Malware Defender 2.7.3 Free and Chkdsk Issue

[Rickster100]

Hello Everyone,

I have been having a play with the latest version of Malware Defender for a few weeks now, having used SSM for many years I think its time to look for an alternative classical HIPS for my XP setup.

However, testing MD on a clean, freshly installed image of XP Pro SP3 with latest MS updates and with no security software installed I have found that even with rules created in learning mode I am unable to perform a chkdsk operation on the system drive of my PC. Subsequently removing MD and rebooting the PC allows the chkdsk operation to perform successfully.

I would assume that learning mode would create the necessary rules automatically for the chkdsk function to take place, but on this fresh image this is not happening. The MD and system logs do not appear to show the reason why chkdsk is not working. I have a second internal HD also on the PC which is able to do the chkdsk function successfully on a reboot with MD installed. Even disabling all the real-time protection modules does not solve the problem; only when MD is removed will the chkdsk commence.

If anyone who is a long term user of MD can offer any suggestions I would appreciate any advice or help you can offer. Thank you in advance.

[Scoobs72]

Strange, it should be working. It works for me on SP3 with the following log entries. Do you see all of these?

8/6/2011 21:34:05 Create new process Permitted
Process: c:\windows\explorer.exe
Target: c:\windows\system32\cmd.exe
Cmd line: "C:\WINDOWS\system32\cmd.exe"
Rule: [App]*

8/6/2011 21:34:09 Create new process Permitted
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\chkdsk.exe
Cmd line: chkdsk
Rule: [App]*

8/6/2011 21:34:10 Read physical disk Permitted
Process: c:\windows\system32\chkdsk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*

8/6/2011 21:34:35 Send message to another process Permitted
Process: c:\windows\system32\services.exe
Target: c:\windows\system32\csrss.exe
Message: WM_DEVICECHANGE
Rule: [App]c:\windows\system32\services.exe

[Rickster100]

Hello Scoobs72,

You are running "chkdsk" from the command prompt, in this case chkdsk can only READ the disk, I get similar MD log entries.

C Drive chkdsk (via command prompt) MD Log:

06/08/2011 23:58:44 c:\windows\system32\chkdsk.exe Read physical disk \Device\HarddiskVolume1 Permitted [App]*

The issue I have is when running chkdsk as a scheduled task by right clicking the C drive in My Computer -> Properties -> Tools -> Error Checking for example when you have to reboot. When you run it from the command prompt "chkdsk.exe" only READS the disk ("read only mode") as indicated in the prompt box dialogue. But when performing it on a reboot the chkdsk command uses "autochk.exe" to WRITE to the disk.

Did you also try running chkdsk /F whilst at the command prompt? That would mean forcing a chkdsk on reboot using "autochk.exe".

C Drive chkdsk /F (via command prompt) MD Log:

06/08/2011 23:31:23 c:\windows\system32\chkdsk.exe Write physical disk \Device\HarddiskVolume1 Permitted [App]*
[The log shows this entry, but autochk.exe still fails to run on the C drive on reboot].


In my case the MD logs show autochk.exe writing to my D drive because it performs the chkdsk perfectly on that drive. But I am not seeing any entries in the MD log regarding the failure of the C drive chkdsk task on reboot.

D Drive chkdsk -> "autochk.exe" MD Log:

06/08/2011 23:56:52 c:\windows\system32\autochk.exe Write physical disk \Device\HarddiskVolume4 Permitted [App]*

Can you perhaps try performing a scheduled task on your system drive to see if it will actually perform the disk check on reboot using "autochk.exe"? You can then check to see if the MD logs show any details. Also, MDs default permissions for "autochk.exe" seem correctly set for read and write access.

Thanks for your reply, I will continue to take a look at this.

[0strodamus]

I had an issue with chkdsk running on reboot and if I recall correctly it was because there was no rule allowing "c:\windows\system32\smss.exe" to launch "c:\windows\system32\autochk.exe".

I would suggest placing MD in Learning Mode, scheduling a chkdsk, and rebooting. This should ferret out the rule you're missing (assuming this is the issue). That's what helped me figure it out. Hope this helps...

[Rickster100]

Hello 0strodamus,

Thats what I was doing, I even gave full permissions to both chkdsk.exe and autochk.exe but to no avail. I will try your other suggestion for smss.exe. Yesterday I even made a brand new image of XP with only up to date MS updates and absolutely no non microsoft software installed except for MD. Didnt make any difference. Chkdsk /F still works on my other HD on this machine on reboot, its just this system drive issue! Its strange that MD isnt making the correct rules in learning mode for the system drive on my home machine. Noone else seems to be having an issue with this as they havent chimed in, but im starting to run out of ideas.

Xiaolin has been PMed, but he cannot reproduce the issue so far. Thanks for your reply. Ill have another go at it tonight when I get home from work and chime back in once I have tried your further suggestion.

Thanks.

[0strodamus]

That is strange. I know how frustrating things like this can be and I hope you figure it out soon.

[Rickster100]

Quote:

Originally Posted by 0strodamus

That is strange. I know how frustrating things like this can be and I hope you figure it out soon.

I tried granting full permissions also to smss.exe as per your suggestion but that has not worked either. It is strange and it should work at the very least on a clean image but it simply will not work for me. Maybe theres some kind of conflict going on somewhere in my setup, maybe its an MD bug but noone else is chiming in.

To summarise; MD is not allowing for "autochk.exe" write access on my system drive; on a clean fresh installation of XP Pro fully updated (nor any of my other saved images) in learning mode or by granting full permissions to chkdsk.exe and autochk.exe. Its a bit of a mystery, uninstalling MD allows the chkdsk operation to write to the system drive on a reboot completing the task.

Now I am out of ideas. Thanks for your help all the same!

[Scoobs72]

Have you got "Log all denied actions" ticked? When I try a chkdsk /f it works fine and I get:

8/11/2011 20:26:20 Write physical disk Permitted
Process: c:\windows\system32\chkdsk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*

8/11/2011 20:27:00 Set registry value Permitted
Process: c:\windows\system32\chkdsk.exe
Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
Data: autocheck autochk *
Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; BootExecute

8/11/2011 20:27:54 Read physical disk Permitted
Process: c:\windows\system32\autochk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*

8/11/2011 20:27:54 Read physical disk Permitted
Process: c:\windows\system32\autochk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*

8/11/2011 20:27:54 Read physical disk Permitted
Process: c:\windows\system32\autochk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*

8/11/2011 20:29:10 Read physical disk Permitted
Process: c:\windows\system32\autochk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*

8/11/2011 20:29:10 Read physical disk Permitted
Process: c:\windows\system32\autochk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*

8/11/2011 20:29:10 Read physical disk Permitted
Process: c:\windows\system32\autochk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*

Stop torturing yourself and un-check "Run Malware Defender when Windows starts" in Options, do your chkdsk thing and re-check it.

Or far far better yet, just boot off your Windows CD and run chkdsk in the Recovery Console every few months and be done with it.
.

[Rickster100]

Quote:

Originally Posted by Scoobs72

Have you got "Log all denied actions" ticked?

With that option enabled, no denied action logs are showing with this issue.

[Rickster100]

Quote:

Originally Posted by LODBROK

Stop torturing yourself and un-check "Run Malware Defender when Windows starts" in Options, do your chkdsk thing and re-check it.

Or far far better yet, just boot off your Windows CD and run chkdsk in the Recovery Console every few months and be done with it.
.

Im certainly not "torturing myself" about this issue, I am merely curious as to why it isnt working when it should. As stated previously, the chkdsk task will only take place on the system drive when MD is uninstalled.

Its certainly not a deal closer for me as far as MD is concerned, simply saving the ruleset and uninstalling isnt such a big hassle, and as you rightly pointed out running chkdsk is something that is run every once in a while. I just wanted to share my experiences with MD regarding this particular issue with the Developer and other forum members for the record.

Thanks to all who chimed in with their suggestions.