Malware Defender

Discussion in 'other anti-malware software' started by Ibrad, Mar 15, 2010.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Kernel hooks are the primary source of instability when running 2 HIPS or Firewalls.

    MD hooks the kernel. PFW does NOT hook the kernel. Reason: PFW is 64bit ready. MD is NOT. (In 64bit Windows versions, PatchGuard precludes hooking the kernel.)

    Therefore - - -

    + It is totally safe to run MD & PFW together.

    + You can turn off PFW's HIPS component because MD will do the HIPS job. However, leaving PFW's HIPS running won't cause any problems -- it's just unnecessary.

    + You can turn off MD's "Network Protection" (it's a weak-sister firewall-type protection) because PFW's SPI-based firewall is much MUCH more powerful than MD's Network Protection. However, leaving MD's Network Protection running won't cause any problems -- it's just unnecessary.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Proof of the pudding (a segment of my sys tray) - - -

    systray.gif
     
    Last edited: Oct 12, 2010
  2. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    I would imagine that the 32bit version of PFW hooks the kernel. They don't use the same driver for 32/64.
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I am running both of them in WinXP SP3 32bit.
     
  4. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Maybe it relies on appinit to do all of its filtering. Interesting.
     
  5. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    And all kernel hooks of the pwipf6.sys belong to Piggly Wiggly and not Privacyware. :rolleyes:

    Cheers
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The substance of PFW's support (Greg) reply to my 10/12/2010 query is as follows . . .

    1- Greg said that development of the upcoming update to PFW is coming along pretty well. It works splendidly on Win7 and Vista. They are currently working out some issues on XP.

    2- Once the update is completed, Greg said they will submit to Winqual for review and ultimately release an update to the public. Greg estimates another few weeks until public release.

    3- Concerning hooks in 32bit, Greg said that PFW "utilizes several common implementations of kernel mode hooks to control actions of user applications."

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Okay, so PFW does hook it for 32bit. My bad. :p

    Even so, I haven't encountered any instability ever -- having (at various but separate times) run MD alongside PFW as well as Outpost as well as Spyshelter -- all of which have HIPS to one degree or another.
     
  7. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    1,014
    Location:
    Brooklyn, USA
    bellgamin,
    I appreciate your posts about MD and working with PFW also. I don't know much about firewalls but am running both of these. Would these settings in PFW be adequate protection alongside of MD without getting too complex? Or, should I change something that would increase protection but not enable the HIPS in PFW, and thanks.

    PFW_Basic_Settings.png

    PFW_Advanced_Settings.png

    Gary
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Aloha Gary,
    Your settings look grrreat to me except I don't see the need to display main menu every time you launch PFW.

    On Main Menu you should also set slides for Internet Security & Network Security to "High".

    The slide for Process Monitor controls PFW's HIPS. I set it to "Off" when running MD.
     
  9. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    1,014
    Location:
    Brooklyn, USA
    Thanks for that - accidentally hit that display main menu option. Appreciate your help and loving this combo - MD and PFW.

    Gary
     
  10. LODBROK

    LODBROK Guest

    I'm not even going to try to post up the convoluted URL for this translated Oct 20th forum posting, so check out my screen shot...

    "Positive Solutions for landlord after the acquisition that will not be any updates after."

    Could that mean 2.7.2.0001 is the last MD?

    Here's the link to the forum home page...
    -http://bbs.360.cn/5451703.html-
     

    Attached Files:

    • MD.jpg
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    It could mean nothing. The source may be nobody of any importance. And/or the translation may be wrong, e.g. it could be a question. Xiaolin always said that as Malware Defender matures the frequency of updates would reduce and that's what has happened. I advised Xiaolin of a bug I found in MD in September and he said he'd look into it for the next version. If there's no new version 12 months from now, then it would then be safe to assume that's it.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would like to see Eset purchase Malware Defender, and integrate it into ESS. MD would just need to be made more simple to use for those less tech savvy. I believe it would be a good move for both parties. They better do it before Comodo does. Lol. Comodo bought 2 HIPS in the past that I can remember. I sometimes wonder where Comodo gets their funding since most of their products are free.
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Cutting_Edgetech, MD has already been bought up by an antimalware company from China that makes 360.
    Comodo's main money maker is selling authentication, certification : ssl certificates...
     
  14. LODBROK

    LODBROK Guest

    Agreed. But do it by hiding the complexities and allow all current (expert) access.

    How could I live without being able to edit a [Registry Group]Autostarts Locations -> [Registry]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services rule?! :D
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    jeez, NOT this perfect tool in hands of these (...) dudes!
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Better them than Symantec Lol
     
  17. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    This idea would be an excellent idea for any major AV company, as long as they incorporate MD as it is, but without its firewall, as additional HIPS protection.
     
  18. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Sorry, but I think this is a total nonsense idea:

    1. Malware Defender is owned by 360Safe now - part of the deal with Xiaolin joining them

    2. If you hadn't noticed Malware Defender is a classical HIPS. Classical HIPS do not sit well with the traditional users of antivirus software. It would require a total rewrite of MD to the point where you might as well start again.....which they would have to....but of course they wouldn't because they'd never do such a stupid thing in the first place as to try to buy MD!

    Now, if the question is "Is it a good idea to add an intelligent HIPS to an AV suite?" then the answer is yes, imo. But MD is not an intelligent HIPS, it's the most raw type you can get.

    No AV company snapped up SSM, ProSecurity, EQSecure, Neoava Guard, Netchina etc, when they went bump. And the same principles apply here...except even more so, because Malware Defender is still alive and owned by another security company.
     
  19. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Sorry but I have to disagree too. Traditional HIPS is a perfect complement for an AV software, especially for a single AV without firewall.
     
  20. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Ok, maybe I'm missing something here. Tell me about a current AV with a traditional classical HIPS built in - not an intelligent HIPS with features such as whitelists, but a proper classical HIPS. I can't think of a single one - even Comodo has abandoned proper classical HIPS. So if there isn't one, maybe that's because AV companies think it's a crap idea?
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The request is rather off the mark because the usual combo is not AV+HIPS but rather FW+HIPS (e.g., Private FW, Outpost, Online Armor, et alia). FW+HIPS is a logical combo because (speaking simplistically):

    +++ A "conventional firewall" is a security-wall between the OS and the internet.

    +++ A "HIPS" is a security-wall between the OS and its kernel.

    The D+ component of CIS is a classical HIPS.

    Granted MD has no built-in whitelist. That's why I recommend running it for several days in learning mode while exercising your computer through its normal/daily/safe routine. Thereby MD automatically builds a whitelist unique to your own particular computer.

    For thoughtful high-risk users, a classical HIPS is a superb addition to most any security set-up. Unlike most other security apps, a classical HIPS not only covers a full range of malware-type behaviors but ALSO provides broad-scope/configurable protection of the complete registry and all computer files, at the user's discretion.

    The main reason that we do not see many extant classical HIPS is because most folks are uninterested &/or incapable of providing knowledgeable responses to the alerts generated by a classical HIPS.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    P.S. Interestingly enough, Threatfire (which is generally known only as a marginally out-dated behavior blocker) can also provide full-range protection of registry & files - - - by user-configuration of TF's advanced rules options.
     
    Last edited: Oct 26, 2010
  22. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Hi Bellgamin, while I agree with most of your comments, I think you are also broadly agreeing with me. The subject I was responding to was the suggestion that Eset (or another AV vendor) should buy MD and incorporate it into their AV suite.

    And my argument is that this is unlikely to be a sensible move by an AV vendor....witness the failure of any AV vendor to purchase any of the now defunct HIPS, some of which were superb applications. And witness the move of Comodo D+ from a pure classical HIPS to an intelligent HIPS - D+ is no longer a classical HIPS in the way it operates to the end-user in default configuration.

    I couldn't agree more...and that is exactly why an AV company is never going to buy and incorporate a pure classical HIPS into its mass-market product. Intelligent HIPS, yes (e.g. Online Armor, Kaspersky), classical HIPS, no.
     
  23. LODBROK

    LODBROK Guest

    The conventional perspective is something Whitelisted (via user input or as a built-in known-good) in a "modern" HIPS will never bother the user again; allowed forever - the friendly/silent/intelligent HIPS rule. I'm not sure MD rules built for apps/processes while in Learning mode can be considered as having Whitelisted those apps/processes except in a generic sense. Persistent rule sets is a more apt descriptor.

    Like, Sandboxie is in the habit of building GUID named folders in its Container store. Even after a lengthy Learning period, once in Normal mode Sandboxie will eventually cause MD to throw out a file rule challenge (which I quickly ended for Firefox only with an e:\sandbox\user1\* file rule). Even MD's zero priority * rule is peppered with "Ask" permissions.

    As I did for all of Sandboxie's components, among others - Zemana, CCleaner, etc., one can toss stuff in MD's Trusted Applications-Normal group but as I understand it and have observed they are subject to the Application-System rules. As when, for example, the first time a Trusted app would want to write to the registry by way of services.exe. So, MD Trusted is still not a silent/friendly/intelligent HIPS known-good Whitelist thing.

    MD is about as classic as it gets! :thumb:

    That said, regardless of the levels of silent/friendly/intelligent known-good Whitelisting in currently marketed mainstream user-friendly HIPS enabled suites, an eventual chat up for a user decision is an inescapable eventuality. Otherwise it wouldn't be a HIPS, would it? That there is a whole new can of worms as evidenced by that MRG/SpyShelter discussion a while back. :ouch:

    Developers can play with that all they want, but in the long run it's unlikely we thoughtful high-risk users will be able to turn off the "Intelligence." Sad. Yeah, no Intelligence is a lot of effort at first even with a Learn/Train mode. So what? :D
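    The two points made above (bellgamin's, that Learning mode builds a machine-specific rule set; LODBROK's, that such rules are per-resource, so a new Sandboxie GUID folder still triggers an "Ask", and that a Trusted app is still subject to Application-System rules) can be illustrated with a toy rule evaluator. This is an added example, not Malware Defender's code: the priority numbers, the meaning of the "Trusted" group as a high-priority allow rule, the service-key Application-System rule, and all file and process paths are assumptions constructed for the demonstration.

```python
"""Toy model of a classical-HIPS rule set (constructed example, not Malware
Defender's implementation). Shows why rules created in Learning mode behave
as a persistent per-resource rule set rather than a whitelist."""

from dataclasses import dataclass, field
from fnmatch import fnmatch

ASK, ALLOW, DENY = "ask", "allow", "deny"


@dataclass
class Rule:
    priority: int   # higher wins; 0 is the catch-all "*" rule (assumed scheme)
    app: str        # process path pattern (fnmatch wildcards)
    resource: str   # file or registry path pattern (fnmatch wildcards)
    action: str     # "read" / "write" / "*"
    verdict: str    # ALLOW / DENY / ASK


@dataclass
class Hips:
    rules: list = field(default_factory=list)
    learning: bool = False
    prompts: list = field(default_factory=list)  # events that reached the user

    def _match(self, app, resource, action):
        # Backslashes are literal in fnmatch, so Windows-style paths are fine.
        hits = [r for r in self.rules
                if fnmatch(app.lower(), r.app.lower())
                and fnmatch(resource.lower(), r.resource.lower())
                and r.action in (action, "*")]
        return max(hits, key=lambda r: r.priority) if hits else None

    def check(self, app, resource, action):
        rule = self._match(app, resource, action)
        verdict = rule.verdict if rule else ASK
        if verdict == ASK:
            if self.learning:
                # Learning mode records an exact allow rule for this one
                # resource; it does not generalise to sibling paths.
                self.rules.append(Rule(10, app, resource, action, ALLOW))
                return ALLOW
            self.prompts.append((app, resource, action))  # user is asked
        return verdict


def build_demo():
    return Hips(rules=[
        Rule(0, "*", "*", "*", ASK),  # zero-priority catch-all: Ask
        # Assumed Application-System rule: writes under the Services key
        # always prompt, whatever group the process belongs to.
        Rule(50, "*", r"HKLM\SYSTEM\CurrentControlSet\Services\*", "write", ASK),
    ])


FIREFOX = r"c:\program files\mozilla firefox\firefox.exe"  # constructed path


def learning_then_normal():
    """Learned rule covers only the GUID folder seen during learning."""
    hips = build_demo()
    hips.learning = True
    hips.check(FIREFOX, r"e:\sandbox\user1\{1111-aaaa}\cache\x.tmp", "write")
    hips.learning = False
    repeat = hips.check(FIREFOX, r"e:\sandbox\user1\{1111-aaaa}\cache\x.tmp", "write")
    new_guid = hips.check(FIREFOX, r"e:\sandbox\user1\{2222-bbbb}\cache\y.tmp", "write")
    # The user's wildcard rule ends the challenges for this app only.
    hips.rules.append(Rule(20, FIREFOX, r"e:\sandbox\user1\*", "*", ALLOW))
    after_wildcard = hips.check(FIREFOX, r"e:\sandbox\user1\{3333-cccc}\z.tmp", "write")
    return repeat, new_guid, after_wildcard, len(hips.prompts)


def trusted_still_asks():
    """A 'Trusted' app is allowed generally but the system rule still wins."""
    hips = build_demo()
    ccleaner = r"c:\program files\ccleaner\ccleaner.exe"  # constructed path
    hips.rules.append(Rule(30, ccleaner, "*", "*", ALLOW))  # Trusted group (assumed)
    file_write = hips.check(ccleaner, r"c:\users\user1\appdata\local\temp\a.log", "write")
    svc_write = hips.check(ccleaner, r"HKLM\SYSTEM\CurrentControlSet\Services\Foo\ImagePath", "write")
    return file_write, svc_write


if __name__ == "__main__":
    print("learning/normal:", learning_then_normal())
    print("trusted:", trusted_still_asks())
```

    Running it shows the learned rule allowing the exact path it saw, the next GUID folder falling through to the catch-all "Ask", the wildcard rule silencing the prompts, and the Trusted app still being asked for the service-key write.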
     
  24. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    I don't like the terms 'classical HIPS', 'intelligent HIPS', 'modern' HIPS etc.
    Either it is a real HIPS or it is a watered down HIPS.

    I think people like MD because it is a real HIPS, meaning mostly the user is in charge.
    There are more than enough watered down HIPS, which try to answer for the user as often as possible.

    A real HIPS is a very rare species and should not be killed only to get another watered down HIPS lookalike.

    Cheers
     
  25. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Agreed.
    Most people ever online worldwide; 1,966,514,816
    Most users ever online on Wilders; 1,581

    (Members: 106,747, Active Members: 10,326)

    Many more folks than just Wilders members know/prefer classical HIPS but uptake of MD (as is) in a mainstream security suite is simply a no-go imao.
    Perhaps a recipe for bankruptcy. I mean, anyone here who would recommend it to mum?
     