
Crystal Anti-Exploit Protection is a utility for protecting your PC from Internet threats. Protecting end devices, or why antivirus is no panacea: strong protection against exploits

This fall Windows 10 was updated to version 1709, code-named Fall Creators Update or Redstone 3. Among the set of changes, we are primarily interested in the improved protection against unknown malware. Microsoft adopted a number of measures to counter ransomware Trojans and exploits. How successful are they?

Old new Defender

Everything new is well-forgotten old. In the Fall Creators Update the built-in security components were combined into the Windows Defender Security Center. Even the software firewall is now called "Windows Defender Firewall", but these changes are purely cosmetic. More significant are the new features, which we consider in more detail below.

Another old-new component that appeared in Redstone 3 is called "Exploit Protection". Windows Defender Exploit Guard, or simply EG, is enabled through the Windows Defender Security Center in the "App & browser control" section.

Technically, Exploit Guard is the former Enhanced Mitigation Experience Toolkit with a slightly expanded feature set and a new interface. EMET appeared back in the Windows Vista era; its support has now ended, and Exploit Guard has taken its place. It belongs to Advanced Threat Protection, together with Device Guard and Application Guard. Wags say that Microsoft originally wanted to present a combined component called Advanced System Security Guard, but the abbreviation turned out to be completely indecent.

Protection against exploits

Exploit Guard is only a risk-reduction tool. It does not eliminate the need to patch vulnerabilities in software, but it makes exploiting them harder. In general, Exploit Guard works by prohibiting the operations that malware uses most often.

The problem is that many legitimate programs use them too. Moreover, there are old programs (or rather, dynamic libraries) that will simply stop working if you enable the new memory-control functions and other modern protection mechanisms in Windows.

Therefore, configuring Exploit Guard means stepping on the same rake as EMET did before it. As I recall, many administrators dug into the subtleties of the settings and then simply stopped using the restrictive functions because of numerous user complaints.

If security is paramount and you need to tighten the screws all the way, then the most in-demand Exploit Guard functions were (since EMET times) and remain:

  • DEP (Data Execution Prevention) prevents data from being executed: it does not allow a code fragment to run from a memory area not intended for execution (for example, as a result of a stack overflow);
  • random memory layout (ASLR) prevents attacks on well-known addresses;
  • disabling extension points prevents DLL injection into running processes (see the article on UAC bypass, where this method was widely used);
  • the DisallowChildProcessCreation setting prohibits the specified application from creating child processes;
  • Import Address Filtering (IAF) and Export Address Filtering (EAF) do not allow a (malicious) process to walk the address tables and access the memory pages of system libraries;
  • CallerCheck checks whether the caller has the right to call a sensitive API;
  • SimExec, simulated execution, checks before the code actually runs where calls to sensitive APIs will return to.

Commands can be issued via PowerShell. For example, a ban on creating child processes looks like this:

Set-ProcessMitigation -Name executable_File.EXE -Enable DisallowChildProcessCreation

All x86 processors and chipsets released in the last ten years support DEP in hardware, and for quite old hardware a software implementation of this function is available. However, for the sake of compatibility with old software, Microsoft still recommends enabling DEP only for system processes in new versions of Windows. For the same reason, the ability to disable DEP for any process was left in place. All this is successfully used in DEP bypass techniques.

Therefore, using Exploit Guard makes sense only if several protective functions can be enabled at once without breaking at least the main applications. In practice this is rarely possible. Here is an example of an EG profile converted from EMET that reliably sends Windows 10 into a BSOD. Hacker magazine once had a column called "Zapostroy", and Exploit Guard would fit into it perfectly.
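The mitigation list and the EMET-conversion caveat above, as an added PowerShell example (not from the original article): stage Exploit Guard mitigations for one application in audit mode, review the Security-Mitigations event log, and only then swap audit options for their enforcing twins. The application name and file paths are assumed placeholders; it needs Windows 10 1709 or later and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. $AppName, $EmetProfile,
# $ConvertedPath and $ExportPath are assumed placeholders; replace them.
param([ValidateSet('Audit', 'Review', 'Enforce')][string]$Phase = 'Audit')

$AppName       = 'legacyapp.exe'              # assumed: executable name, no path
$EmetProfile   = 'C:\Temp\emet-profile.xml'   # assumed: XML exported from EMET, if any
$ConvertedPath = 'C:\Temp\emet-converted.xml' # assumed: where the converted profile goes
$ExportPath    = 'C:\Temp\exploit-guard.xml'  # assumed: where the final EG policy is saved

# Options with no audit variant (DEP, mandatory ASLR, bottom-up ASLR, extension
# points) rarely break programs and are enforced right away. Each audit option
# below maps to the enforcing option that replaces it once the log stays clean.
$EnforceNow = 'DEP', 'ForceRelocateImages', 'BottomUp', 'DisableExtensionPoints'
$AuditFirst = [ordered]@{
    AuditChildProcess              = 'DisallowChildProcessCreation'
    AuditEnableImportAddressFilter = 'EnableImportAddressFilter'
    AuditEnableExportAddressFilter = 'EnableExportAddressFilter'
    AuditEnableRopCallerCheck      = 'EnableRopCallerCheck'   # ROP checks: 32-bit processes only
    AuditEnableRopSimExec          = 'EnableRopSimExec'
}

function Show-Baseline {
    # Record the system-wide defaults and the app's current per-process settings first.
    Get-ProcessMitigation -System | Format-List
    Get-ProcessMitigation -Name $AppName | Format-List
}

function Convert-EmetProfile {
    # An old EMET profile can be converted instead of re-entered, but review the
    # result before applying it: a carried-over profile can take the system down.
    if (Test-Path $EmetProfile) {
        ConvertTo-ProcessMitigationPolicy -EMETFilePath $EmetProfile -OutputFilePath $ConvertedPath
        "Converted profile written to $ConvertedPath (apply later with Set-ProcessMitigation -PolicyFilePath)."
    }
}

function Start-AuditPhase {
    # Settings apply to new instances of the process, so restart the app afterwards.
    Set-ProcessMitigation -Name $AppName -Enable ($EnforceNow + @($AuditFirst.Keys))
    "Audit mode staged for $AppName; use it normally, then rerun with -Phase Review."
}

function Get-MitigationAuditEvents {
    param([int]$Days = 7)
    # User-mode audit/block events are written to this channel; kernel-mode ones
    # go to the sibling Microsoft-Windows-Security-Mitigations/KernelMode channel.
    $filter = @{ LogName = 'Microsoft-Windows-Security-Mitigations/UserMode'; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$AppName*" } |
        Select-Object TimeCreated, Id, Message
}

function Start-EnforcePhase {
    # Swap every audit option for its enforcing twin, then export the whole
    # per-app configuration for rollout through Group Policy or Intune.
    Set-ProcessMitigation -Name $AppName -Disable @($AuditFirst.Keys) -Enable @($AuditFirst.Values)
    Get-ProcessMitigation -RegistryConfigFilePath $ExportPath
    "Mitigations enforced for $AppName; policy exported to $ExportPath."
}

switch ($Phase) {
    'Audit'   { Show-Baseline; Convert-EmetProfile; Start-AuditPhase }
    'Review'  {
        $hits = @(Get-MitigationAuditEvents)
        if ($hits.Count) { $hits | Format-Table -Wrap }
        else { "No mitigation events for $AppName in the review window; safe to rerun with -Phase Enforce." }
    }
    'Enforce' { Start-EnforcePhase }
}
```

Run the script three times over a representative period (Audit, then Review, then Enforce); an application that legitimately spawns child processes or hooks extension points will show up in the Review phase instead of failing in front of users.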


At the development stage, protection mechanisms against hackers are built into all programs and networks, like locks that warn against unauthorized entry. A vulnerability is like an open window that an attacker will have no great difficulty climbing through. In the case of a computer or network, attackers can install malware by exploiting a vulnerability in order to gain control or infect the system for their own mercenary purposes, with the corresponding consequences. Most often this happens without the user's knowledge.

How do exploits arise?

Exploits are caused by errors in the software development process, as a result of which vulnerabilities appear in the program's protection mechanisms, which cybercriminals then successfully use to gain unlimited access to the program itself and, through it, to the entire computer. Exploits are classified according to the type of vulnerability used by a hacker: zero-day, DoS, spoofing or XSS. Of course, developers will soon release security updates to eliminate the discovered defects, but until then the program remains vulnerable to intruders.

How to recognize an exploit?

Since exploits use gaps in program security mechanisms, an ordinary user has almost no chance of detecting them. That is why it is extremely important to keep installed software updated, and in particular to install the security updates released by developers in a timely manner. If a developer releases a security update to eliminate a certain vulnerability in its software but the user does not install it, then, unfortunately, the program will not receive the most recent virus definitions.

How to eliminate an exploit?

Since exploits are the consequence of defects in the code, fixing them is the direct duty of the developers, so the authors have to prepare and ship the correction. However, the obligation to keep installed programs updated and to install update packages in time, so as not to give hackers a chance to exploit vulnerabilities, lies entirely with the user. One way not to miss the latest updates is to use an application manager that ensures all installed programs are up to date, or, better still, a tool that automatically finds and installs updates.

How to stop hackers' attempts to exploit vulnerabilities in third-party programs
  • Make sure you have installed the latest security updates and patches for all programs.
  • To stay safe online and keep up with events, install all updates immediately after their release.
  • Install and use a premium antivirus that is capable of automatically updating installed programs.
Protect yourself from exploits

Rely on common sense and follow the basic rules of safe work on the Internet. Hackers can only take advantage of a vulnerability if they manage to reach your PC. Do not open attachments in suspicious messages and do not download files from unknown sources. Keep installed programs updated, and install security updates in time. If you want to simplify this task as much as possible, download Avast antivirus, which will not only provide reliable protection against all types of malware, but will also help with installing the latest updates for third-party programs.

The number of ransomware viruses tripled last year, and the ransom demanded increased by 266%, averaging 1,000 dollars per victim worldwide.

Yakov Grodzensky, Head of Information Security at "System Software"

The number of end devices, including mobile ones, on enterprise networks has grown many times over the past decades. This growth is taking place against a depressing threat landscape: according to a Symantec report, more than a million malware samples appear on the global network daily. For example, the number of ransomware viruses tripled last year, and the ransom demanded increased by 266%, averaging 1,000 dollars per victim worldwide.

It seems that endpoint cybersecurity has today become a titanic task that can hardly be handled manually and/or with an antivirus alone.

Indeed, Gartner analysts note a steady trend toward multi-level endpoint protection, including whitelists and blacklists of programs, hosts and applications and other control tools within a full protection cycle. What does this mean, how can enterprise security be guaranteed, and are the good old antiviruses no longer enough for business?

Let's try to figure it out.

What is Endpoint Security for a company and for the market?

What does a mature strategy for protecting end devices consist of, if each device connected to your corporate network is essentially a "door" to valuable personal and business data?

First of all, from the understanding that information security (IS) administration is a complex matter, that end devices are an element of the IT (and therefore the IS) infrastructure, and that determining where their protection ends and, say, network protection begins is actually impossible and meaningless.

That is, administration policies and the security protocol itself should cover the protection of all elements of the IT infrastructure. But a modern enterprise network connects a variety of end devices, including PCs, laptops, smartphones, tablets, POS terminals... and each such device must meet network access requirements. This means their cyber protection must be at least automated. Moreover, compliance with endpoint security policies, given today's growing number of threats, requires using at least:

  1. firewalls for different types of devices;
  2. antivirus for email;
  3. monitoring, filtering and protection of web traffic;
  4. security management and protective solutions for mobile devices;
  5. application control;
  6. data encryption;
  7. intrusion detection tools.

At the same time, the market offers three basic types of endpoint protection solution and their combinations:

1. Traditional signature-based antivirus. It gives a stable result, but only within its signature base. Because of the incredibly large number of malicious samples, it cannot be 100% current at every moment, and the user is also able to turn the antivirus off on their machine.
2. Endpoint Detection and Response (EDR), or incident detection and response. Such solutions, for example KEDR from Kaspersky Lab, recognize indicators of compromise on the end device and block and/or clean it. Usually these systems act only after the fact of a breach (intrusion) on the device or in the corporate network.
3. Advanced Endpoint Protection (AEP), or advanced protection of end devices, which includes preventive methods of protection against exploits and malware, device and port control, personal firewalls and so on. That is, an AEP solution fights threats proactively: the threat is recognized and destroyed before the breach, as, for example, in Palo Alto Networks Traps, Check Point SandBlast Agent (this solution makes backups while it detects suspicious activity) or FortiClient.

But whatever vendor or combination of services you choose, it is worth knowing from the start the basic rules for evaluating such solutions and building an effective endpoint cybersecurity strategy for your network.

Seven basic rules of endpoint cyber protection

Rule one. Protection should neutralize the entire attack chain.

According to analysts and cybersecurity market representatives, thinking in terms of "viruses and antiviruses" is a failed strategy for an enterprise that wants to protect its business. A virus infection itself is only one link in a much longer chain leading to the compromise of corporate networks.

And that chain begins with an attempt to break into your infrastructure. Accordingly, effective protection against intrusions today includes:

  1. tools for careful inspection of email attachments (email is still the leading "delivery vehicle" for malware to user devices);
  2. protection against downloading unwanted applications from the Internet: 76% of sites contain vulnerabilities. Technology that analyzes all incoming and outgoing traffic and offers browser protection to block such threats before they run on the end device helps here;
  3. strong protection for the end devices themselves, that is, a service that controls both the applications and the device itself, including:
     a) file reputation analysis and determination of key file attributes (the original location of the file and the number of its downloads). Ideally the system tracks and examines hundreds of links and billions of connections between users, sites and files in order to follow the distribution and mutation of malware and prevent attacks;
     b) advanced machine-learning elements, that is, genuinely working non-signature technology that can analyze trillions of files across the global network, distinguish "good" files from "bad" ones and block malware before it runs;
     c) protection against exploits, especially zero-day vulnerabilities and memory-based attacks;
     d) behavioral monitoring, that is, identifying "dangerous" behavior of scripts, applications, devices and hosts on the network, and eliminating such a threat;
     e) high-quality emulation, or rapid creation of "sandboxes" to identify and block malware on the device.

Rule two. Endpoint Detection and Response (EDR), or incident investigation and response, should deliver results.

The problem is that, according to statistics, 82% of today's cybercriminals are able to steal valuable enterprise data "in a minute or less", while 75% of companies take at least weeks to respond to incidents. Such a gap indicates truly high risks in the endpoint security area.

Advanced EDR solutions can isolate your end device for an effective investigation of the breach, stop the spread of the virus and restore the device from an uninfected copy of the data.

Rule three. The system should not interfere with business, which means:

a) the performance and scalability of your protection systems are equally important. That is, your defense should not impede the efficiency of business processes and rapid data exchange on the network. It is also important to be able to quickly deploy the cybersecurity system at new workplaces, for example in a regional or foreign branch.

b) the total cost of its implementation and use should be optimal.

Rule four. Centralized cybersecurity management. Scattered protective solutions, controlled manually from different points, increase the number of errors, excessive alerts and false positives, not to mention the extra time and money spent on administering this "zoo".

Rule five. Seamless integration with software and hardware solutions at every point of the network for the efficient operation of the entire IS infrastructure, from gateway protection to SIEM systems. It is important that endpoint protection solutions integrate with network access control (NAC) so that a computer can be isolated at a certain risk level. It is also important that endpoint products work in conjunction with related IS solutions that support deep packet inspection and SSL traffic inspection.

Rule six. Coverage of all possible operating systems, including server and mobile ones; remember the variety of "different" devices that employees bring with them or choose to work with in the office.

Rule seven. Enhanced data protection. This point may not be directly related to endpoint protection, but without it an effective IS strategy is impossible in principle. Data protection includes:

  1. encryption;
  2. segregation (separation) of sites and network nodes, and of user groups on the network;
  3. data loss protection and recovery tools;
  4. monitoring the integrity of files and the file system.

... and three additional ones

First. Special attention to eliminating cyber threats on mobile devices. The BYOD / CYOD / COPE concepts are only becoming more popular, and the number of mobile devices in corporate networks keeps growing.
These require special attention, because such devices are usually used not only for work and not only in the office, which means the risk of infecting the corporate network through them is very high.

Ideally, the "mobile IS management" strategy may include:

  1. mobile VPN;
  2. enhanced authentication of devices on the corporate network;
  3. control and monitoring of third-party content;
  4. containerization of applications.

Second. Analysis of the maturity level (KPIs) of your endpoint protection.

Forrester Research analysts distinguish five (six, counting the zero level) stages of maturity of an enterprise's IS strategy:

Zero, or absent: no need, no understanding, no formalized requirements.

Ad hoc, or spontaneous: the need for cyber protection arises case by case, there is no planning of IS resources, processes are not documented.

Forced: intuitive, undocumented, applied irregularly, as needed.

Conscious: processes are documented, the strategy itself is understood and predictable, but the assessment of actions and resources is carried out occasionally.

Related: high-quality management tools are introduced, a good level of formalization and (often) automation of procedures, regular assessment of actions, processes and investments.

Optimized: processes and levels of protection are largely automated, and the strategy itself is built around long-term, efficient and proactive protection of the business. A high level of integration of IS services and systems.

Accordingly, it is cheaper and safer to be in the last three stages. This gradation also makes it easier to set goals for improving the IS strategy if you are in the first three.

Third. Finally, your end-device users should know what cyber protection is and constantly improve their IS knowledge and skills. The most destructive factor is the human one, and without trained personnel even the most advanced defense will fail. No one in business has yet learned to counter the human factor without harming operational work. Therefore it is easier and, over time, much cheaper to teach people the basics of safe behavior and safe use of their gadgets.

Exploits are a special kind of malware used by attackers to install various Trojans or backdoors on the user's computer. Such installation via exploits is carried out unnoticed by the user, which gives attackers an undeniable advantage. An exploit tries to use a vulnerability in a particular OS component for such an operation.

For the user, the most dangerous scenario is attackers using an exploit that allows them to remotely execute code in the OS. In this case it is enough for a person to visit a compromised web resource for the malicious code to run (drive-by). If your computer has a vulnerable version of the browser or its plugins, the likelihood of infection by malicious code is very high.

Updating the OS, as well as installed software, is good practice, since vendors regularly close vulnerabilities discovered in them. The components through which the user is at particular risk include the following:

In the case of special targeted attacks or "watering hole" attacks, attackers can use 0-day vulnerabilities in software and the OS. This is the name for vulnerabilities that, at the time the intruders use them, have not yet been closed by the vendor.

Antivirus products are able to detect exploits by signature. This allows the user to be protected from malicious content on the fly, by blocking the corresponding web page with malicious content.

Modern editions of Microsoft Windows (Windows 7, 8 and 8.1) have built-in mechanisms that protect the user from the destructive actions of exploits. These features include:

  • DEP & ASLR mechanisms, which make it harder to exploit a given vulnerability in software and the OS by restricting the execution of non-executable memory and by placing programs in memory at arbitrary addresses. DEP & ASLR on Windows 7+ are used at the maximum possible level.
  • User Account Control (UAC), which was refined in Windows 7 and requires user confirmation to launch programs that need to change system settings and create files in system directories.
  • SmartScreen Filter for the OS (starting with Windows 8), which helps prevent the user from downloading malware from the Internet, based on Microsoft's reputation information.
  • A special "Enhanced Protected Mode" for the Internet Explorer browser (starting with IE 10). On Windows 8 it allows browser tabs to run in the context of isolated processes that are restricted from performing certain actions. On Windows 7 x64 it allows browser tabs to run as separate 64-bit processes.
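To check the state of the mechanisms just listed without clicking through dialogs, here is an added PowerShell example (not from the original article) that reads the DEP policy from WMI and the UAC, SmartScreen and IE Enhanced Protected Mode settings from their registry values, then flags anything weaker than the protections described above. The registry locations are the documented ones for these settings; the pass/fail thresholds are chosen here.

```powershell
# Added example, not from the original article: report the state of the built-in
# Windows mitigations named in the list above. Registry locations are the
# documented ones for these settings; the pass/fail thresholds are chosen here.

function Get-BuiltInMitigationState {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # WMI reports the system-wide DEP policy as a number:
    # 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (system binaries only; the client default), 3 OptOut.
    $depPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    # UAC: EnableLUA=1 means UAC is on; ConsentPromptBehaviorAdmin=0 means admins are never prompted.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue

    # SmartScreen for downloads/Explorer (Windows 8+): 'RequireAdmin', 'Prompt' (or 'Warn') or 'Off'.
    $ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    $ssValue = if ($ss) { $ss.SmartScreenEnabled } else { 'NotConfigured' }

    # IE Enhanced Protected Mode is a per-user setting: Isolation='PMEM' turns EPM on,
    # Isolation64Bit=1 makes the tab processes 64-bit on x64 Windows.
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DepHardwareAvailable = [bool]$os.DataExecutionPrevention_Available
        DepPolicy            = $depPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        UacEnabled           = ($uac.EnableLUA -eq 1)
        UacAdminPrompt       = $uac.ConsentPromptBehaviorAdmin
        SmartScreen          = $ssValue
        IeEnhancedProtected  = ($ie.Isolation -eq 'PMEM')
        IeTabs64Bit          = ($ie.Isolation64Bit -eq 1)
    }
}

function Test-MitigationBaseline {
    # Returns one line per setting that is weaker than the mitigations described above.
    param([Parameter(Mandatory)] $State)
    $findings = @()
    if (-not $State.DepHardwareAvailable) { $findings += 'DEP: no hardware NX support reported' }
    if ($State.DepPolicy -eq 'AlwaysOff')  { $findings += 'DEP: disabled system-wide' }
    if ($State.DepPolicy -eq 'OptIn')      { $findings += 'DEP: OptIn policy, only system binaries and opted-in programs are covered' }
    if (-not $State.UacEnabled)            { $findings += 'UAC: disabled (EnableLUA=0)' }
    elseif ($State.UacAdminPrompt -eq 0)   { $findings += 'UAC: administrators are never prompted (ConsentPromptBehaviorAdmin=0)' }
    if ($State.SmartScreen -in @('Off', 'NotConfigured')) { $findings += "SmartScreen: $($State.SmartScreen)" }
    if (-not $State.IeEnhancedProtected)   { $findings += 'IE: Enhanced Protected Mode is off for this user' }
    elseif ([Environment]::Is64BitOperatingSystem -and -not $State.IeTabs64Bit) { $findings += 'IE: EPM is on but tabs still run as 32-bit processes' }
    return ,$findings
}

$state = Get-BuiltInMitigationState
$state | Format-List
$findings = @(Test-MitigationBaseline -State $state)
if ($findings.Count -eq 0) { 'All listed mitigations are enabled.' } else { $findings }
```

Run it in the user's own (non-elevated) session so the HKCU values reflect that user's Internet Explorer settings.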

PDF files

Files designed to be opened in Adobe Reader and Acrobat have the PDF format and are quite dangerous, especially when obtained from unreliable sources. Adobe has extended PDF to the maximum possible extent, allowing all sorts of content to be embedded in it. One of the main advantages of PDF documents is cross-platform support, provided a reader (Adobe Reader) is available for the platform you need.

In many cases, attackers use malicious PDF files specifically to deliver malware to the user. If the Adobe Reader version in use is vulnerable, there is a high probability of infecting the computer.

Given the high risks of using PDF documents from unsafe sources, as well as users' lack of awareness of security issues, modern versions of Adobe Reader have a special "protected mode" for viewing documents, or "sandboxing" (protection in an isolated software environment). In this mode, code from the PDF file is completely prohibited from performing certain potentially dangerous functions.

Fig. Sandbox mode settings in Adobe Reader.

By default, protected viewing is off. Despite the active "Enable Protected Mode at startup" checkbox, it is turned off because the protected view option is set to "Off". Accordingly, after installing the program it is strongly recommended to set this option to "Files from potentially unsafe locations" or "All files".

Note that when protected mode is on, Adobe Reader disables a range of functions that PDF files can use. Therefore, when you open a file you may see the following notification.

Fig. A pop-up tip indicating that protected viewing mode is active.

If you are confident in the origin of the file, you can enable all its functions by clicking the corresponding button.

Adobe Flash Player

Attackers are very fond of Adobe Flash Player. Since its plugins for playing content are used in all browsers, finding vulnerabilities in it and then using them for malicious purposes is a top-priority task for intruders.

Like other Adobe software, Flash Player is regularly updated as part of the Adobe Security Bulletins. Most of these vulnerabilities are of the Remote Code Execution type, which means attackers can use a single vulnerability to execute code remotely.

Web browser vendors, like Adobe, do not sit still and build in special exploit protection mechanisms for the Flash Player plugin. Browsers such as MS Internet Explorer (v10 on Windows 8), Google Chrome and Safari on OS X (new version) launch Flash Player in the context of a sandbox process, limiting this process's access to many system resources, locations in the file system and the network.

A very important function is timely updating of the Flash Player plugin for the browser. Browsers such as Google Chrome and Internet Explorer 10 are updated automatically when a new version of Flash Player is released, so for them the player is updated automatically.

To check your Adobe Flash Player version, use the official Adobe source.

In addition, browsers support completely disabling the Flash Player plugin so that the browser does not play such content. We have already written a detailed article about the problems of using the Java plugin in browsers. Disabling the Flash Player plugin is done in the same way.

For Google Chrome:

"Settings" -> "Show advanced settings" -> "Content settings" -> "Disable individual plug-ins".

For Internet Explorer:

"Tools" -> "Manage add-ons".

ESET Exploit Blocker

This is an add-on to the proactive protection in the latest, seventh-generation versions of ESET Smart Security and ESET NOD32 Antivirus. Unlike conventional static signature detection, the Exploit Blocker module analyzes application behavior for suspicious actions and techniques that exploits use. Once such actions are discovered, they are analyzed and the malicious process is immediately blocked. Some such actions are subjected to additional analysis in our cloud, which provides additional capabilities for protecting users from targeted attacks and attacks using 0-day exploits.

MS Internet Explorer and Google Chrome

We already wrote at the beginning of this article that the attack method intruders prefer most is remote code execution through the browser (drive-by download). Regardless of the installed plugins, the browser itself may contain, and potentially does contain, a certain number of vulnerabilities. If a vulnerability has already been investigated by the developers and an update has been released for it, the user can install the update and not worry that attackers will compromise the OS. On the other hand, if attackers use an unknown vulnerability, that is, one that has not been closed (0-day), the situation is more complicated.

Many modern web browsers and operating systems include technology for isolating an application's process, preventing it from performing any actions the browser does not need to perform. In general this technique is called sandboxing and allows restrictions to be imposed on the actions a process performs. One example of such isolation is that modern browsers (for example, Internet Explorer and Chrome) run their tabs as separate OS processes, which allows permissions for certain actions to be set for a specific tab and also improves the stability of the browser itself: if one tab hangs, the user can terminate it without terminating the others.

Modern versions of the MS Internet Explorer browser (IE10 & 11) have a special sandboxing technology called "Enhanced Protected Mode". This mode restricts the actions of a tab or plugin process and thus hinders intruders' ability to exploit the browser.

Fig. Sandboxing mode for Internet Explorer, available since version 10.

Enhanced Protected Mode (EPM) was refined for Windows 8. If you use EPM on Windows 7 x64, this feature runs browser tabs as 64-bit processes (by default IE runs its tabs as 32-bit processes). Note that EPM is turned off by default.

Fig. Demonstration of EPM on Windows 7 x64 (using MS Process Explorer). With the option enabled, browser tab processes are launched as 64-bit, which makes it harder to exploit them to install malicious code.

Starting with Windows 8, Microsoft introduced support for process isolation (sandboxing) at the OS level. The technology is called "AppContainer" and allows EPM to make maximum use of the advantages of this mode. Internet Explorer tab processes with EPM active run in AppContainer mode. In addition, on Windows 8 EPM mode is enabled by default.

Fig. Demonstration of EPM on Windows 8; AppContainer is enabled for the tabs (aka sandboxing).

Fig. Differences in EPM on Windows 7 & 8.

Google Chrome, like IE, also has special capabilities for preventing attacks such as drive-by download. But unlike IE, Chrome's sandboxing mode works constantly and does not require any additional action from the user to enable it.

Sandboxing mode for Chrome means that tab processes are started with low privileges, which does not allow them to perform various system actions.

Fig. Sandboxing mode as implemented in Google Chrome. Almost all user SIDs in the access token have deny-only status, which prohibits the process from performing the important system functions permitted to these groups.

Fig. Chrome uses a special job object that includes all the browser's processes. The object limits the application's actions with respect to OS resources, preventing exploitation of the browser by intruders.

In addition to this mode, Google Chrome can block malicious URLs or sites that Google has blacklisted as distributing malware (Google Safe Browsing). This feature is similar to the URL database in Internet Explorer's SmartScreen.

Fig. Google Safe Browsing in Google Chrome in action.

In relation to the browser and the OS, it is a virtual machine (or JRE Wednesday) to execute Java applications. Platform independence of such applications makes Java very popular in use, today it is used for more than three billion devices.

Like other plagins to the browser, the Java plugin is quite attractive to use for attackers, and given the previous experience in using vulnerabilities, we can say that Java is the most dangerous component from all other browser plugins.

In our previously published material about the problems of using Java on your system, we wrote how you can turn off this plugin for various browsers In case you do not use Java applications and do not want to expose yourself danger.

When you use Java on Windows, then the security settings of this program can be adjusted using an applet on the control panel. In addition, the latest items of its versions allow you to customize security settings in more detail, which allows you to run only trusted applications.


Fig. Update settings for Java. Update check is enabled by default, the user is notified before the download operation.

To completely disable Java, in all browser systems used in the system, it is necessary to configure the "Enable Java Content In The Browser" setting in the Java applet.


Fig. Removing the "Enable Java Content in Browser" tick completely disables the possibility of using plug-ins in the installed browsers.

Microsoft manufactures a free tool for users to help protect the OS from the methods of attacks used in exploits.


Fig. EMET interface.

The Enhanced Mitigation Experience Toolkit (EMET) uses preventive techniques to block typical exploit actions and so protect applications from attack. Although Windows 7 and Windows 8 ship with DEP and ASLR built in and enabled by default, EMET adds further exploit-blocking mitigations and can also force DEP or ASLR on for the processes you choose, which strengthens protection on older OS versions. This matters because the default system-wide DEP policy (OptIn) covers only Windows system binaries, and ASLR only relocates modules that were built with /DYNAMICBASE; EMET's per-process forcing closes exactly that gap.

EMET is configured per application: to protect an application with this tool you must add it to the corresponding list. There is also a list of applications for which EMET is enabled by default, such as Internet Explorer, Java and the Microsoft Office programs.

For more on using EMET and an overview of its capabilities, see our corporate blog.
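EMET is no longer supported, and on Windows 10 1709 and later the same per-application model lives on as Exploit Guard, configured through the Set-ProcessMitigation cmdlets. The following is an added example, not code from the article or from Microsoft's EMET documentation, showing the Exploit Guard equivalent of adding an application to EMET's list: forcing DEP and mandatory ASLR, adding the EMET-derived EAF+ and ROP checks, verifying the result, and exporting the configuration for deployment. The process name AcroRd32.exe is only a placeholder; run as an administrator.

```powershell
# Added example (not from the article): per-application mitigations with Exploit
# Guard, the successor of EMET on Windows 10 1709+. $target is an assumed example.
$target = 'AcroRd32.exe'

# Equivalent of ticking DEP, SEHOP, MandatoryASLR, BottomUpASLR, EAF+ and the ROP
# mitigations for one application in EMET. Exploit Guard keys per-process settings
# by image name, so every process launched with this name inherits them.
Set-ProcessMitigation -Name $target -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy,EnableExportAddressFilterPlus,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec

# Verify: each mitigation group (DEP, ASLR, Payload, ...) reports ON/OFF/NOTSET,
# where NOTSET means the system default applies.
Get-ProcessMitigation -Name $target

# System-wide defaults. ForceRelocateImages is deliberately left out here: forcing
# relocation of images not built with /DYNAMICBASE is what breaks old software,
# so apply it per application (as above), not globally.
Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp,HighEntropy,CFG
Get-ProcessMitigation -System

# Export the resulting configuration to XML; the file can be imported on other
# machines with Set-ProcessMitigation -PolicyFilePath or distributed via Group Policy.
$export = Join-Path $env:TEMP 'exploit-guard.xml'
Get-ProcessMitigation -RegistryConfigFilePath $export
Write-Host "Exported mitigation policy to $export"

# An existing EMET profile can be converted instead of being rebuilt by hand
# (assumption: emet-profile.xml is an exported EMET configuration):
# ConvertTo-ProcessMitigationPolicy -EMETFilePath .\emet-profile.xml -OutputFilePath .\converted.xml
# Set-ProcessMitigation -PolicyFilePath .\converted.xml
```

Test the hardened application after applying the ROP and EAF+ checks: like EMET, these are the mitigations most likely to produce false positives, and the Microsoft documentation lists which of them apply only to 32-bit processes, so a 64-bit build of the same application may receive less protection than the list above suggests.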

Some Windows components that we have not paid special attention to above can also be used by attackers for remote code execution or privilege escalation.


Fig. Statistics of fixes for various Windows components delivered in the monthly Patch Tuesday updates. The ranking shows the components that were updated most often in the first half of 2013.

The ranking above shows that the Internet Explorer browser had the largest number of vulnerabilities closed: across twelve updates more than fifty vulnerabilities were fixed, and six of them had is-being-exploited-in-the-wild status at the time of the fix, i.e. they were already being used by attackers.

The second most frequently patched component is the well-known Windows subsystem driver win32k.sys, which implements the graphics subsystem of the OS in kernel mode. Vulnerabilities in this component are used by attackers to escalate privileges in the system, for example to bypass the restrictions imposed by UAC. Since a successful win32k.sys exploit runs code in kernel mode, it also escapes the browser sandboxes described above, which is why such bugs are routinely chained with a browser exploit.

Note that Windows 7 and 8 can deliver updates automatically by default. You can also check for updates manually through the Control Panel.
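Because the components above are patched month after month, the practical check is whether a given machine is actually missing any of those fixes. The following is an added example, not part of the article, that asks the Windows Update agent for updates that are available but not yet installed through the documented Microsoft.Update.Session COM interface, and flags the ones Microsoft rates Critical. It needs network access to the update source (Windows Update or a WSUS server); the KB number in the final comment is a placeholder.

```powershell
# Added example (not from the article): list pending updates and highlight the
# Critical ones. Uses the Windows Update Agent COM API, available on Windows 7/8/10.
function Get-MissingUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: not yet installed; Type='Software' skips driver updates;
    # IsHidden=0 skips updates an administrator has deliberately hidden.
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity    # Critical/Important/Moderate/Low, empty for non-security updates
            Title    = $u.Title
        }
    }
}

$missing = @(Get-MissingUpdate)
$missing | Sort-Object Severity | Format-Table -AutoSize

$critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })
if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) Critical update(s) pending: $(($critical | ForEach-Object KB) -join '; ')"
} else {
    Write-Host "No Critical updates pending ($($missing.Count) other update(s) available)"
}

# To confirm that a specific bulletin's fix is present after Patch Tuesday
# (assumption: replace <number> with the KB from the bulletin):
# Get-HotFix -Id KB<number>
```

An empty Severity means the update is not a security bulletin; a Critical entry that references win32k.sys or Internet Explorer in its title is the kind of fix the ranking above says attackers exploit first, and should not wait for the next automatic update window.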

The Security Architecture of the Chromium Browser
Understanding IE Enhanced Protected Mode


Crystal Anti-Exploit Protection tries to detect the activity characteristic of malicious software and blocks any actions that look suspicious.

Most antivirus programs identify malicious files in order to prevent them from being downloaded and executed on the client PC. This works, but only until a new virus appears for which there are no reliable distinguishing signs. CAEP (Crystal Anti-Exploit Protection) offers an additional layer of protection: it does not scan the computer and does not use a signature database; instead it relies on a dedicated behaviour-recognition system whose main task is to identify and block any potentially malicious activity on the PC.

For example, so-called drive-by downloads, which are the most common way a virus ends up on a computer, are usually the result of executing code from an untrusted source. To counter this threat, CAEP can prohibit any application from executing code from temporary folders, from the Downloads folder and from other such locations. If an attempt is made anyway, the user receives a warning; if you do not allow the file to run, you will most likely avoid infection.
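Windows has a built-in counterpart to this CAEP rule: AppLocker path rules, which can deny execution from the per-user Temp and Downloads folders while leaving Program Files and the Windows directory allowed. The following is an added example, not part of the article and not CAEP's own mechanism; it builds such a policy, dry-runs it against sample files created for the test, and shows how it would be enforced. Rule names and the sample files are assumptions, and AppLocker requires an edition of Windows that includes it (Windows 7 Enterprise/Ultimate, or Enterprise editions of later releases).

```powershell
# Added example (not from the article, not CAEP code): deny execution from Temp and
# Downloads with AppLocker path rules, and test the policy before enforcing it.

function New-PathRule {
    param([string]$Name, [string]$Action, [string]$Path, [string]$Sid = 'S-1-1-0')
    # S-1-1-0 is Everyone; S-1-5-32-544 is BUILTIN\Administrators.
@"
    <FilePathRule Id="{$([guid]::NewGuid())}" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# As soon as the Exe collection contains any rule, AppLocker blocks everything it does
# not explicitly allow, so the Allow rules are not optional. An explicit Deny always
# beats an Allow, which is what keeps Downloads blocked even for administrators.
$rules = @(
    New-PathRule 'Allow Program Files'     'Allow' '%PROGRAMFILES%\*'
    New-PathRule 'Allow Windows directory' 'Allow' '%WINDIR%\*'
    New-PathRule 'Allow admins elsewhere'  'Allow' '*' 'S-1-5-32-544'
    New-PathRule 'Deny per-user Temp'      'Deny'  '%OSDRIVE%\Users\*\AppData\Local\Temp\*'
    New-PathRule 'Deny Downloads'          'Deny'  '%OSDRIVE%\Users\*\Downloads\*'
) -join "`n"

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'deny-downloads.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding Unicode

# Constructed test files: Test-AppLockerPolicy evaluates real files, so create empty
# ones in the locations the rules are meant to cover.
$samples = @(
    (New-Item -ItemType File -Force -Path (Join-Path $env:USERPROFILE 'Downloads\applocker-test.exe')).FullName
    (New-Item -ItemType File -Force -Path (Join-Path $env:TEMP 'applocker-test.exe')).FullName
    (Join-Path $env:WINDIR 'notepad.exe')
)

# Dry run: the first two should be Denied, notepad.exe Allowed. Nothing is enforced yet.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# To enforce locally (administrator required). AppLocker is a no-op unless the
# Application Identity service is running; on Windows 10 the startup type must be
# changed with sc.exe because the service is protected.
# sc.exe config appidsvc start= auto
# Start-Service AppIDSvc
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Unlike CAEP's prompt, AppLocker does not ask; it silently blocks and writes an event to the AppLocker/EXE and DLL log, so run with EnforcementMode="AuditOnly" first on a machine with the real software installed, then review those events before switching to Enabled.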

The Connection Monitor module checks all incoming and outgoing connections against built-in and custom filters to decide which connections are allowed and which are not. The Memory Monitor module protects application memory from well-known exploit techniques, whose signs include a sharp change in the memory allocated to an application, an unexpected change to the Data Execution Prevention (DEP) state of a process, heap clearing, and so on. Another module, COM/ActiveX Monitor, finds the ActiveX components used by particular applications and lets you put them on white or black lists.

The CAEP package is largely aimed at technically savvy users. Of course, you can simply run the program without going into the technical details, but to get the most out of it, knowledge of the low-level workings of Windows is very useful. Another limitation of CAEP is that only 32-bit processes are currently supported, although the utility itself runs on both 32-bit and 64-bit versions of Windows; in practice this means 64-bit applications, including 64-bit browsers and Office builds, receive no protection from it.

It is also worth mentioning that CAEP often asks for launch confirmation for add-ons, not just for the main programs. So when you start the Outlook 2010 client with add-ons, you have to confirm the launch of both the main package and each of its add-ons, which can be somewhat tedious. In general, some caution is needed when using CAEP, since the program can interfere with perfectly trustworthy components, including system updates, so you must make sure you have a reliable backup of your system.

If you can live with the problems above, the Crystal Anti-Exploit Protection utility is an extremely interesting and powerful intrusion-prevention tool with which you can add a further layer of protection to any PC. The package also comes with a detailed guide, with which an advanced user can fully tune the program to their requirements, for example to turn off unnecessary warnings. Read more about the product and