Freeware setup giving malware a hardtime to intrude your system

guest have you ever used SecureAPlus?

 

Been play in a VM, SmartObjectBlocker looks awesome - any idea how the coverage compares to Appguard? I guess the key advantage is the ability to add extra rules as required

Has any run any of the exploit suite agsint this config - CLT HMPA exploit or simliar?

 

If EMET can do those things, and MBAE apparently can't, then how come you said that if you had MBAE Premium you don't need EMET?

Also thank you very much, that goes out to the makers of this fine software too. I'm going to give this current Safe Admin approach a try on my Win7 Ultimate x86 & x64 setups, along with a few of my own wrinkles, Sandboxie, Comodo FW/D+, and Shadow Defender.

 

no and i don't need it.

 

A comment here. EMET's ASR will not protect you from in memory exploits, if that is your primary concern. MBAE Premium, HMP-A paid, or a good HIPS will because you can define non-browser processes with them.

ASR
The Attack Surface Reduction (ASR) feature in EMET 5.0 helps reduce the exposure of applications by preventing the loading of specific modules or plugins within the target application. This protection can really be effective in cases where an attacker forces the target application to load a specific DLL to bypass ASLR (Java msvcr71.dll is a very typical case). Protection provided by ASR does not affect our exploit in any way because we are using a memory leak to bypass ASLR in the IE ColspanID exploit. We are also not loading any extra modules to bypass DEP. Nevertheless, we conducted some research to understand where this mitigation is located within EMET.dll. Once again, we noticed that the actual checks are done within the very same ROP-P routine, thereby making ASR entirely ineffective once the ROP-P general switch has been zeroed out. However, if an attacker is planning to force the target application to load a blacklisted module to bypass ASLR, he wouldn’t be able to disarm the EMET ASR protection using our technique before loading the forbidden DLL.

Ref.: https://www.offensive-security.com/vulndev/disarming-emet-v5-0/

-EDIT- However, the following excerpt from the above link states enabling EAF+ and copying the noted .dlls into the protected app would mitigate the ASP bypass. You would have to test the app for full functionality.

EAF+, on the other hand, introduces a few extra security checks. First of all, it offers the possibility of blacklisting specific modules that should never be allowed to read protected locations (EAT and MZ/PE header of specific modules). For IE, EAF+ blacklists by default mshtml.dll, Adobe Flash flash*.ocx, jscript*.dll, vbscript.dll and vgx.dll.

Note however that EAF+ will not prevent malware.dll being injected from memory using methods such as reflective dll injection.

-EDIT 2- Win 7( WIN 8 much less so ) is vulnerable to memory heapspray exploits. EMET for all practical purposes is totally ineffective against advanced heapspray attacks due to it's checking of fixed location low-address based memory only.

 

Thanks for this. So many things I did not knew

 

May i also suggest https://www.wilderssecurity.com/posts/2524470/ ?

 

On business / partly holiday travel at cape town now. Will be updating this thread with all new features of smart object blocker when I a back. No need for EMET ASR any more since SOB can block this now

 

Looking forward to all that when you make it back to update.

@Windows_Security Hope that you enjoy the Leisure side of things while on your stay and all is well

 

For a Dutchman it is awkward to see a split society in which the Dutch were partly responsible. But the country is beautiful. Thx

 

Hi Kees,

I'm wondering if this strategy would still be helpful on Windows XP, even though it lacks UAC. I'd be logged in as an Administrator (unavoidable), but threatgate applications would be forced to run as a Basic User, and probably sandboxed by GeSWall as well.

Phil

 

Itman the point of adding vbscript, jscript, etc to ASR is that exploit based intrusions access to shell or script engines. Actual exploit changes the flow of events, but then some code has to execute, nearly always the free accessible code execution is used (vbscript, jscript, cscript, powershell, dotNet). So by blocking these DLL's in EMET you mitigate the impact of intrusion.

 

@pclavert

Phil, yes this would work, but leave out the Smart Object PARENT rules (post 4) and EMET ASR for threat gate applications protected by GeSWall. You need to allow the EMET/MBAE/SOB dll's in GeSWall protected applications, otherwise GW will block them.

Regards Kees

 

Hi Kees,

So, under Process block rules I should leave out the lines that begin with "[%PARENT%: ". Is that correct? If so, what is the reasoning behind leaving out those lines?

Phil

 

Yes, because GeSWall takes care of that (it redirects or blocks).

 

Thank you Kees, I really appreciate your help.

 

Thanks windows_security, good guide, also is good what you did for security setup link, wish there was more posts like this on here instead of people just recommending to buy 4+ commercial programs.