EMET, MBAE, and HMP.A

Discussion in 'other anti-malware software' started by J_L, Nov 17, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I never said that only the browser is attacked, I said it's often being exploited. Tools like EMET, MBAE and HMPA are trying to prevent apps from being exploited by remote code execution attacks with advanced exploit mitigations. HMPA specifically added a "process protection" module, because exploit mitigations are not meant to block process hollowing, even though as a byproduct it might sometimes prevent this.

    And besides, malware (not exploits) does not only attack svchost.exe and explorer.exe, it can inject or hide code into any process. So this means that you would have to protect every process with a tool like EMET. Of course you can do whatever you want, but don't act like the rest of us don't know what we're talking about.
     
  2. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    https://www.acunetix.com/vulnerabil...ler-could-allow-remote-code-execution-961501/

    is one such example.

    What does "for the most part" mean? 99%? 90%? 70%? I assume it isn't 100%. Does the 1% not matter?

    A malware writer I know infects thousands of machines without using any web infections, he is able to exploit via vulnerable windows services.

    explorer and svchost are good targets because they are legit and not likely to draw attention, not to mention they are also often already whitelisted by firewalls for network traffic.

    He doesn't like using browser vulnerabilities because they get patched so quickly; basically that method of exploitation has too much attention.

    Me personally, the malware I have come across by accident is probably something like this:

    5% via windows services on open lan <-> internet ports.
    80% email
    2-3% via flash content in browser
    rest via malware spread via software that is pirated copies of software.

    In 20 years of using the internet I have never come across a non-Flash web site that set my antivirus off, or caused weird behaviour that has me believe I have been compromised. Yet apparently this is the only way malware spreads and the internet is plagued with such sites :p
     
    Last edited: Feb 9, 2016
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    @chrcol
    Could you please give an example of an attack against explorer.exe and svchost.exe (also which service was targeted)? I don't remember hearing about them in the wild. It would also be interesting to know whether a user behind the Windows firewall and behind a NAT/router FW would be safe (most people I know have some kind of NAT in front of their machines and also don't disable WFW if it doesn't give them any problem). Thanks.
     
  4. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Last edited: Feb 9, 2016
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You're all over the place. The reason I responded to you is because you claimed that because EMET blocked the process hollowing attack, it proved your point that it makes sense to protect svchost and explorer.exe. But I already explained that you need separate protection against code injection/process hollowing to make sure it will always be blocked.

    And the exploit you refer to can easily be blocked by firewalls, you don't need anti-exploit for that. And yes, svchost and explorer.exe are often attacked by malware (not exploits), so there is no need to add exploit mitigations to them. You can do whatever you like, just don't complain if your system becomes less stable, that's all we're saying.
     
  6. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Well obviously, with NAT being widespread there is a much smaller attack population for these types of attacks, but there are still many devices out there that are not behind NAT, and unpatched systems.

    Also people downloading modified pirated software (not via web protocols) is not uncommon.

    I am seeing if I can get my guy to post here himself, as he knows much more than me; I don't mess around with live malware personally.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Would a good AV prevent process hollowing? For instance, would Kaspersky be effective? If so, why is there a need for HMPA for this?
    If Kaspersky doesn't do it, can you combo HMPA with Kaspersky?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I suspect Kaspersky might, but can't say for sure, as I can't use Kaspersky due to a conflict with Sandboxie. I don't know about comboing HMPA with Kaspersky. Some other users might know, but you can always test. Be sure to image your system first.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I can run both on my win10 x64 PC, without any visible conflicts.
    But how can I know if their protection mechanisms might be interfering with each other?
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not easy. I tested my setup by running malware against it to see what happens.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Thanks. I think I will keep things simple and not try to combo it.

    I am presently running Voodooshield together with Kaspersky, but I think they are different enough to avoid interfering with each other. Tell me if you think otherwise.
     
  12. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Do you use the antivirus only or Kaspersky Internet Security? If you are using the latter, you don't need Voodooshield, just enable Trusted Application Mode.

    http://support.kaspersky.com/11158
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I have Total Security, and actually I wanted to ask about TAM, because I have a problem with it.
    When I enable TAM, it blocks certain trusted programs such as Dropbox from internet access, and I have to go into the advanced firewall settings and mess around with the permissions. This happens even when TAM is on default settings.
     