Malware Defender denies installer

Hello,

I followed Arrans rules on setting up Malware defender
https://www.wilderssecurity.com/showthread.php?t=252773

The problem is installers when added to trusted list as a file, they get blocked on App* rule.

The rules still are actioned from bottom up in malware defender?
(ie nothings changed since that tutorial was devised?)

Martin

 

Can't you just add a rule to allow application group "Trusted Applications" to "Create new processes" for Application Rule *?

 

Yes, rules are still actioned from bottom up. Adding installer to trusted apps group should allow it to run. Though, I usually disable MD protection when installing software, so it doesn't interfere with installation procedure.

HQsec

 

MD has "Learning Mode"...why not use it?

 

Learning mode is useful during initial learning but IMO not so convenient when installing new software and updating system. It creates a lot of new temporary rules and fills log file. I know that most of those rules can be later deleted by "Remove stale rules" and "Remove temporary rules" commands but it was still PITA when I last used it that way. So I usually install and update software with MD disabled and then enable it after it is over.

HQsec

 

Good idea ...but if trott3r has in signature Win XP so why not to trial System Safety Monitor? I like it more than MD and it can prompt about temporay rules after enabling "Alert on changed and temporary files in Learning Mode" option

 

Yes SSM is also great. I've been using it before upgrading to Windows 7. It's less chatty than MD but still a great white-listing tool.

HQsec

 

According to the arran tutorial i shouldnt have to do that and it would defeat the object since app* is the last rule the installer should not be getting that far.

The trusted apps group is before the deny all app* group and thus should come across the installer in that group.

I was hoping that someone who had followed the tutorial might have an idea or made the same mistake as me.

 

So you dont follow the arrans tutorial/method?

Disabling will no doubt work but there must be something wrong with the way i set it up for this to not work
Dont want to store up problems for the future.

 

I am using the learning mode but in a different way.

This is what arran suggested in his method.

 

Yes I am using XP.

I chose malware defender as it supports vista and win7 which i also have on my desktop.

System safety monitor only supports xp.
It would be nice if i could use my experience from setting up my laptop to lock down the desktop as well

 

On SSM, the application prompts have an "allow once" option. Does Malware Defender have anything similar? Can it be set to anything resembling a "default-ask" mode? I'm not familiar with MD prompts or rule setup. I assume that MD does check the integrity/identity of the installer and the resulting rule is specific to that file. IMO, there's no point in making a permanent rule for any installer. You're only going to use a particular installer once. The exception might be the Windows installer, msexec.msi. SSM comes with a default rule allowing that executable that can be removed or be made command line parameter specific.

Without knowing MDs abilities and limitations, it's hard to be specific. I'd avoid learning mode for several reasons:
1, You're making permanent rules for one time use files.
2, You're restricting your ability to monitor and (if necessary) control the installation of unwanted components or additions, like bundled adware.
3, If you're not 100% certain of the integrity and source of the app you're installing, you could end up making rules that permanently allow malware to install and run, and possibly be defended by MD.

Any PC is at its most vulnerable when installing new applications or updates. It's the wrong time to disable your defenses. Assuming that you're not making rules for registry keys during the install process, most installs will only result in a few prompts, 1,2, maybe 6. There are exceptions of course, like a large office program or OS service pack where the prompts will drive you nuts.

 

No, I don't use that tutorial, I have my own system of setting rules. You should check out if Trusted apps group has option "Executed by other process" and "Create new processes" set to Permit. If this is true and Trusted apps group is bellow "Locked down apps" and "*" rule, you should be able to run installer. But if installer creates new process, which later creates another process, than second process (grandchild process) would be stopped from running (or asked to allow if in Normal mode). That's one of the reasons why installing software when MD is enabled, might be problematic.

HQsec

 

Yes you can allow execution just once without option "Create application rule".

Normal mode is similar to default-ask mode in SSM.

I also think that creating permanent rule for installer is not needed. But that's what you get if you install in Learning mode.

I totally agree with you.

Usually when I was installing software, I got a LOT of popups. MD monitors process creation, interprocess activity, access to memory, access to physical disk, drivers loading, writing all types of executable files to disk, network connections, registry activity, autostart settings... Sometimes if you don't allow actions fast enough, MD's suspension can even cause installation to fail.
That's way I always install everything with MD disabled. If I don't trust the software it will not be installed. If I want to see if there is something bundled in installer I install it first in VM.

HQsec

 

Yes the trusted has everything permitted.

The order is correct as well.

Looks like my options are to either uninstall MD and start again and hopefully get things right or to dump MD completely.

 

Sounds very much like SSM when everything is enabled. I don't use the registry rules which probably cuts the number of prompts in half. I'd imagine the biggest differences are what we're installing and how much the target OS has been stripped down.

I've wanted to check out MD on a few occasions, but all I got was BSODs. Never could get the OS to reboot after the install.

 

just wanted to jump in but noone_particular wrote it all - MD ist inferior and a critical software. i had longer talks with subset as he was active with that and all free versions after the last paid one were crappy. support was dropped long ago so why consider?

nevertheless you already run Outpost with a hips - more than one is always creating conflicts! btw v7 is also damn outdated (read your sig)

 

Yes you're right about popups. I've also whitelisted and globally allowed some options just to cut down on them. I've also experienced occasional BSODs on my laptop, so I had to remove MD. On my desktop I had no such problems so far.

HQsec