Jump to content

Antiexploit, how to test

novice

By novice
in ESET NOD32 Antivirus

 Share

Recommended Posts

novice

novice 20

Posted
Posted

Hi,

 

Under HIPS I selected "Enable exploit blocker" and I downloaded from MBAE a test utility  mbae-test.exe which would simulate a behavior typical to an exploit.

 

Here is the explanation:

"The attached mbae-test.exe utility was developed by Malwarebytes to simulate an exploit behavior in order to verify that MBAE is installed and working correctly. The utility only has two buttons labeled Normal and Exploit. The Normal button will open the Windows Calculator (calc.exe) using normal system calls which are typically used when users are trying to open the Calculator. The Exploit button will attempt to open the Windows Calculator using system calls which are typically used by exploits to launch their payloads (i.e. malware). Keep in mind that mbae-test.exe is NOT malicious. Even if you don't have MBAE install and click the "Exploit" button, the only thing that will happen is that the Windows Calculator will open. However if you have MBAE installed and running correctly, you will see an alert popup window from MBAE."

 

hxxps://forums.malwarebytes.org/index.php?/topic/139368-how-to-verify-that-mbae-is-working-correctly/

 

I did not get any reaction from Nod32.

 

Any idea?

Link to comment
Share on other sites
FleischmannTV

FleischmannTV 9

Posted
Posted (edited)

The tool from Malwarebytes doesn't exploit vulnerable applications which ESET's exploit blocker is watching. Hence there are no alerts. I suggest you try the Exploit Test Tool from Surfright. This tool allows you to choose the application which is exploited. From there you can select your browser or pdf reader. Then you should get alerts from ESET.

 

hxxp://www.surfright.nl/en/downloads/

Edited by FleischmannTV
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

The tool from Malwarebytes doesn't exploit vulnerable applications which ESET's exploit blocker is watching. Hence there are no alerts. I suggest you try the Exploit Test Tool from Surfright. This tool allows you to choose the application which is exploited. From there you can select your browser or pdf reader. Then you should get alerts from ESET.

 

hxxp://www.surfright.nl/en/downloads/

My experience with the this test tool is as follows.

 

First and most important, only do browser tests with the Surfright test tool. Eset's exploit protection only works for apps that are being monitored by protocol filtering. Eset will not block tests from the test tool itself.

 

Both ekrn.exe and egui.exe must be excluded from Eset's protocol filtering. That done, Eset will block the test exploit payload i.e. calc.exe from executing. You will receive no alert or log entry from Eset. Additionally, the shell of the browser being tested will still be running after Eset has blocked the test exploit payload and delivery process i.e. the exploit test tool. There will be multiples of these browser shells if you do all the tests in one session. You will have to manually terminate those processes using Task Manager or Process Explorer/Hacker. 

 

Note the above behavior is running the x64 version of the test tool on a x64 WIN 7 OS. When I did 32 bit browser testing, I believe the 32 bit test tool actually allowed IE 10 x86 to open and close. All calc.exe test exploit payloads were blocked however.

Edited by itman
Link to comment
Share on other sites
novice

novice 20

Posted
  • Author
Posted

Hi itman,

 

Thank you for your answer!

I have to be honest, I did not understand a lot from what were you saying.... :(

In simple words, ESET's exploit blocker is protecting against what??? and is better or worse than MBAE?

 

Thanks!

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Hi itman,

 

Thank you for your answer!

I have to be honest, I did not understand a lot from what were you saying.... :(

In simple words, ESET's exploit blocker is protecting against what??? and is better or worse than MBAE?

 

Thanks!

I will try to simplify as much as possible.

 

On a recent NSS Labs test that was done ad hoc i.e. Eset did not sponsor or pay for the test, Eset's exploit protection against 32 bit exploits running on 32 bit WIN 7 was for all practical purposes 100%. You can read the details here: https://www.nsslabs.com/reports/consumer-endpoint-protection-test-report-eset-smart-security-exploits

 

On another recent exploit test done by Malware Research Group against 32 and 64 bit exploits running on 64 bit WIN 7, Eset scored 80%. In comparison to other vendors tested, Eset ranked slightly below the middle. This test however was sponsored and paid for by Surfright for the purpose of specifically testing their HitmanPro Alert product. You can read details here:  https://www.mrg-effitas.com/wp-content/uploads/2015/04/MRG_Effitas_Real_world_exploit_prevention_test.pdf

 

Bottom line - I don't fully trust Eset's exploit blocker on a 64 bit OS running 64 bit software. Note that 64 bit exploits are rare but are increasing in frequency. Presently I personally am supplementing Eset with MBAE free since I run 64 bit WIN 7 and 64 bit IE10.

Edited by itman
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...