Buffer Overflow Protection

Discussion in 'other security issues & news' started by richrf, May 25, 2005.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    To get back on track, it should be noted that a buffer overflow isn't the end of the attack. Your other security apps would probably pick up other phases of the attack, so whether you would want specific buffer overflow protection would really depend a lot on what phase of the attack you want to stop. What I like about Attack Shield is that it covers just about any kind of attack on the processes it protects; the worst that is likely to happen is that those processes could be crashed. Buffer overflows may be common, but it's ultimately going to be up to the developers to not leave their apps vulnerable to them. However, if you have the extra resources, it's probably not going to hurt anything to have some specific protection available.
     
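The overflow the post above refers to, shown as an added example that is not code from the thread or from any product mentioned in it. The fixed-size stack buffer, the `NAME_MAX` size, the function names and the constructed "USER" inputs are all assumptions made for illustration: the vulnerable copy is placed beside a bounded version that rejects anything that does not fit, and a helper reports how far past the buffer a given input would write.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size stack buffer: the classic overflow target (assumed size) */

/* How many bytes the unchecked copy of 'req' would write past 'name' (0 if it fits).
 * strcpy() writes strlen(req)+1 bytes because it copies the terminating NUL too. */
long overflow_bytes(const char *req)
{
    long need = (long)strlen(req) + 1;
    return need > NAME_MAX ? need - NAME_MAX : 0;
}

/* VULNERABLE: attacker-controlled input copied into a fixed stack buffer with no
 * length check. Input of NAME_MAX bytes or more runs past 'name' into whatever the
 * compiler placed next on the stack (saved registers, return address). It is kept
 * here only to show the pattern; calling it with over-length input IS the overflow
 * and is undefined behaviour, so the demo below never does that. */
int handle_user_unsafe(const char *req)
{
    char name[NAME_MAX];
    strcpy(name, req);            /* no bounds check */
    return (int)strlen(name);
}

/* HARDENED: measure no further than the buffer size, reject anything that would
 * not fit including its terminator, copy with an explicit bound, and always
 * NUL-terminate. Returns the stored length, or -1 when the input is rejected. */
int handle_user_safe(const char *req)
{
    char name[NAME_MAX];
    size_t len = strnlen(req, NAME_MAX);   /* never scans past NAME_MAX bytes */
    if (len >= NAME_MAX)
        return -1;                         /* would overflow: reject, do not truncate silently */
    memcpy(name, req, len);
    name[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: a normal user name and a 40-byte over-length one. */
    const char *ok   = "alice";
    const char *evil = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("safe(\"%s\")      = %d\n", ok, handle_user_safe(ok));
    printf("safe(40 x 'A')    = %d (would overflow by %ld bytes)\n",
           handle_user_safe(evil), overflow_bytes(evil));
    printf("unsafe(\"%s\")    = %d\n", ok, handle_user_unsafe(ok));
    /* handle_user_unsafe(evil) is deliberately not called. */
    return 0;
}
```

The point the post makes follows from the code: even with the bounded version, what the overflow would have done next (spawning a process, installing a service) is what the other layers in the thread are watching for, so the fix at the developer's end and the behavioural layers at the user's end address different phases.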
  2. CN232

    CN232 Guest

    When someone talks out of ignorance, I reserve my rights to call him on it. If you call this baiting so be it.


    So you agree with me in everything. If that's the case, I must be doing a poor job of baiting you then ;)
     
  3. CN232

    CN232 Guest

    As we all know, the holy grail is KAV+RD+PG+WG+ZAP. There! :)

    I beg to differ that I'm the one making the hype. Anti-hype maybe. I feel scanners are getting the short end of the stick in the forums recently, with people trumpeting "pro-active defense" and advising newbies that all they need is KAV only.

    I understand that IDS/HIPS/behavioural monitoring (of which watching app launch is the most general and IMHO probably least useful) or whatever you want to call it is hot these days, but I believe that scanners have their place and more. Especially if you are the type to be a bit lax when installing new programs (I bet quite a few people are).

    Lest I be accused of 'baiting' again, let me repeat: no matter how early in the execution stream PG and company react, only a scanner has a chance of helping you detect a nasty in a program you want to install.

    So scan first with maybe 2 or more AVs and ATs before you install, because PG's exe monitoring is most likely not going to help.

    Scanners are also much easier to use, unlike exe monitoring, which tends to throw up far too many prompts, making the problem of rare false positives by AVs look like a mosquito next to an elephant.

    Lastly, tools like PG are in my view of little value for unskilled users, in many cases, even if correctly used such tools add only a very small amount of protection anyway.

    Of course, any non-expert can use PG, but whether they can really react correctly when the time comes I think is a very big question mark.
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    If all you are saying is that users should have a good scanner, then who has said otherwise? What scanners and security protection do you recommend for the "average user"? I am sure there are lots of people who would be interested in your recommendations. AVs, ATs, pro-active software of any type? I personally would be very interested in your "recommended" configuration.

    In regards to the usefulness of ProcessGuard:

    There is a free version available. I think I can trust people enough for them to decide for themselves once they have had a chance to try it out. $29 is the price of a good meal. If people who have very little technical ability decide they can manage it (as many people I know have), what exactly is your argument? That they don't know what they are doing? Well, if that is the case (which it isn't :) ), then just accept the fact that people make mistakes. I know people who have lost millions on the stock market. This is $29 to add additional protection against keyloggers, rootkits, and unauthorized programs. Unless you think that people are going to destroy the usefulness of their machine by installing PG. If this is your argument, I have seen zero evidence of this.

    So exactly what are you arguing? That people shouldn't even try it out? That $29 is just too much to risk? That PG doesn't do what it claims it can do?

    Rich
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    PG Full's ability to block hooks and services from installing would undermine that statement in my view. Unskilled users would just not notice malware being blocked (of course they would have to remember to clear these options or disable PG when installing new software, but this is not rocket science).
     
  6. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Oh I wasn't talking about you baiting me. And I don't agree with everything that you've posted, just those things that I said.

    Also as I said, it's the nature of your posts that is baiting, not any 'corrections' that you make. If you want further clarification "I reserve my rights to call him on it" is exactly what I'm talking about. A simple correction doesn't require this.
     
    Last edited: May 28, 2005
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Ladies and Gents,

    Let's simply focus on the thread topic....and skip over the fishing and baiting comments Please....it really distracts from what has been a very good thread over-all.
     
  8. StevieO

    StevieO Guest

    Whilst i applaud the developers of the products mentioned in this thread for producing viable solutions to the problem, especially the free ones, it really is another case of the Browser/OS supplier/s responsibility to actually fix the hole/s.

    They are the one/s who made it that way, and they are the one/s who have had plenty of time to do something about it, but have glaringly failed to do so in the full knowledge that there is a problem. So it begs the questions: why haven't they, and when can we expect them to do so?

    StevieO
     
  9. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Certainly the drive-by downloads and popup problems should be completely fixed, although I don't see what could stop a download that you click on. Then there's the P2P networks etc. that still pose a problem.
     
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Stevio,

    It is sometimes called the "Law of Unintended Consequences". The same "capabilities" (or holes) that were designed by Microsoft and others to create "economic value" out of the Internet/Web can unfortunately also be exploited for more nefarious purposes. While MS may have some interest, for example, in the security of their users, they actually have an even greater interest in "capturing users" (e.g. embedding IE in the operating system), monitoring their activities, and selling products/capabilities to them by utilizing this information. Ditto for other Internet companies who sell personal information between themselves and have no control over where all this information ends up. I don't think there is a way out. The Internet is in a sort of equilibrium where the good and bad tend to balance each other out.

    Rich
     
  11. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    This has been a good thread and an interesting read. Up until the point of the P contest regarding what PG and or RD can or can't do.

    I would like to hear more about "what can be done" to help prevent buffer overflow attacks vs. the technical capabilities of PG. We do have a forum here for that you know. ;)

    My two cents, carry on peeps.

    Jag
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Not quite. I like how flexible your attention to detail is, though :) I'm not agreeing with everything you've said on the issue, only exe protection in isolation from other layers, and only for a certain amount of users. It's still a quite good layer, but there are certainly many instances where things would slip by. Of course if someone still ended up infected, they could go into PG, change that file's execution permission to 'deny always', and reboot. It may also give you some insight into what the other layers may be popping up. Exe protection is most certainly a valuable layer to have for some, but unless you're a HJT log analyzer, it's by no means the end all, and that's where I do agree with you. It is also something that is very much up to individual choice. I haven't seen anyone tell anyone that they need exe protection, nor have I seen any of this "hype" you speak of.

    It should also be noted that PG is more than exe protection, as P2k pointed out, and there are other programs that do exe protection. To state that PG is ineffective because most people couldn't use exe protection 100% effectively is kind of a misnomer. With additional layers, exe protection will alert you to the fact that something is running, at which point you can keep an eye on the rest of what's going on. There've been plenty of times for me that I ran something (allowing it to pass exe protection) and had it start tripping enough other alerts that I stopped it and cleaned up. Again, as P2k pointed out, the termination prevention and service & driver installation protection are the greater aspects of PG. This would go back to what I was saying about buffer overflows in particular: maybe you can't stop the initial BO attack, but you can stop the subsequent behavior. Of course, if I can stop the buffer overflow itself, then I certainly will.. but with any IPS, the functionality goes beyond a single behavior or alert. Programs like PG are not for everyone by any means. There are plenty of users that simply could not use them effectively. They are, however, one of several options that one can choose from. For many, more focused and transparent apps like Attack Shield or Qwik-Fix may be a far better choice. As far as safe practices, that goes without saying, but everyone has to start somewhere, and you'll never stop some people from going to places like porn sites.. there are always trade-offs.
     
  14. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Notok,

    What's the deal with Attack Shield? That is a worm prevention software correct? Is it free? I had heard there is a pay version as well.

    Feel free to PM me to discuss so we don't stray OT too much.

    Thanks,

    Jag
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jag,

    Since I am most focused on stopping any unauthorized program running, before it can exploit a buffer overflow vulnerability, I have tried (based upon advice on this forum) to plug the major entry paths for malware by running:

    1) Kaspersky AV which scans files for malicious behavior before they launch
    2) ProcessGuard which stops all unauthorized programs from running as well as the installation of unauthorized drivers and services
    3) WormGuard which alerts me to any malicious scripts.

    These would be my pro-active defense. I also run Ewido/BOClean to guard against malicious programs that might try to take advantage of buffer overflow vulnerabilities.

    Attack Shield was one product that was recommended that monitors the behavior of Windows services and alerts when something abnormal is detected - which would include a program that may be attempting to take advantage of a buffer overflow vulnerability. Of course, by this time the malicious software has penetrated and is attempting to do something nasty.

    Given that the general feeling is that buffer overflow attacks on personal computers are very rare in themselves, I believe that a good layered script/program protection is probably more than sufficient to guard against this possibility. Apparently, the greater vulnerability lies in server based programs (e.g. SQL Server) that must accept external requests (personal computers have firewalls to reject such requests), and have buffer overflow vulnerabilities in the way they were developed.

    So the bottom line, from what I can tell, is that if you are well protected against the more common types of malicious software, you probably already have sufficient protection against any potential buffer overflow issue. And, if one decides to provide explicit buffer overflow protection on the PC, then many of the available products only offer limited protection, so some due diligence is required. Personally, I am satisfied where I am at.

    Rich
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Notok et al,

    For me (and my friends who are using PG), the most important aspect of PG is execution protection. This feature provides me specific control over what can and cannot run on my computer (within the constraints of PG's capabilities). Similarly for WormGuard. For me, this trumps all.

    Stopping the installation of services and rootkits is nice, but this implies that the malicious software is already running and attempting to do something. Once the malware is in action, it may be too late. So for me, my goal is to detect the malware as early as possible in the "processing execution stream". Kaspersky AV will scan files as my first line of defense; ProcessGuard and WormGuard will give specific warnings before a script/program has a chance to execute. This is really what I am looking for and what appeals most to the people that I have introduced PG to. I realize that others may have other priorities.

    For me, PG was way easier to learn than the dozen or so "office programs" (e.g. Word, Photoshop, Excel), all of which have a very long learning curve, frequently require the purchase of large reference books (the market for these books is huge), and often require specialized training classes. And yet people still spend the time because of the payback. The few hours I had to spend in order to learn how to use ProcessGuard and RegDefend (WormGuard is a no-brainer) was easily worth it to me.

    Rich
     
  17. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    In all the talk about the benefits of execution protection, in this thread and the one CN232 started, only Notok's posts have put forward any cogent arguments in its defence, offering three scenarios where execution protection may be valuable:

    1) when installing software of dubious provenance
    2) when handling malware samples
    3) in the event of infection, to stop malware running on reboot (I'm guessing that this will not be effective for all kinds of malware)

    Control over what's running on your PC sounds nice, but it begs the question of how the user knows that a process is malicious. If an executable gets through all my scanners, even Jotti if I'm exceptionally cautious, why would I want to block it? And so how is execution protection helping me? CN232 has made these points repeatedly, and responding with vague remarks about extra layers of protection and the reasonable cost of various products is neither here nor there.
     
    Last edited: May 29, 2005
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Meltdown,

    "If an executable gets through all my scanners, even Jotti if I'm exceptionally cautious, why would I want to block it?"

    Because it may be malicious? No scanner is perfect.

    The answer to your question is so obvious. I simply stop all programs that pop out of nowhere. (Rmus made the same point). 99.9% of the time PG is absolutely quiet. I do get alerts for explorer.exe and rundll.exe because I choose to do so. Everything else is suspect and I hardly ever get such alerts. In fact, I don't remember getting such alerts in ages. When I do (and maybe it has happened once or twice), I simply Google to see what the exe is all about. In all cases it has been benign. On my son's account he might get an alert once every six months, if that much.

    I wonder whether you or CN232 have ever even used the product. If so, exactly what type of alerts are you talking about that are so difficult to handle? Can you provide me with a specific example and circumstance? Thanks.


    Rich
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There is a fourth situation - where an exploit triggers the running of an executable. This could be a drive-by download where an ActiveX control starts a trojan-dropper to download more malware or an actual worm attack (one of the symptoms of the Sasser worm was that it would cause lsass.exe to run). In these cases, the PG-equipped user would get an execution prompt without having done anything to run a program - in this case the timing should provide enough warning that the prompt should be denied.

    Yes, the examples given above could be countered by browser configuration, web filtering and (in the case of known worms) anti-virus software. Yes, System Safety Monitor's Application Watching would be a better choice since it includes the calling program when prompting and in subsequent rules (so you could have Internet Explorer started by Windows Explorer but nothing else). However this is another valid case where user control over program execution can protect against attack.
     
  20. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    I'm not surprised. Looking at your portfolio of security products, I don't think you'll find much malware that is unknown to Kaspersky, Ewido and BoClean, yet has celebrity status on Google :)

    Thank you for your input, Paranoid2000. I think that's the strongest argument yet in favour of execution protection.
     
  21. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I've always thought of PG's exe/dll protection in a similar way to ZoneAlarms application firewall.
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Meltdown,

    The idea is that when you Google an item and it doesn't show up on Google, then you probably have a piece of malware. My friend, who is a real neophyte at this, figured this out very quickly. It is usually quite easy to find lots of references on Google for valid software.

    Rich
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Here is an interesting comment from Jotti:

    "Approximately 2 malicious programs pass this scanner, without any AV product noticing anything, every day!"

    So even if you are using all of Jotti's scanners (a physical impossibility), you would still be susceptible to intrusion. My friends, who I helped clean their systems in the last few weeks, both had top-rated AVs (Norton and Trend-micro), but were still penetrated.

    My guess is that even if you added a good AT to the mix, there is still susceptibility, though quite minute. It might be so small that for many people it isn't worth worrying about, especially if the machine is used only for games or browsing. But for some people, it is worth it to add some additional layered safeguards (e.g. WormGuard and PG) to close remaining holes. Hence the discussion concerning Buffer Overflow.

    Rich
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It should be noted, in all fairness, that this applies to file scanners which may have problems identifying compressed, crypted, rebased or patched/hexed malware. Most AV/AT software also includes a memory scanner which has a much higher chance of identifying such items (typically when they decompress/decrypt, etc).
     
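The file-scanner versus memory-scanner distinction made in the post above, as an added example that is not code from the thread or from any of the products it names. The byte signature, the "malware" body, the unpacker stub and the single-byte XOR packer are all constructed stand-ins for a real sample and a real packer/crypter: a signature search over the on-disk (packed) image misses, and the same search over the bytes the stub produces in memory hits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed byte-signature a scanner might carry for a known sample. */
static const uint8_t SIGNATURE[] = "EVILPAYLOAD";
#define SIG_LEN (sizeof(SIGNATURE) - 1)

/* Constructed plaintext body of the "malware". */
static const uint8_t PLAIN_BODY[] = "EVILPAYLOAD: drop keylogger, install service";
#define BODY_LEN (sizeof(PLAIN_BODY) - 1)

/* Constructed unpacker stub that precedes the packed body on disk. */
static const uint8_t STUB[] = "STUB:xor";
#define STUB_LEN (sizeof(STUB) - 1)

/* Toy packer: XOR every body byte with one key. Stands in for a real packer
 * or crypter (assumption); the scanning logic does not depend on the scheme. */
#define PACK_KEY 0x5A

/* Naive memmem(): index of 'sig' inside 'buf', or -1 when absent. */
long find_signature(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m)
{
    if (m == 0 || n < m)
        return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0)
            return (long)i;
    return -1;
}

/* Build the on-disk image: stub followed by the packed body. This is all a
 * file scanner gets to see. Returns the image length, 0 if 'cap' is too small. */
size_t build_packed_image(uint8_t *out, size_t cap)
{
    if (cap < STUB_LEN + BODY_LEN)
        return 0;
    memcpy(out, STUB, STUB_LEN);
    for (size_t i = 0; i < BODY_LEN; i++)
        out[STUB_LEN + i] = PLAIN_BODY[i] ^ PACK_KEY;
    return STUB_LEN + BODY_LEN;
}

/* What the stub does at run time: decode the body into a fresh buffer. This is
 * the moment a memory scanner gets a look at the real bytes. Returns the
 * unpacked length, 0 on a malformed image or insufficient 'cap'. */
size_t unpack_in_memory(const uint8_t *image, size_t n, uint8_t *out, size_t cap)
{
    if (n < STUB_LEN || cap < n - STUB_LEN)
        return 0;
    for (size_t i = STUB_LEN; i < n; i++)
        out[i - STUB_LEN] = image[i] ^ PACK_KEY;
    return n - STUB_LEN;
}

/* 1 if a signature scan of the on-disk image matches, else 0. */
int file_scan_hits(void)
{
    uint8_t image[128];
    size_t n = build_packed_image(image, sizeof image);
    return find_signature(image, n, SIGNATURE, SIG_LEN) >= 0;
}

/* 1 if a signature scan of the unpacked, in-memory body matches, else 0. */
int memory_scan_hits(void)
{
    uint8_t image[128], mem[128];
    size_t n = build_packed_image(image, sizeof image);
    size_t m = unpack_in_memory(image, n, mem, sizeof mem);
    return find_signature(mem, m, SIGNATURE, SIG_LEN) >= 0;
}

int main(void)
{
    printf("file scan (packed image): %s\n", file_scan_hits() ? "hit" : "miss");
    printf("memory scan (unpacked):   %s\n", memory_scan_hits() ? "hit" : "miss");
    return 0;
}
```

The same one-byte change to the key, or any re-packing, leaves the on-disk bytes different from the signature while the in-memory bytes stay identical, which is why a real-time or memory scan catches repacked variants that a plain file scan with the same signature misses.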
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi P2000,

    Yes, this is very true. Recently, while cleaning a friend's computer, several instances of malware, which were packed in ADS files, were undetected by TDS-3, Ewido, and KAV 5.0 scans, but were detected by KAV 5.0 real-time. I cleaned them all out with a single scan of ADSSPY.

    Rich
     