• Unlock forum

    Guest, you need to be a "Verified" member to post a new thread or reply in this forum.

Atlas147

Level 30
Verified
Trusted
Content Creator
Honestly it's quite hard to test anti exploit for every programme, thats why the vendor normally provides a safe test to see if the protection is working, as you know HMP has one, and I know that malwarebytes has a programme to test their anti exploit too. Maybe you can try that?
 

qftest

Level 1
Honestly it's quite hard to test anti exploit for every programme, thats why the vendor normally provides a safe test to see if the protection is working, as you know HMP has one, and I know that malwarebytes has a programme to test their anti exploit too. Maybe you can try that?
I can't find a Malwarebytes test tool.
Maybe should use a special web page test?
 
VoodooShield antiexploit feature does not stop exploits in memory. It only blocks the exploit from dropping any binary payload by not allowing applications on the "Web Apps List" to spawn child processes. If I remember correctly this feature also prevents executables in the user-space from dropping payloads into Program Files Folders. The feature is only a policy based restriction mitigation being used with whitelisting. Blocking exploits in memory can lead to incompatibility with other products, and it takes a lot of development hours to maintain this type of feature.

I have a .jar file that drops a hidden payload into Program Files, and then executes. The payload is harmless, but it can drop any payload into Program Files Folders. It can drop crypto-malware, trojans, etc. It may be able to drop payloads into System space also, but i'm not sure. If the user clicks on the .jar file it does the rest on it's own. .Jar files are archives, and portable java applications. The .jar file I have bypassed most AE solutions at the time because they did not monitor the command lines of javaw.exe. It bypasses AppGuard with default settings. If you Guard javaw.exe then AG will block the payload from writing to Program Files Folders because Guarded applications are not permitted to write to Program Files Folders, or System Space. Voodoo Shield anti-exploit feature is suppose to block threats like these. There is a lot more that could be done with this feature.

Edited 11/23 @ 9:14
 
Last edited:

qftest

Level 1
VoodooShield antiexploit feature does not stop exploits in memory. It only blocks the exploit from dropping any binary payload by not allowing applications on the "Web Apps List" to spawn child processes. If I remember correctly this feature also prevents executables in the user-space from dropping payloads into Program Files Folders. The feature is only a policy based restriction mitigation being used with whitelisting. Blocking exploits in memory can lead to incompatibility with other products, and it takes a lot of development hours to maintain this type of feature.

I have a .jar file that drops a hidden payload into Program Files, and then executes. The payload is harmless, but it can drop any payload into Program Files Folders. It can drop crypto-malware, trojans, etc. It may be able to drop payloads into System space also, but i'm not sure. If the user clicks on the .jar file it does the rest on it's own. .Jar files are archives, and portable java applications. The .jar file I have bypassed most AE solutions at the time because they did not monitor the command lines of javaw.exe. It bypasses AppGuard with default settings. If you Guard javaw.exe then AG will block the payload from writing to Program Files Folders because Guarded applications are not permitted to write to Program Files Folders, or System Space. Voodoo Shield anti-exploit feature is suppose to block threats like these. There is a lot more that could be done with this feature.

Edited 11/23 @ 9:14
It sounds like the previous ANI virus.
No testing tools, I went to the page to test.
Results VS / HMPA no response, no interceptions.
I do not know why.
Code:
http:##//player.vodjk.com/player.swf?my_url=http://ek.vodjk.com/a/18001.shtml&my_pic=&a=18001&i=;
 
Last edited by a moderator:

Solarquest

Moderator
Verified
Staff member
Malware Hunter
JFI; on VT
Code:
http://ek.vodjk.com/a/18001.shtml&my_pic=&a=18001&i=;
= 0/66
upload_2015-11-24_0-7-44.png
upload_2015-11-24_0-7-44.png
 
Last edited by a moderator:
HMPA, and MBAE will not detect an exploit unless the application is vulnerable to being exploited. If the application on your machine has been patched then the exploit will not be able to run, and therefore there is nothing for HMPA, or MBAE to detect. What application on your machine does the exploit target? I can't read hànzì, or kanji. Are you sure the application has not been patched with an update?
 

qftest

Level 1
HMPA, and MBAE will not detect an exploit unless the application is vulnerable to being exploited. If the application on your machine has been patched then the exploit will not be able to run, and therefore there is nothing for HMPA, or MBAE to detect. What application on your machine does the exploit target? I can't read hànzì, or kanji. Are you sure the application has not been patched with an update?
oh i see.
Thank you for your reply.
hehe,"hànzì" is correct,"kanji" is an error.