Malware Defender 2.0.2 is released

Discussion in 'other anti-malware software' started by xiaolin, Feb 3, 2009.

Thread Status:
Not open for further replies.
  1. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    @xiaolin

    Just tested the new build 2.0.5 like crazy, trying to make it use 100-90% of CPU, but so far nada... it doesn't bring back the "demoneye bug" loll :thumb:
     
  2. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Ruleset? :argh: Ruleset? :argh: Don't need no steenking ruleset! :rolleyes:

    Set Learning mode for a few days & MD will do the job for you. :cool:

    Or not. :doubt:
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hmmm, I'll have to give it another spin then. Thanks

    EASTER
     
  4. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    Kinda off-topic but here goes. After the demise of SSM I was ISO another hips. I decided to try MD. Thing is, I don't know how to use it.
    I put it in "Learning Mode" for two weeks and then into "Normal". I've never had a pop-up. I don't really know if it's working or not. Hmmm o_O I've RTFM but it's kinda generic so it doesn't help a whole hellovalot.

    Is there any one particular test I can do to prove to me it's actually working?

    ...screamer
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Download something new and run it. You should get pop ups. Or, image, then uninstall and reinstall and after a couple of reboots turn off learning mode.

    Pete
     
  6. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    I only do one reboot in Learning Mode, then I switch into Normal Mode. Two weeks sounds too long to keep it in learning mode. A lot of the file prompts can be overcome using wild cards.
    You could copy NOTEPAD.EXE from your windows directory to your desktop and execute it. If you are prompted 'Create New Process' then that's good, if not then you have a rule in your rules tab permitting it. If this is the case then I'd seriously consider rebuilding your rule set.

    EDIT: Beaten by Peter
     
  7. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    Hey Pete,

    Not sure what you mean here. I've D/L'd apps and installed w/ no pop-ups. Actually there were pop-ups but from AnVir Task Mngr asking if I will allow to auto start. Never a pop-up from MD. Hmmm?

    ...screamer
     
  8. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    I'll give this a try and report back
     
  9. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Run a new app as suggested by Peter or myself, then do a search in the rules tab for that app. Your result should appear in the logs; double-click the log entry to bring up the rule for that app.
     
  10. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    Nope, notepad.exe opened directly. Now the question, how do I rebuild my ruleset?

    Perhaps just re-install MD and not put it in "Learning mode"? I don't mind pop-ups for a while as long as I have a strong rule-set. This is the way I used to configure SSM. While it was a pain for a while, it definitely paid off in the end.

    thanks guys

    ...screamer
     
    Last edited: Feb 14, 2009
  11. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    You do not need to uninstall it, just shut down MD, browse to the MD's folder and delete rules.dat and rules.bak
     
  12. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA

    Great, thanks tony
     
  13. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Under Application Rules - Normal, double click the first rule * and have a look at the Permissions tab. The create new processes should be 'ask'.
     
  14. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    922
    Location:
    Big Apple USA
    Ahh, great. I never thought I'd be happy to see pop-ups hehehe

    ...screamer
     
  15. wat0114

    wat0114 Guest

    Agreed! Two days maybe -maximum- but two weeks is way too long.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    A- Waaay to go, Screamer. I applaud your persistence.

    B- Some folks try a HIPS then give up at the first sign of complexity. Thus, they cut themselves out from having the added protection that HIPS give -- a degree of added protection that is well beyond the protection afforded by signature-based antivirus programs.

    C- HIPS are especially valuable in protecting us against 0-day threats (malwares that are so new that antivirus programs do not yet have signatures that cover them.)

    D- Malware is getting increasingly sophisticated, with new types of threats appearing almost daily such as polymorphics & (even worse) metamorphics.

    E- Thus, signature-based security applications need help because they can't usually handle 0-day threats & are struggling to keep up with new threat techniques (morphing stuff etc). HIPS applications are an added security layer that can help protect against 0-day stuff & the new wave of threats.

    F- Sadly, there is not yet any HIPS that can be considered a truly "Smart HIPS." Thus, much of the burden for answering alerts (permit? deny? quarantine? etc?) still remains with the user. This is true for Malware Defender (MD) and is equally true for all other HIPS that I know of.

    G- As of this moment, I consider MD to be THE best of all HIPS because:
    (1) Support is superb! Xiaolin quickly responds to requests for help which can be submitted by direct email to <support at torchsoft.com>, &/or (just a tad slower) by posting to this forum.

    (2) This forum offers a friendly and helpful community of fellow-users of MD, many of whom are fairly adept at technical matters. Best of all, the proponent of MD (Xiaolin himself) monitors & posts to this forum. There is also an active forum in the Chinese language at THIS website which, thanks to THIS translation site (& others) can be translated into English or other languages.

    H- Even so, it is my opinion that even a good HIPS such as MD won't be enough protection if someone is a "risky surfer", or has a computer set-up where infection would be a job-threatening catastrophe. In such circumstances, I believe that NO single security application will be sufficient.

    I- In light of this situation, the security layers that I now use (in order of priority) are as follows...

    1- My first line of protection is an imaging program. I image to an external Hard Drive at least twice weekly as well as just prior to making any major change to my computer (such as installing software, partitioning, defragging, registry cleaning, etc). I always retain about 2 months of the most recent images.

    2- Incoming firewall (a router with Stateful Packet Inspection)

    3- SandboxIE for all internet-facing apps.

    4- Malware Defender (This HIPS also provides Network Protection which supplants the need for having an outgoing firewall.)

    5- Antivirus

    J- In any event, my main point is this -- a HIPS is an essential security application. Until "smart HIPS" come along (and I feel sure that they WILL come), I believe it is the wise user who will take the little bit of time and effort needed to master use of one of the current crop of HIPS. For reasons given above, my choice is Malware Defender. Your mileage may vary.

    K- Forgive me for preaching to the choir and for being long-winded to boot. It's a topic that fascinates me & sometimes I get carried away. :blink:

    Aloha from Hawaii,
    bellgamin
     
  17. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    xiaolin,

    1) Is the next version of MD going to be the version where you plan on enhancing the File Rules - Write access to have the option:

    ..... Of choosing whether to specify a rule to apply to any type of Write access (as current version) - or - optionally, specifying a rule to apply to the separated Write accesses of Create, Modify, Delete ??

    2) Have you decided or are you considering the enhancement of adding an "option" to the Application Rules panel where one could "optionally" check that this particular application should run with LUA Rights ?
     
  18. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Yes, the next version will separate file Write access to Create, Write, Delete.

    If the Create action is allowed, the following write actions will be allowed before the file is closed.

    Thanks for the suggestion. I will think about it. :)
     
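    The Create-then-Write semantics xiaolin describes, as an added Python model (not Malware Defender's code; the rule fields, the handle bookkeeping and the prompt callback are assumptions) showing the caveat a rule author should keep in mind: permitting Create also lets the creator fill the new file without a Write prompt until the handle is closed.

```python
from dataclasses import dataclass

PERMIT, ASK, DENY = "permit", "ask", "deny"

@dataclass(frozen=True)
class FileWriteRule:
    create: str  # write access split three ways, as announced for the next version
    write: str
    delete: str

class FileAccessMonitor:
    """Toy per-handle evaluator (an assumed model, not Malware Defender's code)."""

    def __init__(self, rule, ask):
        self.rule = rule
        self.ask = ask             # callback standing in for the user's answer to an 'Ask' prompt
        self.open_created = set()  # handles obtained through a permitted Create, not yet closed

    def _decide(self, op, action):
        return self.ask(op) if action == ASK else action == PERMIT

    def create(self, handle):
        ok = self._decide("create", self.rule.create)
        if ok:
            self.open_created.add(handle)
        return ok

    def write(self, handle):
        if handle in self.open_created:  # implicit grant: the Write rule is never consulted
            return True
        return self._decide("write", self.rule.write)

    def delete(self, handle):
        return self._decide("delete", self.rule.delete)

    def close(self, handle):
        self.open_created.discard(handle)  # later writes to the path go through the Write rule

def demo():
    # Create = Permit, Write = Ask, Delete = Ask; the simulated user denies every prompt.
    prompts = []
    def deny_all(op):
        prompts.append(op)
        return False
    mon = FileAccessMonitor(FileWriteRule(PERMIT, ASK, ASK), deny_all)
    mon.create("h1")
    before_close = mon.write("h1")  # True, and no prompt: content lands in the new file unasked
    mon.close("h1")
    after_close = mon.write("h1")   # False: now the Write rule prompts and the user denies
    return before_close, after_close, prompts
```

    The practical consequence for a ruleset is that a file rule meant to watch writes to a location must also control Create there, otherwise the prompt only fires for writes to files that already existed.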
  19. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    I've been trying out MD 2.0.5 under Vista, but no success here.
    I've let it run in learning mode for a couple of reboots.
    Everything works fine as long as it is running in learning mode,
    but as soon as it is in normal mode and I do something for which no rule
    has been created yet, MD locks up completely and takes my whole OS into a stall. Nothing left but a hard reset. So, I had high hopes of having a replacement for SSM under Vista, but for me it is completely useless :doubt:
     
  20. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hard to tell what the problem might be without more details. Some things to look at...

    1. Does your system freeze when MD's alert pops up? If it does, do MD's hot keys still work?

    2. Are you logging in as a limited user?

    3. What other security apps are running?

    4. Are you running any shell customization like WindowBlinds or even custom mouse/keyboard drivers and software (like Logitech or Synaptics)?

    5. Have you tried a clean install of MD after deleting the contents of \Program Files\Malware Defender and followed that by a thorough learning mode? A couple of reboots is not sufficient to build a comprehensive ruleset. I usually stay in learning mode for about 48 hours of normal usage.

    I've been running MD, including all betas, on three different Vista systems for more than six months and have seen only a few minor (and quickly fixed) bugs. My security setup is lean: MD + Sandboxie + SRP.
     
  21. demonon

    demonon Guest

    How well does MD run in a LUA environment?
    I want to use it as a firewall.
     
  22. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    Problem seems to be gone after an (easy, great!) uninstall and re-install.

    This tool behaves great! I would say it has already surpassed SSM, enormous props to xiaolin, will register when trial period ends! :)
     
  23. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Based on some quick testing, I saw no problems running MD under a Vista LUA/Standard account. The user interface (MalwareDefender.exe) is not available when you first log in. MD's rules are enforced silently. That's normal behavior since the user interface requires admin privileges. You need to execute it manually and provide an admin password. Once the interface is available, you can interact with MD as you would under an admin account.
     
  24. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    Hi,

    I have a question for xiaolin. It has come to my attention that the default permissions are all on "Ignore" by default, as seen in the screenshot.

    Is that a wise default setting, and if not, how can we make the default to be set to "Ask" for all current and upcoming rules please?

    Screenshot
     
  25. wat0114

    wat0114 Guest

    Hi DOSawaits,

    check your main rule: "Application Rules - Normal"; by default it should be set to "Ask" except, if I remember, "Execute Permission" is set to "Permit".
     