Trapmine

Discussion in 'other anti-malware software' started by KaptainBug, Jan 28, 2015.

  1. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    1. I do not know the exact functioning/purpose of this feature. (I haven't yet asked them)
    2. I do not have access to the exact specifications of the lockdown features in MBAE and HMPA, so I cannot fully compare them.
    3. They have stated before that there won't be a consumer version and I can easily understand why. (Resolving issues with a sysadmin is easier than with a layman, developing a special consumer version might not be worth the investment, etc.)

    Global settings:
    [attached image: trapmine3.jpg]
     
    Last edited: Apr 27, 2015
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ ropchain

    Thanks for the pic, and I can understand the logic about not releasing a consumer version. BTW, seems like they have a new website.

    http://trapmine.com/
     
  3. hjlbx

    hjlbx Guest

    Trapmine does not want to deal with home consumers... and consumer sales are much less profitable per sale.

    Small team = devote company resources to most profitable sales.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My question is this: what does this offer above the combo of AppGuard and HMPA? From the screenies I don't see anything.
     
  6. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    People have to decide for themselves which product is most suitable for their situation.
    But I can understand that companies don't want to deal with two additional mitigation products (HMPA and AppGuard) besides their current Endpoint Protection.

    Competition just means that multiple products are available for customers.
    For example:
    - EMET
    - MBAE
    - HMPA
    - Trapmine
    - Palo Alto Traps
    etc.

    (Yes, I am aware of the fact that a large company won't switch to another security vendor that quickly)
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Same over here, I think they need another payment provider.

    It's probably much of the same. The only difference might be the amount of exploit mitigations used.
     
  8. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I can provide an answer to that question:
    Isn't that the same with Antivirus?
    In the end you will end up with the same kind of techniques. (Yes, I know, that opinion does not account for all mitigations)

    For example:
    Stack pivots can be detected by checking whether the current stack pointer (esp/rsp) is between the stack boundaries defined in the TEB, Caller Check mitigations would most likely operate by checking whether critical functions like VirtualProtect are called using a CALL instruction, etc.

    In other situations you have to develop new techniques.
    For example:
    HW assisted CFI (HMPA)
    Micro-VMs (Bromium) (I do not know whether this one is comparable to traditional sandboxing solutions like Sandboxie)
    etc.
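As an added illustration (not code from this thread, nor from Trapmine, HMPA, MBAE or EMET), here is a small portable C model of the two detection checks described in the post above: the stack-pivot test that compares the current stack pointer against the TEB stack bounds, and a caller check that verifies the return address into a hooked critical function is preceded by a CALL encoding. The `teb_stack_t` struct and the byte buffers are constructed stand-ins for the real NT_TIB fields and for real code pages; REX-prefixed and SIB-without-base CALL forms are deliberately left out to keep the decoder short.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for NT_TIB.StackBase / NT_TIB.StackLimit. */
typedef struct {
    uintptr_t stack_base;   /* highest address of the thread stack */
    uintptr_t stack_limit;  /* lowest committed address of the stack */
} teb_stack_t;

/* Stack pivot check: a ROP chain staged in heap or data memory leaves
 * ESP/RSP outside the thread's own stack. True = pivot suspected. */
bool stack_pivot_detected(const teb_stack_t *teb, uintptr_t sp)
{
    return !(sp >= teb->stack_limit && sp < teb->stack_base);
}

/* Caller check: on entry to a hooked function such as VirtualProtect the
 * return address should sit right after a CALL. A RET-driven gadget leaves
 * a return address with no CALL in front of it. `ret_off` is the offset of
 * the return address inside `code`; any of these encodings may end there:
 *   E8 rel32 (5)   FF /2 with mod=11 reg (2)   FF /2 [reg] (2, +1 if SIB)
 *   FF /2 [reg+disp8] (3, +1 if SIB)   FF /2 [reg+disp32] or [rip+disp32] (6) */
bool preceded_by_call(const uint8_t *code, size_t ret_off)
{
    for (size_t n = 2; n <= 7; n++) {
        if (ret_off < n) break;
        const uint8_t *p = code + ret_off - n;
        if (n == 5 && p[0] == 0xE8) return true;        /* call rel32 */
        if (p[0] != 0xFF) continue;
        uint8_t modrm = p[1];
        if (((modrm >> 3) & 7) != 2) continue;           /* /2 selects CALL */
        uint8_t mod = modrm >> 6, rm = modrm & 7;
        size_t expect = 2;                               /* opcode + modrm */
        if (mod != 3) {
            if (rm == 4) expect += 1;                    /* SIB byte */
            if (mod == 1) expect += 1;                   /* disp8 */
            else if (mod == 2 || (mod == 0 && rm == 5)) expect += 4; /* disp32 */
        }
        if (expect == n) return true;                    /* CALL ends at ret_off */
    }
    return false;   /* no CALL encoding ends exactly at the return address */
}
```

Bytes that merely happen to decode as a CALL will pass this check, which is the known weakness of caller checks that the later posts in this thread allude to.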
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    And how does that answer my question? I translate this answer into "I don't know".
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    It seems to me that most companies today use some sort of endpoint security. It would be fun to know how many use Emsisoft Internet Security, AppGuard, HitmanPro.Alert, Sandboxie and NVT ERP. I think maybe some smaller companies might, but the larger ones use an endpoint product, I think.

    I only mention that because as of now, Trapmine is a company/business-based product, not a home user one.
     
  11. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    No one is able to provide a scientifically substantiated test without hiring a company like MRG Effitas.

    Because there is one thing that everyone loves while bashing other pieces of software, and that is independent tests.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes that's what I said, but like we know, not all anti-exploit tools use the same amount of techniques. HMPA claims to use more than MBAE, but MBAE claims to be able to stop all known exploit kits.

    So does this mean that HMPA will perform better in certain "exotic tests", when highly advanced exploit techniques are being used? I really don't know. And on top of that, a well configured anti-executable or white-listing tool, will probably also block most exploits, or at least the payload when it's disk-based.
     
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Yes, HMPA offers better protection than MBAE in certain scenarios, but of course, a real multi-staged attack can be detected in multiple phases of the exploitation process. (Something that is not being tested by the HMPA test tool, for example. Yes, the old discussion, again ;) )

    About the more advanced exploitation techniques: Everything is possible if you know the limitations of general mitigation techniques. For example: If you want to bypass a stack pivot then you can just run a ROP chain from the stack and if you want to bypass a Caller Check mitigation then you can just use a CALL VirtualProtect() instead of returning to VirtualProtect. That is research that has been described pretty well in the last two years.

    I agree on the fact that a well configured anti-executable might perform well against dropped executables. Although I do not know how certain anti-executables react on in-memory implants.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Two things:

    1. First, I was asking in general terms whether there is anything in Trapmine that is unique, and I am guessing the answer is no.

    2. I would admit that my setup is approaching, if not at, the paranoid level, but let me ask: if you were one of my clients and I had your financial data on my machines, would you rather I take this approach or a very lax one?
     
  15. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    1. I don't know, I could not find any documentation.
    2. I have seen machines used for financial administration that were lacking 2 years worth of patches.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I believe it. But while I have a service, my business is all about trust. I protect that trust at all costs.
     
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    I don't think so either, but of course I don't know.

    No, it's completely understandable. Sorry for lashing out at you.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I didn't feel like you lashed out. Anyway all is good.

    Pete
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, that's why I feel safe with MBAE at the moment. Have you been able to figure out what type of (or how many) anti-exploit techniques are being used by Trapmine?

    The question is, how many exploits are using in-memory payloads? I keep reading about standard exploits that use disk-based payloads like ransomware and banking trojans.
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I have noticed some software makers here use Metasploit to test their software.
    http://www.rapid7.com/products/metasploit/editions.jsp

    Dynamic payloads to evade leading anti-virus solutions

    De-facto standard for penetration testing with more than 1,200 exploits and 1.2 modules added per day
     
  21. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    1.a In the screenshots I posted earlier you can notice that it contains the same memory mitigations as EMET, HMPA and MBAE. (Yes, I know, this is still the general picture; there are always subtle differences between all the mitigation tools, but they are all capable of mitigating most current exploitation techniques)
    1.b I cannot make a comparison of the 'Application hardening/lockdown' feature of Trapmine and those of HMPA/MBAE, simply because I do not know the complete details of the implementation used in HMPA/MBAE.

    2. I can't give a conclusive answer to that question. afaik Angler EK was using diskless infection methods and also some exploits used in targeted attacks.
     
  22. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Dynamic payloads != in-memory payloads.
    Although you can perform a lot of actions using the Meterpreter functionality.

    Furthermore, exploits are still exploits. It doesn't matter whether they originate from MSF or from an EK. (If you're talking about the used exploitation techniques)
     
  23. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    poweliks
     
  24. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I am curious what your motivation is for providing the name of a single malware family.
     
  25. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Bedep and Poweliks... the chief "fileless" payloads. Lurk and Phasebot are others. Relative to "how many exploits are using in-memory payloads": granted, it's the payload which distinguishes the particular exploits used. I'm seeing CVE-2012-0158 exploited (Poweliks), multiple Flash (Bedep/Angler) and Java exploits for the older classes (Lurk/Phase).
     