Configuring Malware Defender The Easy Way

Discussion in 'other anti-malware software' started by arran, Sep 6, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    OK here are the instructions that everyone was asking about before. This is a ZERO POPUP setup, making it more user friendly. There are probably other MD users who already know about this. With this strategy of my setup you can have some apps locked down while at the same time having other apps in learning mode with zero popups. The main advantage of this is to be able to install new apps and install updates with zero pop ups without compromising system security by having to disable MD and put everything back in learning mode. MD is the only HIPS that I know of that allows you to do this. It's quite simple really.

    After you first install MD, tick these 2 boxes shown in the screenies below.

    in learning mode.JPG
    log all dined actions.JPG

    Then in the default applications create a new group called locked down apps or something similar, like I have done below.

    LD.JPG

    Then set all rules to deny except for the bottom 2, like I have done below.

    LD1.JPG

    OK so that's that setup. When apps first appear you will notice that by default they all have their rules set to ignore. DO NOT change them; leave them all on Ignore for every app. When you feel each app has had enough time in training mode, simply move each app 1 by 1 into the Locked down apps group. MD won't permit and create rules for apps in the locked down group. Any permit rules which were not created during the app's training period will be default denied and logged inside the locked down folder.
     
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Re: Configuring MD The Easy Way

    BLOCKING ALL OTHER UNKNOWN EXECUTABLES AND SCRIPT EXECUTABLES FROM RUNNING.
    Select deny in both boxes shown below. If you install new apps after this, to allow them to run you will need to add them to the white list
    by selecting new rule, application rule and setting it up in there. Or you can go into the logs and right click create permit rule. The create new process
    setting is to deny all apps in training as well as all system apps from creating any process.

    ex.JPG

    You will notice that by default, like in the screenie below, in each system app child process is set to ignore.
    DO NOT change that, because if you set it to ask or permit they will be able to execute new processes, which is what we don't want.
    It's kinda interesting how xiaolin has set these to default ignore.

    ig.JPG

    Now nothing else can execute and run.
     
  3. wat0114

    wat0114 Guest

    Re: Configuring MD The Easy Way

    Hi arran,

    thanks for the info. It's been a long time since I last used MD extensively, so I've got it installed in VBox and am playing about with it, trying to jog my memory. The rules you've applied to your "Locked Down Apps" folder are fine as long as the individual apps within that folder do not have rules that contradict those of the folder, because those apps' rules take precedence over the folder's. It is all part of the rules processing hierarchy MD uses, working from the bottom (beginning with the "Application Rules - System" rules first). Rules applied to individual applications take precedence over rules applied to the Group folder those applications reside in. Otherwise, your setup may work fine.
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Re: Configuring MD The Easy Way

    Yea true, MD works from the bottom going up. The individual apps inside the locked down folder will only have either "Ignore" or "Permit". If it is permit then the action will be permitted. If it is ignore then it goes up to the locked down folder rules, which is Deny.

    The permit rules are the ones MD created automatically while the individual app was in training mode.
     
  5. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Re: Configuring MD The Easy Way

    Hi arran, how is your approach significantly different from just running MD in silent mode, with all denied actions logged so you can just create a permit rule if you need to? Thx
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Re: Configuring MD The Easy Way

    Because you can't have any apps in training mode while MD is set to silent mode.
     
  7. wat0114

    wat0114 Guest

    Re: Configuring MD The Easy Way

    That should be fine then, as long as the individual app's permit rules don't contradict those of the Group folder's rules.

    To get a better understanding, I did some experimenting and this looks to be correct. If the individual app has "Ask" while MD is in learning mode, it will automatically get changed to "Permit" if that particular action is attempted by the app.
     
    Last edited by a moderator: Sep 6, 2009
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Re: Configuring MD The Easy Way

    I have to play around with this, but another excellent concept from Arran for sure.

    Thanks so much,


    Pete
     
  9. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Re: Configuring MD The Easy Way

    :thumb: Will try this setup out~!
     
  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Re: Configuring MD The Easy Way

    To tidy up my main default app training mode list, I also create another folder called security apps with all permissions set to permit, and move all my security programs in there. Less work for MD to do because permit rules won't be automatically created for each security app; all actions will automatically be permitted so that each security app can perform properly with no conflict issues.
     

    Last edited: Sep 6, 2009
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Re: Configuring MD The Easy Way

    Hi Arran

    Are you saying you can give the folder all permissions, and then whatever you put there, inherits those permissions?

    Pete
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Re: Configuring MD The Easy Way


    Yes, whatever app inside a folder inherits the folder permissions, PROVIDING each individual app's rules are set to Ignore. If any individual apps have ask rules on them then they will not inherit the folder permissions.
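    A small model of the rule-resolution order described in posts 3, 4, 7 and 12, added here as an illustration (it is not Malware Defender's own code, and the class names, action names, sample apps and the final fallback to "Ask" when neither the app nor its folder has a rule are assumptions). It shows the three behaviours the thread relies on: a per-app rule beats the folder rule, an "Ignore" at the app level inherits the folder's verdict, and in learning mode an "Ask" becomes a stored per-app "Permit" that survives a later move into a deny-everything folder.

```python
# Toy model of the group-based HIPS rule hierarchy discussed in this thread.
# Added illustration, not Malware Defender's code; names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List

IGNORE, PERMIT, DENY, ASK = "Ignore", "Permit", "Deny", "Ask"


@dataclass
class Group:
    """An application group folder with one rule per action."""
    name: str
    rules: Dict[str, str]


@dataclass
class App:
    """An application inside a group; per-app rules default to Ignore."""
    name: str
    group: Group
    rules: Dict[str, str] = field(default_factory=dict)


@dataclass
class Hips:
    """The engine: learning mode on/off and a log of denied actions."""
    learning_mode: bool = False
    log: List[str] = field(default_factory=list)

    def resolve(self, app: App, action: str) -> str:
        # 1. The app's own rule wins over anything its folder says.
        verdict = app.rules.get(action, IGNORE)
        # 2. Ignore means "no opinion": inherit the folder's rule.
        if verdict == IGNORE:
            verdict = app.group.rules.get(action, IGNORE)
        # 3. No rule anywhere: assume the engine would prompt (assumption).
        if verdict == IGNORE:
            verdict = ASK
        # 4. Learning mode turns an Ask into a stored per-app Permit rule;
        #    that stored rule is what later survives a move to a Deny folder.
        if verdict == ASK and self.learning_mode:
            app.rules[action] = PERMIT
            verdict = PERMIT
        # 5. Denied actions are logged (the "log all denied actions" tick box).
        if verdict == DENY:
            self.log.append(f"{app.group.name}: denied {action} for {app.name}")
        return verdict

    def move(self, app: App, group: Group) -> None:
        """Move an app to another folder; its own rules travel with it."""
        app.group = group


def walkthrough() -> dict:
    """Replay the thread's workflow on constructed sample apps and actions."""
    actions = ["create_process", "write_registry", "outbound_connect"]
    default = Group("Default Applications", {a: ASK for a in actions})
    locked = Group("Locked Down Apps", {a: DENY for a in actions})
    security = Group("Security Apps", {a: PERMIT for a in actions})

    hips = Hips(learning_mode=True)
    editor = App("editor.exe", default)      # constructed sample app
    scanner = App("scanner.exe", security)   # constructed sample app

    # Training period: the editor only ever writes the registry.
    trained = hips.resolve(editor, "write_registry")
    # A security app is permitted by its folder, so nothing is learned for it.
    hips.resolve(scanner, "create_process")

    # Lock the editor down: the learned Permit stays, everything else denies.
    hips.move(editor, locked)
    after = {a: hips.resolve(editor, a) for a in actions}
    return {
        "trained": trained,
        "editor_rules": dict(editor.rules),
        "scanner_rules": dict(scanner.rules),
        "locked": after,
        "log": list(hips.log),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

    An app that carries an explicit "Ask" rule with learning mode off is returned as "Ask" by `resolve`, which is the case wat0114 and arran flag: such an app does not inherit the folder's Deny, so it must be trained (or set back to Ignore) before it is moved.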
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Re: Configuring MD The Easy Way

    Hmm. I am slowly beginning to realize just how powerful this is. Wow.

    Pete
     
  14. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Re: Configuring MD The Easy Way

    Too powerful in fact, I got lost on step 3 and couldn't even create a folder called "Locked Down Apps" or "Security Apps" and had to reset everything lol.

    I don't think I could ever use this for protection; even after 3 months these rules etc. are all well beyond me. But.. if you work out how to use it, I don't think much would come close in terms of protection.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Hi Arran

    Another question. My trusted folder has all the permissions allowed, which of course makes sense. I am sure most of the programs contained in it have rules, which is fine.

    Now I am going to install a new piece of software which comes from a trusted source and is completely trusted.

    A) If I can run the installer in the trusted folder, would that eliminate the pop-ups of installing, and B) how would I do that? Didn't see an easy way off hand.

    Thanks,

    Pete

    PS, this thread has been added to the sticky recommendations.
     
  16. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Wow, so cool.

    In my opinion, using learning mode and running all applications once, then letting MD establish rules, finally modifying them. In this way, we can set the right rule for each application. But this way is so cockamamie. Your approach is to set some groups, and put similar applications into those groups. It is good :), thank you.
     
  17. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    @peter

    I did try to install fresh software to the "all permit" group but pop ups appear. Let's ask arran this, maybe there is a way :D

    My question is the same as Peter's. Can you make a new software install without any popups? Also without disabling MD, that's the point.

    cheers
     
  18. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    In my mind, MD doesn't have a mode which is like Comodo's installing mode.
     
  19. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    @arran

    Nice post you made. I got something to add maybe: you can add this rule to the "lock down apps" of yours, because without it, outbound communication can be done without your knowing.
    Also another remark: in "lock apps" you can't add your browser (Firefox crashes in my case). Actually I don't think using the "lock folder" method is good; only using "security apps" and letting all "permit" is wise.

    cheers
     

  20. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    I've been waiting for a good ruleset to be designed.
    Time to install MD on my Win 7 box. Btw, is there a method
    to lock down all access to the internet and allow only select apps,
    or is that something that already exists?
     
  21. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell

    Look at my comment above your post, it's the key for doing it :)

    Move all applications you trust to "trusted application" and edit it; add the line in the picture and all set ;)
     

    Last edited: Sep 7, 2009
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Well, the programs in it wouldn't need their own rules because, remember, they inherit the folder rules if all the programs' rules are set to ignore.

    If you used my strategy of always leaving MD in training mode there wouldn't be any pop ups; there are never any pop ups while MD is in training mode.

    PS remember how I was saying before about creating a folder called security apps? You can actually instead just rename the trusted app folder.

    But for argument's sake, if you had MD in normal mode, yes you can install from in the trusted folder and no there would not be any pop ups because all the rules are set to permit. Here are 3 screenies in 3 steps of how to get an installer in the trusted app folder.

    EDIT POST: my bad, you do still get pop ups while MD is in normal mode. I can't see any way to avoid installation pop ups, unless you apply my strategy and leave MD in learning mode.

    Let's say I want to install CCleaner for example.
     

    Attached Files: st1.JPG, st2.JPG, step3.JPG
    Last edited: Sep 7, 2009
  23. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Hey Arran,

    I installed MD and set up the application groups and rules.
    Should I stay in learning mode or just start moving the apps
    into the right categories?
     
  24. wat0114

    wat0114 Guest

    I agree. Experimenting in VBox there was no way to avoid pop-ups when installing something, even when I chose to place the setup.exe and subsequent application executable in the Trusted folder. As you mention, Training mode will work, but that unfortunately creates a ton of unnecessary rules that need to be cleaned up later. However, I think selecting the option "Delete Stale rules" later on might help purge at least most of those rules. If MD ever gets an "Installation mode" feature, it will be perfect.
     
    Last edited by a moderator: Sep 7, 2009
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Yes I know about that, I was going to add this in later. I was trying to explain to people just 1 step at a time so that everyone would first get the general idea of training apps up first and then putting them in the lock down folder.
    For network rules, like the screenies below, add these rules in. While the app is in training mode, like all the other rules, MD will automatically create the needed permit network rules.

    n1.JPG
    n2.JPG

    There should be no reason why it would crash. Did you train up Firefox first before you moved it into the locked down folder??

    Yes, you have a basic understanding of it: you are slowly locking down each app 1 by 1 instead of having to keep on switching in and out of learning mode. You can install new apps and have them in training while at the same time having other apps permanently locked down.
     