Wilders Security Forums  

Wilders Security Forums > Security Software > other anti-malware software
#26
October 28th, 2009, 09:12 PM
smith2006
Frequent Poster
Join Date: Mar 2006
Posts: 464
Re: Malware Defender 2.4.1 beta

The final version 2.4.1 is running fine here.

Thanks Xiaolin.
#27
October 29th, 2009, 11:04 PM
xiaolin
Frequent Poster
Join Date: Aug 2008
Posts: 244
Malware Defender 2.4.2 final is released

English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
German version: http://www.torchsoft.com/download/md_setup_deu.exe
Italian version: http://www.torchsoft.com/download/md_setup_ita.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
Russian version: http://www.torchsoft.com/download/md_setup_rus.exe

What's new?
- Fixed bugs that may cause protections to be bypassed by malware.
#29
October 29th, 2009, 11:53 PM
nick s
Very Frequent Poster
Join Date: Nov 2002
Posts: 1,426
Re: Malware Defender 2.4.2 final is released

Quote:
Originally Posted by ssj100
Could you please provide any further details on that? Thanks.
Google killmdfile.rar. Xiaolin will have to explain it to us in layman's terms: ProbeBypass attack techniques. The POC download link is at the end of the post.
__________________
Nick
#30
October 30th, 2009, 12:02 AM
nick s
Very Frequent Poster
Join Date: Nov 2002
Posts: 1,426
Re: Malware Defender 2.4.1 beta

Among other things, it appears to kill Malware Defender 2.4.1 (UI and service) at startup on XP SP3.
__________________
Nick
#31
October 30th, 2009, 03:54 AM
xiaolin
Frequent Poster
Join Date: Aug 2008
Posts: 244
Malware Defender 2.4.3 final is released

English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
German version: http://www.torchsoft.com/download/md_setup_deu.exe
Italian version: http://www.torchsoft.com/download/md_setup_ita.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
Russian version: http://www.torchsoft.com/download/md_setup_rus.exe

What's new?
- Fixed a bug that may cause file protection to be bypassed by malware.

Sorry for the inconvenience.
#32
October 30th, 2009, 04:09 AM
1boss1
Frequent Poster
Join Date: Jun 2009
Location: Australia
Posts: 397
Re: Malware Defender 2.4.3 final is released

Quote:
Malware Defender 2.4.3

I don't think you incremented the build number when you compiled; mine still says 2.4.2.

Edit: Nah, it's cool, my browser must have had it cached. I switched browsers and got 2.4.3.

Thanks Xiaolin.
__________________
NIS2010 - Malware Defender - MBAM
#33
October 30th, 2009, 02:31 PM
Scoobs72
Frequent Poster
Join Date: Jul 2007
Posts: 308
Re: Malware Defender 2.4.1 beta

Looks like there is a 2.4.4 on its way soon, further bypasses fixed...
#35
October 30th, 2009, 03:56 PM
nick s
Very Frequent Poster
Join Date: Nov 2002
Posts: 1,426
Re: Malware Defender 2.4.1 beta

Quote:
Originally Posted by ssj100
Where are these bypasses suddenly coming from?
The 3 POCs are the work of a Chinese security researcher known as mj0011. mj0011 coded the Tophet POC rootkit/bootkit last year. The English version of MD 2.4.4 beta 1 is available here: http://www.torchsoft.com/download/md_setup_2.4.4_b1.exe. It addresses the third and most recent POC.
__________________
Nick
#37
October 30th, 2009, 04:04 PM
nick s
Very Frequent Poster
Join Date: Nov 2002
Posts: 1,426
Re: Malware Defender 2.4.1 beta

Quote:
Originally Posted by ssj100
Thanks for the information. Any chance we can get our hands on those POCs?
You can get them here: <Snip>. Don't use Google translate. The POCs can be found in the fourth folder down.

Edit: Please don't post links even to POC malware
__________________
Nick

Last edited by Peter2150 : October 30th, 2009 at 11:18 PM. Reason: Removed Link to POC Malware
#38
October 30th, 2009, 10:20 PM
bonedriven
Frequent Poster
Join Date: Jan 2007
Posts: 434
Re: Malware Defender 2.4.1 beta

For those who are interested in bypassing MD, check <SNIP>. It's also why new versions come so frequently.

Last edited by Peter2150 : October 30th, 2009 at 11:21 PM. Reason: Removed questionable link.
#39
October 30th, 2009, 11:02 PM
nick s
Very Frequent Poster
Join Date: Nov 2002
Posts: 1,426
Re: Malware Defender 2.4.1 beta

Quote:
Originally Posted by bonedriven
It's also why new versions come so frequently.
and the contest may go on for a while...

Quote:
This is the third released code that breaks through MD file protection. All current attacks are directed at MD's NtCreateFile hook, while the rest of MD's hooks are about 3,40 ~; just for NtCreateFile, at least five kinds of attack are left.
__________________
Nick
#40
October 30th, 2009, 11:20 PM
bonedriven
Frequent Poster
Join Date: Jan 2007
Posts: 434
Re: Malware Defender 2.4.1 beta

Quote:
Originally Posted by nick s
and the contest may go on for a while...

Well, I guess mj0011 will lose interest in attacking it soon. I'm not being ironical on MD though.
#41
October 30th, 2009, 11:47 PM
nick s
Very Frequent Poster
Join Date: Nov 2002
Posts: 1,426
Re: Malware Defender 2.4.1 beta

Quote:
Originally Posted by bonedriven
I'm not being ironical on MD though.
This is a good thing for MD. I want the security apps that I use to be given serious scrutiny.
__________________
Nick
#42
October 31st, 2009, 02:31 AM
arran
Frequent Poster
Join Date: Feb 2008
Posts: 980
Re: Malware Defender 2.4.1 beta

Quote:
Originally Posted by bonedriven
Well, I guess mj0011 will lose interest in attacking it soon. I'm not being ironical on MD though.

mj0011 is doing us a good favor here. I don't think he is making POCs to give MD a bad name; instead he is making POCs to improve MD and make it better by finding security holes.

This indicates mj0011 must think very highly of MD. It's good to know we are using a product such as MD that an expert like mj0011 also probably uses.

Anyway, why all of a sudden can't anyone post harmless POCs any more? Can someone please PM me a sample?
__________________
Sandboxie | Malware Defender | Admuncher | Kerio 2.15 | Macrium Reflect | Nat Router | TrueCrypt
FF Add On's | BetterPrivacy | Ghostery | Noscript | RandomUserAgent | Perspectives
HARDENING TOOLS | Seconfig XP | WWDC | Security&Privacy | SafeXP | XP-Antispy | Bug Off
COMMAND AND CONTROL
#43
October 31st, 2009, 06:26 PM
0strodamus
Frequent Poster
Join Date: Aug 2009
Location: New York / Arizona, USA
Posts: 310
Re: Malware Defender 2.4.1 beta

I'm sure this is a dumb question, but can someone tell me what the acronym POC stands for? Thanks!
__________________
RT: Malware Defender | Look 'n' Stop | Kaspersky Anti-Virus 2011 | SuRun | Acrylic DNS | Sandboxie | SAS Pro
OD: HostsMan | Trojan Remover | Emsisoft CL | Vba32 CL | MBAM Pro | Acronis
OS: Windows XP SP3
HW: Gigabyte GA-EP45T-UD3P | Intel QX9750 | OCZ Reaper 4GB | nVidia GTX285 | HT OMEGA Claro+
#44
October 31st, 2009, 06:29 PM
DOSawaits
Regular Poster
Join Date: Dec 2008
Posts: 165
Re: Malware Defender 2.4.1 beta

Quote:
Originally Posted by Derelict_NY
I'm sure this is a dumb question, but can someone tell me what the acronym POC stands for? Thanks!
Proof of Concept
#45
October 31st, 2009, 07:50 PM
0strodamus
Frequent Poster
Join Date: Aug 2009
Location: New York / Arizona, USA
Posts: 310
Re: Malware Defender 2.4.1 beta

Thanks DOSawaits!
__________________
RT: Malware Defender | Look 'n' Stop | Kaspersky Anti-Virus 2011 | SuRun | Acrylic DNS | Sandboxie | SAS Pro
OD: HostsMan | Trojan Remover | Emsisoft CL | Vba32 CL | MBAM Pro | Acronis
OS: Windows XP SP3
HW: Gigabyte GA-EP45T-UD3P | Intel QX9750 | OCZ Reaper 4GB | nVidia GTX285 | HT OMEGA Claro+
#46
November 1st, 2009, 03:15 PM
inka
Regular Poster
Join Date: Oct 2009
Posts: 122
Re: Malware Defender 2.4.1 beta

So far, I'm failing to understand how to use "Groups" within MalwareDefender.

I understand how to CREATE a group:
click "Rule" in the toolbar, then "Application Groups..." in its dropdown menu
then, in the window titled "Application Groups", click "New Group".
-=-
A dialog box titled "Edit Group" pops up.
An ever-present notice in the dialog box reads: "A group will not be displayed in the rule window after it is created, you must create a rule to use it."
Here you type the label name for the group
(filling in the text name is the ONLY action you can perform in this dialog)
and click "Okay" to close the dialog.

you must create a rule to use it
CREATE a rule? Or does this mean 'empty' groups are not displayed -- must ASSIGN/MOVE at least one application (application rule item) to cause the groupname to show up in the treeview display? OR... regardless whether a custom group is empty or not empty, custom groups are NEVER displayed in the treeview?

Right-clicking an application rule for one of the apps I wish to place in my newly-created custom group, when I hover at "Move to Group" in the context menu flyout, I DO NOT SEE MY NEW 'APPLICATION RULE GROUP' LISTED AMONG THE GROUP NAMES.

While adding the application groupname, I noticed the "New Object" button, but I hadn't added any "object" (because I had expected that I would be adding an existing "application rule" item into the group)... so I return to the "Application Groups" window and click "New Object". I'm presented with the multi-tabbed window which is used to create new rules (any rules: network, file, application) with its "General" tab preselected. Both "select an application" and "select an application group" radio buttons are grayed-out, but the "File path" textbox shows a cursor (has focus)... so I browse/assign the exe file for one of the apps I wish the group to contain, and click "OK".
-=-
The icon for this "object" exe is now displayed beneath my custom group in the "Application Groups" popup window, but the custom group STILL isn't displayed in the treeview of the main (Rules tab) window. Thinking to myself "Gee, the custom group STILL doesn't have any unique permissions set"... once again I return to "New Object" and click the "Files" tab. (In this example, the intended purpose of the group is: restrict applications listed in it from writing to my D:\ drive.) At the files tab, I enter the D:\ path and tick "files and folders"... and clicking the "OK" button has no effect.

This seems confusing and awkward. With every other similar app I've used, at this point I would expect to see an icon for the newly-created group in the treeview, and would expect to be able to drag one or several apps onto (into) the group.

What aspect of the workflow am I missing here?
#47
November 1st, 2009, 03:54 PM
wat0114
Very Frequent Poster
Join Date: Mar 2007
Location: S.W. Alberta, Canada
Posts: 2,024
Re: Malware Defender 2.4.1 beta

inka, an easy way to display the new Group is to right-click -> New Rule -> Application Rule, then select the radio button "Select an Application Group", then find your newly created Group folder in the drop-down list and select it -> <OK>. You should then see it just above "Application Rules - System".
__________________
Shameless lua and use-what's-already-built-into-the O/S troll (credit to Wilders member Windchild for the signature)
#48
November 1st, 2009, 08:14 PM
inka
Regular Poster
Join Date: Oct 2009
Posts: 122
Re: Malware Defender 2.4.1 beta

Yes, it worked exactly as you described. Thank you!
#49
November 1st, 2009, 08:32 PM
wat0114
Very Frequent Poster
Join Date: Mar 2007
Location: S.W. Alberta, Canada
Posts: 2,024
Re: Malware Defender 2.4.1 beta

Quote:
Originally Posted by inka
Yes, it worked exactly as you described. Thank you!

You are welcome!
__________________
Shameless lua and use-what's-already-built-into-the O/S troll (credit to Wilders member Windchild for the signature)
#50
November 1st, 2009, 11:32 PM
nick s
Very Frequent Poster
Join Date: Nov 2002
Posts: 1,426
Re: Malware Defender 2.4.1 beta

Somewhat OT, but it appears mj0011 has turned his attention from Malware Defender to Comodo Internet Security. No POC, just a demonstration video. Something about "RING3 kill any process in CIS".
__________________
Nick
Copyright ©2002 - 2010, Wilders Security Forums