opinions on Comodo Memory Firewall

Discussion in 'other anti-malware software' started by trekie12cat, Jun 3, 2009.

Thread Status:
Not open for further replies.
  1. trekie12cat

    trekie12cat Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    15
    I have Avast Home, PC Tools Firewall and Sandboxie. Is this a good addition?
    Also, what are the opinions on it? I can't seem to find any reviews.
     
  2. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    IIRC CMF has been discontinued as a stand alone product - it's now integrated in CIS. IMHO you don't need it. I believe with DEP enabled for all programs and services you should be protected against buffer overflows.

    Do you have any other security software running? You could consider adding an AV and/or HIPS.
     
  3. eXPerience

    eXPerience Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    98
    Hi,

    CMF is indeed discontinued as a standalone product. But that doesn't mean it's useless. As it's not relying on any definitions, it will always protect you.

    The need for buffer overflow protection is arguable, but IMHO it's needed.

    DEP isn't as strong as CMF.

    Xan
     
  4. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Like others said, buffer overflow protection has now been integrated to CIS.
    I recommend you use CIS instead, since the memory firewall module is still being improved/updated.
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Well, I had it installed for several months, and never saw a peep out of it. Naturally I presumed I didn't have any BOs, until one day I ran Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Unbelievable! The number of buffer overflows listed in all sorts of apps etc. was staggering. I think people should run it and see how they fare. I'd be very interested in the results, and I'm sure you will be too.

    Buffer overflows are just one vector by which malware can enter a PC, and therefore protection is a good thing. So was CMF working correctly, or was PM giving FPs? I tend to err on the side of PM. The thing is, I wasn't aware of any issues with any of my software, but?
     
  6. 3xist

    3xist Guest

    Hello.

    1. Software DEP is nothing but an SEH chain validator (meaning it's not real DEP but a way to prevent one rare type of shellcode injection)
    2. Hardware DEP is a very incompatible thing, that's why:
    a) DEP mode by default is OptIn = all system services are protected, user apps aren't protected
    b) DEP is _VERY_ incompatible, so we've got one more "layer" over DEP mode - Windows disables DEP for apps which are known to be incompatible with DEP (this includes many checks, like an exe-packer check and so on)
    3. DEP protection is vulnerable to ret2libc kinds of attack (so you're not protected at all)

    This is why BO protection is in CIS.

    Cheers,
    Josh
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Too bad there is no more standalone Comodo Memory Firewall.
    People would already have a suite of HIPS, firewall, etc. and would not want to have CIS installed for the buffer overflow protection.
    Tested over Slipfest, and Comodo Memory Firewall works.
    The DLL it injects I scanned heuristically with AVZ, and it passed as not trojan-like or having keylogger activity.
    I have tested Ozone HIPS as buffer overflow protection, but its address space randomization has prevented my firewall/HIPS from monitoring OpenProcess calls from other applications.
    Hope they bring back Comodo Memory Firewall as a standalone, as hardware DEP is not enough.
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Buffer overflows listed in Process Monitor, Filemon or Regmon are very different from the buffer overflows that malware takes advantage of.
    Hear it straight from the horse's mouth, the creator of that software...
    http://blogs.technet.com/markrussinovich/archive/2005/05/17/buffer-overflows.aspx
    http://blogs.technet.com/markrussinovich/archive/2005/06/04/buffer-overflows-in-regmon-traces.aspx

    I have yet to detect buffer overflows in the wild, as I used old versions and unpatched software like media players with documented buffer overflow exploits and vulnerabilities in the wild and zero-day malware using those. I have been downloading questionable media files with possible embedded code and am still waiting for my HIPS/firewall to catch it. And I am not using any updated antivirus, still zero malware.
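    The distinction drawn in the post above (and the Russinovich links it cites) is that a Process Monitor "BUFFER OVERFLOW" result is the NTSTATUS value STATUS_BUFFER_OVERFLOW, a warning the API returns when the caller's buffer was too small, typically followed by the same call succeeding with a larger buffer; it is not memory corruption. The script below is an added example and not part of this thread or of any Sysinternals tool: it parses a Process Monitor CSV export (the column names are Procmon's default export columns; the rows themselves are constructed for illustration), counts "BUFFER OVERFLOW" results per process, and reports how many of them are followed by a SUCCESS for the same PID, operation and path, which is the benign size-probe pattern a defender can discount when triaging such a trace.

```python
"""Triage Process Monitor "BUFFER OVERFLOW" results from a CSV export.

Added example; not code from the thread or from Sysinternals.
"""
import csv
import io
from collections import Counter, defaultdict

# Procmon's "BUFFER OVERFLOW" result is the NTSTATUS value STATUS_BUFFER_OVERFLOW.
STATUS_BUFFER_OVERFLOW = 0x80000005

# Constructed sample of a Procmon CSV export (File > Save..., CSV format). The
# header matches Procmon's default columns; the rows are made up for this example.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:00:01.0000001","explorer.exe","1234","RegQueryValue","HKLM\SOFTWARE\Example\Setting","BUFFER OVERFLOW","Length: 16"
"12:00:01.0000002","explorer.exe","1234","RegQueryValue","HKLM\SOFTWARE\Example\Setting","SUCCESS","Type: REG_SZ, Length: 64, Data: example"
"12:00:01.0000003","wmplayer.exe","2222","QueryNameInformationFile","C:\Users\me\song.mp3","BUFFER OVERFLOW","Name: \Users\me\song.mp3"
"12:00:01.0000004","wmplayer.exe","2222","QueryNameInformationFile","C:\Users\me\song.mp3","SUCCESS","Name: \Users\me\song.mp3"
"12:00:01.0000005","wmplayer.exe","2222","QueryDirectory","C:\Users\me\Music","BUFFER OVERFLOW","Filter: *"
"12:00:01.0000006","svchost.exe","888","CreateFile","C:\Windows\missing.dll","NAME NOT FOUND","Desired Access: Read"
'''


def ntstatus_severity(code: int) -> str:
    """Decode the severity field (bits 31:30) of an NTSTATUS value.

    0 = success, 1 = informational, 2 = warning, 3 = error. STATUS_BUFFER_OVERFLOW
    (0x80000005) decodes as a warning; an access violation (0xC0000005) is an error.
    """
    return ("success", "informational", "warning", "error")[(code >> 30) & 0b11]


def parse_procmon_csv(text: str) -> list[dict]:
    """Read a Procmon CSV export into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_buffer_overflows(text: str) -> dict[str, dict[str, int]]:
    """Count BUFFER OVERFLOW results per process and how many were retried successfully.

    A BUFFER OVERFLOW row is considered the benign size-probe pattern when a later
    row with the same PID, operation and path reports SUCCESS: the program asked the
    API how large a buffer it needs, then called again with a big enough one.
    """
    total: Counter = Counter()
    retried: Counter = Counter()
    # Outstanding BUFFER OVERFLOW rows, keyed by (PID, operation, path), awaiting a SUCCESS.
    pending: defaultdict = defaultdict(list)

    for row in parse_procmon_csv(text):
        key = (row["PID"], row["Operation"], row["Path"])
        if row["Result"] == "BUFFER OVERFLOW":
            total[row["Process Name"]] += 1
            pending[key].append(row["Process Name"])
        elif row["Result"] == "SUCCESS" and pending[key]:
            # The retry succeeded: credit every outstanding probe for this key.
            for name in pending.pop(key):
                retried[name] += 1

    return {
        name: {"buffer_overflow": total[name], "retried_ok": retried[name]}
        for name in total
    }


if __name__ == "__main__":
    print("STATUS_BUFFER_OVERFLOW severity:", ntstatus_severity(STATUS_BUFFER_OVERFLOW))
    for name, counts in triage_buffer_overflows(SAMPLE_PROCMON_CSV).items():
        print(f"{name}: {counts['buffer_overflow']} BUFFER OVERFLOW result(s), "
              f"{counts['retried_ok']} followed by a successful retry")
```

    To use it on a real trace, export the Procmon capture as CSV and pass the file contents to triage_buffer_overflows(). A process whose BUFFER OVERFLOW rows are all followed by matching SUCCESS rows is simply sizing its buffers; an exploited overflow would not show up as this result code at all.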
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The only time I've ever seen any is when finding a URL in an alert posted somewhere. This has been the case with the PDF exploits going around. Here is one:

    All of the buffer overflow exploits in the wild I've seen reports on, embed a URL to call out to download malware as shown above - easily blocked by a HIPS or execution prevention type of program, as you mention.

    I've been looking (unsuccessfully) for any buffer overflow exploits in the wild that do something besides act as a trigger
    to download malware.

    If anyone knows of some, please let me know.

    thanks,

    rich
     
    Last edited: Jun 4, 2009
  10. eXPerience

    eXPerience Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    98
    Please check your pm and you will have a lot of fun :D

    eXPerience
     
  11. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: Examples in the wild of Buffer Overflow Exploits

    Thanks, I'm aware of these, but they are Proofs of Concept.

    I'm interested in looking at exploits circulating in the wild.

    ----
    rich
     
  13. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Me too, and still looking.

    From a developer perspective, it seems more efficient to pursue a separation of concerns development approach whereby the instructions in the overflow would do only what Rmus described, leaving other 'modules' to perform a wide array of different capabilities.

    I've wondered whether the overflow environment is sufficiently variable/unpredictable such that the ROI for just doing a "dropper" far outweighs that of doing something more multipurpose or tailored.

    Well, after "droppers" become less effective, the malware developers may just have to employ more complex instructions in the overflow.

    Cheers,

    Eirik
     
  14. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    trismegistos

    Thanks for the info, very revealing! Comodo Memory Firewall is still available; I tested the download site yesterday http://www.memoryfirewall.comodo.com/

    Rmus

    Hi rich, first off congrats on your appointment as Exploit Analyst, you deserve it. If I come across any potential naughty www's I'll let you know.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi StevieO - thanks. This month is the first I've seen you around here in a long time!

    (naughty URLs ... hmmm...)

    ----
    rich
     
  16. polocanada

    polocanada Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    60
    StevieO, these are not harmful BOs. Please read the response I got in this post... https://www.wilderssecurity.com/showthread.php?p=1257625

    This is just a way of saying that all is fine. Problem avoided.
     