ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Are you able to install mbae now?
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I have installed MAE, but it doesn't appear to be functioning. See here
     
  3. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    Just testing ExploitShield out. It does not function correctly running DefenseWall with Opera as untrusted; disabling DW, ES works fine, but I'm not willing to sacrifice the protection of DW to run ES. Hopefully future versions will work together, as I see they could complement one another.
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Like LoneWolf, I too run DW with Opera as untrusted.

    Also, I won't be sacrificing DW in order to run MAE. After all, it appeared to be working with the last beta version installed, prior to the sale to Malwarebytes.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I get shell in Firefox. I download my payload. I create a startup entry in the registry for that payload. I wait for the user to restart.

    How does ES protect against this form of attack?

    I assume that when virtualalloc is called you check the stack/heap for traits that are typical for exploits. What if I never call virtualalloc? What if I call createremotethread? What if I call something else entirely? Do you hook every function?

    Details on how this product actually works would be nice. The only person who's said anything was that guy who did a security review and found it to be lacking. I realize your response isn't still up, but, as the author of that article said, it's not really relevant since the minute details of detection don't matter.

    You've got users here thinking that you prevent exploits the way EMET does when that is certainly not the case. Maybe you should try to be a bit more clear about how you're actually protecting them, because "antiexploit" certainly doesn't describe much.
     
    Last edited: Jun 23, 2013
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the reports. We'll try to contact Webroot, Trusteer and DW to have them whitelist us. With the move to Malwarebytes the binaries are now signed with Malwarebytes digital signature and they need to be whitelisted again by these vendors.
     
  7. A butcher and a surgeon both use a knife and know where and how to cut, at least the objects and environment in which they operate are different. So telling which functions it hooks does not say anything about the knowledge (decision rules) behind these hooks (point 4). Like the butcher and surgeon, MBAE probably considers this knowledge the intellectual property of their trade/product.

    Considering the flow of events of the malware samples it protects (reported at ZVL website/user forum), MBAE should do the following:

    1. Hooks download and execute / create process functions

    2. Injects a DLL into programs listed as the protected programs

    3. When a hooked function is called, a traceback to the process originating the function call is made, along with the displacement location of the memory area calling this function within the protected program

    4. Decision rules cause a block or not (here is where the context agnostic magic happens)

    So in layman's terms it protects front-line applications and their plug-ins from download and execution of code from unusual/suspicious memory locations. The changing of the registry is probably a code execution from a suspicious memory location. Combined with the code downloaded, this would probably tick the alarm boxes of the decision rules.
     
    Last edited by a moderator: Jun 23, 2013
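    To make the four-step flow in the post above concrete, here is a small simulation of a caller-origin decision rule. It is an added example written for this thread, not code from ZeroVulnerabilityLabs, Malwarebytes or anyone else in the discussion, and every address, module name and hooked-API name in it is constructed. A hook on a "download/execute" style API walks the return addresses of its caller and asks whether each frame returns into a loaded module image or into anonymous memory (heap, stack); the same code also shows the objection raised later in the thread, that a call to an API nobody hooked is never evaluated at all.

```python
"""Simulated hook-side decision rule: is the caller of a sensitive API running
from a loaded module image, or from anonymous (heap/stack) memory?
Constructed example; memory map, module names and API list are invented."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    start: int
    end: int     # exclusive
    kind: str    # "image" = backed by a loaded module, "anon" = heap/stack/etc.
    name: str

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


# Hypothetical memory map of a protected process (constructed values).
MEMORY_MAP: List[Region] = [
    Region(0x00400000, 0x00500000, "image", "browser.exe"),
    Region(0x10000000, 0x10080000, "image", "plugin.dll"),
    Region(0x75000000, 0x75100000, "image", "kernel32.dll"),
    Region(0x77000000, 0x77200000, "image", "ntdll.dll"),
    Region(0x02000000, 0x02100000, "anon", "heap"),
    Region(0x0012F000, 0x00130000, "anon", "stack"),
]

# APIs that the simulated product hooks (constructed list, step 1 of the post).
HOOKED_APIS = {"CreateProcessW", "WinExec", "URLDownloadToFileW", "CreateRemoteThread"}


def locate(addr: int, memory_map: List[Region] = MEMORY_MAP) -> Optional[Region]:
    """Return the region containing addr, or None if it is unmapped."""
    for region in memory_map:
        if region.contains(addr):
            return region
    return None


def evaluate_call(api: str, return_addresses: List[int],
                  memory_map: List[Region] = MEMORY_MAP) -> Tuple[str, str]:
    """Decision rule run from inside a hook (steps 3 and 4 of the post).

    return_addresses is the walked call chain, innermost frame first.
    Returns ("allow" | "block", reason).
    """
    if api not in HOOKED_APIS:
        # No hook, no check: the call is never seen by the decision rule.
        return ("allow", "api not hooked")
    for depth, addr in enumerate(return_addresses):
        region = locate(addr, memory_map)
        if region is None:
            return ("block", f"frame {depth} at {addr:#010x} is unmapped")
        if region.kind != "image":
            return ("block",
                    f"frame {depth} at {addr:#010x} returns into {region.name} "
                    f"(non-image memory)")
    return ("allow", "all frames return into loaded modules")


if __name__ == "__main__":
    # Normal launch: browser.exe -> kernel32 -> hooked API.
    print(evaluate_call("CreateProcessW", [0x75001234, 0x00401000]))
    # Same API, but one frame returns into the heap.
    print(evaluate_call("CreateProcessW", [0x75001234, 0x02004000]))
    # Heap-origin caller of an API that is not hooked: never evaluated.
    print(evaluate_call("RegSetValueExW", [0x02004000]))
```

The third call is the point of contention later in the thread: the rule is only as good as the set of hooks in front of it, so the design question is which APIs are hooked and how deep the frame walk goes, not whether the verdict logic is secret.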
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If memory doesn't fail me, ZVL ExploitShield (now Malwarebytes Anti-Exploit) has never been advertised to prevent/stop exploits the way EMET does. They actually mentioned since the very beginning that it works in a different way.

    There have been a few questions by users over the time about that, and they always answered they worked differently. How have users got the idea they work the same way? o_O Only someone not reading/paying attention would think that.
     
  9. Function

    Function Registered Member

    Joined:
    Feb 5, 2012
    Posts:
    76
    Location:
    UK
    Does ExploitShield work differently than AppGuard? Can both be used at the same time, or should you only use one or the other, like only installing one antivirus on a machine?

    Also does ExploitShield work with Sandboxie?
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @Windows_Security, that's not correct. Not every function call would be considered execution, and I don't believe (they can let us know, of course) that they're hooking every call. The logic behind its exploit detection is mostly irrelevant, since it only detects exploits after they've happened, and the detection logic only kicks in after specific calls are made. So avoiding those calls is all one has to do.

    I'm not really interested in pointing out more specific flaws, the point is that code is executed, then they detect if a call is made, then they prevent execution of a specific piece of code.

    And keeping their system a secret isn't helping, because it's only really laziness that prevents me from just reversing it and looking myself. There are way more motivated/interested parties, and some of them won't be nice enough to post about it publicly.

    @m00n,

    Sorry, I wasn't implying that they were *telling* people it was like EMET, they've done the opposite. I'm saying that their misleading name, and the lack of details about their program, has led people to confuse it with EMET. In short, I'm saying they need to be clearer about how the program works, because people clearly are confused. I've seen a lot of people post about how they feel it does XYZ, or wondering if they still need EMET to prevent exploits, etc.
     
    Last edited: Jun 23, 2013
  11. No, you are right, probably just a few hooks would be set, with a traceback check to see whether it is a monitored program with the MBAE DLL planted in.

    To get things done you need specific function calls, of course for some there are a few ways of doing this, but some logic just can't be done without calling specific functions.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    EMET deems around 50 calls as being critical for attackers, and that's why it redirects those calls to ensure further validation before killing the process. When ES first came out I believe it used around 5, though I have no clue how many it checks now. Again, whereas a program like EMET is incredibly open about its mechanics (which doesn't hurt its ability to protect at all) ES has almost no details whatsoever about its mechanics. MS has also been really open about the weaknesses of EMET, especially the Anti-ROP solutions (which are the closest to resembling the logic of ES) like their opened holes for false positives, design issues, etc.

    Knowing which calls it hooks provides nothing to attackers, who can simply find out themselves by downloading the program. I'm just calling for further clarity about how this program works.
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    1) We never said ES or MBAE was like EMET. Quite the contrary, we've always said they complement each other and that someone with EMET + MBAE is better protected than with only one of those. In addition MBAE will protect against the bypasses that EMET has experienced as of late, like the ROP attacks.

    2) MBAE does not only include the limited checks or limited number of hooks you think it does. Don't believe everything you read, especially if it's old.

    3) MBAE also incorporates new memory exploit prevention techniques that don't rely on just blocking the payload. Again, don't believe everything you read. The fact that someone wrote something some time ago doesn't necessarily mean it is automatically true.

    4) We've also always said that MBAE is by no means complete. There are many other techniques to be incorporated into the product as it continues to evolve. This is precisely the motivation behind joining with Malwarebytes so that we can combine resources and knowledge to make it even better.

    5) Simply because you think we should tell you details of our intellectual property doesn't mean we "have to" do so. Do you ask every vendor of software you use to give you source code or publish their IP before you use their products? That's nonsense.

    6) Before you had a problem with the name "ExploitShield" and now it seems you don't like "Anti-Exploit" either. But I don't see you making such a big fuss about Crystal Anti-Exploit, EMET (which at some point claimed that "no exploit ever might bypass its techniques" before it was bypassed by ROP) or AV products which claim to "detect all viruses" or "provide total and complete protection". With that in mind, plus all points 1-5 above, it seems to me yours is more of a personal problem and I'm sorry but I can't help you with that.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, I realize I was very unclear here and I apologize. Like I said to m00n, I meant that users were confused, not that you were telling them that yours is like EMET.

    So what else does it hook? Before you hooked programs primarily having to do with launching payloads. Has this changed?

    The number one thing I have asked for is clarity about what your product is doing.

    I can't really say much about future plans, can I?

    I expect every security vendor to publish how their product works, yes. I wouldn't ever use a security product otherwise. I don't believe in security through obscurity, I don't really care about IP, and IP isn't productive in security. No one is asking for source code, don't be silly.

    Because both talk about exploits, when all I've seen is a prevention of payload execution, not remote code execution.

    Never heard of it. Point me in their direction, I'll tell them they need to be clearer about how they work too if I find that they're being disingenuous.

    Perhaps you mean when they said this about generic bypasses? I assume so. Either way, MS is *very* open about how their program works, including its shortcomings.
    -http://0xeb.files.wordpress.com/2013/06/inside-emet-4-0-recon20131.pdf-

    They don't feel the need to hide their security behind IP.

    I'm sure many users can attest to me ripping into AVs as well. I am certainly very much against AVs that claim to detect all viruses, or provide more protection than they can, and I've had many conversations here about this.

    I have no personal issues with you. I actually like the MBAM CEO quite a lot, he's always been very nice to me, and the security community. If anything that's kept me from being a lot meaner than I could be lol but I'm not really interested in being mean or degrading anyways, my only interest is getting clarity about a security program, because that will benefit the users. You should want the same thing.
     
    Last edited by a moderator: Jun 24, 2013
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Believe me, this does not happen in endpoint security. Nobody will tell you details of how their product works, only marketing information. I'd love to see details of for ex Symantec heuristics and behavior analysis if you can get it.

    You say you want clarity about what the product does and we've provided that: "protection from vulnerability exploits". There was also a whole section describing the tech in the old ZVL website. What you are asking for is much more in-depth technical details and that we won't provide (unless of course you can convince MWB CEO).
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://kb.eset.com/esetkb/index?page=content&id=SOLN127&locale=en_US

    Companies are open about how their products work. They won't tell you how they weight their heuristics, or give you source code, etc. But they are very open about the mechanics of a heuristic engine, and how it works, and what it's meant to prevent, and where it's weak.

    AVs have talked extensively about how they use new APIs, like OnOpen() in order to get their products to work faster. They publish all sorts of stuff. It's not just marketing nonsense like "We detect malware!" they will go into the mechanics, at least to an extent.

    MS published an incredibly in depth paper on the mechanics of EMET, posted above.

    Security companies are typically open about how they work, because attackers will take the time to find out anyways, and input from the security community is a good thing.

    "Protection from vulnerability exploits" tells me just about nothing. The old page was very sparse in terms of useful information.

    I messaged the CEO already, actually.
     
  17. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    In that link I can only find a Wikipedia-level explanation, nothing that can reassure a user about how effective that piece of software is.

    Some people here give more credit to an anonymous YouTube video from 2010 or to a blog with just one entry from 2011 than they give to a company that works every day to protect their users. That's how the internet 'intelligentsia' rolls.

    ~ Removed Off Topic Remarks ~
     
    Last edited by a moderator: Jun 24, 2013
  18. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    O. M. G.

    I , for one , am glad to see ES, stay afloat and continue into the future.

    Currently using it [the 0.9.1 browser edition, not the corporate] on an XP box with NIS and shadow defender without problem.

    Have high hopes of seeing a really good first line of defense by December.

    God speed, and may she watch over you good Sirs!

    -cheers
    feandur
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @Vojta,
    It is far more explanation than we have received about ES. It explains types of heuristics, their mechanics, what they protect against, and how they have been designed. There is a lot of information there, and there's a lot more on the web.

    Can you tell me how ES works? Because, based on that ESET article alone I can tell you a lot about how at least one component of their product works.

    edit: Crap. I can't find the ESET article on heuristics I wanted. At one point they put out an article that was much more comprehensive, and explained how heuristics can be weighted based on traits, etc. Either way, companies put out tons of information about the ideas behind their products.

    Lol this isn't some anonymous YouTube video, and it's not an independent "blog" either. TrailofBits puts out plenty of research between Dan Guido and the other researchers there. It's probably over a lot of people's heads, so maybe it doesn't seem legitimate to you, but that's not really my problem.

    What a shame that I've missed the 'off topic remarks', in my opinion those always make the conversation a lot more interesting.

    I don't want to derail this topic, users need support, and I don't want to get in the way of that. My opinions are there, and users can do whatever they like.
     
    Last edited: Jun 24, 2013
  20. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Funny that you thought it was aimed at you. In fact it was, but I was not talking about this precise case, I was referring to some previous intents to extract information from Trusteer about Rapport some time ago, in the same fashion as you are doing right now. It seems to be your main concern or favourite pastime here at Wilders.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I assumed that video was what you were referring to, though it wasn't anonymous, and the content stood on its own regardless. A good example, actually.

    I find it annoying when companies make products and pretend they can do things they can't, or aren't open about how the products work. Most people have no technical education or background, and can't understand when companies do this, so I feel, given that I do have an education, that it makes sense to at least provide that educated opinion to them.

    It's not really a main concern, otherwise I'd have spent the time to reverse the program and truly demonstrate all of this, but it's something to kill time with.

    edit: But as I said above, I don't want to derail a support topic with my opinions. If you want to continue, you can always use PM.
     
    Last edited: Jun 24, 2013
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Formal definition of this ............. "vaporware".:argh:
     
  23. For the definition of vaporware, see Wikipedia.

    For a product doing the things it promises, see the list of blocked exploits on the ZVL / MBAE website.

    Let's go back on topic.
     
  24. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    :thumb:
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think you mean blocked payloads. But this misunderstanding is exactly the issue.

    I agree, best to get back to the topic.
     