What do you feel about buffer overflow protection? (Comodo Memory Guardian)


Coolio10
October 31st, 2007, 07:29 PM
Well, I noticed aigle's post about ThreatFire and am wondering what you all think about buffer overflow protection. Is it needed? Have you encountered it?

Well, two products that are supposed to protect against it are ThreatFire and Comodo Memory Guardian, which is being kept quiet in the beta area.

Comodo Memory Guardian was made to protect only against them. It will also be eventually integrated into the firewall.

Like to see some feedback about it.

Sorry about the big pictures. Taken right from the developer.

They are pics of CMG blocking the new Vista .ani vulnerability and the Yahoo Messenger exploit.

http://www.wilderssecurity.com/attachment.php?attachmentid=194724&d=1193872801
http://www.wilderssecurity.com/attachment.php?attachmentid=194725&d=1193872801

{QUOTE-> Comodo Memory Guardian is a buffer overflow detection and protection tool which provides the ultimate defense against one of the most serious and common attack types on the Internet.

What is a Buffer Overflow attack?
-------------------------------------
...excerpt from http://en.wikipedia.org/wiki/Buffer_overflow
"
In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination, or in the event of the user being malicious, a possible breach of system security.

A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by either the programmer or the compiler can prevent buffer overflows."

Features :

* Detection of Buffer Overflows which occur in the STACK memory,
* Detection of Buffer Overflows which occur in the HEAP memory,
* Detection of ret2libc attacks,
* Full 32 bit and 64 bit Support,

Important Note : This is a BETA product and is intended only for the users who would like to test the product and provide us some feedback. It may contain major bugs which may cause your system to be unstable or cause permanent data loss. Please do not install this software on a production machine or distribute it. <-QUOTE}
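The Wikipedia excerpt quoted above describes a buffer overflow as data written past a fixed-length buffer that overwrites adjacent memory, and names bounds checking as the fix. The C program below is an added example written for this thread; it is not code from Comodo, Wikipedia or any poster. The `struct record`, its field names and the `set_name_*` and `fits_in_buffer` functions are constructed for illustration. It places a trusted flag variable directly after a fixed-length buffer so the layout matches the "adjacent memory" case, shows the unchecked `strcpy` pattern, and beside it a bounds-checked version that refuses input that does not fit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-length buffer size, chosen for this example */

/* Constructed layout: the buffer is immediately followed by a variable the
 * program trusts, which is the "adjacent memory" the excerpt refers to. */
struct record {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable pattern: strcpy() copies until it finds a NUL byte and never
 * looks at the size of the destination. Input of NAME_LEN bytes or more
 * runs past name[] and into is_admin (undefined behaviour in C). */
void set_name_unchecked(struct record *r, const char *input)
{
    strcpy(r->name, input);
}

/* Hardened form: confirm the input and its terminator fit before copying.
 * Returns false and leaves the record untouched when they do not. */
bool set_name_checked(struct record *r, const char *input)
{
    /* Look for the terminator only within the first NAME_LEN bytes, so the
     * check itself never reads further than the buffer could hold. */
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL)
        return false;                          /* input plus NUL does not fit */
    memcpy(r->name, input, (size_t)(nul - input) + 1);   /* includes the NUL */
    return true;
}

/* The same check, usable for any fixed-size destination buffer. */
bool fits_in_buffer(const char *input, size_t buffer_size)
{
    return memchr(input, '\0', buffer_size) != NULL;
}

int main(void)
{
    /* Constructed input: 24 characters, longer than the 16-byte buffer. */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAA";
    struct record r = { "", 0 };

    if (!set_name_checked(&r, oversized))
        printf("checked copy: refused %zu-byte input, is_admin=%d\n",
               strlen(oversized), r.is_admin);

    if (set_name_checked(&r, "alice"))
        printf("checked copy: stored \"%s\", is_admin=%d\n", r.name, r.is_admin);

    /* set_name_unchecked(&r, oversized) is the bug the excerpt describes:
     * the bytes beyond name[15] land in is_admin. It is deliberately not
     * called here because its behaviour is undefined. */
    return 0;
}
```

The checked version relies only on `memchr` and `memcpy` from the C standard library, so it builds with any conforming compiler; the point of the check is that the terminator search is capped at the destination size, so an over-long input is rejected before a single byte is written.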

Perman
November 1st, 2007, 12:39 AM
Hi, folks:

Speaking of buffer overflow protection, Sunbelt Kerio FW does offer this protection; it will block buffer overflow code execution. It will alert the user when the problem occurs. So far I have not encountered it yet. I have not tested its strength, therefore no verdict can be delivered. Take care.

aigle
November 1st, 2007, 02:01 AM
I wish there could be some way to test it against actual exploits.

Mrkvonic
November 1st, 2007, 07:31 AM
Hello,
Not really needed if you keep your software up to date and mainly use less-mainstream apps. Switch to Firefox / Opera and Pidgin and problem solved.
Mrk

Pedro
November 1st, 2007, 11:03 AM
Mrk, assuming no bugs, you're right of course. :)
But with this, you don't need to rely on Mozilla etc., and vulnerabilities are found.
CMG should be incorporated in CFP later on, if my memory serves me right.

Coolio10
November 1st, 2007, 04:32 PM
{QUOTE-> I wish there could be some way to test it against actual exploits. <-QUOTE}

It can. Those pictures were real tests. The dev just made them by running the same code used in the exploits in IE. Also, Comodo made a test application.

innerpeace
November 2nd, 2007, 12:01 AM
Doesn't turning on DEP for all programs cover buffer overflows?

solcroft
November 2nd, 2007, 12:21 AM
{QUOTE-> Doesn't turning on DEP for all programs cover buffer overflows? <-QUOTE}
Apparently not. DEP still fails against HTML shellcode files, though the technical details as to why, or if this is even important, are beyond me.

lucas1985
November 2nd, 2007, 12:26 AM
{QUOTE-> Doesn't turning on DEP for all programs cover buffer overflows? <-QUOTE}
DEP Limitations (http://en.wikipedia.org/wiki/Data_Execution_Prevention#Limitations)
{QUOTE-> Unlike similar protection schemes available on other operating systems, DEP provides no address space layout randomization (ASLR (http://en.wikipedia.org/wiki/Address_space_layout_randomization), a feature now available in Windows Vista), which may allow return-to-libc attacks that could feasibly be used to disable DEP during an attack. <-QUOTE}

innerpeace
November 2nd, 2007, 12:49 AM
Thank you solcroft and lucas1985. It seems it's over my head also from the link that lucas1985 provided. This is the first I have heard of DEP not up to the task.

I'll assume that it's not urgent at the moment and keep my eyes on the forums.

aigle
November 2nd, 2007, 01:29 AM
{QUOTE-> It can. Those pictures were real tests. The dev just made them by running the same code used in the exploits in IE. Also, Comodo made a test application. <-QUOTE}
I read a thread on the TF forums and the TF people were not satisfied with the test utility launched by Comodo.

I can't say anything as the topic is well beyond my knowledge.

Coolio10
November 2nd, 2007, 09:18 AM
{QUOTE-> I read a thread on the TF forums and the TF people were not satisfied with the test utility launched by Comodo.

I can't say anything as the topic is well beyond my knowledge. <-QUOTE}

Last time I checked, companies do not usually compliment each other. Don't you think one app would get an unfair advantage being talked about in their own forums?

A user of ThreatFire said it cannot block the .ani exploit in Vista and CMG can. That should be proof right there that Comodo offers more protection, if even a bit.

Pedro
November 2nd, 2007, 09:45 AM
Coolio, hard to compare the two. One is built specifically for this, TF aims to be an "intelligent" program that detects malicious behavior in general.

aigle
November 2nd, 2007, 10:10 AM
I understand that, and actually I trust neither of the statements.

I will believe only when tested by some trustworthy third party or somehow by myself. For myself it's too difficult to test something against such exploits, well beyond my knowledge and expertise.

It's even too hard to find a link with such an alive exploit!!:-[

Zombini
November 3rd, 2007, 12:24 AM
{QUOTE-> Apparently not. DEP still fails against HTML shellcode files, though the technical details as to why, or if this is even important, are beyond me. <-QUOTE}

SolCraft,

Do you have a link to the above? Why is DEP ineffective against HTML shellcode?

Thanks.

Rasheed187
November 3rd, 2007, 03:28 PM
Well, nice to see CMG in real life action. It's running just fine on my machine, so it looks like a nice addition to my setup. And I must say that I was also quite impressed to see how many exploits a tool like Buffer Shield could stop; would be cool if CMG could do the same. :)

http://www.sys-manage.com/PRODUCTS/BufferShield/PreventedExploits/tabid/63/Default.aspx

lucas1985
November 3rd, 2007, 03:40 PM
{QUOTE-> And I must say that I was also quite impressed to see how many exploits a tool like Buffer Shield could stop; would be cool if CMG could do the same. <-QUOTE}
{QUOTE-> Hardware DEP (NX/XD-bit) is the answer. Nobody will pay for a solution built into your processor. <-QUOTE}
From here (http://www.wilderssecurity.com/showthread.php?p=1003989)

Rasheed187
November 4th, 2007, 12:36 PM
@ lucas1985,

Yes, I know, but what I meant is that I think it's impressive that a software based tool can protect against all of this. ;)

lucas1985
November 4th, 2007, 01:24 PM
Understood :)

LUSHER
November 5th, 2007, 08:14 AM
{QUOTE-> @ lucas1985,

Yes, I know, but what I meant is that I think it's impressive that a software based tool can protect against all of this. ;) <-QUOTE}

You are assuming it does so effectively....

Rasheed187
November 9th, 2007, 01:43 PM
{QUOTE-> You are assuming it does so effectively.... <-QUOTE}

Yes, of course. I assume that these guys have enough knowledge to make a good product, and I already asked you why you said that the CMG testing tool is rubbish. I'm still waiting for your response.