Malware Defender + GeSWall experiences after a month

Discussion in 'other anti-malware software' started by Kees1958, Jan 15, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay,

    I posted a first impression of Malware Defender. Originally I used LUA + SRP to contain internet-facing applications. On top of that I had constructed a Contained Applications group (sort of blocked, with a few allow exceptions for Outlook Express, Internet Explorer, LimeWire and Iron) with Malware Defender.

    After some time this contained group seemed to be too complex in daily use for other family members, so I installed GeSWall 2.8.3 again to handle all internet-facing applications (no: I am not disappointed in DefenseWall, I have given the licence to my Mother of 75, because DW is so easy to use).

    GeSWall 2.8 also has internet control, but when you want to go for the full monty, it has the disadvantage that it does not have a learning mode (of course not, it is a policy sandbox) and that it does not throw a pop-up at you. So allowing trusted applications is painstaking. I decided to go for the next best option: set Network in GW at confidential: this will block all internet access for untrusted (files and applications). For each untrusted application you would like to give internet access: add a rule to Allow Network *.

    Now back to Malware Defender.
    I am not a classical HIPS lover, but some HIPS (like EQS) are usable by less tech-savvy users. Malware Defender is even easier to configure for average users. This is how you do it.

    A) Balancing File and Registry protection (first pic)
    B) Application protection and Allow network access (second pic)
     
    Last edited: Jan 15, 2009
  2. Kees1958
    Balancing File and Registry protection (few pop-ups, good protection)

    First you want to set in the options that, when in learning mode, explicit denies are not overruled (this is to deal with the Avira free nag screen application, which is in the blocked applications group).

    As you can see I have added some file protection (XP file names in the root directory) and disabled the ALL executables (file group) rule.

    I also added some extra Startup protection keys (these are very static, so do not expect pop-ups for them in normal operation) and disabled the IE Registry protection (simply because GeSWall takes care of that, OR DefenseWall OR Sandboxie or SafeSpace).

    NB click on the picture to enlarge
     


    Last edited: Jan 15, 2009
  3. Kees1958
    Application protection and Allow network access

    As you can see I have set to ignore for all programs (= *, see right window pop-up in picture):
    - execution control (is the most used Windows action)
    - startup of process (also a 'normal' operation)
    - access data of other process (not very common, less used than sending messages, still many old programs use this)
    - sending of messages

    All others are set to ASK. Note that the network tab also contains an * ASK. So with the interface lock below I am protected against all others = silent serious problem prevention. See pop-up right below from the system tray Malware Defender icon.

    I run Malware Defender in LEARNING mode with the USER INTERFACE LOCKED (see pop-up right under). This effectively blocks all ASK operations silently. When encountering a problem, I just unlock the user interface and repeat the sequence of events in Learning mode, and I have added a new rule.

    Allow network Access
    As you can see I have added a group named Allow network Access. This is only for ease of overview. After I have run a program in Learning mode (and have given it access to the network) I move it to this group. Only for P2P programs you have to generalise the network rule (setting it from specific ports and IP addresses to any address and any port, while deleting all other network rules created by learning mode).

    Note: for Internet Explorer and Outlook Express I have selected the option "protect this application from being access by other" in the general tab (to stop unwanted spawning of browser/e-mail).

    Trusted Applications
    I enter all my security and maintenance apps in this section. Beware that you leave Malware Defender in Learning mode (after installation) until you have the Windows verification programs visible, or put them in by yourself (= Mapi, Rstrui and wgatray).

    Conclusion
    As shown by the pic, I have very FEW extra rules added after running Malware Defender for a month now. This means that I have also encountered very few pop-ups while using a classical HIPS.

    There is no HIPS with limited firewall which runs so light! :thumb:

    Overall, as this post shows (https://www.wilderssecurity.com/showpost.php?p=1382577&postcount=1), the combo of a policy sandbox (in this post DefenseWall, but GeSWall is nearly as good) and Avira (I have check on write only, with heuristics high) protects well against zero-day malware.

    Malware Defender in this setup is another layer which protects against unauthorised network and all serious intrusions.

    NOTE:
    In this setup you can also swap GeSWall for DefenseWall (with total untrusted file control, without outbound control for now) or Sandboxie or SafeSpace (when you would like to flush the toilet after browsing).

    njoy
     


    Last edited: Jan 15, 2009
  4. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Kees1958,

    A few questions,

    1) I noticed that in your current screen example you have the Global File "*" rule set to Read - Ignore and Write - Permit, whereas in your screen snapshot example in your previous MD Tips thread, the Global File "*" rule was set to Read - Ignore and Write - Ignore. What is the difference between Write - Ignore vs Permit, when Write: Ignore is placed on the Global File "*" rule instead of Permit? o_O


    Also, since I am still new to learning about all the advantages of classical HIPS, policy HIPS, etc. protection concepts, could you answer the following questions to clear things up for me:

    2) Does MD provide alerting to "drive-by download" exploits without adding the additional policy HIPS based pgms of DefenseWall or GeSWall that you suggest adding in this thread?

    3) Also, what could malware do via an internet-facing application (IE, Outlook Express) that MD couldn't alert to or stop, such that you feel it is necessary to add one of these policy based HIPS (DefenseWall or GeSWall) to a setup mix with MD?

    Just want to completely understand.
    Thanks.
     
  5. Kees1958
    The second time I had the rule disabled; the first time I made sure MD did not spend any attention on it (ignore), but had the rule enabled. Ignore means no checking with this rule, Permit means check and allow.


    Well yes, this can be done in several ways:
    a) only allow your internet-facing applications to download into a specific directory
    b) check for executable-like downloads.



    Policy HIPS/sandboxes and behavioural blockers are my favourites. In this context it is quite a feat of Malware Defender to gain my preference.

    Policy based security layers (like GeSWall and DefenseWall) protect you against the majority of malware. They paralyse malware in both files and executables. They require very little knowledge.

    The combo with a policy HIPS cuts down the needed level of control within Malware Defender, initially. Running Malware Defender for a while now, I COULD EVEN SET "ACCESS DATA OF OTHER PROCESSES" to ASK. The policy HIPS will halt all the bad ones, so UNLOCKING THE USER INTERFACE OF MD and running in LEARNING mode is a no-brainer. So it is only for ease of use. When you configure Malware Defender properly, you won't need anything else besides an antivirus.
     
  6. JosephB
    Kees,

    Okay, things are getting clearer for me now. Thanks for those explanations.

    .... Now, just one last thing, to determine if I understand everything .....


    1) I assume that by setting MD up properly (when not using an additional policy HIPS pgm alongside it), you still mean configuring it properly as in your first Tips thread:

    A) By placing your "Internet Facing Applications" in a "Containment Group".

    B) Running the "Internet Facing Applications" through the "StripMyRights" pgm to run them as a Limited User Account.


    2) And the reason for running them (internet-facing apps) as a Limited User Account would be as a second layer of defence to protect against future exploits that may possibly find a way to bypass a classical HIPS pgm's existing protection??


    P.S.

     
  7. Kees1958
    Yep, this would mean for normal programs set everything (except program launch + execution permission) to ask. Set the contained internet-facing apps to deny all, plus allow for some explicitly named (registry + files + other program hooks/calls). Policy protection is a free feature, why not use it? Malware Defender also warns for rights elevation (set time).

    Well, you have to make sure that program interaction with print drivers works ok. I had forgotten that the print spool server is a system process, overriding my allow to be called in the contained group. So my wife could not print from e-mail. It is a three-minute fix, but I accomplish the same in a no-brainer way with GeSWall.

    Well, I am really no AV expert, but there are two main ideology groups:
    a) One that wants to check as many incoming data streams as early as possible. For those the proxy is an improvement (scanning before execution of web content).
    b) The other that says it really does not matter, as long as the basics (the file driver intercepting disk I/O) do their job as intended.

    When having zero-day protection in place, I reckon the forward checking of (a) becomes less important and just (b) will do.

    Cheers Kees
     
  8. JosephB
    One more question about your current MD screen picture configuration shown at the top of this thread:

    .... I was wondering why you "Disabled the ?:\ write(ask) rule" and then created the extra system file group (with autoexec.bat, etc.).

    ... I would think that by having the "?:\ write(ask)" rule enabled, new files can *not* be written to C:\ (without an alert), and that under normal use of one's PC applications should *not* be writing to C:\ (except for the Windows system itself).

    Therefore, I would think that there should *not* be much noise (or alerts) by using the "?:\ rule enabled". .... Or am I overlooking something basic here?

    P.S.
    With the rule enabled you also gain additional protection from malware that attempts to create either an "autorun.inf" or a malware version of "explorer.exe" in C:\. (Of course these entries could be added to the extra system file group when using the ?:\ rule disabled).
     
  9. Kees1958
    You are completely right.

    Some HIPS automatically apply a rule to all subdirectories, but this can be explicitly configured with MD, so that is my mistake.

    Cheers
     
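The rule semantics Kees1958 spells out in post 5 (Ignore means the rule is not checked at all, Permit means check and allow; with the user interface locked in learning mode, ASK is silently blocked and an explicit deny is never overruled) and the root-only "?:\ write(ask)" rule that JosephB and Kees1958 discuss in posts 8 and 9 are modelled below in a small rule evaluator. This is an added example, not Malware Defender's code or its real rule syntax: the glob dialect (`*` matches one path component, `**` any depth, `?` one character, a bare `*` is the global catch-all), the contents of `example_table()` and the default of permitting a write that matches no rule are all assumptions of this toy model. The thread's `?:\` root rule is written here as `?:\*`.

```python
"""Toy model of a HIPS file-write rule table (added example, not Malware Defender code)."""
import re
from dataclasses import dataclass
from enum import Enum
from functools import lru_cache


class Action(Enum):
    IGNORE = "ignore"   # rule is not checked at all; evaluation moves on to the next rule
    PERMIT = "permit"   # rule is checked and the operation is allowed
    DENY = "deny"       # rule is checked and the operation is blocked
    ASK = "ask"         # rule is checked and a prompt would be shown


class Mode(Enum):
    NORMAL = "normal"                        # ASK really prompts the user
    LEARNING_UNLOCKED = "learning-unlocked"  # ASK is let through; caller records it with learn()
    LEARNING_LOCKED = "learning-locked"      # ASK cannot prompt, so it is silently denied


@dataclass(frozen=True)
class Rule:
    pattern: str        # toy glob (assumption): '*' one component, '**' any depth, '?' one char;
                        # a bare '*' on its own is the global catch-all rule from the thread
    action: Action
    enabled: bool = True


@lru_cache(maxsize=None)
def _compile(pattern):
    """Translate the toy glob into an anchored, case-insensitive regex."""
    if pattern == "*":
        return re.compile(r".*", re.IGNORECASE)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(r".*"); i += 2           # any depth, separators included
        elif pattern[i] == "*":
            out.append(r"[^\\]*"); i += 1       # stays inside one path component
        elif pattern[i] == "?":
            out.append(r"[^\\]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def decide(rules, path, mode=Mode.NORMAL):
    """Evaluate a write to `path` top-down. Returns (outcome, rule_that_fired_or_None)."""
    for rule in rules:
        if not rule.enabled or rule.action is Action.IGNORE:
            continue                           # disabled or IGNORE: never consulted
        if not _compile(rule.pattern).match(path):
            continue
        if rule.action is Action.ASK:
            if mode is Mode.LEARNING_LOCKED:
                return Action.DENY, rule       # no pop-up possible: blocked silently
            if mode is Mode.LEARNING_UNLOCKED:
                return Action.PERMIT, rule     # allowed now; learn() adds the explicit rule
            return Action.ASK, rule
        return rule.action, rule               # PERMIT, or an explicit DENY (never overruled)
    return Action.PERMIT, None                 # assumption of the model: nothing matched


def learn(rules, path):
    """What learning mode does after the user lets a write through: an explicit PERMIT
    for that exact path is put ahead of the existing rules."""
    return [Rule(path, Action.PERMIT)] + list(rules)


def example_table():
    """Constructed table in the spirit of the thread (not the author's real export)."""
    return [
        Rule(r"?:\autoexec.bat", Action.ASK),        # extra system-file group: XP root files
        Rule(r"?:\ntldr", Action.ASK),
        Rule(r"?:\*", Action.ASK),                   # the ?:\ write rule: root of any drive only
        Rule(r"C:\Windows\Temp\**", Action.IGNORE),  # IGNORE: skipped, falls through to next rule
        Rule(r"C:\Windows\**", Action.ASK),          # constructed rule to show the fall-through
        Rule("*", Action.PERMIT),                    # global file rule: Write = Permit (post 4)
    ]


if __name__ == "__main__":
    table = example_table()
    for path, mode in [
        (r"C:\autorun.inf", Mode.NORMAL),                       # root write -> ASK
        (r"C:\Documents and Settings\kees\report.doc", Mode.NORMAL),  # subdirectory -> PERMIT
        (r"C:\explorer.exe", Mode.LEARNING_LOCKED),             # ASK with locked UI -> DENY
        (r"C:\Windows\Temp\x.tmp", Mode.NORMAL),                # IGNORE skipped -> ASK
    ]:
        outcome, rule = decide(table, path, mode)
        print(f"{mode.value:18} {path:45} -> {outcome.value:6} via {rule.pattern if rule else '-'}")
```

Replacing the `IGNORE` entry with `PERMIT` makes the `C:\Windows\Temp` write stop at that rule instead of falling through to the broader `C:\Windows\**` ASK rule; that is the practical difference between the two settings JosephB asked about.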