TF, CMF, Sandboxie, and buffer overflows

Discussion in 'other anti-malware software' started by jdd58, May 14, 2008.

Thread Status:
Not open for further replies.
  1. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    525
    Location:
    Arizona
    Does anyone see the need for Comodo Memory Firewall if one is using Threatfire?
    Both claim buffer overflow protection.

    Or is that a moot point as all browsing is done inside Sandboxie?

    As it is on my Vista laptop I keep all programs updated and have DEP enabled for all programs. Previous versions of Threatfire have never run without problems on this laptop, but the current version works so well on XP I may give it another try. CMF on the other hand is very unintrusive.

    Currently running Avira Personal, CMF, Sandboxie paid on this machine.

    Thanks
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well when you consider TF (and are running LUA, at least in quiet mode using TweakUAC freeware utility), you could change to TF + SB only (so drop Avira and CMF).

    CMF on the other hand protects against TWO forms of buffer overflow that NO other security program protects against. So in this sense CMF is a UNIQUE program. You have to give Comodo credit for that.

    Irony is that CMF protects against a threat which is nearly as rare as it is unique, because it is very difficult to abuse these two buffer overflow weaknesses in a controlled and predictable manner. That is probably also the reason that no other security application bothers to protect against it. So it is more marketing than risk containment (risk = chance of happening X impact), if you ask me.


    Regards Kees
     
    Last edited: May 15, 2008
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can get buffer overflows in programs other than just browsers. For example, you could play a poisoned movie file in your media player.

    Since I don't know the intimate details of ThreatFire's buffer overflow protection, I think it would be a good idea to also use Comodo Memory Firewall, unless there is some conflict.

    The buffer overflow protection technologies in Vista are nice, but unfortunately most 3rd-party programs don't use them. As a result, IMHO it's a good idea to use 3rd-party programs that provide buffer overflow protection, even in Vista.

    See https://www.wilderssecurity.com/showthread.php?t=207074, a recent thread on buffer overflows. In particular, see post #119 in that thread.
     
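As an added illustration of MrBrian's point above (not code from the thread or from any of the products discussed), here is a constructed, hypothetical file header parser: the unsafe version trusts a length byte from the file and overruns a fixed buffer on a poisoned input, while the hardened version rejects the same input before any copy. The file format, sample bytes and function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "media file" header (hypothetical format, not any real codec):
   byte 0 = declared length of a title tag, bytes 1.. = the tag text. */
#define TAG_MAX 16

/* Vulnerable parser: trusts the length byte from the file and copies that many
   bytes into a fixed 16-byte buffer. A poisoned file that declares a length
   above TAG_MAX overruns the buffer. This is the bug class the memory-protection
   tools in the thread (DEP, CMF, ThreatFire) try to contain after the fact. */
int parse_tag_unsafe(const uint8_t *file, size_t file_len, char tag[TAG_MAX + 1])
{
    if (file_len < 1) return -1;
    size_t declared = file[0];                  /* attacker-controlled */
    memcpy(tag, file + 1, declared);            /* no check against TAG_MAX */
    tag[declared] = '\0';
    return (int)declared;
}

/* Hardened parser: validates the declared length against both the destination
   buffer and the bytes actually present before copying. Returns -1 on any
   inconsistency so a malformed file is rejected instead of overflowing. */
int parse_tag_safe(const uint8_t *file, size_t file_len, char tag[TAG_MAX + 1])
{
    if (file_len < 1) return -1;
    size_t declared = file[0];
    if (declared > TAG_MAX) return -1;          /* would overrun 'tag' */
    if (declared > file_len - 1) return -1;     /* would read past the file */
    memcpy(tag, file + 1, declared);
    tag[declared] = '\0';
    return (int)declared;
}

/* Constructed sample inputs: a benign header and one whose length byte lies. */
static const uint8_t benign[]   = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t poisoned[] = { 200, 'A', 'A', 'A', 'A' };

int main(void)
{
    char tag[TAG_MAX + 1];
    printf("benign:   %d\n", parse_tag_safe(benign, sizeof benign, tag));     /* 5 */
    printf("poisoned: %d\n", parse_tag_safe(poisoned, sizeof poisoned, tag)); /* -1 */
    /* parse_tag_unsafe(poisoned, ...) would write 200 bytes into a 17-byte buffer. */
    return 0;
}
```

The same length-versus-buffer check is what a sandbox or memory-protection tool cannot add for you; it only limits what happens once the unchecked copy has already corrupted memory.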
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    MrBrian,

    Thanks for the info

    Do you know of a PoC (I am not allowed to ask for malware) which uses the two methods CMF UNIQUELY protects against (not the common one everybody protects against), which not only proves that it can change an address field, but also manages to use it in a controlled and predictable manner (meaning hijacking the execution flow)?

    Regards Kees
     
  5. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    525
    Location:
    Arizona
    Kees and Mr. Brian, thanks for the thoughtful replies.

    That previous thread is what led me to install CMF. However, I wanted to avoid duplication of coverage (less chance of conflict) if I installed TF. So far the new version of TF is not exhibiting any of the previous problems on this PC, and both are running together without problems.

    If I find time it would be interesting to try some of the testing tools (PoCs) and see which program nabs it first.

    Kees, I agree completely regarding (risk = chance of happening X impact), which may lead me to follow your advice as I do run a LUA.

    Mr. Brian, thanks for the heads up regarding poisoned media player files. If I run the media player sandboxed I think I would be protected in that instance also. Correct me if I am wrong.

    Again, Thanks
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). You're correct, but any type of (poisoned) data coming into contact with a vulnerable program could potentially cause a buffer overflow. I just gave one particular example.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Offhand, sorry, I don't have such info. But I wouldn't assume that just because program A and program B cover the same type of buffer overflow, protection on that type of buffer overflow is the same across all possible buffer overflows, due to differences in how the buffer overflow protection is implemented. Please see the 'Bypassing 3rd Party Windows Buffer Overflow Protection' article referenced in post #119 at https://www.wilderssecurity.com/showthread.php?t=207074 for more details.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I forgot about Comodo BO Tester.
     