Malware Defender Customized Rules

Discussion in 'other anti-malware software' started by wat0114, Feb 19, 2009.

Thread Status:
Not open for further replies.
  1. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    tony62,
That's quite a bit of activity! Thanks for taking the time to run the test. It is good to know that MD can support this level of protection. I am constantly impressed with the capability and flexibility of MD. This is truly an excellent program !!! Thanks again tony62 and wat0114 for your explanations and testing, I have learned a lot from your posts.
     
  2. wat0114

    wat0114 Guest

    Okay, now I thought I'd post some shots of a registry object alert of Internet Explorer triggering an alert under the Registry Group: "Internet Explorer Settings".

    I have included shots of some of the available options when finalizing the rule.

    First, the main alert including a shot of the window where the granularity of the rule can be edited...
     

    Attached Files:

    Last edited by a moderator: Feb 26, 2009
  3. wat0114

    wat0114 Guest

    Second, shots of a few of the available options...
     

    Attached Files:

  4. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    wat0114,

    Superb tutorial of registry alerts/rules !

    I want to ask your advice about the execute permissions rule, do you feel that it is best to set it as permit or ask ?

    P.S. Side question, what software do you use to capture those screenshots which allows one to mark with red framing and arrows ?
     
  5. wat0114

    wat0114 Guest

    Thank you JosephB!

    I use Snagit for screen captures.

    For "Application rules - System" I leave it at "Permit". For Application Rules - Normal I changed the default from "Ignore" to "Ask" for tightening things up a bit, though do keep in mind that pretty much all, if not all, of your applications are going to be a "Child" of one of your system apps, especially explorer.exe, so the "Ask" rule further up the ladder (lower priority) will not get triggered in this case.

    I just consider the possibility some form of malware may not need one of the trusted system apps as a parent to launch. This possibility may be remote but you never know. I just want to make sure the "Execute" rule will trigger early if that is going to be the case.
     
  6. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    Thanks for this thread :)

    As a MD newcomer I'm currently playing with the rule system.
    Are there handy rules or possibilities to stop Gpcode for example?

    Regards from Germany
     
  7. wat0114

    wat0114 Guest

    The addition of an Install mode has been discussed often regarding MD, so I have decided to try to design a basic one using a custom Application Rule, keeping it disabled except when a program needs to be installed.

Please note this is a work in progress and I'm no expert at choosing the best rules and permissions; I am only interested in choosing a ruleset that will afford some protection against malware behaviour with minimal pop-ups, so I have experimented extensively in VBox using Wireshark/Winpcap as the test installation program, selected because it will generate tons of pop-ups in MD without an Install mode. Every time I made a change to the rules, I exported the configuration, then reverted to VBox's current snapshot, imported the configuration, then started over again re-installing the program on the clean snapshot.

    The screen shots essentially show its settings.

    • First, I created an Application Rule and placed it at the very bottom of Application Rules - Normal.
    • On the Permissions tab I have chosen "Ask" in key areas where malware might target.
    • Under the File tab I have selected two File groups.
    • Under the Registry tab I have selected two Registry groups.
    • Under the Network tab any network access attempts will trigger an alert.

    Note the permissions I have given to these groups, quite liberal overall, yet some restrictiveness, in order to reduce the pop-ups while installing programs.

    The results so far are as follows:

    MD pop-ups generated with full install of Wireshark/Winpcap:

    1. With the custom Program install mode Application rule disabled: 141 pop-ups
    2. With the custom Program install mode Application rule enabled: 10 pop-ups

That is quite a huge difference. This way there is at least some degree of protection in the event of an unintended launching of a rogue program, without the barrage of annoying pop-ups that would occur without a toned-down Application rule such as the one I created, but better than simply disabling MD before installing a program where there is not 100% certainty in its trustworthiness.

    Any suggestions are both encouraged and welcomed :)
     

    Attached Files:

    Last edited by a moderator: Sep 12, 2009
  8. wat0114

    wat0114 Guest

    Finally a screen shot of the Network tab settings:
     

    Attached Files:

  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
Setting "Access Keyboard in Low Level" to "Ask" causes endless pop-ups for me as soon as this rule is enabled. Is this setting correct?
     
  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
Regarding installing new unknown software for the first time, I have always recommended in these forums to first install on a backed up image or on VM before you install on your real system to see if it is clean and see how well it behaves, and to see if you like the software.

    After a quick test, I have found that using the "Remove Stale Rules" option does indeed remove all the installation rules for MOST software.

    It's really only when you install software which during the install process calls up system apps to make system modifications to install things like start-up drivers etc.
     
  11. wat0114

    wat0114 Guest

    Yes, it's correct. What program is causing all those alerts, and are you enabling the Application rule only for installing a program?

    A nice option, for sure, but not everyone wants to go this route.

    That's good to know. Thank you for checking it out :)

Do you mean this is malicious behaviour when installing programs? I'm attempting to cover at least most areas with my custom Application rule to alert on malicious behaviour during a new program install, so I'm hoping you and others can offer suggestions on what could be added or deleted to the rules. Ultimately, I'm hoping xiaolin can pipe up with some suggestions or announce he will eventually add an "Install mode" for MD :)
     
  12. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    It's a couple of processes relating to mouse and ATA drivers. I've placed them below the new rule in the list and that seems to have solved the problem.
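The thread above describes two things a reader may want to see together: wat0114's custom "Program install mode" Application rule (liberal on ordinary file and registry writes, "Ask" on sensitive areas, and a measured drop in pop-ups when it is enabled), and the rule-ordering behaviour that Scoobs72 relied on when moving the mouse/ATA driver processes below the new rule to stop the "Access Keyboard in Low Level" prompts. The following is an added toy model written for this page; it is not Malware Defender's engine, configuration format or rule syntax. The event names (`file_write`, `reg_write`, `install_driver`, `net_connect`, `keyboard_lowlevel`), the rule fields, the `ask_on` prefix list, the bottom-up evaluation order (a rule placed lower in the list wins, as both posters describe) and the installer event stream are all assumptions constructed for the example.

```python
"""Toy model of an ordered HIPS application-rule list with a toggleable
"install mode" rule.  Added illustration only: the operation names, rule
fields and bottom-up evaluation are assumptions made for this example,
not Malware Defender's actual engine or configuration format."""
from dataclasses import dataclass

ASK, PERMIT, IGNORE = "ask", "permit", "ignore"


@dataclass
class Event:
    process: str      # image name of the acting process
    operation: str    # assumed operation names, e.g. "file_write"
    target: str = ""  # path, registry key or address; empty if not applicable


@dataclass
class AppRule:
    name: str
    actions: dict                 # operation -> ASK / PERMIT / IGNORE
    processes: tuple = ("*",)     # "*" matches any process
    ask_on: tuple = ()            # target prefixes that always prompt
    enabled: bool = True

    def decide(self, ev):
        """Return this rule's verdict for ev, or None if it does not apply."""
        if not self.enabled:
            return None
        if "*" not in self.processes and ev.process not in self.processes:
            return None
        if ev.operation not in self.actions:
            return None
        if any(ev.target.lower().startswith(p.lower()) for p in self.ask_on):
            return ASK
        return self.actions[ev.operation]


def decide(rules, ev, default=ASK):
    """Walk the list from the bottom up, so a rule placed lower in the list
    takes precedence over one above it; the first verdict found wins."""
    for rule in reversed(rules):
        verdict = rule.decide(ev)
        if verdict is not None:
            return rule.name, verdict
    return "<no rule>", default


def count_prompts(rules, events):
    """Number of events that would raise an 'Ask' pop-up."""
    return sum(1 for ev in events if decide(rules, ev)[1] == ASK)


ALL_OPS = ("file_write", "reg_write", "install_driver",
           "net_connect", "keyboard_lowlevel")

# Top of the list: the catch-all "Application Rules - Normal", with its
# default switched from Ignore to Ask as wat0114 describes.
NORMAL_DEFAULT = AppRule("Application Rules - Normal (default)",
                         {op: ASK for op in ALL_OPS})

# The install-mode rule: permits ordinary file/registry writes, still asks on
# driver installs, network access, low-level keyboard access and on writes to
# the two sensitive prefixes below (constructed choices, not wat0114's groups).
INSTALL_MODE = AppRule(
    "Program install mode",
    {"file_write": PERMIT, "reg_write": PERMIT, "install_driver": ASK,
     "net_connect": ASK, "keyboard_lowlevel": ASK},
    ask_on=(r"C:\Windows\System32",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    enabled=False,
)

# Per-process rule for the driver helper processes, placed *below* the
# install-mode rule so it wins for those two processes (hypothetical names).
DRIVER_HELPERS = AppRule("Mouse/ATA driver helpers",
                         {"keyboard_lowlevel": PERMIT},
                         processes=("mousedrv.exe", "atadrv.exe"))

# Constructed stand-in for what a sniffer installer and two helper processes
# might do; not a trace of any real installer.
INSTALL_EVENTS = [
    Event("wireshark-setup.exe", "file_write", r"C:\Program Files\Wireshark\wireshark.exe"),
    Event("wireshark-setup.exe", "file_write", r"C:\Program Files\Wireshark\tshark.exe"),
    Event("wireshark-setup.exe", "reg_write", r"HKLM\Software\Wireshark\InstallDir"),
    Event("wireshark-setup.exe", "reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark"),
    Event("winpcap-setup.exe", "file_write", r"C:\Program Files\WinPcap\rpcapd.exe"),
    Event("winpcap-setup.exe", "file_write", r"C:\Windows\System32\drivers\npf.sys"),
    Event("winpcap-setup.exe", "install_driver", "npf"),
    Event("winpcap-setup.exe", "reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\rpcapd"),
    Event("wireshark-setup.exe", "net_connect", "203.0.113.10:80"),
    Event("wireshark-setup.exe", "keyboard_lowlevel"),
    Event("mousedrv.exe", "keyboard_lowlevel"),
    Event("atadrv.exe", "keyboard_lowlevel"),
]


def scenario(install_mode_on, with_driver_rule=False):
    """Assemble a rule list, top to bottom, for one configuration."""
    mode = AppRule(INSTALL_MODE.name, INSTALL_MODE.actions,
                   ask_on=INSTALL_MODE.ask_on, enabled=install_mode_on)
    rules = [NORMAL_DEFAULT, mode]
    if with_driver_rule:
        rules.append(DRIVER_HELPERS)
    return rules


if __name__ == "__main__":
    for label, rules in (("install mode off", scenario(False)),
                         ("install mode on", scenario(True)),
                         ("install mode on + driver rule", scenario(True, True))):
        print(f"{label}: {count_prompts(rules, INSTALL_EVENTS)} pop-ups")
```

Run as a script it prints the pop-up count for the three configurations: every event prompts while the install-mode rule is disabled, only the driver install, the `System32` and `Run` writes, the network connection and the low-level keyboard events prompt once it is enabled, and the last two keyboard prompts disappear once the per-process rule sits below it. The point of the model is the ordering discipline: a broad "permit most things" rule is only safe if the rules you still want to fire sit where the engine will reach them first, and a per-process exception only works if it is placed where it outranks the catch-all.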
     