Malware Defender 2.2.0 beta

Discussion in 'other anti-malware software' started by xiaolin, May 13, 2009.

Thread Status:
Not open for further replies.
  1. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b1.exe

    what's new?
    - Added protection against accessing Service Control Manager.
    - Added protection against loading dynamic link libraries.
    - Added protection against accessing COM interfaces.
    - Added protection against setting hidden attribute of file or folder.
    - Added support for searching permission and comment of rules.
    - Added support for managing multiple rule files.
    - Added support for Windows 7 rc.
    - Separated "duplicate handle" permission from "access memory of other processes".
    - Improved performance when handling file reading actions.
    - Minor improvements and fixes.

    1) Since new protections are added, it's recommended to restart system in learning mode after upgrade.

    2) A user mode hook module (mdhook.dll) is added in this release to detect accessing SCM, loading DLL and accessing COM interface. The hook module will be loaded in all processes. If you find any compatible programs please tell me.

    Thanks for testing.

    Xiaolin
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks xiolin,it is working fine here;) i followed your advise:)
     
  3. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Most VMware ThinApp applications are not compatible with latest Beta. For applications such as Media Player Classic; DSOUND.dll will not be found, regardless of permissions throughout MD. Exiting MD is the only option.
    It would seem that MD cannot handle ThinApp's internal virtualized routines of loading Dynamic Link libraries.
     
  4. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Where can I find a VMware ThinApp application for testing?

    Thanks :)
     
  5. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Below is a link to Media Player Classic(open Source). Media Player Classic has been wrapped by me with a demo version of ThinApp.

    http://www.speedyshare.com/582958945.html

    Test MPC with MD beta running, then without!
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The beta runs great!
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Why user mode? Will it not decrease the security?

    Thanks
     
  8. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    I will test it. Thx :)
     
  9. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    The new protections (accessing SCM, loading DLL and accessing COM interface) can not be implemented in kernel. And user mode hooks are unavoidable when making x64 version of MD, since kernel hooks are not allowed in 64-bit Windows.

    Malware may try to restore user mode hooks in current process, but I will add the ability to protect hooks installed by MD.
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Really? For x32 Windows it's all possible. At least dll module loading detection is possible to implement at kernel level with API provided by MS.
     
  11. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    I keep getting these application error after installing 2.2.0 beta.

    I have no issue when using 2.1.1.
     

    Attached Files:

  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    when you install the new beta 2.2 in learning mode?
     
  13. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Thanks for the bug report. I will fix it. :)
     
  14. spidey

    spidey Guest

    I was getting the same errors. I wasn't having any luck getting learning mode to create rules. I created rules manually to allow each process access to it's own memory which eliminated the errors.

    Here's a screenshot of a typical rule (in this case, for Excel):
    http://i39.tinypic.com/2ezlhk4.jpg
     
  15. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Many other security software (such as jetico) will install hooks at same position as MD's hooks. In next beta release, I will remove the alert of accessing own memory, and add global file rules to protect MD's hooks (more secure). But you still have to create PERMIT rules if you are using MD with jetico.
     
  16. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Yes, it was installed in learning mode.
     
  17. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    No problem. :)
     
  18. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Malware Defender 2.2.0 beta2 is released.

    The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b2.exe

    what's new since beta1?
    - Fixed a bug when searching rule permissions.
    - Fixed a bug that the application rule dialog cannot be displayed properly on low resolution screen.
    - Fixed bugs in mdhook.dll.
    - Added dwm.exe to system application rule list on Windows Vista or above.
    - Changed the method for protecting hooks installed by MD. MD will not restrict accessing own memory of processes, but use new global file rules to restrict reading related dlls.

    NOTE:
    If you upgrade MD from old versions, please import the following rule file. (Rule menu -> Import)
    http://www.torchsoft.com/download/Read-Restricted_Files.dat

    It's recommended to restart system in learning mode after upgrade.
     
  19. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Xiaolin,

    MD 2.2.0 beta 2 breaks Sandboxie 3.37.10 (beta) on Vista SP2. It is not possible to invoke a sandboxed app unless I disable MD.
     
  20. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Hi, I tested but did not find the problem. Could you try to use learning mode when invoking a sandboxed app?

    Thanks,
    Xiaolin
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I did not reboot as recommended. Sandboxed apps work as expected after rebooting. Sorry for the false alarm.
     
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I like it when there is competition when Vendors Pull up and correct other Vendors, Not because I like watching Flame wars if it turn out to be flame war, But because the end Result is it Produces better Security for us with having really good products. And still waiting for xiaolin to make a reply. I run
    Defense wall and Malware Defender So guys just make sure they will always run together smoothly with no conflicts.
     
  23. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Yes, I should not say "can not be implemented in kernel", there are possibilities. But I choose to implemented these functions in user mode. I think it's the right decision.
     
  24. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Malware Defender 2.2.0 beta3 is released.

    The beta version is available for download at http://www.torchsoft.com/download/md_setup_2.2.0_b3.exe

    what's new since beta2?
    - Fixed a bug that some applications cannot start when MD is running.
    - Fixed a bug that the COM interface rules of * application rule cannot be deleted.

    NOTE:
    If you upgrade MD from v2.2.0 beta1 or before, please import the following rule file. (Rule menu -> Import) http://www.torchsoft.com/download/Read-Restricted_Files.dat

    It's recommended to restart system after upgrade (not necessary in learning mode).

    Thanks,
    Xiaolin
     
  25. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I have been thinking of trying MD and have a few questions. I am currently using KAV, Ouptpost Firewall and Prevx 3.0 (all paid/latest versions). I am now also using Ghost Security (AppDefend/RegDefend) & DiamondCS WormGuard. MD would replace these two HIPS programs.

    Is there any known conflicts with MD and KAV, Outpost or Prevx (or other security programs)? Is MD compatible with Vista or Windows 7? I am currently using XP home SP3.

    Are the default rules good protection? Also do you have to disable it to install new software. I occasionally screwed up some installs when I was using ProcessGuard. Ghost Security did not have any issues with software installation other than a lot of pop ups if you didn't disable protection first.

    Is MD as easy to use as Ghost Security and does it have a light footprint? Is there any user manual available?
     
    Last edited: May 19, 2009
Loading...
Thread Status:
Not open for further replies.