Do you use a software anti-exploit?

Discussion in 'polls' started by Sampei Nihira, Jul 14, 2014.


Do you use anti-exploit software in your security setup?

  1. Yes

    57 vote(s)
    62.0%
  2. No

    20 vote(s)
    21.7%
  3. I'm not interested

    15 vote(s)
    16.3%
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    Even SimExecFlow?
     
  2. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    No, that would prevent me from getting some malware samples.
     
  3. guest

    guest Guest

    This is just my random mumbling so there's no need to take it seriously.

    I feel anti-exploit software is somewhat overrated. Somehow everyone jumps on the anti-exploit bandwagon these days. I admit that it is a fancy idea, but I see them more as a complementary feature rather than an entity in their own right. You all can hit me with lollipops if you want, but that's how I view them.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Exploits are rare, but they are the only things an experienced Wilders member cannot protect themselves from. Rather than complementary, I find anti-exploit the only truly necessary addition to common sense.
     
  5. guest

    guest Guest

    Didn't I say not to take it seriously? :p

    Ah well, it's true that anti-exploit is worthy, but I just see them as getting more of the spotlight than needed. I mean, not having standalone anti-exploit software is not much of a big issue. The software developers should make their own software secure first, and then, if required, the anti-exploit feature should be part of security software which has a larger scope, such as AV, policy restriction, CHIPS, etc. After all, an exploit is just one chapter of an intrusion.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Maybe nitpicky: exploits are not rare, since anything that runs arbitrary code without user input is one by definition. What's rare are direct-to-root remote exploits.

    Chaining a remote userspace exploit to a local kernel one is rare for now, but it is also trivial to perform if you can reliably invoke both exploits. Personally I expect to see more of that in the future.
     
  7. guest

    guest Guest

    I tend to go in the reverse direction from my own will. I do like EMET though; version 5 looks to be the best version I've tried so far. Encountered some problems in Palemoon, but it might just be Palemoon's own bugs.

    Maybe I should ask a custom title like "Upside Down" or something, lol.
     
  8. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Switched to Debian some time ago. No need for anti-exploit at this point of the game.
     
  9. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    I have to agree, EMET 5 is the lightest version I have ever used, a big improvement. Even running Chrome and its derivatives under all mitigations has no issues for me. Currently not using HMPA, but I plan to once it is officially released, although I do check out the tech preview on my other PC.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For the purposes of this poll, does WehnTrust qualify?
     
  11. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I would say on the contrary that social engineering and drive-by downloads would be the two most common vectors of infection. It's hard to get reasonable statistics, since most stats seem to list "trojans" together, without mentioning the actual mechanism of infection. I do recall statistics a few years ago that listed web exploits as the source behind a majority of infections, but 10 minutes of googling hasn't shown me anything useful.

    Whitelisting sites which can run Javascript is a simple way to avoid exploit kits. Despite this, I still use EMET for internet facing apps including Adobe Flash, but not for Palemoon which apparently has some exploit protection built-in. I still need to find out if there are any EMET options which can stably be enabled for Palemoon.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Drive-by downloads and social engineering still need to defeat the common sense of an experienced Wilders member somehow and make them manually execute the malware.

    I don't see how it's on the contrary when I already stated exploits are rare, unless you think somehow they would still be most common for someone like myself to get infected.
     
  13. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    628
    Location:
    Terre Haute, IN
    For someone still running Windows XP Pro, which anti-exploit would be best? And yes, I know I should update, but I have so much older software and hardware that I would have to replace should I update. I would appreciate all replies and thank you in advance.

    John
     
  14. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Maybe re-read my post, as well as your original post to which I replied. You stated exploits are rare (false), and that Wilders members can't defend themselves against them (false).

    Now you are saying common sense can defeat them, since you have to manually execute a web exploit? Have you ever seen a drive-by download/web exploit in action?
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Exploits against up-to-date software are definitely rare. By defending, I mean in the context of being without security tools.

    You stated drive-by download, which is simply a JavaScript automatic download that doesn't necessarily equate to a drive-by install.
     
  16. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    I voted yes. HMPA 3 is just another layer of protection, so why not.
     
  17. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    So you mean that zero-day exploits are rare, and need a different strategy than patching and safe browsing habits?

    That's fair enough, but TBH I'm not sure how rare zero-day attacks really are, as it's hard to get solid statistics. An old study from 2007 showed that when vulnerabilities were reported over 7 years, 15% of these already had an exploit available (although a proportion were POC and not ITW). Symantec define a zero-day vulnerability as "one that is reported to have been exploited in the wild before the vulnerability is public knowledge and prior to a patch being publicly available."

    According to Symantec, the zero-day attacks each year since 2008 were:
    - 9 in 2008;
    - 12 in 2009;
    - 14 in 2010;
    - 8 in 2011;
    - 14 in 2012;
    - 23 in 2013.

    These figures are high IMO, and are for common applications and plugins such as IE, FF, Java, Adobe Flash & Reader, etc. Each zero-day vulnerability can be repacked over and over into variants to evade detection during the vulnerable period, which can last anywhere from days to months and average 312 days according to one group of researchers. Also since exploits tend to be saved for targeted attacks on higher-value targets, how many of these go unreported due to lack of surveillance or reporting?

    From: http://arstechnica.com/security/2012/10/zero-day-attacks-are-meaner-and-more-plentiful-than-thought/
    Normally the nomenclature "drive-by download" just means a web exploit leading to the silent installation of malware without user intervention, as the other kind you mention is relatively uncommon and is far less likely to lead to an infection. Also, there are other sources of web exploits, e.g. ActiveX, VBScript, malicious fonts, etc., not just JavaScript.

    Some resources:
    http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
    http://www.symantec.com/content/en/...ces/b-istr_main_report_v19_21291018.en-us.pdf
    https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-zero-day-attacks-in-2013.pdf
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's a very narrow and carefully worded definition. It doesn't include those that escaped detection during usage, those that are stockpiled by criminal organizations, governments and LEAs, or bought and sold in black markets. All we see is the tip of the iceberg, those that were discovered because someone was sloppy regarding its usage. We're seeing lots of servers and companies being exploited and no one knows how it was done. It's quite likely that zero-days were used and the evidence of their existence was wiped from the system.
     
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Agreed. We can't know how many escape detection for all the reasons you list. The statistics were the best at hand, and more than demonstrate that zero-day exploits are more common than people credit.

    Symantec found more exploits in 2013 than FireEye did in the same year. Similarly, the methods used by researchers Bilge & Dumitras led to the detection of only about a quarter of the zero-day exploits that Symantec as a whole found. I haven't looked through them individually, but I'd expect that most were exploits used on a wide scale.
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,626
    Location:
    USA
    HMPA3 and very pleased with it. Can't deal with EMET anymore.
     