Layered defenses largely fail to block exploits, says NSS

Discussion in 'other anti-malware software' started by ronjor, May 25, 2013.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Will emerge or should emerge? I ask because Google reveals no results on this :)
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Right, ZA Suite uses KAV right?

    Do you currently use Bullgard or G_Data at the moment?

    Nothing in your signature Fax?
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    By the time emet detects these (not all since no tool can ever do that) the parasite has passed through all your layers.

    I'm not saying don't use emet just don't rely 100% on it.:D
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses


    YES!!!! EXACTLY!:D :thumb:

    My question earlier about which were the 18 combos that did well remains unanswered?

    Anybody?


    I don't care if my combo or anybody else's is listed since if I find a better one I'll switch as fast as I can. Sorry vendors but I have no loyalty to you.

    IMO, it should be the other way around loyalty to us the trusting customers.


    What I would like to see is AV_comparitives do tests on these 18 layered combos ! Best to have verification.

    Where is the list of 18 combos?
     
  5. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I agree that EMET is not 100% strong. It's interesting: did EMET participate in their 606 combos? EMET is especially designed to mitigate exploits.
     
    Last edited: May 26, 2013
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Again, using products from different vendors won't help if all of those products fail to cover certain issues.

    Re EMET, I believe it mostly uses Windows' native mechanisms, so it doesn't work as well on Windows XP. If your company is still using XP, then you basically have huge gaping holes in your setup no matter what.

    Anyway it's all in the air until someone can find a link to the original paper.

    Edit: getting the paper may require purchasing a subscription.
     
    Last edited: May 26, 2013
  7. It will emerge; these are the signals in which I see future development heading:

    elevated = high = installer, system, admin
    normal = medium = user
    sandbox = low = protected mode & app container = low & untrusted

    In normal trustzone = policies can be set on signed software from trusted publishers (your good old applocker) to prevent shoot in the foot installs

    But Comodo has its behavioral blocker which kicks in when an unknown untrusted binary executes; Avast auto sandbox does similar based on static PE analysis, signing, reputation scoring.

    EMET will be the main mitigation from sandbox to normal. At the moment Hitmanpro alert, Trusteer Rapport, ExploitShield BE all more or less check integrity or prevent intrusion (like AppGuard's memory protection).

    PrevX4 was the early innovator in this, has it all, but they should market it better (and provide Kees1958 settings out of the box :D ) see https://www.wilderssecurity.com/showpost.php?p=2233300&postcount=30207

    cheers
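    The elevated / normal / sandbox tiers listed in this post correspond to the Windows mandatory integrity levels (high, medium, low). The following Python is an added example, not code from this thread or from any product it mentions: it models how the default mandatory-label policy (no-write-up) decides whether a lower-integrity process may touch a higher-integrity object. The SID RIDs and policy flag values are the real Windows ones; the access check is a simplified model of the kernel's (it ignores the token's own mandatory policy and the discretionary ACL), and the scenario objects are constructed for illustration.

```python
"""Simplified model of Windows Mandatory Integrity Control (MIC) checks.

Added example, not from the thread. RID values and policy flags match winnt.h;
the check itself is a deliberately simplified model of the kernel's.
"""
from dataclasses import dataclass
from typing import Optional

# Mandatory label SIDs have the form S-1-16-<RID>; the RID is the integrity level.
# Dict is in ascending order so describe() can walk it.
INTEGRITY_RIDS = {
    "untrusted": 0x0000,
    "low": 0x1000,      # sandboxed browser tabs, Protected Mode
    "medium": 0x2000,   # normal user processes
    "high": 0x3000,     # elevated (admin) processes
    "system": 0x4000,   # services, installer components
}

# SYSTEM_MANDATORY_LABEL_* policy flags carried in the object's label ACE.
NO_WRITE_UP = 0x1
NO_READ_UP = 0x2
NO_EXECUTE_UP = 0x4

ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE = "read", "write", "execute"

# Objects without an explicit label are treated as medium integrity.
DEFAULT_LABEL_SID = "S-1-16-8192"


def parse_label_sid(sid: str) -> int:
    """Return the integrity RID from a mandatory-label SID such as 'S-1-16-8192'."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory label SID: {sid!r}")
    return int(parts[3])


def describe(rid: int) -> str:
    """Name of the highest standard level at or below rid (0x2100 -> 'medium')."""
    name = "untrusted"
    for level, value in INTEGRITY_RIDS.items():
        if value <= rid:
            name = level
    return name


@dataclass
class LabeledObject:
    """A securable object with an (optional) mandatory label and its policy."""
    name: str
    label_sid: Optional[str] = None   # None -> unlabeled -> treated as medium
    policy: int = NO_WRITE_UP         # default policy on most objects


def is_denied(subject_sid: str, obj: LabeledObject, access: str) -> bool:
    """True if MIC alone blocks `access` for a subject at `subject_sid`.

    MIC only restricts subjects whose integrity is LOWER than the object's,
    and only for the access kinds named in the object's policy flags.
    """
    subject = parse_label_sid(subject_sid)
    target = parse_label_sid(obj.label_sid or DEFAULT_LABEL_SID)
    if subject >= target:
        return False  # equal or higher integrity: MIC imposes no restriction
    if access == ACCESS_WRITE:
        return bool(obj.policy & NO_WRITE_UP)
    if access == ACCESS_READ:
        return bool(obj.policy & NO_READ_UP)
    if access == ACCESS_EXECUTE:
        return bool(obj.policy & NO_EXECUTE_UP)
    raise ValueError(f"unknown access kind: {access!r}")


def sample_scenarios() -> dict:
    """Constructed scenarios for the three tiers named in the post."""
    low, medium, high = "S-1-16-4096", "S-1-16-8192", "S-1-16-12288"
    documents = LabeledObject("Documents folder")                 # unlabeled -> medium
    low_scratch = LabeledObject("LocalAppData\\Low", low)         # writable by sandbox
    service_cfg = LabeledObject("service config", high, NO_WRITE_UP | NO_READ_UP)
    return {
        "low_writes_documents": is_denied(low, documents, ACCESS_WRITE),
        "low_reads_documents": is_denied(low, documents, ACCESS_READ),
        "low_writes_low_scratch": is_denied(low, low_scratch, ACCESS_WRITE),
        "medium_writes_high_object": is_denied(medium, service_cfg, ACCESS_WRITE),
        "medium_reads_high_object": is_denied(medium, service_cfg, ACCESS_READ),
        "high_writes_high_object": is_denied(high, service_cfg, ACCESS_WRITE),
    }


if __name__ == "__main__":
    for scenario, denied in sample_scenarios().items():
        print(f"{scenario:28s} -> {'DENIED' if denied else 'allowed'}")
```

    The scenario worth noticing is `low_reads_documents`: with the default no-write-up policy, a low-integrity (sandboxed) process is stopped from modifying the user's files but can still read them. That is why integrity levels alone are a write barrier rather than a full sandbox, and why the post groups "protected mode" together with the more restrictive app container tier.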
     
  8. Dogbiscuit

    Dogbiscuit Guest

    Bypassing EMET 3.5's ROP Mitigations.

    [post=1891079]Re: EMET - A new Windows security mitigation toolkit[/post]
     
    Last edited by a moderator: May 26, 2013
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Very good, thanks!
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Ron:

    Okay so be it, IF I buy a subscription to id these 18 combos and then "know" what should I do then Ron?

    The subscription will probably say I can't give Wilders the results. :doubt:

    What I might be allowed to do is answer questions like:

    Is OP FW Pro 8.0 and Nod32 AV a "good" combo?

    and I respond NO or YES. :doubt:

    So then guys with that combo (like me) will scream proof proof and I won't be able to answer.... :eek:
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Agreed on that. Keeping stuff like this hidden behind a paywall is a little much.
     
  12. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I ain't sure that this bulletproof 3% are of the same strength on all possible OSes, with all possible apps environment running in the OS etc.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Actually, EMET would be the first line of defense against those exploits. If it's able to prevent the exploit code, then your other defenses won't have to do anything. If the exploit code passes through all you other layers, then it means that EMET also failed. They all failed. :D
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Can anyone download the PDF file? -https://www.nsslabs.com/system/files/public-report/files/2013-04ABCorrelatedDetectionFailures130514a.pdf

    I'm getting a message that the file can't be found in the server... :blink:
     
  16. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    try this m00nbl00d.. it works :)
    -https://www.nsslabs.com/reports/correlation-detection-failures
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks. It did work, I've downloaded the pdf.

    I'm disappointed it did not id the actual products that were used in layers combo.

    Only their types.

    ie next generation firewall
    an av for virus and malware.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    My first line of defense is my hardware fw in the router.:cool:
     
  19. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    The biggest pitfall in system security is users delegate their security to products they understand little about then proceed to behave dangerously and carelessly...

    So multi-layered, uni-layered approaches fail invariably...
    Multiple security tools like an AV, then an antispyware and antimalware also fail invariably as none of them actually know or see all malware at all times.

    It's best to use well patched applications, and up to date OSes, within a limited user account, use unique and tough complex passwords, 15+ hexadecimal characters, a different one for each application, system or site (Roboform helps), and try and limit all external behavior such as web browser and email activity to a sandbox...

    but most important, know intimately and control what is running in your system at all time!

    Then your choice of security software will actually matter but only then. :)

    Guy
     
    Last edited: Jun 5, 2013