ViRobot APT Shield 2.0...next tool for blocking exploits

http://www.aptshield.net/apt_individual.html

http://www.hauri.net/product/product_view.html?product_uid=OTU=

 

Looks like malwarebytes anti exploit tool

Anybody tried it yet?
Noticed it runs on 64bit but doesnt mention if it is a 64bit version or 32bit under emulation.

 

It seems to make use of the anti-exe protection method. I don´t think it´s using advanced detection methods like MBAE and HitmanPro.Alert. That doesn´t mean it´s a bad tool of course.

 

Very interesting quote from pdf-brochure...unfortunately only as the screenshots







http://www.hauri.net/download/brochure.html

 

@ ichito,

It´s interesting to me that they don´t claim to offer "memory overflow" protection. When it comes to blocking exploits, it will probably offer the same level of protection as AppGuard and EXE Radar.

 

ViRobot works stably and smooth...its usage of resources is about 17 MB



Thanks my friends I can link some test on YT

Spoiler: YT tests

https://www.youtube.com/watch?v=M5EW2SQxVd0
https://www.youtube.com/watch?v=35B6aL9loh8
https://www.youtube.com/watch?v=iJV8GSpZccs
https://www.youtube.com/watch?v=HnJKzhWwwTU
https://www.youtube.com/watch?v=YkQM75GS8NA
https://www.youtube.com/watch?v=Tc1ipfYvlzE
https://www.youtube.com/watch?v=A1iTibQpQGc
https://www.youtube.com/watch?v=M0Lqx5do1pU
https://www.youtube.com/watch?v=sdBUjUxY43Y
https://www.youtube.com/watch?v=dGrcIV_sOmI
https://www.youtube.com/watch?v=lr76vjD2bvo
https://www.youtube.com/watch?v=44OomxDoP2I
https://www.youtube.com/watch?v=Fr0mrQMT1A8
https://www.youtube.com/watch?v=Ym9-xzM82WM
https://www.youtube.com/watch?v=BawGb_V6gds

 

Sounds intriguing but:

1. How well-known/reputable is the developer?
2. Is it completely free?
3. Is there any point in running it alongside AppGuard?

 

I installed APT Shield, then tried running a bunch of the HitmanPro.Alert 3 test exploits, and none were blocked by APT Shield.

 

@ Brandonn2010

Not good !

Where would i get the HitmanPro.Alert 3 test exploits ?

 

Please check this post.

 

I might have to test this in a virtual machine.

Sounds interesting

 

Company information:

Name: HAURI Inc.
Founded: 1998
Website: http://www.hauri.net/
Company CEO & President: Mr. Chun Kim Hee
Location Information:
1Fl, Yale Bldg.
60 Chungsin-dong
Jongno-gu
Seoul, 110844

South Korea
Phone: 82 2 3676 1100
Fax: 82 2 3676 8011

Company Overview:
HAURI Inc., a security software development company, develops, produces, and distributes security solutions that protect customers from various IT threats and help enterprises manage the risk. It offers ViRobot Internet Security, a personal security solution that provides anti-virus, anti-spyware, anti-phishing, and firewall; ViRobot SDK engine to those who want to use anti-virus engine to integrate with their software; ViRobot Server Protection, an antivirus program for Windows file server; ViRobot Management System, an intellectual total security management program for enterprise; and ViRobot GatewayWall, a mail server quarantine program that supports Windows, Unix, Linux, Solaris, and other mail servers. The company also provides ViRobot Mail Security, an anti-spam security solution that provides anti-spam filtering, as well as anti-virus filtering; Online Security that scans and repairs the infected PC from Internet explorer; REDOWL SecuOS, a secure operating system solution that protects main servers against various types of threats, such as external hacking, insider security criminal, and etc.; and ViRobot Zip, an integrated compression solution that enables users to manage massive compressed file and do compress/extract files. It serves government office, finance, and enterprise customers in the United States, Mexico, Chile, Brazil, India, other Asian countries, and internationally. The company offers its products through distributors. HAURI Inc. was founded in 1998 and is based in Seoul, South Korea.

Source Information from - http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=12935767

 

Ok, so the company is fine, but the effectiveness of the product is questionable, since it gave not a peep from the HMP.A test.

 

@ WSFfan

Thanks for the link

 

You tube tests show that it blocks execution of embedded code in content processed by "Document programs, Web browsers, Media players, Messenger, Compression software".

Their brochure says "detection of malicious code" is based on abnormal behaviour of applications, needing no pattern updates and having no false poistives. It also mentions that it monitors "targets of vulnabilities", so not claiming to:
1. Block the actual (memory) exploit itself,
2. Prevent the dropper delivering the malware.

Anyone tested it with live malware?

 

APT like MBAE and HMPA injects a dll into the programs monitored. For people running AppGuard, AppLocker or SRP note that this DLL is located in C:\ProgramData and is called "VrNsdAppMon.dll". It reacts to executions triggered from protected applications.

Still not sure how it determines illegal executions from UAC protected folders, but it does (according to the videos). Played a little with it and It seems to block certain risky MS calls (like registering a DLL) with blacklisting from user space and some sort of smart whitelisting for windows & program files. Problem is that lot's of hardware related stuff is often unsigend (audio and video dll's in C:\program files\common files). But it somehow can determine good from bad within plug-in execution. Is this the reason it needs internet connection at installation (and updates for home use are provided as long as allowed by Hauri's policy). As far as I know it resembles MBAE layer 3 protection.

Are there members who understand Korean with some more info?

 

@ Windows_Security

Thanks for the info, so it seems to be a bit more advanced than we thought? It would be cool if some expert could test the most popular anti-exploit apps, I really wonder who would come out on top.

 

Would it be too much overlap to run alongside Appguard?

 

AppGuard blocks executions of unsigned in user space and prevents untrusted aps to make changes in admin space, so with what I know of them both, APT would just be eating CPU cycles doing nothing, so yes.

 

Thanks

 

A note of caution: when you launch a program before the "APT is active screen pop-up" it does not inject its dll (e.g. in chrome).

 

I haven't tried, but using a buzzword like APT automatically makes me skeptic.

 

Well for freebie users it makes offers a nice Combo with EMET for exploit protection.

 

I have watched some videos on YouTube, and I get the feeling that it´s not really blocking exploits, instead it´s blocking payloads, just like any other anti-exe. So if you´re using EXE Radar or AppGuard you probably won´t need this tool.

 

Not going into Exe Radar discussion again, see for instance http://www.offensive-security.com/metasploit-unleashed/Payload_Types