ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. sbwhiteman

    sbwhiteman Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    63
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    So it protects against what it protects 100% of the time. Yeah...

    At no point in the article do they indicate how it works except that it isn't a sandbox or antivirus.

    So it's very likely something similar to EMET. Nice, but they also claim to prevent Java exploits, which EMET doesn't. And I'm very doubtful that this program would stop Java exploits.

    edit: Downloaded it and wrote up a very quick piece. https://insanitybit.wordpress.com/2012/09/28/zerovulnerabilitylabs-exploitshield/

    I'll see if I can test it out later.

    edit2: It does seem to stop Java exploits but I haven't tested it personally so I can't say exactly how.
     
    Last edited: Sep 29, 2012
  3. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    I would take any program that claims 100% success with a grain of salt.
     
  4. carat

    carat Guest

    Hahaha, well said! ;)
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There are YouTube videos of it. Search for them using the keyword ZeroVulnLabs. :)
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,175
    Location:
    USA
    Thanks for testing & reviewing our product.

    Yes, ExploitShield Browser Edition does protect Java and other components within the browser (Flash, Shockwave, Adobe Reader, etc.).

    Of course nothing is 100% as you said. The comment refers to the type of exploits we have tested against, it has blocked 100% of them. That is not to say of course there could be a new exploit tomorrow which it doesn't. But for now everything we've thrown at it has been blocked... 3 different IE 0-days, 3 different Java 0-days, Blackhole Exploit Kit 2.0, Phoenix, Incognito, Sakura, PDF exploits, VLC exploits, Windows Media Player exploits, etc.

    EDIT: I am pbust btw but this is a project of mine which is separate from Panda.
     
    Last edited: Sep 28, 2012
  7. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Looks interesting. It's still in beta and they're looking for testers. From what the video shows it's very much like EMET except it blocks Java exploits. It has a list of shielded programs. Worth taking a look.
     
  8. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Interesting....
    The title of the thread brought me back to the days of Exploit Prevention Labs and Linkscanner/SocketShield.
    Taking this for a spin around the block in ShadowMode.
     
  9. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
    What the heck. I'm gonna try it.....:)
     
  10. Hungry Man

    You mention it's not a sandbox (or someone did) but it seems like your product denied execution of a payload. It's a bit vague so I can't really tell what's happening yet but that seems sandboxesque to me? Can you provide some details as to how it works?
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ ZeroVulnLabs

    Looks interesting :thumb: so I installed it.

    I've discovered that ES has stopped HitManProAlert from running! No fly out as it hasn't even launched!

    Are you, or anyone else, able to confirm this?

    Anyway, all the best with it :)
     
  12. ZeroVulnLabs

    Weird, I don't see any block events similar to what you are describing. Can you PM me your exploitshield.log file from within %ProgramFiles%\ZeroVulnerabilityLabs\ExploitShield directory?
     
  13. ZeroVulnLabs

    What we can say is posted on our site. I recommend these two pages:
    http://www.zerovulnerabilitylabs.com/home/technology/zerovulnerabilitylabs-technology/
    http://www.zerovulnerabilitylabs.com/home/technology/frequently-asked-questions/
     
  14. Hungry Man

    Great, thank you.

    edit: well, it kinda told me more about what it isn't. It's not exactly clear still but I suppose that's alright.
     
  15. ZeroVulnLabs

    I hope you understand we cannot tell all the details of how we do it... for many reasons. Bad guys, competitors, etc.
     
  16. Hungry Man

    I understand.
     
  17. CloneRanger

    @ ZeroVulnLabs

    I'll PM the Log in a minute ;) You'll notice I had to install it several times, due to my wanting to see what it was going to install first via ProcessGuard alerts. Amongst other things, I needed to allow the driver & FF injection. After these were allowed it installed with no errors, that I could see anyway.

    I don't see any obvious issues in the Log, but you're the best judge of that :D

    Have you tried it with HMPA?

    I'm using FF v.3.6.14 & don't intend on changing it.

    Regards
     
  18. ZeroVulnLabs

    Thanks for the log!

    I don't see any block events. What exactly happened with HMP? Are you sure it was ExploitShield blocking it or it simply failed to run? Did you see a red+black+white alert popup from ExploitShield?
     
  19. CloneRanger

    @ ZeroVulnLabs

    I'll log out of here so I can close FF & reload & see what happens. Then log back in again & report what I find.
     
  20. ZeroVulnLabs

    For those of you that want to test it against real and live drive-by exploit kits, we do have a section in our forum where we post live exploit URLs. You have to be registered and logged in to view it:
    http://www.zerovulnerabilitylabs.com/forum
     
  21. CloneRanger

    NO

    I "think" the FF injection by ES is interfering "somehow" with HMPA.

    Please note, it's HitManProAlert & not HitManPro ;)
     
  22. ZeroVulnLabs

    Installed HMP but didn't see a HMP.Alert anywhere. Where can I download the .Alert program from?
     
  23. CloneRanger

  24. ZeroVulnLabs

    Thanks for the info. We'll check both of these and get back to you.
     
  25. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    When I stop protection, the color of the taskbar icon doesn't change. I would expect a diagonal line or a change in color (red) or change in tooltip.
    Also changing from start to stop or back to start protection causes a "Not responding" message before the change is made.

    Version 0.7
    Windows 7 Ultimate, 32 bit
    IE 9
     
    Last edited: Sep 28, 2012