Malware Defender - Possible Leak!

Discussion in 'other anti-malware software' started by wat0114, Sep 8, 2009.

Thread Status:
Not open for further replies.
  1. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I see nothing wrong with this rule. In the file module, if explorer.exe allows all operations (create, read, modify & delete) then the unconventional/suspicious parent operations on explorer (related to the file AND application modules) should give a prompt or be blocked. I haven't played with MD in ages so I don't remember if it's the case with the default rules.
     
  2. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    hi there Xiaolin :)

    Problem solved, removed file rule ;)
     
    Last edited: Sep 10, 2009
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Do you get the same result after you restore the default rules (Rule > Restore Default Rules) and delete/disable the default File rule for explorer.exe? If you don't, then you have a rule problem.
     
  4. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    This way it works! BUT I didn't add/modify any rules! I just put MD in learn mode; after I switched it, like you all did, to normal, the problem occurred.


    Anyway, now it's working even with my "old" (3-day-old) rules :D
    Does removing the file rule from explorer.exe make MD weaker? Or what is the consequence of disabling/deleting it?

    cheers
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Not weaker. Possibly more noisy. You might see some alerts for a while or you may see none (which is my experience). It depends on your usage. Learning Mode, for you, obviously created some rule that led to what you saw.
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    After having another look at wat0114's screenie from the first post and having an understanding of how MD works, I can now see a picture of what basically happened.

    wat0114 attempts to change the file name. explorer.exe allows it to be changed because explorer has default permit rules.

    Windows File Protection kicks in, i.e. winlogon.exe attempts to change it back. On MD winlogon.exe doesn't have any file rules. "MD works from bottom going up."

    winlogon.exe doesn't have any file rules so it works its way up. wat0114 obviously doesn't have any file rules on the default applications group, so it goes up to the system executable files, which have an "ASK" rule, so a popup will appear. wat0114 doesn't realise that winlogon.exe is trying to repair the damage, so he clicks deny on the popup.
     
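The rule lookup arran describes (per-application file rule first, then the application group, then the catch-all "ASK" for system executable files), modelled as an added Python example. This is not Malware Defender's code: the group names, the operation names, the process-based simplification (target file paths are ignored) and the mapping of "rename" to a modify and a create operation are all assumptions made for the illustration.

```python
"""Toy model of a HIPS rule lookup that walks from the most specific rule
(per application) upward through group rules to a catch-all default.
Added example; not Malware Defender's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PERMIT, DENY, ASK = "permit", "deny", "ask"


@dataclass
class Group:
    name: str
    members: Optional[frozenset]   # None = matches every process (catch-all group)
    actions: Dict[str, str]        # operation -> action; empty dict = no file rules here


@dataclass
class RuleSet:
    app_rules: Dict[str, Dict[str, str]]   # process name -> {operation: action}
    groups: List[Group]                    # checked in order after per-application rules


def resolve(ruleset: RuleSet, process: str, operation: str) -> Tuple[str, str]:
    """Return (action, source) for a file operation attempted by `process`.

    Lookup order ("from bottom going up"): the application's own rule, then
    each group the process belongs to, then the HIPS default of asking."""
    proc = process.lower()
    app = ruleset.app_rules.get(proc, {})
    if operation in app:
        return app[operation], f"application rule for {proc}"
    for g in ruleset.groups:
        in_group = g.members is None or proc in g.members
        if in_group and operation in g.actions:
            return g.actions[operation], f"group '{g.name}'"
    return ASK, "no matching rule (HIPS default: ask)"


def build_ruleset(explorer_file_rule: bool = True) -> RuleSet:
    """Constructed rule set mirroring the thread: explorer.exe permits all
    file operations, the 'default applications' group has no file rules,
    and the catch-all 'system executable files' group asks."""
    app_rules: Dict[str, Dict[str, str]] = {}
    if explorer_file_rule:
        app_rules["explorer.exe"] = {
            op: PERMIT for op in ("create", "read", "modify", "delete")
        }
    groups = [
        Group("default applications",
              frozenset({"explorer.exe", "winlogon.exe", "svchost.exe"}), {}),
        Group("system executable files", None,
              {"create": ASK, "modify": ASK, "delete": ASK}),
    ]
    return RuleSet(app_rules, groups)


def simulate_rename_of_protected_file(ruleset: RuleSet) -> List[Tuple[str, str, str]]:
    """Two events from the thread: the user renames a protected file in Explorer
    (modelled as explorer.exe 'modify'), then Windows File Protection restores
    the original name through winlogon.exe (modelled as winlogon.exe 'create')."""
    return [
        ("explorer.exe",) + resolve(ruleset, "explorer.exe", "modify"),
        ("winlogon.exe",) + resolve(ruleset, "winlogon.exe", "create"),
    ]


if __name__ == "__main__":
    for label, rs in (("with explorer file rule", build_ruleset(True)),
                      ("without explorer file rule", build_ruleset(False))):
        print(label)
        for proc, action, source in simulate_rename_of_protected_file(rs):
            print(f"  {proc:13s} -> {action:6s} ({source})")
```

With the explorer.exe permit rule in place the rename itself is silent and only the WFP repair by winlogon.exe reaches the catch-all "ASK" group, which is the popup in the first post; deleting the explorer.exe file rule (demoneye's fix) moves the first event to "ask" as well, which is why nick s expects it to be noisier rather than weaker.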
  7. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    :eek:, does that mean winlogon.exe has a function which repairs other system files?

    But the rule of explorer.exe in MD needs configuring by users. It is a difficult and onerous job.
     
  8. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    No it's not, it's very easy to configure explorer.exe file rules.
     
  9. wat0114

    wat0114 Guest

    Nice detective work arran :thumb: You are right, no file rule for winlogon.exe - it is only a target application of svchost.exe. And now I understand what nick s was alluding to in his post #3:

    Even though in admin account it is possible to rename the protected file, winlogon somehow is instrumental in creating another copy of the original file name. I tried again this time with MD disabled and renaming xcopy.exe. Screenshot below of results.
     

    Attached Files:

  10. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    Clarified already :)

    I don't see this behaviour by winlogon.exe because WFP is disabled on my setup.
     