ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,674
    If Microsoft does buy up this company and incorporates its technology into Microsoft Security Essentials - it will have an unbeatable advantage over its competitors. If this does prove itself on the market, an offer from Redmond will not be long in coming! :isay:
     
  2. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Please check if exploit shield protected against CVE-2012-5112 , it is for google chrome
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There's no exploit code or any details about that exploit out.
     
  4. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Forgive me, but no I didn't. I don't know much about it at all. I don't have a test machine so I can't try it, and very little is being said about exactly how it works (for good reason). So chill out with the angry face.

    If it conflicts with Sandboxie, and/or is a huge overlap with it, then with all due respect... I won't be using it. I thought it was more like EMET using different techniques.
     
  5. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,674
    Its somewhat like EMET but it also ensures your browser is contained so malicious zero day exploits cannot download and install on your computer. So you don't need to run SB to get that level of additional security. :thumb:
     
  6. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Sounds like Geswall to me
     
  7. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Does Geswall block java and flash and IE zero days?
     
  8. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Hi all,

    Just registered here after trying ExploitShield last week. :) When I first heard about it, didn't think too much about it, figuring it was simply an EMET-like tool, limited to browser-type programs. But when I read in the CNET article (link in OP) that it's supposed to block "currently known exploit methods" against EMET (like these?) and anti-anti-ROP stuff, I thought it sounded promising. :cool:

    And I also saw the posts here wondering about, or questioning, compatibility with Sandboxie, which I wouldn't want to give up "just" to use ExploitShield's protection...


    No, not one or the other. :) ExploitShield (like EMET) tries to prevent anything from happening, which is the best thing after keeping software updated. Sandboxie can then still act as containment in case anything does happen.


    I looked into running both together after noticing that the ES GUI did not show anything in Sandboxie being Shielded. Although ExploitShield.dll was injected -- does that enable protection even if the GUI doesn't indicate it...? o_O

    I found out what Sandboxie configuration settings need to be added for compatibility, and posted on the SBIE forum whenever tzuk wants to add an official Template. :D

    You need to add for your sandbox(es):

    OpenIpcPath=$:ExploitShield.exe
    OpenIpcPath=*\BaseNamedObjects*\ZVL_IPC_CHANNEL*

    Or, from the SBIE GUI: Sandbox Settings > Resource Access > IPC Access > Direct Access and Add the 2 parts after the = sign.

    Then it seems to work as much as I've been able to check, as far as the GUI status, etc. ZeroVulnLabs, are there any other IPC/communication "channels" that are used to enable protection that Sandboxie may still be blocking and I missed?
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    But the thing is... I will be using SBIE. It isn't going anywhere. So if it's one or the other, and conflicts are inevitable (or it's mostly overlap), as promising as ES looks I won't be using it.

    But this investigation by Pepper sounds promising to me. I hope to be able to use both without conflicts. Though I personally think Tzuk should wait until a final/stable build is out and it matures a bit until adding compatibility for it. Not only to prevent potential problems, but because it may change from now till then.

    If this can be pulled off, I'll definitely be adding ES to my setup. It'll be nice to be able to take advantage of good mitigation techniques here on XP without having to add .NET bloatwork... err, I mean "framework" onto my setup. Not to mention the fact that the full advantage of EMET isn't possible on XP anyway.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,967
    I tried another, but it was intercepted in the browser warning[AVG] as follows:

    ScreenShot_ES_malicious url_03.jpg

    I then chose to ignore the warning, and got...

    ScreenShot_ES_malicious url_04.jpg
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,967
    Then this one which looks like it was on its way to infecting my system, but not intercepted by ES.

    ScreenShot_ES_malicious url_05.jpg

    ScreenShot_ES_malicious url_06.jpg

    After seeing the Sygate FW popup for the second time, I answered 'No' this time, and got this warning...

    ScreenShot_ES_malicious url_07.jpg
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    How can it be somewhat like EMET, when the software developers behind it claim it's different than EMET? o_O Are you aware of something that makes you say that? Or, are you saying it's somewhat like EMET, because it also helps to stop exploits?
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    494
    Location:
    italy
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Indeed, they are not the same, as ZeroVulnLabs are had mentioned in this thread. I'm not sure why people consider one to exclude the other; the same way, using one wouldn't exclude Sandboxie.

    Of course, I'm not talking about hopening holes in Sandboxie to let the two (EMET & ExploitShield) work... that's another talk. Perfect, would be for Sandboxie's author to include EMET's techniques into Sandboxie. :D
     
  15. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Why is http://www.zerovulnerabilitylabs.com/ being picked up by US cyber command as Malware website?

    Just an FYI.


    You have attempted to access a blocked website. Access to this website has been blocked.

    Category: malware-sites

    URL: www.zerovulnerabilitylabs.com

    Contact your local Network Control Center for information on how to gain access to MISSION ESSENTIAL or otherwise authorized websites, or to report a mis-categorized website.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,089
    Location:
    USA
    Say what? I don't get an exciting message like this when I go to the site :)
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ GrammatonCleric

    Hi i'ld love to see a screenie of that Alert :thumb:

    No probs here either !
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Does it give you an info URL or somewhere to contact? Obviously its an FP, but might be due to the fact that we do publish some exploit kit URLs on our site.
     
  19. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    Sorry can't take screen shot, not currently at work.


    But here is the POC you might want to inquire with:
    USCC_ServiceDesk@cybercom.mil
     
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    Unfortunately ES does not protect apps from MS Office 2000...there is no such line in "Logs" tab. I've noticed this on my XP SP3.
     
  21. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    The browser edition only protects the browser, I think.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    Maybe you are right so in this case I would ask the developer - why on ExploitShield Browser Edition site you wrote
    and after clicking some app from the list in "Shields" tab we get the message

    121013160000_1.jpg

    not e.g. "only browsers are protected in ES Browser Edition"??
     
  23. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes. More info in the comments of the article.
     
  25. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    I just installed ExploitShield 0.7 beta (after making a system image backup)and gave it a spin in XP SP3 partition and installation was smooth.

    This partition has:

    Avira Internet Security 2012(with firewall /ProActive realtime)
    Keyscrambler Pro(on-demand --I use it when I connect to the internet)
    Sandboxie Free
    MBAM Pro(on-demand)
    HitmanPro(on-demand)

    As of this writing I am testing it on two of my mostly used browsers which is Google Chrome 22 Stable and Firefox 15.01. I have enabled:

    Java (2 files) - Version: 10.7.2.10 in Google Chrome
    Java Deployment Toolkit / Java (TM) Platform SE 7 U7 in Firefox 15.01

    A couple of questions though:

    The 'General Tab' shows 24 shielded applications while in the 'Log Tab' it shows only 3 protected applications. Kindly see image attached.

    Is that's supposed to be correct? I even opened a printed .pdf file of this thread, PolyEdit Lite, etc but I cannot see it in the log. Can't that 24 Shielded applications be shown in the log as well?

    Is the Log Tab only for browsers (Broswer edition). Incidentally I also tried to use SRWare Iron and Comodo Ice Dragon but it seems they are not supported. I also noticed that when you close a browser, say, Opera. It still shows in the log.

    Does it stays there like that? Is the time of termination from protection not also shown? Can that be shown as well?

    Noticed that when I right-click the tray-icon the GUI disappears. Anyone seen this beahavior?

    On SBIE,

    I tried to run Chrome in SBIE (taking into consideration what DR_LaRRY_PEpPeR
    posted above) while Firefox /Opera in plain ES protection. I did not notice anything that would make it incompatible. Visited some porn sites hoping to see it in action but there was none I saw.

    Kindly see image attached of the SBIE settings and the image with browsers running with/without SBIE.

    I also was able to download an .flv file from a porn site that is red via WOT. The file is not infected as of the scans from MBAM and Avira.

    Maybe (I hope) Sully can take a stab as to some additionals for SBIE/ES to work together.

    Still observing here.

    Nice work there pBust you the man! :thumb:
     

    Attached Files:

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.