Security Software Usage Of Mitigation Techniques With Slopfinder

I recently read a post that used static analysis of executable files to see which applications were using DEP/ASLR and to what extent. This inspired me to perform the same analysis with the same tool, but on security software.

Antivirus software runs with very high privileges on a system, and it deals directly with malicious, attacker-controlled code. Ensuring that modern mitigation techniques are enabled is essential when designing security software, as your code is inherently exposed to an attacker. In other words, the code here should be held to the highest standard.

Analysis was performed in a Windows 8 64-bit VM using Slopfinder in Chrome Stable. Slopfinder is a tool that performs static analysis on executable files to check their security flags, i.e. whether or not they make use of DEP / ASLR.

Using Slopfinder is as simple as dragging and dropping a folder full of executables and then looking through the results, which is what I’ve done here.

Default installations – trial software used if available for Pro versions. Some of these programs install “web guards” that are actually glorified Ask Toolbars or some other BS toolbar; these are included in the results, since they’re part of the ‘security’ package and they’re entirely relevant.

If I don’t specify DEP/ASLR it means both are disabled. This is the case for the majority, which I’m assuming has to do with ‘permanent’ DEP, as I’d be very surprised if DEP were really disabled so frequently – but who knows! UPDATE: Here is an explanation for the DEP.

Keep in mind that just because some files don’t support ASLR or DEP doesn’t mean you’re vulnerable. Some of these files won’t ever interact with ‘attacker code’ – there’s little reason for program uninstallers to support ASLR, for example, and the same goes for installers.

If anyone has more information to add (for example if one of these offending DLLs is particularly critical, like if it’s loaded into the browser) I’ll happily add it in.
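As an added example (not Slopfinder’s own code, which runs in the browser), here is the same check in Python: it reads the IMAGE_DLLCHARACTERISTICS bits of the PE optional header, DYNAMIC_BASE for ASLR and NX_COMPAT for DEP, and folds in the DEP caveat raised in the comments, namely that DEP is a process-wide policy chosen by the EXE (and always on for 64-bit processes), so a clear NX_COMPAT bit on a DLL or 64-bit image is not a finding. The header-only stub builder and the extension list in `scan_dir` are constructed for this example; `.bpl` is included because the results list Borland package libraries, which are ordinary PE DLLs.

```python
import os
import struct

# IMAGE_DLLCHARACTERISTICS_* bits and COFF flags from the PE/COFF spec
DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100   # ASLR and DEP opt-in bits
IMAGE_FILE_DLL = 0x2000                     # COFF Characteristics: image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def pe_mitigations(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<HHIIIHH", data, coff)[6]
    opt = coff + 20                                         # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    return {"64bit": magic == PE32PLUS_MAGIC,
            "dll": bool(characteristics & IMAGE_FILE_DLL),
            "aslr": bool(dllchar & DYNAMIC_BASE),
            "dep": bool(dllchar & NX_COMPAT)}

def classify(info: dict) -> str:
    """Summarise in the post's terms. DEP is a process-wide policy chosen by the EXE (and
    always on for 64-bit processes), so a clear NX_COMPAT bit on a DLL or 64-bit image is n/a."""
    aslr = "ASLR" if info["aslr"] else "NO ASLR"
    if info["dll"] or info["64bit"]:
        return aslr + ", DEP n/a"
    return aslr + (", DEP" if info["dep"] else ", NO DEP")

def build_stub_pe(magic: int, dllchar: int, characteristics: int = 0x0002) -> bytes:
    """Constructed header-only PE (not loadable), used to exercise the parser offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, characteristics)
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dllchar) + b"\0" * 24
    return dos + b"PE\0\0" + coff + opt

def scan_dir(root: str) -> dict:
    """Slopfinder-style folder sweep: path -> summary for each PE file under root."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".exe", ".dll", ".sys", ".bpl")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    results[path] = classify(pe_mitigations(f.read()))
    return results
```

A non-PE file with one of those extensions makes `scan_dir` raise `ValueError`; catch it around the `classify` call if the sweep should keep going.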

Microsoft Security Essentials/ Windows Defender

I found no executable files not compiled with DEP/ASLR.

Avast! Pro Trial (25)

/Avast/aswRegSvr.exe

/Avast/aswRegSvr64.exe

/Avast/aswRunDll.exe

/Avast/defs/12103100/Sf.bin

/Avast/Setup/INF/aswFw2k.sys

/Avast/Setup/INF/aswKbs.sys

/Avast/Setup/INF/aswMon.sys

/Avast/Setup/INF/aswMon2.sys

/Avast/Setup/INF/aswMonFlt.sys

/Avast/Setup/INF/aswNdis.sys

/Avast/Setup/INF/aswFsBlk.sys

/Avast/Setup/INF/aswNdis2k.sys

/Avast/Setup/INF/aswRdr.sys

/Avast/Setup/INF/aswSnx.sys

/Avast/Setup/INF/aswSP.sys

/Avast/Setup/INF/aswTdi.sys

/Avast/Setup/INF/Aavmker4.sys

/Avast/Setup/INF/aswFw.sys

/Avast/Setup/INF/aswNdis2.sys

/Avast/Setup/INF/x64/aswNdis.sys

/Avast/Setup/INF/x64/Aavmker4.sys

/Avast/Setup/INF/x64/aswFsBlk.sys

/Avast/Setup/INF/x64/aswFW.sys

/Avast/Setup/INF/x64/aswKbs.sys

/Avast/Setup/INF/x64/aswMon2.sys

/Avast/Setup/INF/x64/aswMonFlt.sys

/Avast/Setup/INF/x64/aswNdis2.sys

/Avast/Setup/INF/x64/aswRdr.sys

/Avast/Setup/INF/x64/aswsnx.sys

/Avast/Setup/INF/x64/aswSP.sys

/Avast/Setup/INF/x64/aswTdi.sys

/Avast/Setup/INF/x64/aswnet.sys

/Avast/Setup/INF/x64/aswRdr2.sys

/Avast/sfzone/wow_helper.exe

Avira Premium Trial + Toolbar (41)

/Ask.com/CallingIDSDK/CIDCoreLight.dll

/Ask.com/CallingIDSDK/CIDGlobalLight.exe

/Ask.com/CallingIDSDK/CIDGlobalLightPS.dll

/Ask.com/CallingIDSDK/CIDWPADLight.exe

/Ask.com/CallingIDSDK/CIDWPADLightPS.dll

/AntiVir Desktop/aecore.dll

/AntiVir Desktop/aeemu.dll

/AntiVir Desktop/aeexp.dll

/AntiVir Desktop/aegen.dll

/AntiVir Desktop/aehelp.dll

/AntiVir Desktop/aeheur.dll

/AntiVir Desktop/aeoffice.dll

/AntiVir Desktop/aepack.dll

/AntiVir Desktop/aerdl.dll

/AntiVir Desktop/aesbx.dll

/AntiVir Desktop/aescn.dll

/AntiVir Desktop/aescript.dll

/AntiVir Desktop/aevdf.dll

/AntiVir Desktop/avacl.dll

/AntiVir Desktop/avevtrc.dll

/AntiVir Desktop/aebb.dll

/AntiVir Desktop/libapr-1.dll

/AntiVir Desktop/libapriconv-1.dll

/AntiVir Desktop/libaprutil-1.dll

/AntiVir Desktop/libdb44.dll

/AntiVir Desktop/rchelp.dll

/AntiVir Desktop/unacev2.dll

/AntiVir Desktop/FAILSAFE/aebb.dll

/AntiVir Desktop/FAILSAFE/aeemu.dll

/AntiVir Desktop/FAILSAFE/aeexp.dll

/AntiVir Desktop/FAILSAFE/aegen.dll

/AntiVir Desktop/FAILSAFE/aehelp.dll

/AntiVir Desktop/FAILSAFE/aeheur.dll

/AntiVir Desktop/FAILSAFE/aeoffice.dll

/AntiVir Desktop/FAILSAFE/aepack.dll

/AntiVir Desktop/FAILSAFE/aerdl.dll

/AntiVir Desktop/FAILSAFE/aesbx.dll

/AntiVir Desktop/FAILSAFE/aescn.dll

/AntiVir Desktop/FAILSAFE/aescript.dll

/AntiVir Desktop/FAILSAFE/aevdf.dll

/AntiVir Desktop/FAILSAFE/aecore.dll

AVG Internet Security Pro (27)

/AVG Secure Search/13.3.0.17/AVG Secure Search_toolbar.dll (Browser component, it would seem)

/AVG2013/HtmLayout.dll (Also possible browser component)

/AVG2013/Drivers/avgboota.sys

/AVG2013/Drivers/avgbootx.sys

/AVG2013/Drivers/avgfwd6a.sys

/AVG2013/Drivers/avgfwd6x.sys

/AVG2013/Drivers/avgidsdrivera.sys

/AVG2013/Drivers/avgidsdriverx.sys

/AVG2013/Drivers/avgidsha.sys

/AVG2013/Drivers/avgidshx.sys

/AVG2013/Drivers/avgidsuniversaldda.sys

/AVG2013/Drivers/avgldx64.sys

/AVG2013/Drivers/avgldx86.sys

/AVG2013/Drivers/avgloga.sys

/AVG2013/Drivers/avglogx.sys

/AVG2013/Drivers/avgmfx64.sys

/AVG2013/Drivers/avgmfx86.sys

/AVG2013/Drivers/avgrkx64.sys

/AVG2013/Drivers/avgrkx86.sys

/AVG2013/Drivers/avgwfpa.sys

/AVG2013/Drivers/avgwfpx.sys

/AVG2013/Tuneup/GainDiskSpace.dll

/AVG2013/Tuneup/RegistryCleaner.dll

/AVG2013/Tuneup/ShortcutCleaner.dll

/AVG2013/Tuneup/TUMicroScanner.exe

/AVG2013/Tuneup/TuneUpCore.bpl

McAfee All Access – Total Protection (14)

Note: McAfee became increasingly unstable on my system. I uninstalled it before I could analyze the Chrome extension that it installs.

/McAfee/Gkp/hiphandlers.dll

/McAfee/Temp/qxz2281/CompatibilityTester.exe

/McAfee Online Backup/MOBKbackup.exe

/McAfee Online Backup/MOBKconf.exe

/McAfee Online Backup/MOBKshell.dll

/McAfee Online Backup/MOBKstat.exe

/McAfee Online Backup/backup.dll

/McAfee Online Backup/oem.dll

/McAfee Online Backup/MOBK.sys

/McAfee Online Backup/librs2.dll

/McAfee/MSC/CompatibilityTester.exe

/McAfee/MPF/HipsBkup/hiphandlers.dll

/McAfee/MPF/HipsBkup/hiphandlers32.dll

Norton (17)

/Norton 360/Engine/20.1.0.24/diFVal.dll

/Norton 360/Engine64/20.1.0.24/buShell.dll

/Norton 360/Engine64/20.1.0.24/buVssXP.dll

/Norton 360/Engine64/20.1.0.24/buComm.dll

/Norton 360/Engine/20.1.0.24/x64/DIFxAPI.dll

/Norton 360/Engine64/20.1.0.24/SymIM/symimv.sys

/Norton 360/MUI/20.1.0.24/IMAGES/diFVal.dll

/Norton 360/Branding/20.1.0.24/09/01/diFVal.dll NO ASLR

/Norton 360/Engine/20.1.0.24/x86/x86/GEARAspiWDM.sys

/Norton 360/Engine/20.1.0.24/x64/x64/GEARAspiWDM.sys

/Norton 360/MUI/20.1.0.24/09/01/coActMgr.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/coIDSafe.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/coMCPlug.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/coSfShre.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/coUICtlr.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/diFVal.dll NO ASLR

/2013.1.0.32_0/npcoplgn.dll NO ASLR (browser plugin)

Sophos Antivirus (No Firewall) (F-)

It doesn’t seem that any of the executable files support ASLR. Many do not support DEP either, including quite a few that seem to interact with the web. When your “xmlparser.dll” doesn’t show DEP/ASLR support… yikes. There’s no point listing them all. Sophos gets an F- here.

Panda Cloud AV Pro (42)

/pandasecuritytb/pandasecurityDx.dll (Possibly part of the browser extension)

/pandasecuritytb/pandasecuritytb.dll (Possibly part of the browser extension)

/Toolbar Cleaner/ToolbarCleaner.exe

/pandasecuritytb/uninstall.exe

/Toolbar Cleaner/uninstall.exe

/Panda Security/Panda Cloud Antivirus/cc3290mt.dll

/Panda Security/Panda Cloud Antivirus/bcbie120.bpl

/Panda Security/Panda Cloud Antivirus/MiniCrypto.dll

/Panda Security/Panda Cloud Antivirus/PAV2WSC.exe

/Panda Security/Panda Cloud Antivirus/Pavsddl.dll

/Panda Security/Panda Cloud Antivirus/PSBoot.dll

/Panda Security/Panda Cloud Antivirus/PSBoot.sys

/Panda Security/Panda Cloud Antivirus/pskmad.sys

/Panda Security/Panda Cloud Antivirus/PSUAAlerts.dll

/Panda Security/Panda Cloud Antivirus/PSUNConsole.dll

/Panda Security/Panda Cloud Antivirus/PSUNCtrl.bpl

/Panda Security/Panda Cloud Antivirus/PSUNFwConfig.dll

/Panda Security/Panda Cloud Antivirus/PSUNMsg.dll

/Panda Security/Panda Cloud Antivirus/PSUNPnlConfig.dll

/Panda Security/Panda Cloud Antivirus/PSUNProcMon.dll

/Panda Security/Panda Cloud Antivirus/PSUNReports.dll

/Panda Security/Panda Cloud Antivirus/PSUNScan.dll

/Panda Security/Panda Cloud Antivirus/PSUNSuspects.dll

/Panda Security/Panda Cloud Antivirus/putczip.dll

/Panda Security/Panda Cloud Antivirus/putsig.dll

/Panda Security/Panda Cloud Antivirus/puturar.dll

/Panda Security/Panda Cloud Antivirus/putuzip.dll

/Panda Security/Panda Cloud Antivirus/borlndmm.dll

/Panda Security/Panda Cloud Antivirus/RKPavProc64.sys

/Panda Security/Panda Cloud Antivirus/rtl120.bpl

/Panda Security/Panda Cloud Antivirus/SetupUI.dll

/Panda Security/Panda Cloud Antivirus/bspatch.exe

/Panda Security/Panda Cloud Antivirus/USBVacineDLL.dll

/Panda Security/Panda Cloud Antivirus/vcl120.bpl

/Panda Security/Panda Cloud Antivirus/vclactnband120.bpl

/Panda Security/Panda Cloud Antivirus/vclie120.bpl

/Panda Security/Panda Cloud Antivirus/vclx120.bpl

/Panda Security/Panda Cloud Antivirus/WinSkinc2009.bpl

/Panda Security/Panda Cloud Antivirus/xmlrtl120.bpl

/Panda Security/Panda Cloud Antivirus/DG/MsiZap.Exe

/Panda Security/Panda Cloud Antivirus/DG/PAV2WSC.exe

/Panda Security/Panda Cloud Antivirus/Tools/PandaSecurityTb.exe

Panda left its god damn blekko crapware in my browser.

Comodo CIS (71)

.cav files are definition files; they shouldn’t matter. I realized this partway through and stopped logging them.

/Comodo/Dragon/wow_helper.exe

/Comodo/Dragon/uninstall.exe

/COMODO/COMODO GeekBuddy/uninstall.exe

/COMODO/COMODO Internet Security/cmdagent.exe

/COMODO/COMODO Internet Security/cmdcomps.dll

/COMODO/COMODO Internet Security/cmdhtml.dll

/COMODO/COMODO Internet Security/cmdinstall.exe

/COMODO/COMODO Internet Security/crashrep.exe

/COMODO/COMODO Internet Security/framework.dll

/COMODO/COMODO Internet Security/cfpupdat.exe

/COMODO/COMODO Internet Security/inspect.sys

/COMODO/COMODO Internet Security/msica.dll

/COMODO/COMODO Internet Security/platform.dll

/COMODO/COMODO Internet Security/cfpconfg.exe

/COMODO/COMODO Internet Security/cfp.exe

/COMODO/COMODO Internet Security/cavshell.dll

/COMODO/COMODO Internet Security/signmgr.dll

/COMODO/COMODO Internet Security/cavscan.exe

/COMODO/COMODO Internet Security/7za.dll

/COMODO/COMODO Internet Security/scanners/pe32.cav

/COMODO/COMODO Internet Security/scanners/dosmz.cav

/COMODO/COMODO Internet Security/scanners/dunpack.cav

/COMODO/COMODO Internet Security/scanners/extra.cav

/COMODO/COMODO Internet Security/scanners/gunpack.cav

/COMODO/COMODO Internet Security/scanners/heur.cav

/COMODO/COMODO Internet Security/scanners/mach32.dll

/COMODO/COMODO Internet Security/scanners/mem.cav

/COMODO/COMODO Internet Security/scanners/pe.cav

/COMODO/COMODO Internet Security/scanners/common.cav

/COMODO/COMODO Internet Security/scanners/pkann.dll

/COMODO/COMODO Internet Security/scanners/rkdenum.dll

/COMODO/COMODO Internet Security/scanners/rkdhive.dll

/COMODO/COMODO Internet Security/scanners/rkdntfs.dll

/COMODO/COMODO Internet Security/scanners/script.cav

/COMODO/COMODO Internet Security/scanners/white.cav

/COMODO/COMODO Internet Security/repair/guard32.dll

/COMODO/COMODO Internet Security/repair/7za.dll

/COMODO/COMODO Internet Security/repair/cavscan.exe

/COMODO/COMODO Internet Security/repair/cavshell.dll

/COMODO/COMODO Internet Security/repair/cfp.exe

/COMODO/COMODO Internet Security/repair/cfpconfg.exe

/COMODO/COMODO Internet Security/repair/cfpupdat.exe

/COMODO/COMODO Internet Security/repair/cmdagent.exe

/COMODO/COMODO Internet Security/repair/cmdcomps.dll

/COMODO/COMODO Internet Security/repair/cmderd.sys

/COMODO/COMODO Internet Security/repair/cmdGuard.sys

/COMODO/COMODO Internet Security/repair/cmdhlp.sys

/COMODO/COMODO Internet Security/repair/cmdhtml.dll

/COMODO/COMODO Internet Security/repair/cmdinstall.exe

/COMODO/COMODO Internet Security/repair/common.cav

/COMODO/COMODO Internet Security/repair/crashrep.exe

/COMODO/COMODO Internet Security/repair/default.set

/COMODO/COMODO Internet Security/repair/dosmz.cav

/COMODO/COMODO Internet Security/repair/dunpack.cav

/COMODO/COMODO Internet Security/repair/extra.cav

/COMODO/COMODO Internet Security/repair/framework.dll

/COMODO/COMODO Internet Security/repair/guard64.dll

/COMODO/COMODO Internet Security/repair/gunpack.cav

/COMODO/COMODO Internet Security/repair/heur.cav

/COMODO/COMODO Internet Security/repair/inspect.sys

/COMODO/COMODO Internet Security/repair/mach32.dll

/COMODO/COMODO Internet Security/repair/mem.cav

/COMODO/COMODO Internet Security/repair/msica.dll

/COMODO/COMODO Internet Security/repair/pkann.dll

/COMODO/COMODO Internet Security/repair/platform.dll

/COMODO/COMODO Internet Security/repair/rkdenum.dll

/COMODO/COMODO Internet Security/repair/rkdhive.dll

/COMODO/COMODO Internet Security/repair/rkdntfs.dll

/COMODO/COMODO Internet Security/repair/signmgr.dll

Webroot SecureAnywhere Complete

ASLR/DEP seem to be enabled on all three executable files (including the Chrome extension). I can’t seem to find any others. If anyone has more info, please share.

5 thoughts on “Security Software Usage Of Mitigation Techniques With Slopfinder”

  1. Awesome use of my tool! Nice work. Really liking your blog. Keep up the good work.

    I need to fix up SlopFinder to note that some files (64 bit, .dll’s, and .sys files) do not need DEP. I had to do some research to figure this out (http://0xdabbad00.com/2012/12/07/dep-data-execution-prevention-explanation/). I still need to do some research into ASLR. I probably should also do some sorting and formatting options to make it easier for folks to put together posts like this.

    Also, if you happen to know of some additional _easy_ static analysis checks I can do I’d be interested. It might take me a bit though to really do some cool stuff with it, as I’m focused on the main icebuddha.com project (in browser hex editor) right now.

    • It’s a really easy-to-use tool, thanks for providing it. I’ve actually been planning on looking at AVs but I was going to use Process Explorer to check which loaded files support ASLR, which would have been a massive pain in the ass. It would have turned a few hours into a few days.

      Thanks for the DEP explanation, I had sorta assumed something similar. Great read and I’ll link it up in the first post.

      If I think of any additions I’ll let you know. Perhaps stack cookies / force ASLR? SafeSEH? That would likely cover it.

  2. Interesting post, and a little scary. Makes me glad I usually recommend MSE to Windows novices, though I don’t doubt there’s a catch there too.

    I’d be interested in seeing how the userspace components of popular HIPS/FW software (like Comodo, Outpost, etc.) support DEP and ASLR, and maybe other exploit mitigation techniques. Especially components related to the firewall part, because bugs in those might offer the possibility of *remote* vulnerabilities.

  3. Pingback: AntiVirus As Attack Surface » InsanityBit