Buffer-overflow attack

Discussion in 'ProcessGuard' started by spectator, Feb 26, 2005.

Thread Status:
Not open for further replies.
  1. spectator

    spectator Registered Member

    Feb 26, 2005
    Buffer overflow is a very common attack.

    Does processguard protect my computer from code that get runned by buffer overflow if I check "Block New and Changing program"?
  2. Pilli

    Pilli Registered Member

    Feb 13, 2002
    Hampshire UK
    Hi Spectator, ProcessGuard protects from driver / service install and will stop anything that is protected from change, if the buffer overrun mechanism is an executable then PG would see it and ask for permission to run.
    If it is an external attack then it is the job of your firewall.
    PrevX i said to protect againt buffer overrun but I have no experience with PrevX.
    Using the latest security patches from MS also address some of these attacks.

    HTH Pilli
  3. gottadoit

    gottadoit Security Expert

    Jul 12, 2004
    Hi Spectator,
    PG looks at the environment at the process level, so things like java/activex executing inside your browser (an already running process) don't interact with permissions set in PG unless they try to create an external process

    The short answer is that process guard does not protect you from a buffer overflow and the subsequent execution of code in the target process.

    What is can do is limit some of the damage that is able to be done afterwards, the most obvious thing that can be stopped is the execution of other programs (that are not set as "permit always") without you seeing a confirmation window. It does depend on how you have configured ProcessGuard and what you have specified with Permit Always privileges

    It is important to note that ProcessGuard only protects one Registry Key, so unless you have registry protection there is nothing stopping injected code like this having a good scribble in the registry, creating entries in the startup sequence and doing other nasty things (like deleting files or forcing a reboot)

    ProcessGuard (or something like it) is a small but important part of protecting your windows environment. It has a few flaws but on balance you are much better having it than not. There are plenty of threads around the wilders forum describing the other useful security tools

    You should be aware that malware can (and has) remove ProcessGuard from the startup sequence as there is a race condition during startup. As far as I am aware this is not a common event, but it has happened at least once so don't assume that nothing can remove it.
    Just knowing that this is possible removes some of the risk because you can do something proactive to try and be aware if it happens

    Have a look at the Registry Monitor Comparison thread for information about the different ones available

    Your choice of personal firewall also makes a big difference to the PC's security, do a search on the forum for "leak test". One of the things that PG is good for is to provide protection where some firewalls fail to and if you have PG you can broaden your firewall choices to some that normally fail some of the leak tests (because PG stops the leak). Personal firewalls seem to be a religion for some people (much like anti-trojan scanners)

    There are plenty of good discussions about anti-trojan scanners about whether you need one or not and how effective they are (for the cost).

    For broad coverage, I would suggest that a very good thread to read is Security that you use and its purpose
  4. gkweb

    gkweb Expert Firewall Tester

    Aug 29, 2003
    FRANCE, Rouen (76)
    I would just add that to my knowledge, it's impossible to prevent all buffer overflow attacks, there is always a way to go around a protection.
    PrevX tries to protect from that but it can be circumvented, same for the NX protection from XP SP2.

    That's a very complex subject that goes beyond me, may be someone else will be able to help you on this matter.

  5. kareldjag

    kareldjag Registered Member

    Nov 13, 2004

    ***A similar question has been discussed here:


    ***PG or any other soft can't protect against ALL threats.

    A home user has more chance to be infected by Trojans/virus/spywares than to be wronged of a buffer overflow attack.
    And in that case, ProcessGurad is a must-have against these kinds of malwares.

    ***And a Buffer Overflow principally concerns the Stack and not really the registry, even if this one could be used in some cases.

    ***PrevX is not a solution.You just can be alerted and warned if any intrusion on a file/folder is detected.
    But it does not automatically mean that it's a Buffer Overflow.

    ***AbtrusionProtector, an other must-have soft which works quite well with PG could also limit the impact of B.O:


    ***It's sure that a Buffer Overflow is a dangerous and very efficient attack.
    Some of them could be used in order to launch a Denyal of Service for instance.

    And to be honnest, there's really no soft which could really solved the problem.
    In fact, it's not to the user to protect his system.

    Developers and programmers have to secure their soft by using safe libraries (like libsafe) and by using secure compile methods.

    ***If there's no radically solution, it 's not a reason for doing nothing:

    *By disabling javascript on your browser, you can limit some B.O (there's many methods to hack javascript)

    *Take frequently a look at exploits and vulnerabilities which concerns your softs (CERT, Secunia, Bugtraq etc...).

    But as it happens often, the more advanced is the attack (like Buffer), the less you may be wronged of this attack. ;) :D

  6. spectator

    spectator Registered Member

    Feb 26, 2005
    Thanks for all the great reply. It was very informative!
Thread Status:
Not open for further replies.