opinions on Comodo Memory Firewall

Discussion in 'other anti-malware software' started by trekie12cat, Jun 3, 2009.

Thread Status:
Not open for further replies.
  1. trekie12cat

    trekie12cat Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    15
    i have avast home pctools firewall and sandboxie is this a good addition?
    also what are the opinions on it i cant seem to find any reviews?
     
  2. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    IIRC CMF has been discontinued as a stand alone product - it's now integrated in CIS. IMHO you don't need it. I believe with DEP enabled for all programs and services you should be protected against buffer overflows.

    Do you have any other security software running? You could consider adding an AV and/or HIPS.
     
  3. eXPerience

    eXPerience Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    98
    Hi,

    CMF is indeed discontinued as a standalone product. But that doesn't mean it's useless. As it's not relying on any definitions is will always protect you.

    The need of a buffer overflow is arguable, but IMHO it's needed.

    DEP isn't so strong as CMF

    Xan
     
  4. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Like others said, buffer overflow protection has now been integrated to CIS.
    I recommend you to use CIS instead, since memory firewall module is still being improved/updated.
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Well i had it installed for several months, and never saw a peep out of it. Naturally i presumed i didn't have any BO's, until one day i ran Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Unbelievable ! The amount of Buffer overflows listed in all sorts of Apps etc was staggering. I think people should run it and see how they fare. I'd be very interested in the results, and i'm sure you will be too.

    Buffer overflows are just one vector Malware can enter a PC, and therefore protection is a good thing. So was CMF working correctly, or was PM giving FP's ? I tend to err on the side of PM. The thing is, i wasn't aware of any issues with any of my software, but ?
     
  6. 3xist

    3xist Guest

    Hello.

    1. Software DEP is nothing but SEH chain validator (means it's not a DEP but some way to prevent one rare type of shellcode's injection)
    2. Hardware DEP is very incompatible thing, that's why:
    a) DEP mode by default is OptIn = all system services are protected, user apps aren't protected
    b) DEP is _VERY_ incompatible thing so we 've got one more "layer" over DEP-mode - windows disables DEP for app which is know to be incompatible with DEP (this includes many checks, like exe-packers check and so on)
    3. DEP-protection is vulnerable to ret2libc kind of attack (so you're not protected at all)

    This is why BO protection is in CIS.

    Cheers,
    Josh
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Too bad there is no more standalone comodo memory firewall.
    People would have already a suites of HIPS, firewall, etc. and would not want to have CIS installed for the buffer overflow protection.
    Tested over slipfest, and comodo memory firewall works.
    Dll injection by it, I scanned heuristically by avz and passed as not trojan-like or having keylogger activity.
    I have tested Ozone HIPS as buffer overflow protections but it's address space randomization have prevented my firewall/HIPS from monitoring openprocess calls from other applications.
    Hope they bring back comodo memory firewall as a standalone. As Hardware DEP is not enough.
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Buffer overflows listed in Process monitor, Filemon or Regmon is very different from the buffer overflows that malwares take advantage of.
    Hear it straight from the horse's mouth, the creator of those softwares...
    http://blogs.technet.com/markrussinovich/archive/2005/05/17/buffer-overflows.aspx
    http://blogs.technet.com/markrussinovich/archive/2005/06/04/buffer-overflows-in-regmon-traces.aspx

    I have yet to detect buffer overflows in the wild, as I used oldversions and unpatched softwares like media players with documented buffer overflow exploits and vulnerabilities in the wild and zero day malwares using those. I have been downloading questionable media files with possible embedded codes and still waiting for my hips/firewall to catch it. And I am not using any updated antivirus, still zero malware.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The only time I've ever seen any is when finding a URL in an alert posted somewhere. This has been the case with the PDF exploits going around. Here is one:

    All of the buffer overflow exploits in the wild I've seen reports on, embed a URL to call out to download malware as shown above - easily blocked by a HIPS or execution prevention type of program, as you mention.

    I've been looking (unsuccessfully) for any buffer overflow exploits in the wild that do something besides act as a trigger
    to download malware.

    If anyone knows of some, please let me know.

    thanks,

    rich
     
    Last edited: Jun 4, 2009
  10. eXPerience

    eXPerience Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    98
    Please check your pm and you will have a lot of fun :D

    eXPerience
     
  11. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: Examples in the wild of Buffer Overflow Exploits

    Thanks, I'm aware of these, but they are Proofs of Concept.

    I'm interested in looking at exploits circulating in the wild.

    ----
    rich
     
  13. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Me too, and still looking.

    From a developer perspective, it seems more efficient to pursue a separation of concerns development approach whereby the instructions in the overflow would do only what Rmus described, leaving other 'modules' to perform a wide array of different capabilities.

    I've wondered whether the overflow environment is sufficiently variable/unpredictable such that the ROI for just doing a "dropper" far outweighs that of doing something more multipurpose or tailored.

    Well, after "droppers" become less effective, the malware developers may just have to employ more complex instructions in the overflow.

    Cheers,

    Eirik
     
  14. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    trismegistos

    Thanx for the info, very revealing ! Comodo Memory Firewall is still available, i tested the download www yesterday http://www.memoryfirewall.comodo.com/

    Rmus

    Hi rich, first off congrats on your appointment as Exploit Analyst, you deserve it. If i come across and potential naughty www's i'll let you know.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi StevieO - thanks. This month is the first I've seen you around here in a long time!

    (naughty URLs ... hmmm...)

    ----
    rich
     
  16. polocanada

    polocanada Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    60
    StevieO, these are not harmful BO's. Please read response I got in this post... https://www.wilderssecurity.com/showthread.php?p=1257625

    This is just a way of saying that all is fine. Problem avoided.
     
Loading...
Thread Status:
Not open for further replies.