ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    If Microsoft does buy up this company and incorporates its technology into Microsoft Security Essentials - it will have an unbeatable advantage over its competitors. If this does prove itself on the market, an offer from Redmond will not be long in coming! :isay:
     
  2. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Please check if ExploitShield protects against CVE-2012-5112; it is for Google Chrome.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    There's no exploit code or any details about that exploit out.
     
  4. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Forgive me, but no I didn't. I don't know much about it at all. I don't have a test machine so I can't try it, and very little is being said about exactly how it works (for good reason). So chill out with the angry face.

    If it conflicts with Sandboxie, and/or is a huge overlap with it, then with all due respect... I won't be using it. I thought it was more like EMET using different techniques.
     
  5. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    It's somewhat like EMET, but it also ensures your browser is contained so malicious zero-day exploits cannot download and install on your computer. So you don't need to run SB to get that level of additional security. :thumb:
     
  6. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Sounds like Geswall to me
     
  7. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Does Geswall block java and flash and IE zero days?
     
  8. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Hi all,

    Just registered here after trying ExploitShield last week. :) When I first heard about it, didn't think too much about it, figuring it was simply an EMET-like tool, limited to browser-type programs. But when I read in the CNET article (link in OP) that it's supposed to block "currently known exploit methods" against EMET (like these?) and anti-anti-ROP stuff, I thought it sounded promising. :cool:

    And I also saw the posts here wondering about, or questioning, compatibility with Sandboxie, which I wouldn't want to give up "just" to use ExploitShield's protection...


    No, not one or the other. :) ExploitShield (like EMET) tries to prevent anything from happening, which is the best thing after keeping software updated. Sandboxie can then still act as containment in case anything does happen.


    I looked into running both together after noticing that the ES GUI did not show anything in Sandboxie being Shielded. Although ExploitShield.dll was injected -- does that enable protection even if the GUI doesn't indicate it...? o_O

    I found out what Sandboxie configuration settings need to be added for compatibility, and posted on the SBIE forum whenever tzuk wants to add an official Template. :D

    You need to add for your sandbox(es):

    OpenIpcPath=$:ExploitShield.exe
    OpenIpcPath=*\BaseNamedObjects*\ZVL_IPC_CHANNEL*

    Or, from the SBIE GUI: Sandbox Settings > Resource Access > IPC Access > Direct Access and Add the 2 parts after the = sign.

    Then it seems to work as much as I've been able to check, as far as the GUI status, etc. ZeroVulnLabs, are there any other IPC/communication "channels" that are used to enable protection that Sandboxie may still be blocking and I missed?
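    A small checker for the two lines above, added here as an example and not code from the post, Sandboxie or ZeroVulnerabilityLabs. It assumes the classic Sandboxie.ini layout (a [GlobalSettings] section that applies to every box, one [BoxName] section per sandbox, and keys such as OpenIpcPath that may repeat), which is why it does not use configparser, whose duplicate-key handling would silently drop all but one OpenIpcPath. The INI text embedded in it is constructed sample input.

```python
"""Report which sandboxes lack the ExploitShield OpenIpcPath entries.

Added example (not from the forum post, Sandboxie or ZeroVulnerabilityLabs).
Assumed Sandboxie.ini layout: [GlobalSettings] applies to every box, each box
has its own [BoxName] section, and a key such as OpenIpcPath may repeat.
"""
from collections import defaultdict

# The two entries named in the post, matched exactly (no glob expansion).
REQUIRED_IPC = (
    "$:ExploitShield.exe",
    r"*\BaseNamedObjects*\ZVL_IPC_CHANNEL*",
)

# Constructed sample input: one box fully configured, one missing an entry.
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
ConfigLevel=7
OpenIpcPath=$:ExploitShield.exe
OpenIpcPath=*\\BaseNamedObjects*\\ZVL_IPC_CHANNEL*

[BrowserBox]
Enabled=y
OpenIpcPath=$:ExploitShield.exe
"""


def parse_sandboxie_ini(text):
    """Return {section: {key: [value, ...]}}, keeping repeated keys in order."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections


def sandbox_names(sections):
    """Box sections are everything except the global and per-user sections."""
    return [s for s in sections
            if s != "GlobalSettings" and not s.startswith("UserSettings_")]


def effective_values(sections, box, key):
    """Global entries apply to every box in addition to the box's own."""
    return sections["GlobalSettings"].get(key, []) + sections[box].get(key, [])


def missing_ipc_entries(sections, box):
    """List the required OpenIpcPath values this box does not have."""
    present = set(effective_values(sections, box, "OpenIpcPath"))
    return [entry for entry in REQUIRED_IPC if entry not in present]


def audit(text):
    """Map each sandbox name to the required entries it is missing."""
    sections = parse_sandboxie_ini(text)
    return {box: missing_ipc_entries(sections, box) for box in sandbox_names(sections)}


if __name__ == "__main__":
    for box, missing in audit(SAMPLE_INI).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{box}: {status}")
```

Run against a real Sandboxie.ini, `audit()` tells you per box whether both entries are in effect, whether they were added to the box itself or once under [GlobalSettings]. The match is exact on purpose: each OpenIpcPath line widens the sandbox's IPC boundary, so the check should confirm precisely the two named openings and nothing broader.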
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    But the thing is... I will be using SBIE. It isn't going anywhere. So if it's one or the other, and conflicts are inevitable (or it's mostly overlap), as promising as ES looks I won't be using it.

    But this investigation by Pepper sounds promising to me. I hope to be able to use both without conflicts. Though I personally think Tzuk should wait until a final/stable build is out and it matures a bit until adding compatibility for it. Not only to prevent potential problems, but because it may change from now till then.

    If this can be pulled off, I'll definitely be adding ES to my setup. It'll be nice to be able to take advantage of good mitigation techniques here on XP without having to add .NET bloatwork... err, I mean "framework" onto my setup. Not to mention the fact that the full advantage of EMET isn't possible on XP anyway.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    I tried another, but it was intercepted in the browser warning[AVG] as follows:

    ScreenShot_ES_malicious url_03.jpg

    I then chose to ignore the warning, and got...

    ScreenShot_ES_malicious url_04.jpg
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Then this one which looks like it was on its way to infecting my system, but not intercepted by ES.

    ScreenShot_ES_malicious url_05.jpg

    ScreenShot_ES_malicious url_06.jpg

    After seeing the Sygate FW popup for the second time, I answered 'No' this time, and got this warning...

    ScreenShot_ES_malicious url_07.jpg
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    How can it be somewhat like EMET, when the software developers behind it claim it's different than EMET? o_O Are you aware of something that makes you say that? Or, are you saying it's somewhat like EMET, because it also helps to stop exploits?
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Indeed, they are not the same, as ZeroVulnLabs had mentioned in this thread. I'm not sure why people consider one to exclude the other; in the same way, using one wouldn't exclude Sandboxie.

    Of course, I'm not talking about opening holes in Sandboxie to let the two (EMET & ExploitShield) work... that's another talk. Perfect would be for Sandboxie's author to include EMET's techniques into Sandboxie. :D
     
  15. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Why is http://www.zerovulnerabilitylabs.com/ being picked up by US cyber command as Malware website?

    Just an FYI.


    You have attempted to access a blocked website. Access to this website has been blocked.

    Category: malware-sites

    URL: www.zerovulnerabilitylabs.com

    Contact your local Network Control Center for information on how to gain access to MISSION ESSENTIAL or otherwise authorized websites, or to report a mis-categorized website.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Say what? I don't get an exciting message like this when I go to the site :)
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ GrammatonCleric

    Hi, I'd love to see a screenie of that Alert :thumb:

    No probs here either !
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Does it give you an info URL or somewhere to contact? Obviously it's an FP, but it might be due to the fact that we do publish some exploit kit URLs on our site.
     
  19. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    Sorry can't take screen shot, not currently at work.


    But here is the POC you might want to inquire with:
    USCC_ServiceDesk@cybercom.mil
     
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Unfortunately ES does not protect apps from MS Office 2000...there is no such line in "Logs" tab. I've noticed this on my XP SP3.
     
  21. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    The browser edition only protects the browser, I think.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Maybe you are right, so in this case I would ask the developer: why, on the ExploitShield Browser Edition site, you wrote
    and after clicking some app from the list in "Shields" tab we get the message

    121013160000_1.jpg

    not e.g. "only browsers are protected in ES Browser Edition"??
     
  23. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes. More info in the comments of the article.
     
  25. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    I just installed ExploitShield 0.7 beta (after making a system image backup) and gave it a spin in an XP SP3 partition, and installation was smooth.

    This partition has:

    Avira Internet Security 2012 (with firewall / ProActive realtime)
    Keyscrambler Pro (on-demand -- I use it when I connect to the internet)
    Sandboxie Free
    MBAM Pro (on-demand)
    HitmanPro (on-demand)

    As of this writing I am testing it on the two browsers I use most, which are Google Chrome 22 Stable and Firefox 15.01. I have enabled:

    Java (2 files) - Version: 10.7.2.10 in Google Chrome
    Java Deployment Toolkit / Java (TM) Platform SE 7 U7 in Firefox 15.01

    A couple of questions though:

    The 'General Tab' shows 24 shielded applications while in the 'Log Tab' it shows only 3 protected applications. Kindly see image attached.

    Is that supposed to be correct? I even opened a printed .pdf file of this thread, PolyEdit Lite, etc., but I cannot see them in the log. Can't those 24 shielded applications be shown in the log as well?

    Is the Log Tab only for browsers (Browser edition)? Incidentally, I also tried to use SRWare Iron and Comodo Ice Dragon, but it seems they are not supported. I also noticed that when you close a browser, say, Opera, it still shows in the log.

    Does it stay there like that? Is the time of termination from protection not also shown? Can that be shown as well?

    Noticed that when I right-click the tray icon the GUI disappears. Anyone seen this behavior?

    On SBIE,

    I tried to run Chrome in SBIE (taking into consideration what DR_LaRRY_PEpPeR posted above) while Firefox / Opera ran under plain ES protection. I did not notice anything that would make it incompatible. Visited some porn sites hoping to see it in action, but there was none I saw.

    Kindly see image attached of the SBIE settings and the image with browsers running with/without SBIE.

    I also was able to download an .flv file from a porn site that is rated red via WOT. The file is not infected according to scans from MBAM and Avira.

    Maybe (I hope) Sully can take a stab at some additional settings for SBIE/ES to work together.

    Still observing here.

    Nice work there pBust, you the man! :thumb:
     
