Malware Defender 2.4.1 beta

The beta version is available for download at
http://www.torchsoft.com/download/md_setup_2.4.1_b3.exe

what's new?
- Added protection against killing processes by terminating job object.
- Added support for verifying file signature of process modules in background.
- Added support for managing registry, shutdown and lego notify routines.
- Fixed a bug when handling relative path.
- Fixed a bug when displaying application rule dialog on low resolution screen.
- Fixed a bug that cannot log denied actions when accessing protected processes.
- Fixed a bug when scanning kernel DPC timers.
- Fixed bugs in the hex file viewer.

Thanks for testing.

 

Thanks Xiaolin.

 

Just tried it. There is bug with the tray icon (remains gray like disabled protection) so I reverted back to 2.4

Thanks for keep updating though.

 

Thanks xiaolin

 

Running great here. Thanks Xiaolin!

 

Upgraded and running well for me on XP, Vista, and 7. Thanks Xiaolin.

 

Excellent job.

Thanks.

 

Thanks xiaolin will download and give it a spin, your beta's have always been very stable for me.

PS. Any news on "Replace Regedit" for Registry Workshop?

 

I can't find a solution yet.

 

This post is both a bug report and a feature request.

I wish MD provided more flexibility in establishing "logging" settings, at least to the extent that it could be set to copy the current logfile, when full, to incrementally-named (mdlog2.txt) backup files. Currently, it maintains a single fixed-size logfile and scrolls off (discards) the oldest lines of logged data.

Bug: After I edited MD's logfile (yes, it was protected, I had to disable protection to perform the edit)... when I restarted MD's realtime protection, my system (WinXP SP3) became unstable. The misbehavior persisted, across reboots. Uninstalling and reinstalling MD "fixed" the misbehavior... but I found it difficult to believe that MD would be so brittle as to choke due to "lack of logfile integrity". So, I again edited the logfile & verified that the problem immediately returned when MD's realtime protection was re-enabled.

Okay, I've learned it's necessary to COPY the logfile & perform edits on the copy (to munge data & remove duplicate lines) but still, MD's behavior shouldn't be dependent upon the integrity of its logfile!

related note (feature request):
The "logging" tab within the MD interface seems to present the logfile data in a grid-view container but, sadly, the data isn't sortable (by clicking column headers) or filterable (ala Sysinternals ProcessExplorer).

 

After reading the MD helpfile and searching MD-related discussion threads, I still cannot understand:

What is the the purpose, and the effect, of setting "Ignore" for a given rule?

I would like to have the ability to toggle enable/disable a given rule.
The docs do not mention this, but I discovered that such a toggle does exist -- a rule can be toggled disabled by right-clicking its listing in the "Rules" table ("Status" column) -- so, apparently "Ignore" is a separate consideration.

================

After trialing MD for 14 days, I would like to say that it provides EXCELLENT granular control... but instead, I must say that my usage has suffered from MD's inability to permit NEGATED rules. Example:

I certainly do not want a popup at every outbound (destination port 53) attempt. However, I *do* want a popup if any process requests a DNS lookup from an IP which isn't among my known/trusted DNS providers.
-=-
Actually, I have disabled the Win-native DNS caching client & proxy DNS requests through DNSKong

Similarly, I want every HOSTS file access to be logged by MD (and saved for my future examination, not scrolled off the top), every access EXCEPT those by proxomitron and/or other hand-picked apps. However, the "file access" rule(s) apparently take priority over the application-specific logging settings. As a result, the logfile is continually full of junk (uninteresting) entries.

 

The MD interface presents rules in an apparent "treeview".
The term "group" in the MD docs suggests inheritence.
-=-
I have read (and am stymied by) documentation stating something like "a newly-created (still empty) custom group will not be displayed in the rules pane"... because I fail to see custom groups included in the display even after one/several applications have been subjected to (right-click) "Move to Group>"

I have also read (within one of the Wilders threads) a statement something like "a group is actually a rule"

At some point, I stumbled across a context menu "Copy Rule" command. This would suffice (vs creating pseudo "group" membership assignment) but, darnit, the "Copy Rule" command seems to be missing every time (in every context) where I've thought it would be useful. Only network rules can be copied? Only application rules can be copied?

==========================

I want the permissions for every newly-created application rule to contain "Ask" across the board, and I haven't been able to figure out how to achieve this. (Yep, this causes the HIPS to be excessively "noisy"; I'm using the HIPS as a learning tool toward understanding and tracing process interactions.)

From the outset, I have used normal mode, NOT learning mode.
From the outset, I have not altered the default permission settings for the base (asterisk) application rule. Across-the-board, permissions are set to "Ask".
However, when each application is first seen (by MD) and a generates a popup, regardless what (granular) response I elected in the popup... when I return to the "Rules tab" and view the properties pane for each newly-added application rule, I find across-the-board permissions in the application-specific rule are set to "Ignore".

 

Why don't you create global network rules for your DNS servers?
Like outpound/UDP/DNS address/remote port 53/allow.

This way you will only see a prompt for port 53 if an application tries to use a different server.


But I have also a question related to the network protection.
I currently use MD and Windows 7 Firewall together without problems.
But is this recommended?

Windows 7 Firewall supports IPv6 which seems to be not supported by MD, but I'm not quite sure.

Also ICMP appear as RAW IP with MD, which is also a bit unusual for me.

If I create rules for MD and the Windows 7 Firewall, will they coexist in peace?

Cheers

 

That's ok xiaolin, no need to worry over it to much. I have searched also, but not found any solution. I tried replacing all references to regedit.exe found in the registry and pointed them to RegWorkshop.exe with various arguments like "%1" and /g rebooting after each and no luck.

It must be some API thing, because everything still calls the native regedit.

2.4.1 b3 is going excellent also, thanks.

 

I cannot reproduce any "choking" on XP SP3 when, first, editing the log file while MD is disabled, and then re-enabling MD. The logging to file continues as expected despite the edits. I see no immediate instability and none after subsequent reboots.

On Vista SP2, however, I find that after editing the log file while MD is disabled, MD, when enabled again, no longer writes to mdlog.txt. As with XP, I see no subsequent evidence of instability on Vista.

I do strongly support your feature request for log archiving.

 

Thanks for checking, Nick.
After uninstalling/reinstalling MD, I retested.
Editing the logfile while protection is disabled, then re-enabling protection now seems to have a single side-effect -- any lines above the point of edit are not displayed in the MD "Log" tab. I checked across reboots; the logfile continues to grow, but those initial (before the point of edit) lines are never displayed in the "Log" tab.

This time 'round, "mdlog2.txt" is absent from the MD install directory. Perhaps that had been created when I installed the latest version of MD (into the existing directory).

=============================

ipdatabase.dat
I am not seeing any indication that MD is actually performing IP-to-country lookups.
Perhaps the feature is not yet active in this beta version?

 

xiaolin you said before you would look into my request of adding an option in the log settings, to add an option to make MD only log Denied actions, can you do this?

 

MD parse each line of the log file when starting. If the data of a line have some problems, the line will be discard.

 

"Ignore" means continuing to search for lower priority rules. For a file rule, you can set "Read" permission to "Ignore", but set Write/Create/Delete permissions to "Deny".

 

MD does not support IPV6 yet. You can use MD with the Windows 7 firewall.

 

I have added an option to log all denied actions, but not ONLY denied actions.

 

yes but can you add an option for "ONLY denied actions" as well ?

 

There is no space in the options dialog for additional log option. If I add this option, I need to redesign the options dialog in 8 languages. So I decide not to change it unless more peoples request this feature.

 

Malware Defender 2.4.1 final is released

English version: http://www.torchsoft.com/download/md_setup.exe
French version: http://www.torchsoft.com/download/md_setup_fra.exe
German version: http://www.torchsoft.com/download/md_setup_deu.exe
Italian version: http://www.torchsoft.com/download/md_setup_ita.exe
Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
Russian version: http://www.torchsoft.com/download/md_setup_rus.exe

What's new?
- Added protection against killing processes by terminating job object.
- Added support for verifying file signature of process modules in background.
- Added support for managing registry, shutdown and lego notify routines.
- Fixed a bug when handling relative path.
- Fixed a bug when displaying application rule dialog on low resolution screen.
- Fixed a bug that cannot log denied actions when accessing protected processes.
- Fixed a bug that may cause deadlock.
- Fixed a bug when scanning kernel DPC timers.
- Fixed bugs in the hex file viewer.

 

Thanks for affirmation.
That makes things easier as there is no need for an additional FW anymore.
At least I hope so.

Upgraded to 2.4.1 without problems and everything is fine.

Cheers