Malware Defender 2.4.4 beta
xiaolin
November 15th, 2009, 09:28 PM
http://www.torchsoft.com/download/md_setup_2.4.4_b2.exe
what's new?
- Added protection against changing security permissions of files and registry keys.
- Fixed bugs when parsing file paths.
- Minor improvements and fixes.
Thanks for testing. :)
xiaolin
tony62
November 15th, 2009, 10:41 PM
Hi xiaolin,
-{ Quote: "- Added protection against changing permissions of files and registry keys." }-
Is this for NTFS Permissions or built in MD File & Registry protection?
Also, I believe that the comment column of the rules window should contain a brief note on what each rule actually does.
Thanks for all your hard work.
xiaolin
November 15th, 2009, 10:49 PM
-{ Quote: "Hi xiaolin,
Is this for NTFS Permissions or built in MD File & Registry protection?
" }-
It's NTFS permissions for files and folders, and registry security permissions for registry keys.
Thanks,
xiaolin
0strodamus
November 16th, 2009, 09:39 PM
The beta is running well here! :)
xiaolin
November 17th, 2009, 05:33 AM
The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.4.4_b3.exe
what's new since beta2?
- Improved the ability to detect actions of loading DLLs. (changed the implementation from RING3 to RING0)
NOTE: If you upgrade MD from old versions, it's recommended to restart system after upgrade.
Kees1958
November 17th, 2009, 11:11 AM
-{ Quote: "- Improved the ability to detect actions of loading DLLs. (changed the implementation from RING3 to RING0)" }- :thumb: :thumb:
_kronos_
November 17th, 2009, 01:27 PM
-{ Quote: "The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.4.4_b3.exe
what's new since beta2?
- Improved the ability to detect actions of loading DLLs. (changed the implementation from RING3 to RING0)
NOTE: If you upgrade MD from old versions, it's recommended to restart system after upgrade." }-
Good job!
inka
November 17th, 2009, 04:57 PM
occasional bug:
sometimes when an MD popup appears, the [Deny] button is disabled (grayed-out)
When this occurs, ticking the "Create permanent rule" box causes the [Deny] button to become enabled, and it remains enabled even if the "Create permanent rule" box is clicked again (to untick the selection).
I'm saying the bug is the initial grayed-out status of [Deny].
inka
November 17th, 2009, 05:11 PM
Does MD recognize/verify an executable file by hash, or simply by its path?
If by path alone, that would seem like a "weak" protection mechanism.
jmonge
November 17th, 2009, 05:16 PM
-{ Quote: "Does MD recognize/verify an executable file by hash, or simply by its path?
If by path alone, that would seem like a "weak" protection mechanism." }- It is by path ;D
DOSawaits
November 17th, 2009, 05:17 PM
-{ Quote: "Does MD recognize/verify an executable file by hash, or simply by its path?
If by path alone, that would seem like a "weak" protection mechanism." }-
I already asked Xiaolin to incorporate this (like System Safety Monitor does), but the response was that it will slow things down, calculating the hash for every process start. The weird thing is, SSM didn't slow anything down on my system while still giving this strong layer of protection against process modification.
inka
November 17th, 2009, 07:48 PM
Within threads from back when people were begging to have MD include regkey protection, I read the same response ("that would slow things down").
It's not a frivolous feature request. Authors of competing security apps understand that it's a meritworthy feature & they include hash-checking functionality.
The installation default could leave the option unchecked & display a note stating that enabling the feature may impact system performance.
If "enforce hash checking" were an option, I would choose to enable it.
bellgamin
November 18th, 2009, 12:21 AM
How much hash are we seeking? CRC32? MD5? SHA-1? Or... what?
I have heard that the stronger the hash (i.e., more complex algorithm), the greater the system impact and the greater the difficulty of mimicry/collision. And vice versa. Thus, CRC32, for instance, is relatively light in terms of system impact - or so I have heard - but it is weaker than, say, SHA-1.
P.S. I have no idea what I am talking about. :blink:
inka
November 18th, 2009, 01:09 AM
I expect CRC would be sufficient.
There are so many different versions/builds of various components that it's a stretch to imagine malware carrying a payload of all known versions & custom-replacing the original with a same-sized file, but... on the fly, the unloaded dll (or ocx or exe) could be padded to match the filesize of the target file.
For me, the hashing feature request isn't *just* with concern toward MALware. I've too often seen problems arise due to signed/trusted installers (Adobe) or even MS service packs silently overstepping their bounds in replacing shared components.
inka
November 18th, 2009, 01:34 PM
-{ Quote: "
Thanks for testing. :)
" }-
usability pain point:
While working in MD's main "Rules" tab, both the dialog window titled "Edit File Rule" and the dialog window titled "Edit Registry Rule" fail to remember the MRU (most recently used) location. User is forced to click/expand from root location each time.
(The other dialogs -- "Edit Dynamic Link Library Rule", "Edit Child Application Rule", etc -- *do* consider MRU, so I hope the behavior of the odd cases is just an oversight.)
inka
November 19th, 2009, 03:26 AM
simple NirSoft freeware utility called "InsideClipboard":
http://www.nirsoft.net/utils/inside_clipboard.html
MalwareDefender does not recognize this app's clipboard monitoring as a "hook". No hook listed in the MD Hooks tab, no ASK popup when the utility retrieves the clipboard metadata. Okay, if clipboard content (by design) can be retrieved by any app, and the action of this utility is just a "paste" operation (no hook required)...
...how to accomplish a "restricted application group" rule which denies access to the clipboard content?
I searched to find "what COM object" should I restrict access to, but read:
http://www.apriorit.com/case-studies/clipboard-protection.html
that clipboard content can be retrieved by various methods, including by kernel mode low-level functions.
At this point, I'm at a loss. I can't envision how to effect such protection via MD.
Perhaps the developer intends to limit MD's scope, concentrating on offering anti-hook and anti-rootkit protection... and we need to look to other supplementary security apps to achieve "leak protection"?
inka
November 19th, 2009, 04:48 PM
bug, or at least undesirable behavior:
While trying to determine whether the absence of a popup warning of the actions by InsideClipboard is a product of my current ruleset (vs the MD default ruleset) I exported my current ruleset, then restored the default ruleset.
When I again imported "my_current_ruleset.dat", a dialog warned that "rules with the same name will be overwritten". Yeah, okay, whatever...
...except NOW 56 rules are present. Prior to the export/import, only 55 existed.
Conclusion: I apparently disagreed with the presence of one of the default rules, so had deleted it... and now it's back again. Aaaargh, I'm gonna have to stay home from bingo tonight; I'll be stuck sitting here hunting for which rule to RE-delete.
Also, when MD imported my "current" ruleset, the rule *status* for each of "Trusted Network Rules" was not respected.
(previously disabled rules are once again status=enabled)
Yes, I understand why those Microsoft/Verisign rules are present in the default set.
No, the eternal presence of those rules is not welcome ON MY SYSTEM.
Yes, I had previously deleted the Microsoft/Verisign rules, and...
yes, I discovered that MD attempts to prevent user from "shooting himself in the foot" by recreating those rules at each startup if they are not present.
I thought I had achieved a tolerable middle ground, by setting status=disabled for those rules. That way, MD didn't disturb/revert them at startup.
Also, following the export / restore defaults / import operation, I now have conflicting rules for some previously-trusted applications (resided within "Trusted Applications" group at time of export) -- rules for identical apps are now present as "Application Rules" entries as well (not assigned to a group).
What must I do to really REALLY return to my "current" ruleset?
I'll try booting to safe mode, deleting ~MD\rules.dat, and replacing it with a renamed copy of my exported *.dat file.
If that doesn't work, if I can't fully trust that a tediously handcrafted ruleset can be saved/restored... goodbye MD, hello bingo parlor.
xiaolin
November 19th, 2009, 07:49 PM
-{ Quote: "I expect CRC would be sufficient.
There are so many different versions/builds of various components that it's a stretch to imagine malware carrying a payload of all known versions & custom-replacing the original with a same-sized file, but... on the fly, the unloaded dll (or ocx or exe) could be padded to match the filesize of the target file.
For me, the hashing feature request isn't *just* with concern toward MALware. I've too often seen problems arise due to signed/trusted installers (Adobe) or even MS service packs silently overstepping their bounds in replacing shared components." }-
It's not enough to check the hash of .exe files. All executable files (.dll, .sys, .ocx, .cpl, .msc ...) can be infected.
I will think about adding a feature to compare snapshot of important files. But it will not be implemented in near future.
Thanks,
xiaolin
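xiaolin mentions comparing a snapshot of important files. As an added illustration (not Malware Defender's own code), the Python below keeps a baseline of size, CRC32 and SHA-256 per file and reports what changed; the sample "component.dll" bytes are constructed here, and the same-size replacement shows why a path or size check alone (the concern raised above about padding a file to match) is not enough.

```python
import hashlib
import os
import tempfile
import zlib

# Hypothetical baseline-and-compare routine; file names and contents below are
# constructed for the demo and are not from Malware Defender.

CHUNK = 1 << 16


def fingerprint(path):
    """Return (size, crc32, sha256_hex) for one file, read in chunks."""
    sha = hashlib.sha256()
    crc = 0
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sha.update(chunk)
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return size, crc & 0xFFFFFFFF, sha.hexdigest()


def take_snapshot(paths):
    """Baseline: path -> (size, crc32, sha256) for every existing path."""
    return {p: fingerprint(p) for p in paths if os.path.exists(p)}


def compare_snapshot(baseline, paths):
    """Classify each path against the baseline.

    'ok'                  content identical (SHA-256 matches)
    'modified'            content and size differ
    'modified (same size)' content differs but size is unchanged; this is the
                          case a size/path-only check would miss
    'missing'             baseline file no longer exists
    'new'                 file present now but absent from the baseline
    """
    result = {}
    for p, (size, _crc, digest) in baseline.items():
        if not os.path.exists(p):
            result[p] = "missing"
            continue
        nsize, _ncrc, ndigest = fingerprint(p)
        if ndigest == digest:
            result[p] = "ok"
        elif nsize == size:
            result[p] = "modified (same size)"
        else:
            result[p] = "modified"
    for p in paths:
        if p not in baseline and os.path.exists(p):
            result[p] = "new"
    return result


def demo():
    """Snapshot a constructed DLL, replace it with a same-size file, compare."""
    with tempfile.TemporaryDirectory() as d:
        dll = os.path.join(d, "component.dll")
        original = b"MZ" + b"\x90" * 62 + b"original code section" + b"\x00" * 7
        with open(dll, "wb") as f:
            f.write(original)
        baseline = take_snapshot([dll])
        size0, crc0, sha0 = baseline[dll]

        # Same length, different content: path and size are unchanged.
        replacement = b"MZ" + b"\x90" * 62 + b"replaced code section" + b"\x00" * 7
        with open(dll, "wb") as f:
            f.write(replacement)
        size1, crc1, sha1 = fingerprint(dll)
        status = compare_snapshot(baseline, [dll])[dll]
        return {
            "size_unchanged": size0 == size1,
            "crc_changed": crc0 != crc1,
            "sha_changed": sha0 != sha1,
            "status": status,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```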
xiaolin
November 19th, 2009, 07:55 PM
-{ Quote: "simple NirSoft freeware utility called "InsideClipboard":
http://www.nirsoft.net/utils/inside_clipboard.html
MalwareDefender does not recognize this app's clipboard monitoring as a "hook". No hook listed in the MD Hooks tab, no ASK popup when the utility retrieves the clipboard metadata. Okay, if clipboard content (by design) can be retrieved by any app, and the action of this utility is just a "paste" operation (no hook required)...
...how to accomplish a "restricted application group" rule which denies access to the clipboard content?
I searched to find "what COM object" should I restrict access to, but read:
http://www.apriorit.com/case-studies/clipboard-protection.html
that clipboard content can be retrieved by various methods, including by kernel mode low-level functions.
At this point, I'm at a loss. I can't envision how to effect such protection via MD.
Perhaps the developer intends to limit MD's scope, concentrating on offering anti-hook and anti-rootkit protection... and we need to look to other supplementary security apps to achieve "leak protection"?" }-
MD does not have the feature to protect against clipboard monitoring yet.
xiaolin
November 19th, 2009, 07:59 PM
-{ Quote: "bug, or at least undesirable behavior:
While trying to determine whether the absence of a popup warning of the actions by InsideClipboard is a product of my current ruleset (vs the MD default ruleset) I exported my current ruleset, then restored the default ruleset.
When I again imported "my_current_ruleset.dat", a dialog warned that "rules with the same name will be overwritten". Yeah, okay, whatever...
...except NOW 56 rules are present. Prior to the export/import, only 55 existed.
Conclusion: I apparently disagreed with the presence of one of the default rules, so had deleted it... and now it's back again. Aaaargh, I'm gonna have to stay home from bingo tonight; I'll be stuck sitting here hunting for which rule to RE-delete.
Also, when MD imported my "current" ruleset, the rule *status* for each of "Trusted Network Rules" was not respected.
(previously disabled rules are once again status=enabled)
Yes, I understand why those Microsoft/Verisign rules are present in the default set.
No, the eternal presence of those rules is not welcome ON MY SYSTEM.
Yes, I had previously deleted the Microsoft/Verisign rules, and...
yes, I discovered that MD attempts to prevent user from "shooting himself in the foot" by recreating those rules at each startup if they are not present.
I thought I had achieved a tolerable middle ground, by setting status=disabled for those rules. That way, MD didn't disturb/revert them at startup.
Also, following the export / restore defaults / import operation, I now have conflicting rules for some previously-trusted applications (resided within "Trusted Applications" group at time of export) -- rules for identical apps are now present as "Application Rules" entries as well (not assigned to a group).
What must I do to really REALLY return to my "current" ruleset?
I'll try booting to safe mode, deleting ~MD\rules.dat, and replacing it with a renamed copy of my exported *.dat file.
If that doesn't work, if I can't fully trust that a tediously handcrafted ruleset can be saved/restored... goodbye MD, hello bingo parlor." }-
It will merge rules when importing a rule file. You can try the rule files managing feature (Rule menu -> Manage rule files).
inka
November 20th, 2009, 01:12 AM
Thank you. "Manage Rules -> Set as Active" achieves the desired result.
I had fully read the helpfile, but it does not mention "Manage Rules".
Perhaps import/export should be removed from the dropdown (these commands are available within the ManageRules dialog window). At a minimum, the helpfile should state "When performing import command, rules with same name will be overwritten. Consider using the 'Set As Active' command instead."
inka
November 22nd, 2009, 12:13 PM
usability issue:
When maintaining application rules (by double-clicking a line item to open the modal window titled "Edit Application Rule")
many sub-operations are performed via a secondary window
(e.g. [Child Applications] click "Add" raises a window titled "Edit Child Application Rule").
The view is immediately updated as each add/edit/copy/paste/delete operation is performed...
HOWEVER, any changes performed are not "committed" until user closes the secondary window
and clicks the [OK] button of the "Edit Application Rule" window.
-=-
In other words:
After closing the secondary window, UNLESS user clicks the [OK] button of the "Edit Application Rule" window, all sub-operation changes are discarded.
desired behavior:
When user performs ANY change in a secondary window, the app should alert the parent "Edit Application Rule" window (set a flag, mark 'dirty', whatever) so that a confirmation warning is later raised if user attempts to close the parent window without first clicking the [OK] button.
xiaolin
November 22nd, 2009, 11:25 PM
-{ Quote: "usability issue:
When maintaining application rules (by double-clicking a line item to open the modal window titled "Edit Application Rule")
many sub-operations are performed via a secondary window
(e.g. [Child Applications] click "Add" raises a window titled "Edit Child Application Rule").
The view is immediately updated as each add/edit/copy/paste/delete operation is performed...
HOWEVER, any changes performed are not "committed" until user closes the secondary window
and clicks the [OK] button of the "Edit Application Rule" window.
-=-
In other words:
After closing the secondary window, UNLESS user clicks the [OK] button of the "Edit Application Rule" window, all sub-operation changes are discarded.
desired behavior:
When user performs ANY change in a secondary window, the app should alert the parent "Edit Application Rule" window (set a flag, mark 'dirty', whatever) so that a confirmation warning is later raised if user attempts to close the parent window without first clicking the [OK] button." }-
Thanks for the suggestions. :)
xiaolin
November 23rd, 2009, 03:34 AM
English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
German version: http://www.torchsoft.com/download/md_setup_deu.exe
Italian version: http://www.torchsoft.com/download/md_setup_ita.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
Russian version: http://www.torchsoft.com/download/md_setup_rus.exe
What's new?
- Added protection against changing security permissions of files and registry keys.
- Improved the ability to detect actions of loading DLLs.
- Fixed bugs when parsing file paths.
- Fixed a bug when importing rules.
- Fixed a bug when removing stale rules.
- Minor improvements and fixes.
NOTE: If you upgrade MD from old versions, it's recommended to restart system after upgrade.
Thanks,
xiaolin
1boss1
November 23rd, 2009, 06:27 AM
Thanks xiaolin keep up the great work! :)
ruinebabine
November 23rd, 2009, 11:24 AM
xiaolin,
First, thanks for your great work; v2.4.4 final is working great here. By the way, you said earlier, in another thread, that you "cannot find a solution yet" about replacing the Windows registry editor with Registry Workshop. If that is still the case, and simply for your info, maybe you would be interested to check how the author of "Total Uninstall" achieved this beautifully a while ago (there is also this other thread (http://www.martau.com/forums/unattended-install+compatibility-with-registry-workshop-t356.html) in their own forum that elaborated a bit on their solution, see the first 2 posts there). If need be, you could also discuss it with TU's author Gavrila Martau (supportATmartauDOTcom). I hope this could be of some use for you. MD & RW are such indispensable apps for me that I would be delighted if they were walking hand in hand together! :)
Ciao.
subset
November 23rd, 2009, 11:57 AM
Upgraded to current version without problems.
BTW I found out that if I block network events with MD, then these blocked events appear in the Windows Firewall log like any other DROP event.
Cheers
inka
November 23rd, 2009, 03:10 PM
problem / bug / design flaw:
If, in response to popups, you create permanent rules for a given application while the "Edit Application Rule" for that application is open... when you later click [OK] to close the "Edit Application Rule", the application overwrites the popup-initiated rules.
This "collision" scenario has often caused frustration for me. "Dammit! I'm positive I already (recently) created a rule for suchandsuch! Where is the existing rule? Why am I still getting a popup for suchandsuch?"
The problem occurs in "Normal Mode". I haven't checked, but I suspect the same collision scenario would occur during "learning" or "silent" mode as well.
inka
November 23rd, 2009, 04:45 PM
feature request: customizable options for popup template
Requesting an additional
tray icon -> context menu -> "Options..."
dialog containing checkboxes for the following options:
[ ] display the "comment" text of the relevant rule in each popup
Ideally, a HIPS app would be "smart" enough to suggest the degree of severity, or potential risk, associated with a given popup event, or target component. Some HIPS attempt to convey degree of severity by colorizing popups (red, orange, yellow)... but I think displaying the 'comment' field could (eventually) be more informative. Future versions of MD could contain default rules which are "more fully commented" and, in the interim, user-supplied self reminders in the comment field could provide welcome visual cues.
[ ] remember popup last-used screen location & dimensions
As is, MD doesn't "remember" window metrics across sessions.
[ ] include "launch browser window to research the target object" link(s) in each popup
-=-
Competing security apps feature a contextual "more info" link within popups. The link raises a window to display either context-sensitive db helptext stored locally (in a db installed with the app)... or launches a browser window to display a relevant web page on the vendor's site.
-=-
For MD, I'm suggesting (requesting) a user-configurable commandline %1 option.
The default value would launch an MSIE (or Firefox) window to Google search, with %1 in the querystring
-=-
For popups involving protected regkeys, %1 would be the full target path.
For popups involving files or named COM interfaces, MD would create %1 by trimming the path string.
-=-
Link would be represented as an icon; "launch browser window to research the target object" as tooltip text
[ ] Application Rule popups: "Create application rule for this application" PREselected (checkmarked) by default
Perhaps include a "NOT RECOMMENDED" disclaimer for this option...
...and I applaud the current UNselected default, but having this option enabled during certain sessions would certainly eliminate a huge amount of repetitive / tedious clicking. Thankfully, within a session, MD already seems to "remember" last choice & preselects the temporary/permanent radio button.
inka
November 23rd, 2009, 05:10 PM
Settings for each rule currently accommodate Permit/Deny/Ask ...and Log.
As is, I find myself leaving many permanent rules set to "Ask" because the "Log" option alone doesn't provide real-time notification.
I'm requesting an additional option to "play a sound" (sound an alarm, provide an audible cue) when a rule is triggered.
Really, what I would like is the option to specify a "custom command line" per rule... but I won't ask for the whole cookie jar
MD installation would include a siren.wav file (or beep.wav).
-=-
If the sound option is enabled for a given rule, MD "plays" ~\MalwareDefender\siren.wav
-=-
If user prefers a short beep vs a long siren (or whatever), he overwrites the supplied sound file
xiaolin
November 23rd, 2009, 07:58 PM
-{ Quote: "problem / bug / design flaw:
If, in response to popups, you create permanent rules for a given application while the "Edit Application Rule" for that application is open... when you later click [OK] to close the "Edit Application Rule", the application overwrites the popup-initiated rules.
This "collision" scenario has often caused frustration for me. "Dammit! I'm positive I already (recently) created a rule for suchandsuch! Where is the existing rule? Why am I still getting a popup for suchandsuch?"
The problem occurs in "Normal Mode". I haven't checked, but I suspect the same collision scenario would occur during "learning" or "silent" mode as well." }-
This is a known issue. Sorry for the inconvenience.
xiaolin
November 23rd, 2009, 08:08 PM
-{ Quote: "
[ ] display the "comment" text of the relevant rule in each popup
" }-
The rule comment is displayed in the tooltip of triggered rule.
-{ Quote: "
[ ] remember popup last-used screen location & dimensions
As is, MD doesn't "remember" window metrics across sessions.
" }-
MD should remember the position and size of the alert window. Could you verify this issue again? Which version of Windows are you using?
-{ Quote: "
[ ] include "launch browser window to research the target object" link(s) in each popup
" }-
I will think about. For now you can jump to the object in other MD tab and then use the search functions related to the object.
0strodamus
November 23rd, 2009, 08:54 PM
The latest version is running great here. Thanks Xiaolin!
inka
November 23rd, 2009, 11:08 PM
-{ Quote: "The rule comment is displayed in the tooltip of triggered rule." }-
Sorry, I was unclear.
The existing tooltip is helpful, but the additional functionality would be
(if the tray icon -> context menu -> "Options..." checkbox is ticked)
to display comment field as an additional EDITABLE input field, inline within the popup.
-=-
If "create a rule" checkbox is selected, text typed into comment field during popup is written to the rule.
As is, while working with (for instance) an app which is supposedly a "portable app", I might type "why?" as a comment when responding to a popup if the app initiated a regkey write operation... and go back later to investigate (searching rules for "why" to find loose ends), rather than stopping in my tracks to immediately research why.
-=-
Another example: dealing with a strange/new popup for an existing app, I might want to mark the comment "why?" or I may want to enter a notation indicating the popup appeared when I clicked suchandsuch ~~ a detail I'm unlikely to remember later. By the way, USING "JUMP TO RULE" ON SUCH OCCASIONS (AND NEGLECTING TO CLOSE THE "EDIT APPLICATION RULE" WINDOW AFTER TYPING THE COMMENT) IS HOW I DISCOVERED THE FREQUENT "COLLISION" EVENTS WERE OCCURRING.
inka
November 23rd, 2009, 11:16 PM
Are an identical set of default registry rules created for every MalwareDefender installation, or are they tailored to suit the O/S of the installation environment?
-{ Quote: "Which version of Windows are you using?" }-WinXP SP3
1boss1
November 24th, 2009, 03:45 AM
-{ Quote: "xiaolin,
First, thanks for your great work; v2.4.4 final is working great here. By the way, you said earlier, in another thread, that you "cannot find a solution yet" about replacing the Windows registry editor with Registry Workshop. If that is still the case, and simply for your info, maybe you would be interested to check how the author of "Total Uninstall" achieved this beautifully a while ago (there is also this other thread (http://www.martau.com/forums/unattended-install+compatibility-with-registry-workshop-t356.html) in their own forum that elaborated a bit on their solution, see the first 2 posts there). If need be, you could also discuss it with TU's author Gavrila Martau (supportATmartauDOTcom). I hope this could be of some use for you. MD & RW are such indispensable apps for me that I would be delighted if they were walking hand in hand together! :)
Ciao." }-
Yes, I stumbled across that a few months back and applied it to TU, and it works a treat. So I even went through my registry trying to replace all calls to regedit with it to force other programs to do the same, but no such luck.
Xiaolin's Reg Workshop is the best registry editor that ever existed; forcing everything to use it would be icing on the cake.
inka
November 24th, 2009, 11:23 AM
-{ Quote: "Xiaolin's Reg Workshop is the best registry editor that ever existed" }- I'm curious to know why you prefer it over the Resplendence app
http://resplendence.com/registrar_features
but we're posting to a MalwareDefender thread...
...so I'm reminded to mention that I have found MD's "registry search" feature to be RIDICULOUSLY slow (35-40 seconds).
The Torchsoft site boasts "scans in about ten seconds" for RegistryWorkshop, which is comparable to the search speed I'm accustomed to when using 4Dev RegistryCrawler. In comparison, MD's "registry search" performance has been a real disappointment for me.
inka
November 24th, 2009, 11:34 AM
-{ Quote: "MD should remember the position and size of the alert window. Could you verify this issue again?" }-Across reboots, popup position is remembered but height/width reverts to default.
inka
November 26th, 2009, 12:05 PM
"File" tab
Search doesn't seem to be working reliably.
As a test, I tried this:
----------------------------------
"search files" is checkmarked
all other checkboxes are UNticked
"search in" = C:\
"all or part of a filename" = autoexec
----------------------------------
Press the Find button & the search dialog window displays
"searching for files..."
and you see names of subdirectory paths displayed as the search scours the entire drive.
This seems to indicate two faults with the search function:
Fails to first search the contents of immediate directory
and
Ignores (unchecked "Folders" box) directive
Overall, the MD "Files" tab adds little value. It is a nuisance, a hindrance.
It would be preferable for the "Jump to Rule" command to launch a native windows explorer instance, passing the path string in the commandline. Conversely, from within the native Explorer, a "MD: Edit File Rule" context menu shell extension would raise the MD "Edit File Rule" dialog.
0strodamus
November 26th, 2009, 02:22 PM
-{ Quote: "Overall, the MD "Files" tab adds little value. It is a nuisance, a hindrance." }-
I will have to respectfully disagree with you on this one. One thing the file tab is especially useful for is deleting locked files.
Honestly with the amount of criticism that you have for Malware Defender, I'm surprised you are still using it.
Scoobs72
November 26th, 2009, 02:43 PM
-{ Quote: "
Overall, the MD "Files" tab adds little value. It is a nuisance, a hindrance." }- I disagree. It is a useful addition and allows you to continue working within MD without swapping to different outside applications. If you don't like it, then don't use it. Nobody is forcing you to.
bellgamin
November 26th, 2009, 04:48 PM
-{ Quote: "I will have to respectfully disagree with you on this one. One thing the file tab is especially useful for is deleting locked files." }-Agree.
-{ Quote: "Honestly with the amount of criticism that you have for Malware Defender, I'm surprised you are still using it." }-Doubly Agree!
inka
November 26th, 2009, 07:23 PM
-{ Quote: "Honestly with the amount of criticism that you have for Malware Defender, I'm surprised you are still using it." }-Sigh. Right on schedule, here comes the fanboi parade.
I am quite possibly one of MD's biggest fans.
Feedback posts here saying "Way to go!" and "Working fine here 110!1" accomplish little in nudging the development forward. As a tester, I believe my criticism has been both constructive and warranted.
At this juncture I'm compelled to mention that when I initially installed MD, I had high expectations regarding "Detects and removes". Upon discovering, rather quickly, that any REMOVAL depends on user intervention... I discounted the elevenfold bulleted "Detects and removes" anti-hook marketing claims as representing awkward bumps in language translation, and pressed on.
-{ Quote: "ref: http://torchsoft.com/en/md_information.html
Hooks detector screen shot
* Detects and removes system service table hooks (SSDT hooks).
* Detects and removes Win32k service table hooks (shadow SSDT hooks).
* Detects and removes interrupt descriptor table hooks (IDT hooks).
* Detects and removes SYSENTER handler hook.
* Detects and removes kernel object hooks.
* Detects and removes kernel notify routines.
* Detects and removes kernel mode code hooks.
* Detects and removes user mode code hooks.
* Detects and removes global message hooks.
* Detects attached devices.
* Detects hooked driver dispatch routines (IRP hooks)." }-
Across various discussions, I've read that MD is not a full "firewall" solution, nor does it represent a robust "leak prevention" solution (does not monitor outbound for all protocols, and "does not have the feature to protect against clipboard monitoring yet").
-{ Quote: "For now you can jump to the object in other MD tab and then use the search functions related to the object." }-I'm unsure the dev is aware of the features, GUIs, and functionality of competing products. Although I want to like MD well enough to purchase it... for now MD, priced at $40 as of its 2 point 4.x release, fails to provide an outstanding "solution".
-{ Quote: "I will have to respectfully disagree with you on this one." }-This is fine. Toward considering a change, or feature addition, the dev needs to hear feedback from multiple users.
-{ Quote: "If you don't like it, then don't use it. Nobody is forcing you to." }--{ Quote: "Doubly Agree!" }-This is not fine. Chiming in to state a truism and provoke a fellow user amounts to cyberbullying.
Far too much of this sort of crap goes on here in the Wilders forums.
Thank you, please drive thru
arran
November 27th, 2009, 12:37 AM
-{ Quote: "
This is not fine. Chiming in to state a truism and provoke a fellow user amounts to cyberbullying.
Far too much of this sort of crap goes on here in the Wilders forums.
Thank you, please drive thru" }-
Yes it is fine.
Compared to other forums I have seen on the internet, there is actually very little cyberbullying on Wilders. Personally I think the mods and admins here are a good group of mature guys. You have to allow for some freedom of speech on forums, so if you criticize a good security product such as Malware Defender then you can expect others to attack and bash you, and it is justified.
Malware Defender is one of a very few classical HIPS on the internet. For classical HIPS, other than maybe EQS, you really can't get any better than Malware Defender. So stop your moaning and whining.
And inka, I get the impression that you do not know how to use it properly. MD is more for technical users; if you can't learn how to use it, then maybe you should use something else instead?
arran
November 27th, 2009, 12:44 AM
And xiaolin thanks for the update version.
jmonge
November 27th, 2009, 12:48 AM
inka, if you find Malware Defender too hard to use then I advise you to give DefenseWall HIPS a try, it is very easy to use, out of the box ready for you ;)
http://www.softsphere.com/
arran
November 27th, 2009, 01:12 AM
Regarding the firewall subject. Malware Defender wasn't created and made to be an outbound firewall with robust outbound protection, it was made to be a classical HIPS. MD's firewall is just an add-on bonus. And seeing how MD prevents your pc from getting infected, then why would you need robust outbound protection? If there is no such malware on your pc trying to make any outgoing connections, why would you need robust outbound protection?
jmonge
November 27th, 2009, 01:15 AM
-{ Quote: "Regarding the firewall subject. Malware Defender wasn't created and made to be a outbound firewall with robust outbound protection, it was made to be a classical HIPS. MD's firewall is just an add on bonus. And seen how MD prevents your pc from getting infected then why would you need robust outbound protection? if there is no such malware on your pc trying to make any out going connections why would you need robust outbound protection?" }-In fact this is very real: if no malware is introduced or infects your system then there will not be any malware trying to connect to the net :) agree with you :thumb:
inka
November 27th, 2009, 02:52 AM
-{ Quote: "if there is no such malware on your pc trying to make any out going connections why would you need robust outbound protection?" }-Perhaps because I'm a gray hat (tinfoil hat) privacy fanatic... and hopefully not because I'm a micromanaging control freak, heh heh.
Now, moving forward (pretty please), tonight I'm comparing the degree of granularity offered by Comodo Defense+ which, on a per-app basis, enables the user to specifically block discrete COM components (e.g. "Microsoft.CLRAdmin.CCommandHistory", a class within a .NET assembly) rather than applying a broader block against an app reading the entire file (mscormmc.dll).
-=-
MD similarly enables per-app blocking of a given component, identified by CLSID
( e.g {E07A1EB4-B9EA-3D7D-AC50-2BA0548188AC} )
but (feature request) I find myself wishing that, within the MD "Browse for COM Interfaces" window, I could either search or the list would at least scroll to "M" (when Description column is controlling the sort order) if I type "M"... so that I could review what other classes are contained in the component, toward assessing the risk vs merit in blocking the component.
-=-
While here, in the "Browse for COM Interfaces" window, I have found (and am dutifully reporting) a bug:
Click any item in the list (to set focus on the item). When you click a column header (changing sort order), focus shifts away from the selected item.
inka
November 27th, 2009, 03:19 AM
ping. pong.
Torchsoft has no support forum and the dev is single-handedly churning out builds in 6 languages. Rather than supplying feedback via email, I have accepted the dev's public invitation to test & post feedback here at Wilders.
-{ Quote: "several of inka's posts can hardly be viewed as constructive in my opinion" }-Okay, duly noted -- I'll try to maintain a more constructive tone in future posts.
Scoobs72
November 27th, 2009, 03:44 AM
-{ Quote: "
Okay, duly noted -- I'll try to maintain a more constructive tone in future posts." }-
Problem solved :) Back on topic now.
DOSawaits
November 27th, 2009, 04:30 AM
I may be going OT, but what do you MD users do when you have new Windows Updates ready to be installed ?
I find it extremely hard for not having some clever installation mode like SSM had. It's a never ending clickfest.
It's a shame I will uninstall it, and get over to Comodo Firewall & Defense+ since it's so much more cleverly adjusting to the user's input of flagging something as Trusted, and having a temporary install mode. With MD it keeps on popping up ad infinitum, which leads to the well known "Oh well, let's start clicking allow on every popup" .... In the end, you silently end up giving EVERY dangerous process (e.g. svchost.exe etc...) more and more freedom, and ultimately you start to wonder if there's something left that you don't want to allow....
In the meantime, I actually forgot if the license I have is a 1-year or a lifetime one, if it's the latter, I hope to some day get back with MD.:(
jmonge
November 27th, 2009, 10:29 AM
never update Windows ;D ;) so no problem here about that :)
inka
November 27th, 2009, 12:51 PM
-{ Quote: "when you have new Windows Updates ready to be installed ?" }-
Both MalwareDefender and Defense+ have a learning/training mode.
In the default D+ policy set, wuauclt and wupdmgr are members of 'installers' group.
(In case user forgets to switch modes? So that updates can silently occur in the background, without popups, while still in normal mode?)
-=-
For MD, operating in training mode should yield a popup-free WinUpdates session; because MD doesn't perform hash-checking, I would just temporarily disable its protection, though (and perform two post-update restarts before re-enabling it).
-{ Quote: "I will uninstall it, and get over to Comodo Firewall & Defense+ since" }-since *nothing*
The two apps coexist peacefully (for me, under WinXP Pro SP3).
tip: D+ severely bogs my sandboxied browser operations. MD does not.
-{ Quote: "with MD it keeps on popping up ad infinitum" }-
Both MalwareDefender and Defense+ enable you to adjust their settings so that they are as visible (intrusive) or transparent as you wish... and both create reasonably granular (vs too permissive) rulesets if you initially (across several restarts, and open/close your various frequently-used apps) operate them in learning mode.
-{ Quote: "start clicking allow on every popup" .... In the end, you silently end up" }-Be careful when using D+ (think carefully before clicking Allow/NoRule)
Unlike MD, the non-permanent D+ allow isn't ALLOW ONCE; it's analogous to the MD option to "create a temp rule which will be automatically deleted when the process exits".
bellgamin
November 28th, 2009, 02:38 AM
-{ Quote: "I find it extremely hard for not heaving some clever installation mode like SSM had. It's a never ending clickfest." }-I used SSM for several years, beginning shortly after Max Burmistrov made it available for slooooow download in 2002. I was an early registrant when SSM went commercial in 2006.
I still have several old SSM tutorials in my archives. Here is an extract from one of them as pertains to install mode...
-{ Quote: "Install Mode - This feature allows installing any program with SSM running, but without SSM continuing to issue pop-ups during that installation. The ASSUMPTION is that you fully trust the program being installed. When you first launch the desired setup file, you will be alerted by SSM. Just select the drop-down arrow beside "Allow", then choose, "Install mode." You will then not be alerted any further during the installation of the selected program." }-
During the time that SSM was in install mode, it provided basically "zero protection" from any anomalies of the program being installed.
In other words, in order to suspend pop-ups during install, SSM suspended protection.
You can accomplish more or less the same thing with MD by putting it into learning mode during an installation.
BL: a substantial part of the protection offered by a HIPS is engendered by its pop-up *alerts* whenever it detects suspicious &/or intrusive behavior. Reducing or turning off alerts must, of necessity, reduce the HIPS protective effectiveness. AFAIK the only way A HIPS' protective effectiveness can be maintained, while (at the same time) reducing alert frequencies, is by use of emulators, virtualizers or sandboxes.
(Herbalist -- where are you when we need you?)
jmonge
November 28th, 2009, 02:45 AM
it makes sense;)
Kees1958
December 1st, 2009, 08:13 AM
-{ Quote: ".
(Herbalist -- where are you when we need you?)" }-
I hope everything is well with him, have not seen him on Wilders for long time.
arran
December 2nd, 2009, 07:10 AM
I confess I didn't have a MD license until today, have always been restoring OS images due to software testing and what not. But now today I thought I had better get a license and have done.
Meriadoc
December 2nd, 2009, 09:31 AM
-{ Quote: "(Herbalist -- where are you when we need you?)" }-
:thumb:
-{ Quote: "I hope everything is well with him, have not seen him on Wilders for long time." }-
I believe he left quite awhile ago.
wat0114
December 2nd, 2009, 01:31 PM
-{ Quote: "
During the time that SSM was in install mode, it provided basically "zero protection" from any anomalies of the program being installed.
In other words, in order to suspend pop-ups during install, SSM suspended protection.
You can accomplish more or less the same thing with MD by putting it into learning mode during an installation.
" }-
Or, you can check posts #32 & #33 in this thread (http://www.wilderssecurity.com/showthread.php?t=233728) and use a similar approach, where you will get far fewer pop-ups but MD will still guard and alert against common (this is the idea, anyway) malware entry points. I've tested it thoroughly in a vm and it works. All you need to do is enable the "Install mode" rule before launching the unknown app, then disable it when done.
I'm not trying to boast, only trying to illustrate it's possible to configure MD to work for you, rather than against you, when installing unknown apps.
inka
December 2nd, 2009, 08:43 PM
-{ Quote: "enable the "Install mode" rule before launching the unknown app" }-MD currently has 3 "modes": normal, learning, and silent.
-=-
After connecting the dots, I see that you are referring to your post #32 "custom Program Install Mode application rule"
and I agree this is preferable to switching to "Learning Mode" during an install.
After the install, I wouldn't bother moving the installer's rule though; instead, I would just delete the rule.
Ah, different ways to skin the same cat.
I don't understand the merit in creating another 'custom' rule to handle installers. By editing the "Installers and Updaters group" rule (once) to suit your permission(s) preference regarding installer apps, handling each new installer only requires:
Create an application rule (pointing to the path of yet-unknown app),
then right-click the newly created rule and "Move to Group" -> "Installers and updaters" group
-{ Quote: "in this thread (http://www.wilderssecurity.com/showthread.php?t=233728") ..." }-Do the Feb 2009 posts still accurately reflect your ruleset strategy, wat0114?
If not, what significant changes have you made to your ruleset since then?
According to your screenshot annotations, "Internet Access Applications" and "Microsoft Applications" were custom groups you added.
What magic did you use?
I've been under the impression that custom groups cannot / will not display in the "Rules" treeview.
wat0114
December 2nd, 2009, 09:05 PM
-{ Quote: "
Ah, different ways to skin the same cat.
I don't understand the merit in creating another 'custom' rule to handle installers. By editing the "Installers and Updaters group" rule (once) to suit your permission(s) preference regarding installer apps, handling each new installer only requires:
" }-
It was experimental, basically to give a bit more protection against unknown, or as yet to be proven, installers. The idea was to allow once, rather than create permanent rules that had to be deleted later. At the time, I was testing some malware samples just for interest's sake. If you also look at post 33 you will see I've even got alerts for network access attempts - something a lot of malware will attempt during installs, as well as even some "safe" installers ;) I have not used MD for a few months, so I can't really say my strategy would be the same or different now, only that because it was experimental, it's certainly open for modification.
-{ Quote: "According to your screenshot annotations, "Internet Access Applications" and "Microsoft Applications" were custom groups you added.
What magic did you use?
I've been under the impression that custom groups cannot / will not display in the "Rules" treeview." }-
No magic. The customized groups don't show up until you add a rule to them after you create them. It's one of the few "quirky" things about MD :)
inka
December 2nd, 2009, 09:44 PM
custom groups
I have even tried uninstalling/reinstalling MD but the "custom groups" do not show in the treeview.
Rule -> "Application Groups..."
click [New Group]
I've added a group, but the only way to add an application into the group is via the [New Object] button. Even after I do add an application object in this manner, the custom group does not display in the treeview. Additionally, when I right-click an existing application rule -> Move To Group... the flyout does not list any custom group as a possible destination.
FWIW, I get the identical no-show behavior after creating (and populating it with at least one object) file / reg / network group.
wat0114
December 2nd, 2009, 10:31 PM
Try: Right-click -> New rule -> File rule... then check out the screenshot for further procedure. The Group you created earlier should show up in the tree view after this method. BTW, I'm just taking a quick look at this latest version in the vm (VBox)
inka
December 2nd, 2009, 11:39 PM
wat0114, Thanks !!!!
inka
December 3rd, 2009, 12:39 AM
usability issue:
MSIE 8
google.com homepage
typing into AJAX search-as-you-type text field causes MD to alert "low level keyboard access".
Perhaps correct behavior for MD, but the user faces a problematic choice:
deny (permanent rule) and forever forego search-as-you-type convenience
or
permit (permanent rule) and forever worry, knowing the barn door is open
(or temporarily suspend MD protection, or visit the permissions tab for the application rule & change... but I'm disregarding these as non-desirable options)
In the MD popup, the option to create a temporary rule is grayed-out.
wat0114
December 3rd, 2009, 09:02 PM
What it basically comes down to is you trust IE8 or you don't.
tony62
December 3rd, 2009, 09:13 PM
I've dropped MD for Windows 7 64bit.
Yes, I feel free from the burden, as I know from so many years of not getting any malware, how light personal computer actually is!!
Don't get me wrong, I love the control, but I also like not having to answer to my always legitimate system.
I still use virtual machines for testing though. Was VB, now Windows XP Mode
Never been so good.
wat0114
December 3rd, 2009, 09:58 PM
-{ Quote: "I've dropped MD for Windows 7 64bit.
Yes, I feel free from the burden, as I know from so many years of not getting any malware, how light personal computer actually is!!
...Never been so good." }-
I've done the same tony, also using Win 7 x64. Even ditched the software fw in favor of the built-in two way in Window, with my own ruleset. The lifted burden and increased speed is astonishing :)
inka
December 4th, 2009, 12:31 AM
-{ Quote: "What it basically comes down to is you trust IE8 or you don't." }-Basically... whether or not you or I trust IE8 is irrelevant.
-{ Quote: "I feel free from the burden, as I know from so many years of not getting any" }-Ah, that explains it...
;)
arran
December 4th, 2009, 12:46 AM
I run IE8 in Sandboxie and let Sandboxie do 99 percent of containment and isolation, so much easier this way. For me MD is a backup and for system wide protection.
Scoobs72
December 4th, 2009, 02:08 AM
-{ Quote: "I run IE8 in sandboxie and let sandboxie do 99 percent of containment and Isolation, so much easier this way. for me MD is a back up and for system wide protection." }-
Exactly the same here.
inka
December 4th, 2009, 02:15 AM
-{ Quote: "I run IE8 in sandboxie" }-
FWIW, I seldom use internet explorer. I discovered the reported issue after one of my apps launched IE (apparently with disregard for "default browser" setting).
Before reporting the "issue", I did test a sandboxed instance. Same result.
You are reporting that you tested and were not able to reproduce what I described?
tony62
December 5th, 2009, 01:46 AM
-{ Quote: "Basically... whether or not you or I trust IE8 is irrelevant.
Ah, that explains it...
;)" }-
I'm glad.
inka
December 5th, 2009, 07:03 PM
xiaolin, perhaps you have discussed a Malware Defender feature roadmap on non-English-language forums, but the description offered on your English-language site truly is leading people to believe MD is something other than a policy-based HIPS application.
-{ Quote: "ref: http://torchsoft.com/en/md_information.html
Hooks detector
* Detects and removes system service table hooks (SSDT hooks).
* Detects and removes Win32k service table hooks (shadow SSDT hooks).
* Detects and removes interrupt descriptor table hooks (IDT hooks).
* Detects and removes SYSENTER handler hook.
* Detects and removes kernel object hooks.
* Detects and removes kernel notify routines.
* Detects and removes kernel mode code hooks.
* Detects and removes user mode code hooks.
* Detects and removes global message hooks.
* Detects attached devices.
* Detects hooked driver dispatch routines (IRP hooks)." }-
Malware Defender has been mentioned, described as an "anti-rootkit", here:
"Actual 2009 Antirootkits" thread
http://forum.sysinternals.com/forum_posts.asp?TID=20007
and has been subjected to testing alongside 50 other "anti-rootkits" here:
Hidden Dynamic-Link Library Detection Test
http://www.ntinternals.org/dll_detection_test.php
and here:
Hidden Process Detection Test
http://www.ntinternals.org/process_detection_test.php
with the test author reporting that Malware Defender, as an anti-rootkit, "couldn't (even) detect process hidden by oldest process hiding methods including PspCidTable manipulation".
subset
December 5th, 2009, 11:13 PM
-{ Quote: "Malware Defender has been mentioned, described as an "anti-rootkit", here:
"Actual 2009 Antirootkits" thread
" }-
I don't think that MD contains a fully featured ARK, like e.g. RkU is.
IMHO it's a first-rate HIPS with a lot of very useful system tools.
The catch phrase "advanced rootkit detector" from the website is maybe too much of a good thing.
I think "advanced system tools" would also be a hat that suits, wouldn't add fuel to the expectations and would also prevent it from being the only HIPS in an ARK test.
However, I didn't find any other HIPS there and I doubt that they would have scored better, even though they also state to detect hidden processes and rootkits etc.
Practically I doubt that MD would run as trouble free as it does now if it had a driver like most of these dedicated super-duper ARK tools.
Cheers
inka
December 6th, 2009, 09:54 AM
-{ Quote: "I doubt that MD would run as trouble free as it does now if it would have a driver like" }-What sort of (different) driver?
mdservice is a kernel-level driver, right?
Driver-wise, the only difference I've noticed between the MD driver and some other HIPS / ARK apps is that the MD driver loads as a service (post-winlogin) vs loading via BootExecute. Although the latter arguably affords a greater degree of protection, except for impacting startup loadtime (logged in and desktop visible) I don't understand how it would be less "trouble free"...
...aside from the potential scenario of "locking yourself out" by installing a new app (or windows update) and neglecting to ensure the HIPS is in learning mode during the post-install reboot.
Brocke
December 6th, 2009, 02:01 PM
I'm really impressed by this program, too bad it can't detect and remove malware.
is the firewall strong?
jmonge
December 6th, 2009, 02:03 PM
You can remove malware manually if you want. I tested against the braviax.exe virus and I removed it with MD ;)
Brocke
December 6th, 2009, 02:05 PM
-{ Quote: "you can remove malware manually if you want i tested againts braviax.exe virus and i removed it with MD;)" }-
very true :) Thanks
jmonge
December 6th, 2009, 02:08 PM
Just find the file with Malware Defender and delete it. You can also block any running process: make a rule for it, then find the rule and with a mouse click place any files in blocking mode, and when in blocking mode restrict it so it cannot start :thumb:
inka
December 6th, 2009, 07:09 PM
-{ Quote: "is the firewall strong?" }-As mentioned earlier in this thread and elsewhere, MD doesn't act as a stateful firewall. It just monitors outbound TCP/UDP requests; it doesn't marshall all protocols.
subset
December 6th, 2009, 10:15 PM
-{ Quote: "
Driver-wise, the only difference I've noticed between the MD driver and some other HIPS / ARK apps is that the MD driver loads as a service (post-winlogin) vs loading via BootExecute. Although the latter arguably affords a greater degree of protection, except for impacting startup loadtime (logged in and desktop visible) I don't understand how it would it would be less "trouble free"..." }-
Are most of these ARK tools really designed to run on every boot? I doubt that.
Most are just start-scan-fix-close tools.
However, apart from their great detection capabilities most of these tools have also great capabilities to crash a system or raise incompatibilities and wouldn't pass any quality assurance.
They are very useful in specific situations, but you will hardly find any of these tools implemented in a real-time protection software.
Cheers
inka
December 10th, 2009, 08:45 PM
feature request:
Beyond * and ? wildcards, it would be really helpful to have additional regex available in the search -- especially negation
[^\]system32\whatever
[^\]internet
In some instances, the "Match whole string" option is helpful. More often though, beginning-of-string matching is desirable rather than exact match.
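To make the feature request above concrete, here is an added example (not MD's own code, and not from the post) of how a rule-path search could handle the `*` and `?` wildcards MD already supports, the "Match whole string" option versus beginning-of-string matching, and a negation toggle. The rule paths are constructed sample data, and the function names are assumptions of this example.

```python
import re
from typing import List

# Constructed sample rule paths (not taken from any real MD ruleset).
RULES: List[str] = [
    r"C:\Windows\system32\svchost.exe",
    r"C:\Windows\system32\drivers\etc\hosts",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Windows\explorer.exe",
]


def wildcard_to_regex(pattern: str, whole_string: bool = False) -> re.Pattern:
    """Translate a HIPS-style path pattern into a compiled regex.

    Only '*' (any run of characters) and '?' (exactly one character) are
    wildcards; every other character, including '\\' and '.', is matched
    literally.  Windows paths are case-insensitive, so the regex is too.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    # "Match whole string" anchors both ends; the default anchors only the
    # start, giving the beginning-of-string (prefix) match the post asks for.
    regex = f"^{body}$" if whole_string else f"^{body}"
    return re.compile(regex, re.IGNORECASE)


def search_rules(rules: List[str], pattern: str,
                 whole_string: bool = False, negate: bool = False) -> List[str]:
    """Return the rule paths matching (or, with negate=True, NOT matching)
    the pattern, preserving the original order."""
    rx = wildcard_to_regex(pattern, whole_string)
    return [path for path in rules if bool(rx.match(path)) != negate]


if __name__ == "__main__":
    # Prefix match: everything under system32.
    print(search_rules(RULES, r"C:\Windows\system32\*"))
    # Negated search: every rule that does NOT mention "internet".
    print(search_rules(RULES, r"*internet*", negate=True))
    # Whole-string match with a single-character wildcard.
    print(search_rules(RULES, r"c:\windows\system32\svchost.ex?", whole_string=True))
```

With `whole_string=False` a bare directory path such as `C:\Windows\system32` already matches everything beneath it, which is the prefix behaviour the post prefers over exact match; `negate=True` gives the requested negation without requiring the user to write regex syntax by hand.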
inka
December 10th, 2009, 08:50 PM
point of confusion -- GUI discrepancy
In the MD "Rules" tab treeview, "Application Rules - Normal" and "Application Rules - System" are displayed as top-level siblings.
However, applications within the "Application Rules - System" group are affected by the [App]* asterisk rule (which is displayed as a child of "Application Rules - Normal")
inka
December 10th, 2009, 09:02 PM
question / suggestion:
MD "Autoruns" tab does not display (as far as I can tell) entries for codecs
Do codecs represent a significant malware vector? (IMO they do)
Should the autoruns coverage be expanded to include codecs?
inka
December 10th, 2009, 09:14 PM
bug report:
I've encountered a consistently repeatable bug, such that the MD GUI hangs/freezes.
I will post a followup to provide specific details "how to reproduce".
In the meantime, if you're using MD please try this:
view the "Hooks" tab in the MD GUI
click the left-column "User Mode Code Hooks"
and reply _IF_ you discover that your GUI starts scanning (dialog box) but hangs
(If it doesn't hang, no need to reply.)
bellgamin
December 10th, 2009, 09:23 PM
-{ Quote: "bug report:MD please try this:
view the "Hooks" tab in the MD GUI
click the left-column "User Mode Code Hooks" (If it doesn't hang, no need to reply.)" }-You said "no need to reply" not "do NOT reply". Ergo, I did as you suggested & it worked just fine. Didn't hang. :shifty:
Scoobs72
December 11th, 2009, 02:26 AM
Doesn't hang here. inka - Win7??
subset
December 11th, 2009, 03:56 PM
-{ Quote: "Doesn't hang here. inka - Win7??" }-
Even with Windows 7 it doesn't hang here.
Cheers
Scoobs72
December 11th, 2009, 04:14 PM
-{ Quote: "point of confusion -- GUI discrepancy
In the MD "Rules" tab treeview, "Application Rules - Normal" and "Application Rules - System" are displayed as top-level siblings.
However, applications within the "Application Rules - System" group are affected by the [App]* asterisk rule (which is displayed as a child of "Application Rules - Normal")" }-
Can you think of a better way to display this? It's not really very confusing. To 'simplify' the display you'd have to add an extra tree:
- Application rules
_____*
_____ Normal
________Installers and Updaters...etc
_____System
________C:\windows\explorer.exe......etc
...and that would make things awkward as you now have an extra tree. Labelling * as "Default rules for normal and system application rules" would resolve the 'confusion'.
inka
December 11th, 2009, 08:16 PM
A better way? Yes, perhaps a top-level "Global Application Rules" node should be added
(matching the convention used for registry, network, and file rules).
In the meantime:
a rule apparently belonging to NodeA affecting the children of NodeB
is a discrepancy and a potential source of confusion.
If you care to further 'argue about' this factual observation... {crickets}
Scoobs72
December 12th, 2009, 02:45 AM
-{ Quote: "A better way? Yes, perhaps a top-level "Global Application Rules" node should be added
(matching the convention used for registry, network, and file rules).
In the meantime:
a rule apparently belonging to NodeA affecting a children of nodeB
is a discrepancy and a potential source of confusion.
If you care to further 'argue about' this factual observation... {crickets}" }-
Here's a factual observation - your observation is petty, picky and unnecessary. There is no source of confusion once the brain is engaged. I have proposed an alternative and explained why that would have its own downfall. Hence the current solution is most likely the best one. Criticism needs to be constructive to be of real value. Otherwise...{insert sarcastic comment}
subset
December 13th, 2009, 09:06 PM
Hi,
I can not save Alternate Data Streams to a file under Windows 7.
Anyone else with this problem?
Cheers
xiaolin
December 13th, 2009, 10:41 PM
The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.5.0_b1.exe
what's new?
- Added support for filtering logs.
- Added support for pausing protection for a period of time.
- Fixed a bug when handling files on FAT32 partition.
- Fixed a bug that cannot stop displaying alert for creating registry link even if the protection is disabled.
- Fixed a bug that cannot save Alternate Data Streams to a file.
Thanks for testing.
Xiaolin
subset
December 13th, 2009, 11:37 PM
-{ Quote: "
- Fixed a bug that cannot save Alternate Data Streams to a file." }-
Just tested this with 2.5.0 beta1 and it works now for me.
Cheers
Copyright ©2002 - 2012, Wilders Security Forums