SP2 and Buffer-overflow

Discussion in 'other software & services' started by iceni60 at friends, Sep 13, 2004.

Thread Status:
Not open for further replies.
  1. i hear that SP2 protects against buffer-overflow. the last time i tried System Safety Monitor my computer couldn't handle it because of buffer-overflow and shut down.

    With SP2 now installed will that stop the shutdown from happening?

    also i hear that Prevx protects against buffer-overflow, but in a different way from SP2. will this mean that i can install Prevx, and with SP2, won't have any problems with my computer shutting down?

    thanks, iceni60 : )
     
  2. Blackspear

    Blackspear Global Moderator

    I had the same problem, see post number 111 here

    No.

    No, try not installing SSM and see how you go…

    Cheers :D
     
  3. Helen321

    Helen321 Guest

    thanks for the reply, Blackspear :).

    but are you saying that you had SSM, Prevx and nod all running at the same time?

    and also did you have SP2 when this happened?

    because this PC has AVG and would only run SSM or Prevx with SP2

    this is my friends PC and that is what we were thinking of trying it on.

    however, i was also going to try it on my own PC and from what i can remember we have almost exactly the same security apps as one another, so if that happened to you it will more than likely happen to me too.

    BTW, have you tried Abtrusion Protector? and i'm not sure if this is the same program as Abtrusion Protector, but there is also PC Internet Patrol. i got these from post no. 5 from this thread

    once again Blackspear, thanks for your time and help :)
     
  4. TimeKeeper

    TimeKeeper Guest

    Just curious what versions of SSM you guys are using? Because there are different versions of SSM including a yet to be released beta version that may work better with other programs and sp2. You can still get SSM v1.89 at snapfiles.com and it may work better. I just downloaded and saved the installer for 1.89 just in case i want it later and it is no longer available. I think the last version of SSM, before the yet to be released beta, was 1.9.4 (beta 1). I would try the different versions and see which works best. You may need to learn Russian though to find some of the different versions. :p
     
  5. Blackspear

    Blackspear Global Moderator

    Yes, latest public release versions of all…


    Yes.


    I would then run Prevx, as you can use TeaTimer that comes as part of Spybot Search and Destroy to monitor the registry…


    I believe it will, Eset are currently working on why there is a conflict…


    I did try AP, I can’t remember why I stopped using it, but then again I have a fairly tight system, you can see my current specs here


    My pleasure…

    Let us know how you go…

    Cheers :D
     
  6. iceni60

    iceni60 ( ^o^)

    thanks, Blackspear. i think i'll give prevx a try. one thing while i remember. on the form you have to fill out at Prevx, it asks for your password. now, to me it looks like it's asking for your email password :eek: . can you tell me that i've got this wrong? and they're just asking for a password to use for their program that isn't related to my email.

    Blackspear, do you know of PC Internet Patrol?

    and TimeKeeper, i don't remember which version of SSM i was using, but it was about 3 months ago i downloaded from their site written in English

    oh, and just in case it wasn't clear, although i just saw the thread starter was iceni60 at friends, helen is my friend and i was at her house :D
     


  7. iceni60

    iceni60 ( ^o^)

    can anyone tell me which password they are asking for in the form? email or program password? thanks :)
     
  8. Devinco

    Devinco Registered Member

    Ice,

    The password is just for PrevX website, not your email password.
     
  9. iceni60

    iceni60 ( ^o^)

    thanks again for helping me, Devinco ;) :D
     
  10. Blackspear

    Blackspear Global Moderator

    Sorry Iceni60, dropped the ball on this one, must have snoozed off ;)


    You have this wrong ;)

    All they want is a made up password by you, so that you can access their download site again should you need to…


    No, not needed with my setup, it runs smoothly ;) :D


    Same with this program.


    Clear as mud ;) :D


    Hope this helps, even with a little tongue in cheek ;) :D

    Cheers :D
     
  11. WilliamP

    WilliamP Registered Member

    Hey guys, I may be wrong, but I think that I read that to get the buffer overflow protection with SP2 you have to have the new 64 Processor from Athlon.
     
  12. Blackspear

    Blackspear Global Moderator

    I have Prevx instead ;)

    Cheers :D
     
  13. Hyperion

    Hyperion Registered Member

    To all:

    I've had buffer underrun with SSM too. The solution is to delete mchooknt.dll. The suggestion was given to me by SSM's author himself and works (I'm running the latest version with SP2 right now, but used it with SP1 too).
     
  14. iceni60

    iceni60 ( ^o^)

    well, one thing i haven't done, which i know is awful is update my friend's computer to SP2, although the computer has only been used to come here. so when we've got SP2 i'll get Prevx, if all runs smoothly i might give it a go on my computer :p thanks for the advice, Blackspear :D
     
  15. iceni60

    iceni60 ( ^o^)

    do you mean the latest public release or the latest Beta release? thanks, Hyperion
     
  16. Blackspear

    Blackspear Global Moderator

    My pleasure.

    Cheers :D
     
  17. Blackspear

    Blackspear Global Moderator

    Until Eset work out what the conflict is between SSM and Nod32, SSM has been removed from my system :doubt:

    Cheers :D
     
  18. iceni60

    iceni60 ( ^o^)

    why do sandboxes suffer from buffer problems? is it because they never know how much memory they are going to have to use and they need to act quickly o_O
     
  19. Hyperion

    Hyperion Registered Member

    I meant the 1.9.4 beta. But now I see a new beta is out and I also see that unfortunately SSM is going to be shareware soon.

    I have tried PrevX beta, and was doing fine, but I didn't like the fact that it wants to call home and download "updates" every few days. I think I'll go with Abtrusion Protector again soon.
     
  20. Alec

    Alec Registered Member

    I believe that this is only partly correct. When people discuss "buffer overflow" vulnerabilities, by far the most common is technically a stack overflow (there are also heap overflows, but I believe those are more difficult to take advantage of for the purposes of malware execution). Windows XP SP2 attempts to tackle these problems in several ways:
    1. hardware-enforced Data Execution Prevention (DEP), which requires the use of a processor that supports No Execute (NX) protection;
    2. software-enforced Data Execution Prevention (DEP), that is a limited subset of protection functionality that can run on any processor; and
    3. recompilation of many core Windows executables with the use of the latest compiler options which assist in preventing stack overruns.
    So, clearly you get the biggest benefit with the latest processors which support NX... but my understanding is that those without such processors also get some benefits with SP2.

    The "stack" is the place where the processor stores many things temporarily. It is called a stack because you can think of it sort of like a stack of trays in a cafeteria or a stack of Pez in a Pez dispenser or something. The processor can "push" things it wants to store onto the stack, and then "pop" them off later. Usually it is a last-in, first-out (LIFO) storage mechanism. But, you can also access the stack locations directly sometimes if you need to as well.

    At a fundamental level the most common thing the stack is used for is what's described as the creation of a stack frame for a called function. Let's say your program has a "Main" function where processing basically begins, and inside that Main function is a call to another function called "CreateWindow" which will create a displayable window for us. Well, the processor not only needs to know where in memory it should jump to begin execution of CreateWindow, but it also must know where in memory it is supposed to return to once CreateWindow is finished. It stores this "return address" on the stack. It also stores various register state information on the stack. If CreateWindow has some temporary, "local" variables that it needs then these are also created as positions on the stack.

    The problem traditionally has been that if a developer is not careful in their use of variables, then sometimes a value that is too big can be written into one of those "local" variable locations on the stack which would cause changes in unrelated variables and stack locations as the given variable would overflow into them. Hackers can often exploit these conditions by purposely overflowing the local variable locations to such an extent that they can overwrite the return address in the stack frame. Then, when the processor thinks it is done with the called function, say our CreateWindow example, the processor will be tricked into "returning" to a location it is not supposed to be going to. The hacker can therefore get the processor to run code he/she wants run.

    Modern compilers can essentially automatically put in things like stack guards that are values placed "in front" of the return address. If a local variable overflows now and tries to overwrite the return address, it will also overwrite the stack guard which acts like an alarm or tripwire. When the compiler creates code to return from the called function, it will also automatically add code that checks the stack guard value to see if it has been tampered with. If it has, the compiler code can halt execution of the program which is usually far preferable to malware beginning execution on your system. The technology isn't 100% infallible, and it doesn't automatically eliminate stack overflow programming errors, but it does make it harder for hackers to take advantage of those underlying errors.
     
    Last edited: Sep 16, 2004
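    Alec's description above of the frame layout, the local buffer spilling over the return address, and the compiler-inserted stack guard, worked through as an added C example that is not from this thread or from any of the products discussed in it. It models one frame as a plain byte array (a constructed layout for illustration, not how a real x86 frame is addressed), with the buffer lowest, then the guard, then the saved return address; the guard value 0xDEADBEEF and the return address 0x00401000 are placeholders chosen here (a real compiler plants a per-run random guard). The unbounded copy stands in for strcpy(), the bounded copy for the careful alternative, and guard_intact() for the check emitted before the function returns.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one stack frame, laid out in a byte array so the overwrite
 * order is visible and deterministic (a constructed layout for illustration,
 * not how a real x86 frame is addressed). Low address to high:
 *   [ local buffer: BUF_SIZE bytes ][ stack guard: 4 bytes ][ return address: 4 bytes ]
 * A write that runs past the buffer lands on the guard first, then on the
 * saved return address, which is the order the post above describes. */
#define BUF_SIZE    8
#define GUARD_VALUE 0xDEADBEEFu   /* placeholder guard; real compilers use a per-run random value */
#define RET_ADDR    0x00401000u   /* placeholder return address */

typedef struct {
    uint8_t mem[BUF_SIZE + 2 * sizeof(uint32_t)];
} frame_t;

/* Lay out a fresh frame: zeroed buffer, intact guard, known return address. */
static void frame_init(frame_t *f) {
    uint32_t guard = GUARD_VALUE, ret = RET_ADDR;
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_SIZE, &guard, sizeof guard);
    memcpy(f->mem + BUF_SIZE + sizeof guard, &ret, sizeof ret);
}

/* The careless pattern: copy up to the terminating NUL, as strcpy() does,
 * with no regard for BUF_SIZE. (Clamped to the model array so the simulation
 * itself stays in bounds; the effect on guard and return address is the same.) */
static void copy_unbounded(frame_t *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > sizeof f->mem) n = sizeof f->mem;
    memcpy(f->mem, src, n);
}

/* The careful pattern: refuse input that does not fit, so nothing past the
 * end of the buffer is ever written. */
static bool copy_bounded(frame_t *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > BUF_SIZE) return false;
    memcpy(f->mem, src, n);
    return true;
}

/* The check a stack-protecting compiler emits just before the function
 * returns: is the guard still the value that was planted? */
static bool guard_intact(const frame_t *f) {
    uint32_t guard;
    memcpy(&guard, f->mem + BUF_SIZE, sizeof guard);
    return guard == GUARD_VALUE;
}

/* Read back the saved return address so corruption can be observed. */
static uint32_t saved_return_address(const frame_t *f) {
    uint32_t ret;
    memcpy(&ret, f->mem + BUF_SIZE + sizeof(uint32_t), sizeof ret);
    return ret;
}

/* Outcome codes for one simulated call. */
enum { RETURNED_CLEANLY = 0, GUARD_TRIPPED = 1, INPUT_REJECTED = 2 };

/* Simulate a call that copies `input` into its local buffer and then runs
 * the guard check on the way out. GUARD_TRIPPED is where a real program
 * would be halted instead of returning to a corrupted address. */
static int simulate_call(const char *input, bool hardened_copy) {
    frame_t f;
    frame_init(&f);
    if (hardened_copy) {
        if (!copy_bounded(&f, input)) return INPUT_REJECTED;
    } else {
        copy_unbounded(&f, input);
    }
    return guard_intact(&f) ? RETURNED_CLEANLY : GUARD_TRIPPED;
}

/* Return address observed after an unbounded copy of `input`. */
static uint32_t return_address_after_unbounded(const char *input) {
    frame_t f;
    frame_init(&f);
    copy_unbounded(&f, input);
    return saved_return_address(&f);
}

int main(void) {
    /* Constructed inputs: one that fits the buffer, one far longer than it. */
    const char *ok  = "short";
    const char *big = "this input is far too long for the buffer";
    printf("unbounded copy, fits:    outcome %d\n", simulate_call(ok, false));
    printf("unbounded copy, too big: outcome %d (return address now 0x%08x)\n",
           simulate_call(big, false), (unsigned)return_address_after_unbounded(big));
    printf("bounded copy, too big:   outcome %d\n", simulate_call(big, true));
    return 0;
}
```

    Running it shows the three cases the post distinguishes: input that fits leaves the guard and return address untouched; oversized input through the unbounded copy overwrites both, and the guard check catches it before the corrupted return address is used; the bounded copy never reaches the guard at all because it rejects the input first. The guard is a tripwire, not a fix for the underlying bug, which is why the bounded copy is the part that actually removes the defect.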
  21. iceni60

    iceni60 ( ^o^)

    i just downloaded ssm. in post 19 of this thread, Hyperion says you can delete the mchooknt.dll to stop buffer underrun. does this mean if i delete the dll, when it's installed, i won't have buffer overrun?
     
  22. iceni60

    iceni60 ( ^o^)

    don't bother with my last question. when i clicked ssm.exe, my computer didn't just reboot, or even take the 4 secs or so it would, to shut down, if i pressed the button on the floor thingy. it just turned straight off. i'll keep it just in case i ever need to turn my computer off really quickly :D
     
  23. solarpowered candle

    solarpowered candle Registered Member

    You can set the frequency it checks for updates: right-click monitor > show management console > preferences > Update frequency (there you can set the number of days). As it doesn't rely on updates (it uses a different method of detection) it's not really required that often at all.
     