Wilders Security Forums  

  #1  
Old May 13th, 2009, 09:11 AM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Malware Defender 2.2.0 beta

The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b1.exe

what's new?
- Added protection against accessing Service Control Manager.
- Added protection against loading dynamic link libraries.
- Added protection against accessing COM interfaces.
- Added protection against setting hidden attribute of file or folder.
- Added support for searching permission and comment of rules.
- Added support for managing multiple rule files.
- Added support for Windows 7 rc.
- Separated "duplicate handle" permission from "access memory of other processes".
- Improved performance when handling file reading actions.
- Minor improvements and fixes.

1) Since new protections are added, it's recommended to restart system in learning mode after upgrade.

2) A user mode hook module (mdhook.dll) is added in this release to detect accessing SCM, loading DLL and accessing COM interface. The hook module will be loaded in all processes. If you find any compatible programs please tell me.

Thanks for testing.

Xiaolin
  #2  
Old May 13th, 2009, 10:17 AM
jmonge jmonge is offline
Incredibly Massive Poster
 
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 11,766
Default Re: Malware Defender 2.2.0 beta

Thanks xiaolin, it is working fine here. I followed your advice.
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
  #3  
Old May 13th, 2009, 01:29 PM
tony62 tony62 is offline
Frequent Poster
 
Join Date: Aug 2005
Location: UK
Posts: 214
Default Re: Malware Defender 2.2.0 beta

Most VMware ThinApp applications are not compatible with the latest beta. For applications such as Media Player Classic, DSOUND.dll will not be found, regardless of permissions throughout MD. Exiting MD is the only option.
It would seem that MD cannot handle ThinApp's internal virtualized routines of loading Dynamic Link libraries.
  #4  
Old May 13th, 2009, 10:04 PM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by tony62
Most VMware ThinApp applications are not compatible with the latest beta. For applications such as Media Player Classic, DSOUND.dll will not be found, regardless of permissions throughout MD. Exiting MD is the only option.
It would seem that MD cannot handle ThinApp's internal virtualized routines of loading Dynamic Link libraries.
Where can I find a VMware ThinApp application for testing?

Thanks
  #5  
Old May 13th, 2009, 11:01 PM
tony62 tony62 is offline
Frequent Poster
 
Join Date: Aug 2005
Location: UK
Posts: 214
Default Re: Malware Defender 2.2.0 beta

Quote:
Eliminate Installation Conflicts with Application Virtualization

Application virtualization encapsulates the applications from the OS and each other; eliminating costly regression testing and conflicts from badly behaving applications. Just plug in an .MSI or .EXE file to deploy a virtual system environment, including registry keys, DLLs, third-party libraries, and frameworks without requiring any installation of agents or applications on the underlying operating system.
Below is a link to Media Player Classic (open source). Media Player Classic has been wrapped by me with a demo version of ThinApp.

http://www.speedyshare.com/582958945.html

Test MPC with MD beta running, then without!
  #6  
Old May 14th, 2009, 03:28 AM
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: Malware Defender 2.2.0 beta

The beta runs great!
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #7  
Old May 14th, 2009, 03:39 AM
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,409
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by xiaolin
2) A user mode hook module (mdhook.dll) is added in this release to detect accessing SCM, loading DLL and accessing COM interface. The hook module will be loaded in all processes. If you find any compatible programs please tell me.

Why user mode? Will it not decrease the security?

Thanks
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #8  
Old May 14th, 2009, 03:59 AM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by tony62
Below is a link to Media Player Classic (open source). Media Player Classic has been wrapped by me with a demo version of ThinApp.

http://www.speedyshare.com/582958945.html

Test MPC with MD beta running, then without!
I will test it. Thx
  #9  
Old May 14th, 2009, 04:12 AM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by aigle
Why user mode? Will it not decrease the security?

Thanks
The new protections (accessing SCM, loading DLL and accessing COM interface) can not be implemented in kernel. And user mode hooks are unavoidable when making x64 version of MD, since kernel hooks are not allowed in 64-bit Windows.

Malware may try to restore user mode hooks in current process, but I will add the ability to protect hooks installed by MD.
  #10  
Old May 14th, 2009, 04:27 AM
Ilya Rabinovich Ilya Rabinovich is offline
Developer
 
Join Date: Sep 2005
Posts: 1,516
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by xiaolin
The new protections (accessing SCM, loading DLL and accessing COM interface) can not be implemented in kernel.
Really? For x32 Windows it's all possible. At least dll module loading detection is possible to implement at kernel level with API provided by MS.
__________________
DefenseWall HIPS developer. www.softsphere.com
  #11  
Old May 14th, 2009, 06:52 AM
smith2006 smith2006 is offline
Frequent Poster
 
Join Date: Mar 2006
Posts: 579
Default Re: Malware Defender 2.2.0 beta

I keep getting these application errors after installing 2.2.0 beta.

I have no issue when using 2.1.1.
Attached Images
 
  #12  
Old May 14th, 2009, 10:24 AM
jmonge jmonge is offline
Incredibly Massive Poster
 
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 11,766
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by smith2006
I keep getting these application errors after installing 2.2.0 beta.

I have no issue when using 2.1.1.
Did you install the new beta 2.2 in learning mode?
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
  #13  
Old May 14th, 2009, 11:16 AM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by smith2006
I keep getting these application errors after installing 2.2.0 beta.

I have no issue when using 2.1.1.
Thanks for the bug report. I will fix it.
  #14  
Old May 14th, 2009, 02:57 PM
spidey
 
Posts: n/a
Default Re: Malware Defender 2.2.0 beta

I was getting the same errors. I wasn't having any luck getting learning mode to create rules. I created rules manually to allow each process access to its own memory, which eliminated the errors.

Here's a screenshot of a typical rule (in this case, for Excel):
http://i39.tinypic.com/2ezlhk4.jpg
  #15  
Old May 14th, 2009, 10:07 PM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by spidey
I was getting the same errors. I wasn't having any luck getting learning mode to create rules. I created rules manually to allow each process access to its own memory, which eliminated the errors.

Here's a screenshot of a typical rule (in this case, for Excel):
http://i39.tinypic.com/2ezlhk4.jpg
Many other security programs (such as Jetico) will install hooks at the same position as MD's hooks. In the next beta release, I will remove the alert for accessing own memory, and add global file rules to protect MD's hooks (more secure). But you still have to create PERMIT rules if you are using MD with Jetico.
  #16  
Old May 14th, 2009, 10:18 PM
smith2006 smith2006 is offline
Frequent Poster
 
Join Date: Mar 2006
Posts: 579
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by jmonge
Did you install the new beta 2.2 in learning mode?

Yes, it was installed in learning mode.
  #17  
Old May 14th, 2009, 10:18 PM
smith2006 smith2006 is offline
Frequent Poster
 
Join Date: Mar 2006
Posts: 579
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by xiaolin
Thanks for the bug report. I will fix it.

No problem.
  #18  
Old May 15th, 2009, 01:12 AM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Malware Defender 2.2.0 beta2 is released.

The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b2.exe

what's new since beta1?
- Fixed a bug when searching rule permissions.
- Fixed a bug that the application rule dialog cannot be displayed properly on low resolution screen.
- Fixed bugs in mdhook.dll.
- Added dwm.exe to system application rule list on Windows Vista or above.
- Changed the method for protecting hooks installed by MD. MD will not restrict accessing own memory of processes, but use new global file rules to restrict reading related dlls.

NOTE:
If you upgrade MD from old versions, please import the following rule file. (Rule menu -> Import)
http://www.torchsoft.com/download/Re...cted_Files.dat

It's recommended to restart system in learning mode after upgrade.
  #19  
Old May 15th, 2009, 01:41 AM
nick s nick s is offline
Very Frequent Poster
 
Join Date: Nov 2002
Posts: 1,427
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by xiaolin
Malware Defender 2.2.0 beta2 is released.

The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b2.exe

what's new since beta1?
- Fixed a bug when searching rule permissions.
- Fixed a bug that the application rule dialog cannot be displayed properly on low resolution screen.
- Fixed bugs in mdhook.dll.
- Added dwm.exe to system application rule list on Windows Vista or above.
- Changed the method for protecting hooks installed by MD. MD will not restrict accessing own memory of processes, but use new global file rules to restrict reading related dlls.

NOTE:
If you upgrade MD from old versions, please import the following rule file. (Rule menu -> Import)
http://www.torchsoft.com/download/Re...cted_Files.dat

It's recommended to restart system in learning mode after upgrade.
Hi Xiaolin,

MD 2.2.0 beta 2 breaks Sandboxie 3.37.10 (beta) on Vista SP2. It is not possible to invoke a sandboxed app unless I disable MD.
__________________
Nick
  #20  
Old May 15th, 2009, 02:28 AM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by nick s
Hi Xiaolin,

MD 2.2.0 beta 2 breaks Sandboxie 3.37.10 (beta) on Vista SP2. It is not possible to invoke a sandboxed app unless I disable MD.
Hi, I tested but did not find the problem. Could you try to use learning mode when invoking a sandboxed app?

Thanks,
Xiaolin
  #21  
Old May 15th, 2009, 02:40 AM
nick s nick s is offline
Very Frequent Poster
 
Join Date: Nov 2002
Posts: 1,427
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by xiaolin
Hi, I tested but did not find the problem. Could you try to use learning mode when invoking a sandboxed app?

Thanks,
Xiaolin
I did not reboot as recommended. Sandboxed apps work as expected after rebooting. Sorry for the false alarm.
__________________
Nick
  #22  
Old May 15th, 2009, 06:54 PM
arran arran is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 1,090
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by Ilya Rabinovich
Quote:
Originally Posted by xiaolin
The new protections (accessing SCM, loading DLL and accessing COM interface) can not be implemented in kernel.
Really? For x32 Windows it's all possible. At least dll module loading detection is possible to implement at kernel level with API provided by MS.

I like it when there is competition, when vendors pull up and correct other vendors. Not because I like watching flame wars, if it turns out to be a flame war, but because the end result is that it produces better security for us, with really good products. And still waiting for xiaolin to make a reply. I run DefenseWall and Malware Defender, so guys, just make sure they will always run together smoothly with no conflicts.
__________________
Win7 64bit Ultimate
Sandboxie | Applocker | Admuncher | Macrium Reflect | TrueCrypt |
FF Add On's | Greasemonkey | Secure Login | Noscript | Ant Video downloader | Status 4 evar
  #23  
Old May 15th, 2009, 10:24 PM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Quote:
Originally Posted by arran
I like it when there is competition, when vendors pull up and correct other vendors. Not because I like watching flame wars, if it turns out to be a flame war, but because the end result is that it produces better security for us, with really good products. And still waiting for xiaolin to make a reply. I run DefenseWall and Malware Defender, so guys, just make sure they will always run together smoothly with no conflicts.
Yes, I should not say "can not be implemented in kernel", there are possibilities. But I choose to implement these functions in user mode. I think it's the right decision.
  #24  
Old May 17th, 2009, 05:37 AM
xiaolin xiaolin is offline
Frequent Poster
 
Join Date: Aug 2008
Posts: 248
Default Re: Malware Defender 2.2.0 beta

Malware Defender 2.2.0 beta3 is released.

The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b3.exe

what's new since beta2?
- Fixed a bug that some applications cannot start when MD is running.
- Fixed a bug that the COM interface rules of * application rule cannot be deleted.

NOTE:
If you upgrade MD from v2.2.0 beta1 or before, please import the following rule file. (Rule menu -> Import) http://www.torchsoft.com/download/Re...cted_Files.dat

It's recommended to restart system after upgrade (not necessary in learning mode).

Thanks,
Xiaolin
  #25  
Old May 19th, 2009, 12:31 AM
G1111 G1111 is offline
Very Frequent Poster
 
Join Date: May 2005
Location: USA
Posts: 1,721
Default Re: Malware Defender 2.2.0 beta

I have been thinking of trying MD and have a few questions. I am currently using KAV, Outpost Firewall and Prevx 3.0 (all paid/latest versions). I am now also using Ghost Security (AppDefend/RegDefend) & DiamondCS WormGuard. MD would replace these two HIPS programs.

Are there any known conflicts with MD and KAV, Outpost or Prevx (or other security programs)? Is MD compatible with Vista or Windows 7? I am currently using XP Home SP3.

Are the default rules good protection? Also, do you have to disable it to install new software? I occasionally screwed up some installs when I was using ProcessGuard. Ghost Security did not have any issues with software installation other than a lot of pop-ups if you didn't disable protection first.

Is MD as easy to use as Ghost Security and does it have a light footprint? Is there any user manual available?

Last edited by G1111 : May 19th, 2009 at 02:13 AM.
 

All times are GMT -4.