Is Google Chrome truly that vulnerable?

Discussion in 'other anti-malware software' started by CoolWebSearch, Jul 6, 2014.

  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, I would not say the only way to stop exploits is EMET. For example, I believe MBAE has some anti-exploit techniques. Their efficacy just can't be verified, but they could be all new techniques of their own creation.

    Whether it's HMP or MB I haven't seen anyone too forthcoming about how the products work.
     
  2. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Right, definitely not able to function correctly if not for Sandboxie. :) The Sandboxie service process(es) does stuff on behalf of the programs (like a proxy to access things). Facilitated by the SbieDll injected into sandboxed processes that hooks relevant functions, and routes requests through the service when things fail/aren't accessible. (Like e.g. with Chrome and its broker process.)
     
  3. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Hardly. I think that would very much be an exception. WHY alter other processes when you already have code running in a process? That would be like saying for any normal program to do anything useful, it has to use another process to do it. o_O (Again, also why "anti-executables" are useless, since nothing needs executing (in their sense, another program) to run anything you want.)

    It seems "MemoryGuard" is a near-useless gimmick that serves no purpose other than to be much more likely to screw up legitimate operation of certain programs.


    Tell me, someone, what can AppGuard do at all to stop kernel RCE exploits (font, graphics, etc. in the past) or any EoP/privilege-escalation exploit? It all happens in one process, and once it's running as SYSTEM, you're screwed, like you guys said, and AppGuard could be disabled/bypassed or such.

    Of course this last question applies to Sandboxie as well, but I feel a bit better with stuff hopefully staying in the sandbox longer (e.g. SYSTEM in Sandboxie is still contained, at first, right? At least until o_O?? happens).
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AppGuard will block the vast majority of real threats in the wild. You keep comparing the handful of products that specialize in blocking exploits to AG. AG is designed to block all types of threats except for solely memory based, and kernel level exploits. Solely memory based, and kernel level exploits are very very few in number in the wild. Kernel level exploits would bypass just about every security product on the market. I seriously doubt it would look good if you tested MBAE, HMPA 3, and EMET against a large number of threats of all types. I believe AG would block many more threats than products that specialize in exploits if this type of test was performed.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It works for containment, and it works well for what it is intended for. AG is not just an AE; it sandboxes by limiting the rights of applications allowed to run. You can run the Flame Worm in Medium Mode of protection, and AG will allow it to run due to its digital signature. AG then successfully prevents the machine from becoming infected. In Locked Down Mode AG does not allow it to run at all. The Flame worm was supposed to be some highly advanced virus, but AG had no problem blocking it just after its discovery. https://www.youtube.com/watch?v=2Qop3OohIks
     
    Last edited by a moderator: Aug 23, 2014
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Not to rain on anyone's parade, but I didn't see anything overly impressive about that youtube demo. The malicious file was simply downloaded onto the desktop. This would have been deliberate by the end user; not even a drive-by download. Then when it's being executed - deliberately again - AG is put into no less than "High" Protection level. Wouldn't the Protection level be put to "Install" if the end user thinking the file was safe was intent on installing it? Please feel free to correct me if I missed something in the video. Things were moving rather quickly throughout. In no way is this a criticism of AppGuard; I just didn't see anything special about the malicious file block that most any anti executable would easily have stopped with its level set to stop unknown executables from launching.
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I just saw a response from Fleischmann; he specifically answered/wrote on the MBAE thread on page 38:
    "AppGuard definitely wouldn't have reached 100%, I can tell you that much, because it does not have any mitigations against reverse shell types, only payload types. It prevents guarded applications from manipulating the memory of other applications and has an anti-executable part as well. However, both AppGuard and NVT ExeRadar Pro do not prevent remote code execution as well as some specific payload types."

    And neither would NVT ExeRadar Pro achieve 100% either.
    Also, AppGuard and NVT ExeRadar Pro do not/cannot block exploits which do not need to start/run/execute in the first place.

    But what about the enterprise edition of AppGuard and EdgGuard: can they block/protect, or do they block/protect against, what AppGuard for home users cannot block/protect against?

    Cool for Google Chrome, since AppGuard cannot/does not add anything to Google Chrome.
     
    Last edited: Aug 24, 2014
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Then how did AppGuard beat EMET in that test provided by Barb_C (AppGuard scored 100%, and EMET scored only 80%)?
     
    Last edited: Aug 24, 2014
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Not needed, I will use Group Policy in Windows XP (User Configuration - System - "Run only allowed Windows applications" and "Don't run specified Windows applications" settings) and I will configure it; these settings are very similar to the way AppGuard works and protects any/every/all computer systems (system space and user space). It's the same as if I'm using AppGuard; it's a good-quality replacement for AppGuard.
    Sure, this will take a tremendous amount of time to configure, but it will eventually be done.

    But if Sandboxie4 currently works and protects the Windows system by using Windows integrity levels (like Gullible Jones wrote/confirmed), then it's very vulnerable on Windows XP Service Pack 3, the same as Chrome!
    So, I would not install it just for security purposes only.
    I have to find something else; most likely I'd simply use Firefox with recommended extensions like NoScript, AdBlock Plus and WebOfTrust.
    What do you all think?
     
    Last edited: Aug 24, 2014
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    One caution - this setting is only meant for processes run by Explorer.
    If you want better protection you can set up Software Restriction Policies.
    Firefox with all those extensions seems good :thumb:
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    OK, but I'll use both for security and protection; however, I have to be extremely careful when I configure what to allow and what to block, which is why I said it will take a very long time to do it. But to be honest, I thought SRP is not available/does not exist in Windows XP versions?
    If there is, then I'd definitely use it.
    Thanks in advance.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    SRP is available in Windows XP. Here is a good article with instructions on how to set it up: http://www.mechbgon.com/srp/
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AppGuard does not allow applications on the guarded apps list to write to the system space, or to the Program Files directory. That includes web browsers. So if code was injected into a Chrome process it still will not be allowed to write to the system space, or Program Files directory. I'm not sure how much damage these threats can do if it's only allowed to run in memory, and cannot execute any sort of payload. The exception would be kernel level exploits, which are very few in number. I guess there would be a window of opportunity there to steal data from your browser when entering info on a web page, but I don't think the threat will be able to survive a reboot. The memory guard is just intended for containment. You can also add any program you want to the guarded apps list for added security.
     
    Last edited: Aug 24, 2014
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That makes no sense. Why would you deliberately disable AG's protection to infect your machine? What would that prove? The user would be more of a threat to themselves then due to stupidity. No security application will protect the user if they disable it. The user was not trying to demonstrate a scenario where the user believes a file to be safe. Are you saying they should have tried executing the threat from a DOS command prompt? They could have tried to find a site serving the payload, but the result should have been the same in the end.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I guess that this is achieved in Medium protection level? What happens if malware is installed in user space (in C:\Users directory and HKCU registry hive)? Will AG provide protection from this malware's actions that got successfully installed?
     
    Last edited: Aug 24, 2014
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    There's nothing impressive about the demo. That's the point I'm trying to make.

    1. User downloads file
    2. User executes file
    3. Anti-executable at its typical protection level stops it

    All I'm trying to say is any anti-executable approach will stop the mainstream vectors, especially the above approach.

    Probably, but then it would be a more impressive demo. What if they found a site serving up a TrueType font parsing vulnerability on a setup that wasn't patched for it, and the anti-executable (or similar) stopped it? Now that would be an even more impressive demo!
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Unfortunately, in this case neither AppGuard nor NVT Exe Radar Pro would be able to protect against these kinds of exploits and vulnerabilities (like the ones you mentioned; TrueType font parsing vulnerabilities/exploits).
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Agreed, I think you are right. I've often wondered if these types of tools might at the very least present a "stumbling block" for those exploits, but based on what I've seen said of them they will simply blow right past them.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I would like some Cappuccino. :D

    But anyway, the main purpose of security tools should be to stop malware (that is triggered by exploits) from running at all. If malware can´t run, they can not perform code-injection and can´t steal or modify your data. So that´s why AG's "Memory Guard" and "Private Folder" feature are not interesting to me when it comes to blocking exploits, know what I mean? :)
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, you have 2 kinds of anti-exploit apps, namely the "dumb ones" like AG and EXE Radar, and the "smart ones" like EMET, MBAE and HMPA. Dumb exploit blockers simply lock down the whole system, you won´t be able to install software yourself when they are in "lockdown mode", so of course it will also block lots of exploits! The smart exploit blockers however, will let all apps run freely on the system, and will only come into action when they spot something suspicious. :)
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes thanks, but I would still like some more technical info. I can understand the virtualization part, but what is the purpose of running apps as "Untrusted", is it to strip them from all kinds of privileges and deny them to communicate with apps with different "Integrity levels"? And what if it does need a certain privilege, how does SBIE decide what´s allowed and what´s not? :)
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You can use http://sourceforge.net/projects/softwarepolicy/ (Simple Software Restriction Policy) software on Windows XP which is open source and will allow you to use SRP within XP.
     
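    Posts 10, 12 and 22 contrast the Explorer-only "Run only allowed Windows applications" policy with Software Restriction Policies. The following audit script is an added example written for this thread, not code from any poster or product mentioned here; it reads the documented policy locations in the registry and reports which mechanism is actually in force, so a reader can check the caveat raised in post 10 on their own machine. The human-readable labels and the `Get-LockdownStatus` name are this example's own.

```powershell
# Added example (not from the thread). Audits the two lock-down mechanisms
# discussed above: the Explorer RestrictRun policy and Software Restriction Policies.
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SaferRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP DefaultLevel values; the labels are this example's wording.
$LevelNames = @{ 0 = 'Disallowed (default-deny)'; 131072 = 'Basic User'; 262144 = 'Unrestricted (default-allow)' }

function Get-LockdownStatus {
    $report = @()

    # "Run only allowed Windows applications" is RestrictRun=1 plus a RestrictRun
    # subkey listing permitted file names. Only Explorer consults it, so a process
    # started any other way (cmd.exe, Task Scheduler, a script host) is not covered.
    $explorer = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    if ($explorer -and $explorer.RestrictRun -eq 1) {
        $listKey = Get-Item -Path "$ExplorerPolicy\RestrictRun" -ErrorAction SilentlyContinue
        $allowed = if ($listKey) { $listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) } } else { @() }
        $report += "RestrictRun: ON (Explorer-only), allowed: $($allowed -join ', ')"
    } else {
        $report += 'RestrictRun: off'
    }

    # SRP is evaluated at process creation and library load for every process.
    $safer = Get-ItemProperty -Path $SaferRoot -ErrorAction SilentlyContinue
    if (-not $safer -or $null -eq $safer.DefaultLevel) {
        $report += 'SRP: not configured (no DefaultLevel)'
        return $report
    }
    $level = [int]$safer.DefaultLevel
    $label = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "unknown ($level)" }
    $report += "SRP default level: $label"
    # TransparentEnabled=2 also checks DLLs; PolicyScope=1 exempts local administrators.
    $report += "SRP checks DLLs: $($safer.TransparentEnabled -eq 2); exempts admins: $($safer.PolicyScope -eq 1)"

    # Additional path rules live under <level>\Paths\<GUID> with the path in ItemData.
    foreach ($lvl in $LevelNames.Keys) {
        $rules = Get-ChildItem -Path "$SaferRoot\$lvl\Paths" -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $report += "  rule [$($LevelNames[$lvl])]: $((Get-ItemProperty -Path $rule.PSPath).ItemData)"
        }
    }
    return $report
}

Get-LockdownStatus
```

    A default level of Disallowed with Unrestricted path rules for the system and Program Files directories is the default-deny setup the mechbgon article linked in post 12 describes; RestrictRun reporting ON while SRP reports not configured means only Explorer-launched programs are being filtered.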
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    When I say EMET, I also mean HMPA and MBAE, I was just too lazy to type it all. But seriously, I still don´t know what you mean with "can´t be verified". If you download the new HMPA v3, you can run the exploit tool and you can read about it in the PDF file. HMPA will tell you exactly what kind of exploit techniques it protects against, just like EMET. MBAE refuses to do so, but they probably do about the same. :)

    On a more technical level: HIPS work by hooking certain API calls, so if a certain API is triggered then you will get to see an alert. I think that anti-exploit tools probably work by injecting IAT Hooks into process memory, to monitor "process execution flow". But you have a lot more technical knowledge, so perhaps you already knew about this, or perhaps I am totally wrong? Only developers will be able to give some clarity, I guess.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Hungry Man

    Here a comparison (done by SurfRight) between MBAE, EMET and HMPA. Of course Malwarebytes didn´t like it and decided to do a "sponsored test" that made some products look bad. :)
     

  25. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Considering that test contains total garbage like "anti keystroke logging" it's obvious why MBAE would want to sponsor a proper (hopefully) test that actually tests exploit mitigation techniques and nothing else.
     