MALWARE DEFENDER SETUP TIPS

Discussion in 'other anti-malware software' started by Kees1958, Dec 3, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958 (Registered Member, joined Jul 8, 2006, 5,857 posts)
    At the request of a few Wilders members I played with Malware Defender.

    Monday night I installed 1.2.1 and after a few looks at this application I thought: if SSM and AntiHook were able to produce a baby, it would be Malware Defender.

    Finding some balance between ease of use and security is a mission impossible. Malware Defender is the geek's dream. I uninstalled the program, because allowing pop-ups has little use when the average user does not have a clue what the impact of the message is. Also, the rules monitor and switching from monitor to groups are a little less straightforward than in, for example, EQSecure. Another thing was the description of silent mode: it says that actions not permitted are denied without asking the user. I assumed this includes denial of ASK rules (the system silently denies rules which have an ASK option). Xiaolin, please elaborate. Went to bed too late.

    Because Bellgamin asked and I can't stand quitting, I decided to give it another try. The good thing was that version 1.2.2 was available, so I downloaded the latest version.

    New plan of approach

    1. After initial installation, I would add some extra protection

    2. After making sure in LEARNING mode that the system worked well, I would change some settings: DENYING the worst intrusions while keeping MD in learning mode.

    3. Set up a strict containment of a few internet facing programs, to assure (together with DENY of worst threats) that the average user could keep using the system in learning mode for a long time (say a month or so), to establish a user behavioral baseline which would tackle all or nearly all pop-ups.

    4. Those contained programs would be launched by StripMyRights (in /LN mode = normal user mode), to include spawned processes as well.

    5. In the training period the user can always switch to SILENT mode when doing dodgy internet browsing or delicate internet transactions.

    And guess what >>> Malware Defender impressed me!


    (Please wait with replies until finished, thanks)
     

    Attached Files: 1.JPG (screenshot, 214.2 KB)

    Last edited: Dec 3, 2008
  2. Kees1958
    Please note that experienced users can just add my extra protections
    (see below) and implement the containment of internet-facing software.


    1 Install Malware Defender, import the attached rules, and make sure they are set to ASK.

    Edit: import does not seem to work; here are the entries.

    Extra file protection
    C:\Autoexec.bat
    C:\boot.ini
    c:\config.sys
    c:\io.sys
    c:\msdos.sys
    c:\ntdetect.com
    c:\ntldr


    Extra registry protection (a ';' followed by a name means a registry value)
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows;Programs
    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer;DisallowRun
    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoRun
    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer;RestrictRun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store; Database Distribution Units
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ras
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GinaDLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\nonwindowsapp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\standard
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Mirabilis\ICQ\Agent\Apps\IcqWinCfg
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00?\Control\Session Manager\Environment;ComSpec
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment;ComSpec
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment;Path
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}

    NOTE: you have to click on a registry group to get to the registry groups; ditto for the file group change.
     

    Last edited: Dec 6, 2008
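The following is an added example, not code from this thread or from Malware Defender. It reads the post's registry list using the convention stated above (a ';' followed by a name means a single registry value, a bare path means the whole key, and '?' as in ControlSet00? is treated here as a wildcard), turns each line into a structured rule, and on Windows snapshots the data at those locations so that a snapshot taken after the learning period can be diffed against one taken before. The sample rule text is a constructed subset of the list posted above; `snapshot` needs Windows (it uses the standard `winreg` module), the parsing and diffing run anywhere.

```python
"""Added example: parse the 'extra registry protection' list and baseline it.

Not part of the thread or of Malware Defender. Conventions from the post:
'KEY;ValueName' names one value, a bare path the whole key, '?' a wildcard.
"""
import fnmatch
import json
import sys
from dataclasses import dataclass
from typing import Optional

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")

# Constructed sample: four lines copied from the post's list, spacing left as posted.
SAMPLE_RULES = r"""
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer; DisallowRun
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00?\Control\Session Manager\Environment;ComSpec
"""

@dataclass(frozen=True)
class Rule:
    hive: str
    subkey: str
    value: Optional[str]  # None: the whole key is covered

def parse_rule(line: str) -> Optional[Rule]:
    """One line of the list -> Rule; blank lines and '#' comments give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    path, _, value = line.partition(";")  # ';' separates the key from a value name
    hive, _, subkey = path.strip().partition("\\")
    hive = hive.upper()
    if hive not in HIVES:
        raise ValueError(f"unknown hive in rule: {line!r}")
    return Rule(hive, subkey.strip(), value.strip() or None)

def parse_rules(text: str) -> list:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]

def _jsonable(data):
    return data.hex() if isinstance(data, bytes) else data  # REG_BINARY -> hex text

def _expand(root, subkey: str) -> list:
    """Expand '?'/'*' path components (e.g. ControlSet00?) against real subkeys."""
    import winreg
    paths = [""]
    for part in subkey.split("\\"):
        grown = []
        for base in paths:
            if not any(c in part for c in "?*"):
                grown.append(f"{base}\\{part}" if base else part)
                continue
            try:
                with winreg.OpenKey(root, base) as key:
                    i = 0
                    while True:  # EnumKey raises OSError when the subkeys run out
                        name = winreg.EnumKey(key, i)
                        i += 1
                        if fnmatch.fnmatch(name.lower(), part.lower()):
                            grown.append(f"{base}\\{name}" if base else name)
            except OSError:
                pass
        paths = grown
    return paths

def snapshot(rules) -> dict:
    """Current data at every rule location. Windows only (winreg)."""
    import winreg
    roots = {h: getattr(winreg, h) for h in HIVES}
    result = {}
    for rule in rules:
        for path in _expand(roots[rule.hive], rule.subkey):
            label = f"{rule.hive}\\{path}" + (f";{rule.value}" if rule.value else "")
            try:
                with winreg.OpenKey(roots[rule.hive], path) as key:
                    if rule.value is not None:
                        result[label] = _jsonable(winreg.QueryValueEx(key, rule.value)[0])
                        continue
                    values, i = {}, 0
                    try:
                        while True:  # EnumValue raises OSError when the values run out
                            name, data, _ = winreg.EnumValue(key, i)
                            values[name] = _jsonable(data)
                            i += 1
                    except OSError:
                        pass
                    result[label] = values
            except FileNotFoundError:
                result[label] = None  # absent now; a later appearance shows in the diff
    return result

def diff_snapshots(old: dict, new: dict) -> dict:
    """Locations whose data differs between two snapshots: {label: (old, new)}."""
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    if sys.platform == "win32":
        json.dump(snapshot(rules), sys.stdout, indent=2)  # save; diff against a later run
```

Run it once before the learning period and once after, keep both JSON outputs, and feed them to `diff_snapshots`; a value that was absent (`None`) and is now set is exactly the kind of change these entries are listed to catch. Keys the account cannot open raise `PermissionError` on purpose rather than being silently recorded as absent.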
  3. Kees1958
    2 After making sure the system works well and opening your favourite applications (including internet-facing applications):

    Go to Options, select Protection; MD should be in learning mode. Also select "In Learning mode, if explicit "deny" rule is found, do not create permit rule and do not permit the action" (see image).

    NOTE: because you are going to set up the Contained Applications group (step 3), and this containment group acts as a sandbox, you can leave your system in learning mode for a long time.
     

    Attached Files: (screenshot not reproduced)

    Last edited: Dec 3, 2008
  4. Kees1958
    3 Now create an application group "Contained applications" with the following characteristics and move your internet-facing programs into it.

    I have chosen Internet Explorer, Outlook Express and LimeWire.

    NOTE: I have moved the Internet temporary directories from the default to D:\TEMP IE\; I have done the same for the Windows temporary directory (now in D:\TEMP).
     

    Attached Files: (screenshot not reproduced)

    Last edited: Dec 7, 2008
  5. Kees1958
    Internet Explorer settings

    (Remember you can look at the logs and right-click to generate a permit rule, or set all denies of this application group to ASK and start them up in learning mode.)

    Notice that IE7 is only allowed to save to the download directory.
     

    Attached Files: (screenshot not reproduced)

    Last edited: Dec 7, 2008
  6. Kees1958
    Outlook Express settings.

    I have moved my WAB (address book) using a registry tweak, http://support.microsoft.com/kb/156828; within Outlook you can move your mail location (Extra -> Options -> Maintenance -> change location of archive).

    Note that when you save something in an allowed directory (e.g. the download directory), you will get an error message, but the file will be saved. I have notified Xiaolin of this little notification error.
     

    Attached Files: (screenshot not reproduced)

  7. Kees1958
    4 StripMyRights should be trusted (see included documentation).
    When running in learning mode, little can happen when browsing the internet or reading e-mail, due to limited rights and the strong intrusion containment of the Contained Applications group (with default deny and not allowed to write to disk and registry).
    TIP for Xiaolin: offer a preset Contained Applications box in which apps are launched as limited user up front, so I do not have to use StripMyRights.

    ==>

    5 I run all the time in learning mode, so my wife does not get a notification. I will do so for the next two months. When backing up etc. I always close MD, to avoid errors.

    When I do internet transactions I set MD to silent mode. Told my wife to do so also. It is a remarkable HIPS :thumb: :thumb: :thumb: I have managed to set it up as a silent classical HIPS, with nice anti-rootkit analysis extras.


    Last post :p
     
    Last edited: Dec 3, 2008
  8. demoneye (Registered Member, joined Dec 30, 2007, 1,356 posts, location: ISRHell)
    Kees1958, nice work mate...

    But after trying this software I gave up on it: too many popups for installing stuff, and for daily work.

    And you get an extra "bonus": after a restart the CPU is stuck at 100% for some time, verifying some sort of signatures (according to the author).

    Simple: you can use CIS and get all this HIPS for free... ha, yes, plus an extra firewall :)
     
  9. demoneye
    This is the stupid thing in this kind of HIPS... in 2 weeks (5 minutes even) you can get tons of malware... so what's the use?
    It is only 100% effective when dealing with all these popups, confirmation **** :)
     
  10. Kees1958
    Demoneye,

    As posted, my first impression was that it is a HIPS suited for die-hard control freaks, and I uninstalled. The setup posted will still protect you while in learning mode. The trick with StripMyRights and the "Contained Applications" group is that you create your own HIPS policy containment.

    When you switch to silent mode while surfing, it will protect you in a similar way a sandbox does, without redirection or virtualisation. It actually impressed me like other software from China (Rising AV, EQSecure, NetChina S3, etc.).

    Version 1.2.2 is fast on my rig, by the way.

    Cheers
     
  11. Dark Shadow (Registered Member, joined Oct 11, 2007, 4,553 posts, location: USA)
    Hey Kees, I do not know how you do it, but great work. :thumb: Perhaps I will have to give it a go again; the first time I tried it, it ran great but the popups drove me insane.
     
    Last edited: Dec 3, 2008
  12. demoneye
    What is ASK?
    It doesn't import them... said error, and yes, I did rename it to *.dat.
     
  13. Kees1958
    Nope, it will protect you, see previous post.

    When running in learning mode, little can happen when browsing the internet or reading e-mail, due to limited rights and the strong intrusion containment of the Contained Applications group (with default deny and not allowed to write to disk and registry).
     
  14. demoneye
    Silent mode is like standard mode, just deny/block without notifying :)
    Thanks a lot for the work! Much respect.
     
  15. demoneye
    And what about installing new software? Or removing it? The rights are just for browsing... we've got Sandboxie for surfing, which is 10 times better than this MD, mate :)
     
  16. Kees1958
    Last edited: Dec 3, 2008
  17. Pedro (Registered Member, joined Nov 2, 2006, 3,502 posts)
    I found some things confusing, like denying an application to start, only to see the rule ignored since it was allowed in another app rule's "Child Applications" tab.

    While it certainly seems better than SSM, SSM has a perfectly understandable application rule hierarchy. This one has a rule priority that is not easily understood.
    In SSM, deny to start, done. Deny explorer to start xyz, done (and it reflects on xyz's rule). That small detail is something they need to address, I think.

    If not for that, I see more to like than to dislike. Pretty awesome program! :D
     
  18. Kees1958
    Got me there; I prefer the ease-of-use ranking order also:

    Policy sandboxes (DW), intelligent behavioural blockers, hybrids with white/black listing (OA outcompetes them all with the Run Safer option for unknown programs), classical HIPS.

    For classical HIPS lovers, Malware Defender is the dream application; I just tried to use its granular control to make it a quiet HIPS.

    Cheers Kees
     
  19. Kees1958
    As mentioned in my first post, the rule hierarchy needs some time to get used to (it is a matrix-based rule set). But the control granularity is impressive.
     
    Last edited: Dec 3, 2008
  20. jmonge (Registered Member, joined Mar 20, 2008, 12,883 posts, location: Canada)
    I use it when looking for trouble :D :cool: :D in silent mode, denying any files to write to my C: drive ;) Visited a lot of dark places with confidence; I even saw Antivirus 2009 die on the spot :thumb: No fuss, then go normal surfing with DefenseWall :thumb:
     
  21. Rickster100 (Registered Member, joined Sep 29, 2005, 152 posts, location: United Kingdom)
    Thanks for the information, Kees. Very useful; thanks. :thumb:
     
  22. wat0114 (Guest)

    Thank you for the tips, Kees! Lots of useful info for sure. I have become sold on MD, so I bought a license the other night, even though I don't really need another HIPS, but I like to support nice efforts like this one. Xiaolin mentioned he's working on network protection. That would be a cool addition to this :thumb:
     
  23. Kees1958
    Leaving it in learning mode for a while with the Contained Applications fully restricted, you won't be faced with a lot of pop-ups anymore. By the way, when you have OA paid, you can select to NOT be prompted when an unknown program runs AND run it in a Run Safer box. This makes OA very quiet while remaining strong.
     
    Last edited: Dec 3, 2008
  24. demoneye
    The MD owner hasn't resolved the 100% CPU usage after reboot... after waiting more than 10 minutes I reset my PC and uninstalled it.
     
  25. Dark Shadow
    Thanks for the tips; that's why I think I chose Online Armor, it's easier for me to understand and set up. Though I like MD, I had no clue, other than the default settings, how to configure it without answering yes, no, maybe, having no clue what to do. :doubt: Something I found rather strange with MD was, for example, with Paragon Drive Backup: it would ask for permission for different parts of the same program. In other words, I make a backup image, allow or deny; I make a boot disk, allow or deny. Really cool if you wanted to lock a user out of certain aspects of the program, but being the only user I had to answer several or more times for the same program, which led me to this o_O
     