Malware Defender and Matousec's latest tests

Would Malware Defender fair any better on Matousec's latest tests with customized rules or will program updates be the only way to block the attack vectors that Matousec found? I'm surprised to see Kaspersky so high this time and would like to see MD take #1!

 

I'm only new to MD and no malware expert, but by looking at where MD failed it appears yes the results could be improved with custom rules, and others may need updates.

For example on this page it failed DNStealer which says:

With MD we can decide what's trusted, so that could pass with rules. So i'm sure with a hardened rule set MD could shake the top of the charts.

 

I am mystified -- WHY are Matousec's firewall tests considered valid when applied to HIPS (non-firewalls)? I hope that Xiaolin &/or Ilya or others of similar competence will comment.

 

Because they're essentially HIPS tests, and have little to do with firewalls.

 

Yes I do believe that with xtra configuration MD would do much better.

Remember these tests are all about controlling the Behavior after the executables have been given to permission to run.

If MD denied the creation of the executable files and denied them from running in the first place then MD would obviously pass 100 percent.


quote
Description: DNStester tries to determine whether the tested product filters DNS queries from an untrusted process.

well that's easy if you are running an untrusted Process you would obviously limit its permissions like blocking it from accessing the network, but then again why would you even allow untrusted Processes to run in the first place?? so even tho Matousec's says MD fails dnstester I consider it to be a pass.

 

I would like to hear what Xiaolin have to say about "bugs", (I would say) cheating (pass test's specific implementation vs. failed test's technique):

 

That's true, but it's the application's rogue behavior after launch that I'm wondering if MD would alert for. On the tests that Matousec lists as a fail, was it because the appropriate choice wasn't made to deny the action or is it because MD failed to even prompt the user with regards to that particular test's post-launch rogue activity? I know some other vendors supply comments on Matousec's website and was wondering what Xiaolin's thoughts are in regards to these results.

 

The MD's firewall cannot block some low level packets, so it failed the dns and echo tests.

I do not know why MD failed the SSS3 test, I cannot recreate it.

Other failed tests except crash7 are related to accessing COM objects. MD implemented the COM protection using ring3 hooks. The Matousec's test will restore ring3 hooks, and any protection for the ring3 hooks will be taken as a direct attack against the test, and will fail the test. I have no plan to change the implementation of COM protection yet, so MD will not get higher score in the near future.

Thanks

 

I don't care about this. MD is more of a classical HIPS not a firewall to filter low level packets.

 

^^ Agree ^^

 

I tested SSS3 against MD 2.2.2 on XP SP3 in several scenarios and MD passes every time. Depending on the scenario, SSS3.exe will hang and do nothing after MD denies shutdown or it will terminate and generate a text file with these results:

"Security Software Testing Suite - SSS3
Copyright by www.matousec.com, Different Internet Experience Ltd.
http://www.matousec.com/


ERROR: Unable to initiate the system shutdown.
Error code: 1115
Error message: A system shutdown is in progress.

YOUR SYSTEM PASSED THE TEST!"

 

cool nick

 

Drop each of those named test exes into the "Image File Execution Options" reg setting and use cmd or whatever as the debugger and not a single one will run.

100% every time.

 

Are you going to add this feature and when? RTD has it.

 

I hope so, these should be some great features