ZeroVulnerabilityLabs ExploitShield

[sbwhiteman]

Seth Rosenblatt at CNET is reporting on a new beta product developed by Pedro Bustamante and David Sanchez Lavazo, both (formerly?) of Panda Security, which claims to block all exploits:

http://download.cnet.com/8301-2007_4...ntent=My+Yahoo

[Hungry Man]

Quote:

It blocks 100 percent of the exploits it protects against

So it protects against what it protects 100% of the time. Yeah...

At no point in the article do they indicate how it works except that it isn't a sandbox or antivirus.

So it's very likely something similar to EMET. Nice, but they also claim to prevent Java exploits, which EMET doesn't. And I'm very doubtful that this program would stop Java exploits.

edit: Downloaded it and wrote up a very quick piece. https://insanitybit.wordpress.com/20...exploitshield/

I'll see if I can test it out later.

edit2: It does seem to stop Java exploits but I haven't tested it personally so I can't say exactly how.

[phalanaxus]

I would take any program that claims 100% success with a grain of salt.

Quote:

Originally Posted by Hungry Man

So it protects against what it protects 100% of the time. Yeah...

Hahaha, well said!

[m00nbl00d]

There are Youtube videos of it. Search for them using the keyword ZeroVulnLabs.

[ZeroVulnLabs]

Thanks for testing & reviewing our product.

Yes ExploitShield Browser Edition does protect Java and other components within the browser (Flash, Shockwave, Adobe Reader, etc.).

Of course nothing is 100% as you said. The comment refers to the type of exploits we have tested against, it has blocked 100% of them. That is not to say of course there could be a new exploit tomorrow which it doesn't. But for now everything we've thrown at it has been blocked... 3 different IE 0-days, 3 different Java 0-days, Blackhole Exploit Kit 2.0, Phoenix, Incognito, Sakura, PDF exploits, VLC exploits, Windows Media Player exploits, etc.

EDIT: I am pbust btw but this is a project of mine which is separate from Panda.

[kjdemuth]

Looks interesting. It's still in beta and they're looking for testers. From what the video shows it's very much like EMET except it blocks java exploits. It has a list of shielded programs. Worth taking a look.

[LoneWolf]

Interesting....
The title of the thread brought me back to the day's of Exploit Prevention Labs and Linkscanner/ScoketShield.
Taking this for a spin around the block in ShadowMode.

[kdcdq]

What the heck. I'm gonna try it.....

[Hungry Man]

Quote:

Originally Posted by ZeroVulnLabs

Thanks for testing & reviewing our product.

Yes ExploitShield Browser Edition does protect Java and other components within the browser (Flash, Shockwave, Adobe Reader, etc.).

Of course nothing is 100% as you said. The comment refers to the type of exploits we have tested against, it has blocked 100% of them. That is not to say of course there could be a new exploit tomorrow which it doesn't. But for now everything we've thrown at it has been blocked... 3 different IE 0-days, 3 different Java 0-days, Blackhole Exploit Kit 2.0, Phoenix, Incognito, Sakura, PDF exploits, VLC exploits, Windows Media Player exploits, etc.

EDIT: I am pbust btw but this is a project of mine which is separate from Panda.

You mention it's not a sandbox (or someone did) but it seems like your product denied execution of a payload. It's a bit vague so I can't really tell what's happening yet but that seems sandboxesque to me? Can you provide some details as to how it works?

[CloneRanger]

@ ZeroVulnLabs

Looks interesting so i installed it.

I've discovered that ES has stopped HitManProAlert from running ! No fly out as it hasn't even launched !

Are you, or anyone else able to confirm this ?

Anyway, all the best with it

[ZeroVulnLabs]

Weird, I don't see any block events similar to what you are describing. Can you PM me your exploitshield.log file from within %ProgramFiles%\ZeroVulnerabilityLabs\ExploitShield directory?

[ZeroVulnLabs]

Quote:

Originally Posted by Hungry Man

You mention it's not a sandbox (or someone did) but it seems like your product denied execution of a payload. It's a bit vague so I can't really tell what's happening yet but that seems sandboxesque to me? Can you provide some details as to how it works?

What we can say is posted on our site. I recommend these two pages:
http://www.zerovulnerabilitylabs.com...bs-technology/
http://www.zerovulnerabilitylabs.com...ked-questions/

[Hungry Man]

Great, thank you.

edit: well, it kinda told me more about what it isn't. It's not exactly clear still but I suppose that's alright.

[ZeroVulnLabs]

I hope you understand we cannot tell all the details of how we do it... for many reasons. Bad guys, competitors, etc.

[Hungry Man]

I understand.

[CloneRanger]

@ ZeroVulnLabs

I'll PM the Log in a minute You'll notice i had to install it several times, due to my wanting to see what it was going to install first via ProcessGuard alerts first. Amongst other things, i needed to allow the driver & FF injection. After these were allowed it installed with no errors, that i could see anyway.

I don't see any obvious issues in the Log, but you're the best judge of that

Have you tried it with HMPA ?

I'm using FF v.3.6.14 & don't intend on changing it.

Regards

[ZeroVulnLabs]

Thanks for the log!

I don't see any block events. What exactly happened with HMP? Are you sure it was ExploitShield blocking it or it simply failed to run? Did you see a red+black+white alert popup from ExploitShield?

[CloneRanger]

@ ZeroVulnLabs

I'll log out of here so i can close FF & reload & see what happens. Then log back in again & report what i find.

[ZeroVulnLabs]

For those of you that want to test it against real and live drive-by exploit kits, we do have a section in our forum where we post live exploit URLs. You have to be registered and logged in to view it:
http://www.zerovulnerabilitylabs.com/forum

[CloneRanger]

Quote:

Did you see a red+black+white alert popup from ExploitShield?

NO

I "think" the FF injection by ES is interfering "somehow" with HPMA.

Please note, it's HitManProAlert & not HitManPro

[ZeroVulnLabs]

Installed HMP but didn't see a HMP.Alert anywhere. Where can I download the .Alert program from?

[CloneRanger]

Here ya go http://www.wilderssecurity.com/showthread.php?t=324841

Also i've discovered ES prevents my FF addon SecretAgent from allowing seperate windows to be selectively configured differently. https://www.dephormation.org.uk/index.php?page=81 Some windows i like to use in default mode, others randomized.

[ZeroVulnLabs]

Thanks for the info. We'll check both of these and get back to you.

[Thankful]

When I stop protection, the color of the taskbar icon doesn't change. I would expect a diagonal line or a change in color (red) or change in tooltip.
Also changing from start to stop or back to start protection causes a "Not responding" message before the change is made.

Version 0.7
Windows 7 Ultimate, 32 bit
IE 9