MALWARE DEFENDER SETUP TIPS

Discussion in 'other anti-malware software' started by Kees1958, Dec 3, 2008.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I found Comodo with D+ very easy to configure and strong :thumb: love it
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Agree jmonge, but out of respect for Kees, I will stay on Kees' topic of Malware Defender setup and not get into the Comodo thing, but thank you. :thumb:
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Thank you Kees-sensei. It's a beautiful, scholarly job as always.

    I adopted all the suggested settings in your posts #1 & 2, as well as some of those in your subsequent posts.

    All my "internet facing apps" automatically run in Sandboxie. Thus, I don't need "containment." Further, I have been using MD for 2 months (since early Oct 2008) & have never been bothered by excessive pop-ups. I fully trained MD (in learning mode) for a few days, then put it into normal mode. Since that time, pop-ups are very rare, and MD's alerts are always limited to reporting those activities which are significant &/or unexpected. So I have not found MD to be a hassle but, instead, a valuable watchdog & security advisor.

    However, I must note that I disable MD while installing. Of course I only install after taking several precautions including (for example): (1) installing in shadow mode, (2) pre-installation imaging, & -- MOST IMPORTANT -- (3) throwing salt over my left shoulder 3 times while facing east & wiggling my ears.
     
    Last edited: Dec 3, 2008
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, the latter is the most important IMO. :D

    Maybe Xiaolin can provide such a containment group by default. The scary thing about a HIPS in learning mode is that you allow everything. With the general rule protecting against the worst things and the containment application group, new MD users can be sure of a 'safe' learning time.

    I have now set the file groups to default deny
    - system files
    - system configuration files
    - system executable files

    Also for the registry groups (default deny)
    - Auto start locations
    - System settings
    - Start Extra
    - Network settings

    Cheers Kees
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    With OA Paid you are fine, use the "do not warn" in combination with "run safer". Also because Tony Klein helped Mike out with start-up entries protection (Tony was once a power user providing configs for RegDefend).

    About Paragon pop-ups: Yes, most classical HIPS (like D+) have hierarchical rule setups separating file, registry and application protection. MD truly has a matrix-based rule granularity.

    Regards K
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Matrix-based like NetChina
     
  7. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    I will.

    And thanks for the tips.:)
     
  8. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Yes, the system silently denies rules which have an ASK option.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx, I found out when testing; maybe you can sharpen the help text. The reason for asking is that PERMIT is also an option.

    "When using silent mode, Malware Defender will not ask user, all the actions that are not permitted will be denied"

    into

    "When using silent mode, Malware Defender will not ask user, it will silently deny rules which have an ASK option"


    I also found out that when you assign a password and unlock the user interface, it will be locked again after the next re-boot. This is not wrong, only to get it back into booting in another mode again I had to erase the password. This was not clear to me immediately.

    Great program, I hope/wish you will financially manage with a life time licence proposition in the HIPS market.

    Cheers Kees
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Great!

    Containment of threat gates and outbound protection are the way to go for classical HIPS to allow them to cross over into larger market segments of the security industry. It will also make your product suitable for a larger public.

    Cheers Kees
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, NetChina claimed the term, but Malware Defender has a more sophisticated matrix on File - Registry - Application level. NetChina has an advantage in another area, because it is a hybrid FW + HIPS (a good + fast FW also); my guess is that Xiaolin is working on that (FW) also!
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    OK, I see now what you're saying, thanks
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Cool :cool: I can't wait :D
     
  14. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Kees1958,

    Please excuse my newbie questions, (and unfamiliarity with MD), but just as a clarification for me, I have a few questions about the MD setup example you provided:

    RE: Setup Tips example:

    1. Into which folder(s) did you add the "Extra file protection" entries under "Global File Rules", or did you create a folder for it and perhaps place it as the last folder under the Global File Rules ?

    2. Same question, as above, for "Extra registry protection". Which folder(s) did you add these entries into ?

    3. Also, where you indicated "c:\programs \*;*.bat", I was wondering shouldn't this be "c:\Program Files\*;*.bat", ... etc. ?

    4. In Malware Defenders, File rules box, you show file access Read, Write; but where is access "Delete". Does MD have a Delete protection or is Delete action included in the "Write" action ?


    ..... RE: MD in General:

    5. BTW, ... Does MD have an option for monitoring dll loading ? If not, is it not needed because:
    a) File Rules for system folders or application folders would alert on an attempt to modify or replace an existing dll ?
    b) Or does MD checksum existing exe's and dll's and alert if their checksums changed, due to being replaced with a modified version of the same file ?

    6. Does the General permission of "Access data of other processes" cover attempts of process modification by means of code injection ?


    Thanks in advance, for my newbie basic questions !
     
  15. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Let me answer some questions. :)

    Create and delete actions are included in the Write actions.

    I will separate the create/delete from the write action in a future version.

    MD cannot monitor dll loading, and no checksum verifying feature.

    I will consider adding such features. The exe and dll files can be protected by the file rules now.

    Access data of other processes - write memory of other processes, change memory attributes of other processes, or duplicate handle from/to other processes.

    Control other processes and threads - create remote threads, terminate/suspend/modify threads, terminate/suspend processes, or debug processes.

    You can find this information in the help file.

    Thx.
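    The rule semantics described across this thread (default-deny file and registry groups in post 4, silent mode turning an ASK into a deny in posts 8 and 9, Write covering create and delete and the corrected `c:\Program Files\*;*.bat` pattern in posts 14 and 15), modelled as a small Python policy evaluator. This is an added example, not Malware Defender's code, rule format or exact behaviour; the group patterns, the proxomitron path and the choice to have protected groups deny writes even in learning mode (the "safe learning time" Kees asks for, not a confirmed MD feature) are assumptions made for illustration.

```python
"""Constructed toy model of the HIPS rule matrix discussed in this thread.

Added illustration only, not Malware Defender's code or rule format. It models:
  * rules keyed by application x resource x action with PERMIT / DENY / ASK
  * resource patterns such as "c:\\Program Files\\*;*.bat" (";"-separated globs)
  * Write covering create and delete (xiaolin's answer above)
  * default-deny groups for system files and autostart registry keys
  * modes: learning permits and records, normal asks, silent turns ASK into DENY
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PERMIT, DENY, ASK = "permit", "deny", "ask"
LEARNING, NORMAL, SILENT = "learning", "normal", "silent"

# Create and delete are folded into Write, as the MD author states above.
ACTION_ALIASES = {"create": "write", "delete": "write"}


def normalize_action(action: str) -> str:
    action = action.lower()
    return ACTION_ALIASES.get(action, action)


def match_any(pattern_list: str, value: str) -> bool:
    """Case-insensitive glob match against a ';'-separated pattern list."""
    value = value.lower()
    return any(fnmatchcase(value, p.strip().lower())
               for p in pattern_list.split(";") if p.strip())


@dataclass
class Rule:
    app: str       # glob over the process image path, "*" for any application
    resource: str  # ';'-separated globs over file paths or registry keys
    action: str    # read / write / execute (create and delete map to write)
    verdict: str   # PERMIT, DENY or ASK


@dataclass
class HipsPolicy:
    rules: list = field(default_factory=list)
    # Default-deny groups: name -> pattern list (patterns here are hypothetical).
    protected_groups: dict = field(default_factory=dict)
    mode: str = NORMAL

    def evaluate(self, app: str, resource: str, action: str) -> str:
        action = normalize_action(action)
        # 1. Explicit rules win; first match in list order.
        for r in self.rules:
            if (fnmatchcase(app.lower(), r.app.lower())
                    and match_any(r.resource, resource)
                    and r.action == action):
                return self._finalize(r.verdict)
        # 2. Default-deny groups block any write (incl. create/delete) to a
        #    protected resource, even in learning mode (assumed behaviour).
        if action == "write" and any(match_any(pat, resource)
                                     for pat in self.protected_groups.values()):
            return DENY
        # 3. Learning mode permits everything else and records a permit rule.
        if self.mode == LEARNING:
            self.rules.append(Rule(app, resource, action, PERMIT))
            return PERMIT
        return self._finalize(ASK)

    def _finalize(self, verdict: str) -> str:
        if verdict != ASK:
            return verdict
        if self.mode == SILENT:      # silent mode never prompts: ASK becomes DENY
            return DENY
        if self.mode == LEARNING:    # learning mode allows what would be asked
            return PERMIT
        return ASK


def demo_policy(mode: str = NORMAL) -> HipsPolicy:
    """Sample policy built from patterns mentioned in the thread (constructed)."""
    return HipsPolicy(
        rules=[
            # proxomitron may write inside its own folder (hypothetical path)
            Rule("*\\proxomitron.exe", "c:\\program files\\proxomitron\\*", "write", PERMIT),
            # any execution from Program Files or of a .bat file prompts the user
            Rule("*", "c:\\Program Files\\*;*.bat", "execute", ASK),
        ],
        protected_groups={
            "System executable files": "c:\\windows\\*.exe;c:\\windows\\*.dll;c:\\windows\\system32\\*",
            "Auto start locations": "hklm\\software\\microsoft\\windows\\currentversion\\run*;"
                                    "hkcu\\software\\microsoft\\windows\\currentversion\\run*",
        },
        mode=mode,
    )


if __name__ == "__main__":
    p = demo_policy(SILENT)
    # A .bat launched in silent mode: the ASK rule is silently denied.
    print(p.evaluate("c:\\windows\\explorer.exe", "c:\\users\\kees\\downloads\\setup.bat", "execute"))
```

    The point to take from running it is the mode comparison: the same `.bat` execution comes back ASK in normal mode, DENY in silent mode and PERMIT in learning mode, while a write to a protected autostart key is denied regardless of mode because the group check runs before the learning-mode fallback.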
     
  16. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I'm satisfied with this approach. It fits my risk profile. It's proactive...existing legitimate dll/exe/other system files are protected while new dll/exe/other system files are prohibited from being written to disk without permission. Depending on file hash monitoring is reactive because the damage (file creation) has been done.

    Nick
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    In fact, MD can be configured to protect any and all file extensions that I want to protect (not just dll & exe). Also, MD can be configured to protect any & all files &/or file folders that I choose to protect. Shazam!
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have added pictures in posts 1 and 2. Yes, I created new groups.


    You are absolutely right :oops: :oops: :oops:

    Cheers Kees
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Xiaolin,

    I have a few feature requests

    1. Add the containment application group (you already promised)
    2. Have a look at my extra registry protection group and decide what to
    move to System settings or Auto start registry group or skip it

    3. Provide the contained application group with the following features
    a) Run applications in Group with limited rights
    b) Roll back (Undo) any autostart changes after programs closes
    c) Roll back (Undo) any registry changes after program closes


    I am starting to like MD more and more :thumb: The temporary rules created for executions in the TEMP directory are a great solution for not polluting your rule set. :thumb:
     


  20. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Thanks for the suggestions.

    I will.

    This is something like sandbox. I will do some research after the network protection feature is finished.
     
  21. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    Hey guys, I am giving Malware Defender a try, and have run into some problems. During normal mode, I ran Proxomitron, whereupon MD asked for permission - I made a permanent rule to allow proxomitron.exe, but it never came up. Then I looked in Process Explorer and saw that Proxomitron was running, but had no window nor did it show up in the system tray; definitely something is wrong there. Also, when I used Process Explorer to kill a task, MD asked for permission, but once I gave Process Explorer permission to kill a task, my system locked up and I had to do a hard reboot - again, something wrong there.

    Anyone have any ideas as to what may be wrong? All software doesn't work on all systems, and this may just be a case of incompatibility.

    thanks in advance:thumb:
     
  22. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    OK, last night I decided to give Malware Defender a run again at its default settings. What I did this time was leave it in learning mode and open or run my most frequently used apps, then I switched back to normal mode and no pop-ups like my first run with MD. I guess I must have switched to normal mode too soon the first time around and did not give enough time for MD to learn my system, which is why the pop-ups were overwhelming. That said, it's quiet now, I like it. :thumb: I assume the default settings are good enough, or is there anything that should be changed?
     
    Last edited: Dec 6, 2008
  23. wat0114

    wat0114 Guest

    It could be incompatibility or...

    ...you may need to run in Learning mode for a while. From my so far brief experience with MD, I have found, more than with any other HIPS I've used, that this step is so important with MD in avoiding problems similar to what you've described. Hopefully this can work for you.
     
  24. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    wat, I understand what you're saying, but even after using learning mode, sometimes things are gonna come up that weren't dealt with in learning mode; they're gonna occur during normal mode. What it looks like to me is that Malware Defender doesn't do well with applications that it doesn't already have rules for o_O I mean if I go and run an application that I didn't run during learning mode, Malware Defender is gonna cause a system lockup o_O ?
     
  25. wat0114

    wat0114 Guest

    Fair enough; I have found MD to be tough on some actions it has no rules for yet. One other fix you could attempt is to check MD's logs at the bottom after this happens, look for "Denied" entries, then right-click it and choose: "Create a permit rule" for this action, (or something to that effect as I'm not at a pc with MD on it atm).
     