Malware Defender - New HIPS from China

Discussion in 'other anti-malware software' started by johncage, Aug 11, 2008.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Sorry, I thought you meant this one....
     

    Attached Files:

  2. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    yes i mean that...... sorry not clear.
    i don't have it running upon startup, only when manually running it. it then appears..
    however, mdservices is running prior to it.
     
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    MD is the best, and I am solidly back in your corner. Keep up the good work! :thumb: :thumb: :thumb: :D
     
  4. wat0114

    wat0114 Guest

    Hi xiaolin,

    to let you know, MD and Jetico 2 firewall are not compatible at all under XP, SP2. A BSOD results upon login every time. I even bypassed Process Attack, Application Checksum and indirect Access in Jetico but it makes no difference :( Sorry I do not have a minidump file for you. It was not created even though I have the option enabled.

    The error was: Invalid_Process_detach_Attempt

    the stop error code was all zeros
     
  5. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Thanks. I will test it.
     
  6. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Sorry for OT but I need to ask, you run OP 2009 and MD together, do you have some changes in config./settings for one of them or everything is smooth OOB?
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi,

    I was able to run some tests, grab a minidump in Safe Mode for XP SP3, and send it to Xiaolin. According to a post in the Chinese forum, Jetico + Windows 2003 may also generate a BSOD at startup. Vista SP1, for me, is not affected.

    Nick
     
  8. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    hi, my issue has been resolved.
    Thanks....
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Seems very interesting and sounds extremely promising. I like the "pure HIPS" approach, without being bloated by other features. It is light and simple to use.

    However I'm a little concerned with the results of MD against Comodo Firewall Test Suite :
    https://www.wilderssecurity.com/showthread.php?t=224745

    from Subset :
    Also I have tested it under Vista 32bits SP1, and it was apparently working fine except for Mozilla Thunderbird that it never asked me to allow it's execution or not (unlike all others programs I have ran). I did check it wasn't added by the previous learning mode, but I found no trace of Thunderbird either in the rules, or in explorer.exe child applications. Might be a conflict with Kaspersky Internet Security 2009's Proactive Defense though, although I disabled it. (That was the option "allow signed applications to be run by system applications" enabled by default).

    MD passed all AKLT keylogging methods, which was fine :)

    Can we know if you will take a look at "Comodo Firewall Test Suite" ?

    Thanks.
    Regards,
    gkweb.
     
    Last edited: Nov 10, 2008
  10. wat0114

    wat0114 Guest

    Thank you Nick and thank you xiaolin for checking this out.
     
  11. wat0114

    wat0114 Guest

    All I do is disable "Host Protection" in OPFW and there are no issues.
     
  12. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    are you able to pass DNS based leak tests with that config.?
     
  13. wat0114

    wat0114 Guest

    I don't know yet. It was only a couple days ago I tried MD with OPFW, though it did score 310/340 on the Comodo suite test under my modified power user account. I would have to try some testing later when I get a chance.
     
  14. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    thanks, that combo is interesting one (to me), i will try it on VM...
     
  15. wat0114

    wat0114 Guest

    Okay, it passes the DNStester leak test.
     

    Attached Files:

  16. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    great, OP responded?
     
  17. wat0114

    wat0114 Guest

    You bet!
     

    Attached Files:

  18. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Malware Defender 1.2.1 beta1 is released

    The beta version is available for download at http://www.torchsoft.com/download/md_setup_1.2.1_b1.exe

    what's new?
    - Added an option to set the behaviour in leaning mode when explicit "deny" rule is found.
    - Fixed a bug that may cause BSOD when working with Jetico firewall.
    - Fixed a bug when detecting actions of loading kernel driver.
     
    Last edited: Nov 11, 2008
  19. wat0114

    wat0114 Guest

    Great news xiaolin! :) So far so good. You may be interested in this Comodo suite test using this beta and Jetico 2 together.

    Thank you for your speedy efforts and thanks again to nick s for supplying the minidump yesterday to xiaolin :thumb:

    EDIT

    1. Sorry to rain on the parade somewhat, but I discovered a small bug with this beta:

    XP SP2, MD is in "Normal mode". I log off and when I log back in MD reverts to "Learning mode" every time. This happens in either my limited account or Admin account.

    2. one more which might be related:

    Sometimes Ad muncher does not load and the error in the ss displays.

    3. Uh-oh, one more. Log out and log in as in first bug, and MD kicks applications I placed into the Trusted group back out into Application rules - Normal. I keep moving them back into Trusted group back they end up back into Application rules after logging back in.
     

    Attached Files:

    Last edited by a moderator: Nov 11, 2008
  20. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Thanks. I will check the bug.

    3. When MD create rules automatically in learning mode, the rule priority may changed if necessary (matched rule is using wildcards). If the app in a group, it will be moved out.
     
  21. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    It seems MD is blocked when writing registry. MD need to save protection settings in HKLM\SYSTEM\CurrentControlSet\Services\MalwareDefenderService.
     
  22. wat0114

    wat0114 Guest

    Thank you xiaolin. I had a feeling it wouldn't take you long to discover the cause :)
     
  23. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    I can not recreate the problem yet. Is it possible that MD is blocked by jetico when writing registry?
     
  24. wat0114

    wat0114 Guest

    Maybe, but I have Process Attack filter bypassed in Jetico, so I don't see this as possible. I am having some difficulty re-installing MD, so I will restore an earlier image and try again, then let you know the results.
     
  25. wat0114

    wat0114 Guest

    It is early, however...

    I just re-stored an earlier image of XP SP2 w/latest Jetico 2 firewall, and so far everything is behaving as normal! MD's "Normal Mode" is retained after logoff/logon and apps that were moved to "Trusted group" are staying there. I don't know what happened earlier but I suspect on the earlier image because I had installed/re-installed MD and even Jetico a few times, something got corrupted, especially because I could not re-install this recent MD beta on it due to leftover files from the previous install that I could not delete. Either that or it's because of the way I answered some of the alerts on the clt.exe test, denying permanently in Jetico may have caused it to block something MD was trying to do, as you had suggested?? Who knows, but so far all is good. Thank goodness for image restore software :) My apologies as well xiaolin for the grief I must have you through. If further problems arise, I will let you know.

    To add, I left MD in "Learning mode" for a while longer than usual just to get it "in sync" with the machine's software environment. My feeling is especially with this HIPS is that this is an important initial step after installation, otherwise oddball problems can occur. Jetico 2 may also be at fault here to some extent; I know it is causing some system freezing/BSOD issues for some who are using it. We'll see how things unfold and I'll keep you updated.

    BTW, I have had no problems with your previous versions working alongside Outpost Firewall 2009.
     
    Last edited by a moderator: Nov 12, 2008
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.