Do you use exploit mitigation software?

Discussion in 'polls' started by ropchain, Jul 5, 2015.

?

Do you use exploit mitigation software?

  1. Yes, and I can explain (in detail) how exploits targeting modern operating systems work.

    10.3%
  2. Yes, but I do not exactly know how exploits work.

    67.2%
  3. No

    22.4%
  1. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    In the few months that I have been on the forum I have noticed that a number of people is fond of combining multiple security products. I am curious to find out which of these people are using exploit mitigation software (e.g. EMET/HMPA/MBAE) and can explain how a typical exploit works.

    If you can answer yes to most of the following items then you should be able to explain how modern exploits work.
    - I have basic experience with reading/writing assembly (e.g. ROP chains and shellcode) and I know what stacks and heaps are.
    - I can explain why a stack pivot is necessary in certain situations.
    - I know why VirtualProtect/VirtualAlloc are quite often used in exploits.
    - I can roughly explain against which exploitation techniques mitigation software protects.

    Thanks in advance!
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Interesting thread, I use MBAE and cast my vote for choice #2. I would be more than happy to see a discussion and basic knowledge about the items you've mentioned above. Thanks.
     
  3. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I don't and probably never will. I like to keep my security setup as basic as possible.
     
    Last edited: Jul 7, 2015
  4. jadinolf

    jadinolf Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    1,047
    Location:
    Southern California
    Nope, I use the KISS theory.

    Keep it simple stupid.:)
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Yes.
    In my pc (XP) use only EMET 4.1U1.
    In the pc of my daughter (7 - 64 bit) use EMET 5.2 + MBAE Premium.
     
    Last edited: Jul 6, 2015
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I don't see why not, even if you don't fully understand it, as long as its been proven to work.
     
  8. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
    I tried EMET and MBAE but removed them due to compatibility issues:

    When
    the exploit mitigation software makes your favorite apps
    not starting at all or behaving strangely,
    then,
    you do not want to go on...:sick:
     
    Last edited: Jul 7, 2015
  9. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Are you doing a study for school?
     
  10. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I am not doing a study for school, I want to see whether people are aware of the limitations of the available exploit mitigations and the abilities of more advanced adversaries.

    "as long as its proven to work" is not a very strong statement. All mitigation software is only able to mitigate threats up to a certain level and if this aspect would actually be included in test reports then they would result in the development of bypasses for every mitigation tool available. Conventional mitigation software is slowly but surely becoming less effective against more advanced attackers. And actually it surprises me that EMET bypasses are not yet mainstream.

    I will give you another example: 'testing' the effectiveness of anti-virus software can 'easily' be done just by developing some PoC cases (which can be done by any person with a bit of programming experience) the issues with testing exploit mitigation software are a bit bigger. It requires specialized knowledge to create custom PoC's. Almost all exploits have to rely on just a few exploitation techniques that can be easily blocked in their default configurations (e.g. stack pivots and running shellcodes from the stack). And with mitigation software you have to look at the corner cases that are called 'bypasses' because attackers are now also looking at them (e.g. https://hitmanpro.wordpress.com/2015/07/02/how-apt3-evaded-anti-exploits-with-cve-2015-3113/).

    Regards,
    'ropchain'

    PS. I was one of the people who voted for "Yes, and I can explain how exploits targeting modern operating systems work"
     
    Last edited: Jul 6, 2015
  11. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Are you going to provide a solution or just state how exploit mitigations are of none or semi-none effective?
     
    Last edited: Jul 6, 2015
  12. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Alert 3.

    Anyway i belong to type 2...
     
    Last edited: Jul 7, 2015
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Firstly,
    I am not saying that exploit mitigation tools are useless, but I am a supporter of proving the effectiveness of a mitigation tool before recommending it to others.

    Secondly,
    SurfRight already received multiple PoC's regarding HitmanPro.Alert.
    However, currently I am not able to provide PoC's to Malwarebytes and the EMET team of MS due to export restrictions. (Hint: Wassenaar Arrangement)
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I voted yes, Hitman Pro Alert, and I run it as part of my security suite. I selected 2, as I have a vague understanding, but probably couldn't explain it. I've tested HMPA against some live malware send to by some less then nice folks, and HMPA, does stop it so that makes me feel it's worth it.

    Pete
     
  15. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    266
    I'm also in the second category -- yes, MBAE, "Yes, but I do not exactly know how exploits work."

    I've relied, in a second-hand way, on others' reports on the subject. Your statements are provocative and interesting. Any guidance on a subject-matter research path would be appreciated.
     
  16. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I do not fully understand your comment but I will try to give an appropriate answer.

    I would not say that my statement was "provocative". Companies can advertise there products in two different ways: 1. As the ultimate protection against exploits (APT Shield for example) 2. As an additional obstacle for more advanced attackers. With enough resources everything can be bypassed.

    Regarding providing more in-depth information about my research I would have to disappoint you, I am not going to perform a full disclosure. Although export regulations are not making things easier...
     
  17. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Exploit mitigation software like EMET, Malwarebytes Anti Exploit and Hitman Pro Alert arent a silver bullet by any means, but in my opinion they really make the job harder for attackers and for this reason they should be deployed along some security practice.

    HMPA and its layered approach for example can augment almost all security setup, so it is good to see tools like these in the "APT" Era that we are living.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I use it, and all security tools can be bypassed, that's why you should use layered security. I do know how anti-exploit tools work, to a certain level. If you're using anti-exploit + anti-exe, it will be normally very hard for hackers to bypass them both, unless they are using some OS kernel bug, which you don't often see. Nowadays you can even use anti-exploit + isolation (like Sandboxie) which makes it even harder to do any damage.
     
  19. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I chose the second option though I'm a bit more in between. I have some basic self-taught xp in asm starting with Motorola 64k (eg Palm Pilots) and a bit more more recently with x86 ASM (took me three months to get through the first program). I tend to use Olly but I've resorted to IDA for a few drivers and the x64 programs I needed to check. I understand some of the basics they protect against but others are more advanced than me so I'd say yes to 1 & 3, not really to 2 and sortof but not really to 4.
     
  20. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I don't exactly know how anything works, even for things I'm considered an expert on.

    As for anti-exploit, they have no discernible affect on system performance once compatibility issues are sorted, so there's little reason not to add them. I'm sure in theory it's possible to bypass such measures - but my chances of running into such a problem are very, very low.

    Given my passive measures have been adequate to prevent me from seeing a challenge to my security setup, I'm erring on the side of not worrying needlessly about this.
     
  21. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I use EMET and MBAE (mostly separately). I believe they are good tools for memory hardening.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    No idea, how exploits work in detail, until the developers describe, what their product does, not interested. Just saying, that it is good for you, is not good for me.
    Exploits are one of many threats, but how dangerous, it is hard to tell without any data about it. As far as I understand, they work in collaboration with others.
    If someone would be selling an umbrella, which would protect you from a lightning, would you buy it, since you know, what a slim chance being hit by one is?
     
  23. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    To select the 1st choice would most likely mean that one knows hacking/cracking. So I am glad that most members seems to be of the category 2nd or third. Those kind of activities are the lowliest of computer activities anyone can get involved IMO.

    I myself have been forced to use one of those programs as a mitigation against exploits, without knowing of course how the exploits work or caring any to know. But as the TO above posted, the chances for any normal internet user is quite slim. Being stalked and targeted is a totally another matter.
     
  24. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I am not sure whether you are a troll or just naive.
    Knowing how to protect against attacks starts with knowledge about these attacks and how you can reproduce them in a controllable way.
     
  25. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    266
    I appreciate the answer, thank you.

    My perspective is of a person who has relatively little knowledge on exploits and mitigation as compared to the standard you've set in your OP --

    While I hadn't thought that mitigation was bullet-proof, I perhaps was becoming a little complacent in my thinking of it. I have some respect and trust of you so your statement below was a splash of cold water in my face, so to speak. That's what I meant by provocative (and appreciated).

    I wasn't asking you to provide in-depth information on your research. Your work is your work. I was merely asking for a general learning path on the subject but you've provided that really, in your OP.

    Thanks again.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.