Raynor

Posts posted by Raynor


  1. First of all, thank you for your reply.

     

    In the case of Firefox, the firewall wouldn't be able to help, since Firefox needs to be able to get out to the Internet to load webpages, and any exploit it would attempt to load and run would do so as if it were a normal webpage (it's all loaded over HTTP/HTTPS).

     

    Yes, I'm aware of that - I'm only talking about setting the Behaviour Blocker to "Custom".

     

     

    As for the exploit itself, EIS isn't going to detect it, beyond perhaps the File Guard detecting a malicious HTML/JavaScript/etc. being saved in a browser/Flash/Java cache somewhere. What EIS will do is block whatever the exploit saves on your computer and executes, thus stopping the infection. The point of an exploit is to get a malicious executable (usually called a "dropper") to run on your computer, and then this "dropper" will install the infection, so we focus on stopping the dropper since it's what's actually dangerous.

    Setting Firefox to be monitored won't change any of this, and could potentially lead to strange problems with Firefox.

     

     

    What I've been thinking is: "Is it not theoretically possible to cause a legitimate process/app, e.g. Firefox, to misbehave by exploiting, well, an exploit?"

    In other words, is it not (at least theoretically) feasible that an exploit could be used to make a normal program misbehave by making it execute arbitrary code?

     

    But thinking about it further ... yes, after all, for an infection to happen, at some point some executable needs to be dropped somewhere ...

     

    But couldn't perhaps Firefox itself be "abused" to act as the dropper? This would then be tolerated without any alerts being shown, wouldn't it (because Firefox is trusted and set to "Allow all" in the Behaviour Blocker)?

     

    I'm talking about protecting against that specific vector.

     

    ... I'm still a bit confused :unsure::wacko: ... but maybe I'm overthinking the whole issue. :D


  2. Now here's a thing which I've been wondering about for quite some time now :wacko::

     

    Usually, the behaviour blocker automatically creates "All allowed" application rules when encountering digitally signed and thus trusted apps.

     

    I've been wondering if it might be safer to manually set the behaviour blocker to "custom monitoring", at least for internet-facing, potentially exploitable apps.

     

     

    My reasoning:

     

    Let's say there is a critical vulnerability in a trusted program (e.g. Firefox) that can lead to arbitrary code execution / injection. If this vulnerability were exploited, the program would be able to do some nasty stuff to the system.

     

    Wouldn't this unexpected and malicious behaviour then be automatically tolerated by the behaviour blocker because the program itself is trusted and thus has been set to "All Allowed"?

     

     

    Thanks for any insights,

    Raynor
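The two posts above turn on one point from the staff reply: the exploited browser stays trusted, but whatever it writes to disk and executes is judged on its own. Below is an added example (not code from this thread and not Emsisoft's product logic) of how that judgement looks as a detection rule over process-creation telemetry. It assumes Sysmon-style events with parent image, image and command line, a constructed list of such events, and an allow-list of expected browser helper processes that is itself an assumption, not a vendor-maintained list.

```python
"""Flag a trusted browser spawning a child process it should not.

Added example, not Emsisoft code. The browser (parent) may be signed and
"Allow all", but the rule looks at what it starts: an executable dropped in
a user-writable directory, or an unexpected system tool such as cmd.exe.
"""
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Internet-facing, signed programs that typically get an "Allow all" rule.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}

# Children a browser legitimately spawns. Assumption: common helper process
# names; a real rule set would be maintained per product version.
EXPECTED_CHILDREN = {
    "firefox.exe": {"firefox.exe", "plugin-container.exe", "updater.exe", "crashreporter.exe"},
    "chrome.exe": {"chrome.exe", "software_reporter_tool.exe"},
    "iexplore.exe": {"iexplore.exe", "ieinstal.exe"},
}

# Path fragments a browser or exploit payload can write to without elevation.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcessEvent:
    """One Sysmon-style process-creation event (Event ID 1), constructed."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    event: ProcessEvent


def _name(path: str) -> str:
    # ntpath handles Windows separators even when run on Linux
    return ntpath.basename(path).lower()


def evaluate(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert if a trusted browser started something unexpected."""
    parent = _name(event.parent_image)
    if parent not in BROWSERS:
        return None  # only browser-parented processes are in scope here
    child = _name(event.image)
    if child in EXPECTED_CHILDREN.get(parent, set()):
        return None  # a helper the browser starts in normal operation
    image_lower = event.image.lower()
    if any(marker in image_lower for marker in USER_WRITABLE_MARKERS):
        # The exploit-to-dropper chain: the browser writes an .exe where it
        # can and runs it. The parent's trust does not transfer to the child.
        return Alert("high", f"{parent} started a new executable from a user-writable path", event)
    # Unexpected child from a system or program directory (cmd, powershell, ...)
    return Alert("medium", f"{parent} started an unexpected child process", event)


def run_detection(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r"C:\Program Files\Mozilla Firefox\plugin-container.exe",
                 "plugin-container.exe --channel=1234"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 "firefox.exe"),
    ProcessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r"C:\Users\raynor\AppData\Local\Temp\setup_8a1.exe",
                 "setup_8a1.exe /silent"),
    ProcessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami > %TEMP%\\out.txt"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason}: {alert.event.image}")
```

Only the third and fourth constructed events produce alerts: the dropped executable in the user's Temp directory is rated high, the unexpected cmd.exe child medium, and the browser's own helper process and the browser being launched by Explorer pass through. Setting the parent to "custom monitoring" is not what makes this work; the child is inspected regardless of how the parent is rated.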
     


  3. When Beta Updates are turned on, stable updates will still be installed if they are newer than the latest beta version. Once the fix is included in a stable version you can simply disable Beta Updates if you don't want to continue to receive them, and no further action should be required.

     

    Thank you for clarifying that.

     

    This could be your Internet Service Provider's IP address. You may want to check this list and see if you can find some information about the specific IP address you saw.

     

    Thanks for your reply. After doing a bit more research, I have come to the conclusion that this is indeed an auto-assigned link-local IP address (for those interested: https://en.wikipedia.org/wiki/Link-local_address). It is not assigned at every Windows startup (i.e. it often is not listed in the firewall's private network IP settings), so I figure that it only gets assigned whenever something goes wrong with the DHCP :P


  4. If using the beta, will it require an uninstall when it is out of beta, or will the update correct from beta to non-beta?

     

    I have the same question :)

    Right now, I have the beta installed, and everything seems to be running very smoothly. Good job Emsisoft developers!

     

    On a side note: while browsing through all the firewall submenus to ensure that everything looks and behaves as it should, I noted that a 169.245.X.X IP address gets added to my private network (in addition to the expected 192.168.X.X address). Is this safe? A quick Google search seems to indicate that this is a "link local" IP address that can somehow be assigned during (or before) the DHCP autoconfiguration process.

     

    So is my assumption correct that this is no bug or reason for concern and that this IP is indeed a "harmless" part of my local network?

     

    Thanks in advance!

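For the link-local question raised in this post and answered in the one above it, here is an added example (not from the thread and not Emsisoft code) that classifies the addresses a host firewall lists for the local network and distinguishes "DHCP failed, only an APIPA address" from "a usable lease plus a leftover APIPA entry". It uses only the standard library; the address list is constructed. It also shows the caveat a practitioner would check first: only 169.254.0.0/16 (RFC 3927) is link-local, so an address starting 169.245 would classify as a public address, not a self-assigned one.

```python
"""Classify local-network addresses and spot APIPA (RFC 3927) self-assignment.

Added example, not Emsisoft code. Windows assigns a 169.254.x.x address to an
adapter when no DHCP server answers; such an address only reaches other hosts
on the same link and is not routable, so it is harmless but signals a DHCP
problem at the time it was assigned.
"""
import ipaddress
from typing import Dict, Iterable

# RFC 3927 link-local range, self-assigned by the host when DHCP fails.
APIPA = ipaddress.ip_network("169.254.0.0/16")

# RFC 1918 private ranges, checked explicitly because Python's is_private
# also covers documentation and reserved blocks that are not RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Return a short label for one IPv4 (or IPv6) address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if ip in APIPA:
        return "link-local (APIPA)"
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if any(ip in net for net in RFC1918):
        return "private (RFC 1918)"
    if ip.is_global:
        return "public"
    return "reserved/other"


def report(addresses: Iterable[str]) -> Dict[str, str]:
    """Map each listed address to its classification."""
    return {a: classify(a) for a in addresses}


def adapter_status(addresses: Iterable[str]) -> str:
    """Judge one adapter from the set of addresses it carries.

    'dhcp-failed'  : only an APIPA address, the host never got a lease.
    'ok (stale APIPA entry also listed)' : a usable address is present but an
                     APIPA entry from an earlier failed attempt is still listed.
    """
    kinds = set(report(addresses).values())
    usable = {"private (RFC 1918)", "public"} & kinds
    if usable and "link-local (APIPA)" in kinds:
        return "ok (stale APIPA entry also listed)"
    if usable:
        return "ok"
    if "link-local (APIPA)" in kinds:
        return "dhcp-failed"
    return "no-address"


# Constructed example of what a firewall's "private network" list might show.
FIREWALL_PRIVATE_NETWORK = ["192.168.1.23", "169.254.17.88"]

if __name__ == "__main__":
    for addr, kind in report(FIREWALL_PRIVATE_NETWORK).items():
        print(f"{addr:16} {kind}")
    print("adapter:", adapter_status(FIREWALL_PRIVATE_NETWORK))
    print("169.245.1.1 is", classify("169.245.1.1"))
```

Run against the constructed list, the 192.168 address is classed as RFC 1918 private, the 169.254 one as APIPA, and the adapter as usable with a stale APIPA entry; an adapter carrying only a 169.254 address reports "dhcp-failed". The last line makes the typo check explicit: 169.245.1.1 is a public address, so a firewall entry in that range would deserve a closer look rather than the "harmless link-local" explanation.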