(EMET 4.1 U1) 32-bit test: the "ROP WinExec via anti-Detour" test is passed. With the previous version it failed.
The new version sounds very good but I can't get it to work properly. What's supposed to happen when you run the non-exploit calc against another app, IE11? Any other way to verify the test? In EMET I have all mitigations enabled for IE11, and when I run the test tool against IE11 EMET alerts about EAF for every exploit. Something must be wrong. If I try to protect the test tool itself, EMET detects EAF immediately when it's launched. And if I disable EAF it won't be protected the same way my programs are and therefore is not as good a test. I've tried excluding the test tool from my AV to rule out a possible conflict, but no difference. Oh, and "Browse for 32-bit application" always hangs the program.
Well, in the end I've settled with HMP.A... The experiment is now on hiatus unless someone is willing to continue it.
Tried ver. 1.5 yesterday on Win 7 SP1 x64, IE10, EMET 5.1. Had the exact same issues you described. The only way I could get the test tool to run was to disable EAF for the app in EMET. Whatever these later versions are doing, they are not handling EAF properly. The best version I have used in testing EMET and MBAE was 1.0.0.13.
Since I got another computer (and will probably lose HMP.A license in the near future), this project has been revived! Only difference is, EMET won't be factored in due to me having a MBAE Premium license (thanks Pedro!) and the other computer is quite vanilla.
When it comes down to the level of protection that they offer, they should be pretty similar. If one knows how to bypass one tool, then the rest shouldn't be a problem at all; it is just luck that those kinds of exploits have not yet been observed.
Yes, but the free version of HMP.A does not include exploit mitigation (or even Process Protection), as noted in OP.
Ah, but I don't use Office or Reader on the new tablet. Only Chrome for some PDF. And I do have a license for MBAE (going to be on main laptop) as a Wilders member/contributor.
Good thread, so this has taught me 2 things. Adding svchost.exe to EMET is indeed not a waste of time like some say it is. Process hollowing protection on HMPA blocked that malware, which is good, as I have disabled EMET on system processes since last week on the advice of others. EMET isn't on my laptop at all now; it's on my Win10 machine but protecting nothing (no apps configured), and on my Win7 machine it just protects a few third-party services that HMPA doesn't cover. I have always considered explorer.exe and svchost.exe a weakness in the Windows OS, due to the fact that third-party software can utilise both.
You're misunderstanding, exploit protection is not meant to protect against process hollowing. And normally speaking, system apps like explorer.exe and svchost.exe are not directly attacked by exploits, that's why everyone is saying they don't need any protection.
Odd, I have seen them frequently hijacked by malware. svchost is a well-known way into Windows systems for malware authors, as so many services attach to it. What it is meant to do is a matter of opinion really; the evidence is here in this thread that hardening svchost blocked the malware sample.
You don't seem to know the definition of "exploit". System apps like svchost.exe are often attacked by malware that has managed to run on the system. But the point of HMPA and MBAE is to block the malware from running at all, by blocking the exploit.
Perhaps the question is: is there any benefit to protecting svchost.exe with HMPA in case a malware does manage to execute and hijack svchost.exe, or is something else needed at that point?
I am talking about malware using svchost to run in the first place, not something already running. But even if it's already running, it doesn't make svchost protection pointless. The term "exploit" has existed for decades; the current marketing term for it seems to make it associated with memory hacking only. If malware is trying to hack memory, then it's already managed to infect software to get in the position of attempting the exploit in the first place. svchost, it would seem, is already protected in HMPA by that process hollowing feature. https://www.trustwave.com/Resources/SpiderLabs-Blog/Analyzing-Malware-Hollow-Processes/
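The svchost.exe hijacking and hollowing argument above can be checked rather than debated. The following is an added example, not code from anyone in this thread and not part of HMPA, MBAE or EMET: a PowerShell heuristic that flags svchost.exe instances which were not started the way the Service Control Manager starts them. Legitimate instances are children of services.exe, run from the System32 copy of svchost.exe and carry a `-k <group>` argument; a hollowed copy is typically created suspended by the injecting malware, so its parent is that malware, not services.exe. The function name `Find-SuspiciousSvchost` is my own and the check assumes it is run elevated on Windows 7 or later with WMI/CIM available.

```powershell
# Added example (not from the thread): flag svchost.exe processes whose parent,
# image path or command line do not match how services.exe launches them.
# Assumes an elevated session; without elevation ExecutablePath/CommandLine may
# be empty for some processes and those fields are then simply not checked.
function Find-SuspiciousSvchost {
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $procs = Get-CimInstance -ClassName Win32_Process

    # Index every process by PID so parent lookups are O(1).
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $reasons = @()
        $parent = $byId[[int]$p.ParentProcessId]

        # 1. Real service hosts are children of the Service Control Manager.
        if (-not $parent -or $parent.Name -ine 'services.exe') {
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }
            $reasons += "parent is '$parentName' (PID $($p.ParentProcessId)), expected services.exe"
        }

        # 2. The image should be the System32 copy, not a look-alike elsewhere.
        if ($p.ExecutablePath -and ($p.ExecutablePath -ine $expectedPath)) {
            $reasons += "image path is '$($p.ExecutablePath)'"
        }

        # 3. services.exe always passes a service group with -k.
        if ($p.CommandLine -and ($p.CommandLine -notmatch '\s-k\s')) {
            $reasons += "command line lacks '-k <group>': '$($p.CommandLine)'"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID      = $p.ProcessId
                Parent   = $p.ParentProcessId
                Findings = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousSvchost | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: a parent PID can be reused after the parent exits, so an `<exited>` parent is a prompt to look closer, not proof of hollowing; and a hollowed process that was started correctly by services.exe and injected into afterwards will pass all three checks, which is exactly the case the in-memory protections discussed in this thread exist for.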
Yes, it does make it pointless, because svchost.exe and explorer.exe are not attacked by exploits; most of the time it's the browser. So if you block the browser exploit, you have already won the battle. If for whatever reason malware has managed to run, then you should protect the system against stuff like code injection and process hollowing. Why do you think that HMPA offers the "process protection" feature, which is labeled as "risk reduction"? I have no idea what your point is; it's confusing to say the least, because it seems that you are actually agreeing with me?
Why do you think only the browser is attacked? That is an odd way of thinking; you need to think outside the box. svchost and explorer are attacked by some types of malware.
https://en.wikipedia.org/wiki/Exploit_(computer_security) An exploit (...) is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10.
?? I'll ask again: why do you think only the browser is attacked? That is an odd way of thinking; you need to think outside the box. You are trying to say that malware only targets web browsers, which is nonsense. Also, I know what an exploit is; I am not the one who said process hollowing is not a type of exploit.
All they are trying to say is that, in today's world, we are seeing exploits on browsers/Flash/Java only (for the most part), not on explorer.exe/svchost.exe. If you think otherwise (i.e., exploits do exist for explorer.exe/svchost.exe), care to refer to the recent CVEs for them?