Comodo Memory Guardian Beta v1 (Buffer overflow Protection) [Closed]

Comodo Memory Guardian is a buffer overflow detection and protection tool which provides the ultimate defense against one of the most serious and common attack types on the Internet.

What is a Buffer Overflow attack?

…excerpt from Buffer overflow - Wikipedia
"
In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination, or in the event of the user being malicious, a possible breach of system security.

A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by either the programmer or the compiler can prevent buffer overflows."

Features:

  • Detection of Buffer Overflows which occur in the STACK memory
  • Detection of Buffer Overflows which occur in the HEAP memory
  • Detection of ret2libc attacks
  • Full 32 bit and 64 bit Support

Important Note: This is a BETA product and is intended only for the users who would like to test the product and provide us some feedback. It may contain major bugs which may cause your system to be unstable or cause permanent data loss. Please do not install this software on a production machine or distribute it.

You may download it from the following locations:

For Windows 2000 SP5 /XP SP2(32 Bit),
http://download.comodo.com/cpf/download/setups/beta/cmg32_install.exe

For Windows Vista(32 Bit)
http://download.comodo.com/cpf/download/setups/beta/cmg32vista_install.exe

For XP (64 Bit - X64)
http://download.comodo.com/cpf/download/setups/beta/cmg64_install.exe

For Windows Vista(64 Bit - X64)
http://download.comodo.com/cpf/download/setups/beta/cmg64vista_install.exe

Please go ahead and give us your feedback. Thank you.

(CLY)

Melih

Sounds like a nice product.
I’ll try it out now, and tell you in a few days about my experience with it.
I bet it’s a good product, since it’s from Comodo :wink:

Ragwing (L) (R)

EDIT: Installed and rebooted, no BSoD so far :wink: But it seems like it opens up the Comodo folder on start? Seems strange since it’s not even installed in that folder, and there’s no tray icon even though ‘C:\Program\Comodo Memory Guardian\cmg.exe’ is set to start on boot-up. I’ll try and see if it works if I change it to “C:\Program\Comodo Memory Guardian\cmg.exe” -minimize or “C:\Program\Comodo Memory Guardian\cmg.exe” /background. Otherwise, the main driver, cmgs32.exe, is running as normal.

Small thing… I also ran into the AutoRun issue with CMG.EXE (the systray/UI component). The entry has not been correctly set up for the way it is called… as a result it tries (and succeeds in my case) to open explorer. This is because the AutoRun entry is not encapsulated in double quotes as it should be, and the nested spaces in the directory name “break” the command & force the opening of explorer as a result. A quick edit to add the missing DQs resolved that & it now starts fine.

PS If CMG.EXE is not running, then the service (CMG32S.EXE for XP/32) is effectively disabled. So, you need to get CMG.EXE running.

Ah, thanks Kail, how could I forget to add DQs before adding -minimize and /background. Also, like Kail said, this is a serious bug, since without cmg.exe CMG fails the test, as it won’t pop up any warning message. Instead, the test just fails. So this should be fixed by the next beta/final. But otherwise, there’s no other problem so far. I’ll let you know if I find some more.

Ragwing

Actually I didn’t say it was a serious bug, since it can easily be rectified & is also, visibly, a bit obvious. Even running CMG.EXE manually, if you don’t know how to edit AutoRun entries, will fix it. You could probably also install CMG without nested spaces in the directory path… that will probably work as well (not tested by me). I actually said it was a “small thing”.

edit: I considered it a small “deployment” issue. But, that is why it’s a beta.

I think there are a few test apps out there that try to write to the Stack or Heap that you can use to test this product. Or even go to some sites that you know will attempt a BO :slight_smile: (at your own risk, that is, of course :slight_smile: )

Melih

Yes, I know it’s not serious if you just run it manually, or know how to modify auto-start values.

I tested terminating the cmg.exe process using various methods, and it failed almost all of them. I didn’t try with cmgs32.exe, but I guess it’s the same for it, and also, it’s useless without cmg.exe. I use a software called Advanced Process Termination, from DiamondCS. It has 2 suspend+resume methods, 12 kill methods, 2 kernel kill methods and 2 crash methods.

Here’s the results for cmg.exe:

KEY: 1=Termination succeeded 0=Termination failed

TerminateProcess kill method: 1
WM_CLOSE message method: 0
WM_QUIT message method: 1
SC_CLOSE message method: 0
TerminateThread kill method: 1
CreateRemoteThread->ExitProcess method: 1
EndTask kill method: 1
DebugActiveProcess kill method: 1
EIP modification->ExitProcess kill method: 1
WinStationTerminateProcess kill method(requires Terminal Services): 1
DLL inject that calls ExitProcess: 1
Inject killcode into an accomplice process which becomes the terminator: 1
ZwTerminateProcess kill method (Kernel-mode/driver based): 1
VirtualProtectEx method: 1
WriteProcessMemory method: 1

I don’t know what kind of method trojans and other malware use to terminate processes. Also, maybe add protection from termination through task manager?

Ragwing

Hi Ragwing

The protection against termination will be provided by CFP v3. There was no point in writing the same code in 2 different products. This product is a natural fit for CFP v3. However we are releasing it on its own to first get it to a mature level, then we will include it in CFP v3 as well as making it available (most likely) on its own as well. So the tests we would like to see would be: Any kind of BO attacks to see if CMG can stop them or not.
Thank you.
Melih

Genius (Brainiac )

Experienced the blue screen of death repeatedly; always suspected the heat (meaning temperature :SMLR ) – no funny code on the disks.
Can’t wait to see it inside CFP v3; hopefully this will finally prevent iexplorer (badly coded websites) from taking control of the running tasks. I’ll install it first thing tomorrow morning.
Brilliant.

Melih is a shrewd guy, he asks us (https://forums.comodo.com/feedbackcommentsannouncementsnews/buffer_overflow_attack_protection_how_important_is_it-t10989.0.html;msg78409#msg78409) what we think about BO protection - if Comodo should provide it - and the next few days he gives it to us!

(R)

/LA
EDIT: OK, I have it too now. No problems this far (XP, SP2), but I changed the startup value before rebooting, so I don’t know what would have happened. I see there is not much to configure or play around with, I guess we’ll have to wait for an attack. Does anybody suspect we’re gonna be attacked soon?

What can I do to give Comodo feedback on this one? Thanks.

EDIT 2: I really like the tray icon.

Did the same thing w/BOclean… Hmm, I don’t suppose Comodo bought out NGSec, did they? :wink:

LM

Yeah, I had BOClean in my mind too, when I wrote my post :wink:

/LA

I’m not sure if this has been reported above, but the following happens (image attached) when Comodo Memory Guardian is running, and I try to open the interface via the start menu shortcut.

/LA

[attachment deleted by admin]

That happens when it’s already running.
If it’s in the sys tray and you try to run it again, this is the message you get.
We’ll fix it. Thanks.

There should be some tests out there you can try, or some malware that attacks you through a BO that you can try if you like :wink: (he he).

Melih

Sounds like a great product.
I will give it a run in a few days.
I will watch the forums for a little while and see what the comments are; a little short on time for a while.
:THNK

OD

I don’t know about everybody else, but I’m having trouble finding any BO test applications… found some incomplete & example C source code. But, nothing you can just run. Anything that was once on offer has since been removed. There’s some SQL & XML stuff… but, again it’s example code. I ignored some payware.

BO Malware… for me that’s a problem, I’ve no idea where to find any (on purpose). I did try to join the Malware-Research forum some time ago, but they rejected my application. Perhaps someone else (Kevin for example) is a member there & can get their hands on some BO deploying Malware or perhaps CMG can be investigated on those forums, assuming they’re willing to share the results… of course, they might not be at all interested. But, no harm in asking.

kail,

Have you checked Foundstone to see if any of their free tools will simulate an overrun? All their stuff is geared toward security testing, so they might have something…

LM

LM

Initially, no I didn’t. Probably because Google didn’t find anything there. But, after just looking through the tools there, I still cannot find any buffer overflow tests.

CMG does come with one test itself. It’s installed in the program menu.
Melih

Could not resist.
I loaded it and right away I noticed 2 things.
I am using a Limited (user) account in Windows XP SP2, all security patches installed.

  1. No icon in systray when logged in as user, though it does show up when logged in as an Admin
  2. When I first log in it automatically opens c:\programs files\comodo, not sure if it does when I’m logged in as Admin, I’ll check

I think I saw comments about both of these but I am posting anyway, I need to keep the count up (:WIN)

OD

Thanks Melih, great work Comodo Team.
Edit:
It appears that CMG is not starting when I logged in as Admin either (not my real admin name). I still did not have an icon in the systray, only right after install (not a big problem, I can fix that one).

Test seemed to Work and CMG passed, as it should. This test was created specifically for CMG

   1. I checked Block and it logged this:

[31-07-2007 10:28:36 PM]
process: C:\Archivos de programa\Comodo Memory Guardian\test32.exe
attack type: buffer overflow
address: 0x0006FFBD
memory type: stack
action: kill
   2. I checked Allow and it logged this:
[31-07-2007 10:30:20 PM]
process: C:\Archivos de programa\Comodo Memory Guardian\test32.exe
attack type: buffer overflow
address: 0x0006FFBD
memory type: stack
action: allow

After clicking allow it opens Cmd.exe
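As an added example that is not part of the thread or of CMG itself, here is a small parser for the log entries quoted in the post above, so that a batch of such entries can be turned into structured events and the ones that were allowed through can be picked out. The entry layout (a bracketed timestamp line followed by "key: value" lines) and the field names are assumed from the two entries shown; the sample input is those two entries, constructed inline.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the two entries posted above, verbatim.
SAMPLE_LOG = r"""[31-07-2007 10:28:36 PM]
process: C:\Archivos de programa\Comodo Memory Guardian\test32.exe
attack type: buffer overflow
address: 0x0006FFBD
memory type: stack
action: kill
[31-07-2007 10:30:20 PM]
process: C:\Archivos de programa\Comodo Memory Guardian\test32.exe
attack type: buffer overflow
address: 0x0006FFBD
memory type: stack
action: allow
"""

# A bracketed "DD-MM-YYYY hh:mm:ss AM/PM" line opens every entry (assumed from the samples).
TIMESTAMP_RE = re.compile(r"^\[(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d [AP]M)\]$")
TIMESTAMP_FMT = "%d-%m-%Y %I:%M:%S %p"

@dataclass
class CmgEvent:
    time: datetime
    process: str
    attack_type: str
    address: int      # decoded from the hex string in the log
    memory_type: str  # "stack" or "heap", per the feature list in the first post
    action: str       # "kill" when Block was clicked, "allow" otherwise

def parse_cmg_log(text: str) -> list[CmgEvent]:
    """Group the log's lines into events; each timestamp line starts a new one."""
    blocks: list[tuple[datetime, dict[str, str]]] = []
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line.strip())
        if m:
            blocks.append((datetime.strptime(m.group(1), TIMESTAMP_FMT), {}))
        elif blocks and ":" in line:
            # Split on the first colon only, so the "C:\" drive prefix in the path survives.
            key, _, value = line.partition(":")
            blocks[-1][1][key.strip().lower()] = value.strip()
    return [CmgEvent(t, f.get("process", ""), f.get("attack type", ""),
                     int(f.get("address", "0"), 16), f.get("memory type", ""),
                     f.get("action", "")) for t, f in blocks]

def allowed_events(events: list[CmgEvent]) -> list[CmgEvent]:
    """Entries where Allow was clicked, i.e. the overflow was let through."""
    return [e for e in events if e.action == "allow"]
```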