Malware Defender - New HIPS from China

Discussion in 'other anti-malware software' started by johncage, Aug 11, 2008.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Re: Malware Defender 1.2.1 beta2 is released


    Running 1.2 here. Do I still need to delete rules (application rules and so forth) before installing 1.2.1 b2, then install 1.2.1 b2 and rebuild the rules again?
    If so, will there be some sort of fix in a newer version so MD would install a newer version over the top cleanly without having to do this?
     
  2. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Re: Malware Defender 1.2.1 beta2 is released

    You do not need to delete rules. It is safe to upgrade from 1.2 to 1.2.1 b2. Future versions will be safe to upgrade from old versions too.

    PS. The v1.2.1 final will be released soon.
     
  3. wat0114

    wat0114 Guest

    Re: Malware Defender 1.2.1 beta2 is released

    Thank you for the update xiaolin :)
     
  4. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Malware Defender 1.2.1 is released

    The new version is available for download at http://www.torchsoft.com/download/md_setup.exe

    What's new?
    - Added protection against modifying kernel objects of known DLLs.
    - Added protection against duplicating handles.
    - Added protection against debugging processes.
    - Added several built-in file and registry rules.
    - Added several search locations for autostart applications.
    - Added an option to set the behavior in learning mode when an explicit "deny" rule is found.
    - Added support for logging actions that trigger an ASK rule in silent mode.
    - Added support for Windows 7 build 6801.
    - Changed all the "Ignore" to "Ask" in system application rules to avoid being affected by low priority rules.
    - Fixed a bug that may cause a BSOD when working with Jetico firewall.
    - Fixed a bug when deleting files.
    - Fixed a bug when detecting actions of loading a kernel driver.
     
  5. wat0114

    wat0114 Guest

    Re: Malware Defender 1.2.1 is released

    Holy Moly you are like greased lightning! :D
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    xiaolin is very busy :D even on Sundays :D oh no, I forgot it is Sunday here but in China maybe it is Tuesday :D
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Received 1.2.1 final version this AM. Installed on top of prior version. No problems -- went smooth as a baby's bum.

    As to MD's system tray icon -- it's a shield, I think, but what is that symbol on it? A crossbow? A jet aircraft viewed from overhead? What? :D
     
  8. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Re: Malware Defender 1.2.1 beta2 is released

    Thank you :D

    Thanks again :thumb:
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    The symbol in the shield looks like a bird :D, if it is a bird it is a species we don't see in North America :D
     
  10. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    My guess is a Shaolin monk standing on one leg or a dim sum. :D
     
  11. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    It is a crossbow. :)
     
  12. chris1341

    chris1341 Guest

    I had been trying MD out and was very impressed. However, I had an issue when upgrading to 1.2. The application appeared to 'forget' some rules and kept reverting to Learning Mode on restart, although in Learning Mode it seemed to stop any other apps from starting.

    I contacted Torchsoft and received the quickest and most detailed reply I think I've had from any software company for an unregistered trial product. Xiaolin correctly identified that the problem was being caused by a duplicate driver that was probably left behind in an upgrade (most likely my error, not the app's!). Accompanying this explanation were instructions on how to identify and remove the erroneous driver and appropriate registry keys.

    MD is now functioning with its usual efficiency.

    Thought I'd post so anyone who experiences similar problems knows there is a solution, and to point out that one of my main concerns about moving to a standalone classical HIPS solution, lack of support from what tend to be smaller software developers, has been alleviated. Very encouraging to see he is active here at Wilders as well.

    Some of my hard-earned will be floating Xiaolin's way at the end of the trial period, methinks.

    Cheers
     
  13. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    SSM has a feature "protect against termination" (of an application).

    Is this available in MD?

    Is it me ? I cannot find it.
     
  14. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Another feature that I am missing from SSM is its Window Filter Module:

    "Window Filter module has a list of all windows created (including or not the hidden windows) in the system at the moment and allows performing various actions on windows: filter windows, hide/unhide window, enable a disabled window, close window.

    To perform main actions with window:
    - select a window in the list;
    - popup the right-button (context) menu and select the appropriate command (Close window/Close process/Show window/Enable window/Hide window).

    Using filters:
    The "Filters" section contains the "black list" of window titles (captions). The process owning a window whose caption contains any of the "black list" string items (filters) will be terminated automatically as soon as it is found.

    Example:
    If you want to prevent the Outlook Express program from running, you may add the string "exp" to the "black list". However, you should take into account that the better you define the "black list" item (the longer the substring to be found in a caption), the less probable unwanted blocking of programs would be.
    "
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    For the application you wish to protect, Edit Rule, then check the block labelled "Protect this application from being accessed by other processes" -- it's located at the bottom of the Edit Rule form, as shown in screenie below. That will git 'er done!

    ScrHunt01 18-Nov-08.gif
     
  16. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Mahalo nui loa :D
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    This *feature* (sic) is not present in ANY other classical HIPS (e.g., Online Armor, Defense+, Real-time Defender, etc). Please explain how this feature is in any way a proper/vital component of a classical HIPS.

    That seems a bit convoluted as a way to do a simple program block. To block any program with MD (I use the example of wuauclt.exe) simply do as shown in the screenie.

    But perhaps I am missing the point? In any event, Vitali hasn't replied to forum posts in several weeks. SSM is looking more & more like abandoned-ware, sad to say. :(

    ScrHunt02 18-Nov-08.gif
     
  18. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    I don't know about all those other inferior (;-)) HIPS as I did not use them, but could it be one of those features that made SSM so unique and ahead of its time? I won't say that this feature is vital to any HIPS, but it could be very convenient when you want to get rid of an undesired window that gets automatically started by given programs (particularly thinking of annoying advertisements, but not only, and that is not the point here as it could possibly be any other kind of similar unwanted or dangerous windows).

    This given example was from the "raw" SSM help file and I'll give you that it was not the best wording (but I can understand it when English is not their first language, as it is the same for me).

    The purpose is not to block a program but to block one of its internal windows, and if you can do it with MD, I would be very happy if you could please show me. I would usually just have to go and manually shut down this kind of window before being allowed to use the program anyway. I perfectly understand your/our will to not unnecessarily bloat MD, but this kind of a module should not be a biggie to implement and can be kept quite simple.

    See AnVir TaskManager as a good example of a way of doing it:

    AnVirTM.png

    Yes, too true.

    We should see what he will have to say if/when he'll respond to rickster100's question there...
     
  19. xiaolin

    xiaolin Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    248
    Sorry, there is no plan to add such a feature yet. :)
     
  20. Hunter42

    Hunter42 Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    7
    BTW, installed MD 1.2.1 along with PrevX and KIS 2009.

    Day 2, and its still working.....

    :D

    H
     
  21. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    I thought it best to just ask the straight question to vitk that everyone who uses SSM is asking. File Protection is one thing SSM really lacks right now. Although my current favourite is EQSecure 3.41, I'll also be looking seriously at MD as a long-term replacement for SSM, as unfortunately the developers of EQS seem to be ignoring the needs of English-speaking users with version 4.0.

    I have to congratulate xiaolin for his unending commitment to his MD project and I wish him every success with it. It's shaping up to be one very nice classical HIPS program, and once Alcyon makes a set of rules for it, it's going to be one heck of a program [even more so than now]. :)
     
  22. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I've started to play more deeply with MD and I'm pretty excited... With a new HIPS come new possibilities ;)

    One thing I haven't seen in a HIPS yet is the implementation of regex (or similar). The HUGE advantage of such an implementation is that instead of making rules like:

    svahost.exe (deny)
    svbhost.exe (deny)
    svdhost.exe (deny)
    svehost.exe (deny)
    ... (let say 21 or more entries)

    You could only make something like:

    sv[a-bd-z0-9]host.exe (deny)
    or
    sv[^c]host.exe (deny)

    Another example among others for a suspicious file: (([a-f][0-9])++{x}|([0-9][a-f])++{x}|?).exe

    (sorry for probably not the exact syntax. I haven't played with regex or similar stuff since approximately 2004)

    These are only simple examples. There are plenty of regex tricks with NOT, AND, OR, etc. that could greatly enhance MD.

    The result is more complex, more powerful rules... and far smaller rulesets.

    I really hope to see something like that implemented in future releases of MD.

    About the registry rules: MD can scan for keys and values but not for what's inside the data [keys/values/data] (as every other HIPS, to my knowledge). Malware could be more easily wiped out by being able to scan for unconventional paths, etc. residing in the data section.

    This is my today's wishlist ;)
     
    Last edited: Nov 19, 2008
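A small Python sketch, added here and not part of Malware Defender or of any post in this thread, of how the regex-driven rules Alcyon describes could be evaluated: the `sv[^c]host.exe` lookalike rule from the post, a corrected anchored form of the alternating hex-pair idea, and a check of autostart registry *data* for binaries launched from temp folders. The rule table, the verdict names and the sample paths are constructed for illustration.

```python
import ntpath
import re

# Constructed ruleset in the spirit of the regex rules proposed above. Each entry is a
# pattern over the process image name (basename only) plus a verdict; the first matching
# rule wins, like an ordered HIPS rule list. Patterns are fully anchored and
# case-insensitive so a substring rule cannot accidentally cover the genuine name.
PROCESS_RULES = [
    (r"svchost\.exe", "allow"),             # the genuine service host, exact name only
    (r"sv[^c]host\.exe", "deny"),           # one-character lookalikes: svahost, sv0host, ...
    (r"(?:[a-f][0-9]|[0-9][a-f]){2,}\.exe", "deny"),  # alternating hex pairs, e.g. a1b2.exe
]
_PROCESS_RULES = [(re.compile(rf"^(?:{p})$", re.IGNORECASE), v) for p, v in PROCESS_RULES]

# Constructed heuristic for the registry wish: flag autostart value *data* whose command
# starts a binary from a temp folder rather than a conventional install location.
_SUSPICIOUS_DATA = re.compile(
    r'^"?[a-z]:\\(?:windows\\temp'
    r'|users\\[^\\]+\\appdata\\local\\temp'
    r'|documents and settings\\[^\\]+\\local settings\\temp)\\',
    re.IGNORECASE,
)


def evaluate_process(image_path: str, default: str = "ask") -> str:
    """Verdict for a process image path: first matching rule, otherwise the default."""
    name = ntpath.basename(image_path)  # rules see only the file name, never the directory
    for regex, verdict in _PROCESS_RULES:
        if regex.match(name):
            return verdict
    return default


def suspicious_autostart(data: str) -> bool:
    """True if autostart value data points into a temp folder (hypothetical heuristic)."""
    return _SUSPICIOUS_DATA.match(data) is not None


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svahost.exe",
              "a1b2.exe", "notepad.exe"):
        print(p, "->", evaluate_process(p))
    print(suspicious_autostart(r'"C:\Users\bob\AppData\Local\Temp\updater.exe" -q'))
```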
  23. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Your post sums it all very well, Rickster100, and I can only agree on your picture of the classical HIPS present state of affairs :cool:
     
    Last edited: Nov 19, 2008
  24. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    No need to be sorry, xiaolin, and I will simply place my hope on your yet word for a possible future surprise ;)
     
  25. wat0114

    wat0114 Guest

    Maybe you can team up with xiaolin? You two would make a killer combo in developing a killer HIPS :thumb: :)
     