Buffer Overflow protection

Discussion in 'other anti-malware software' started by Kees1958, May 4, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958
    Offline

    Kees1958 Registered Member

    Hi,

    I tried Buffershield. According to their website XP DEP only protects against one exploit. After installing buffershield, I started the configuration. In the config ap, a special test tab is provided to check whether Buffershield is properly installed.

    To my surprise XP DEP intercepted all tests. I have DEP enabled for all programs and a processor which supports DEP. It seems that DEP catches all tests, does this mean DEP enabled for all programs is sufficient?

    Any insights/experience on this topic, anyone?

    Thx K
  2. ggf31416
    Offline

    ggf31416 Registered Member

    AFAIK the "software DEP" (for CPU without DEP) is the one that protects against a single exploit.

    EDIT: From http://www.grc.com/sn/SN-078.pdf (Page 9-10)

    Last edited: May 4, 2007
  3. lucas1985
    Offline

    lucas1985 Retired Moderator

  4. Kees1958
    Offline

    Kees1958 Registered Member

    GGF31416, Lucas1985

    Thanks for the info. Regarding BufferOverflow protection I always thought that a free software defense was: DEP of XP for all programs, Wehntrust and BoWall were the poor-man's solution.

    I wanted to trial Buffershield because it is only 19 dollar. Thinking what the heck, I got everything else covered with just EQSecure and GeSWall Pro on my wife's PC (my Son's PC has Antivir + DefenseWall + DSA, DW is supposed to protect against bufferoverflows according to Kareldjag).

    I did the install Buffershield as a trusted download and disabled EQSecure. The test covers the area's mentioned in the thread Lucas mentiones.

    I am still confused whether only the test program's (of BufferShield) uses the only exploit covered by XP DEP (software) or together with DEP enabling on a DEP featured CPU will cover you for all.

    Does somebody knows how the exploits are covered by Hardware DEP (the only pop-ups you get are the DEP pop-ups, plus the 'a fatal error message' of XP)?

    Thanks for the info

    (from this type of threads and earlier on SSM, FireWalls, sharing of new aps like PowerShadow and EQSecure, I really enjoy acquiring knowledge from other forum members)

    Regards K
  5. Rasheed187
    Offline

    Rasheed187 Registered Member

    I have to say that Buffershield really looks impressive (if you look at the exploits it protect against), I wonder why not a lot of HIPS are focusing on buffer overflow protection? Is it hard to code or something? But I really wonder if these tools are compatible with other HIPS, I do know that Wehntrust gave me problems a while back.

    http://www.sys-manage.com/english/products/products_BufferShield_Exploits.html
  6. Ilya Rabinovich
    Offline

    Ilya Rabinovich Developer

    Hardware DEP (NX/XD-bit) is the answer. Nobody will pay for solution, built-in into your processor.
  7. lucas1985
    Offline

    lucas1985 Retired Moderator

    Ilya,
    Are you saying that none of these tools offer protection beyond hardware-enforced DEP?
    What about ASLR?
  8. Peter2150
    Offline

    Peter2150 Global Moderator

    Not sure if that is really true. I have Hardware DEP turned on, and am less then enamoured with it. It decides something I do with explorer might be risky and it's solution is to crash explorer. There has to be a better mouse trap out there.
  9. Kees1958
    Offline

    Kees1958 Registered Member

    Hi, all

    As far as I know Microsoft software DEP covers just one of the buffer overflow exploits. When you know your processor, you can Google whether your CPU has build in Buffer Overflow protection.

    What I was wondering: is this ability turned on by enabling DEP for all programs or is it on by default (since it is a hardware feature). My PC passed all the Buffershield test.

    Regards K
  10. Ilya Rabinovich
    Offline

    Ilya Rabinovich Developer

    Yes, I mean it.
    ASLR is the only thing absent within WinXP SP2 buffer overflow defense. Vista already have it.
    It means that some Explorer's extension is written wrong. Remove it.
  11. lucas1985
    Offline

    lucas1985 Retired Moderator

    So, the features offered by WehnTrust Home User have some value or not?
    Thanks Ilya :thumb:
  12. Ilya Rabinovich
    Offline

    Ilya Rabinovich Developer

    With your Windows XP- yes. But there are some problems with this application:
    1. Wehnus doesn't correctly work with ZwSetSystemInformation hook- any kind of third-party hook cause BSOD.
    2. Wehnus doesn't correctly cover ZwQuerySystemInformation - this function return an old ntdll.dll base address. This will cause many issues with security software.

    I've sent e-mail to its support. but had no responce still.
  13. Rasheed187
    Offline

    Rasheed187 Registered Member

    OK, so the conclusion is: hardware DEP does the exact same job as Buffershield, and it´s capable of stopping all the exploits that Buffershield protect against? In that case, hardware DEP is better than I thought. :rolleyes:
  14. Ilya Rabinovich
    Offline

    Ilya Rabinovich Developer

    Just do not forget to switch it on for all the applications.
  15. lucas1985
    Offline

    lucas1985 Retired Moderator

    Well, I'll have to wait for a fix to these issues. I don't want an unstable machine :D
    Thanks again Ilya.
  16. Ilya Rabinovich
    Offline

    Ilya Rabinovich Developer

    I would suggest to ask their support if they going to improve their product first.
  17. lucas1985
    Offline

    lucas1985 Retired Moderator

    I'll do that ;)
Thread Status:
Not open for further replies.