Malware Defender denies installer

Discussion in 'other firewalls' started by trott3r, Jan 23, 2014.

Thread Status:
Not open for further replies.
  1. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Hello,

    I followed Arran's rules on setting up Malware Defender
    https://www.wilderssecurity.com/showthread.php?t=252773

    The problem is that installers, when added to the trusted list as a file, get blocked on the App* rule.

    Are the rules still actioned from the bottom up in Malware Defender?
    (i.e. nothing's changed since that tutorial was devised?)

    Martin
     
    Last edited: Jan 23, 2014
  2. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Can't you just add a rule to allow application group "Trusted Applications" to "Create new processes" for Application Rule *?
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,079
    Yes, rules are still actioned from the bottom up. Adding the installer to the trusted apps group should allow it to run. Though, I usually disable MD protection when installing software, so it doesn't interfere with the installation procedure.

    HQsec
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    MD has "Learning Mode"...why not use it?
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,079
    Learning mode is useful during initial learning but IMO not so convenient when installing new software and updating the system. It creates a lot of new temporary rules and fills the log file. I know that most of those rules can later be deleted by the "Remove stale rules" and "Remove temporary rules" commands, but it was still a PITA when I last used it that way. So I usually install and update software with MD disabled and then enable it after it is over.

    HQsec
     
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    Good idea :)...but trott3r has Win XP in his signature, so why not trial System Safety Monitor? I like it more than MD :) and it can prompt about temporary rules after enabling the "Alert on changed and temporary files in Learning Mode" option

    [attached screenshot: SSM 5.jpg]
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,079
    Yes, SSM is also great. I was using it before upgrading to Windows 7. It's less chatty than MD but still a great white-listing tool. :thumb:

    HQsec
     
  8. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    According to the Arran tutorial I shouldn't have to do that, and it would defeat the object, since App* is the last rule and the installer should not be getting that far.

    The trusted apps group is before the deny-all App* rule and thus should come across the installer in that group.

    I was hoping that someone who had followed the tutorial might have an idea or made the same mistake as me.
     
  9. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    So you don't follow Arran's tutorial/method?

    Disabling will no doubt work, but there must be something wrong with the way I set it up for this not to work :(
    Don't want to store up problems for the future.
     
  10. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    I am using the learning mode but in a different way.

    This is what arran suggested in his method.
     
  11. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Yes I am using XP.

    I chose Malware Defender as it supports Vista and Win7, which I also have on my desktop.

    System Safety Monitor only supports XP.
    It would be nice if I could use my experience from setting up my laptop to lock down the desktop as well :)
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On SSM, the application prompts have an "allow once" option. Does Malware Defender have anything similar? Can it be set to anything resembling a "default-ask" mode? I'm not familiar with MD prompts or rule setup. I assume that MD does check the integrity/identity of the installer and the resulting rule is specific to that file. IMO, there's no point in making a permanent rule for any installer. You're only going to use a particular installer once. The exception might be the Windows installer, msexec.msi. SSM comes with a default rule allowing that executable that can be removed or be made command line parameter specific.

    Without knowing MD's abilities and limitations, it's hard to be specific. I'd avoid learning mode for several reasons:
    1, You're making permanent rules for one time use files.
    2, You're restricting your ability to monitor and (if necessary) control the installation of unwanted components or additions, like bundled adware.
    3, If you're not 100% certain of the integrity and source of the app you're installing, you could end up making rules that permanently allow malware to install and run, and possibly be defended by MD.

    Any PC is at its most vulnerable when installing new applications or updates. It's the wrong time to disable your defenses. Assuming that you're not making rules for registry keys during the install process, most installs will only result in a few prompts, 1,2, maybe 6. There are exceptions of course, like a large office program or OS service pack where the prompts will drive you nuts.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,079
    No, I don't use that tutorial, I have my own system of setting rules. You should check whether the Trusted apps group has the options "Executed by other process" and "Create new processes" set to Permit. If this is true and the Trusted apps group is below the "Locked down apps" and "*" rules, you should be able to run the installer. But if the installer creates a new process, which later creates another process, then the second process (grandchild process) would be stopped from running (or asked about, if in Normal mode). That's one of the reasons why installing software with MD enabled might be problematic.

    HQsec
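    As an added illustration of the rule-ordering point above (this is not code from the thread, from Arran's tutorial, or from Malware Defender itself), here is a small Python model of a bottom-up HIPS rule list. It assumes two things stated in the thread: the lowest matching rule wins, and a process-creation event needs the parent's rule to permit "Create new processes" and the child's rule to permit "Executed by other process". The rule names, paths and the three scenarios are constructed; the model shows why a trusted installer launches but the helper it extracts to a temp folder (the grandchild) falls through to the "*" rule, and how to trace which rule actually fired for a blocked event.

```python
"""Simplified model of bottom-up HIPS rule evaluation (added example).

Not Malware Defender's real engine. Assumed semantics:
  1. rules are tried from the bottom of the list upward; first match wins
  2. "parent creates child" needs parent.create_processes == permit
     AND child.executed_by_other == permit
All rule names, paths and events below are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    patterns: List[str]      # path globs; "*" is the catch-all
    create_processes: str    # "permit" | "deny" | "ask"
    executed_by_other: str   # "permit" | "deny" | "ask"

    def matches(self, path: str) -> bool:
        p = path.lower()
        return any(fnmatch(p, pat.lower()) for pat in self.patterns)


# Rule list as displayed top to bottom: catch-all "*" at the top,
# locked-down group in the middle, trusted group at the bottom.
RULES: List[Rule] = [
    Rule("*", ["*"], "deny", "deny"),
    Rule("Locked down apps", [r"c:\program files\browser\*.exe"], "deny", "permit"),
    Rule(
        "Trusted Applications",
        [r"c:\windows\explorer.exe", r"c:\users\martin\downloads\setup.exe"],
        "permit",
        "permit",
    ),
]


def find_rule(path: str, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Bottom-up search: the lowest rule whose pattern matches wins."""
    for rule in reversed(rules):
        if rule.matches(path):
            return rule
    return None  # unreachable while a "*" rule exists, kept for safety


def evaluate(parent: str, child: str, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Decide a 'parent creates child' event and report which rules fired."""
    prule = find_rule(parent, rules)
    crule = find_rule(child, rules)
    if prule is None or crule is None:
        return "deny", "no rule matched (no catch-all present)"
    if prule.create_processes != "permit":
        return "deny", (f"parent {parent!r} hit rule {prule.name!r} "
                        f"(Create new processes = {prule.create_processes})")
    if crule.executed_by_other != "permit":
        return "deny", (f"child {child!r} hit rule {crule.name!r} "
                        f"(Executed by other process = {crule.executed_by_other})")
    return "permit", f"parent rule {prule.name!r}, child rule {crule.name!r}"


if __name__ == "__main__":
    explorer = r"c:\windows\explorer.exe"
    setup = r"c:\users\martin\downloads\setup.exe"
    helper = r"c:\users\martin\appdata\local\temp\nsu1234.tmp\helper.exe"
    renamed = r"c:\users\martin\downloads\setup (1).exe"

    # 1. trusted installer started from Explorer: both sides permit
    print(evaluate(explorer, setup))
    # 2. installer spawns an extracted helper: the grandchild hits "*"
    print(evaluate(setup, helper))
    # 3. the file on disk is not the path in the rule: also falls to "*"
    print(evaluate(explorer, renamed))
```

The third scenario is the kind of mismatch worth checking when a "trusted" installer is still stopped by the App* rule: the trace names the rule that matched the blocked path, so a renamed download or a different on-disk path shows up immediately instead of looking like a rule-order problem.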
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,079
    Yes, you can allow execution just once, without the option "Create application rule".
    Normal mode is similar to default-ask mode in SSM.
    I also think that creating a permanent rule for an installer is not needed. But that's what you get if you install in Learning mode.
    I totally agree with you.
    Usually when I was installing software, I got a LOT of popups. MD monitors process creation, interprocess activity, access to memory, access to physical disk, driver loading, writing all types of executable files to disk, network connections, registry activity, autostart settings... Sometimes if you don't allow actions fast enough, MD's suspension can even cause the installation to fail.
    That's why I always install everything with MD disabled. If I don't trust the software it will not be installed. If I want to see if there is something bundled in the installer, I install it first in a VM.

    HQsec
     
  15. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Yes the trusted has everything permitted.

    The order is correct as well.

    Looks like my options are to either uninstall MD and start again and hopefully get things right or to dump MD completely.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Sounds very much like SSM when everything is enabled. I don't use the registry rules which probably cuts the number of prompts in half. I'd imagine the biggest differences are what we're installing and how much the target OS has been stripped down.

    I've wanted to check out MD on a few occasions, but all I got was BSODs. Never could get the OS to reboot after the install.
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    Just wanted to jump in, but noone_particular wrote it all - MD is inferior and a critical piece of software. I had longer talks with subset when he was active with that, and all free versions after the last paid one were crappy. Support was dropped long ago, so why consider it?

    Nevertheless, you already run Outpost with a HIPS - more than one is always creating conflicts! BTW v7 is also damn outdated (read your sig).
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,079
    Yes you're right about popups. I've also whitelisted and globally allowed some options just to cut down on them. I've also experienced occasional BSODs on my laptop, so I had to remove MD. On my desktop I had no such problems so far.

    HQsec
     
    Last edited: Jan 24, 2014