
Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA

reply to Rebirth

Re: Buffer Overflow blocked by AV, what should I do?

said by Rebirth:

If you run Procmon from Sysinternals, you'll be amazed at just how many BO's you'll see, from ALL sorts of legit Apps & Processes. etc. "Apparently" is quite normal, from what I've read!

Those aren't buffer overflows, those are just unfortunately-named Windows error codes.

ERROR_BUFFER_OVERFLOW is an error code returned by a number of API calls when the buffer provided by the user - which includes the size - is not sufficient for the API function to put the result there.

you: Hey Windows, here is a buffer of 100 bytes, stick the answer here
Win: Sorry, 100 bytes is too small, you need 150 bytes.

That is an ERROR_BUFFER_OVERFLOW error, and it means the application has to allocate a bit more memory and try again. This is a common exchange, and no actual overflow of anything has occurred.

You can't really see a real-deal buffer overflow with Process Monitor.


norwegian
Premium
join:2005-02-15
Outback
said by Steve:

ERROR_BUFFER_OVERFLOW is an error code returned by a number of API calls when the buffer provided by the user - which includes the size - is not sufficient for the API function to put the result there.

you: Hey Windows, here is a buffer of 100 bytes, stick the answer here
Win: Sorry, 100 bytes is too small, you need 150 bytes.

That is an ERROR_BUFFER_OVERFLOW error, and it means the application has to allocate a bit more memory and try again. This is a common exchange, and no actual overflow of anything has occurred.

You can't really see a real-deal buffer overflow with Process Monitor.

Thanks also for that, I read somewhere back when Mark ran Sysinternals before Microsoft that they were to be ignored but never really understood fully why.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


dave
Premium,MVM
join:2000-05-04
not in ohio
reply to Steve
To expand on what Steve said: it is a common design pattern that, in order to find out how much space something needs, the program attempts to read it into a buffer of some size (often zero length), and gets told "your buffer is not big enough, needs to be at least N bytes". That is, it's not a programming error, it's the way it is supposed to work.

So "BUFFER_OVERFLOW" in this case means that the available data would overflow the provided buffer.

This is an example of program use that prevents actual buffer overflow. The buffer overflows this thread is concerned about are those that just go ahead and write 150 bytes "into" a 100-byte buffer.
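The exchange Steve describes and the query-size-then-retry pattern dave describes, as an added example written for this thread (not code from the thread or from Windows): get_answer() is a hypothetical stand-alone function in the style of those Win32 calls, the error value is the one from winerror.h, and fetch_answer() is the well-behaved caller that grows its buffer instead of writing past the end.

```c
/* Added example (not from the thread): a stand-alone imitation of the Win32
 * "tell me how big a buffer you need" pattern. get_answer() is hypothetical,
 * not a real Windows API; the error value matches winerror.h. */
#include <stdlib.h>
#include <string.h>

#define ERROR_SUCCESS         0UL
#define ERROR_BUFFER_OVERFLOW 111UL   /* winerror.h value */
#define ANSWER_SIZE           150     /* the "you need 150 bytes" from the thread */

/* Caller passes a buffer and, in *size, how big it is. If that is too small,
 * nothing is written and *size is set to the required length: no overflow. */
unsigned long get_answer(char *buf, size_t *size)
{
    if (buf == NULL || *size < ANSWER_SIZE) {
        *size = ANSWER_SIZE;
        return ERROR_BUFFER_OVERFLOW;
    }
    memset(buf, 'x', ANSWER_SIZE - 1);   /* constructed 149-char "answer" */
    buf[ANSWER_SIZE - 1] = '\0';
    *size = ANSWER_SIZE;
    return ERROR_SUCCESS;
}

/* The well-behaved caller: start with 100 bytes, grow to the size the API
 * reports, retry. Returns the answer (caller frees) and how many calls it took. */
char *fetch_answer(size_t *out_len, int *calls)
{
    size_t size = 100;
    char *buf = malloc(size);
    *calls = 0;
    while (buf != NULL) {
        (*calls)++;
        unsigned long rc = get_answer(buf, &size);
        if (rc == ERROR_SUCCESS) {
            *out_len = size;
            return buf;
        }
        if (rc != ERROR_BUFFER_OVERFLOW)
            break;                           /* some other failure: give up */
        char *bigger = realloc(buf, size);   /* size now holds the needed length */
        if (bigger == NULL)
            break;
        buf = bigger;
    }
    free(buf);
    return NULL;
}
```

The first call with the 100-byte buffer comes back with ERROR_BUFFER_OVERFLOW and size set to 150, nothing having been written; the second call succeeds, which is the "common exchange" the thread describes.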

scottp99

join:2010-12-11
All I want to wish to know, is that when McAfee AV pops up a message that a Buffer Overflow has been blocked, then what should I do? I just want to compare the actions of a worm, trojan or virus and this is the way I usually do it:

* Disconnect the LAN cable
* Try cleaning or deleting the infected file with AV
* If that cleaning or deleting fails, then reformat the drive, or restore the OS image.

But I want to know if this can be done with a Buffer Overflow infection. But even though the AV has blocked it, is there any way to find out if it survived the restore of my OS image?

That's all I want to know at this point.

Can a Buffer Overflow survive a clean restore of an OS image or am I safe since McAfee has blocked it?

I don't know, but this may be a "bug" in McAfee (the latest version), because I never had this from the older versions before.

Thanks.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
said by scottp99:

All I want to wish to know, is that when McAfee AV pops up a message that a Buffer Overflow has been blocked, then what should I do?

I have not used a McAfee product in years, but in general when a security application tells me that it has detected something and that it "has been blocked", I assume that it indeed "has been blocked" (unless I see some indications that say otherwise).

Do you worry about your firewall reporting that unwanted incoming traffic "has been blocked", or are you just happy that it "has been blocked"?
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


norwegian
Premium
join:2005-02-15
Outback
reply to scottp99
said by scottp99:

Can a Buffer Overflow survive a clean restore of an OS image or am I safe since McAfee has blocked it?

If the image is from before the detection, no, it will not have any effect on the image you restore from.

You could discuss if it has affected the MBR records, and whether the image you have includes MBR records or just the partition image, but as mentioned - it was blocked. Either as a real detection or a false positive. As IE and ntdll were mentioned, I'd be more worried about a false positive and file corruption before your concerns of the detection of malware. It can be just as dangerous to system integrity.