Freeware setup giving malware a hard time to intrude your system

Discussion in 'other anti-malware software' started by Windows_Security, Aug 7, 2015.

  1. Overkill

    Overkill Registered Member

    guest have you ever used SecureAPlus?
     
  2. starfish_001

    starfish_001 Registered Member

    Been playing in a VM, SmartObjectBlocker looks awesome - any idea how the coverage compares to Appguard? I guess the key advantage is the ability to add extra rules as required.

    Has anyone run any of the exploit suites against this config - CLT HMPA exploit or similar?
     
  3. luciddream

    luciddream Registered Member

    If EMET can do those things, and MBAE apparently can't, then how come you said that if you had MBAE Premium you don't need EMET?

    Also thank you very much, that goes out to the makers of this fine software too. I'm going to give this current Safe Admin approach a try on my Win7 Ultimate x86 & x64 setups, along with a few of my own wrinkles, Sandboxie, Comodo FW/D+, and Shadow Defender.
     
  4. guest

    guest Guest

    No, and I don't need it.
     
  5. itman

    itman Registered Member

    A comment here. EMET's ASR will not protect you from in-memory exploits, if that is your primary concern. MBAE Premium, HMP-A paid, or a good HIPS will because you can define non-browser processes with them.

    ASR
    The Attack Surface Reduction (ASR) feature in EMET 5.0 helps reduce the exposure of applications by preventing the loading of specific modules or plugins within the target application. This protection can really be effective in cases where an attacker forces the target application to load a specific DLL to bypass ASLR (Java msvcr71.dll is a very typical case). Protection provided by ASR does not affect our exploit in any way because we are using a memory leak to bypass ASLR in the IE ColspanID exploit. We are also not loading any extra modules to bypass DEP. Nevertheless, we conducted some research to understand where this mitigation is located within EMET.dll. Once again, we noticed that the actual checks are done within the very same ROP-P routine, thereby making ASR entirely ineffective once the ROP-P general switch has been zeroed out. However, if an attacker is planning to force the target application to load a blacklisted module to bypass ASLR, he wouldn’t be able to disarm the EMET ASR protection using our technique before loading the forbidden DLL.


    Ref.: https://www.offensive-security.com/vulndev/disarming-emet-v5-0/

    -EDIT- However, the following excerpt from the above link states enabling EAF+ and copying the noted .dlls into the protected app would mitigate the ASP bypass. You would have to test the app for full functionality.

    EAF+, on the other hand, introduces a few extra security checks. First of all, it offers the possibility of blacklisting specific modules that should never be allowed to read protected locations (EAT and MZ/PE header of specific modules). For IE, EAF+ blacklists by default mshtml.dll, Adobe Flash flash*.ocx, jscript*.dll, vbscript.dll and vgx.dll.

    Note however that EAF+ will not prevent malware.dll being injected from memory using methods such as reflective dll injection.

    -EDIT 2- Win 7 (Win 8 much less so) is vulnerable to memory heapspray exploits. EMET for all practical purposes is totally ineffective against advanced heapspray attacks due to its checking of fixed location low-address based memory only.
     
    Last edited: Aug 31, 2015
  6. Nevis

    Nevis Registered Member

    Thanks for this. So many things I did not know :)
     
  7. Kyle_Katarn

    Kyle_Katarn Registered Member

  8. On business / partly holiday travel in Cape Town now. Will be updating this thread with all new features of Smart Object Blocker when I am back. No need for EMET ASR any more since SOB can block this now.
     
  9. EASTER

    EASTER Registered Member

    Looking forward to all that when you make it back to update.

    @Windows_Security Hope that you enjoy the Leisure side of things while on your stay and all is well :)
     
  10. For a Dutchman it is awkward to see a split society in which the Dutch were partly responsible. But the country is beautiful. Thx
     
  11. pcalvert

    pcalvert Registered Member

    Hi Kees,

    I'm wondering if this strategy would still be helpful on Windows XP, even though it lacks UAC. I'd be logged in as an Administrator (unavoidable), but threatgate applications would be forced to run as a Basic User, and probably sandboxed by GeSWall as well.

    Phil
     
  12. Itman, the point of adding vbscript, jscript, etc. to ASR is that exploit-based intrusions access shell or script engines. The actual exploit changes the flow of events, but then some code has to execute, and nearly always the freely accessible code execution is used (vbscript, jscript, cscript, powershell, dotNet). So by blocking these DLLs in EMET you mitigate the impact of intrusion.
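
Added example, not part of any post in this thread and not EMET's or Smart Object Blocker's own code: a small audit that checks image-load records against an ASR-style per-application deny list of script-engine modules, as discussed in posts 5 and 12. The policy, the application names and the sample records are constructed assumptions; only the module patterns `jscript*.dll` and `vbscript.dll` come from the thread.

```python
import fnmatch
import ntpath

# Constructed policy (assumption): ASR-style deny lists per protected application.
# The module patterns are the script engines named in the thread.
ASR_POLICY = {
    "winword.exe": ["jscript*.dll", "vbscript.dll"],
    "excel.exe": ["jscript*.dll", "vbscript.dll"],
}

# Constructed image-load records: (process image path, loaded module path).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Office\WINWORD.EXE", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Program Files\Office\WINWORD.EXE", r"C:\Windows\System32\VBScript.dll"),
    (r"C:\Program Files\Office\EXCEL.EXE", r"C:\Windows\SysWOW64\jscript9.dll"),
    # wscript.exe is not in the policy, so its script-engine load is not flagged.
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\vbscript.dll"),
    # A resource file that merely starts with "jscript" must not match.
    (r"C:\Program Files\Office\EXCEL.EXE", r"C:\Windows\System32\jscript.dll.mui"),
]


def denied_pattern(process_image, module_path, policy=ASR_POLICY):
    """Return the deny pattern the module matches for this process, else None."""
    # Windows file names are case-insensitive, so compare lowercased base names.
    proc = ntpath.basename(process_image).lower()
    module = ntpath.basename(module_path).lower()
    for pattern in policy.get(proc, []):
        if fnmatch.fnmatchcase(module, pattern.lower()):
            return pattern
    return None


def audit(events, policy=ASR_POLICY):
    """List (process, module, pattern) for every load the policy would deny."""
    findings = []
    for process_image, module_path in events:
        pattern = denied_pattern(process_image, module_path, policy)
        if pattern is not None:
            findings.append((ntpath.basename(process_image), module_path, pattern))
    return findings


if __name__ == "__main__":
    for proc, module, pattern in audit(SAMPLE_EVENTS):
        print(f"{proc}: {module} matches deny pattern {pattern}")
```

Running the audit over real load records before enforcing a deny list shows which protected applications legitimately load a script engine and would lose functionality.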
     
  13. @pcalvert

    Phil, yes this would work, but leave out the Smart Object PARENT rules (post 4) and EMET ASR for threat gate applications protected by GeSWall. You need to allow the EMET/MBAE/SOB DLLs in GeSWall protected applications, otherwise GW will block them.

    Regards Kees
     
    Last edited by a moderator: Jan 23, 2016
  14. pcalvert

    pcalvert Registered Member

    Hi Kees,

    So, under Process block rules I should leave out the lines that begin with "[%PARENT%: ". Is that correct? If so, what is the reasoning behind leaving out those lines?

    Phil
     
  15. Yes, because GeSWall takes care of that (it redirects or blocks).
     
  16. pcalvert

    pcalvert Registered Member

    Thank you Kees, I really appreciate your help.
     
  17. chrcol

    chrcol Registered Member

    Thanks windows_security, good guide. What you did for the security setup link is also good; I wish there were more posts like this on here instead of people just recommending to buy 4+ commercial programs.
     