Malware Defender 2.4.1 beta

Discussion in 'other anti-malware software' started by xiaolin, Oct 21, 2009.

Thread Status:
Not open for further replies.
  1. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    The final version 2.4.1 is running fine here. :thumb:

    Thanks Xiaolin.
     
  2. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Malware Defender 2.4.2 final is released

    English version: http://www.torchsoft.com/download/md_setup.exe
    French version: http://www.torchsoft.com/download/md_setup_fra.exe
    German version: http://www.torchsoft.com/download/md_setup_deu.exe
    Italian version: http://www.torchsoft.com/download/md_setup_ita.exe
    Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
    Russian version: http://www.torchsoft.com/download/md_setup_rus.exe

    What's new?
    - Fixed bugs that may cause protections to be bypassed by malware.
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Re: Malware Defender 2.4.2 final is released

    Google killmdfile.rar. Xiaolin will have to explain it to us in layman's terms: ProbeBypass attack techniques. The POC download link is at the end of the post.
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Among other things, it appears to kill Malware Defender 2.4.1 (UI and service) at startup on XP SP3.
     
  5. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Malware Defender 2.4.3 final is released

    English version: http://www.torchsoft.com/download/md_setup.exe
    French version: http://www.torchsoft.com/download/md_setup_fra.exe
    German version: http://www.torchsoft.com/download/md_setup_deu.exe
    Italian version: http://www.torchsoft.com/download/md_setup_ita.exe
    Spanish version: http://www.torchsoft.com/download/md_setup_esn.exe
    Russian version: http://www.torchsoft.com/download/md_setup_rus.exe

    What's new?
    - Fixed a bug that may cause file protection to be bypassed by malware.

    Sorry for the inconvenience. :oops:
     
  6. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Re: Malware Defender 2.4.3 final is released

    I don't think you incremented the build number when you compiled; mine still says 2.4.2.

    Edit: Nah, it's cool, my browser must have had it cached. I switched browsers and got 2.4.3.

    Thanks Xiaolin. :)
     
  7. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Looks like there is a 2.4.4 on its way soon, further bypasses fixed ......
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    The 3 POCs are the work of a Chinese security researcher known as mj0011. mj0011 coded the Tophet POC rootkit/bootkit last year. The English version of MD 2.4.4 beta 1 is available here: http://www.torchsoft.com/download/md_setup_2.4.4_b1.exe. It addresses the third and most recent POC.
     
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    You can get them here: <Snip>. Don't use Google translate. The POCs can be found in the fourth folder down.

    Edit: Please don't post links even to POC malware
     
    Last edited by a moderator: Oct 30, 2009
  10. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    For those who are interested in bypassing MD, check <SNIP>. It's also why new versions come so frequently.
     
    Last edited by a moderator: Oct 30, 2009
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    and the contest may go on for a while...

     
  12. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Well, I guess mj0011 will lose interest in attacking it soon. I'm not being ironical on MD though.
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    This is a good thing for MD. I want the security apps that I use to be given serious scrutiny.
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    mj0011 is doing us a good favor here. I don't think he is making POCs to give MD a bad name; instead he is making POCs to improve MD and make it better by finding security holes.

    This indicates mj0011 must think very highly of MD. It's good to know we are using a product such as MD, which an expert like mj0011 also probably uses.

    Anyway, why all of a sudden can't anyone post harmless POCs any more? Can someone please PM me a sample?
     
  15. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    I'm sure this is a dumb question, but can someone tell me what the acronym POC stands for? Thanks!
     
  16. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    Proof of Concept
     
  17. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Thanks DOSawaits!
     
  18. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    So far, I'm failing to understand how to use "Groups" within MalwareDefender.

    I understand how to CREATE a group:
    click "Rule" in the toolbar, then "Application Groups..." in its dropdown menu,
    then, in the window titled "Application Groups", click "New Group".
    -=-
    A dialog box titled "Edit Group" pops up.
    An ever-present notice in the dialog box reads: "A group will not be displayed in the rule window after it is created, you must create a rule to use it."
    Here you type the label name for the group
    (filling in the text name is the ONLY action you can perform in this dialog)
    and click "Okay" to close the dialog.

    you must create a rule to use it
    CREATE a rule? Or does this mean 'empty' groups are not displayed -- must ASSIGN/MOVE at least one application (application rule item) to cause the groupname to show up in the treeview display? OR... regardless whether a custom group is empty or not empty, custom groups are NEVER displayed in the treeview?

    Right-clicking an application rule for one of the apps I wish to place in my newly-created custom group, when I hover at "Move to Group" in the context menu flyout, I DO NOT SEE MY NEW 'APPLICATION RULE GROUP' LISTED AMONG THE GROUP NAMES.

    While adding the application groupname, I noticed the "New Object" button, but I hadn't added any "object" (because I had expected that I would be adding an existing "application rule" item into the group)... so I return to the "Application Groups" window and click "New Object". I'm presented with the multi-tabbed window which is used to create new rules (any rules: network, file, application) with its "General" tab preselected. Both "select an application" and "select an application group" radio buttons are grayed-out, but the "File path" textbox shows a cursor (has focus)... so I browse/assign the exe file for one of the apps I wish the group to contain, and click "OK".
    -=-
    The icon for this "object" exe is now displayed beneath my custom group in the "Application Groups" popup window, but the custom group STILL isn't displayed in the treeview of the main (Rules tab) window. Thinking to myself "Gee, the custom group STILL doesn't have any unique permissions set"... once again I return to "New Object" and click the "Files" tab. (In this example, the intended purpose of the group is: restrict applications listed in it from writing to my D:\ drive.) At the files tab, I enter the D:\ path and tick "files and folders"... and clicking the "OK" button has no effect.

    This seems confusing and awkward. With every other similar app I've used, at this point I would expect to see an icon for the newly-created group in the treeview, and would expect to be able to drag one or several apps onto (into) the group.

    What aspect of the workflow am I missing here?
     
  19. wat0114

    wat0114 Guest

    inka, an easy way to display the new Group is to right-click -> New Rule -> Application Rule, then select the radio button "Select an Application Group", then find your newly created Group folder in the drop-down list and select it -> <OK>. You should then see it just above "Application Rules - System".
     
  20. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Yes, it worked exactly as you described. Thank you!
     
  21. wat0114

    wat0114 Guest

    You are welcome!
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Somewhat OT, but it appears mj0011 has turned his attention from Malware Defender to Comodo Internet Security. No POC...just a demonstration video. Something about "RING3 kill any process in CIS".
     
  23. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I think mj0011 should bring his attention back to MD. Who cares about Comodo, lol.

    Anyway, as of late I have changed my way of thinking a bit. For these POCs to bypass MD you first have to allow the creation of the files, then you have to allow them to execute and run before they can actually do anything. I'm not worried as much as I used to be about controlling the behaviour of things. xiaolin once said to me a while ago in a PM convo that should malware be allowed to run, there are many ways malware can bypass security apps.
     
  24. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Offtopic? This wasn't titled as an update thread, or posted to the updates subforum... so I sure hope the mods won't close the thread.

    As users, we have no English-language support forum at the Torchsoft site... and xiaolin is busy, earnestly releasing patches in several languages. This (one) thread is probably easier for him to monitor. On the other hand, perhaps xiaolin doesn't favor seeing a thread bearing a non-current version in its title being bumped to top. (Hmm, thread starter can edit the title of a thread? Maybe that would be a bad idea though, messing up search engine results?)

    So far, this thread has been my support lifeline (so again, thanks!) and I wonder whether y'all are reading/translating a non-English forum to learn about "antics of mj0011" and such. I haven't found discussions elsewhere & if not for the discussion here, I doubt I would have trialed MD. Wandering onto the Torchsoft site, bearing ONE measly screencap, I wondered "Is this a rogue?" and when I search for backlinks to torchsoft.com, I found VERY few of them.
     
  25. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    More than just a security "app", I believe MalwareDefender represents a security "platform". Can't say/claim/advocate that it is best-in-class, because it probably isn't (er, its current default ruleset isn't) suitable for a general audience. It would be regarded as "too noisy" by some users...

    ...and, for others (Hi! wave {blush}) it's powerful enough to enable the user to shoot himself in the foot. It's late, I'm tired; eek, what was that allow/deny popup I just absentmindedly clicked? I find myself often running to the "Log" pane, right-click the most recent entry, "Jump to rule" to double check.

    Although I recognize many of the system executables and DLLs popping up, I'm at a loss to guess which of them merit "allow shared memory" (or whatever) rules, so I'm too often relegated to responding to popups with temporary "Allow" rules.

    My point: Given a too-sparse default ruleset, a "strong" HIPS is subject to (and its effectiveness suffers from) cumulative user error(s) related to rule creation.
     