Malware Defender 2.4.1 beta

Discussion in 'other anti-malware software' started by xiaolin, Oct 21, 2009.

Thread Status:
Not open for further replies.
  1. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    The beta version is available for download at
    http://www.torchsoft.com/download/md_setup_2.4.1_b3.exe

    what's new?
    - Added protection against killing processes by terminating job object.
    - Added support for verifying file signature of process modules in background.
    - Added support for managing registry, shutdown and lego notify routines.
    - Fixed a bug when handling relative path.
    - Fixed a bug when displaying application rule dialog on low resolution screen.
    - Fixed a bug that cannot log denied actions when accessing protected processes.
    - Fixed a bug when scanning kernel DPC timers.
    - Fixed bugs in the hex file viewer.

    Thanks for testing. :)
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Thanks Xiaolin.
     
  3. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Just tried it. There is a bug with the tray icon (it remains gray, like disabled protection), so I reverted back to 2.4.

    Thanks for keeping it updated though.
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Thanks xiaolin
     
  5. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Running great here. Thanks Xiaolin!
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Upgraded and running well for me on XP, Vista, and 7. Thanks Xiaolin.
     
  7. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Excellent job.

    Thanks.
     
  8. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Thanks xiaolin, will download and give it a spin; your betas have always been very stable for me.

    PS. Any news on "Replace Regedit" for Registry Workshop?
     
  9. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    I can't find a solution yet. :oops:
     
  10. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    This post is both a bug report and a feature request.

    I wish MD provided more flexibility in establishing "logging" settings, at least to the extent that it could be set to copy the current logfile, when full, to incrementally-named (mdlog2.txt) backup files. Currently, it maintains a single fixed-size logfile and scrolls off (discards) the oldest lines of logged data.

    Bug: After I edited MD's logfile (yes, it was protected, I had to disable protection to perform the edit)... when I restarted MD's realtime protection, my system (WinXP SP3) became unstable. The misbehavior persisted, across reboots. Uninstalling and reinstalling MD "fixed" the misbehavior... but I found it difficult to believe that MD would be so brittle as to choke due to "lack of logfile integrity". So, I again edited the logfile & verified that the problem immediately returned when MD's realtime protection was re-enabled.

    Okay, I've learned it's necessary to COPY the logfile & perform edits on the copy (to munge data & remove duplicate lines) but still, MD's behavior shouldn't be dependent upon the integrity of its logfile!

    related note (feature request):
    The "logging" tab within the MD interface seems to present the logfile data in a grid-view container but, sadly, the data isn't sortable (by clicking column headers) or filterable (à la Sysinternals Process Explorer).
     
  11. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    After reading the MD helpfile and searching MD-related discussion threads, I still cannot understand:

    What is the purpose, and the effect, of setting "Ignore" for a given rule?

    I would like to have the ability to toggle enable/disable a given rule.
    The docs do not mention this, but I discovered that such a toggle does exist -- a rule can be toggled disabled by right-clicking its listing in the "Rules" table ("Status" column) -- so, apparently "Ignore" is a separate consideration.

    ================

    After trialing MD for 14 days, I would like to say that it provides EXCELLENT granular control... but instead, I must say that my usage has suffered from MD's inability to permit NEGATED rules. Example:

    I certainly do not want a popup at every outbound (destination port 53) attempt. However, I *do* want a popup if any process requests a DNS lookup from an IP which isn't among my known/trusted DNS providers.
    -=-
    Actually, I have disabled the Win-native DNS caching client & proxy DNS requests through DNSKong

    Similarly, I want every HOSTS file access to be logged by MD (and saved for my future examination, not scrolled off the top), every access EXCEPT those by proxomitron and/or other hand-picked apps. However, the "file access" rule(s) apparently take priority over the application-specific logging settings. As a result, the logfile is continually full of junk (uninteresting) entries.
     
  12. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    The MD interface presents rules in an apparent "treeview".
    The term "group" in the MD docs suggests inheritance.
    -=-
    I have read (and am stymied by) documentation stating something like "a newly-created (still empty) custom group will not be displayed in the rules pane"... because I fail to see custom groups included in the display even after one/several applications have been subjected to (right-click) "Move to Group>"

    I have also read (within one of the Wilders threads) a statement something like "a group is actually a rule"

    At some point, I stumbled across a context menu "Copy Rule" command. This would suffice (vs creating pseudo "group" membership assignment) but, darnit, the "Copy Rule" command seems to be missing every time (in every context) where I've thought it would be useful. Only network rules can be copied? Only application rules can be copied?

    ==========================

    I want the permissions for every newly-created application rule to contain "Ask" across the board, and I haven't been able to figure out how to achieve this. (Yep, this causes the HIPS to be excessively "noisy"; I'm using the HIPS as a learning tool toward understanding and tracing process interactions.)

    From the outset, I have used normal mode, NOT learning mode.
    From the outset, I have not altered the default permission settings for the base (asterisk) application rule. Across-the-board, permissions are set to "Ask".
    However, when each application is first seen (by MD) and generates a popup, regardless of what (granular) response I elected in the popup... when I return to the "Rules tab" and view the properties pane for each newly-added application rule, I find across-the-board permissions in the application-specific rule are set to "Ignore".
     
  13. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Why don't you create global network rules for your DNS servers?
    Like outbound/UDP/DNS address/remote port 53/allow.

    This way you will only see a prompt for port 53 if an application tries to use a different server.


    But I also have a question related to the network protection.
    I currently use MD and Windows 7 Firewall together without problems.
    But is this recommended?

    Windows 7 Firewall supports IPv6, which seems not to be supported by MD, but I'm not quite sure. :oops:

    Also ICMP appears as RAW IP with MD, which is also a bit unusual for me.

    If I create rules for MD and the Windows 7 Firewall, will they coexist in peace? o_O

    Cheers
     
  14. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    That's ok xiaolin, no need to worry over it too much. I have searched also, but not found any solution. I tried replacing all references to regedit.exe found in the registry and pointed them to RegWorkshop.exe with various arguments like "%1" and /g, rebooting after each, and no luck.

    It must be some API thing, because everything still calls the native regedit.

    2.4.1 b3 is going excellent also, thanks. :)
     
  15. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I cannot reproduce any "choking" on XP SP3 when, first, editing the log file while MD is disabled, and then re-enabling MD. The logging to file continues as expected despite the edits. I see no immediate instability and none after subsequent reboots.

    On Vista SP2, however, I find that after editing the log file while MD is disabled, MD, when enabled again, no longer writes to mdlog.txt. As with XP, I see no subsequent evidence of instability on Vista.

    I do strongly support your feature request for log archiving.
     
  16. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Thanks for checking, Nick.
    After uninstalling/reinstalling MD, I retested.
    Editing the logfile while protection is disabled, then re-enabling protection now seems to have a single side-effect -- any lines above the point of edit are not displayed in the MD "Log" tab. I checked across reboots; the logfile continues to grow, but those initial (before the point of edit) lines are never displayed in the "Log" tab.

    This time 'round, "mdlog2.txt" is absent from the MD install directory. Perhaps that had been created when I installed the latest version of MD (into the existing directory).

    =============================

    ipdatabase.dat
    I am not seeing any indication that MD is actually performing IP-to-country lookups.
    Perhaps the feature is not yet active in this beta version?
     
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    xiaolin you said before you would look into my request of adding an option in the log settings, to add an option to make MD only log Denied actions, can you do this?
     
  18. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    MD parses each line of the log file when starting. If the data of a line has some problem, the line will be discarded.
     
  19. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    "Ignore" means continuing to search for lower priority rules. For a file rule, you can set "Read" permission to "Ignore", but set Write/Create/Delete permissions to "Deny".
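The priority search that this reply describes, and the per-server DNS rules suggested earlier in the thread, as an added example that is not part of any post and not Malware Defender's own code: a toy first-match evaluator in which an "Ignore" verdict for one permission falls through to the next lower-priority rule, while Allow/Deny/Ask stop the search. The rule layout, the glob syntax, the "udp:ip:port" resource notation, the process paths and the resolver addresses are all constructed for the illustration.

```python
"""Toy first-match rule evaluator with an "Ignore" verdict that falls through
to lower-priority rules. Constructed for illustration; the rule syntax, names
and priorities are assumptions, not Malware Defender's own rule format."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List

ALLOW, DENY, ASK, IGNORE = "Allow", "Deny", "Ask", "Ignore"


@dataclass
class Rule:
    name: str
    # Glob over the acting process; "*" stands for the base (any-application) rule.
    process: str
    # Glob over the resource: a file path, or "udp:<ip>:<port>" for network traffic.
    resource: str
    # Per-operation verdicts; an operation missing from the dict counts as Ignore.
    verdicts: Dict[str, str] = field(default_factory=dict)

    def matches(self, process: str, resource: str) -> bool:
        # Lower-cased on both sides so the comparison is case-insensitive
        # on every platform (Windows paths are case-insensitive anyway).
        return (fnmatch(process.lower(), self.process.lower())
                and fnmatch(resource.lower(), self.resource.lower()))


def evaluate(rules: List[Rule], process: str, resource: str, op: str,
             default: str = ASK) -> str:
    """Walk rules from highest to lowest priority (list order). The first
    matching rule whose verdict for `op` is not Ignore decides; Ignore keeps
    searching; if nothing decides, fall back to `default`."""
    for rule in rules:
        if not rule.matches(process, resource):
            continue
        verdict = rule.verdicts.get(op, IGNORE)
        if verdict != IGNORE:
            return verdict
    return default


HOSTS = r"C:\Windows\System32\drivers\etc\hosts"  # constructed path

# File rules: the global hosts-file rule leaves Read to lower-priority rules
# but denies modification outright, so a per-application rule below it can
# still permit reading without ever being able to re-enable writing.
FILE_RULES = [
    Rule("hosts: block modification", "*", HOSTS,
         {"Read": IGNORE, "Write": DENY, "Create": DENY, "Delete": DENY}),
    Rule("proxomitron may read hosts", r"*\proxomitron.exe", HOSTS,
         {"Read": ALLOW}),
    Rule("base rule", "*", "*",
         {"Read": ASK, "Write": ASK, "Create": ASK, "Delete": ASK}),
]

# Network rules in the spirit of the earlier suggestion: allow UDP/53 only to
# the trusted resolvers (constructed documentation addresses) and ask for any
# other destination on port 53.
NET_RULES = [
    Rule("trusted DNS 1", "*", "udp:192.0.2.53:53", {"Outbound": ALLOW}),
    Rule("trusted DNS 2", "*", "udp:198.51.100.53:53", {"Outbound": ALLOW}),
    Rule("any other DNS", "*", "udp:*:53", {"Outbound": ASK}),
]


def demo() -> Dict[str, str]:
    """Verdicts for a few constructed events, keyed by a short description."""
    proxo, unknown = r"C:\Tools\proxomitron.exe", r"C:\Temp\unknown.exe"
    svchost = r"C:\Windows\System32\svchost.exe"
    return {
        "proxomitron reads hosts": evaluate(FILE_RULES, proxo, HOSTS, "Read"),
        "proxomitron writes hosts": evaluate(FILE_RULES, proxo, HOSTS, "Write"),
        "unknown reads hosts": evaluate(FILE_RULES, unknown, HOSTS, "Read"),
        "svchost to trusted DNS": evaluate(NET_RULES, svchost, "udp:192.0.2.53:53", "Outbound"),
        "unknown to other DNS": evaluate(NET_RULES, unknown, "udp:203.0.113.9:53", "Outbound"),
    }


if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{event:28s} -> {verdict}")
```

The point the reply makes shows up in the hosts-file rules: because the global rule's Read permission is Ignore rather than Allow, reading is decided by whatever rule sits below it (Allow for proxomitron, Ask for anything else), while Write/Create/Delete are denied at the top regardless of what lower rules say.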
     
  20. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    MD does not support IPV6 yet. You can use MD with the Windows 7 firewall. :)
     
  21. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    I have added an option to log all denied actions, but not ONLY denied actions. :)
     
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    yes but can you add an option for "ONLY denied actions" as well ?
     
  23. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    There is no space in the options dialog for an additional log option. If I add this option, I need to redesign the options dialog in 8 languages. So I have decided not to change it unless more people request this feature. :)
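An added example, not code from any post and not Malware Defender's own, covering two points from the thread: the start-up behaviour described earlier (each log line is parsed on its own and a line with bad data is discarded), and the "only denied actions" view requested in the last few posts, produced by filtering the parsed log rather than by a logger option. The pipe-separated record layout, the verdict names and the sample lines are all constructed assumptions; mdlog.txt's real format is not shown on the page.

```python
"""Line-by-line parser for a HIPS text log that discards malformed lines
instead of aborting, plus a post-hoc "denied actions only" filter.
Constructed example: the pipe-separated layout below is an assumption,
not Malware Defender's actual mdlog.txt format."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

FIELD_COUNT = 5  # timestamp | process | action | target | verdict (assumed layout)
VERDICTS = {"Allowed", "Denied", "Asked"}  # assumed verdict vocabulary


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    process: str
    action: str
    target: str
    verdict: str


def parse_line(line: str) -> LogEntry:
    """Parse one record; raise ValueError on any structural problem."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}")
    when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")  # ValueError if garbled
    process, action, target, verdict = parts[1:]
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    if not process or not action:
        raise ValueError("empty process or action field")
    return LogEntry(when, process, action, target, verdict)


def parse_log(text: str) -> Tuple[List[LogEntry], List[Tuple[int, str]]]:
    """Parse every line independently: good lines are kept, bad ones are
    recorded as (line number, reason) and skipped, so a single hand-edited or
    truncated line cannot take the lines before or after it with it."""
    kept: List[LogEntry] = []
    dropped: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are not an error
        try:
            kept.append(parse_line(line))
        except ValueError as exc:
            dropped.append((lineno, str(exc)))
    return kept, dropped


def denied_only(entries: List[LogEntry]) -> List[LogEntry]:
    """The "only denied actions" view, done on the parsed log."""
    return [e for e in entries if e.verdict == "Denied"]


# Constructed sample log: line 3 was hand-edited and lost two fields, line 5
# has a letter O in its timestamp; both must be skipped without losing the rest.
SAMPLE_LOG = """\
2009-10-22 09:00:01|C:\\Program Files\\Proxomitron\\Proxomitron.exe|File Read|C:\\WINDOWS\\system32\\drivers\\etc\\hosts|Allowed
2009-10-22 09:00:05|C:\\Temp\\unknown.exe|File Write|C:\\WINDOWS\\system32\\drivers\\etc\\hosts|Denied
2009-10-22 09:00:07|C:\\Temp\\unknown.exe|Terminate Process
2009-10-22 09:00:09|C:\\Temp\\unknown.exe|Registry Write|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|Denied
2009-1O-22 09:00:11|C:\\WINDOWS\\system32\\svchost.exe|Network Outbound|udp:203.0.113.9:53|Asked
"""


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    print(f"kept {len(entries)} entries, dropped {len(bad)}: {bad}")
    for e in denied_only(entries):
        print(f"{e.when:%H:%M:%S} {e.verdict:7s} {e.action:16s} {e.process} -> {e.target}")
```

Each line is parsed in its own try block, which is what makes the "bad line is discarded, the rest survives" behaviour hold; a parser that read the file as one unit would lose everything after the first corrupt record, which is the failure the thread's bug report was worried about.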
     
  24. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Malware Defender 2.4.1 final is released

    English version: http://www.torchsoft.com/download/md_setup.exe
    French version: http://www.torchsoft.com/download/md_setup_fra.exe
    German version: http://www.torchsoft.com/download/md_setup_deu.exe
    Italian version: http://www.torchsoft.com/download/md_setup_ita.exe
    Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
    Russian version: http://www.torchsoft.com/download/md_setup_rus.exe

    What's new?
    - Added protection against killing processes by terminating job object.
    - Added support for verifying file signature of process modules in background.
    - Added support for managing registry, shutdown and lego notify routines.
    - Fixed a bug when handling relative path.
    - Fixed a bug when displaying application rule dialog on low resolution screen.
    - Fixed a bug that cannot log denied actions when accessing protected processes.
    - Fixed a bug that may cause deadlock.
    - Fixed a bug when scanning kernel DPC timers.
    - Fixed bugs in the hex file viewer.
     
  25. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Thanks for the affirmation.
    That makes things easier as there is no need for an additional FW anymore.
    At least I hope so.

    Upgraded to 2.4.1 without problems and everything is fine. :thumb:

    Cheers
     