EMET, MBAE, and HMP.A

Discussion in 'other anti-malware software' started by J_L, Nov 17, 2014.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    (EMET 4.1 U1) test 32 bit

    The ROP WinExec via anti-Detour test is passed.
    With the previous version it failed.

     
    Last edited: Dec 17, 2014
  2. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    The new version sounds very good but I can't get it to work properly. What's supposed to happen when you run the non-exploit calc against another app, IE11? Any other way to verify the test?
    In EMET I have all mitigations enabled for IE11 and when I run the test tool against IE11 EMET alerts about EAF for every exploit. Something must be wrong.
    If I try to protect the test tool itself, EMET detects EAF immediately when it's launched. And if I disable EAF it won't be protected the same way my programs are, and is therefore not as good a test.
    I've tried excluding the test tool from my AV to rule out a possible conflict but no difference.

    Oh, and "Browse for 32-bit application" always hangs the program
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Well, in the end I've settled with HMP.A... The experiment is now on hiatus unless someone is willing to continue it.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No thanks, like I said months ago, it's asking for trouble.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Tried ver. 1.5 yesterday on WIN 7 SP1 x64, IE10, EMET 5.1. Had the exact same issues you described. The only way I could get the test tool to run was to disable EAF for the app in EMET. Whatever these later versions are doing, they are not handling EAF properly.

    Best version I have used in testing EMET and MBAE was 1.0.0.13.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Since I got another computer (and will probably lose HMP.A license in the near future), this project has been revived!

    Only difference is, EMET won't be factored in due to me having a MBAE Premium license (thanks Pedro!) and the other computer is quite vanilla.
     
  7. guest

    guest Guest

    What project exactly?
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Thread OP, to an extent.
     
  9. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    When it comes down to the level of protection that they offer they should be pretty similar. If one knows how to bypass one tool then the rest shouldn't be a problem at all, it is just luck that those kind of exploits have not yet been observed.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Yes, but the free version of HMP.A does not include exploit mitigation (or even Process Protection), as noted in OP.
     
  11. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Correct, but the free version of MBAE also doesn't cover MS Office or Adobe Reader ;)
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Ah, but I don't use Office or Reader on the new tablet. Only Chrome for some PDF.

    And I do have a license for MBAE (going to be on main laptop) as a Wilders member/contributor.
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Good thread, so this has taught me 2 things.

    Adding svchost.exe to EMET is indeed not a waste of time like some say it is.
    Process hollowing on HMPA blocked that malware, which is good as I have disabled EMET on system processes since last week on the advice of others. EMET isn't on my laptop at all now; it's on my win10 machine but protecting nothing (no apps configured), and on my win7 machine it just protects a few third-party services that HMPA doesn't cover.

    I have always considered explorer.exe and svchost.exe as a weakness in the windows OS, due to the fact 3rd party software can utilise both.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You're misunderstanding, exploit protection is not meant to protect against process hollowing. And normally speaking, system apps like explorer.exe and svchost.exe are not directly attacked by exploits, that's why everyone is saying they don't need any protection.
     
  15. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Odd, I have seen them frequently hijacked by malware.

    svchost is a well-known way into Windows systems for malware authors, as so many services attach to it.

    What it is meant to do is a matter of opinion really, the evidence is here in this thread that hardening svchost blocked the malware sample.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You don't seem to know the definition of "exploit". System apps like svchost.exe are often attacked by malware that has managed to run on the system. But the point of HMPA and MBAE is to block the malware from running at all, by blocking the exploit.
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Perhaps the question is: is there any benefit to protecting svchost.exe with HMPA in case a malware does manage to execute and hijack svchost.exe, or is something else needed at that point?
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I am talking about malware using svchost to run in the first place, not something already running. But even if it's already running, it doesn't make svchost protection pointless.

    The term exploit has existed for decades, the current marketing term for it seems to make it associated with memory hacking only.

    If malware is trying to hack memory then it's already managed to infect software to get in the position of attempting the exploit in the first place.

    svchost, it would seem, is already protected in HMPA by that process hollowing feature.

    https://www.trustwave.com/Resources/SpiderLabs-Blog/Analyzing-Malware-Hollow-Processes/
     
  19. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Your comment makes my eyes bleed. Process hollowing is not an exploit.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, it does make it pointless, because svchost.exe and explorer.exe are not attacked by exploits, it's most of the time the browser. So if you block the browser exploit, you have already won the battle. If for whatever reason malware has managed to run, then you should protect the system against stuff like code injection and process hollowing. Why do you think that HMPA offers the "process protection" feature which is labeled as "risk reduction"?

    I have no idea what your point is, it's confusing to say the least, because it seems that you are actually agreeing with me?
     
  21. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Why do you think only the browser is attacked? It's an odd way of thinking; you need to think out of the box.

    svchost and explorer are attacked by some types of malware.
     
  22. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    https://en.wikipedia.org/wiki/Exploit_(computer_security)
    An exploit (...) is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
     
  23. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
  24. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    ??

    I'll ask again.

    Why do you think only the browser is attacked? It's an odd way of thinking; you need to think out of the box.

    You are trying to say that malware only targets web browsers, which is nonsense.

    Also, I know what an exploit is. I am not the one who said process hollowing is not a type of exploit.
     
  25. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    All they are trying to say is that in today's world, we are seeing exploits on browsers/flash/java only (for the most part), not on explorer.exe/svchost.exe.

    If you think otherwise (i.e., exploits do exist for explorer.exe/svchost.exe), care to refer to the recent CVEs for them?
     