Currently, I'm running all 3 in their free versions. That means MBAE only protects browsers and Java, while HMP.A doesn't have exploit mitigation. While I am beta testing, I have configured them to the limitations of their respective free versions. I'm thinking of setting them up this way: MBAE will cover the browsers, EMET will cover everything else, and HMP.A will add non-exploit-specific protection. The only problem is Java; should I double-team that vulnerable software? Currently, I have only EMET covering it, because MBAE isn't compatible with Java 8 (at least in my setup). *They're incompatible, choose MBAE over EMET. P.S. I've heard the "use one or the other" argument plenty of times, and will not regard it any further in this thread. That is unless one has proven it still applies in this specific setup during everyday activities. *Other incompatibilities with the above software, including SBIE, are welcome for side discussions. As is other anti-exploit software like ViRobot APT Shield, Crystal Anti-Exploit Protection, etc.
Run the test HPA3: http://test.hitmanpro.com/hmpalert3ctp4.zip
If with MBAE + EMET you get inferior results to only EMET, there's something wrong.

Test HPA3 32 bit - EMET 4.1 U1
Stack Pivot = Passed
Stack Exec = Passed
ROP Win Exec = Passed
ROP Virtual Protect = Passed
ROP Nt ProtectVirtualMemory = Passed
ROP system in msvcrt = failed *
ROP VirtualProtect via CALL gadget = failed *
ROP WinExec via anti-detour = failed *
Null Page = Alert - "Null Page exploit/test failed".
SEHOP = Passed
Heap Spray 1 = Passed
Heap Spray 2 = Passed (no alert)
Heap Spray 3 = failed *
Heap Spray 4 = failed *
Anti VM = Failed *
Hollow process = Alert - "I feel so empty inside".
Load Library = (No alert)
URLMon = failed *
URLMon 2 = Passed
URLMon 3 = Passed

P.S. EMET ver 5.1 probably passes the test ROP VirtualProtect via CALL gadget.
Hi J_L. There is an old adage: you get what you pay for, and in this case, I am not sure you get much. I just did a test against a live piece of malware, with very interesting results, but since I used the latest of each program, it doesn't fit your criteria. If you are interested I will post here. Pete
Thanks Sampei. Pete, I know that you usually get better stuff paying for it, but I don't see the need right now. I actually am using the latest versions of each program, but with settings configured the same way as the free versions. The testing with live piece of malware will be of great interest. Please provide it if possible. Thanks.
Okay, the piece of malware was from one of those emails purporting to be sending a scan of tickets which you supposedly bought. It contains a zip file which contains an exe disguised as a doc file. I tested it in a VM, in which I have EIS, AppGuard, ERP and the latest private beta of HitmanPro.Alert. I disabled the first three as they would have stopped it. HMPA shut it down, and it wasn't a hardware mitigation, but the process hollowing. Detail said it was a Process Hollowing attack on svchost.exe located in the SysWOW64 area. HMPA shut it right down. I also tested it against EMET 5.1 and the latest beta of MBAE. I only had any one of them installed at a time. Neither alerted on the attack. Since adding apps in EMET is easy, I added svchost.exe to EMET's list, and reran the malware. EMET then did detect the attack. It was too difficult to add stuff to MBAE so I didn't try it, although I presume it would work. So bottom line: HMPA did stop an attack on something not in its guarded list, where the other two didn't. Pete
Interesting, thanks for describing everything. Adding svchost.exe to EMET or MBAE isn't quite a good idea, so forget that. I'm curious how you opened the executable doc file; if it was with a shielded office program, would EMET or MBAE have prevented it?
It wasn't an executable doc, it was an executable that they added the Word icon to. It wasn't an exec you could "open". If you had file extensions turned off it looked like a doc file, but if you clicked on it, it just executed. Without the detail in HMPA I wouldn't have known it was attacking svchost.exe. And you are correct, EMET 5.1 shut down svchost, which wasn't cool. HMPA just stopped the attack without screwing up the system.
Very interesting. Maybe not "cool", however, it prevented infection, right? If that is the case, then simply restarting Windows is a small price to pay in comparison to untold damage from malware infection.
True but HMPA stopped it without the same effect. Also without HMPA, I wouldn't have had a clue what it was doing.
Another question: If I have CIS installed with auto-sandboxing, do I even need any of those programs? In the case of "Peter2150", CIS would have just sandboxed the hidden .exe when it tried to run? Thanks
I tested it with SBIE, and candidly I am not sure what the results told me, so I wouldn't assume this kind of malware might be stopped by the CIS sandbox. Does a sandbox stop process hollowing? I am not sure.
Actually, it doesn't sound like it's an exploit, this seems to be malware that's using the "process hollowing" technique. So this means that if you run this malware, apps like HMPA, EIS and AppGuard should all be able to stop this attack. EXE Radar, EMET and MBAE are not designed to stop this technique, so that's why I'm surprised that EMET could stop it. But it only did after adding svchost.exe to the protection list, so that doesn't really count. Could you perhaps test EIS and AG?
That is exactly what I said, it's a process hollowing attack. EIS BB does stop it, as does AppGuard's policy. EXE Radar stops it from running, but that is it.
Yes but what I mean is, you can't blame certain tools for not being able to stop this, because they simply don't offer protection against "process hollowing". Can you perhaps also post screenshots from OA and AG blocking this attack? I would like to know what type of alert they give. To clarify, they should not block the process from running (EXE Radar can also do that), but they should stop the code injection.
Rasheed, no, I won't go back and repeat everything to post screenshots for you. You are quite free to test on your own. Sorry
OK forget about the screenshots, can you perhaps tell me how they notify you, surely it must end up in the log file? Do they report something like "code injection blocked"? If I'm correct, OA will alert, and AG will silently block. BTW, ZeroVulnLabs already explained why EMET did alert about it, see this: https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-49#post-2428324
First, EMET didn't alert about it. It only alerted after I figured out what was going on from HMPA, and protected svchost.exe in EMET, which isn't wise at all. Barring my doing that, EMET flunked. As to the rest of your questions, Rasheed, if you had trialed any of these programs you wouldn't be asking them. Frankly I am not about to spend an hour typing answers to questions you could get for yourself by trialing all the software. Sorry
The hollow process feature in Alert warns the user that malware is trying to exploit the identity of a legitimate process by replacing its code with malicious code. It is a very common trick used by malware authors, especially RAT malware. This is because a legitimate process does not stand out in Task Manager or Process Explorer. The feature does not require a user's decision/interaction either, so it is useful for average computer users. The hollow process feature provides another layer of protection.
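The identity-swap described in this post can be spotted from a memory snapshot, as an added example that is not part of the thread or of HitmanPro.Alert's own code: a hollowed process keeps its name, but the memory at its PEB image base is no longer a file-backed mapping of the image on disk. The record layout, field names and the two svchost.exe sample entries are constructed assumptions, modelled on the SysWOW64 case reported earlier in the thread.

```python
# Added example: heuristic detection of process hollowing from constructed
# per-process snapshot records (the kind a memory-forensics tool produces).
# In a hollowed process the original image is unmapped and replaced by
# private memory holding the attacker's PE, so the region at the PEB's
# ImageBaseAddress is no longer backed by the legitimate file on disk.
from dataclasses import dataclass


@dataclass
class ProcSnapshot:
    pid: int
    name: str
    peb_image_base: int       # ImageBaseAddress reported by the PEB
    peb_image_path: str       # image path reported by the PEB
    region_base: int          # base of the memory region containing peb_image_base
    region_mapped_file: str   # file backing that region; "" means private memory
    region_protection: str    # page protection of the region, e.g. "PAGE_EXECUTE_WRITECOPY"


# Protections a normally loaded image section is expected to carry.
EXPECTED_IMAGE_PROT = {"PAGE_EXECUTE_WRITECOPY", "PAGE_EXECUTE_READ", "PAGE_READONLY"}


def hollowing_indicators(p: ProcSnapshot) -> list[str]:
    """Return the reasons a process looks hollowed; an empty list means clean."""
    reasons = []
    if not p.region_mapped_file:
        reasons.append("image base lies in private memory, not a file-backed mapping")
    elif p.region_mapped_file.lower() != p.peb_image_path.lower():
        reasons.append(f"mapped file {p.region_mapped_file} differs from PEB path {p.peb_image_path}")
    if p.region_base != p.peb_image_base:
        reasons.append("PEB image base is not the base of its memory region")
    if p.region_protection not in EXPECTED_IMAGE_PROT:
        reasons.append(f"unexpected protection {p.region_protection} on the image region")
    return reasons


def scan(snapshots: list[ProcSnapshot]) -> dict[int, list[str]]:
    """Map pid -> indicators for every process that shows at least one."""
    return {p.pid: r for p in snapshots if (r := hollowing_indicators(p))}


# Constructed sample: pid 1234 is a normal 32-bit svchost.exe; pid 4321 has had
# its image replaced by a private RWX region at the malicious PE's preferred base.
SAMPLE = [
    ProcSnapshot(1234, "svchost.exe", 0x00B40000, r"C:\Windows\SysWOW64\svchost.exe",
                 0x00B40000, r"C:\Windows\SysWOW64\svchost.exe", "PAGE_EXECUTE_WRITECOPY"),
    ProcSnapshot(4321, "svchost.exe", 0x00400000, r"C:\Windows\SysWOW64\svchost.exe",
                 0x00400000, "", "PAGE_EXECUTE_READWRITE"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

A real collector would fill the records from the live PEB and VAD/memory-region data; the heuristic itself is independent of how the snapshot was taken.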
I totally agree. A lot of my other software alerted me and forced me to make a decision. HMPA just took care of it. Well done. Pete
Yes I know, see post #16. Why the heck would I trial apps that I don't plan on using? That's just silly. And I didn't know it took that much time and effort to test it; I thought you were using VMs, so it should be a 10 minute job. But never mind, some other members have already tested it with HMPA's testing tool.
Exactly, and why should I waste 1 minute let alone 10 minutes answering questions about an App you have no intention of using?