Robbie

Level 29
Verified
Content Creator
Malware Tester
"You are wrong."

"Windows 7 is the best OS ever! No bloatware. No security updates. No problems."

/s


Source: Windows user's mindset.
I have heard this so many times... Even on "IT professionals' forums/groups", disabling updates and calling on others to do it, because according to them updates always ruin your system and make it slower. And here I was, thinking patches are meant to fix things, stupid Robo.
 

Andy Ful

Level 51
Verified
Trusted
Content Creator
...
If you are concerned about exploits of MS Office applications, and this is a very valid concern, EMET is probably effective on Windows 7, although the "anti-document exploit" feature of Hard_Configurator might be even better. Maybe @Andy Ful has something to say about it.
Windows 7 OS and applications are coded in C, C++, and C#; they are by design vulnerable to memory exploits, and there does not exist an application that could prevent this.
Using SUA can mitigate about 80% of OS exploits. Updating Windows and applications is also very important.
HitmanPro Alert or EMET can be used to mitigate memory exploits in applications. Restricting MS Office and Adobe Acrobat Reader (or even better, not using both) can prevent most exploits introduced via weaponized documents.
SRP and anti-exe can be used to prevent running some exploits and block execution of payloads (post-exploitation protection). But this will also require blocking LOLBins.
Restricting scripts can be beneficial for preventing exploits (exploit kits) introduced by scripts.
Generally restricting/hardening Windows (disabling SMB, remote features, unused services, etc.) or using isolation/virtualization can prevent or mitigate many exploits too.
 
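The layers Andy Ful lists above (per-application exploit mitigation, restricting Office/Reader and scripts, disabling SMB and remote features) can be applied with built-in tooling on a supported Windows. The script below is an added example and is not from the thread or from any of the tools it names. It assumes Windows 10 version 1709 or later (Exploit Protection and Defender ASR rules do not exist on Windows 7, where EMET is the equivalent), Microsoft Defender as the active antivirus for the ASR step, and an elevated PowerShell session; the executable names and the choice of mitigations are the author's own assumptions, to be adjusted to what is actually installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original thread. Assumes Windows 10 1709+,
# Microsoft Defender as the active AV (for the ASR rules) and an elevated shell.
# Executable names are assumptions for Office and Acrobat Reader; adjust them.

# --- Layer 1: per-process exploit mitigations (the EMET / Exploit Protection layer) ---
# Hardens the document handlers against memory-corruption exploits. The
# EAF/IAF/ROP checks only take effect for 32-bit processes.
$documentApps = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'AcroRd32.exe')
$mitigations = @(
    'DEP', 'SEHOP', 'BottomUp', 'HighEntropy', 'ForceRelocateImages',
    'EnableExportAddressFilterPlus', 'EnableImportAddressFilter',
    'EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec'
)
foreach ($app in $documentApps) {
    Set-ProcessMitigation -Name $app -Enable $mitigations
}

# --- Layer 2: post-exploitation blocking for documents and scripts ---
# Defender ASR rules that stop the usual payload stages (child processes,
# dropped executables, script-launched downloads) without touching memory.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($id in $asrRules.Keys) {
    # Add-MpPreference is additive, so rules already configured are kept.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# --- Layer 3: reduce the OS attack surface (SMBv1, remote features) ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
# Deny inbound Remote Desktop connections and disable the Remote Registry service.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 1
Set-Service -Name 'RemoteRegistry' -StartupType Disabled
Stop-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue

# --- Verify what is actually in force ---
Get-ProcessMitigation -Name 'winword.exe'          # Enabled / Disabled / NOTSET per mitigation
(Get-MpPreference).AttackSurfaceReductionRules_Ids # the rule GUIDs now configured
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

The three blocks map onto the distinction made later in the thread: the first is true in-memory exploit protection, the second and third only interrupt what happens after a successful exploit. Run the verification lines again after a reboot, since some of the settings (notably the SMBv1 feature removal) only become final then.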

DDE_Server

Level 11
Verified
Regular Acrobat Reader and Foxit Reader are supported; not sure whether the paid version is?
You can ask the dev or add them yourself in the pro version.
Unfortunately I do not have the Pro version; also (I have bought a cheap licence for Foxit Phantom Standard) I cannot afford the upgrade fees, so I want to know if I can protect it from exploitation, as it will not receive any major updates, which of course include security updates.
 

Gandalf_The_Grey

Level 24
Verified
Unfortunately I do not have the Pro version; also (I have bought a cheap licence for Foxit Phantom Standard) I cannot afford the upgrade fees, so I want to know if I can protect it from exploitation, as it will not receive any major updates, which of course include security updates.
I don't know, because I don't use those 2 programs.
Just ask Dan the developer by mail: support at voodooshield.com
It could be that they are already supported or that he will add them. :unsure:
Doesn't hurt to ask...
 

Umbra

Level 21
Verified
The real definition of "exploits" is in-memory attacks, which can only be circumvented by tools like HMPA, MBAE, EMET/Windows Exploit Protection (those are true anti-exploit) or apps with some memory containment.
The worst kind, kernel exploits, can only be prevented via OS patching.
What all of you are saying when talking about exploits is a misnomer, and is in fact POST-exploitation (use of LOLBins, scripts, etc...).

But it is more exciting marketing-wise to use the term "anti-exploit" than "anti-post-exploitation". After all, average users won't tell the difference and just buy.
 

DDE_Server

Level 11
Verified
The real definition of "exploits" is in-memory attacks, which can only be circumvented by tools like HMPA, MBAE, Windows Exploit Guard or apps with some memory containment.
The worst kind, kernel exploits, can only be prevented via OS patching.
What all of you are saying when talking about exploits is a misnomer, and is in fact POST-exploitation (use of LOLBins, scripts, etc...).

But it is more exciting marketing-wise to use the term "anti-exploit" than "anti-post-exploitation". After all, average users won't tell the difference and just buy.
So blocking those types of script execution via OSArmor may be a proactive defense against this type of memory-related attack, or do we need some dedicated programs such as MBAE or HMPA??
 

Umbra

Level 21
Verified
So blocking those types of script execution via OSArmor may be a proactive defense against this type of memory-related attack, or do we need some dedicated programs such as MBAE or HMPA??
Everything acting in-memory needs in-memory protection, as I mentioned above (if not, we wouldn't need HMPA and co.). There is no other way.
However, if the exploit is using LOLBins/LOLscripts to do other malicious actions, then yes, anti-exe like OSArmor may interrupt the attack chain, but your system is still already breached.

Note: some security suites (especially corporate ones like SEP, etc...) usually offer some kind of Exploit Protection on top of their post-exploit prevention system.
 

oldschool

Level 41
Verified
So blocking those types of script execution via OSArmor may be a proactive defense against this type of memory-related attack, or do we need some dedicated programs such as MBAE or HMPA??
Your best free anti-exploit option is MBAE.

I would also email Dan at VS and ask him about joining the forum and using beta (for its anti-exe protection).

Those two work well together on older hardware.
 

DDE_Server

Level 11
Verified
Everything acting in-memory needs in-memory protection, as I mentioned above (if not, we wouldn't need HMPA and co.). There is no other way.
However, if the exploit is using LOLBins/LOLscripts to do other malicious actions, then yes, anti-exe like OSArmor may interrupt the attack chain, but your system is still already breached.

Note: some security suites (especially corporate ones like SEP, etc...) usually offer some kind of Exploit Protection on top of their post-exploit prevention system.
Does EAM offer such protection :unsure: :unsure: ??
 

Umbra

Level 21
Verified
Does EAM offer such protection :unsure: :unsure: ??
EAM is an AV, not an anti-exploit; however, it has a behavior blocker which is able to monitor attack vectors and block post-exploitation.

I have to say that the chance for a home user to come across a memory exploit is slim.
Even for me, all the exploit alerts I got from HMPA were false positives due to other security software doing DLL injections.

So if you are on Windows 10, using a decent AV that has a default-deny component, you should be good. Of course, don't engage in risky behaviors.