Original poster: 墨家小子

[Discussion] Don't talk to me about proactive defense or HIPS; keeping system programs from being intruded on is the real way to go. VoodooShield, get over here!

jone_jys
Posted 2016-3-24 23:42:53
墨家小子 posted on 2016-3-24 23:35
Someone has already tested it: it catches the SWF, but with only the exploit protection turned on it doesn't work.

Mm.
The exploit protection in MES 10.1 has a very old file version, still from August 2015..
gold2007
Posted 2016-3-25 08:19:50
yaoogle007 posted on 2016-3-24 17:13
How is HitmanPro.Alert's compatibility?

Paired with Sandboxie, apart from the occasional false alarm (it reports the browser being attacked; on inspection it's the Sandboxie process injecting into the browser), everything else is fine.
gold2007
Posted 2016-3-25 08:21:42
墨家小子 posted on 2016-3-24 18:30
It's enough indeed; the usability just depends on how well you adapt to it. That's the first step. For the second step, I think once the first line of defense is breached, what's left is information not ...

For the second line of defense I chose Dr.Web (大蜘蛛); it's sufficient.
墨家小子
Original poster | Posted 2016-3-25 09:51:21
jone_jys posted on 2016-3-24 23:42
Mm.
The exploit protection in MES 10.1 has a very old file version, still from August 2015..

Is there no newer version?
jone_jys
Posted 2016-3-25 10:08:13

No, the file contents should still be those of 10.0...
The latest 10.1 release came out at the end of 2015; in January this year two hotfixes were released, one for Defense and one for Web...

http://bbs.kafan.cn/thread-2033391-1-1.html
The "About" dialog in the third-to-last screenshot has very detailed information...
墨家小子
Original poster | Posted 2016-3-25 10:11:11
jone_jys posted on 2016-3-25 10:08
No, the file contents should still be those of 10.0...
The latest 10.1 release came out at the end of 2015; in January this year two hotfixes were released ...

Saw it, from August last year.
墨家小子
Original poster | Posted 2016-3-25 12:48:27
qftest posted on 2016-3-24 14:07
VS has been uninstalled; no matter how much its AI is hyped, I'm not installing it. What surprised me is that Dan was actually able to precisely count how many were handed out for the China region ...

This guy Cutting_Edgetech said:
I was saying the Parent Child feature is not a good idea because of exploits. When a process is exploited it happens within the process memory. The exploited process could then be used as the parent to allow the child which could be the payload. That's why I was saying never allow vulnerable processes to be parents (web apps). During our discussion we decided web apps should never be allowed to be parents.

This discussion has made me wonder if the exploit used on that Chinese forum was able to launch those other processes by taking advantage of the parent child feature. When you switched to the KMD driver did you make sure that Vlad was aware that the parent child feature does not apply to web apps (vulnerable applications)? Web apps should never be permitted to allow child processes using the parent child feature. Another way to launch those processes would be to inject into processes already running, and use those processes to do it. That could be why they were able to launch additional processes, but not successful in executing their own binary payload.

Edited 3/20 @ 3:36


Then today I saw that Dan replied like this:
I have been thinking about this quite a bit... even though no payload should slip through the way VS is currently, there is no reason for a web app to start any Windows or other vulnerable processes to spawn a child process. So I agree with you, we should take this one step further and basically have it so that web apps cannot spawn Windows (and other vulnerable processes) as child processes at all... even if they are whitelisted. Thank you for the recommendation... even though the malicious payload would be blocked either way, there is no reason to not block Windows and other vulnerable child processes of web apps, even when the item is whitelisted, mainly because the only time there would be a prompt is when an exploit is trying to exploit a vulnerable process. So I stand corrected ;), thank you!

Is it that spring has come, everything has revived, and Dan's brain has thawed out?

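The rule the two quoted posts converge on (a web app must never spawn Windows or other vulnerable processes as children, even when the child is whitelisted, because an exploited parent is already running attacker code in its own memory) written out as a small policy check over process-creation events. This is an added illustration, not VoodooShield's or Dan's code; the Sysmon-style event lines, the process categories and the whitelist are constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed categories (illustrative, not the product's real lists).
WEB_APPS = {"chrome.exe", "firefox.exe", "iexplore.exe", "flashplayer.exe",
            "acrord32.exe", "winword.exe"}
WINDOWS_OR_VULNERABLE = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                         "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
WHITELIST = {"cmd.exe", "explorer.exe"}  # constructed: what the user allowed earlier

EVENT_RE = re.compile(r"ParentImage:\s*(?P<parent>.+?)\s+Image:\s*(?P<child>.+?)\s*$")

@dataclass
class ProcEvent:
    parent: str        # basename of the creating process
    child: str         # basename of the new process
    whitelisted: bool  # would the child normally be allowed to run?

def parse_line(line: str, whitelist: set[str] = WHITELIST) -> ProcEvent:
    """Parse a constructed Sysmon-style 'ParentImage: ... Image: ...' line."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    parent = ntpath.basename(m["parent"]).lower()
    child = ntpath.basename(m["child"]).lower()
    return ProcEvent(parent, child, child in whitelist)

def decide(ev: ProcEvent) -> tuple[str, str]:
    """Return (verdict, reason). The web-app rule fires before the whitelist is consulted."""
    if ev.parent in WEB_APPS and ev.child in WINDOWS_OR_VULNERABLE:
        return "BLOCK", f"{ev.parent} spawned Windows/vulnerable child {ev.child} (whitelist ignored)"
    if not ev.whitelisted:
        return "BLOCK", f"{ev.child} is not whitelisted (default deny)"
    return "ALLOW", f"{ev.child} is whitelisted and {ev.parent} is not a web app"

def audit(lines: list[str]) -> list[tuple[str, str, str]]:
    """Verdict per event: (parent, child, ALLOW|BLOCK)."""
    return [(ev.parent, ev.child, decide(ev)[0]) for ev in map(parse_line, lines)]

SAMPLE_LOG = [  # constructed events mirroring the scenario discussed in the thread
    r"ParentImage: C:\Program Files\Google\Chrome\chrome.exe Image: C:\Windows\System32\cmd.exe",
    r"ParentImage: C:\Program Files\Google\Chrome\chrome.exe Image: C:\Users\u\AppData\Local\Temp\payload.exe",
    r"ParentImage: C:\Windows\explorer.exe Image: C:\Windows\System32\cmd.exe",
    r"ParentImage: C:\Windows\explorer.exe Image: C:\Users\u\Downloads\newtool.exe",
]

if __name__ == "__main__":
    for parent, child, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:5} {parent} -> {child}")
```

The first sample line is the case the thread argues about: cmd.exe is whitelisted, yet it is blocked because its parent is a browser, while the same child launched from explorer.exe is allowed.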
qftest
Posted 2016-3-25 17:32:57
墨家小子 posted on 2016-3-25 12:48
This guy Cutting_Edgetech said:

http://bbs.kafan.cn/forum.php?mo ... 25&pid=37350889

Aren't these two different replies to the same passage from 2016/3/20 3:26 PM?
On 2016/3/23 11:29 PM he says "But VS will block the payload from the exploited processes!!!...either way, the determination is made to block the process if it is spawned by a vulnerable process. Does this make sense?"... as long as the malicious program downloaded by the injected parent process is blocked, the child processes spawned through the injection will be intercepted automatically as well... (the controlled child process can't do any harm, so it's meaningless and doesn't need attention); VS is safe and hasn't been bypassed...;
On 2016/3/24 3:41 PM he then says "So I agree with you...So I stand corrected..." there is no reason at all to allow the injected parent process (even if it's a whitelisted program, even if the malicious program it downloaded was successfully blocked) to spawn child processes; it's entirely necessary to take measures to stop this from happening...
Impressive indeed; whichever way he puts it, he's right.
Maybe Dan is too busy and forgot he had already replied to this passage.
墨家小子
Original poster | Posted 2016-3-25 22:00:41
qftest posted on 2016-3-25 17:32
http://bbs.kafan.cn/forum.php?mod=redirect&goto=findpost&ptid=2034225&pid=37350889

Aren't these ...

It's not that he's busy at all. My guess is he tested it, the results left him stunned, and having talked too big before he couldn't easily walk it back, so now he's come out and admitted he was wrong. If he hadn't, damn it, I'd have organized a group of people to post the recordings of these past few days' VS tests on YouTube so everyone could see his trash-talking skills.
墨家小子
Original poster | Posted 2016-3-25 22:20:57
qftest posted on 2016-3-25 17:32
http://bbs.kafan.cn/forum.php?mod=redirect&goto=findpost&ptid=2034225&pid=37350889

Aren't these ...

Seeing some people barking suddenly reminded me that I should give OP a try.