OSA/VS/AG/SAP differences
<blockquote data-quote="ForgottenSeer 823865" data-source="post: 838139"><p>There is still confusion about "anti post-exploit" features and "anti-exploits".</p><p></p><p><strong>Anti Post-Exploit</strong>:</p><p>All those anti-exe, SRP, HIPS, etc... Those don't block the exploit itself; they have nothing to protect the memory space (they don't use SEHOP, etc...), they just prevent LOLbins from being used by the exploit to do further damage. Example: blocking rundll32.exe being used by an exploited Lsass.exe to open a reverse connection.</p><p>If you believe that anti-exes, which all lack any kind of memory mitigation, will prevent an exploit, you are ready for a big disappointment if an exploit hits you. Their marketing staff will say "if we block the process from executing nasty stuff, then we prevent the exploitation of the system", uh no... If you have a bullet (exploit) in the chest (system), putting a bandage (anti-exe) to stop the bleeding (abused LOLbins) doesn't nullify the injury (exploited system); the bullet is still there, you are still in critical condition.</p><p>Remove the bandage, you will bleed again.</p><p></p><p><strong>Anti-exploit</strong>:</p><p>MBAE, HMPA, EMET/Exploit Guard. Those are real anti-exploits. Look at their settings, they all have dozens of options with weird names (SEHOP, ASLR, bottom-up ASLR, etc...); those are memory mitigations. Those will prevent the exploit.</p></blockquote><p></p>
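As an added illustration (not part of the quoted post), here is a PowerShell check of the memory mitigations the post names (DEP, ASLR, bottom-up ASLR, SEHOP) as Exploit Guard exposes them through the ProcessMitigations module that ships with Windows 10 1709 and later. The output property names used below (Dep.Enable, Aslr.BottomUp, Aslr.HighEntropy, Aslr.ForceRelocateImages, SEHOP.Enable) are assumed from that module's Get-ProcessMitigation object; run it from an elevated prompt.

```powershell
# Added example: audit the memory mitigations a real anti-exploit layer enforces,
# as opposed to application-control rules that only block LOLbins after the fact.
# Requires Windows 10 1709+ (ProcessMitigations module / Exploit Guard), elevated.

function Get-MemoryMitigationReport {
    param(
        # Optional image name (e.g. 'lsass.exe'); omitted = system-wide defaults
        [string]$ProcessName
    )
    $m = if ($ProcessName) { Get-ProcessMitigation -Name $ProcessName } else { Get-ProcessMitigation -System }
    # Property names follow Get-ProcessMitigation's output object (assumption, see lead-in)
    [pscustomobject]@{
        Scope              = if ($ProcessName) { $ProcessName } else { 'System' }
        DEP                = $m.Dep.Enable
        ASLR_BottomUp      = $m.Aslr.BottomUp
        ASLR_HighEntropy   = $m.Aslr.HighEntropy
        ASLR_ForceRelocate = $m.Aslr.ForceRelocateImages
        SEHOP              = $m.SEHOP.Enable
    }
}

# Flag every mitigation that is not explicitly ON. NOTSET means the OS default
# applies, which should be confirmed rather than assumed.
function Test-MemoryMitigations {
    param([string]$ProcessName)
    $r = Get-MemoryMitigationReport -ProcessName $ProcessName
    $weak = $r.PSObject.Properties |
        Where-Object { $_.Name -ne 'Scope' -and "$($_.Value)" -ne 'ON' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }
    if ($weak) {
        Write-Warning ("[{0}] not enforced: {1}" -f $r.Scope, ($weak -join ', '))
        # Remediation hint (system-wide):
        #   Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp,HighEntropy
    } else {
        Write-Host ("[{0}] DEP/ASLR/SEHOP all ON" -f $r.Scope)
    }
    return $r
}

Test-MemoryMitigations                          # system-wide defaults
Test-MemoryMitigations -ProcessName 'lsass.exe' # per-image policy, if one exists
```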