Discussion in 'other anti-malware software' started by johncage, Aug 11, 2008.
Sorry, I thought you meant this one....
Yes, I mean that... sorry, not clear.
I don't have it running upon startup, only when manually running it. It then appears...
However, mdservices is running prior to it.
MD is the best, and I am solidly back in your corner. Keep up the good work!
To let you know, MD and Jetico 2 firewall are not compatible at all under XP SP2. A BSOD results upon login every time. I even bypassed Process Attack, Application Checksum and Indirect Access in Jetico, but it makes no difference. Sorry, I do not have a minidump file for you. It was not created even though I have the option enabled.
The error was: INVALID_PROCESS_DETACH_ATTEMPT
The stop error code was all zeros.
Thanks. I will test it.
Sorry for the OT, but I need to ask: you run OP 2009 and MD together; do you have some changes in config/settings for one of them, or is everything smooth OOB?
I was able to run some tests, grab a minidump in Safe Mode for XP SP3, and send it to Xiaolin. According to a post in the Chinese forum, Jetico + Windows 2003 may also generate a BSOD at startup. Vista SP1, for me, is not affected.
Hi, my issue has been resolved.
Seems very interesting and sounds extremely promising. I like the "pure HIPS" approach, without being bloated by other features. It is light and simple to use.
However, I'm a little concerned with the results of MD against the Comodo Firewall Test Suite:
From Subset:
Also, I have tested it under Vista 32-bit SP1, and it was apparently working fine except for Mozilla Thunderbird, for which it never asked me whether to allow its execution or not (unlike all other programs I have run). I did check that it wasn't added by the previous learning mode, but I found no trace of Thunderbird either in the rules or in explorer.exe's child applications. It might be a conflict with Kaspersky Internet Security 2009's Proactive Defense, although I disabled it. (That was the option "allow signed applications to be run by system applications", enabled by default.)
MD passed all AKLT keylogging methods, which was fine.
Can we know if you will take a look at the "Comodo Firewall Test Suite"?
Thank you Nick and thank you xiaolin for checking this out.
All I do is disable "Host Protection" in OPFW and there are no issues.
Are you able to pass DNS-based leak tests with that config?
I don't know yet. It was only a couple days ago I tried MD with OPFW, though it did score 310/340 on the Comodo suite test under my modified power user account. I would have to try some testing later when I get a chance.
Thanks, that combo is an interesting one (to me); I will try it in a VM...
Okay, it passes the DNStester leak test.
Great, OP responded?
Malware Defender 1.2.1 beta1 is released
The beta version is available for download at http://www.torchsoft.com/download/md_setup_1.2.1_b1.exe
- Added an option to set the behaviour in learning mode when an explicit "deny" rule is found.
- Fixed a bug that may cause a BSOD when working with Jetico firewall.
- Fixed a bug when detecting actions of loading a kernel driver.
Great news xiaolin! So far so good. You may be interested in this Comodo suite test using this beta and Jetico 2 together.
Thank you for your speedy efforts, and thanks again to nick s for supplying the minidump yesterday to xiaolin.
1. Sorry to rain on the parade somewhat, but I discovered a small bug with this beta:
XP SP2, MD is in "Normal mode". I log off and when I log back in MD reverts to "Learning mode" every time. This happens in either my limited account or Admin account.
2. one more which might be related:
Sometimes Ad Muncher does not load, and the error in the screenshot displays.
3. Uh-oh, one more. Log out and log in as in the first bug, and MD kicks applications I placed into the Trusted group back out into Application rules - Normal. I keep moving them back into the Trusted group, but they end up back in Application rules after logging back in.
Thanks. I will check the bug.
3. When MD creates rules automatically in learning mode, the rule priority may be changed if necessary (the matched rule is using wildcards). If the app is in a group, it will be moved out.
It seems MD is blocked when writing the registry. MD needs to save protection settings in HKLM\SYSTEM\CurrentControlSet\Services\MalwareDefenderService.
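Added diagnostic for the "reverts to Learning mode / Trusted group emptied after logon" reports above. This is not Malware Defender code and was not posted in the thread; it only assumes the service key path the developer named, and the value name used by the optional write probe is made up for the test. Run it once from the account that shows the symptom, log off and on, and run it again: a value that changed or vanished pinpoints the reverted setting, and a write probe that fails with "access denied" even though the ACL grants SetValue means something other than the ACL (a firewall or HIPS filter driver, for instance) is denying the write.

```powershell
# Added example, not Malware Defender's own code.
# Assumption: MD keeps its protection settings under the service key named in the thread.
param(
    [string]$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MalwareDefenderService',
    [switch]$Probe,                          # actually attempt a write (off by default)
    [string]$ProbeValue = 'DiagWriteProbe'   # hypothetical value name, removed afterwards
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Warning "Key not found: $KeyPath (service not installed, or a different key is used)"
    return
}

# 1. Dump whatever values are currently stored there. Compare a run taken
#    before logoff with one taken after logon to see which value reverted.
Write-Host "Values under $KeyPath"
$props = Get-ItemProperty -LiteralPath $KeyPath
$props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { Write-Host ('  {0,-32} {1}' -f $_.Name, $_.Value) }

# 2. Does the ACL permit setting values at all? A limited user normally cannot
#    write under HKLM\SYSTEM\...\Services; that alone would explain a failure
#    from a limited account, but not from an Admin account.
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
Write-Host "ACEs granting SetValue:"
(Get-Acl -LiteralPath $KeyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $setValue) } |
    ForEach-Object { Write-Host ('  {0}' -f $_.IdentityReference) }

# 3. Optional write probe. If the ACL allows the write but it still fails with
#    "access denied", the denial comes from somewhere other than the ACL,
#    e.g. a firewall/HIPS filter driver guarding another product's keys.
if ($Probe) {
    try {
        Set-ItemProperty -LiteralPath $KeyPath -Name $ProbeValue -Value 1 -Type DWord
        Write-Host "Write probe succeeded; removing $ProbeValue"
        Remove-ItemProperty -LiteralPath $KeyPath -Name $ProbeValue
    } catch {
        Write-Warning "Write probe failed: $($_.Exception.Message)"
    }
}
```

Usage: `.\md-regcheck.ps1` for the read-only part; add `-Probe` only from an elevated prompt, and note that a HIPS in Normal mode may itself prompt on (or silently block) the probe, which is exactly the interaction being diagnosed.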
Thank you, xiaolin. I had a feeling it wouldn't take you long to discover the cause.
I can not recreate the problem yet. Is it possible that MD is blocked by jetico when writing registry?
Maybe, but I have Process Attack filter bypassed in Jetico, so I don't see this as possible. I am having some difficulty re-installing MD, so I will restore an earlier image and try again, then let you know the results.
It is early, however...
I just restored an earlier image of XP SP2 w/ the latest Jetico 2 firewall, and so far everything is behaving as normal! MD's "Normal Mode" is retained after logoff/logon, and apps that were moved to the "Trusted group" are staying there. I don't know what happened earlier, but I suspect it was the earlier image, because I had installed/re-installed MD and even Jetico a few times and something got corrupted, especially since I could not re-install this recent MD beta on it due to leftover files from the previous install that I could not delete. Either that, or it's because of the way I answered some of the alerts on the clt.exe test; denying permanently in Jetico may have caused it to block something MD was trying to do, as you had suggested?? Who knows, but so far all is good. Thank goodness for image restore software. My apologies as well, xiaolin, for the grief I must have put you through. If further problems arise, I will let you know.
To add, I left MD in "Learning mode" for a while longer than usual just to get it "in sync" with the machine's software environment. My feeling, especially with this HIPS, is that this is an important initial step after installation; otherwise oddball problems can occur. Jetico 2 may also be at fault here to some extent; I know it is causing some system freezing/BSOD issues for some who are using it. We'll see how things unfold, and I'll keep you updated.
BTW, I have had no problems with your previous versions working alongside Outpost Firewall 2009.