EMET, MBAE, and HMP.A

Discussion in 'other anti-malware software' started by J_L, Nov 17, 2014.

  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Currently, I'm running all 3 in their free versions. That means MBAE only protects browsers and Java, while HMP.A doesn't have exploit mitigation. While I am beta testing, I have configured them to the limitations of their respective free versions.

    I'm thinking of setting them up this way: MBAE will cover the browsers, EMET will cover everything else, and HMP.A will add non-exploit-specific protection.

    The only problem is Java; should I double-team that vulnerable software? Currently, I have only EMET covering it, because MBAE isn't compatible with Java 8 (at least in my setup). *They're incompatible, chose MBAE over EMET.

    P.S. I've heard the "use one or the other" argument plenty of times, and will not regard it any further in this thread. That is unless one has proven it still applies in this specific setup during everyday activities.

    *Other incompatibilities with the above software, including SBIE, are welcome for side discussions. As is other anti-exploit software like ViRobot APT Shield, Crystal Anti-Exploit Protection, etc.
     
    Last edited: Nov 18, 2014
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    Run the HPA3 test:

    http://test.hitmanpro.com/hmpalert3ctp4.zip

    If with MBAE + EMET you get inferior results to EMET alone, there's something wrong.

    - Test HPA3 32 bit -
    EMET 4.1 U1

    Stack Pivot = Passed
    Stack Exec = Passed
    ROP WinExec = Passed
    ROP VirtualProtect = Passed
    ROP NtProtectVirtualMemory = Passed

    ROP system in msvcrt = failed *
    ROP VirtualProtect via CALL gadget = failed *
    ROP WinExec via anti-detour = failed *

    Null Page = Alert - "Null Page exploit/test failed".

    SEHOP = Passed

    Heap Spray 1 = Passed
    Heap Spray 2 = Passed (no alert)
    Heap Spray 3 = failed *
    Heap Spray 4 = failed *

    Anti VM = Failed *

    Hollow process = Alert - "I feel so empty inside".

    Load Library = (No alert)

    URLMon = failed *
    URLMon 2 = Passed
    URLMon 3 = Passed

    P.S. EMET 5.1 will probably pass the "ROP VirtualProtect via CALL gadget" test.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Hi J_L

    There is an old adage that you get what you pay for, and in this case I am not sure you get much. I just did a test against a live piece of malware, with very interesting results, but since I used the latest of each program, it doesn't fit your criteria. If you are interested I will post here.

    Pete
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Thanks Sampei. Pete, I know that you usually get better stuff paying for it, but I don't see the need right now.

    I actually am using the latest versions of each program, but with settings configured the same way as the free versions.

    The testing with a live piece of malware will be of great interest. Please provide it if possible. Thanks.
     
  5. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Please do post your results.

    Thank you.
     
  6. Impet

    Impet Registered Member

    Joined:
    May 5, 2013
    Posts:
    894
    I thought A vs B is not allowed. :rolleyes:
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Only applies to anti-virus AFAIK.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    This is not A vs B, but instead A + B + C.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Okay, the piece of malware was from one of those emails purporting to be sending a scan of tickets which you supposedly bought. It contains a zip file which contains an exe disguised as a doc file. I tested it in a VM, in which I have EIS, AppGuard, ERP and the latest private beta of HitmanPro.Alert. I disabled the first three as they would have stopped it. HMPA shut it down, and it wasn't a hardware mitigation, but the process hollowing. Detail said it was a Process Hollowing attack on svchost.exe located in the SysWOW64 area. HMPA shut it right down. I also tested it against EMET 5.1 and the latest beta of MBAE. I only had any one of them installed at a time. Neither alerted on the attack. Since adding apps in EMET is easy, I added svchost.exe to EMET's list, and reran the malware. EMET then did detect the attack. It was too difficult to add stuff to MBAE so I didn't try it, although I presume it would work.

    So bottom line, HMPA did stop an attack on something not in its guarded list, where the other two didn't.

    Pete
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Interesting, thanks for describing everything. Adding svchost.exe to EMET or MBAE isn't quite a good idea, so forget that. I'm curious how you opened the executable doc file; if it was with a shielded office program, would EMET or MBAE have prevented it?
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    It wasn't an executable doc, it was an executable that they added the Word icon to. It wasn't an exe you could "open". If you had file extensions turned off it looked like a doc file, but if you clicked on it, it just executed. Without the detail in HMPA I wouldn't have known it was attacking svchost.exe. And you are correct, EMET 5.1 shut down svchost, which wasn't cool. HMPA just stopped the attack without screwing up the system.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,628
    Location:
    Toronto, Canada
    Very interesting. Maybe not "cool", however, it prevented infection, right? If that is the case, then simply restarting Windows is a small price to pay in comparison to untold damage from malware infection.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    True but HMPA stopped it without the same effect. Also without HMPA, I wouldn't have had a clue what it was doing.
     
  14. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Another question:

    If I have CIS installed with auto-sandboxing... do I even need any of those programs? In the case of "Peter2150", CIS would have just sandboxed the hidden .exe when it tried to run?

    Thanks
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I tested it with SBIE, and candidly I am not sure what the results told me, so I wouldn't assume this kind of malware might be stopped by the CIS sandbox. Does a sandbox stop process hollowing? I am not sure.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Actually, it doesn't sound like it's an exploit, this seems to be malware that's using the "process hollowing" technique. So this means that if you run this malware, apps like HMPA, EIS and AppGuard should all be able to stop this attack. EXE Radar, EMET and MBAE are not designed to stop this technique, so that's why I'm surprised that EMET could stop it. But it only did after adding svchost.exe to the protection list, so that doesn't really count. Could you perhaps test EIS and AG?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    That is exactly what I said, it's a process hollowing attack. EIS BB does stop it, as does AppGuard's policy. Exe Radar stops it from running, but that is it.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes but what I mean is, you can't blame certain tools for not being able to stop this, because they simply don't offer protection against "process hollowing". Can you perhaps also post screenshots from OA and AG blocking this attack? I would like to know what type of alert they give. To clarify, they should not block the process from running (EXE Radar can also do that), but they should stop the code injection.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Rasheed, no, I won't go back and repeat everything to post screenshots for you. You are quite free to test on your own. Sorry.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    OK forget about the screenshots, can you perhaps tell me how they notify you, surely it must end up in the log file? Do they report something like "code injection blocked"? If I'm correct, OA will alert, and AG will silently block.

    BTW, ZeroVulnLabs already explained why EMET did alert about it, see this: https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-49#post-2428324
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    First, EMET didn't alert about it. It only alerted after I figured out what was going on from HMPA, and protected svchost.exe in EMET, which isn't wise at all. Barring my doing that, EMET flunked.

    As to the rest of your questions, Rasheed, if you had trialed any of these programs you wouldn't be asking them. Frankly I am not about to spend an hour typing answers to questions you could get for yourself by trialing all the software. Sorry.
     
    Last edited: Nov 18, 2014
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,027
    Location:
    Hengelo, The Netherlands
    The hollow process feature in Alert warns the user that malware is trying to exploit the identity of a legitimate process by replacing its code with malicious code. It is a very common trick used by malware authors, especially RAT malware. This is because a legitimate process does not stand out in Task Manager or Process Explorer.
    The feature does not require a user's decision/interaction either, so it is useful for average computer users. The hollow process feature provides another layer of protection.
     
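    The posts above (Pete's test in post #9 and erikloman's description in post #22) describe process hollowing as a legitimate process whose code has been replaced in memory. The script below is an added example, not code from the thread or from HitmanPro.Alert, EMET or MBAE, showing the core check such a detector performs: the PE headers and section bytes of the image mapped in memory are compared against the executable on disk, and any mismatch in entry point, image base or section contents is reported. Both "images" are constructed byte strings built by a hypothetical make_pe() helper; no real process is inspected.

```python
"""Hollow-process check: compare an in-memory PE image against its on-disk file.

Added example. All images here are constructed test data, not real binaries.
"""
import hashlib
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def make_pe(entry_point, image_base, code, code_rva=0x1000):
    """Build a minimal PE32+-shaped image with one .text section holding `code`.
    Only the fields parse_pe() reads are meaningful; everything else is zero.
    (Hypothetical helper producing constructed test data.)"""
    e_lfanew = 0x40
    dos = MZ + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    # IMAGE_OPTIONAL_HEADER64 prefix: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
    # BaseOfCode, ImageBase; the rest of the 0xF0 bytes are zero-padded.
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, len(code), 0, 0,
                      entry_point, code_rva, image_base)
    opt += b"\0" * (0xF0 - len(opt))
    raw_ptr = 0x200
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, then 16 bytes we leave zero.
    section = struct.pack("<8sIIII", b".text", len(code), code_rva,
                          len(code), raw_ptr) + b"\0" * 16
    headers = dos + PE_SIG + file_hdr + opt + section
    return headers + b"\0" * (raw_ptr - len(headers)) + code


def parse_pe(img):
    """Extract entry point, image base and section (name, rva, bytes) tuples."""
    if img[:2] != MZ:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    nsections = struct.unpack_from("<H", img, fh + 2)[0]
    opt_size = struct.unpack_from("<H", img, fh + 16)[0]
    opt = fh + 20
    magic = struct.unpack_from("<H", img, opt)[0]
    entry = struct.unpack_from("<I", img, opt + 16)[0]
    if magic == 0x20B:                      # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", img, opt + 24)[0]
    else:                                   # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", img, opt + 28)[0]
    sections = []
    sh = opt + opt_size
    for i in range(nsections):
        name, _vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", img, sh + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr,
                         img[rawptr:rawptr + rawsize]))
    return {"entry": entry, "image_base": image_base, "sections": sections}


def compare_images(on_disk, in_memory):
    """Return a list of findings; an empty list means the images agree."""
    disk, mem = parse_pe(on_disk), parse_pe(in_memory)
    findings = []
    if disk["entry"] != mem["entry"]:
        findings.append("entry point changed: disk 0x%x -> memory 0x%x"
                        % (disk["entry"], mem["entry"]))
    if disk["image_base"] != mem["image_base"]:
        findings.append("image base changed: disk 0x%x -> memory 0x%x"
                        % (disk["image_base"], mem["image_base"]))
    disk_secs = {name: data for name, _rva, data in disk["sections"]}
    for name, _rva, data in mem["sections"]:
        if name not in disk_secs:
            findings.append("section %s not present on disk" % name)
            continue
        if hashlib.sha256(disk_secs[name]).digest() != hashlib.sha256(data).digest():
            findings.append("section %s contents differ from disk (%d vs %d bytes)"
                            % (name, len(disk_secs[name]), len(data)))
    return findings


def is_hollowed(on_disk, in_memory):
    return bool(compare_images(on_disk, in_memory))


# Constructed samples: a "legitimate" image, a hollowed replacement that was
# mapped with its own base and entry point, and a same-layout image whose code
# bytes were overwritten in place.
LEGIT_CODE = b"\x48\x83\xec\x28\xe8\x00\x00\x00\x00\x48\x83\xc4\x28\xc3"
LEGIT = make_pe(0x1000, 0x140000000, LEGIT_CODE)
HOLLOWED = make_pe(0x2000, 0x400000, b"\x90" * 8 + b"\xc3")
PATCHED = make_pe(0x1000, 0x140000000, b"\xcc" * len(LEGIT_CODE))

if __name__ == "__main__":
    for label, mem in (("clean", LEGIT), ("hollowed", HOLLOWED), ("patched", PATCHED)):
        print(label, compare_images(LEGIT, mem) or ["no findings"])
```

    On a live system the in-memory image is read from the target process and relocations the loader applied have to be accounted for before comparing section bytes, otherwise a legitimately rebased module would be flagged; the header and entry-point comparison is the part that does not depend on that.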
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I totally agree. A lot of my other software alerted me and forced me to make a decision. HMPA just took care of it. Well done.

    Pete
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes I know, see post #16.

    Why the heck would I trial apps that I don't plan on using? That's just silly. And I didn't know it took that much time and effort to test it; I thought you were using VMs, so it should be a 10 minute job. But never mind, some other members have already tested it with HMPA's testing tool.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Exactly, and why should I waste 1 minute let alone 10 minutes answering questions about an App you have no intention of using?
     