I never said that only the browser is attacked, I said it's often being exploited. Tools like EMET, MBAE and HMPA are trying to prevent apps from being exploited by remote code execution attacks with advanced exploit mitigations. HMPA specifically added a "process protection" module, because exploit mitigations are not meant to block process hollowing, even though as a byproduct they might sometimes prevent this. And besides, malware (not exploits) does not only attack svchost.exe and explorer.exe, it can inject or hide code into any process. So this means that you would have to protect every process with a tool like EMET. Of course you can do whatever you want, but don't act like the rest of us don't know what we're talking about.
https://www.acunetix.com/vulnerabil...ler-could-allow-remote-code-execution-961501/ is one such example. What does "for the most part" mean? 99%, 90%, 70%? I assume it isn't 100%. Does the 1% not matter? A malware writer I know infects thousands of machines without using any web infections; he is able to exploit via vulnerable Windows services. explorer and svchost are good targets because they are legit and not likely to draw attention, not to mention they are also often already whitelisted by firewalls for network traffic. He doesn't like using browser vulnerabilities because they get patched so quickly; basically that method of exploitation has too much attention. Me personally, the malware I have come across by accident is probably something like this: 5% via Windows services on open LAN <-> internet ports, 80% via email, 2-3% via Flash content in the browser, and the rest via malware spread through pirated copies of software. In 20 years of using the internet I have never come across a non-Flash web site that set my antivirus off, or caused weird behaviour that made me believe I had been compromised. Yet apparently this is the only way malware spreads and the internet is plagued with such sites.
@chrcol Could you please give an example of an attack against explorer.exe and svchost.exe (also which service was targeted)? I don't remember hearing about them in the wild. It would also be interesting to know whether a user behind Windows Firewall and behind a NAT/router FW would be safe (most people I know have some kind of NAT in front of their machines and also don't disable WFW if it doesn't give them any problem). Thanks.
Switch to a modern OS in the first place instead of focusing on XP, Vista, 7 or lower. Anyway, my English doesn't support me further, but you are simply out of route!
You're all over the place. The reason I responded to you is because you claimed that because EMET blocked the process hollowing attack, it proved your point that it makes sense to protect svchost and explorer.exe. But I already explained that you need separate protection against code injection/process hollowing to make sure it will always be blocked. And the exploit you refer to can easily be blocked by firewalls; you don't need anti-exploit for that. And yes, svchost and explorer.exe are often attacked by malware (not exploits), so there is no need to add exploit mitigations to them. You can do whatever you like, just don't complain if your system becomes less stable, that's all we're saying.
Well, obviously with NAT being widespread, these types of attacks have a much smaller attack population, but there are still many devices out there that are not behind NAT, and unpatched systems. Also, people downloading modified pirated software (not via web protocols) is not uncommon. I am seeing if I can get my guy to post here himself, as he knows much more than me; I don't mess around with live malware personally.
Would a good AV prevent process hollowing? For instance, would Kaspersky be effective? If so, why is there a need for HMPA for this? If Kaspersky doesn't do it, can you combo HMPA with Kaspersky?
I suspect Kaspersky might, but can't say for sure, as I can't use Kaspersky due to a conflict with Sandboxie. I don't know about comboing HMPA with Kaspersky. Some other users might know, but you can always test. Be sure to image your system first.
I can run both on my win10 x64 PC, without any visible conflicts. But how can I know if their protection mechanisms might be interfering with each other?
Thanks. I think I will keep things simple and not try to combo it. I am presently running Voodooshield together with Kaspersky, but I think they are different enough to avoid interfering with each other. Tell me if you think otherwise.
Do you use antivirus only or Kaspersky Internet Security? If you are using the latter, you don't need Voodooshield, just enable Trusted Application Mode. http://support.kaspersky.com/11158
I have Total Security, and actually I wanted to ask about TAM, because I have a problem with it. When I enable TAM, it blocks certain trusted programs such as Dropbox from internet access, and I have to go into the advanced firewall settings and mess around with the permissions. This happens even when TAM is on default settings.