SP2 and Buffer-overflow

i hear that SP2 protects against buffer-overflow. the last time i tried SystemSaftyMonitor my computer couldn't handle it because of buffer-overflow and shut down.

With SP2 now installed will that stop the shutdown from happing?

also i hear that Prevx protects against buffer-overflow, but in a different way from SP2. will this mean that i can install Prevx, and with SP2, wont have any problems with my computer shuting down?

thanks, iceni60 : )

 

I had the same problem, see post number 111 here

No.

No, try not installing SSM and see how you go…

Cheers

 

thanks for the reply, Blackspear .

but are you saying that you had SSM, Prevx and nod all running at the same time?

and also did you have SP2 when this happened?

because this PC has AVG and would only run SSM or Prevx with SP2

this is my friends PC and that is what we were thinking of trying it on.

however, i was also going to try it on my own PC and from what i can remember we have almost exactly the same security apps as one another, so if that happened to you it will more then likely happen to me too.

BTW, have you tried, abstrusion Protector? and im not sure if this is the same program as abstrusion Protector, but there is also PC Internet Patrol. i got these from post no.5 from this thread

once again Blackspear, thanks for your time and help

 

Just curious what versions of SSM you guys are using? Because there are different versions of SSM including a yet to be released beta version that may work better with other programs and sp2. You can still get SSM v1.89 at snapfiles.com and it may work better. I just downloaded and saved the installer for 1.89 just incase i want it later and it is no longer available. I think the last version of SSM, before the yet to be released beta, was 1.9.4 (beta 1). I would try the different versions and see which works best. You may need to learn Russian though to find some of the different versions.

 

Yes, latest public release versions of all…

Yes.

I would then run Prevx, as you can use TeaTimer that comes as part of Spybot Search and Destroy to monitor the registry…

I believe it will, Eset are currently working on why there is a conflict…

I did try AP, I can’t remember why I stopped using it, but then again I have a fairly tight system, you can see my current spec’s here

My pleasure…

Let us know how you go…

Cheers

 

thanks, Blackspear. i think i'll give prevx a try. one thing while i remember. on the form you have to fill out at Prevx, it asks for your password. now, to me it looks like it's asking for your email password . can you tell me that i've got this wrong? and they're just asking for a password to use for there program that isnt related to my email.

Blackspear, do you know of PC Internet Patrol?

and TimeKeeper, i dont remember which version of SSM i was useing, but it was about 3 months ago i downloaded from their site written in English

oh, and just-in-case it wasnt clear, although i just saw the thread starter was iceni60 at friends, helen is my friend and i was at her house

 

can anyone tell me which password they are asking for in the form? email or program password? thanks

 

Ice,

The password is just for PrevX website, not your email password.

 

thanks again for helping me, Devinco

 

Sorry Iceni60, dropped the ball on this one, must have snoozed off

You have this wrong

All they want is a made up password by you, so that you can access their download site again should you need to…

No, not needed with my setup, it runs smoothly

Same with this program.

Clear as mud


Hope this helps, even with a little tongue in cheek

Cheers

 

Hey guys I may be wrong but I think that I read that to get the buffer overflow protection with SP2 you have to have the new 64 Processor from Athlon.

 

I have Prevx instead

Cheers

 

To all:

I ve had buffer underrun with SSM too.The solution is to delete mchooknt.dll . The suggestion was given to me by SSM's author himself and works (i m running the latest version with SP2 right now ,but used it with SP1 too)

 

well, one thing i havent done, which i know is awful is update my friend's computer to SP2, although the computer has only been used to come here. so when we've got SP2 i'll get Prevx, if all runs smoothly i might give it a go on my computer thanks for the advice, Blackspear

 

do you mean the latest public release or the latest Beta release, thanks Hyperion

 

My pleasure.

Cheers

 

Until Eset work out what the conflict is between SSM and Nod32, SSM has been removed from my system

Cheers

 

why do sandboxes suffer from buffer problems? is it because they never know how much memory they are going to have to use and they need to act quickly

 

I meant the 1.9.4 beta. But now i see a new beta is out and i also see that unfortunately SSM is going to be shareware soon.

I have tried PrevX beta,and was doing fine,but i didn't like the fact that wants to call home and download "updates" every few days.I think i ll go with Abtrusion Protector again soon.

 

I believe that this is only partly correct. When people discuss "buffer overflow" vulnerabilities, by far the most common is technically a stack overflow (there are also heap overflows, but I believe those are more difficult to take advantage of for the purposes of malware execution). Windows XP SP2 attempts to tackle these problems in several ways:

1. hardware-enforced Data Exectution Prevention (DEP), which requires the use of a processor that supports No Execute (NX) protection;
2. software-enforced Data Execution Prevention (DEP), that is a limited subset of protection functionality that can run on any processor; and
3. recompilation of many core Windows executables with the use of the latest compiler options which assist in preventing stack overruns.

So, clearly you get the biggest benefit with the latest processors which support NX... but my understanding is that those without such processors also get some benefits with SP2.

The "stack" is the place where the processor stores many things temporarily. It is called a stack because you can think of it sort of like a stack of trays in cafeteria or stack of Pez in a Pez dispenser or something. The processor can "push" things it wants to store onto the stack, and then "pop" them off later. Usually it is a last-in, first-out (LIFO) storage mechanism. But, you can also access the stack locations directly sometimes if you need to as well.

At a fundamental level the most common thing the stack is used for is what's described as the creation of a stack frame for a called function. Let's say your program has a "Main" function where processing basically begins, and inside that Main function is a call to another function called "CreateWindow" which will create a displayable window for us. Well, the processor not only needs to know where in memory it should jump to begin execution of CreateWindow, but it also must know where in memory it is supposed to return to once CreateWindow is finished. It stores this "return address" on the stack. It also stores various register state information on the stack. If CreateWindow has some temporary, "local" variables that it needs then these are also created as positions on the stack.

The problem traditionally has been that if a developer is not careful in their use of variables, then sometimes a value that is too big can be written into one of those "local" variable locations on the stack which would cause changes in unrelated variables and stack locations as the given variable would overflow into them. Hackers can often exploit these conditions by purposely overflowing the local variable locations to such an extent that they can overwrite the return address in the stack frame. Then, when the processor thinks it is done with the called function, say our CreateWindow example, the processor will be tricked into "returning" to a location it is not supposed to be going to. The hacker can therefore get the processor to run code he/she wants run.

Modern compilers can essentially automatically put in things like stack guards that are values placed "in front" of the return address. If a local variable overflows now and tries to overwrite the return address, it will also overwrite the stack guard which acts like an alarm or tripwire. When the compiler creates code to return from the called function, it will also automatically add code that checks the stack guard value to see if it has been tampered with. If it has, the compiler code can halt execution of the program which is usually far preferable to malware beginning execution on your system. The technology isn't 100% infallible, and it doesn't automatically eliminate stack overflow programming errors, but it does make it harder for hackers to take advantage of those underlying errors.

 

i just downloaded ssm. in post 19 of this thread, Hyperion says you can delete the mchooknt.dll to stop buffer underrun does this mean if i delelte the dll, when its installed, i wont have bufferoverrun?

 

dont bother with my last question. when i clicked ssm.exe, my computer didnt just reboot, or even take the 4 secs or so it would, to shut down, if i pressed the button on the floor thingy. it just turned straight off. i'll keep it just incase i ever need to turn my computer off really quickly

 

You can set the frequency it checks for updates RT click monitor > show management console >lpreferences > Update frequency .(there you can set the amount of days ) As it doesnt rely on updates ( it uses a diffirent method of detection ) its not really required that often at all.