Advice Request Heimdal Pro with HMP.A

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

advanced_skill

Level 3
Thread author
Verified
Nov 11, 2014
114
Is running Heimdal Pro with HMP.A (and MBAM) overkill?
I haven't researched much about Heimdal, but I'm guessing HMP.A has some of the same features.
 

Welldone

Level 5
Verified
Dec 29, 2012
235
We do not endorse the use of multiple security solutions as it potentially impedes the ability of these solutions to detect exploits, or adversely affects the capabilities of other installed security products. This is one of the reasons why we created our Exploit Test Tool, to determine if all detection features still work when e.g. HMPA, MBAE or EMET is installed in the presence of another security solution.

Obviously, we currently have no plans to downgrade our solution or remove a major feature. HMPA already offers the ability to disable individual modules or even exclude a particular process or program.

I would also like to mention that from the hundreds of thousands of systems that HMPA is currently protecting, the vast majority of protection events were made thanks to our Exploit Mitigation technologies. Not Safe Browsing, not CryptoGuard. When one of the Exploit Mitigations is triggered, e.g. crypto-ransomware is not even delivered - in most of today's ransomware attacks, Exploit Mitigations cut the ground away for CryptoGuard, which is a good thing.

When HMPA detects an attack (e.g. a Stack Pivot) it also means that these third-party security services have failed:

  1. Network-based Web Filter (URL)
  2. Network-based Web Filter (Content Scanning)
  3. Host-based Antivirus Software (URL)
  4. Host-based Browser Filter (URL)
  5. Host-based Antivirus Software (Content Scanning)

And in case of a spam or spear-phishing e-mail with a malicious attachment (e.g. a weaponised Word document with macro that downloads the payload from the web), HMPA had to step in because even more security services failed:
  1. Network-based Spam Filter (Content Scanning)
  2. Host-based Email Client Junk Mail Filter (Content Scanning)
  3. Network-based Web Filter (URL)
  4. Network-based Web Filter (Content Scanning)
  5. Host-based Antivirus Software (URL)
  6. Host-based Browser Web Filter (URL)
  7. Host-based Antivirus Software (Content Scanning)

Remember that attackers have infinite possibilities to hide their attacks (e.g. on trusted services) and obfuscate their malware to bypass Web Filters and Antivirus Software. This is evidenced by the many victims that the hundreds of thousands of new malware samples make every day. But did you know that attackers must always use the exact same techniques to deliver their malware? And that there are only two dozen of them and only (maybe) 1 new technique (like the recent Wow64 exploit) is discovered every year?

These core techniques are mandatory and attackers must and will use these techniques to exploit any known and future vulnerability, yes even the vulnerabilities that do not exist or haven't been discovered yet! The core techniques to exploit a vulnerability are called e.g. Stack Pivot, Return-Oriented Programming (ROP) and Heap Spray, but could also be a logic-flaw technique like a VBA script. And especially in case of a memory corruption vulnerability, two, three or more techniques must be used in sequence in order for the attack to be successful and deliver malware.

When a security application, like HMPA, is capable of detecting and blocking the core techniques, attacks are successfully stopped, even if you are singled-out in a spear-phishing attack, are served a unique URL, script, or are attacked with targeted plain or obfuscated malware.

Since these core techniques are essential for any exploit-based attacker, HMPA seriously raises the bar as attackers can no longer employ any of these techniques. Of course, there is also a big difference in how anti-exploit solutions detect these techniques and, hands down, our HMPA has by far the most comprehensive technique prevention. In order to bypass HMPA, attackers basically have to be insanely good and come up with a completely new attack method that doesn't use ANY of the known core techniques!

I would like to mention that the exploit prevention features in AV solutions are not nearly of the same quality or level as EMET or MBAE, let alone HMPA's. Current exploit prevention in AV does not revolve around exploit technique prevention at all (although I have seen some AVs that do detect a straightforward Stack Pivot, ROP or buffer overflow). This is also one of the reasons why we created the Exploit Test Tool, to illustrate that AV is hardly capable in this field. You can check it yourself.

So don't dismiss Exploit Mitigations so fast. It's the rain on every remote attacker's parade.

(Note that network-oriented security solutions, like Web Filter / UTM appliances, are losing visibility now that the web goes more and more to HTTPS/SPDY. To inspect secure communication, network appliances have to break the secure link. But in the presence of certificate pinning on the endpoint, network-oriented appliances are becoming more and more useless even though big companies and even governments are currently endorsing them. Remember that from an attacker's perspective, the endpoint was always and still is the target; a user's PC or a server that holds the documents. The endpoint is where it all happens and where data is decrypted, readable for the end user and for attackers to potentially access).

Anyway, hope this helps.

Source: HitmanPro.ALERT Support and Discussion Thread | Page 313 | Wilders Security Forums
 
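The quoted post names Stack Pivot, Return-Oriented Programming and Heap Spray as the core techniques an exploit-mitigation product has to recognise, independently of which payload or URL is used. As an added example that is not part of the original post and is not HitmanPro.ALERT's, MBAE's, EMET's or Heimdal's code, the C program below sketches the simplest form of each of those three checks and runs them on constructed inputs. The `thread_stack_t` record, the byte-offset code buffer, the 0.9 / 0.5 spray thresholds and the limited CALL-encoding table are assumptions made for illustration: a real product reads the stack bounds from the TEB or pthread attributes, runs the checks from hooks on sensitive APIs (VirtualProtect, CreateProcess, ...) and decodes the preceding instruction far more carefully.

```c
/* Added example (not from the page or any product it names): minimal
 * Stack Pivot, ROP caller-check and Heap Spray heuristics on constructed
 * inputs. All thresholds and data structures are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-thread record: the stack range the OS assigned. */
typedef struct {
    uintptr_t stack_lo;   /* lowest valid stack address, inclusive */
    uintptr_t stack_hi;   /* one past the highest valid stack address */
} thread_stack_t;

/* Stack Pivot: on entry to a hooked sensitive API the stack pointer must
 * still lie inside the thread's own stack. An exploit that moved esp/rsp
 * into a heap buffer to drive a ROP chain fails this test. */
bool stack_pivot_detected(const thread_stack_t *t, uintptr_t sp)
{
    return sp < t->stack_lo || sp >= t->stack_hi;
}

/* ROP "caller" check: a genuine return address is the byte right after a
 * CALL, whereas gadgets are entered through RET. Recognises E8 rel32
 * (5 bytes) and FF /2 (ModRM.reg == 2, 2..7 bytes). 'code' holds text
 * bytes, 'ret_off' is the return address as an offset into it. Backward
 * decoding is ambiguous, so this is a filter, not proof. */
bool call_preceded(const uint8_t *code, size_t code_len, size_t ret_off)
{
    if (ret_off > code_len) return false;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return true;  /* call rel32 */
    static const size_t lens[] = {2, 3, 6, 7};              /* FF /2 forms */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        if (ret_off < lens[i]) continue;
        const uint8_t *p = code + ret_off - lens[i];
        if (p[0] == 0xFF && ((p[1] >> 3) & 7) == 2) return true;
    }
    return false;
}

/* Heap Spray: a region dominated by one repeated 32-bit word (0x0C0C0C0C,
 * 0x0D0D0D0D, 0x90909090 NOP sleds, ...) is characteristic of a spray.
 * Returns the fraction of 4-byte words equal to the majority-vote
 * candidate; exact when a word fills more than half the region, and
 * below 0.5 otherwise, which is all a threshold needs. */
double spray_ratio(const uint8_t *mem, size_t len, uint32_t *top_word)
{
    size_t words = len / 4, votes = 0, count = 0;
    uint32_t cand = 0, w;
    if (words == 0) return 0.0;
    for (size_t i = 0; i < words; i++) {            /* Boyer-Moore majority */
        memcpy(&w, mem + 4 * i, 4);
        if (votes == 0) { cand = w; votes = 1; }
        else if (w == cand) votes++;
        else votes--;
    }
    for (size_t i = 0; i < words; i++) {            /* count the candidate */
        memcpy(&w, mem + 4 * i, 4);
        if (w == cand) count++;
    }
    if (top_word) *top_word = cand;
    return (double)count / (double)words;
}

/* Runs the three checks on constructed inputs; returns a bitmask of the
 * expected outcomes (0x3F == every check behaved as intended). */
unsigned run_demo(void)
{
    unsigned ok = 0;
    thread_stack_t t = { 0x7ffc0000u, 0x7ffd0000u };       /* constructed range */
    if (!stack_pivot_detected(&t, 0x7ffc8000u)) ok |= 1u << 0;  /* sp on stack */
    if ( stack_pivot_detected(&t, 0x00a01000u)) ok |= 1u << 1;  /* sp on heap  */

    /* constructed text: nop; call +0x10; mov rbx,rax; pop rdi; ret */
    static const uint8_t code[] = { 0x90, 0xE8, 0x10, 0x00, 0x00, 0x00,
                                    0x48, 0x89, 0xC3, 0x5F, 0xC3 };
    if ( call_preceded(code, sizeof code, 6)) ok |= 1u << 2;  /* after the call   */
    if (!call_preceded(code, sizeof code, 9)) ok |= 1u << 3;  /* pop rdi; ret gadget */

    uint8_t sprayed[4096], noise[4096];
    memset(sprayed, 0x0C, sizeof sprayed);         /* classic 0x0C0C0C0C spray */
    memcpy(sprayed, "hello", 5);                   /* a little non-spray data  */
    uint32_t x = 0x12345678u;                      /* LCG pseudo-random noise  */
    for (size_t i = 0; i < sizeof noise; i++) {
        x = x * 1664525u + 1013904223u;
        noise[i] = (uint8_t)(x >> 24);
    }
    uint32_t top;
    if (spray_ratio(sprayed, sizeof sprayed, &top) > 0.9 && top == 0x0C0C0C0Cu) ok |= 1u << 4;
    if (spray_ratio(noise, sizeof noise, NULL) < 0.5) ok |= 1u << 5;
    return ok;
}

int main(void)
{
    unsigned ok = run_demo();
    printf("checks passed: 0x%02X (expect 0x3F)\n", ok);
    return ok == 0x3Fu ? 0 : 1;
}
```

The point of the sketch is the one the post makes: none of the three checks looks at the payload, the URL or a signature, only at whether the control flow and memory layout at the moment a sensitive API is reached still look like a legitimate program. That is also why they are only filters: a caller check that accepts `FF D0` as a CALL will also accept a gadget that happens to be preceded by those bytes, which is why shipping products disassemble backwards from several starting points and combine the checks rather than trusting any single one.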