ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The actual title of the column at the real-time list of blocked attacks is "exploit payload" so there shouldn't be any misunderstanding.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I talked to the CEO and I think it's cleared up anyways. I think it's clear that people are confused about what the program does. I am only looking for it to be made clearer, and I recognize the difficulty in trying to convey how a complex program works to people who don't really understand the difference between exploit and payload etc anyways. And I realize that the program is a beta, and you can't just change the site, and document it overnight.

    Regardless of whether I think the program is super useful, my main issue has always been that users aren't understanding what it's doing to make them secure. I think that's your responsibility to make clear.
     
  3. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Thanks, Hungry Man, for your efforts to educate. :thumb: .

    Later...
     
  4. Function

    Function Registered Member

    Joined:
    Feb 5, 2012
    Posts:
    76
    Location:
    UK
    So with this all cleared up can anyone tell me if this program works would AppGuard? I am still confused if this works like AppGuard (an anti-EXE) or if it is something else.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Statements along the lines of "you should run ES along with EMET because ES protects against things EMET does not" bother me. If that is the case, show a simple table comparison between the two products.

    Bottom line is exploits can be blocked any number of ways. Even by your AV as long as it has a signature for the exploit.
     
  6. Tested the beta this afternoon (CET-1) to check whether the problem with Word was solved. After that I de-installed MBAE and hit the link of the malware sample again, this time there was no MBAE to stop it, so the payload landed in the Temp directory, (see pic), it also tried to add a registry entry to HKCU/run to survive reboot. IMO MBAE will be a useful addition for average users due to its near zero configuration and user dependence.

    Theory & opinions don't stop malware, for now practise & proof are convincing enough for me, so back on topic please
     

    Last edited by a moderator: Jun 24, 2013
  7. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Shouldn't that be 'Even by your AV as long as it has a signature for the exploit's payload'?
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I remember when SocketShield was around, before they were bought by AVG. I don't think that they could have done better in explaining their product, but people just couldn't understand the product -- even with videos and one-on-one discussions.

    The problem is that people don't know and don't care about exploits, and getting them to understand beyond the most basic level requires more than is appropriate for a commercial website. Plus, if you throw too much info at them then they're more likely to just walk away.

    I think ZVL does a fine job of providing relevant info.

    You can't really compare ES to something like EMET, which uses techniques given to the public and is FAR from being the company's bread and butter. ZVL doesn't exist without ES, and they're entitled to trade secrets like any company. They did mention, though, that they'd be able to speak more freely after the patents are issued (although I suppose that depends on MB now). Other AM companies are making similar functionality for their products, and they're being even more tight-lipped about it (funny, though, that the company offering the most information is the one that gets accused of hiding too much). This particular technology is in something of an arms race right now, and I don't expect to hear much about it until everyone has their patents and the technology becomes a lot more common and mature. Even then we'll still probably get relatively basic details that are common to most/all of them.

    It would be great if we lived in an open-source world where developers/companies could tell all and not worry about how it might affect their ability to make a living, but we don't.
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    No, it's more like an anti-malware that detects by behavior; sort of like how Threatfire used to be, but focused on detecting exploited processes.
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Many filter exploits from web, email, and other traffic. Granted, those are often signatures for very specific lines of code, rather than detecting them generically or behaviorally.
     
  11. Function

    Function Registered Member

    Joined:
    Feb 5, 2012
    Posts:
    76
    Location:
    UK
    So it's a behaviour blocker? If I have a HIPS (Online Armor) would I still need MBAM? Or does it just function like a HIPS without asking if you want to block.
     
  12. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    No. You might want to look back through this thread a bit.

    It monitors certain processes (like your browser), detects when the process is attempting to run a program file as the result of an exploit, then stops the file from running and quarantines it.
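
The behaviour described in the posts above (a monitored application launching a dropped program file, and a payload in Temp adding an HKCU Run entry) can be approximated after the fact from process and registry logs. This is an added example, not part of the thread and not ExploitShield's or MBAE's own detection method, which is not described here; the event field names, the list of monitored applications and the sample events are constructed assumptions.

```python
import ntpath

# Assumption: applications treated as "monitored" for this illustration.
MONITORED = {"iexplore.exe", "firefox.exe", "chrome.exe", "winword.exe", "acrord32.exe"}
# Directories where a dropped payload typically lands (Temp, per the post above).
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"

# Constructed sample events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"type": "process_create",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\a1b2.exe"},
    {"type": "registry_set",
     "process": r"C:\Users\alice\AppData\Local\Temp\a1b2.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    # User double-clicks an installer from Temp: parent is not a monitored app.
    {"type": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    # Word starting a helper from the Windows directory: not a drop location.
    {"type": "process_create",
     "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},
]

def triage(events):
    """Return (event index, rule name, detail) for each suspicious event."""
    alerts, dropped = [], set()
    for i, ev in enumerate(events):
        if ev["type"] == "process_create":
            parent = ntpath.basename(ev["parent"]).lower()
            image = ev["image"].lower()
            # Rule 1: a monitored application launches a binary from a drop directory.
            if parent in MONITORED and any(d in image for d in DROP_DIRS):
                dropped.add(image)
                alerts.append((i, "monitored-app-launched-temp-binary", ev["image"]))
        elif ev["type"] == "registry_set":
            # Rule 2: that same binary then writes a Run key to survive reboot.
            if ev["process"].lower() in dropped and RUN_KEY in ev["key"].lower():
                alerts.append((i, "dropped-binary-set-run-key", ev["key"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Correlating the two rules on the same file path keeps ordinary launches from Temp and ordinary Run-key writes by installed software out of the alert list.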
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Kudos Notok for your in-depth understanding of the business and related issues!! :thumb: :thumb:
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Scenario: copying a text from an online page, then pasting it into Microsoft Word and Save to .pdf will trigger an "Exploit Attempt Blocked" !!
    Test bed: Windows 7 x64, MBAE 9.2.1200 & 9.2.1400 (latest from July 11th); Microsoft Office 2007 & Office 2010.


    This was reported to me, they asked that I pass it along. Couldn't find the other topic, so if it belongs there feel free to move it.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    This is a bug. We are aware of it and working on it already. Should be fixed in the next release. Thanks for reporting.
     