ViRobot APT Shield 2.0...next tool for blocking exploits

Discussion in 'other anti-malware software' started by ichito, Jul 11, 2014.

  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow

    http://www.aptshield.net/apt_individual.html
    http://www.hauri.net/product/product_view.html?product_uid=OTU=
     
  2. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Looks like malwarebytes anti exploit tool

    Anybody tried it yet?
    Noticed it runs on 64bit but doesn't mention if it is a 64bit version or 32bit under emulation.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    It seems to make use of the anti-exe protection method. I don't think it's using advanced detection methods like MBAE and HitmanPro.Alert. That doesn't mean it's a bad tool of course. :)
     
    Last edited: Jul 11, 2014
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    @ ichito,

    It's interesting to me that they don't claim to offer "memory overflow" protection. When it comes to blocking exploits, it will probably offer the same level of protection as AppGuard and EXE Radar. :)
     
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
  7. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Sounds intriguing but:

    1. How well-known/reputable is the developer?
    2. Is it completely free?
    3. Is there any point in running it alongside AppGuard?
     
  8. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    I installed APT Shield, then tried running a bunch of the HitmanPro.Alert 3 test exploits, and none were blocked by APT Shield.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Brandonn2010

    Not good !

    Where would I get the HitmanPro.Alert 3 test exploits?
     
  10. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    Please check this post.
     
  11. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    I might have to test this in a virtual machine.

    Sounds interesting
     
  12. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    Company information:

    Name: HAURI Inc.
    Founded: 1998
    Website: http://www.hauri.net/
    Company CEO & President: Mr. Chun Kim Hee
    Location Information:
    1Fl, Yale Bldg.
    60 Chungsin-dong
    Jongno-gu
    Seoul, 110844

    South Korea
    Phone: 82 2 3676 1100
    Fax: 82 2 3676 8011


    Company Overview:
    HAURI Inc., a security software development company, develops, produces, and distributes security solutions that protect customers from various IT threats and help enterprises manage the risk. It offers ViRobot Internet Security, a personal security solution that provides anti-virus, anti-spyware, anti-phishing, and firewall; ViRobot SDK engine to those who want to use anti-virus engine to integrate with their software; ViRobot Server Protection, an antivirus program for Windows file server; ViRobot Management System, an intellectual total security management program for enterprise; and ViRobot GatewayWall, a mail server quarantine program that supports Windows, Unix, Linux, Solaris, and other mail servers. The company also provides ViRobot Mail Security, an anti-spam security solution that provides anti-spam filtering, as well as anti-virus filtering; Online Security that scans and repairs the infected PC from Internet explorer; REDOWL SecuOS, a secure operating system solution that protects main servers against various types of threats, such as external hacking, insider security criminal, and etc.; and ViRobot Zip, an integrated compression solution that enables users to manage massive compressed file and do compress/extract files. It serves government office, finance, and enterprise customers in the United States, Mexico, Chile, Brazil, India, other Asian countries, and internationally. The company offers its products through distributors. HAURI Inc. was founded in 1998 and is based in Seoul, South Korea.


    Source Information from - http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=12935767
     
  13. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Ok, so the company is fine, but the effectiveness of the product is questionable, since it gave not a peep from the HMP.A test.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ WSFfan

    Thanks for the link
     
  15. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    YouTube tests show that it blocks execution of embedded code in content processed by "Document programs, Web browsers, Media players, Messenger, Compression software".

    Their brochure says "detection of malicious code" is based on abnormal behaviour of applications, needing no pattern updates and having no false positives. It also mentions that it monitors "targets of vulnerabilities", so not claiming to:
    1. Block the actual (memory) exploit itself,
    2. Prevent the dropper delivering the malware.

    Anyone tested it with live malware?
     
    Last edited: Jul 15, 2014
  16. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    APT, like MBAE and HMPA, injects a DLL into the programs monitored. For people running AppGuard, AppLocker or SRP, note that this DLL is located in C:\ProgramData and is called "VrNsdAppMon.dll". It reacts to executions triggered from protected applications.

    Still not sure how it determines illegal executions from UAC protected folders, but it does (according to the videos). Played a little with it and it seems to block certain risky MS calls (like registering a DLL) with blacklisting from user space and some sort of smart whitelisting for windows & program files. Problem is that lots of hardware related stuff is often unsigned (audio and video DLLs in C:\program files\common files). But it somehow can determine good from bad within plug-in execution. Is this the reason it needs internet connection at installation (and updates for home use are provided as long as allowed by Hauri's policy)? As far as I know it resembles MBAE layer 3 protection.

    Are there members who understand Korean with some more info?
     
    Last edited: Jul 29, 2014
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    @ Windows_Security

    Thanks for the info, so it seems to be a bit more advanced than we thought? It would be cool if some expert could test the most popular anti-exploit apps, I really wonder who would come out on top. :)
     
  18. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Would it be too much overlap to run alongside Appguard?
     
  19. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    AppGuard blocks executions of unsigned in user space and prevents untrusted apps to make changes in admin space, so with what I know of them both, APT would just be eating CPU cycles doing nothing, so yes.
     
  20. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Thanks
     
  21. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    A note of caution: when you launch a program before the "APT is active screen pop-up" it does not inject its dll (e.g. in chrome).
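
Added example, not part of the thread: a PowerShell check for the behaviour described in posts 16 and 21, reporting which running instances of the applications you expect to be protected actually have the injected DLL loaded. The DLL name is the one given in the thread; the process list and the function name `Get-InjectionStatus` are assumptions made for illustration.

```powershell
# Added example (not from the thread). DLL name as reported in the thread;
# the list of protected applications below is an assumption, edit as needed.
$DllName   = 'VrNsdAppMon.dll'
$Protected = 'chrome', 'firefox', 'iexplore', 'winword', 'AcroRd32'

function Get-InjectionStatus {
    param([string[]]$ProcessName, [string]$ModuleName)

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $mods = $null; $started = $null; $path = $null
        # Module enumeration fails for processes this shell cannot open
        # (elevated targets, or a 64-bit target seen from a 32-bit shell).
        try { $mods = $proc.Modules } catch { }
        try { $started = $proc.StartTime } catch { }

        if ($null -eq $mods -or $mods.Count -eq 0) {
            # No module list at all means "could not inspect", not "not injected".
            $status = 'Unknown'
        } else {
            $hit = $mods | Where-Object { $_.ModuleName -ieq $ModuleName } |
                   Select-Object -First 1
            if ($hit) { $status = 'Loaded'; $path = $hit.FileName }
            else      { $status = 'NotLoaded' }
        }

        [pscustomobject]@{
            Name       = $proc.ProcessName
            Id         = $proc.Id
            StartTime  = $started
            Status     = $status
            ModulePath = $path   # full path, useful when allow-listing the DLL
        }
    }
}

Get-InjectionStatus -ProcessName $Protected -ModuleName $DllName |
    Sort-Object Status, Name | Format-Table -AutoSize
```

Run it from a 64-bit, elevated shell to minimise `Unknown` results; `StartTime` helps spot instances that were launched before the shield became active.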
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I haven't tried, but using a buzzword like APT automatically makes me skeptical.
     
  23. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Well, for freebie users it offers a nice combo with EMET for exploit protection.
     
    Last edited: Aug 2, 2014
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I have watched some videos on YouTube, and I get the feeling that it's not really blocking exploits, instead it's blocking payloads, just like any other anti-exe. So if you're using EXE Radar or AppGuard you probably won't need this tool. :)
     
  25. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Not going into Exe Radar discussion again, see for instance http://www.offensive-security.com/metasploit-unleashed/Payload_Types
     