ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. Gobbler

    Gobbler Registered Member

    Does ES prevent the execution of the shellcode or the eventual binary payload like an anti-executable does? I am a bit confused o_O
     
  2. jmonge

    jmonge Registered Member

    It prevents the payload :thumb:
     
  3. Notok

    Notok Registered Member

    You can think of it like a behavioral anti-malware that's focused on detecting exploit behavior. After that it stops execution of the payload and quarantines it just like an anti-malware does.
     
  4. gambla

    gambla Registered Member

    I have a FP with a Java-based TV guide, so even if it's a FP, it seems to work. :thumb:
    I think I'll keep it.
     
  5. Gobbler

    Gobbler Registered Member

    Yes, I have read in the previous posts that it blocks and quarantines like an anti-malware does, but it is stated in the following link on their website that it stops the execution of shellcode, hence I asked this question.

    http://www.zerovulnerabilitylabs.com/home/technology/zerovulnerabilitylabs-technology/
     
  6. Feandur

    Feandur Registered Member

    ZeroVulnLabs
    Any News Updates / ETA on the release of version 0.8.2 ?

    I mean, it's almost March, right? :D

    -cheers,
    feandur
     
  7. Notok

    Notok Registered Member

    Ah, I hadn't seen that. I too would like to know this, then :)

    If it can stop shellcode from executing in memory, then that would be a great step against APTs.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    It's wrong on the website, it should say "blocks payload from executing". Will be fixed asap.

    Just as other techniques (DEP, ASLR, etc.), ExploitShield prevents the payload from executing.
     
  9. Hungry Man

    Hungry Man Registered Member

    DEP and ASLR don't stop payloads from executing. They stop stage-1 and stage-2 (respectively) shellcode from executing. You can call these all payloads, and that wouldn't be wrong, but it's got some... 'iffy' implications.

    AE, like ES, prevents the payload from executing.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    It would not be correct at all to compare ES to an AE.
     
  11. Hungry Man

    Hungry Man Registered Member

  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    AE uses whitelists and blacklists, i.e. no intelligence. ES does not use a whitelist nor a blacklist, it is 100% intelligence.
     
  13. Notok

    Notok Registered Member

    Probably more productive to think of it as a behavioral AM (which it probably actually is).
     
  14. Hungry Man

    Hungry Man Registered Member

    But they're still entirely comparable in terms of how they work. Just as Sandboxie and Low Integrity mode are two very different things, they are both sandboxes.

    I would consider ES a per-application behavioral antiexecutable, but that's just me.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    "Behavioral anti-exploit" would be more correct.

    AM wouldn't be correct either as it implies we somehow need to identify the payload binary like AV/AM normally does (sigs, heuristics, runtime behaviour of the PE, ...). This is not the case with ES. You could drop calc.exe from an exploit and ES would also block it.
     
  16. Notok

    Notok Registered Member

    I'm thinking of behavioral AM the way that ThreatFire was, which would identify and kill malware based entirely on behavior.
     
    Last edited: Feb 19, 2013
  17. Notok

    Notok Registered Member

    In as much as anything that stops malware from running is -- like any on-execution AM. However if you were to run one of those payloads manually then ES probably wouldn't stop it; even from the same directory. It also quarantines anything that it blocks.
     
  18. Hungry Man

    Hungry Man Registered Member

    Anti-Exploit implies that at some point the exploit is interfered with. Is it? Maybe something is different in the pro version that does that? As opposed to interfering with the execution of the payload, which would be separate, in my opinion.
     
  19. luciddream

    luciddream Registered Member

    I'm guessing since Comodo is so slow to even address the compatibility issue with version 6... there will be absolutely none for version 5, which I'm still on and foresee continuing to stay on for some time.

    So I don't think I'll be able to roll with ES after all unless I choose another FW/HIPS... bummer.
     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    @luciddream, I believe the latest Comodo has fixed some incompatibility issues with ES. We haven't been able to verify it but that's the information we received. You might want to try that latest version.

    @Hungry Man, Anti-exploit means that it prevents successful exploitation of software vulnerability exploits, which is what ES does.
     
  21. popcorn

    popcorn Registered Member

    I'm running ES alongside CIS 6 with no apparent issues - Comodo Dragon, Cyberfox, W7 x64.
    Other than that, both these browsers need a tweak for ES to recognise them.

    EDIT: Cyberfox is detected.
     
  22. Notok

    Notok Registered Member

    You might run Process Explorer and take a look at the DLLs loaded to check that ExploitShield.dll is loaded by the browser.
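    The same check scripted, as an added example that is not part of the thread: it lists each running browser process and whether the named DLL appears among its loaded modules. The browser process names and the module name are assumptions to adjust for your own setup.

```powershell
# Added example (not from the thread): report whether a given DLL is loaded in
# each running instance of the listed browsers. Process and module names are
# assumptions; adjust them to the browsers and product you actually run.
function Test-ModuleLoaded {
    param(
        [string[]]$ProcessName = @('firefox', 'chrome', 'dragon', 'Cyberfox', 'iexplore'),
        [string]$ModuleName   = 'ExploitShield.dll'
    )
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            # Enumerating .Modules throws for 64-bit targets from a 32-bit shell and for
            # protected processes; record that instead of silently reporting "not loaded".
            $loaded = @($proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }).Count -gt 0
            $status = if ($loaded) { 'loaded' } else { 'NOT loaded' }
        } catch {
            $status = "unknown (cannot enumerate modules: $($_.Exception.Message))"
        }
        [pscustomobject]@{
            Process = $proc.ProcessName
            PID     = $proc.Id
            Module  = $ModuleName
            Status  = $status
        }
    }
}

Test-ModuleLoaded | Format-Table -AutoSize
```

    Run it from an elevated 64-bit PowerShell so module enumeration succeeds for 64-bit browsers; a "NOT loaded" row for a browser you expect to be protected is the case Notok's Process Explorer check is meant to catch.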
     
  23. luciddream

    luciddream Registered Member

    I have... and believe me many people are sticking with v5 for good reason, not simply because they haven't gotten around to updating yet. There are half a dozen things under the hood and I only need 2 of them. Plus the interface isn't intuitive at all. v5 is perfectly suited to my needs.

    Well maybe ES will play just fine with 5 for me. I never seem to run into the types of problems everyone else does. Unless there is something specific, and universal that would stop the 2 from playing together.
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Have you tried ES and CIS5 together yet? If so, what was the problem?
     
  25. Thankful

    Thankful Savings Monitor

    Running Exploitshield stops Windows Media Player from working. If I remove ExploitShield, Windows Media Player works fine.
     