Malware Defender and Matousec's latest tests

#1 July 5th, 2009, 12:09 AM

Would Malware Defender fair any better on Matousec's latest tests with customized rules or will program updates be the only way to block the attack vectors that Matousec found? I'm surprised to see Kaspersky so high this time and would like to see MD take #1!

1boss1 · #2 July 5th, 2009, 01:07 AM

I'm only new to MD and no malware expert, but by looking at where MD failed it appears yes the results could be improved with custom rules, and others may need updates.

For example on this page it failed DNStealer which says:

Quote:

Description: DNStester tries to determine whether the tested product filters DNS queries from an untrusted process.

With MD we can decide what's trusted, so that could pass with rules. So i'm sure with a hardened rule set MD could shake the top of the charts.

bellgamin · #3 July 5th, 2009, 01:07 AM

Quote:

Originally Posted by spidey

Would Malware Defender fair any better on Matousec's latest tests with customized rules or will program updates be the only way to block the attack vectors that Matousec found? I'm surprised to see Kaspersky so high this time and would like to see MD take #1!

I am mystified -- WHY are Matousec's firewall tests considered valid when applied to HIPS (non-firewalls)? I hope that Xiaolin &/or Ilya or others of similar competence will comment.

Eice · #4 July 5th, 2009, 01:17 AM

Quote:

Originally Posted by bellgamin

I am mystified -- WHY are Matousec's firewall tests considered valid when applied to HIPS (non-firewalls)? I hope that Xiaolin &/or Ilya or others of similar competence will comment.

Because they're essentially HIPS tests, and have little to do with firewalls.

arran · #5 July 5th, 2009, 02:54 AM

Yes I do believe that with xtra configuration MD would do much better.

Remember these tests are all about controlling the Behavior after the executables have been given to permission to run.

If MD denied the creation of the executable files and denied them from running in the first place then MD would obviously pass 100 percent.

quote
Description: DNStester tries to determine whether the tested product filters DNS queries from an untrusted process.

well that's easy if you are running an untrusted Process you would obviously limit its permissions like blocking it from accessing the network, but then again why would you even allow untrusted Processes to run in the first place?? so even tho Matousec's says MD fails dnstester I consider it to be a pass.

Einsturzende · #6 July 5th, 2009, 05:04 AM

I would like to hear what Xiaolin have to say about "bugs", (I would say) cheating (pass test's specific implementation vs. failed test's technique):

Quote:

Further notes
Malware Defender passes Kernel2 test because the user has a chance to block the attack in a popup window,
which contains the name of the driver to be loaded. However, the information provided in the popup window
by Malware Defender may mislead the user because verified Microsoft system application ”services.exe” is mentioned
as the source process. However, Malware Defender fails NewClass when its code is slightly modified not to use
“cmd.exe” to run “explorer.exe” but to run Internet Explorer directly. In this case, Malware Defender does not protect
against the test's technique but it fights only its specific implementation. Similarly, Malware Defender fails Schedtest2.

#7 July 6th, 2009, 12:40 AM

Quote:

Originally Posted by arran

If MD denied the creation of the executable files and denied them from running in the first place then MD would obviously pass 100 percent.

That's true, but it's the application's rogue behavior after launch that I'm wondering if MD would alert for. On the tests that Matousec lists as a fail, was it because the appropriate choice wasn't made to deny the action or is it because MD failed to even prompt the user with regards to that particular test's post-launch rogue activity? I know some other vendors supply comments on Matousec's website and was wondering what Xiaolin's thoughts are in regards to these results.

xiaolin · #8 July 6th, 2009, 09:16 PM

Quote:

Originally Posted by spidey

That's true, but it's the application's rogue behavior after launch that I'm wondering if MD would alert for. On the tests that Matousec lists as a fail, was it because the appropriate choice wasn't made to deny the action or is it because MD failed to even prompt the user with regards to that particular test's post-launch rogue activity? I know some other vendors supply comments on Matousec's website and was wondering what Xiaolin's thoughts are in regards to these results.

The MD's firewall cannot block some low level packets, so it failed the dns and echo tests.

I do not know why MD failed the SSS3 test, I cannot recreate it.

Other failed tests except crash7 are related to accessing COM objects. MD implemented the COM protection using ring3 hooks. The Matousec's test will restore ring3 hooks, and any protection for the ring3 hooks will be taken as a direct attack against the test, and will fail the test. I have no plan to change the implementation of COM protection yet, so MD will not get higher score in the near future.

Thanks

arran · #9 July 6th, 2009, 09:54 PM

Quote:

Originally Posted by xiaolin

The MD's firewall cannot block some low level packets, so it failed the dns and echo tests.

I don't care about this. MD is more of a classical HIPS not a firewall to filter low level packets.

mike21 · #10 July 7th, 2009, 02:46 AM

^^ Agree ^^

nick s · #11 July 8th, 2009, 01:32 AM

Quote:

Originally Posted by xiaolin

I do not know why MD failed the SSS3 test, I cannot recreate it.

I tested SSS3 against MD 2.2.2 on XP SP3 in several scenarios and MD passes every time. Depending on the scenario, SSS3.exe will hang and do nothing after MD denies shutdown or it will terminate and generate a text file with these results:

"Security Software Testing Suite - SSS3
Copyright by www.matousec.com, Different Internet Experience Ltd.
http://www.matousec.com/

ERROR: Unable to initiate the system shutdown.
Error code: 1115
Error message: A system shutdown is in progress.

YOUR SYSTEM PASSED THE TEST!"

jmonge · #12 July 8th, 2009, 02:58 AM

Quote:

Originally Posted by nick s

I tested SSS3 against MD 2.2.2 on XP SP3 in several scenarios and MD passes every time. Depending on the scenario, SSS3.exe will hang and do nothing after MD denies shutdown or it will terminate and generate a text file with these results:

"Security Software Testing Suite - SSS3
Copyright by www.matousec.com, Different Internet Experience Ltd.
http://www.matousec.com/

ERROR: Unable to initiate the system shutdown.
Error code: 1115
Error message: A system shutdown is in progress.

YOUR SYSTEM PASSED THE TEST!"

cool nick

Franklin · #13 July 8th, 2009, 03:44 AM

Quote:

Originally Posted by xiaolin

so MD will not get higher score in the near future.

Drop each of those named test exes into the "Image File Execution Options" reg setting and use cmd or whatever as the debugger and not a single one will run.

100% every time.

Pliskin · #14 September 22nd, 2009, 01:51 PM

Quote:

Originally Posted by xiaolin

The MD's firewall cannot block some low level packets, so it failed the dns and echo tests.

Are you going to add this feature and when? RTD has it.

_kronos_ · #15 September 22nd, 2009, 04:03 PM

Quote:

Originally Posted by Pliskin

Are you going to add this feature and when? RTD has it.

I hope so, these should be some great features

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search