Malware Defender apparently poor detection of loaded/hidden DLLs

Discussion in 'other anti-malware software' started by peteck, Jan 11, 2010.

Thread Status:
Not open for further replies.
  1. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    Hi Xaolin, thanks for your excellent program, I've bought a license and very glad that I did :)

    I've hoped for a while to employ your program as a general malware detector and remover (or a tool to aid in such) but haven't yet found the time to do much real world testing with it.

    Recently though I saw this:
    http://www.ntinternals.org/dll_detection_test.php

    In light of the aspiration stated on the Torchsoft website "Malware Defender is also an advanced rootkit detector. It provides many useful tools that can be used to detect and remove already installed malware."

    Will you consider improving MD's loaded DLL detection in the future ?

    Thanks.
     
  2. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    The tested version was 2.4.3 however in 2.4.4b xiaolin changed the implementation from Ring3 to Ring0 to enhance this dll shortcoming.

    https://www.wilderssecurity.com/showpost.php?p=1576552&postcount=5

    How much better is 2.4.3 to the current 2.5? Not 100% sure exactly, but enhancements have been made since the tested version.
     
  3. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    Hi 1boss1 thanks for that.

    I did notice that change but was unclear as to the relevance of it WRT the tests above, as the change was referred to as "Improved the ability to detect actions of loading DLLs" rather than the detection of already loaded (and possibly hidden) modules as shown in MDs Processes Tab>Modules box.

    I might drop that chap a line see if he will test the latest version.
     
  4. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    MD 2.5.0 has been retested with no change in ability to detect the six listed methods of hiding loaded dlls
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    as discussed before in another thread regarding this test even MD can't detect all of the loaded rootkit's it can however prevent them from loading in the first place. A good security policy is to block rootkits from installing in the first place because if you allow them to install they can do many things like evade MD's detection.
     
  6. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Thanks mate for passing that along, and thanks to i believe Alex Poland for retesting MD.

    I was hoping to see a couple of passes in the new test, and while it's true that blocking them in the first place is what counts detection is important. I hope this is something xiaolin can enhance in the future.

    Also surprised that SpyDllRemover come up short as well.
     
  7. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    Oh well we can only hope that Xaolin will improve things (even more !) in time, i'm sure he/she is very busy.
     
  8. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    341
    One man ... One Desireeee...
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    he will make better trust me on this one he may be only one man developing it but he is more bussy than jacky chan and jet lee:D combine;)
     
Loading...
Thread Status:
Not open for further replies.