Steve to Rebirth
Re: Buffer Overflow blocked by AV, what should I do?

said by Rebirth:

If you run Procmon from Sysinternals, you'll be amazed at just how many BO's you'll see, from all sorts of legit apps & processes, etc. "Apparently" it's quite normal, from what I've read!

Those aren't buffer overflows, those are just unfortunately-named Windows error codes.

ERROR_BUFFER_OVERFLOW is an error code returned by a number of API calls when the buffer provided by the user - which includes the size - is not sufficient for the API function to put the result there.

you: Hey Windows, here is a buffer of 100 bytes, stick the answer here
Win: Sorry, 100 bytes is too small, you need 150 bytes.

That is an ERROR_BUFFER_OVERFLOW error, and it means the application has to allocate a bit more memory and try again. This is a common exchange, and no actual overflow of anything has occurred.

You can't really see a real-deal buffer overflow with Process Monitor.

norwegian to Steve
said by Steve:

ERROR_BUFFER_OVERFLOW is an error code returned by a number of API calls when the buffer provided by the user - which includes the size - is not sufficient for the API function to put the result there.

you: Hey Windows, here is a buffer of 100 bytes, stick the answer here
Win: Sorry, 100 bytes is too small, you need 150 bytes.

That is an ERROR_BUFFER_OVERFLOW error, and it means the application has to allocate a bit more memory and try again. This is a common exchange, and no actual overflow of anything has occurred.

You can't really see a real-deal buffer overflow with Process Monitor.

Thanks also for that. I read somewhere, back when Mark ran Sysinternals before Microsoft, that they were to be ignored, but never really understood fully why.
dave to Steve
To expand on what Steve said: it is a common design pattern that, in order to find out how much space something needs, the program attempts to read it into a buffer of some size (often zero length), and gets told "your buffer is not big enough, needs to be at least N bytes". That is, it's not a programming error, it's the way it is supposed to work.

So "BUFFER_OVERFLOW" in this case means that the available data would overflow the provided buffer.

This is an example of program use that prevents actual buffer overflow. The buffer overflows this thread is concerned about are those that just go ahead and write 150 bytes "into" a 100-byte buffer.
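The two-call exchange Steve and dave describe, shown as an added example that is not from this thread and not a real Windows API: `hypothetical_get_value` is a constructed stand-in that honours the Win32 buffer-size contract (refuse and report the requirement instead of writing past the end), `required_size_probe` is the zero-length probe dave mentions, and `fetch_with_retry` is the caller that grows its buffer on ERROR_BUFFER_OVERFLOW. The error-code value 111 is the one winerror.h uses; the 150-byte "answer" and all function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values as defined in winerror.h, redeclared here so the example builds
 * without the Windows SDK. */
#define ERROR_SUCCESS         0
#define ERROR_BUFFER_OVERFLOW 111

#define ANSWER_LEN   150   /* constructed: the "answer" is 150 bytes of text */
#define MAX_ATTEMPTS 8     /* guard against an API whose requirement never settles */

/* hypothetical_get_value: stand-in for a Win32-style API (not a real one).
 * On entry *size is the capacity of buf in bytes; on return it holds the
 * number of bytes required. If the buffer is too small nothing is written
 * and ERROR_BUFFER_OVERFLOW is returned: the data WOULD overflow the buffer,
 * so the function refuses rather than writing past the end. */
int hypothetical_get_value(char *buf, size_t *size)
{
    size_t needed = ANSWER_LEN + 1;          /* +1 for the terminating NUL */
    if (buf == NULL || *size < needed) {
        *size = needed;                      /* "you need 151 bytes" */
        return ERROR_BUFFER_OVERFLOW;
    }
    for (size_t i = 0; i < ANSWER_LEN; i++)
        buf[i] = (char)('a' + (i % 26));     /* constructed sample payload */
    buf[ANSWER_LEN] = '\0';
    *size = needed;
    return ERROR_SUCCESS;
}

/* required_size_probe: the zero-length probe. Returns the size the API
 * reports as required without allocating anything. */
size_t required_size_probe(void)
{
    size_t size = 0;
    hypothetical_get_value(NULL, &size);
    return size;
}

/* fetch_with_retry: caller side of the exchange. Starts with a 100-byte
 * buffer, reallocates to the reported requirement on ERROR_BUFFER_OVERFLOW
 * and retries. Returns the number of API calls made, or -1 on failure;
 * *out receives a malloc'd buffer the caller must free. */
int fetch_with_retry(char **out, size_t *final_size)
{
    size_t size = 100;
    char *buf = malloc(size);
    int calls = 0;
    if (buf == NULL) return -1;

    while (calls < MAX_ATTEMPTS) {
        int rc = hypothetical_get_value(buf, &size);
        calls++;
        if (rc == ERROR_SUCCESS) {
            *out = buf;
            *final_size = size;
            return calls;
        }
        if (rc != ERROR_BUFFER_OVERFLOW) break;  /* some other error: give up */
        char *bigger = realloc(buf, size);       /* size now holds the requirement */
        if (bigger == NULL) break;
        buf = bigger;
    }
    free(buf);
    return -1;
}

/* fetch_and_verify: runs the exchange and checks that the full 150-character
 * string arrived. Returns the call count (2 for this data) or -1 on mismatch. */
int fetch_and_verify(void)
{
    char *data = NULL;
    size_t size = 0;
    int calls = fetch_with_retry(&data, &size);
    if (calls < 0) return -1;
    int ok = (size == ANSWER_LEN + 1) && (strlen(data) == ANSWER_LEN);
    free(data);
    return ok ? calls : -1;
}

int main(void)
{
    printf("probe says %zu bytes are required\n", required_size_probe());
    printf("fetch succeeded after %d call(s)\n", fetch_and_verify());
    return 0;
}
```

The first call with the 100-byte buffer returns ERROR_BUFFER_OVERFLOW and the requirement of 151 bytes; the second call succeeds. The attempt cap is the one defensive addition a caller should keep: a loop that trusts the reported size unconditionally can spin if the requirement changes between calls.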
scottp99
All I wish to know is: when McAfee AV pops up a message that a Buffer Overflow has been blocked, what should I do? I just want to compare it with the actions for a worm, trojan or virus, and this is the way I usually do it:

* Disconnect the LAN cable
* Try cleaning or deleting the infected file with AV
* If that cleaning or deleting fails, then reformat the drive, or restore the OS image.

But I want to know if this can be done with a Buffer Overflow infection. But even though the AV has blocked it, is there any way to find out if it survived the restore of my OS image?

That's all I want to know at this point.

Can a Buffer Overflow survive a clean restore of an OS image or am I safe since McAfee has blocked it?

I don't know, but this may be a "bug" in McAfee (the latest version), because I never had this from the older versions before.

Thanks.

NetFixer
said by scottp99:

All I want to wish to know, is that when McAfee AV pops up a message that a Buffer Overflow has been blocked, then what should I do?

I have not used a McAfee product in years, but in general when a security application tells me that it has detected something and that it "has been blocked", I assume that it indeed "has been blocked" (unless I see some indications that say otherwise).

Do you worry about your firewall reporting that unwanted incoming traffic "has been blocked", or are you just happy that it "has been blocked"?

norwegian to scottp99
said by scottp99:

Can a Buffer Overflow survive a clean restore of an OS image or am I safe since McAfee has blocked it?

If the image is from before the detection, no, it will not have any effect on the image you restore from.

You could discuss if it has affected the MBR records, and whether the image you have includes MBR records or just the partition image, but as mentioned - it was blocked. Either as a real detection or a false positive. As IE and ntdll were mentioned, I'd be more worried about a false positive and file corruption before your concerns of the detection of malware. It can be just as dangerous to system integrity.