Malware Defender and Matousec's latest tests

Discussion in 'other anti-malware software' started by spidey, Jul 5, 2009.

Thread Status:
Not open for further replies.
  1. spidey

    spidey Guest

    Would Malware Defender fare any better on Matousec's latest tests with customized rules, or will program updates be the only way to block the attack vectors that Matousec found? I'm surprised to see Kaspersky so high this time and would like to see MD take #1!
     
  2. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    I'm only new to MD and no malware expert, but by looking at where MD failed it appears that, yes, the results could be improved with custom rules, and others may need updates.

    For example on this page it failed DNStealer which says:

    With MD we can decide what's trusted, so that could pass with rules. So I'm sure with a hardened rule set MD could shake the top of the charts. :)
     
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I am mystified -- WHY are Matousec's firewall tests considered valid when applied to HIPS (non-firewalls)? I hope that Xiaolin &/or Ilya or others of similar competence will comment.
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Because they're essentially HIPS tests, and have little to do with firewalls.
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Yes, I do believe that with extra configuration MD would do much better.

    Remember, these tests are all about controlling the behavior after the executables have been given permission to run.

    If MD denied the creation of the executable files and denied them from running in the first place, then MD would obviously pass 100 percent.


    Quote:
    Description: DNStester tries to determine whether the tested product filters DNS queries from an untrusted process.

    Well, that's easy: if you are running an untrusted process you would obviously limit its permissions, like blocking it from accessing the network. But then again, why would you even allow untrusted processes to run in the first place? So even though Matousec says MD fails DNStester, I consider it to be a pass.
     
    Last edited: Jul 5, 2009
  6. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    I would like to hear what Xiaolin has to say about "bugs", (I would say) cheating (passing a test's specific implementation vs. failing the test's technique):

     
    Last edited: Jul 5, 2009
  7. spidey

    spidey Guest

    That's true, but it's the application's rogue behavior after launch that I'm wondering if MD would alert for. On the tests that Matousec lists as a fail, was it because the appropriate choice wasn't made to deny the action, or is it because MD failed to even prompt the user with regard to that particular test's post-launch rogue activity? I know some other vendors supply comments on Matousec's website and was wondering what Xiaolin's thoughts are with regard to these results.
     
  8. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    MD's firewall cannot block some low-level packets, so it failed the DNS and echo tests.

    I do not know why MD failed the SSS3 test; I cannot recreate it.

    The other failed tests, except crash7, are related to accessing COM objects. MD implemented the COM protection using ring3 hooks. Matousec's test will restore ring3 hooks, and any protection for the ring3 hooks will be taken as a direct attack against the test, and will fail the test. I have no plan to change the implementation of COM protection yet, so MD will not get a higher score in the near future.

    Thanks :)
     
    Last edited: Jul 7, 2009
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I don't care about this. MD is more of a classical HIPS, not a firewall to filter low-level packets.
     
  10. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    ^^ Agree ^^
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I tested SSS3 against MD 2.2.2 on XP SP3 in several scenarios and MD passes every time. Depending on the scenario, SSS3.exe will hang and do nothing after MD denies shutdown or it will terminate and generate a text file with these results:

    "Security Software Testing Suite - SSS3
    Copyright by www.matousec.com, Different Internet Experience Ltd.
    http://www.matousec.com/


    ERROR: Unable to initiate the system shutdown.
    Error code: 1115
    Error message: A system shutdown is in progress.

    YOUR SYSTEM PASSED THE TEST!"
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    cool nick:thumb:
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Drop each of those named test exes into the "Image File Execution Options" reg setting and use cmd or whatever as the debugger and not a single one will run.

    100% every time.
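    The post above relies on the "Image File Execution Options" (IFEO) Debugger value: when it is set for an image name, Windows starts the named debugger instead of the program. The same value is a well-known persistence spot, so a defender who hardens a box this way should also be able to list exactly which images carry a Debugger entry and whether each one points at the debugger they chose. The following is an added example, not code from the thread or from Malware Defender: it parses the text of a constructed `.reg` export of the IFEO key (the sample data, the `classify` helper and the `expected_debugger` parameter are assumptions for illustration) and separates entries that match the chosen debugger from entries that point somewhere else.

```python
"""Audit IFEO Debugger entries from a Windows registry (.reg) export.

Added example, not part of the original thread. It works on the text of a
registry export so it runs offline; on a live Windows host you would export
the IFEO key with reg.exe first and feed the file to parse_ifeo_export().
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample export (assumption, not a real machine): two test
# executables pinned to cmd.exe as the post describes, one subkey without a
# Debugger value, and one entry whose debugger is not the one we chose.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SSS3.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNStester.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\app.exe]
"Debugger"="C:\\Users\\Public\\unknown.exe"
'''


def parse_ifeo_export(reg_text):
    """Return {image_name: debugger_or_None} for each IFEO subkey in the export."""
    entries = {}
    current = None
    prefix = IFEO_KEY + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            key = key_match.group(1)
            # Registry paths are case-insensitive; only keep subkeys of IFEO.
            if key.lower().startswith(prefix.lower()):
                current = key[len(prefix):]
                entries[current] = None
            else:
                current = None
            continue
        if current is None:
            continue
        dbg_match = re.match(r'^"Debugger"="(.*)"$', line)
        if dbg_match:
            # .reg exports escape backslashes and double quotes with a backslash.
            value = dbg_match.group(1).replace("\\\\", "\\").replace('\\"', '"')
            entries[current] = value
    return entries


def classify(entries, expected_debugger="cmd.exe"):
    """Split Debugger entries into ones matching the chosen debugger and the rest.

    expected_debugger is an assumed parameter: the debugger you deliberately set
    (cmd.exe in the post). Anything else deserves a look, since an unexpected
    Debugger value silently redirects every launch of that image.
    """
    wanted = expected_debugger.lower()
    blocked = sorted(n for n, d in entries.items() if d and d.lower() == wanted)
    unexpected = sorted(n for n, d in entries.items() if d and d.lower() != wanted)
    return blocked, unexpected


if __name__ == "__main__":
    found = parse_ifeo_export(SAMPLE_REG)
    pinned, odd = classify(found)
    print("Images blocked via chosen debugger:", pinned)
    print("Images with an unexpected debugger:", odd)
    for name, dbg in found.items():
        if dbg is None:
            print("No Debugger value (not redirected):", name)
```

Running the script against the built-in sample reports SSS3.exe and DNStester.exe as pinned to cmd.exe, notepad.exe as untouched, and app.exe as carrying a debugger that was not chosen; that last class is the one to review on a real export.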
     
  14. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    341
    Are you going to add this feature and when? RTD has it.
     
  15. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    I hope so; these should be some great features ;)
     