What is your experience of using Intrusion Detection and Anti Exploit software?

Forum for anything else which doesn't fit in the above forums. Site feedback, random talk, whatever, are welcome.
Post Reply
Zephyr
Posts: 136
Joined: Sun Nov 22, 2015 4:53 pm
Location: London

What is your experience of using Intrusion Detection and Anti Exploit software?

Post by Zephyr » Sat Jun 26, 2021 5:25 am

According to Wikipedia "An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations."

Intrusion detection is divided into host intrusion detection systems (HIDS) and network intrusion systems (NIDS). According to Wikipedia "A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate" A well known open source HIDS is OSSEC. According to Wikipedia "Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks." A well known open source NIDS is Snort.

If anyone has tried systems like OSSEC and Snort I would like them to share their experiences with us. I must say I am skeptical of the effectiveness of OSSEC in protecting against modern intrusion techniques.

I am currently using applications that detect and prevent malicious activity before alterations to the system can be made, which includes exploits like rootkit installation, injection, impersonation and hijacking. I suppose these applications could be labelled as Host Intrusion Prevention Systems (HIPS). I am using the Comodo Firewalls Leak Testing Suite released in 2008 to evaluate them. If anyone knows of a more up to date security testing suite I would like to know about it. Here is a list of all the tests done by the Comodo Leak Test:

1. RootkitInstallation: MissingDriverLoad
2. RootkitInstallation: LoadAndCallImage
3. RootkitInstallation: DriverSupersede
4. RootkitInstallation: ChangeDrvPath
5. Invasion: Runner
6. Invasion: RawDisk
7. Invasion: PhysicalMemory
8. Invasion: FileDrop
9. Invasion: DebugControl
10. Injection: SetWinEventHook
11. Injection: SetWindowsHookEx
12. Injection: SetThreadContext
13. Injection: Services
14. Injection: ProcessInject
15. Injection: KnownDlls
16. Injection: DupHandles
17. Injection: CreateRemoteThread
18. Injection: APC dll injection
19. Injection: AdvancedProcessTermination
20. InfoSend: ICMP Test
21. InfoSend: DNS Test
22. Impersonation: OLE automation
23. Impersonation: ExplorerAsParent
24. Impersonation: DDE
25. Impersonation: Coat
26. Impersonation: BITS
27. Hijacking: WinlogonNotify
28. Hijacking: Userinit
29. Hijacking: UIHost
30. Hijacking: SupersedeServiceDll
31. Hijacking: StartupPrograms
32. Hijacking: ChangeDebuggerPath
33. Hijacking: AppinitDlls
34. Hijacking: ActiveDesktop

Here is list of some well known HIPS applications that I have tested with the scores they achieved when tested with the Comodo Leak Test:

Malware Defender v2.8.................330/340 (97%)
EQ Secure v3.41.........................290/340 (85%)
Pro Security v1.43.......................250/340 (73%)
System Safety Monitor 2.4.0.622....250/340 (73%)
Eset NOD32 Antivirus 8.0.319.0......210/340 (62%)
Threatfire 4.11.2.22.....................190/340 (56%)
EQ Secure 4.2.............................160/340 (47%)
Threatfire 4.7.0.53.......................150/340 (44%)
Private Firewall 7.0.......................60/340 (18%)
EMET 4.1....................................30/340 (9%)
MBAE beta 1.13.1.316...................30/340 (9%)

Malware Defender

Clearly Malware Defender is the king of HIPS, so although modern firewalls and AV are supposed to include a HIPS module, I always install Malware Defender and disable the built-in HIPS of my AV. Here is a list of the Malware Defender rules:

Application Rules
Create new processes
Access memory of other processes
Control other processes and threads
Send message to other processes.
Duplicate handle from/to other processes
Load kernel drivers
Access kernel memory/objects
Access physical memory
Write physical disk
Read physical disk
Access keyboard in low level
Access registry in low level
Install message/event hooks
Set system time
Shutdown Windows
Access Service Control Manager
Load dynamic link libraries
Access COM interfaces

File Rules
Read permission
Write permission
Create permission
Delete permission

Network Rules
Direction (inbound/outbound)
Protocol (TCP/UDP/Raw IP)
Remote port (any/single/range)
Remote address (any/single/range/mask)
Local port (any/single/range)

Registry Rules
Select registry key, value or group
Permissions (ask/permit/deny/deny and kill process)

Eset NOD32 Antivirus

File operations
•Delete file
•Write to file
•Direct access to disk
•Install global hook
•Load driver

Application operations
•Debug another application
•Intercept events from another application
•Terminate/suspend another application
•Start new application
•Modify state of another application

Registry operations
•Modify startup settings
•Delete from registry – Deleting a registry key or its value.
•Rename registry key – Renaming registry keys.
•Modify registry

Malwarebytes Anti Exploit Beta

I am also using the last version of Malwarebytes Anti Exploit Beta for XP which is 1.13.1.345 and you can obtain it here. Although it gives a low score on the Comodo Leak Test it does provide protection from some of the latest exploits used by ransomware for instance. Here is a list of it's advanced settings:

Application Hardening
* DEP Enforcememt
* Anti-HeapSpraying Enforcement
* Dynamic Anti-HeapSpraying Enforcement
* BottomUp ASLR Enforcement
* Prevent loading of VB Script Library
* Detection of Anti-Exploit fingerprinting attempts

Advanced Memory Protection
* Maliceous Return Address detection
* DEP Bypass Protection
* Memory Patch Hijacking Protection
* Stack Pivoting Protection
* CALL ROP Gadget detection (32bit)
* RET ROP Gadget detection (32bit)
* CALL ROP Gadget detection (64bit)
* RET ROP Gadget detection (64bit)

Application Behaviour Protection
* Maliceous LoadLibrary Protection
* Protection for Internet Explorer VB Scripting
* Protection for MessageBox Payload
* Protection for Office WMI abuse
* Protection for Office VBA7 abuse

Java Protection
* Prevent Web-Based Java Command Line
* Java Maliceous Inbound Shell Protection
* Java Maliceous Outbound Shell Protection
* Java Metasploit Meterpreter Generic Protection
* Java Metasploit Meterpreter Command Execution Protection
* Allow insecure Java Operations in Internal IP Ranges

Microsoft Enhanced Mitigation Experience Toolkit (EMET)

According to Microsoft "The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent attackers from gaining access to computer systems. EMET anticipates the most common attack techniques attackers might use to exploit vulnerabilities in computer systems, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. "

Here is a list of the vulnerabilities that it is designed to address:

CVE-2004-0210 Windows
CVE-2006-2492 Office
CVE-2006-3590 Office
CVE-2007-5659 Adobe Reader, Adobe Acrobat
CVE-2008-4841 Office
CVE-2009-0927 Adobe Reader, Adobe Acrobat
CVE-2009-4324 Adobe Reader, Adobe Acrobat
CVE-2010-0188 Adobe Reader, Adobe Acrobat
CVE-2010-0806 Internet Explorer
CVE-2010-1297 Adobe Flash Player, Adobe AIR, Adobe Reader, Adobe Acrobat
CVE-2010-2572 Office
CVE-2010-2883 Adobe Reader, Adobe Acrobat
CVE-2010-3333 Office
CVE-2010-3654 Adobe Flash Player
CVE-2011-0097 Office
CVE-2011-0101 Office
CVE-2011-0611 Adobe Flash Player, Adobe AIR, Adobe Reader, Adobe Acrobat
CVE-2011-1269 Office
CVE-2012-0158 Office, SQL Server, Commerce Server, Visual FoxPro, Visual Basic
CVE-2012-0779 Adobe Flash Player
CVE-2013-0640 Adobe Reader, Adobe Acrobat
CVE-2013-1331 Office
CVE-2013-1347 Internet Explorer
CVE-2013-3893 Internet Explorer
CVE-2013-3897 Internet Explorer
CVE-2013-3906 Windows, Office
CVE-2013-3918 Windows
CVE-2013-5065 Windows
CVE-2013-5330 Adobe Flash Player, Adobe AIR
CVE-2014-0322 Internet Explorer
CVE-2014-0497 Adobe Flash Player
CVE-2014-1761 Office, SharePoint
CVE-2014-1776 Internet Explorer
CVE-2015-0313 Adobe Flash Player
CVE-2015-1815 Internet Explorer

I imagine that most of these vulnerabilities have been patched with security updates for the applications or system files affected, which makes EMET rather pointless, especially if you don't use the Adobe Reader, IE, Flash Player or Office. CVE-2006-2492, for instance, is a buffer overflow vulnerability that enables remote code execution in Word. This has been addressed in in Microsoft Security Bulletin MS06-027 and is resolved with the security updates KB917334, KB917345, KB917335, and KB917346.
Last edited by Zephyr on Thu Jul 15, 2021 4:41 am, edited 1 time in total.
XP FOREVER!

User avatar
bphlpt
Posts: 1388
Joined: Sat Apr 19, 2008 1:11 am

Re: What is your experience of using Intrusion Detection and Anti Exploit software?

Post by bphlpt » Sat Jun 26, 2021 9:49 am

Thanks for this info @Zephyr. I am also interested in anyone's experiences with OSSEC and Snort type of products.

I am also interested in anyone's opinion of the most effective set of Firewall and AV products to use today in 2021 with MS OS, specifically Win 7, but any MS OS really. From what you have said above, I would assume you would currently suggest some combination of Firewall, AV, Malware Defender, and Malwarebytes? I stress the term effective, meaning cost, if any, is reasonable, should be light weight since it's not much good if it drags your system down, current updates are readily available and easily installed, and the whole set works well together, is easy to set up, and is as unobtrusive as possible once it is set up.

I have been frustrated enough with past offerings that I have often just run with no AV at all and just been careful. Not the safest approach, I know.

For anyone making suggestions, please provide specific version of each software with current functional links for download and/or more info.

Cheers and Regards

Zephyr
Posts: 136
Joined: Sun Nov 22, 2015 4:53 pm
Location: London

Re: What is your experience of using Intrusion Detection and Anti Exploit software?

Post by Zephyr » Thu Jul 15, 2021 4:33 am

Another issue I an interested in is to what extent does the security features of the operating system provide protection from attempts to execute malicious code on a PC. Here is a paper Is Exploitation Over? Bypassing Memory Protections in Windows 7 that discusses mitigations like GS, SafeSEH, DEP, ASLR, SEHOP and their implementation in the different versions of Windows. As you can see each new version of Windows includes extra mitigation features until we get to Windows 10 which has a complete set of known mitigation features (but at what cost to performance?). Should we regard these OS level mitigation techniques as a second line of defense after vulnerabilities in applications have been exploited? Just how vulnerable are users of unsupported versions of Windows if they keep their application software up to date with the latest patches for known vulnerabilities?
XP FOREVER!

Post Reply