Is the shell-code injection protection of D+ good to go against heap spray and / or ROP chain exploits?
That stuff is scary as all get-out. A root-kit drive by download is the stuff of nightmares.
I’ve configured D+ paranoid. I get a D+ alert for everything. ALL rules are custom except:
Windows System Applications (sans SVCHost) - Windows System Applications
Windows Updater Applications - Installer Updater
Update, i.e., %windir%\SoftwareDistribution\Download*\update\update.exe, ?:*\install.exe, ?:*\HotFixInstaller.exe, - Installer / updater
drwtsn32.exe - trusted
dwwin - trusted
ntbackup - trusted
shell32 - Installer / updater
That being said, SVCHost was removed from the default CIS file-group and runs per its own custom rule.
AFAIU, CIS will block execution and access to any ‘resource’ by any process that CIS don’t know anything 'bout.
The question in my mind is how robust CIS is against a heap spray type attack whereby CIS becomes corrupt per its internal polls.