Configuring Malware Defender The Easy Way

Discussion in 'other anti-malware software' started by arran, Sep 6, 2009.

Thread Status:
Not open for further replies.
  1. arran (Registered Member; joined Feb 5, 2008; posts: 1,156)

    Firefox needs internet access and I don't want to move FF inside the trusted folder. My post above is a better method.

    Move them when you feel each app has had enough time in training mode; everybody has to use their own judgement as to when they get moved into the locked-down folder. If any app in the locked-down folder isn't working properly you can either move it back to the training folder or, the better way, look at MD's logs, see any denied actions, right-click the denied action in the logs and select "create permit rule".

    I forgot to mention before that using the trusted folder to install apps does, however, REDUCE the number of pop-ups.

    Later on I am going to test and see how well the "Delete Stale rules" purge does at cleaning out the install rules.
     
  2. wat0114 (Guest)

    Absolutely, by more than half I'd say.

    Thank you! I may give that a try too, time permitting.
     
  3. arran (Registered Member; joined Feb 5, 2008; posts: 1,156)

    What it is, is this: you will always get one pop-up, the first, which asks if explorer.exe can create a new process. After this first pop-up, for most installers (or a lot of installers) there won't be any more pop-ups, because when installing they normally only write to the registry and file system, and those rules are already set to permit. What causes the other pop-ups is that some installers, during the install process, do things like creating new executables which need executing, or call up system services to create new start-ups. This is particularly common when installers install things like drivers.
     
  4. demoneye (Registered Member; joined Dec 30, 2007; posts: 1,356; location: ISRHell)

    arran, are you sure you mean folder, not GROUP? According to the facts and your pics it's a secure group :D
     
  5. demoneye (Registered Member; joined Dec 30, 2007; posts: 1,356; location: ISRHell)

    This one is for all MD users. I used "learn mode" for 5 minutes, and in this time I did all the actions I usually do, like opening winword, running firefox, saving a doc, running all the installed software in here, and then I "imported" the rules to a safe place and set MD back to "normal mode". When MD pops up again for any action I use that I missed, I just handle the pop-up window. You will get far fewer pop-ups this way :).
    Also... in this way YOU EXPOSE your system for the minimum time without protection, unlike the bad idea of some MD users to "leave learn mode for a couple of days", which is stupid.

    cheers :)
     
  6. aegreen (Registered Member; joined Sep 8, 2009; posts: 12)

    Not sure that this really works. When I move applications to a group it resets all permissions to ignore. This is how it's supposed to work, as a group is really a permissions template. If applications retained their own settings it would defeat the object of groups. Also, how would this handle exceptions that have been placed in the various tabs?

    Isn't it better just to set all permissions in an application to deny after a period of learning? That way you retain all the exceptions and the program will work, but any attempt to create a new rule will be denied (would have to check that new exceptions can't be created).
     
  7. cqpreson (Registered Member; joined May 18, 2009; posts: 348; location: China)

    I guess what he means is creating a folder on the computer and then configuring a special rule in MD to give this folder privilege. Finally, installing some security apps into this folder. In this way, we can't avoid many prompts.

    But in my opinion, this approach will not be so secure, because if an installer contains a virus and puts this virus into the folder, maybe it is a little dangerous, and if the virus runs we can only see it run without any opinion :p.
     
  8. Onur (Registered Member; joined Aug 25, 2009; posts: 25)

    @arran: Thanks for this config. ;)
     
  9. wat0114 (Guest)

    No, he's created a Group folder from within MD: Right-click on an existing Group folder -> Manage Group... -> New Group -> Edit Group, type in a Group Name -> Ok
     
  10. demoneye (Registered Member; joined Dec 30, 2007; posts: 1,356; location: ISRHell)

    Also, I found something important that can be applied to the MD configuration.
    I disabled MD "network protection" and added Comodo FW only (HIPS disabled).
    There is more than one reason I do that: Comodo firewall is more powerful than MD's outbound-only protection, and also when you install new software (MD in learn mode, of course) the software gains free access to the network and you can't know what it is doing; here Comodo will pick up any address/port the software tries to reach.
    This tip "costs" nothing since Comodo is free :)

    cheers
     
  11. 1boss1 (Registered Member; joined Jun 26, 2009; posts: 401; location: Australia)

    That's the part I don't understand. I created a new group folder called "Internet Blocked" where I want to put programs that can do anything locally except access the internet.

    But the group folder doesn't appear on the main rules page, nor can I right-click an application and move it to this group. I even put a test application called "Color Schemer Studio" in that group manually, but on the main rules page both the folder and the application don't exist.

    new-group.png

    The way the rules work just doesn't make sense to me; surely there must be something I'm missing. o_O
     
  12. demoneye (Registered Member; joined Dec 30, 2007; posts: 1,356; location: ISRHell)

    You must add a rule to the group in order to see it in the list.

    cheers
     
  13. wat0114 (Guest)

    Right, and that can be done as:

    Right-click on any application or Group folder ->New Rule ->Application Rule ->click: Select an application group radio button -> from the drop-down arrow find and select the Group folder you created ->Ok

    I don't know why this has to be done, but that's how it's designed.

    Indeed, it's important to understand the rules processing order of MD. I created a thread back in February here which can hopefully help. Also, Kees1958 created an excellent found here. Along with Arran's advice there should be enough to get you going in the right direction :)
     
    Last edited by a moderator: Sep 8, 2009
  14. demoneye (Registered Member; joined Dec 30, 2007; posts: 1,356; location: ISRHell)

    Right ;)
     
  15. 1boss1 (Registered Member; joined Jun 26, 2009; posts: 401; location: Australia)

    Ahhhh HUH!

    Thank you, thank you, now this is starting to make some sense! Got it, made a "Blocked Internet" group and blocked internet, drivers and shutdown. I trust these applications, but they have no real reason to perform these actions.

    Tested the applications and got no pop-ups, but as soon as I tried to perform one of the three blocked actions MD gave me an alert (which is what I want). So it's working perfectly. :thumb:

    Great thread, arran, MD has been gathering dust just waiting for a thread like this. I will go check out the other 2 threads now this is making sense.
     
  16. wat0114 (Guest)

    Great to see you're getting the hang of it :thumb:

    It is great that arran started this thread. I'm just getting reacquainted again with MD after about a 4 month hiatus ;)
     
  17. arran (Registered Member; joined Feb 5, 2008; posts: 1,156)

    Folder and group are the same thing. Going into a different folder = going into a different group.

    When applications come onto MD's list they get given default ignore settings. When in training mode MD automatically creates permit rules on each application. When each app has finished its training time, move it into the locked-down folder group. The permissions on the app do not all get reset to ignore; the permit rules created while the app was in training stay there.

    Yes, you can set all other permissions on each app to deny instead of moving it into the locked-down folder group, but it involves a lot more time-consuming work.

    Xiaolin has admitted before that MD doesn't filter outgoing low-level packets. While it isn't in my sig yet, I am using Kerio 2.15 to filter low-level packets.
     
  18. arran (Registered Member; joined Feb 5, 2008; posts: 1,156)

    LOCKING DOWN THE REGISTRY

    Just like doing the network rules I explained before, create these rules as shown below.

    r1.JPG
    r2.JPG

    As per normal, MD will automatically create the needed permit rules in each individual app. After each app has finished its training mode, put it back into the locked-down folder group.

    IMPORTANT TIPS

    1. Because we have now asked MD to make registry rules for each app in training, this place is no longer suitable for trusted installers to run. When trusted installers are running they are writing to the registry in a whole lot of places all at once; this will cause high CPU usage and system slow-down. So I just move my trusted installers into the security apps folder group, where all permissions are set to permit.

    2. By creating registry rules for each app in training, there will also be registry rules created for each system application down below. explorer.exe will create millions of permit rules; explorer.exe is always writing to the registry here, there and everywhere, it's mind-boggling. Let's not go there. So to stop MD creating rules for explorer, create a rule as shown below in my screenie.
    And if you don't want MD to create permit rules for other system apps, do the same thing in each app.

    To lock down the system apps' registry rules after they have finished training, simply create a deny rule at the top of the list in each app.

    r3.JPG

    3. Before you move your apps back into the locked-down folder group you can tidy up the rules. Like in the screenie below, you will notice that all the reg keys have the same extension or are in the same place. This is another good reason to be running all your apps inside Sandboxie, because it makes life a whole lot easier when tidying up reg key rules. To tidy up this mess, create a rule like I have at the top where the arrow is and delete all the rules underneath it.

    r4.JPG
     
  19. arran (Registered Member; joined Feb 5, 2008; posts: 1,156)

    PROTECT THIS APPLICATION FROM BEING ACCESSED BY OTHER PROCESSES

    So how many people click this box for each app? I can imagine a lot of people would, because it sounds like a good thing to do. But is it really a good thing to do? No, not always. If you have other security software installed it can cause conflicts, because this setting can block your other security software from doing its job properly. Once upon a time I had DefenseWall running alongside MD, and I had this setting on each app, and it showed up in MD's log that it was blocking DefenseWall from accessing the app. So if you have other security software, best not to apply this setting. I only apply the protection for security software.
     
  20. Scoobs72 (Registered Member; joined Jul 16, 2007; posts: 1,113; location: Sofa (left side))
    When you need to install new software if you disable File, Registry and Application protection, but leave Network protection enabled, MD will let the program install, but will alert to any attempts to connect to the network. So you don't have to lose total control over applications when you install them. At least this is how it appears to have worked on the installs I have tried :)
     
  21. arran (Registered Member; joined Feb 5, 2008; posts: 1,156)

    From the other thread, about the recent discussion of explorer.exe file rules, I decided to show how easy it is to make a near 100 percent bullet-proof rule set.

    e1.JPG

    With the "ASK" rule at the top, in learning mode MD automatically creates a whitelist of places that explorer.exe is able to write to. There are actually not many places that explorer normally writes to. To lock down explorer's file rules later on, simply change the rule at the top from "ASK" to "DENY". I also have protection in for my other partitions "i", "f" and "e" so explorer can't write to them.
     
  22. aegreen (Registered Member; joined Sep 8, 2009; posts: 12)

    Thanks for your answer, arran. I'll have to try it again. Having said that, is it really a good idea to leave it in learning mode? It's very easy to get infected just by having an open internet connection if your firewall fails. Try going on-line with no firewall for half an hour and see what happens. In my experience it's surprisingly easy to pick up an infection that way.

    Also, if Malware Defender doesn't set things to ignore when you put them in a group, isn't this a design fault? What if you allowed a few things, then decided it looked dodgy, so you put it in blocked applications? If the permissions are not reset you'd have some allow rules. I think you'll find something like Comodo would block everything if you made it an isolated app.
     
    Last edited: Sep 11, 2009
  23. curious george (Registered Member; joined Jun 24, 2007; posts: 218)

    I followed the steps as directed, but once I launch an app, it's denied.

    MD SEES the app within, let's say, the "trusted" folder, but denies it anyway...

    Thoughts?
     
  24. inka (Registered Member; joined Oct 21, 2009; posts: 426)

    Visit the MalwareDefender "Logs" tab. Right-click the entry for the event in which your app launch was denied and choose "Jump to Rule". This will display the "Rules" tab and will highlight the relevant rule. Double-click the rule to examine its details and find/change the "Deny".

    If you don't see an entry logged for the event, right-click the MD tray icon -> Options -> Logs and checkmark "Log all denied actions", then retry the launch and recheck the Logs tab.
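A small log-triage helper, added here as an illustration; it is not part of any post in this thread and not Malware Defender's own code. It models the workflow arran (post 1) and inka (post 24) describe: look at the denied actions in the log and turn the ones you trust into permit rules. The "|"-separated line format, the sample paths and the list of sensitive targets are all assumptions invented for the example; Malware Defender's real log format is not shown on this page. Denials that touch drivers or autostart registry keys, the kinds of actions arran and demoneye name as the usual source of extra prompts, are marked for review instead of being suggested as one-click permits.

```python
"""Triage a HIPS "denied actions" log and draft permit rules (constructed example).

The log format is a stand-in invented for this example, not Malware
Defender's real log format. One event per line, five '|'-separated fields:
    timestamp|verdict|application path|category|target
"""
from collections import Counter
import re

# Constructed sample log, modelled on the events the thread talks about:
# an app blocked by an "Internet Blocked"-style rule, explorer.exe denied
# when starting a program, and an installer touching start-up keys/drivers.
SAMPLE_LOG = """\
2009-09-08 10:15:02|denied|C:\\Program Files\\Mozilla Firefox\\firefox.exe|network|connect 203.0.113.5:443
2009-09-08 10:15:03|denied|C:\\Program Files\\Mozilla Firefox\\firefox.exe|network|connect 203.0.113.5:443
2009-09-08 10:16:10|denied|C:\\Windows\\explorer.exe|process|create C:\\Tools\\ColorSchemer\\cschemer.exe
2009-09-08 10:17:44|permitted|C:\\Windows\\explorer.exe|file|write C:\\Users\\me\\Desktop\\notes.txt
2009-09-08 10:18:01|denied|C:\\Tools\\setup.exe|registry|write HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\setup
2009-09-08 10:18:02|denied|C:\\Tools\\setup.exe|file|write C:\\Windows\\System32\\drivers\\setup.sys
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<verdict>[^|]+)\|(?P<app>[^|]+)\|(?P<category>[^|]+)\|(?P<target>.+)$"
)

# Targets the thread singles out as the usual source of extra prompts
# (new start-up entries, drivers). A denial here gets a human look, not a
# one-click permit rule. The patterns are assumptions chosen for this example.
SENSITIVE_PATTERNS = [
    re.compile(r"\\CurrentVersion\\Run", re.I),   # autostart registry keys
    re.compile(r"\\System32\\drivers\\", re.I),   # kernel driver files
]


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def denied_by_app(events):
    """Count denied actions per (application, category, target)."""
    return Counter(
        (e["app"], e["category"], e["target"])
        for e in events
        if e["verdict"] == "denied"
    )


def is_sensitive(target):
    """True when the target matches one of the review-worthy patterns."""
    return any(p.search(target) for p in SENSITIVE_PATTERNS)


def suggest_permit_rules(events):
    """Mirror the "right-click the denied action -> create permit rule" step.

    Returns one candidate per distinct denial, sorted by application, with
    action "permit" for routine targets and "review" for sensitive ones.
    """
    suggestions = []
    for (app, category, target), count in sorted(denied_by_app(events).items()):
        suggestions.append({
            "app": app,
            "category": category,
            "target": target,
            "count": count,
            "action": "review" if is_sensitive(target) else "permit",
        })
    return suggestions


if __name__ == "__main__":
    for s in suggest_permit_rules(parse_log(SAMPLE_LOG)):
        print(f"{s['action']:6} x{s['count']}  {s['app']}  {s['category']}: {s['target']}")
```

Run as a script it prints four candidates: the repeated Firefox connection and explorer.exe's process creation come out as "permit" candidates, while the installer's start-up key and driver-file writes come out as "review", which is the distinction the thread draws between routine pop-ups and the ones worth stopping to think about.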
     
  25. curious george (Registered Member; joined Jun 24, 2007; posts: 218)

    Explorer.exe is what's denying the app from launching...

    But it's set to permit in the application settings... hum.
     