under a different name so it doesn't taint the Sandboxie brand with promises about security that it can't possibly deliver.
" }-
:thumb:
Brand integrity will pay off in the long run
Masterton
July 9th, 2009, 12:17 PM
I think you should change product name. It sounds like too much of another rogue security product called Malware Defender:
http://www.bleepingcomputer.com/virus-removal/remove-malware-defender-2009
jmonge
July 9th, 2009, 12:49 PM
you mean malware defender2009;D
Masterton
July 9th, 2009, 03:09 PM
-{ Quote: "you mean malware defender2009;D" }-
Yep and I have a bad feeling it will release Malware Defender v3 soon.
jmonge
July 9th, 2009, 03:18 PM
ah i see:)
arran
July 10th, 2009, 12:17 AM
This malware defender2009 rogue annoys me, it is an insult to MD.
I have been giving MD a little exercise today and testing it with some Kill Disk Trojans Maymoons sent me. As expected, MD did a good job. One of them I tested was the one which bypassed Returnil Pro and according to virus total only 7 out of 40 AV's detect it lol.
Masterton
July 11th, 2009, 02:12 PM
-{ Quote: "I have been giving MD a little exercise today and testing it with some Kill Disk Trojans Maymoons sent me. As expected, MD did a good job. One of them I tested was the one which bypassed Returnil Pro and according to virus total only 7 out of 40 AV's detect it lol." }-
I also witnessed Returnil being bypassed by a few KillDisk / Klone malware in other tests.
What about Defensewall and Sandboxie? Do you test them too if it's possible?
arran
July 11th, 2009, 06:19 PM
-{ Quote: "I also witnessed Returnil being bypassed by a few KillDisk / Klone malware in other tests.
What about Defensewall and Sandboxie? Do you test them too if it's possible?" }-
No but others have tested sandboxie so it passes.
I haven't tested defense wall either But I think it would pass.
I have only tested MD and Deep Freeze.
jmonge
July 11th, 2009, 08:23 PM
-{ Quote: "No but others have tested sandboxie so it passes.
I haven't tested defense wall either But I think it would pass.
I have only tested MD and Deep Freeze." }-
Did MD pass your test? Thanks
arran
July 12th, 2009, 01:51 AM
-{ Quote: "Did MD pass your test? Thanks" }-
Yes and deep freeze also passed my 3 Kill disk tests.
jmonge
July 12th, 2009, 03:12 AM
-{ Quote: "Yes and deep freeze also passed my 3 Kill disk tests." }-
Cool ;) I knew it :) It would pass ;D
Copyright ©2002 - 2012, Wilders Security Forums