Exploits Explained: Comprehensive Exploit Prevention and Vendor Offerings

Status
Not open for further replies.

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Exploits take advantage of weaknesses in legitimate software products like Adobe Flash and Microsoft Office to infect computers for criminal purposes. They’re commonly leveraged by cybercriminals in order to penetrate organizations’ defenses. The objectives of these criminals are diverse: stealing data or holding it for ransom, performing reconnaissance, or simply as a means to deploy more traditional malware.

It’s common to find exploits used as part of cyber attacks: upwards of 90% of reported data breaches find that an exploit is used at one or more points in the attack chain. Including exploit prevention as part of a comprehensive lineup of security defenses is clearly valuable. Exploits have been around for more than 30 years, so it should come as no surprise that almost every major security vendor can claim some level of exploit prevention. However, the breadth and depth of that protection varies significantly between vendors. For some, it’s a box to tick; for others, it’s a major focal point. Read this paper to learn more about exploits and the various levels of exploit prevention found in prominent security products.

way more in the link above
 

ForgottenSeer 55474

Thanks for that article. I have Bitdefender, Malwarebytes Anti-Malware + Anti-Exploit (both premium) + SUPERAntiSpyware + HitmanPro.
Am I safe then, or could I do more to stay safe? :)
What about Android? I have an HTC Nexus 9 running 7.0 Nougat, with Dr.Web Security Space (lifetime subscription) + Malwarebytes.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
In addition to @Azure Phoenix's, Sophos Intercept X is basically the same as Surfright HitmanPro.Alert, only that it's made for corporations. Thus, we can well say that they are comparing HMP.A against the others in this whitepaper. :)
Yeah, they are comparing business-level applications. I do wonder, though, if the consumer versions of each one are the same or have fewer mitigations than their business counterparts.

@harlan4096
You know a lot about Kaspersky, correct? Can you confirm if the chart is accurate at least regarding Kaspersky Endpoint Security?


I'm also curious what the other vendors that offer exploit mitigations in their antivirus have to say about the comparison.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Okay, so let's say I don't like HMPA, because of the price, or because of the many software and hardware conflicts it generates, or because of whatever.
What are my alternatives, for keeping my browser out of trouble and my log-in credentials safe?
I understand that MBAE is a poor cousin to HMPA.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Yeah, they are comparing business-level applications. I do wonder, though, if the consumer versions of each one are the same or have fewer mitigations than their business counterparts.
These are the closest answers I could get:
"... Sophos Intercept X which is Alert + central management." - HitmanPro.ALERT Support and Discussion Thread
"Sophos Intercept X will bring all features of Alert manageable from the web and also installs alongside other vendor AVs" (emphasis mine). - HitmanPro.ALERT Support and Discussion Thread

Unless they changed things, I think HMP.A and Intercept X are the same (with modifications for Intercept X, of course, as it's for corporate environment).
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,655
Yeah, they are comparing business-level applications. I do wonder, though, if the consumer versions of each one are the same or have fewer mitigations than their business counterparts.

@harlan4096
You know a lot about Kaspersky, correct? Can you confirm if the chart is accurate at least regarding Kaspersky Endpoint Security?


I'm also curious what the other vendors that offer exploit mitigations in their antivirus have to say about the comparison.
Sincerely, there is not much info from Kaspersky about this matter, even less for the business products...

Interesting link:
Strategies for Mitigating Advanced Persistent Threats (APTs) – Securelist – Information about Viruses, Hackers and Spam
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Okay, so let's say I don't like HMPA, because of the price, or because of the many software and hardware conflicts it generates, or because of whatever.
What are my alternatives, for keeping my browser out of trouble and my log-in credentials safe?
I understand that MBAE is a poor cousin to HMPA.
Just make sure your browser, operating system and other applications are properly updated.

As for keeping log-in credentials safe, be careful that the URL you are typing on is legitimate.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
If I run my browser in a sandbox, is there any point in exploit protection for it?
Always having the browser and the plug-ins fully updated is the first step, but let's consider Sandboxie, for example.

SB helps to avoid the possibility that 0-day flaws and remote code execution vulnerabilities in the browser are exploited.
So it avoids the possibility that an exploit may execute the shellcode in the RAM data area of the browser.
Shellcode is OS-oriented code (based on the operating system) that executes instructions to download and install (silent drive-by download and auto-install) specific malware on the system.

SB would prevent shellcode executed in the data area of the browser or the vulnerable plug-in from leading to the installation of malware, as the sandbox itself blocks any output/write operation (install, in this case) from the RAM of the browser to other areas of the system such as the registry, and the creation of executable files and/or malicious .dll files.

Any sandbox could have vulnerabilities, even if in my experience with Sandboxie there has been no problem until now.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
So if your passwords are in a password manager such as LastPass, and your browser is sandboxed/isolated, then your browser won't really benefit from the type of exploit protection offered by HMPA?
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
So if your passwords are in a password manager such as LastPass, and your browser is sandboxed/isolated, then your browser won't really benefit from the type of exploit protection offered by HMPA?
Simply put, malicious JavaScript code with hard-coded malicious links and search functions can easily send browser-level passwords to a remote server, and all this happens inside Sandboxie.
For this reason I always say that lightweight virtualization systems virtualize the current session BUT also the data that it contains.

The problem is if the browser keeps the passwords in the clear; if the passwords are encrypted via a password manager, the security is obviously greater.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
I really wonder if whitepapers like the one from Sophos will serve as an eye opener for other security programs to drive full implementation of anti-exploit modules.

The problem here is the priority of AV developers and how effective the implementation is instead.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I really wonder if whitepapers like the one from Sophos will serve as an eye opener for other security programs to drive full implementation of anti-exploit modules.

The problem here is the priority of AV developers and how effective the implementation is instead.
There is an almost insurmountable problem of compatibility issues. If the big AV companies start implementing the kind of exploit mitigations that HMPA uses, they will be totally swamped in complaints from users about things that don't work, both software and hardware.
 