Buffer Overflow Protection

Discussion in 'other security issues & news' started by richrf, May 25, 2005.

Thread Status:
Not open for further replies.
  1. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Kareldjag.
     
  2. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    simple explanation of buffer overflow

    edited link : Wrong link. see post below
     
    Last edited: May 28, 2005
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
  4. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That's not quite true. Languages (and compilers) that enforce proper bounds checking on all variables will be immune to buffer overflows. This problem exists principally because C/C++ do not enforce size limits on variables. More modern languages like Java are immune to such flaws (see Learning the basics of buffer overflows) though implementations of the Java RunTime Environment written in C/C++ can have buffer overflows.
     
    Last edited: May 28, 2005
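    The post above points at the root cause: C leaves the bounds check to the programmer, where a language like Java performs it on every array access. The following is an added example, not code from the thread or from any product discussed in it; it shows the explicit length check a C programmer has to write before copying caller-controlled data into a fixed-size buffer, and how an oversized input is rejected instead of running past the end of the buffer. The `record`, `name` field and function names are illustrative assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `src` into `dst` only if the whole string plus its NUL terminator
 * fits in `dst_size` bytes. Returns 0 on success and -1 if the copy would
 * overrun `dst`; on failure `dst` is left untouched. This is the check a
 * bounds-checked language performs for you and C does not. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Measure the source without ever reading more than dst_size bytes of it,
     * so an unterminated input cannot make the scan itself run away. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len == dst_size)        /* no room left for the terminator: reject */
        return -1;

    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size, so this is in bounds */
    return 0;
}

/* A fixed-size record of the kind that classic overflow bugs live in
 * (hypothetical layout, for illustration only). */
struct record {
    char name[16];
};

/* Store a caller-supplied name, refusing anything that would not fit. */
int set_name(struct record *r, const char *name)
{
    return bounded_copy(r->name, sizeof r->name, name);
}

/* Convenience wrapper: 1 if `name` was accepted into a fresh record,
 * 0 if it was rejected as too long. */
int name_accepted(const char *name)
{
    struct record r = {{0}};
    return set_name(&r, name) == 0;
}

int main(void)
{
    struct record r = {{0}};

    /* Fits: 6 characters plus the terminator in a 16-byte field. */
    printf("set_name(\"opera8\") -> %d\n", set_name(&r, "opera8"));

    /* Does not fit: 16 characters would need 17 bytes, so it is refused
     * and the previous contents of r.name survive. */
    printf("set_name(16 chars) -> %d\n", set_name(&r, "0123456789abcdef"));
    printf("name is still \"%s\"\n", r.name);

    return 0;
}
```

    The boundary matters: a 15-character name is the longest that fits, a 16-character one is refused, and the refusal is what prevents the overflow rather than any later detection of its effects.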
  6. CN232

    CN232 Guest

    Why? Registering doesn't make me any less clueless I'm afraid :)

    Clearly instafinder.exe sounds like some search engine hijacker and probably it doesn't fit the name of processes you expect when running the installer (unless you were installing a desktop searcher!), but I don't see why someone couldn't simply name it to something more appropriate.

    As for the other processes, I bet they weren't very creatively named (or rather they were TOO creative!)

    How do you know if any program has any business being in your system32 directory? I look at my system32 directory and I see tons of non-MS stuff sitting in there, granted many are related to security software, but not all.


    I'm aware that the best argument for execution protection is to detect trojan droppers, but even then, I would argue that it's pretty much guess work. I routinely run installers with SSM on, and all I see is a bunch of processes, chain starting one another.

    Being the type of person who doesn't know the difference between "c:\windows\svchost.exe and c:\windows\system32\svchost.exe" as you colorfully put it, am I merely wasting my time?


    Any such "understanding" would be merely guesswork, unless you have the code isn't it?

    I think I can fairly say that many users who tout PG's execution protection are in the same boat as me (clueless that is) and I'm not at all confident of my ability to use execution protection. I'm wondering if this feature merely gives me and them a warm and fuzzy feeling of being in control, even though in most cases the control merely eats up a couple of seconds of their time each day just to click yes :)

    The irony is buffer overflows is probably one of the best reasons for execution monitoring. Though buffer overflows are not directly detected (the shell code injected I believe is seen as part of the normal functioning of the trusted process), in many cases, the shell code will need to start another process to do something, because the length of the shell code injected is usually pretty limited.

    I already hinted at this point, when I asked Rich for "Type 4" events. I suppose the scenario would go that an attacker has some buffer overflow against your browser or you are running some media program listening to online music and you are hit.

    How is this unrelated from your trusted process? I argue it's not the same because unlike in events I, II, III you have not made a mistake in executing/trusting a malicious program.

    Very good answer Spikely, I expected Rich the defender of "proactive defense" to answer though, not someone who doubts whether PG is necessary! :). For a malware to automatically install itself on your computer (without you executing it directly) it would have to exploit an existing program that is network enabled (email client, browser, IM, some windows services if not firewalled, media player, any updater program?). It is either thru

    a) A bug in the program (buffer overflow for example!) or
    b) wrong configurations in some trusted program

    Given that we are all security gurus here using PG (except clueless me), b) shouldn't be a problem. So it's down to a). So yes, PG's execution monitoring does have its point, but only in occasions when you are hit by some exploit of specific software you are using.

    The point I'm making though is that most people don't get infected because of exploits in the software they are using. I'm talking about the people of this forum of course, who patch regularly, run reasonable security software (AV,firewall etc), use common sense, that's why they can live happily without execution protection.

    The paranoid among us of course live for the day an attacker targets us with some unknown zero day exploit, but the chances of that is....

    The clueless users DO get infected running warez/freeproggies and clicking yes to every prompt, IE and every other program throws up. Exe monitoring unfortunately, can't cover either hole obviously.

    My beef with all this hype about exe monitoring is that without safe hex and a whole lot of knowledge it's pointless.

    In fact, safe hex is way easier to learn than gaining HJT-like skills for interpreting exe launch prompts, and yields far more marginal protection. That is why I would NEVER recommend such features to anyone I find with a bunch of malware on their computer.

    It's clear they don't even know the basics of safe hex (one worm maybe is understandable, but a bunch??), trying to get them to use PG's exe monitoring ability would be like expecting a kindergarten kid to pass an undergraduate exam.

    Of course, if the guy gets hooked into this hobby and asks to learn more...
     
  7. CN232

    CN232 Guest

    Huh? Even if windows is perfect, what does that have to do with anything?

    My point is simpler, if you don't have the ability to evaluate properly the prompts (and I suspect even among the relatively high skill level here, the %tage wise is pretty small), exe monitoring is pretty much useless.

    And even if you do have the experience, it's still pretty much guesswork.
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    You make this seem like an all or nothing proposition. Extreme positions are useful, but have limited real practicality.

    For example, one can make the case that because every AV out there cannot detect all possible viruses, then they are useless. A pretty impractical position in my opinion.

    Similarly for products like ProcessGuard and RegDefend (and others). Everyone who uses these products should have a top-rated AV. This is the first line of defense. If, per chance, some malware gets past this first line, then ProcessGuard may catch it (I also run WormGuard). If it does, the user has another chance to stop it. If ProcessGuard is not there, they probably have no chance to catch it. Is it worth the $29 insurance policy to have this chance? For me, and many others, the answer is of course yes. (Of course, there is the possibility to deploy anti-trojans and anti-spyware which actually generate as much, if not more, false positives than PG).

    Again, from a practical point of view, it is going to be a very rare phenomenon for a user to be confronted with a PG alert for a real piece of malware in the early stages of education. They, in all probability, will be alerted to some programs that they run infrequently, and they can either research the program on Google (as I do), or just let it pass. It depends upon the nature of their machine and the program. Trust me, learning MS Word is far more difficult than this and tens of millions of people have somehow successfully learned to use MS Word.

    So the bottom line is not whether PG offers a perfect user interface at this time (I think the user manual can be greatly enhanced with lots of benefits and not too much cost in resources), but rather whether the protection it affords is worth $29. For me, given the very limited learning curve (compared to cleaning a machine or researching false positives that all anti-malware generate), the answer is yes.

    I think your extreme position is useful in discussing ways to improve ProcessGuard in the future, but does not fully give credit to the protection that it affords today - unless you truly believe that a false positive from PG is that much more difficult to research than the FPs I get from all of my security software.

    Rich
     
    Last edited: May 28, 2005
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    There's a little Cluelessnewbie in all of us :blink: :D ....but I just know you'll always add positively to a thread....regardless if you decide to join or remain simply a Guest @ Wilders ;) :p
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This was my conclusion and the reason I shied away from PG: I *don't* have the experience to evaluate prompts for processes. In looking at the PG threads, they are full of posts asking about this process or that - "should I give permission? maybe one time only?" -- and often the suggestion is to *google* or check some database, etc. Even if I took the time and did that, I don't know that I could sort it out...

    I opted for a simpler anti-exe program (it automatically creates a white list at installation) just to be able to catch malware that happens to sneak in (never has in more than 10 years of computing) -- but if so, there is only one answer to the prompt: DENY

    because if anything should bring up a prompt (none so far), it's not authorized, so there!

    Installing new stuff: I don't worry about monitoring installations to check each process, files, etc, because I don't frequent the back alleys of cyberspace and am not worried about installing a program that might have a trojan because I only purchase from reputable shops/sites.

    After installing, add to the list.

    That's it.

    I'm not knocking PG - I spoke highly of it in the forum, it's amazing, really what it does - for me it is more bother and fuss than I need.

    -rich
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rmus,

    There are many approaches to the problem.

    Just as an aside, my wife and son have been using the machine with PG for about six months now. Neither have any computer background and truly are clueless. They have had zero problems using it. Unless you use the product, it is difficult to understand that unless one chooses a more 'restricted white list', there are hardly ever any prompts. I have purposely made a decision to restrict programs such as explorer.exe and rundll.exe, which generate almost all of the alerts. The product that you have chosen, no doubt, permits rundll.exe and explorer.exe, which if I did the same with PG would have the same effect.

    As for real malware that may appear in alerts, I think you will find that some research will always be necessary no matter what the product. Malware developers just aren't of the mindset to make it obvious. :)

    But in all probability, you will never face this situation if you have a top-rated AV. If KAV, for example, is catching 99% of the malware out there, then I would be at risk 1 out of every 100 malware that I contact (on average). I get about two or three such alerts each year from KAV. That means I will not have had one hundred alerts in 30 years. :) So ProcessGuard really is an insurance policy. I will probably never be involved with a fire or an auto crash, but I still carry insurance just in case, for the off case that I might hit that 1 in 100 malware earlier in the cycle rather than later.

    But this above example is with KAV. Two of my friends were seriously penetrated within a recent two week period using other top-rated AVs. One is now using RegDefend and ProcessGuard. The other decided to change her email habits and did not think that PG was necessary.

    Rich
     
  12. CN232

    CN232 Guest

    I beg to differ if you read any of my posts you will see I use parentheses generously (most of the time anyway except for obvious positions) to qualify my statements!

    I do not say exe monitoring has no value, just very little, and I have explained my view over and over again using examples.

    In view of what you write next, it's clear you are missing the point or you are not thinking things through. It's not about extreme positions.

    As for impractical positions, expecting users to gain a deep understanding about the guts of the windows system with only minor gains would be impractical IMHO.

    How can PG generate "false positives" (FP)? PG is not a signature based approach, the term false positive does not apply to it. Unlike AVs, PG does not state if process X is evil, it just states the process started.

    Let's say for the sake of argument we try to use the term FP for Processguard.

    When your AV prompts you about process X, and it shouldn't, it's an FP.

    If you want to use the term FP for PG, you would have to say 99.999% of the time when it prompts you, it's a FP, since you always allow it. LOL!

    Every new process you start, PG will prompt you, which is a 100% rate. Even the worst AVs won't match that!


    But you do tangentially bring up the point I'm talking about. For most users, even though signature based approaches generate some FPs, most of the time they generate information to act on.

    That is way more useful than a prompt telling you that process X has started. So what? Is it bad? Is it good? You don't know and if you are a newbie, it can be as scary as an FP from an AV. Or worse it can breed a habit of ignoring such prompts.

    Wasn't that Vikorr's line? Personally I doubt if this assertion is true, the basics of word processing is basically writing with a few standard menu functions (few need more), and enough work has been done by now to know how to make word processing fairly intuitive. Using PG effectively to monitor launches, requires what one poster called a level of ability similar to that of reading HJT logs. Are you sure most people can do that?

    Another point is that most people are required by their jobs to master word processing basics, so they do have the desire. You have to convince me though if they really need to have exe monitoring.

    Especially when millions go without and are without problems.

    For me, the exe monitoring was clearly secondary to its main function of stopping process termination/modification. According to some reviews about the history of PG this is apparently the case.

    But for some reason Rich, you seem to hype it far more than what I see as other more important functions of PG.

    Yes "proactive defense" is good, but within reason. Most of the time a process starting gives you zero information.

    I'm personally going to market a new proactive defense product that will detect the second you press the power button on your computer and give you the option to disallow!


    Talk about pro-active defense :)

    Now that is extreme!

    For me PG's exe monitoring gives me a 100% false positive rate :)

    No I don't believe that. I just believe there are obviously more FPs for PG :)
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, richrf,

    Yes, I became aware of that from following posts in the PG forum, and that was a good point in favor of getting it. But the reference I made to the Andreas paper about possible conflicts, made me a little leery, and since Anti-executable and Deep Freeze are made by the same company and are designed to work together, I opted for that setup.

    If I get a prompt that an unauthorized .exe wants to run, I'll deny it. Why should I research it?

    One reason for my setup is to preclude the necessity for AV. I just don't want to be bothered with updates, etc.

    If malware gets in, it either:

    1) attempts to run, or

    2) sits and waits to do something later

    If 1), it's blocked

    If 2) it's removed on reboot.

    I like life simple. That's why a firewall and those two security programs, and that's it!

    -----------------
    EDIT: in keeping with the topic of this thread, I should say something about buffer overflow :D

    I agree with Kareldjag's comments:
    -----------------------

    Best regards,

    -rich
     
    Last edited: May 28, 2005
  14. Cn232

    Cn232 Guest

    Clearly you don't install many new programs. I wonder if you consider a new exe you are running for the first time "unauthorised".

    But as you noted in the case where you don't often install new software, you are pretty much safe anyway.
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rmus,

    Lots of interesting points.

    1) First, I agree with your decision. It is better to get the two products from the same company in order to avoid potential conflicts, especially if you are satisfied with the functionality of each product after you did your due diligence.

    2) Yes, if I get prompted for any unknown exe I will also deny. However, the exe may be necessary for some authorized program (e.g. a new update of an existing program). In this case, some additional research may be necessary in order to decide whether or not to give permission. This most usually happens in the case when PG is blocking the installation of some service or hook. So simply denying all "unknown" .exe's in all cases probably is not practical.

    3) It is possible for malware to get past your FreezeX application firewall and be quite active until you reboot (as it has been discussed in other threads, PG and probably other similar application firewalls cannot stop all types of malware). A piece of malware nowadays can do a hunk of damage in between the time it is first introduced and hopefully eliminated by the re-boot. So I personally would not want to introduce that vulnerability into my system whether or not I use a product like Deep Freeze (there have been many discussions on this topic, and I recognize that there are different points of views).

    Thanks for your comments,
    Rich
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Absolutely not! Why should I?

    In looking back in my ZipFile directory (I keep everything), I've installed 124 in the past three years (many just to evaluate; some upgrades). Has nothing to do with how many, but where they come from, as I stated in previous post. :D

    regards,

    -rich
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why? If it is an update from a reputable website for my program (I just upgraded to Opera 8) I will assume that it's OK

    some clarification here:

    FreezeX (now called anti-executable) is not a firewall, it's similar to PG (anti-exe part, anyway)

    So, the malware cannot become active because the anti-exe program will block it from becoming active.

    I don't understand how it can do a hunk of damage if it's blocked by the anti-exe program (PG or anything) from becoming active.

    regards,

    -rich
     
  18. CN232

    CN232 Guest

    In other words, you trust the sources you are downloading/purchasing from which has nothing to do with protection from your security software.

    Fair enough.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Correct - I did not purchase security software to protect me from trusted sources.

    -rich
     
  20. CN232

    CN232 Guest

    A common advice here is to avoid "suite type solutions". Couldn't over-reliance on solutions (even standalone solutions) by the same company be a possible similar problem?

    For example, Jason has a hand in both Regdefend and Processguard right? What about wormguard or TDS-3? If he is the main programmer in all these, as brilliant as he is, it might be possible that the same flaws might be in all of these programs.

    Diversity might be a better idea.

    Just wondering aloud...
     
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    pffff, I don't get it..it's you making the hype actually lol cause there is no such thing as 100% security :) there is no perfect thing .. if you find the holy grail CN232, let us know cause we all are searching here ;)
     
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Duly noted, and thanks for the article, it's a good one :) I was mainly referring to types of programs, though.. you never know how well they're coded, and it doesn't matter which OS.

    CN232: I'm actually agreeing with you here, but nevertheless, even with a modicum of knowledge there are still some instances (unexpected or suspicious executions) that it can be useful. Sometimes things are obvious, and even those can sometimes slip by your other defenses. I have PG on my gf's system, she doesn't know much about computers but denies any new popups.. so in her case, it works quite well. But like I say, its usefulness really has a lot to do with your comfort and skill level, as well as your habits.. It's certainly not for everyone. In my own case, there are times that my mouse skips and I end up running something that I don't mean to, so the ability to deny its execution can be quite handy. The bottom line is that it really boils down to user preference.
     
    Last edited: May 28, 2005
  23. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Lol, yes Infinity, I'm glad you noticed. CN232 has been on a baiting spree for a while now :)

    Although, I do agree with him about the limited to no use of global protection/exe protection SPECIFICALLY in relation to installing programs. And I also agree with him that PG's best features are its global protection settings. Although it's also nice to know that my protected exe's won't get infected (except maybe by buffer overflow)
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    so the question is: should pg protect buffer overflows? is that the question? does pg need to protect against everything? .. Don't think so .. like Kareldjag said: there are other tools specialized in this...don't put all your eggs into one basket...

    just my two cents
     
  25. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    quite agree
     