Malware Defender - New HIPS from China

Discussion in 'other anti-malware software' started by johncage, Aug 11, 2008.

Thread Status:
Not open for further replies.
  1. johncage

    johncage Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    70
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi johncage, yes it's new; I did read something about its ARK function today, in fact. Thanks for posting this.

    It is a process, file, registry explorer/autoruns/unhooker/HIPS.

    Last edited: Aug 11, 2008
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Lets you uncover hooks and remove them.

    SSDT hooks
    shadow SSDT hooks
    IDT hooks
    SYSENTER
    Kernel object
    Kernel notify routines
    Kernel mode code hooks
    User mode code hooks
    message hooks
    IRP hooks

    Also shows attached devices.
    ____________________

    MD has file, registry and application protection and a silent no-alert mode which denies all actions that are not permitted. Quite a lot of functions; has a kernel thread and DPC timers tool.

    Runs on Windows 2000 (Service Pack 4), Windows XP (32-bit), Windows 2003 (32-bit), Windows Vista (32-bit) and Windows 2008 (32-bit).
    Last edited: Aug 11, 2008
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I did some testing on default settings, XP SP2, under ShadowSurfer.

    KillDisk-- pass
    XP Killer -- Pass
    System Shutdown Simulator- Pass
    APT-- many termination methods fail
    SSDT unhooker Bifrost trojan -- Pass
    File infectors -- Pass (? not so sure, as I found some files infected; maybe I allowed some actions)
    Autorun trojans -- pass
    AKLT- all keylogging Passed, screenshots failed
    MUK keylogger- Pass
    Phide.exe rootkit physical memory access- pass
    ADS file creation -- Pass


    Static ARK functions:

    Phide.exe hidden process detection- Pass
    ADS files detection( Unreal) -- Pass
    Delete Volume reg test- fail

    :thumb: :thumb:

    Only drawbacks:

    No network access control :thumbd:
    Relatively poor termination protection
    No screen reading protection


    No slowdowns; GUI is simple and effective. You can mark applications as trusted, untrusted, installer etc. Can terminate processes via pop-up. Overall I am impressed. It has silent and learning modes. Also intercepts Windows messages.

    Edit: against File infectors PASS is not sure
     
    Last edited: Aug 11, 2008
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    More screenshots.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Still more!!

    PS: It was a very crude testing. Results might not be so accurate.
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I am suspicious.

    Name-- Xiaolin Zhang
    EMail-: *********@hotmail.com
    tel --: 86-xxxxxxxxx
    org: Xiaolin Zhang
    Beijing
    Beijing,Beijing,China 100044


    Registration Service Provider:
    name: Capital&Knowledge Electronic Technology Co.,Ltd.
    tel: +1.845306xxxx
    fax: +1.845306xxxx
    web:httx://xxx/dot/bothhost/dot/com


    Xiaolin A.K.A. Shaolin is the famed martial monastery.
    Zhang translates to "palm".

    So the owner of the site is Shaolin Palm. He must be a deadly adversary.

    845 area code is Poughkeepsie, NY.

    And the registration service is being provided by bothost; the name alone is scary, registered in Knoxville, TN.

    All seems a little shifty.
     
  8. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Great work there aigle on the extensive testing and Meriadoc. :thumb:

    Seems like it does what it's supposed to do. :)

    Searching, no offence intended, but your post isn't relevant to the program and how effective it is. You, me, Chinese, Americans, we are all people, so lighten up dude. :D
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    +1; I'm seriously tired with this "eeew lookie, Chinese application, must be something fishy" attitude. :rolleyes:
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    :thumb: :thumb: Saraceno, doktornotor. Thanks for the test, aigle; I only had the time to have a quick look.
     
  11. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Ni hao,
    Ni hao ma Saraceno, doktornotor?
    Du ni luo mu hai.

    I am studying Mandarin, how am I doing?

    I am not anti-Chinese nor anti-Chinese-programs. PowerShadow is cool.

    If it is reported as Chinese origin, PRC, it should return relevant info.
    Shouldn't see TN or NY of USA, or invented names with transient email addys.

    As for the program, time will tell if it can maintain for any length. Its strengths and weaknesses will become apparent, as well as who are using/relying on the info they reveal.

    I'm one of those who wait for the consensus of reviews by the majority of the technically inclined, while my skills hover just above the level of a monkey.

    The testing info is fascinating. You have all done very well...[stumbles backwards, falling]
     
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Seems very interesting.
    It seems good protection and fairly easy to configure... maybe I'll give it a try one of these days.
    Thanks aigle for all your tests.
    Thanks johncage for bringing this to Wilders.
     
    Last edited: Aug 11, 2008
  13. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    How do you stop Windows Defender blocking it from starting up with Windows, without turning WD off in Vista?
    ellison
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    You shouldn't use WD real-time protection with this.
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Hurst, :) although I did hear about this yesterday and would have posted, johncage kindly registered here and started the thread.
     
  16. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    My mistake :( it's UAC blocking it, not WD. Even in silent mode UAC still blocks it loading automatically. I guess it's about time I switched it off completely. I tried that Smart UAC but that's buggy as hell on my system.
    ellison
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    oops, sorry, missed his post.
    Sorry johncage.
    Edited my original post.
     
  18. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    How does it compare to SSM in functionality etc.?
    ellison
     
  19. Zero3K

    Zero3K Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    340
    The author lives in China. The site is in the US (Dallas, Texas to be exact), so that way it'll be faster for us than it would be if it were located in China.
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    All ok. :) My post was more in reference to previous threads where people assume the worst when a program comes from a particular country. A poor product can come from anywhere.

    Anyway, I'll let others continue testing. :p
     
  21. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    I had a problem with UAC stopping it autostarting in Vista Premium, so I emailed their support. I am pleased to say they responded within 24 hrs with a workaround fix. This is a good sign for me, when product support actually answers.
    ellison
     
  22. Zero3K

    Zero3K Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    340
  23. Ohmy

    Ohmy Guest

    Should I put Malware Defender in learning mode for a while,
    and put it back to normal, so it makes the rule by itself?
    Thanks!
     
  24. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    It's easier that way. You may need to grant certain apps such as avast ashserve.exe (if you use avast antivirus) full permissions in trusted, as every time it updates it changes.
    ellison.
     
  25. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
    There is a useful function in MD:
    When double-clicking on a custom-made rule, at the lower left corner of the pop-up page you will have an option:
    "Protect this application from being accessed by other processes."
    If you check it, that particular app will be automatically protected from termination attacks, and some process monitoring/killing apps will not even be able to see that protected process running.
    I wonder how it is possible to kill MD by APT from Diamonds when APT does not even indicate MD running (just like all the other processes protected by MD with the above method) though it senses them. The case is similar with System Explorer. However, Process Explorer can see these processes.
     
    Last edited: Aug 26, 2008