Why Google with F-Secure Search?

Senior Advisor

Re: Why Google with F-Secure Search?

Malwarebytes Anti-Exploit has "regressed" to an alpha candidate because the code "has been completely re-architected and (now) works as a Windows Service"; https://forums.malwarebytes.org/index.php?showtopic=141741

 

An alternative anti-exploit product, which I have been running for a few months now, is SurfRight's HitmanPro.Alert, as it has CryptoGuard protection; http://www.surfright.nl/en/alert/cryptoguard

 

But a new version 3 will be released in beta form in a week's time. 

 

 

"Safe browsing (Intruder scan), CryptoGuard, Keystroke encryption, Webcam notifier, Hollow Process blocker and Vaccination against vm-aware malware are all in the free version. These are all signature-less features and ensure that you are alerted in case of banking trojans, crypto-ransomware (like Cryptolocker), Remote Access Trojan (RAT) or other malware on your system". But the exploit protection will require a paid license.

 

http://www.surfright.nl/en/home/press/surfright-announces-alert-3

 

http://dl.surfright.nl/Alert-3/HitmanPro-Alert-3-Datasheet.pdf

 

http://blog.check-and-secure.com/hitmanpro-alert-cyber-vaccine-volume-3-announced/

 

Looks promising.

 

Advocate

Re: Why Google with F-Secure Search?

Indeed it looks promising, thanks for the information @Blackcat 

The comparison is impressive:

 

[image: exploitComparison.png]

Senior Advisor

Re: Why Google with F-Secure Search?

Should be released in the next couple of days.

Advocate

Re: Why Google with F-Secure Search?

Blackcat, do you know if it's compatible with EMET, or if it's best used without it?

 

Regarding EMET, a report was released a few days ago saying "we found ways to bypass all of the protections in EMET". A good thing is that EMET 5.0 will be improved because of this. A bad thing is that it still might be possible to bypass EMET protection for determined attackers. EMET 5.0 Beta was released on 25 Feb.

http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/

 

From the Conclusions section in the report PDF:

However, as was seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted. Thus, EMET is good for the price (free), but it can be bypassed by determined attackers. Microsoft freely admits that it is not a perfect protection, and comments from Microsoft speakers at conference talks admit that as well. The objective of EMET is not perfection, but to raise the cost of exploitation. So the question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation? The answer to that is likely dependent upon the value of the data being protected. For organizations with data of significant value, we submit that EMET does not sufficiently stop customized exploits.

Senior Advisor

Re: Why Google with F-Secure Search?

Hi NikK

 

Yes, it is fully compatible with EMET ;)

 

And all recommendations from Bromium's paper are already in Alert 3, including deep-hooks-only (NtProtectVirtualMemory) and full 64-bit ROP detection. 

 

The "currently known" and "most exploits" limitations of EMET are history when using Alert 3.0.

 

EMET 5.0 here; http://www.youtube.com/watch?v=lP9Vtg1FvEQ

 

Overall, at this stage Hitman Pro Alert 3 seems a much easier and better bet of the two. Roll on the gold version.

Advocate

Re: Why Google with F-Secure Search?

Great, thanks!

 

Yes, but in that case why not use both was my thought. EMET also has website certificate protection, for IE that is.

I'll follow the development for Alert on WildersSecurity (which I assume you already do ;-)

A summary of the most interesting facts in my eyes:

 

  • Safe browsing (Intruder scan), CryptoGuard, Keystroke encryption, Webcam notifier, Hollow Process blocker and Vaccination against vm-aware malware are all free. These are all signature-less features and ensure that you are alerted in case of banking trojans, crypto-ransomware (like Cryptolocker), Remote Access Trojan (RAT) or other malware on your system. These features are free and remain free.
  • Only the exploit mitigation feature requires a license. If you already have a HitmanPro license, then you get exploit mitigation for free. Alert and HitmanPro use the same license.
  • Full compatibility with both EMET and MBAE. Alert can get mitigation profiles from the cloud for optimal configuration and compatibility.
  • If you use Sandboxie you have to add \Device\NamedPipe\hmpalert to Full Access