Malware Defender 2.6.0 beta

Discussion in 'other anti-malware software' started by xiaolin, Feb 1, 2010.

Thread Status:
Not open for further replies.
  1. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Re: Malware Defender 2.6.0 final is released

    Thanks Xiaolin!
     
  2. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    From the help file.

    "The program will not inject mdhook.dll into other processes, and the protections for accessing Service Control Manager and accessing COM interfaces will be disabled.

    If an application cannot be launched when MD is running, you can try disabling mdhook.dll to resolve the problem."

    Problem is, other apps also load such hook DLLs into processes or don't like it if this DLL is loaded into their processes.
    Outpost loads wl_hook.dll, OA loads OAwatch.dll and sooner or later there is no free RAM anymore. :D

    No, I think it's just for compatibility, to prevent "MD does not work with ..." complaints.

    Apart from security software the mdhook.dll may also cause problems with copy protection and cheat protection software.
    But as long as there are no problems I would always set this option back to load the mdhook.dll.

    Cheers
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I think this is a very important feature to block DLL injection :)
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    RTFM - thank you subset.
    Well - Outpost is past - MD is future here.
    Luckily I had no trouble between MD and anti-cheat protections for my games.
     
  5. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Hi xiaolin,

    I cannot prevent executables being written across network shares, even after disabling Explorer's default rule permitting all files.

    Scenario:

    Using VirtualBox or PC to PC: create a shared folder on the MD protected PC, send an executable file from the other PC across the network to the shared folder where MD is allegedly protecting it.

    I reset to the default config & disabled Explorer's default file permit rule.

    Anyone else seeing this behaviour?

    Thanks.
     
  6. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    It will be fixed in future version :)

    Thanks.
     
  7. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Hi xiaolin,

    The network protection seems to have some serious problems in later builds.

    I have VirtualBox happily surfing the internet right now, with zero network rules in my configuration.

    Using Bridged networking type:
    virtualbox.exe process should (in theory) be invoking network prompts from MD.

    Could you look into this also?

    Thank you.

    EDIT: Disregard; it looks like VirtualBox does not communicate via virtualbox.exe.
     
    Last edited: Feb 14, 2010
  8. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    I use NAT for all VMs and all prompts are related to virtualbox.exe.
    But I only choose NAT because then there is no need to install any VirtualBox network driver.

    Cheers
     
  9. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Hi subset,

    For me to simulate network environments with multiple virtual machines and connect to my real network, bridged works best for me.

    I still haven't figured out how VirtualBox is communicating (Process Monitor, Jetico), unless it is purely driver based.

    Makes me wonder how easy it would be to tap into this and have a free ride home. A process/program could appear to have no network activities.
     
  10. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    I am currently running MD 2.6.0 in learning mode. Once that is complete I would like to combine it with DefenseWall 3.00. I am thinking of going with default settings for DW and, for MD, enabling real time protection for applications and files only. MD would alert if any applications tried to run or if there were any new/changed files. DW would protect the registry and handle network traffic. Any thoughts?
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    no recommendation :thumbd:
    use one - not both
    my fav is MD.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, this would be my setup

    MD
    Process/application control
    - allow everything for all processes (*), except
    - kernel protection
    - low level operations (keyboard + registry)
    - direct disk access
    - keyboard access
    - driver install

    ** DW will protect all internet facing programs completely; with this SYSTEM WIDE protection, your Antivirus or Hitman Pro (on demand) will always be able to remove the nasties (the real core of your system is protected, while you do not receive pop-ups of MD)

    Create a special group with your internet facing software and
    - create an ask for HKEY_CURRENT_USER registry access
    - create an ask for all disk access (except your temp and download directories) of your documents or user data section

    ** DW will block access to HKLM and Windows + Program Files, so MD will enhance the security level of user space

    Choose which FW you want to use, DW or MD, and deselect the option of the other
    also trim down MD alerts of file protection (restrict that for all apps to Windows)

    Regards Kees
     
  13. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    I think they complement each other, except that network protection in MD may conflict with DW, so I turned it off. Otherwise no slowdowns so far. I ran MD in learning mode for 24 hours with several reboots.
     
    Last edited: Feb 18, 2010
  14. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks Kees for the suggestions. Thus far I have KAV, DW, MBAM, etc. as "permit" all. I like your ideas for Internet facing apps. I will see if I can implement them.
     
  15. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    There are new results for MD at Matousec.
    Not that I care, but at least one result seems to be wrong.

    He states that he tests with highest settings...
    "The products are configured to their highest usable security settings and tested with this configuration only. We define the highest security settings as settings that the user is able to set without advanced knowledge of the operating system. This means that the user, with the skills and knowledge we assume, is able to go through all forms of the graphic user interface of the product and enable or disable or choose among several therein given options, ..."
    http://www.matousec.com/projects/proactive-security-challenge/#methodology-rules

    But if you take a look at the inject1 test (level 7), you can see that "Load dynamic link libraries" was not enabled.
    Because with this option MD would not fail the test and you have several opportunities to stop the intrusion and pass the test.

    Inject1Log.png

    Cheers
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    This option is where in MD? (using MD in german)
     
  17. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Anwendungsregeln > Rechte > Dynamische Bibliotheken (DLLs) laden.
    You will get an awful lot of prompts, at least when you start a program for the first time.
    I use this option only for a special group to monitor suspicious apps.

    Cheers
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    You wrote about the preset "*"?
    My bad - it was set to "allow" (default I guess)
    same for "COM" (COM-Schnittstelle)

    thank you
     
  19. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Yes, this default rule.
    It can be changed for this default rule and also for a group rule or a single application rule, which would have higher priority than the default rule.
    Both are allowed by default, for COM interfaces there are a few exceptions defined in the default rule, which are set to ask.
    But both can be changed for close monitoring of programs.

    Cheers
     
  20. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    I set COM to ask now and DLL back to allow - it was a bit much to answer, to say the least :eek:
     
  21. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Kees,
    Can you elaborate a little more specifically on what you mean by this?
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I'm disappointed at MD's rather poor keylogging protection (see THIS thread), as well as Xiaolin's manifest disinterest in dealing with it.

    I have switched to a trial copy of Online Armor, but will keep monitoring to see if Xiaolin *repents*.
     
  23. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Is there any difference in how secure MD is if mdhook.dll is disabled? I was currently running with it disabled (default), but tested it tonight with mdhook.dll enabled and all seems to be working well. For now though I went back and disabled it and would prefer to keep it like that if there is no impact on security.
     
  24. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    How about the ability to scan the whole computer to learn every file, thus a lot fewer popups, and only new things will pop up.

    Yes, I know learning mode is there, but a computer scan would help look at everything and build a database of known files.
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The question is waaay beyond my limited knowledge. I suggest you email the question to Xiaolin (support at torchsoft dot com) -- he is always fast to reply, and VERY helpful.
     