Malware Defender 2 beta

Discussion in 'other anti-malware software' started by xiaolin, Dec 29, 2008.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    It's a toughie but I now think this is my favourite HIPS...a see-saw with EQS.

    Xiaolin, thanks for all the obvious hard work you've been putting into this project :thumb:
     
  2. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    I installed it to test it out and I don't have the high cpu/crashing problems anymore.

    The only problem I seem to have is that in normal mode, when removing a folder with lots of contents, it keeps nagging about explorer.exe trying to delete a file.

    There's no option to allow Explorer.exe to delete something in general, or something similar.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nice and fast job indeed. :thumb: :thumb:
     
  4. wat0114

    wat0114 Guest

    That is one of MD's protective features. Note you can modify the rules to allow a more liberal change, but you should be careful not to allow too much in the wrong (critical) areas. See ss for example.
     

  5. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    Well I had that window and pressed the "..." and created a permanent rule... but the next item in line to be deleted showed me another message, and so on for 50 or so more XD
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    So far, no more fwpkclnt.sys-related BSODs here on Vista. Thanks for the fix and keep up the great work.

    Nick
     
  7. yasha

    yasha Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    22
    Hi,

    Testing the new MD2 beta...I have it in normal mode. My autostart applications won't start when I reboot computer. Any help on how to remedy this? Thanks.
     
  8. wat0114

    wat0114 Guest

    Hi Yasha,

    Yes, put MD in "Learning mode" for at least a day, preferably two. After putting it back to "Normal mode", check the logs at the bottom every now and again. If you see "Deny" entries that should be permitted, right-click them and choose "create permit rule" to fix it. MD is tough as nails and very unrelenting on anything that does not have all the permit rules necessary in place to allow it to do everything required.
     
  9. yasha

    yasha Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    22
    Hi Wat,

    Thanks for the tip! That solved it.
     
  10. wat0114

    wat0114 Guest

    You're welcome! Just play safe while in "Learning mode" :), since everything you do will be permitted by MD.
     
  11. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    I must admit that I'm starting to like (and actually use) MD. It may become a very nice piece of software. It somehow reminds me of good ol' Tiny Personal Firewall 4/5. But MD has a better GUI and, hopefully, will have fewer bugs.

    With MD 2b2 the rule window reliably pops up (i.e., the previously reported bug where MD freezes the machine does not show up anymore).

    Here is another small bug: Go to application rules. Right mouse click. You will see arrow up (decrease priority)/arrow down (increase priority). This is wrong. Arrow up means to increase the priority.

    And another comment: I would like to download AND SAVE the MS kernel symbols so that I can make an offline installation of MD. Moreover, I do not like to download the kernel symbols again if I uninstall and reinstall MD. What happens if MS does not offer these symbols anymore or screws up the Genuine Advantage check?
     
    Last edited: Jan 1, 2009
  12. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    I have another proposal for MD. The proposal relates to the creation of file rules.

    1. The reason for the proposal is as follows: I consider the creation of file rules too complicated. A few security freaks will understand it. But the normal user will not. Consequently, there is the risk that MD will not become a commercial success. See System Safety Monitor. See also Tiny Personal Firewall.

    2. In my opinion, the creation of granular file rules is nice because it allows you to control/monitor everything going on. Please do not remove this feature. However, for the average Joe a simpler (but also quite effective) strategy may be more appropriate.

    In my opinion, it is necessary to restrict file access mainly in respect of applications having network access ("Internet Applications").

    It should be possible to EASILY move ( = 1 mouse click) any applications for which network rules were created into the group Internet Applications. By default, such Internet Applications should only have access to their own program directory, the Windows directory, the desktop directory, and certain other commonly used directories (like my files etc.). Additional allow rules can be created on demand (e.g., if the browser uses a plug-in from a different application like QuickTime).

    It should be possible to create deny rules in a very simple manner: It should be sufficient to drag & drop confidential folders or entire partitions / hard drives with your mouse into an MD window called something like "Prohibited Folders". This procedure would have to be very easy and intuitive.

    3. The reason for the above concept is as follows: There are only a few file-infecting viruses left. The main danger is that an Internet Application is infected (code infection, DLL infection etc.). In such a case, it is important to restrict the file (read) access of the Internet Application to ordinary Windows folders. By contrast, Internet Applications should not have access to your personal data (pictures, Word documents, movies, game keys, serial numbers, mail directory, chat/instant messenger logs etc.), the autostart folder, or the folders of other applications.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Totally agree. :thumb:
     
  14. wat0114

    wat0114 Guest

    xiaolin, I was noticing I was creating the same rules over again. This happened after I reduced the permissions on the Program Files directory and everything below it in my Power User account to: Read & Execute; List folder contents; Read. I would create a Permanent rule, but then the rule would disappear after logging out/logging in again. If I created the rule under my administrative account, they stayed as expected. To fix the problem I modified the Malware Defender folder to add permissions: Modify; Write.

    So it seems, at least with this version, that rules created as Permanent do not stay if the directory for MD's installation is overly limited.
     

  15. wat0114

    wat0114 Guest

    I think it is right in its current function. Taken from the Help file:

    Application rules have highest priority. In other words, MD checks rules from the bottom->up - I believe. Someone will hopefully clarify this. It seems to me kees posted this somewhere but I can't find it :)

    *EDIT* Yes, Kees1958 did post this here. Check the screenshot in his first post. I'm sure he's right.
     
    Last edited by a moderator: Jan 1, 2009
  16. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @wat

    I am not talking about priorities between different groups. I am talking about priorities within the same group ( = Application Rules - Normal). Next to the status column there is a priority column. If you move up (arrow up) an application, the priority actually increases (let's say from 10 to 9). However, the text next to the arrow says that the priority decreases. This is contradictory.
     
  17. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    This is how to reliably crash MD 2b2 with the help of a stress test:

    1. Switch all global file rules to ASK. Enable MD learning mode.

    2. Take various directories with several thousands of small files (e.g., a 2 gig Adobe Lightroom 2 Preview Catalogue).

    3. Delete this catalogue via Windows Explorer with right mouse click; delete.

    4. The catalogue will be very slowly deleted. After a while MD will crash. I could repeat this bug three times.

    5. MD dump report says:

    malwaredefender caused an Access Violation (0xc0000005)
    in module C:\programme\malware defender\malwaredefender.exe at 0x7c80b142.

    FunctionName: GetVersionExW FunctionDisplacement: 0x24c

    Windows XP (5.1.2600) Service Pack 3
    2 processor(s), type 586.

     
  18. wat0114

    wat0114 Guest

    You may be right but I think it depends on the weight being given to the value. Does a higher number mean higher priority or lower priority? Look at the Application Rules - System and they are all assigned "57" (highest number) in my setup.
     
  19. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @wat Maybe you are right. It's just a little bit confusing. Normally, you would expect that priority no. 1 means highest priority. This is also indicated by the "arrow up" which makes you believe that the priority goes up. But apparently it is the other way round with MD. This is not intuitive. Not for the average joe.

    I agree, however, that it is not extremely important to change this behaviour.
     
  20. wat0114

    wat0114 Guest

    It is confusing because I usually think of up as higher priority, but it seems to be the way xiaolin has ordained the rules hierarchy, where things are processed by the bottom->up. He'll hopefully clarify.

    BTW, was it the two rules in the ss you changed to "Ask" in your crash test?
     

  21. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @wat

    Yes. And also for the sub groups like autostarts locations.

    @all

    I noticed another strange behaviour. At least, it's somewhat hard to understand/cumbersome. This time MD ran in normal mode. I tried to empty the recycle bin with a mouse click.

    Constantly, the permit/deny window popped up and asked me to create allow rules for a path like c:\recycler\s-1-5-21-1844237615-823518204-682003330-500\*

    However, this does not work. You still get dozens of allow/deny requests. I had to manually create the following rule in order to stop MD from asking:

    c:\recycler\*
    read: permit/ write: permit

    The rule assistant did not offer the possibility to easily create such a "normal" rule for the recycle bin.
     
    Last edited: Jan 1, 2009
  22. wat0114

    wat0114 Guest

    I understand your method of procedure in stress testing MD, but in its default protective settings, MD is already very militant against any and all application/file influences on the system configuration. I believe with all those "Ask" permissions in place, MD goes absolutely berserk trying to handle every possible scenario conceivable when you deleted that directory.

    However, I will admit I'm puzzled why it would have crashed in your first test, because you placed it in "learning mode", unless you had the option: "in learning mode, if an explicit "deny" rule is found..." enabled, and this specific rule was causing MD to go berserk. Maybe some other rule(s) over-rode the learning mode?

    On a side note regarding your test, it is possible to protect individual folders and their contents by creating a "File rule" and placing specific "Read" or "Write" restrictions on their contents.
     
  23. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    "unless you had the option: "in learning mode, if an explicit "deny" rule is found..." enabled, and this specific rule was causing MD to go berserk. Maybe some other rule(s) over-rode the learning mode?"

    Nope.
     
  24. spidey

    spidey Guest

    Xiaolin,

    I just wanted to let you know that I have noticed again with the v2.0.0 beta 2 release that I am having problems running a pre-boot chkdsk. I get an error that says something along the lines of "insufficient space to complete operation", although the disk has 118Gb free. The only way to get chkdsk to complete successfully is to disable Malware Defender from starting with Windows and reboot.

    Spidey
     
  25. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    You are right, the rules are processed from bottom to top. I will add a description in the help file.
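A toy model of the file-rule semantics discussed in this thread (the "Internet Applications" / "Prohibited Folders" proposal in post 12, the recycler rule from post 21, and xiaolin's confirmation that rules are checked from the bottom up), added here as an example that is not Malware Defender's own code. The recycler path is the one quoted in post 21; every other folder name and the second recycler subfolder are constructed placeholders, and the trailing-'*' matching is an assumption about how such rules behave.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class FileRule:
    pattern: str  # path pattern with a trailing '*', as in c:\recycler\*
    read: str     # "permit", "deny" or "ask"
    write: str

def _matches(pattern, path):
    # Windows paths are case-insensitive and '*' may span subdirectories (assumed).
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def decide(rules, path, access):
    """Verdict for one access ("read" or "write") to path.
    The list is scanned from the bottom up, as xiaolin confirms MD does,
    so the lowest matching rule wins; no match means a prompt ("ask")."""
    for rule in reversed(rules):
        if _matches(rule.pattern, path):
            return getattr(rule, access)
    return "ask"

# Post 21: the assistant's narrow SID-specific rule versus c:\recycler\*.
SID_RULE = FileRule(r"c:\recycler\s-1-5-21-1844237615-823518204-682003330-500\*", "permit", "permit")
BIN_RULE = FileRule(r"c:\recycler\*", "permit", "permit")

def recycler_prompts(rules):
    """How many deletions still prompt when emptying the bin (file paths constructed)."""
    paths = [r"c:\recycler\s-1-5-21-1844237615-823518204-682003330-500\dc1.tmp",
             r"c:\recycler\s-1-5-21-0000-constructed-sid\dc2.tmp"]
    return sum(decide(rules, p, "write") == "ask" for p in paths)

# Post 12: an "Internet Applications" profile. Broad permits for the usual
# folders sit at the top; the "Prohibited Folders" deny sits at the bottom so
# it is checked first. All folder names here are constructed placeholders.
INTERNET_APP_RULES = [
    FileRule(r"c:\program files\browser\*", "permit", "permit"),
    FileRule(r"c:\windows\*", "permit", "deny"),
    FileRule(r"c:\documents and settings\user\*", "permit", "permit"),
    FileRule(r"c:\documents and settings\user\my documents\*", "deny", "deny"),
]
PERSONAL_FILE = r"c:\documents and settings\user\my documents\serials.txt"

if __name__ == "__main__":
    print(recycler_prompts([SID_RULE]), recycler_prompts([BIN_RULE]))   # 1 0
    print(decide(INTERNET_APP_RULES, PERSONAL_FILE, "read"))            # deny
    # Moving the deny rule to the top (the "arrow" from post 11) lets the broad permit win.
    print(decide(list(reversed(INTERNET_APP_RULES)), PERSONAL_FILE, "read"))  # permit
```

The last two calls show why the arrow direction debated in posts 11, 16 and 18 matters: with bottom-up evaluation, a deny placed above a broader permit is never reached.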
     