ViRobot APT Shield 2.0...next tool for blocking exploits

Discussion in 'other anti-malware software' started by ichito, Jul 11, 2014.

  1. guest

    guest Guest

    I would stay away from this tool. Even though it's free.

    I think its functionality is way too limited:
    - There is no way to verify that it's protecting a certain application (No GUI for example)
    - It does not seem to block the actual exploitation attempt, merely the payload.
- Creating a bypass should be quite trivial. (Like calling WinExec using a ROP chain instead of using 'regular' shellcode.)

    It seems to be no match for HMPA or MBAE. (I even think that ERP or AP would offer a similar level of protection)
     
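    The bypass the poster has in mind turns on a distinction a payload-only blocker cannot make: a sensitive API such as WinExec reached by a RET from a ROP gadget looks, at the API's entry point, exactly like one reached by a CALL from compiled code. The "caller check" used by EMET-class mitigations (and the products named above) reads the return address a hooked API finds on the stack and asks whether the bytes just before it decode as a CALL. The following is an added example, not code from the thread or from HAURI's product: a minimal x86-64 version of that check, run over two constructed byte sequences (a compiled import-table call, and a `pop rdi ; ret` / `pop rax ; ret` gadget pair). The opcode list is a deliberately small heuristic, and the decoder, sample bytes and verdict names are all assumptions of this example.

```c
/* Added example: x86-64 "caller check" as applied by an API hook.
 * Not part of the original thread or of ViRobot APT Shield. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ALLOW = 0, BLOCK = 1 } verdict_t;

/* Does the instruction ending just before ret_off decode as a CALL?
 * Heuristic: only the encodings a compiler typically emits for an API
 * call are recognised (assumption of this example; real decoders are
 * longer and still cannot rule out coincidental E8/FF bytes). */
bool preceded_by_call(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return false;
    const uint8_t *r = code + ret_off;            /* r[-k] is safe below */

    /* E8 rel32 : direct near call */
    if (ret_off >= 5 && r[-5] == 0xE8) return true;
    /* FF 15 disp32 : call qword ptr [rip+disp32]  (import thunk / IAT) */
    if (ret_off >= 6 && r[-6] == 0xFF && r[-5] == 0x15) return true;
    /* FF D0..D7 : call rax..rdi */
    if (ret_off >= 2 && r[-2] == 0xFF && (r[-1] & 0xF8) == 0xD0) return true;
    /* 41 FF D0..D7 : call r8..r15 */
    if (ret_off >= 3 && r[-3] == 0x41 && r[-2] == 0xFF && (r[-1] & 0xF8) == 0xD0)
        return true;
    return false;
}

/* What a hooked WinExec would decide from the return address on the stack:
 * reached via CALL -> let the real API run; reached via RET -> block. */
verdict_t check_api_entry(const uint8_t *caller_code, size_t len, size_t ret_off)
{
    return preceded_by_call(caller_code, len, ret_off) ? ALLOW : BLOCK;
}

/* Constructed sample 1: normal compiled caller
 *   sub rsp,0x28 ; call qword ptr [rip+0x1234] ; add rsp,0x28
 * The return address pushed by CALL points at the `add`. */
static const uint8_t legit_caller[] = {
    0x48, 0x83, 0xEC, 0x28,                 /* sub rsp, 0x28             */
    0xFF, 0x15, 0x34, 0x12, 0x00, 0x00,     /* call [rip+0x1234]         */
    0x48, 0x83, 0xC4, 0x28                  /* add rsp, 0x28  <- ret addr */
};
#define LEGIT_RET_OFF 10

/* Constructed sample 2: ROP chain. `pop rdi ; ret` loads the command-line
 * argument and RETs into WinExec; the next stack slot (what the hook reads
 * as the "return address") is simply the next gadget, `pop rax ; ret`. */
static const uint8_t rop_gadgets[] = {
    0x5F, 0xC3,                             /* pop rdi ; ret             */
    0x58, 0xC3                              /* pop rax ; ret  <- ret addr */
};
#define ROP_RET_OFF 2

int main(void)
{
    verdict_t v1 = check_api_entry(legit_caller, sizeof legit_caller, LEGIT_RET_OFF);
    verdict_t v2 = check_api_entry(rop_gadgets, sizeof rop_gadgets, ROP_RET_OFF);
    printf("compiled CALL into WinExec : %s\n", v1 == ALLOW ? "ALLOW" : "BLOCK");
    printf("ROP RET into WinExec       : %s\n", v2 == ALLOW ? "ALLOW" : "BLOCK");
    return 0;
}
```

Note what the check does and does not buy you: the ROP case is blocked even though no shellcode bytes exist anywhere in memory, which is precisely the case a payload-only blocker misses; but an attacker who can find a gadget address that happens to sit right after a CALL instruction passes this check, so products layer it with stack-pivot and caller-region checks rather than relying on it alone.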
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    OK thanks, and no GUI is always a deal-breaker. And yes, Exe Radar and AppGuard will also stop most exploits, because most payloads need to execute from disk.
     
  3. 142395

    142395 Guest

    This is not limited to in-mem malware but is a more common technique, and currently I don't know any in-mem malware which uses this technique exclusively, so it's just a possibility, but there well may be.
    You can tell phishing if you closely look at the details, or at least the certificate, but finding HTML injection will be hard as it is displayed in a legitimate trusted website and the attacker can even make it no different from the original site. And I guess detecting it by AV would not be trivial as some legitimate addons also do similar things.
     
  4. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,883
    According to the website, AS does the following across a variety of Windows applications:

    * Blocking malicious code that exploits vulnerabilities in applications.

    Document program

    MS office, Adobe reader, Ichitaro, etc.

    Web browser
    IE, Firefox, Chrome, Safari, Opera, Java, Flash, ActiveX, etc.

    Media player
    Real player, QuickTime player, Winamp, etc.

    Messenger
    Skype, Yahoo, Google, etc.

    Compression software
    WinZip, WinRAR, 7-Zip, etc.


    It does not have a traditional GUI but it does alert the user when a malicious payload
    has been blocked:

    http://www.hauri.net/updata/product_info/apt20_img01.gif

    Apparently, it's a combo anti-executable/exploit blocker. You might even call it an anti-malware behavior blocker because it uses a general set of heuristic rules to decide what malicious payload to silently block. It runs silently as expected of zero day threat software - and will show an alert when a malicious payload attempted to run that it blocked. It won't replace an anti-virus or classical HIPS but it will catch what more traditional anti-malware might miss. AS blocks application vulnerabilities, malware that hijacks those vulnerabilities and it blocks social media vectors that can be used to drop malicious payloads. It's a companion to an AV and also runs alongside EMET and MBAE to provide comprehensive anti-malware protection.
     
    Last edited: Jan 29, 2015
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    HAURI is a very well known security firm - by the way.

    I will be watching this product, if it offers anything above what I already use, and doesn't impact performance I will consider it.
     