Security software can reduce effectiveness of DEP/ASLR

Discussion in 'other security issues & news' started by MrBrian, Sep 5, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm considering removing Comodo and Mamutu actually. I need to figure some more things out =p
     
  2. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Ok then there is your answer.
     
  3. wat0114

    wat0114 Guest

    You're welcome. The results of the CIS scan are rather telling, although I have no idea, really, how easily exploitable the issues are. Most of the information presented isn't the easiest for me to interpret, although it's indisputable the issues are numerous, at least if the ASA program is accurately formulating its scan results.
     
  4. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Seriously, that's a lot of issues showing up. Not good at all.
     
  5. wat0114

    wat0114 Guest

    True, although I don't know how serious most of them are. If they're anything like the one sample kaspersky screenshot, it's a case of limited users having write access to certain directories created by the product in question. Still, this may be sloppy coding on the developer's part or it's actually necessary to allow write access for limited users for it to function properly?

    BTW, Kaspersky looks to have less than half that of CIS.
     

    Attached Files:

  6. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Wow. I might be rethinking my security setup once again. Applocker stays of course ;) Good thing I made some recent backups.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'll be very interested in what you come up with. I couldn't stand having both of those on my system, but you and I very likely don't think the same things about security, lol. Where we do agree is that an OS should be a lot more secure out of the box. Not many people can handle even some of the stuff we put on our systems, so they really need to be helped. That's usually why they stick to AV software and such, even now it's the mantra of every security 101 article in the media. It's all they know and it's all they're ever told.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Looking at cis alone is a terrible way to say it's insecure. Look at a bunch of others and I bet you'll see lists just as long.
     
  9. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Doesn't matter if one product has more lines than the other. wat showed that Kaspersky had half the lines of CIS and that is still too much. The point is that the security issues are there and can be used as places to attack. No one said CIS is not secure but if someone decided to exploit those security issues then CIS is breached as with any 3rd party security software with similar issues.
     
    Last edited: Sep 6, 2011
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I know. I just want people to realize that this isn't Comodo-specific.

    I need to go through the report more carefully and see how big a deal some of these things are.

    Writing to a meaningless config file about Comodo's theme may not be a big deal. But you figure the reason you don't need UAC prompts every time you open Comodo is because users can change the config.

    Has anyone actually tried... you know... exploiting this stuff? Changing settings via these reg/files?
     
  11. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I did a scan for MBAM Pro w/ Realtime Protection just for fun. :D
     

    Attached Files:

  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Do something like Emsisoft AM. That should have tons.

    The simpler the program the less it will have. Comodo has multiple modules with tons of config settings.

    I'm still trying to figure out how to fix Comodo. I'm thinking I'll block access to the config files except for Admin and then run Comodo as Admin?

    IDK, gotta be a better way...
     
  13. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Of course. I just wanted to see the results of a scan on MBAM Pro.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Users have modification access to most of C:\ProgramData contents. I just checked MBAM free and it gives me modification access to C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware.

    Checking permissions I can see Users have two permission sets. One allows Read and Execute only. The other one is special permissions, which gives Write access to folders and sub-folders. To delete, one needs Administrator privileges.

    It's not just restricted to security software, though. Some other applications' files are free from being deleted, though. I never really tried to delete the Write permissions and see what happens.
     
  15. wat0114

    wat0114 Guest

    You're right, and there are the common user directories where write access by at least the account member is possible as well.

    It would be interesting to see what happens after installing a security product, scanning for the issues, then removing the weak ACLs by removing write access to Everyone and Users. I wonder if it would break the functionality of the product or minimize the attack surface without breaking things? The latter scenario would obviously be ideal :)
     
  16. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    While that would be nice and all, wouldn't it just be easier to use built-in OS security and not worry about what weak ACLs some 3rd party security software has? Just saying :D
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It's not an issue with third-party security software or security software. It's software in general: download managers, etc.

    But, I don't think that having only Read and Execute permissions would cripple software. Following a bit of logic, C:\ProgramData will affect all user accounts, correct? If so, then only the administrator should be able to perform changes to those folders. Most applications (especially security applications) have a process/service already running that would allow them such permissions, anyway. For all other apps, we would be requested to allow the actions.

    That said, I don't think we'd see that many alerts. After all, a process already running with administrator privileges/running as a service could do that on behalf of the program. This way, C:\ProgramData would be off limits to modification.

    Would it break anything? :doubt:

    Users should only be able to Write/Modify their own user profile and nothing else.
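    The permission check m00nbl00d describes a few posts up (two ACEs for Users on a ProgramData folder, one Read & Execute, one with Write) and wat0114's idea of stripping write access from Everyone and Users, turned into a script. This is an added example, not code from the thread or from any product named in it; Find-WeakAce, Remove-WeakAce, the list of broad principals and the write-class rights mask are my own choices, and the script assumes Windows PowerShell 5.1 or later with English principal names.

```powershell
# Added example, not from the thread: audit directories (e.g. under C:\ProgramData) for
# Allow ACEs that grant write-class rights to broad principals, and optionally strip
# those rights again. Assumptions: Windows PowerShell 5.1 or later, English principal
# names, and an account that may read (and, for Remove-WeakAce, change) the ACLs.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits lets the holder alter content, or the ACL itself.
$WriteMask = [System.Security.AccessControl.FileSystemRights] (
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership')

function Find-WeakAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [int] $Depth = 1            # how far below each root to descend
    )
    foreach ($root in $Path) {
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction Stop) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # Generic rights show up as negative ints; the [int] cast keeps -band well defined.
                if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Inherit   = $ace.InheritanceFlags
                    Propagate = $ace.PropagationFlags
                }
            }
        }
    }
}

function Remove-WeakAce {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Finding)
    process {
        # Inherited ACEs have to be fixed on the parent (or by breaking inheritance); skip them.
        if ($Finding.Inherited) {
            Write-Warning "Inherited ACE on $($Finding.Path); fix it on the parent"
            return
        }
        if (-not $PSCmdlet.ShouldProcess($Finding.Path, "remove write rights for $($Finding.Principal)")) { return }
        $acl = Get-Acl -LiteralPath $Finding.Path
        # Remove only the write-class bits; a separate Read & Execute ACE for the same
        # principal (the layout m00nbl00d saw) is left in place.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Finding.Principal, $WriteMask, $Finding.Inherit, $Finding.Propagate, 'Allow')
        [void] $acl.RemoveAccessRule($rule)
        Set-Acl -LiteralPath $Finding.Path -AclObject $acl
    }
}

# Audit first, dry-run the change, and only drop -WhatIf after confirming the product
# still updates and runs from a standard user account.
$findings = Find-WeakAce -Path 'C:\ProgramData' -Depth 2
$findings | Format-Table Path, Principal, Rights, Inherited -AutoSize
$findings | Remove-WeakAce -WhatIf
```

Remove-WeakAce is deliberately narrow: it only touches explicit (non-inherited) Allow entries for the principals in the list, strips the write-class bits rather than the whole ACE, and asks for confirmation on every folder because the thread's open question, whether a given product keeps working once its ProgramData folder is read-only for standard users, can only be answered by testing that product.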
     
  18. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Well my main concern wasn't software in general but only 3rd party security software.
     
  19. wat0114

    wat0114 Guest

    True, I'm an advocate, as is probably quite obvious to many here, of using what's already built in to the O/S :) I was just speculating, although not really interested in trying it. m00nbl00d is probably right about the removal of write access not breaking anything.
     
  20. wat0114

    wat0114 Guest

    Sandboxie x64 was scanned. A few weak ACLs against the Trusted Installer but overall I'd say very impressive :)
     

    Attached Files:

  21. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Not bad.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The only weakness Sandboxie has is that it won't mimic file system permissions/restrictions and that settings should be per user account and not global.

    I would like for one user account not to be able to access the sandboxes of another user account, similar to what happens in C:\Users\.... You cannot access other user profiles.

    I'd also like to be able to, for example, apply a medium integrity level to Temp folder inside a sandbox. I tried it, but it won't stick. It's just how Sandboxie works. :'(

    Besides these issues (issues for me, anyway), Sandboxie is a blessed application. :D
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Depends on how poorly written it was but I would suspect yes else this thread wouldn't exist.
     
  24. wat0114

    wat0114 Guest

    As requested, here's Emsisoft am :) ...
     

    Attached Files:

  25. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Hungry Man would like to see this one. I will check it out as well. Thanks wat.
     