Question: WehnTrust

Discussion in 'other anti-malware software' started by Painkiller, Oct 1, 2006.

Thread Status:
Not open for further replies.
  1. Painkiller

    Painkiller, Registered Member. Joined: Aug 24, 2004. Posts: 42.

    Hi,

    Did anyone use this software before ... any insights?

    10x guys

    Painkiller :D
     
  2. QBgreen

    QBgreen, Registered Member. Joined: Jan 1, 2005. Posts: 627. Location: Queens County, NY.

    WehnTrust

    I've come across a HIPS that claims to be designed to specifically protect against buffer overflow exploitation. It's called WehnTrust, and there is a Pro and freeware version. I'm going to give the freeware version a go. If anyone wants to read about it or download it, look here: http://www.wehnus.com/products.pl
     
  3. Kees1958

    Kees1958, Registered Member. Joined: Jul 8, 2006. Posts: 5,857.

    Re: Question: WehnTrust

    Hi,

    I have tried it for a while. It randomises memory space. This prevents exploits from finding images in memory/stack and accessing an offset; because the address space is not fixed anymore, the accessed offset is not used for what the malware thinks it is used for. Therefore the memory/stack hack does not have the effects the malware tries to achieve.

    Sounds complex, example:
    You can compare it with hacking the GUI of an exe file. Some people search for the text "files" within an exe file and change it to another value with notepad. Some exploits work in the same way, only they do it in memory/stack. They search for a fixed binary value and change the address space using the fixed binary value as a starting point.

    Example: find value '0A' and access the address space at offset 08. With this change they are able to change the logic of the program in memory.

    The standard feature DEP (of XP) gives similar protection, by allowing executables to access only the 'variable' parts of memory. WehnTrust gives some more protection, because the attacked offset space could be a legal memory place to change (a variable).

    WehnTrust is a hardening tool with HIPS-like effects, to prevent overflow attacks. It is useful when you do not use an overflow protection program or a classic HIPS like SSM (free version does protect against physical memory access, unlike ProSecurity free).

    I use SSM-free plus DEP now and think this is sufficient protection.

    Regards
     
  4. Meriadoc

    Meriadoc, Registered Member. Joined: Mar 28, 2006. Posts: 2,642. Location: Cymru.

    Re: Question: WehnTrust

    I have also used this - the free home version; hardly knew it was there.
    Address Space Layout Randomization (ASLR), like for UNIX-based OSes but for Windows; cannot add any more than above.
    In XP, turn DEP on for all programs.
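
A way to check the randomization the posts above describe, as an added example that is not part of the thread and not WehnTrust code: the C program prints its own code, stack and heap addresses (run it several times and compare) and counts which address bits differ across recorded module base addresses. The sample bases and all function names are constructed for illustration, not measured from WehnTrust.

```c
/* Added example, not from the thread: measure how much an address varies. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A bit is set in the result if it differed from the first sample in any run. */
uint64_t varying_mask(const uint64_t *addr, size_t n)
{
    uint64_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= addr[i] ^ addr[0];
    return mask;
}

/* Count of bits seen to vary; more samples give a better estimate. */
int varying_bits(const uint64_t *addr, size_t n)
{
    int bits = 0;
    for (uint64_t m = varying_mask(addr, n); m != 0; m &= m - 1)
        bits++;
    return bits;
}

/* Constructed samples (not measurements): one module base across four runs. */
static const uint64_t fixed_base[4]  = {0x00400000, 0x00400000, 0x00400000, 0x00400000};
static const uint64_t random_base[4] = {0x01230000, 0x4a7f0000, 0x6c010000, 0x1fe40000};

static void report(const char *name, const uint64_t *addr, size_t n)
{
    int bits = varying_bits(addr, n);
    printf("%-12s mask=0x%08llx bits=%2d %s\n", name,
           (unsigned long long)varying_mask(addr, n), bits,
           bits == 0 ? "(fixed: a hard-coded address keeps working)"
                     : "(moves: a hard-coded address is stale)");
}

int main(void)
{
    int on_stack = 0;
    void *on_heap = malloc(16);

    /* This process's own layout; run the program several times and compare. */
    printf("code=%p stack=%p heap=%p\n",
           (void *)(uintptr_t)&varying_bits, (void *)&on_stack, on_heap);
    free(on_heap);

    report("fixed_base", fixed_base, 4);
    report("random_base", random_base, 4);
    return 0;
}
```

In the constructed random sample the low 16 bits never change, which matches what Windows shows in practice, since images load on 64 KiB boundaries.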
     