Free XP anti-exploit

Discussion in 'other anti-malware software' started by Windows_Security, Jun 7, 2015.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    I had converted six family members to Linux (with XP skin), one older couple could not get used to the changes and asked me to revert their PC back to Windows XP again.

    Their son maintains the PC, he checks their PC once a week (they seem to delete shortcuts, so they can't find programs anymore). They always run as Admin, so I made some changes. Run as PowerUser instead of Admin and installed Pretty Good Security. Added basic user as protection level, set default software restriction as unrestricted, run al user applications (except Chrome) as limited (basic) user and set a deny execute to some often used folders of ransomware and drive by's. Installed other Crystal Security (from Kardo Crystal) as executable tripwire, ran all their software to populate the whitelist (and raised auto decide level). Added RestoreRollbackRX free to keep the shortcust returning after each reboot.

    First and best choice for FREE anti-exploit protection is Malware Bytes Anti-Exploit FREE. MBAE protects browsers and plug-ins. On Vista and above, EMET is the obvious companion when looking for a FREE anti-exploit setup, but on XP benefits of EMET are limited.

    Therefore I decided to take a look at Crystal AEP (Anti-Exploit Protection). This program had some attention at Wilders. Pitty the programmer had to much ambition by adding all documented Anti-Exploit counter masures he could find. When tightening up default OS-mechanism, you are bound to run into compatability issues (HitmanProAlert 3 for instance was in Alpha/Beta for over a year).

    Get MBAE-free from https://www.malwarebytes.org/antiexploit/

    Get Crystal AEP from http://www.softpedia.com/get/Security/Security-Related/Crystal-Anti-Exploit-Protection.shtml
     
    Last edited: Jun 8, 2015
  2. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    After installation, choose experts options, don't be afraid of the programmer's warning, I have checked the options. As with all my posts, please make sure you have a working and tested image/data recovery plan in place. On a plain vanilla XP with only Office 2003 and Chrome installed it worked fine.

    1.png
     
    Last edited: Jun 7, 2015
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Now remove all system related processes, from the protection list (only keep the windows help executables). Now add your PDF reader, Mail application, Media player and Alternative Office applications (like Libre Office). Also remove the browsers (Chrome.exe, Iexplore.exe, firefox.exe) becaise MBAE deals with them.

    2.png
     
  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Tab to the protection options, first one is MEMORY MONITOR (right to Connection Monitor tab).

    3.png
     
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Next the API Monitor 1, which brings some Windows7 features to XP, so certainly worth to try.

    4.png
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Crystal AEP also contains a nice ANTI-EXECUTABLE (same way as EMET uses ASR to block dll's). You get a warning when another programs is started from a guarded program e.g. when clicking on a LINK in a MAIL, the browser is started (Chrome in my case).

    5.png

    6.png
     
  7. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Last setting COM guard. Because we don't guard Internet Explorer, I have disabled this (and it requires to much tweaking to get it to work)

    7.png
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Last option, to reduce the downsides of Crystal AEP:

    - Is beta program, so adding options might get you into trouble.
    - Protects only 32 bits processes (not a problem for XP users, since there are very little XP 64 bits lisences sold).
    - Implements protection through AppInitDll. But that is just my personal preference. I prefer MBAE process monitor over HMPA injecting its DLL in every process.
    - Has a very ugly icon

    So I disable the GUI application. Protection works without GUI

    8.png
     
  9. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    333
    I don't see why the benefits of EMET 4.1 should be limited on Windows XP. MBAE basically comes down EMET 4.1 + application hardening functionality. (Yes, we can argue about this statement)

    The mitigations offered by Crystal AEP look promising, but which issues have you encountered yourself? I think that this tool might cause quite some false positives, compatibility issues and a noticeable slowdown.
    But still, nice write-up :thumb:
     
  10. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Thanks, looks interesting.

    I currently use hitmanpro.alert 2.5 on xp and NVT AE.

    Might be worth switch those 2 programs for this one at sometime in the future
     
  11. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    hmm not updated anymore?
    2012
     
  12. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    You can keep NVT AE, have a look at Secure Folders when you consider dropping HPMA 2.5 to add some protection against ransomware.

    Yes it is an abandoned project, like XP
     
    Last edited: Jun 7, 2015
  13. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Well maybe I should have said that XP does not have SEHOP and ASLR, this reduces EMET protection on XP, because EMET enforces these OS-capabilities. Advantage of Crystal AEP is that it brings SEHOP and ASLR like features to XP. see post 5

    The ones that I disabled. When you stick to mail, mediaplayer, PDF-reader and Office programs, you should not run into false positives, nor slowdowns. But you guessed it right about slowdown's in browsers. These are noticeable in IE and Chrome (did not test Firefox), that is why I used MBAE-free instead.
     
    Last edited: Jun 7, 2015
  14. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    333
    I do not know which libraries are loaded at a randomized location. If the implementation is similar to the pseudo-ASLR implementation in HMPA then it is not very effective, but I am not going to spend effort on auditing Crystal AEP to verify this.
     
  15. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Pseudo ASLR may be easier to bypass (in theory), but I would settle for it (in practise) on XP when you have no ASLR at all. Considering that it is free why not use it?

    Also most of these easy theoretical bypasses should be consumed with a grain of salt, see this post
     
    Last edited: Jun 7, 2015
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,283
    Is Crystal AEP by same developer as Crystal Security
     
  17. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    No, just a coincidence Crystal AEP is good for XP when you want to use a free program (brings ASLR and SEHOP like features to XP and adds a nice lanch control/anti executable to protected programs).
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    No, it is not...I checked the link for Softpedia that was posted by the OP. It was developed by Peter Winter-Smith.
     
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Thanks for the guide! I had considered using this program at one point, but didn't put the effort into working out which elements were stable and which weren't like you have.

    I haven't used my XP machine in months, but might try this out next time I do.
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    This is one that i sadly overlooked at the time, & since ! I expect it's due to my not having .NET installed. It certainly appears to include a heck of a lot of interesting protection etc, that other apps didn't or dont. If i had .NET i'd install it straightaway.
     
  21. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Hi Kees,

    Thanks for posting this tutorial. I am currently using Crystal Anti-Exploit on Windows XP, along with EMET 4.1 Update 1. Since Crystal AEP seems to provide much better protection than EMET on Windows XP, I am considering uninstalling EMET.

    Despite your "warning" not to use Crystal AEP to protect web browsers, I wanted to try it to see what would happen. Opera did not like being protected by Crystal AEP, and tried twice to launch its crash reporter (I denied the attempts). After loading, Opera seemed to work fine except for some noticeable sluggishness. When I tried SeaMonkey it loaded quickly and seemed to be working just great. Unfortunately, when I checked I found that it was not being protected by Crystal AEP. I have no idea why.

    Vivaldi seems to work just fine when protected by Crystal AEP. There may be a tiny bit of sluggishness, but if I hadn't been looking for it I might not have even noticed. Two web browsers seem to get along with Crystal AEP quite well -- Internet Explorer 8 and Slimjet. Since Slimjet is based on Chromium and I can protect it with Crystal AEP, I am planning to make it my default web browser on Windows XP.

    Phil
     
  22. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    How does this app compare to WehnTrust?

    Features of WehnTrust:
    Randomized Image Files (DLLs, EXEs with relocations)
    Randomized Memory Allocations (Stack, Heap, etc)
    Randomized PEB/TEB
    Application and Image File Randomization Exemptions
     
  23. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Not entirely correct, but for ease of understanding:

    Wehntrust implemented sort of ASLR for XP, this app implementys EMET + some of the third line MBAE protections + Wehntrust for protected applications only
     
  24. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Another app that supposedly implemented ASLR for XP was Ozone. (Security Architects)
    Complete details of implementation don't seem to be available. //Abandonware

    Only info I came across was Ozone was a host intrusion prevention system which delivers
    multi-layer security that incorporates buffer overflow prevention, application sandboxing
    and application specific (layer 7) security technology.
     
  25. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Crystal AEP seems to be compatible with GeSWall, but not with Sandboxie. I think it might be possible to get it working with Sandboxie 3.76, but I only have a vague idea of how to modify Sandboxie's configuration so that Crystal AEP will be able to protect sandboxed programs.

    Phil
     
Loading...