Buffer Overflow protection

Discussion in 'other anti-malware software' started by Kees1958, May 4, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I tried Buffershield. According to their website, XP DEP only protects against one exploit. After installing Buffershield, I started the configuration. In the config app, a special test tab is provided to check whether Buffershield is properly installed.

    To my surprise XP DEP intercepted all tests. I have DEP enabled for all programs and a processor which supports DEP. It seems that DEP catches all tests, does this mean DEP enabled for all programs is sufficient?

    Any insights/experience on this topic, anyone?

    Thx K
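
The test tab Kees describes is, at its core, a probe that plants a few bytes of code in an ordinary data buffer and tries to jump into them; hardware DEP (the NX/XD bit) is what makes that jump fail. As an added example, not part of this thread, of BufferShield or of any other product mentioned here, the C program below does the same thing on a POSIX system: it maps a page, copies a "return 42" stub into it, and calls it once from a plain read/write page and once from a page re-protected as executable. The stub encodings, the helper names and the use of mmap/mprotect/sigsetjmp are my own assumptions, and the probe assumes an x86, x86-64 or AArch64 machine with a GCC- or Clang-compatible compiler.

```c
/* Added example (not from the thread or from BufferShield): an NX/DEP probe
 * for POSIX systems. Assumptions: x86/x86-64 or AArch64, GCC/Clang builtins,
 * and a kernel that honours PROT_EXEC.  Build: cc -o nxprobe nxprobe.c
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "return 42": the stand-in for an attacker's payload. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char RET42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "no RET42 stub for this architecture"
#endif

static sigjmp_buf fault_env;

/* Fault handler: unwind back into run_from_page() instead of crashing. */
static void on_fault(int signo)
{
    siglongjmp(fault_env, signo);
}

/* Put RET42 in a fresh page and call it. If make_executable is set the page
 * is re-protected RX first (W^X, the way a JIT does it); otherwise it stays a
 * plain RW data page, which is exactly where a stack or heap overflow leaves
 * injected code. Returns the stub's value (42), -1 if the call faulted, or
 * -2 on a setup error. */
static int run_from_page(int make_executable)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    memcpy(page, RET42, sizeof RET42);

    if (make_executable) {
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, pagesz);
            return -2;
        }
        /* No-op on x86; required on AArch64 after writing instructions. */
        __builtin___clear_cache((char *)page, (char *)page + sizeof RET42);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some kernels report the fault as SIGBUS */

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*stub)(void) = (int (*)(void))(uintptr_t)page;
        result = stub();                /* faults here when NX is enforced */
    } else {
        result = -1;                    /* arrived via on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

/* Control: the same bytes run fine from a page that is marked executable. */
int control_returns(void)
{
    return run_from_page(1);
}

/* 1 if the CPU/kernel refused to execute from the data page, 0 if it ran. */
int nx_enforced(void)
{
    return run_from_page(0) == -1;
}

int main(void)
{
    int ctrl = control_returns();
    printf("executable page: stub returned %d (expected 42)\n", ctrl);
    printf("data page:       %s\n",
           nx_enforced() ? "execution blocked (hardware DEP / NX is enforced)"
                         : "stub ran anyway (NX is NOT enforced)");
    return ctrl == 42 ? 0 : 1;
}
```

The control run matters as much as the probe: if the stub does not return 42 from the executable page, the machine-code bytes or the signal handling are wrong and a "blocked" verdict on the data page would be meaningless. A real self-test of this kind also needs to be run in every process it is meant to protect, since on XP the per-process DEP setting (the "all programs" versus "essential Windows programs only" choice) decides whether the data-page call is refused at all.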
     
  2. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    AFAIK the "software DEP" (for CPU without DEP) is the one that protects against a single exploit.

    EDIT: From http://www.grc.com/sn/SN-078.pdf (Page 9-10)

     
    Last edited: May 4, 2007
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Hi Kees,
    You may want to take a look at this thread :)
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    GGF31416, Lucas1985

    Thanks for the info. Regarding buffer overflow protection, I always thought that a free software defense was: XP's DEP for all programs; WehnTrust and BoWall were the poor man's solution.

    I wanted to trial Buffershield because it is only 19 dollars. Thinking what the heck, I've got everything else covered with just EQSecure and GeSWall Pro on my wife's PC (my son's PC has Antivir + DefenseWall + DSA; DW is supposed to protect against buffer overflows according to Kareldjag).

    I did install Buffershield as a trusted download and disabled EQSecure. The test covers the areas mentioned in the thread Lucas mentions.

    I am still confused whether the test programs (of BufferShield) use only the one exploit covered by XP DEP (software), or whether DEP enabled on a DEP-featured CPU will cover you for all of them.

    Does somebody know how the exploits are covered by hardware DEP (the only pop-ups you get are the DEP pop-ups, plus the 'fatal error' message of XP)?

    Thanks for the info

    (from this type of thread and earlier ones on SSM, firewalls, and the sharing of new apps like PowerShadow and EQSecure, I really enjoy acquiring knowledge from other forum members)

    Regards K
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have to say that Buffershield really looks impressive (if you look at the exploits it protects against). I wonder why not many HIPS are focusing on buffer overflow protection? Is it hard to code or something? But I really wonder if these tools are compatible with other HIPS; I do know that Wehntrust gave me problems a while back.

    http://www.sys-manage.com/english/products/products_BufferShield_Exploits.html
     
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Hardware DEP (NX/XD bit) is the answer. Nobody will pay for a solution that is built into your processor.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Ilya,
    Are you saying that none of these tools offer protection beyond hardware-enforced DEP?
    What about ASLR?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not sure if that is really true. I have hardware DEP turned on, and am less than enamoured with it. It decides something I do with Explorer might be risky, and its solution is to crash Explorer. There has to be a better mousetrap out there.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, all

    As far as I know, Microsoft software DEP covers just one of the buffer overflow exploits. When you know your processor, you can Google whether your CPU has built-in buffer overflow protection.

    What I was wondering: is this ability turned on by enabling DEP for all programs or is it on by default (since it is a hardware feature). My PC passed all the Buffershield test.

    Regards K
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, I mean it.
    ASLR is the only thing absent from the WinXP SP2 buffer overflow defense. Vista already has it.
    It means that some Explorer extension is written wrongly. Remove it.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, the features offered by WehnTrust Home User have some value or not?
    Thanks Ilya :thumb:
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    With your Windows XP, yes. But there are some problems with this application:
    1. Wehnus doesn't work correctly with its ZwSetSystemInformation hook; any kind of third-party hook causes a BSOD.
    2. Wehnus doesn't correctly cover ZwQuerySystemInformation; this function returns an old ntdll.dll base address. This will cause many issues with security software.

    I've sent an e-mail to its support, but still have had no response.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, so the conclusion is: hardware DEP does the exact same job as Buffershield, and it's capable of stopping all the exploits that Buffershield protects against? In that case, hardware DEP is better than I thought. :rolleyes:
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Just do not forget to switch it on for all the applications.
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, I'll have to wait for a fix to these issues. I don't want an unstable machine :D
    Thanks again Ilya.
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I would suggest asking their support first whether they are going to improve their product.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'll do that ;)
     