I am curious if Defense Plus can intercept this malware. It was able to bypass Faronics Anti-executable.
Maybe the buffer overflow protection could. The mentioned ROP and stack pivoting are both attacks on the stack. The stack gets protection from the buffer overflow protection, but I cannot comment on details and whether that protection is enough.
Ok, I tested it with Comodo Defense Plus, paranoid mode, and it failed as expected.
Malwarebytes AntiExploit intercepts it as expected.
I think it's time for CIS to get an anti-exploit module, just like MBAE, HitmanPro Alert and EMET.
[attachment deleted by admin]
Such a wish was created but was then rejected. I objected to the rejection, but my objection was rejected because I’ve not been able to show an instance where an exploit has been able to bypass CIS… Well, my objection wasn’t really rejected, I just wanted to make the word thingie…
Either way, please report your findings in this thread: https://forums.comodo.com/addedrejected-wishes-cis/ability-to-detect-when-exploits-try-to-deliver-payload-and-sbox-payload-m1276-t107099.0.html and preferably ask them to reconsider the wish.
I think the miserable failure of Comodo against such attacks should be enough, especially after this post. However, I can understand that it will need a lot of new code to be written.
Fileless malware versus HPA.
[attachment deleted by admin]
And finally fileless malware versus EMET.
[attachment deleted by admin]
Very nice aigle, I believe that this is an issue that Comodo needs to pursue. If they aren’t ready to commit to a full-on exploit shield, protecting against this specific method is the least they could do.
Anyone know of a good guide to using EMET? I tried setting it up a while ago and just got so darn confused and didn’t understand what any of it meant, even after trying to look it up.
I would use Malwarebytes Anti-Exploit but it doesn’t support Comodo Dragon by default and you need to pay to get it to protect custom applications… I’d be fine with it if it was a one time payment, but nope.
I did the test on my production machine with Win 7 Pro x64 SP1 updated (and modified/configured) + CIS 8 final configured by me (almost no changes), and the malware gets sandboxed and blocked (2 distinct tests), but there was no file to be removed, just a freak log with no information. I guess I am protected from this kind of malware… right?
so…?
How do you know it?
Two interesting exploit tools/POCs are here.
1- mbae-test.exe
It needs MBAE installed or just copy msvcr100d.dll from MBAE folder to the directory where you put the mbae-test.exe.
2- hmpalert-test.exe
I was reading some of the information you linked and noticed that the testing takes place on Windows XP SP2. Out of curiosity, I am wondering if they are equally vulnerable.
Add
\Device\*vid*
to protected files/folders and CIS will protect the webcam.
What do you mean by they?
I meant to ask if later Windows versions were equally vulnerable. Sorry for the confusion.
“…but there was no file to be removed, just a freak log with no information”
Is that not clear?
Screenshot of log would make it more clear…
I’m not sure if it matters or not – the mentioned applications might originate from trusted vendors.
Hi Eric! I don’t have many details. These were basically Java, Flash exploits etc. The original tester did show the exploit working on Windows 7 as well. See here please.
Sure, it’s not clear. I am not an expert. Can’t comment. Regarding files, you must know it is fileless malware, in memory only.