Malware Defender 2.7.3 Free and Chkdsk Issue

Discussion in 'other anti-malware software' started by Rickster100, Aug 6, 2011.

Thread Status:
Not open for further replies.
  1. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    Hello Everyone,

    I have been having a play with the latest version of Malware Defender for a few weeks now; having used SSM for many years I think it's time to look for an alternative classical HIPS for my XP setup.

    However, testing MD on a clean, freshly installed image of XP Pro SP3 with latest MS updates and with no security software installed I have found that even with rules created in learning mode I am unable to perform a chkdsk operation on the system drive of my PC. Subsequently removing MD and rebooting the PC allows the chkdsk operation to perform successfully.

    I would assume that learning mode would create the necessary rules automatically for the chkdsk function to take place, but on this fresh image this is not happening. The MD and system logs do not appear to show the reason why chkdsk is not working. I have a second internal HD also on the PC which is able to do the chkdsk function successfully on a reboot with MD installed. Even disabling all the real-time protection modules does not solve the problem; only when MD is removed will the chkdsk commence.

    If anyone who is a long term user of MD can offer any suggestions I would appreciate any advice or help you can offer. Thank you in advance.
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Strange, it should be working. It works for me on SP3 with the following log entries. Do you see all of these?

    8/6/2011 21:34:05 Create new process Permitted
    Process: c:\windows\explorer.exe
    Target: c:\windows\system32\cmd.exe
    Cmd line: "C:\WINDOWS\system32\cmd.exe"
    Rule: [App]*

    8/6/2011 21:34:09 Create new process Permitted
    Process: c:\windows\system32\cmd.exe
    Target: c:\windows\system32\chkdsk.exe
    Cmd line: chkdsk
    Rule: [App]*

    8/6/2011 21:34:10 Read physical disk Permitted
    Process: c:\windows\system32\chkdsk.exe
    Target: \Device\HarddiskVolume1
    Rule: [App]*

    8/6/2011 21:34:35 Send message to another process Permitted
    Process: c:\windows\system32\services.exe
    Target: c:\windows\system32\csrss.exe
    Message: WM_DEVICECHANGE
    Rule: [App]c:\windows\system32\services.exe
     
  3. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    Hello Scoobs72,

    You are running "chkdsk" from the command prompt; in this case chkdsk can only READ the disk, and I get similar MD log entries.

    C Drive chkdsk (via command prompt) MD Log:

    06/08/2011 23:58:44 c:\windows\system32\chkdsk.exe Read physical disk \Device\HarddiskVolume1 Permitted [App]*

    The issue I have is when running chkdsk as a scheduled task by right clicking the C drive in My Computer -> Properties -> Tools -> Error Checking for example when you have to reboot. When you run it from the command prompt "chkdsk.exe" only READS the disk ("read only mode") as indicated in the prompt box dialogue. But when performing it on a reboot the chkdsk command uses "autochk.exe" to WRITE to the disk.

    Did you also try running chkdsk /F whilst at the command prompt? That would mean forcing a chkdsk on reboot using "autochk.exe".

    C Drive chkdsk /F (via command prompt) MD Log:

    06/08/2011 23:31:23 c:\windows\system32\chkdsk.exe Write physical disk \Device\HarddiskVolume1 Permitted [App]*
    [The log shows this entry, but autochk.exe still fails to run on the C drive on reboot].


    In my case the MD logs show autochk.exe writing to my D drive because it performs the chkdsk perfectly on that drive. But I am not seeing any entries in the MD log regarding the failure of the C drive chkdsk task on reboot.

    D Drive chkdsk -> "autochk.exe" MD Log:

    06/08/2011 23:56:52 c:\windows\system32\autochk.exe Write physical disk \Device\HarddiskVolume4 Permitted [App]*

    Can you perhaps try performing a scheduled task on your system drive to see if it will actually perform the disk check on reboot using "autochk.exe"? You can then check to see if the MD logs show any details. Also, MD's default permissions for "autochk.exe" seem correctly set for read and write access.

    Thanks for your reply, I will continue to take a look at this.
     
    Last edited: Aug 6, 2011
  4. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    I had an issue with chkdsk running on reboot and if I recall correctly it was because there was no rule allowing "c:\windows\system32\smss.exe" to launch "c:\windows\system32\autochk.exe".

    I would suggest placing MD in Learning Mode, scheduling a chkdsk, and rebooting. This should ferret out the rule you're missing (assuming this is the issue). That's what helped me figure it out. Hope this helps...
     
  5. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    Hello 0strodamus,

    That's what I was doing; I even gave full permissions to both chkdsk.exe and autochk.exe but to no avail. I will try your other suggestion for smss.exe. Yesterday I even made a brand new image of XP with only up to date MS updates and absolutely no non-Microsoft software installed except for MD. Didn't make any difference. Chkdsk /F still works on my other HD on this machine on reboot; it's just this system drive issue! It's strange that MD isn't making the correct rules in learning mode for the system drive on my home machine. No one else seems to be having an issue with this as they haven't chimed in, but I'm starting to run out of ideas.

    Xiaolin has been PMed, but he cannot reproduce the issue so far. Thanks for your reply. I'll have another go at it tonight when I get home from work and chime back in once I have tried your further suggestion.

    Thanks.
     
  6. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    That is strange. I know how frustrating things like this can be and I hope you figure it out soon.
     
  7. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    I tried granting full permissions also to smss.exe as per your suggestion but that has not worked either. It is strange and it should work at the very least on a clean image, but it simply will not work for me. Maybe there's some kind of conflict going on somewhere in my setup, or maybe it's an MD bug, but no one else is chiming in.

    To summarise: MD is not allowing "autochk.exe" write access on my system drive, on a clean fresh installation of XP Pro fully updated (nor on any of my other saved images), in learning mode or by granting full permissions to chkdsk.exe and autochk.exe. It's a bit of a mystery; uninstalling MD allows the chkdsk operation to write to the system drive on a reboot, completing the task.

    Now I am out of ideas. Thanks for your help all the same!
     
  8. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Have you got "Log all denied actions" ticked? When I try a chkdsk /f it works fine and I get:

    8/11/2011 20:26:20 Write physical disk Permitted
    Process: c:\windows\system32\chkdsk.exe
    Target: \Device\HarddiskVolume1
    Rule: [App]*

    8/11/2011 20:27:00 Set registry value Permitted
    Process: c:\windows\system32\chkdsk.exe
    Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
    Data: autocheck autochk *
    Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; BootExecute

    8/11/2011 20:27:54 Read physical disk Permitted
    Process: c:\windows\system32\autochk.exe
    Target: \Device\HarddiskVolume1
    Rule: [App]*

    8/11/2011 20:27:54 Read physical disk Permitted
    Process: c:\windows\system32\autochk.exe
    Target: \Device\HarddiskVolume1
    Rule: [App]*

    8/11/2011 20:27:54 Read physical disk Permitted
    Process: c:\windows\system32\autochk.exe
    Target: \Device\HarddiskVolume1
    Rule: [App]*

    8/11/2011 20:29:10 Read physical disk Permitted
    Process: c:\windows\system32\autochk.exe
    Target: \Device\HarddiskVolume1
    Rule: [App]*

    8/11/2011 20:29:10 Read physical disk Permitted
    Process: c:\windows\system32\autochk.exe
    Target: \Device\HarddiskVolume1
    Rule: [App]*

    8/11/2011 20:29:10 Read physical disk Permitted
    Process: c:\windows\system32\autochk.exe
    Target: \Device\HarddiskVolume1
    Rule: [App]*
     
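    The entries above, together with the explanation in post 3 (chkdsk /F sets the BootExecute value so that autochk.exe does the real work at the next boot), describe a short chain of events that a boot-time disk check has to leave in the MD log. The following added example (not part of Malware Defender or of this thread) parses MD's multi-line log format as quoted here and reports which link of that chain is missing or denied, which is the check a reader would want when, as in this thread, the log stays silent. The sample entries are constructed from the format in the posts; the "Denied" entry is hypothetical, since no denied action was ever logged in the thread, and the volume name `\Device\HarddiskVolume1` is taken from the quoted logs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VOLUME = r"\Device\HarddiskVolume1"  # system drive as named in the thread's logs

# Constructed sample entries in the multi-line format quoted in the thread.
ENTRY_CHKDSK_WRITE = r"""8/11/2011 20:26:20 Write physical disk Permitted
Process: c:\windows\system32\chkdsk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*
"""
ENTRY_BOOTEXECUTE = r"""8/11/2011 20:27:00 Set registry value Permitted
Process: c:\windows\system32\chkdsk.exe
Target: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
Data: autocheck autochk *
Rule: [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; BootExecute
"""
ENTRY_AUTOCHK_READ = r"""8/11/2011 20:27:54 Read physical disk Permitted
Process: c:\windows\system32\autochk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*
"""
ENTRY_AUTOCHK_WRITE_OK = r"""8/11/2011 20:27:55 Write physical disk Permitted
Process: c:\windows\system32\autochk.exe
Target: \Device\HarddiskVolume1
Rule: [App]*
"""
# Hypothetical entry: what a blocked autochk write would look like (never seen in the thread).
ENTRY_AUTOCHK_WRITE_DENIED = ENTRY_AUTOCHK_WRITE_OK.replace("Permitted", "Denied")

LOG_OK = "\n".join([ENTRY_CHKDSK_WRITE, ENTRY_BOOTEXECUTE, ENTRY_AUTOCHK_READ, ENTRY_AUTOCHK_WRITE_OK])
LOG_DENIED = "\n".join([ENTRY_CHKDSK_WRITE, ENTRY_BOOTEXECUTE, ENTRY_AUTOCHK_READ, ENTRY_AUTOCHK_WRITE_DENIED])
LOG_SILENT = "\n".join([ENTRY_CHKDSK_WRITE, ENTRY_BOOTEXECUTE])  # autochk never logged, as in the thread

# Header line: date, time, multi-word action, verdict.
HEADER = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}) (\d{1,2}:\d{2}:\d{2}) (.+?) (Permitted|Denied)$")


@dataclass
class Entry:
    timestamp: str
    action: str
    verdict: str
    fields: Dict[str, str] = field(default_factory=dict)

    def process_name(self) -> str:
        """Basename of the Process field, lower-cased (e.g. 'autochk.exe')."""
        return self.fields.get("Process", "").lower().rsplit("\\", 1)[-1]


def parse_md_log(text: str) -> List[Entry]:
    """Split the log into entries: a header line followed by 'Key: value' lines."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = Entry(f"{m.group(1)} {m.group(2)}", m.group(3), m.group(4))
            entries.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current.fields[key] = value
    return entries


# The three things a scheduled chkdsk /F must leave in the log, in order.
STEPS = ("chkdsk sets BootExecute", "autochk reads volume", "autochk writes volume")


def matches(step: str, e: Entry, volume: str) -> bool:
    name, target = e.process_name(), e.fields.get("Target", "")
    if step == STEPS[0]:
        return (name == "chkdsk.exe" and e.action == "Set registry value"
                and target.lower().endswith("\\bootexecute")
                and "autochk" in e.fields.get("Data", "").lower())
    if name != "autochk.exe" or target.lower() != volume.lower():
        return False
    return e.action == ("Read physical disk" if step == STEPS[1] else "Write physical disk")


def check_chain(entries: List[Entry], volume: str = VOLUME) -> Dict[str, Optional[Entry]]:
    """Map each step to its log entry (a Denied entry wins over a Permitted one), or None."""
    found: Dict[str, Optional[Entry]] = {s: None for s in STEPS}
    for e in entries:
        for s in STEPS:
            if matches(s, e, volume) and (found[s] is None or e.verdict == "Denied"):
                found[s] = e
    return found


def diagnose(text: str, volume: str = VOLUME) -> List[str]:
    """Describe each missing or denied step; an empty list means the chain is complete."""
    problems: List[str] = []
    for step, e in check_chain(parse_md_log(text), volume).items():
        if e is None:
            problems.append(f"{step}: no log entry (never reached MD, or not logged)")
        elif e.verdict == "Denied":
            problems.append(f"{step}: Denied at {e.timestamp} by rule {e.fields.get('Rule', '?')}")
    return problems


if __name__ == "__main__":
    for label, log in (("ok", LOG_OK), ("denied", LOG_DENIED), ("silent", LOG_SILENT)):
        print(label, diagnose(log) or ["chain complete"])
```

Running it prints a complete chain for the first sample, a denied write for the second, and "no log entry" for both autochk steps in the third, which is the shape of the problem reported in this thread: when a step is absent rather than denied, the log cannot tell you which rule is responsible, so the "Log all denied actions" option on its own is not enough to narrow it down.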
  9. LODBROK

    LODBROK Guest

    Stop torturing yourself and un-check "Run Malware Defender when Windows starts" in Options, do your chkdsk thing and re-check it.

    Or far far better yet, just boot off your Windows CD and run chkdsk in the Recovery Console every few months and be done with it.
     
  10. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    With that option enabled, no denied action logs are showing with this issue.
     
  11. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    I'm certainly not "torturing myself" about this issue, I am merely curious as to why it isn't working when it should. As stated previously, the chkdsk task will only take place on the system drive when MD is uninstalled.

    It's certainly not a deal closer for me as far as MD is concerned; simply saving the ruleset and uninstalling isn't such a big hassle, and as you rightly pointed out running chkdsk is something that is run every once in a while. I just wanted to share my experiences with MD regarding this particular issue with the Developer and other forum members for the record.

    Thanks to all who chimed in with their suggestions.
     