ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    ZeroVulnLabs

    Any compatibility issues with EMET?
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, that's a good suggestion. Please do post it at our support forum's "suggestions" section so we have it on record for the backlog.
    The more open applications you have while starting/stopping ExploitShield, the longer it is going to take, and it may possibly stay as "Not Responding" for a few seconds while it shields/unshields those open apps. Try closing all browsers and other apps (Adobe, Windows Media Player, etc.) and then repeat the start/stop operations. Do you still get a "Not Responding"?
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Haven't tried that combination yet.

    If you do test it please post back the results. In our forum you can find some malicious URLs which point to live exploit kits for testing (you need to be logged in to see them).
     
  4. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    Thanks a bunch!!

    PS: oops wrong user. I can see this is going to be fun!
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Is it 64-bit Win7 compatible?
     
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Ah, split personality syndrome. :D
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Now there's an idea, a double exploit protection.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, 64-bit under XP, Vista, 7 and Win8.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I noticed no compatibility issues with EMET but I've been on Linux most of the day. Officially back to studying so I won't be able to test it (unless I take a metasploit break tomorrow) yet.

    Still, from what I've seen... props to you guys for finally putting out a security product that makes sense.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks a bunch for that comment! :D

    If you're going to test with metasploit take a look at the "how to test" and "what not to test" comments in the ExploitShield Browser Edition page:
    http://www.zerovulnerabilitylabs.com/home/exploitshield/browser-edition/
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'll take a look at that. Naturally I wouldn't be testing for something like XSS or CSRF - outside of the scope of the attack.

    I'd be interested in getting shell and really seeing what I can/can't do though from a compromised locked process. I have some suspicions already as to some of the very basic components of the program (again, good stuff).

    Is there any significant difference in protection for an XP system vs a 7 system? An XP system is easier to test but I'd like to get the 'full' program - know what I mean?

    P.S. I like the business model. Very solid that the free version provides protection against Java and Flash. Makes sense that the corporate would focus on Office Suite etc.
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes the protections are the same under XP vs Win7/8.

    Thanks for the comments again. Keep in mind that the Corporate Edition, in addition to the office/server stuff, will also include things such as advanced penetration attacks (i.e. shells, meterpreter, etc.). So testing reverse shells under Browser Edition is also out of scope of the program.

    Details of one versus the other here:
    http://www.zerovulnerabilitylabs.com/home/exploitshield/
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  14. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I've been waiting for something like this to come around. I'd been expecting the AVs to be working on exploit detection as well.

    Pbust: when you mention VLC exploits, were those in the wild or something taken from metasploit? Also, what is the anticipated hit on general performance?

    Looks exciting, will follow with interest.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Haven't seen many VLCPlayer exploits in the wild, so most of our tests were with metasploit-generated ones. There's a couple of vids at our YouTube channel of ExploitShield blocking VLC, Quicktime, WindowsMediaPlayer, Word, Adobe Reader, Excel, etc. exploits. Most come from in-the-wild, but a few are metasploit-generated.

    Thanks for your interest!
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    One free marketing tip: to get the most out of exploits and malware, base your marketing on fact, fear and fantasy (in the security industry also referred to as 3F marketing). You will have to prove that this 3F is relevant for me. Please help me into fact, fear and fantasy (3F) mode. I really feel left out of these paranoid exploit protection (PEP) facts, because I am not using IE or Java.

    Add Chrome, Firefox and Safari to this list (step 2 of 3F marketing, inject some PEP facts):

    http://www.zerovulnerabilitylabs.com/home/services/security-intelligence/

    Three golden rules of marketing in the security industry:
    1. Communicate Fear, fright and fantasy (3F)
    Base your storyline on "malware and exploits exist, hence you will be doomed one day and get infected". No one can disagree with the fact that water is wet.

    2. Inject Paranoid Exploit Protection (PEP) facts
    Provide a factual list of live exploits against which [name of your security application] protects.

    3. Create third party trust buzz
    Ideally through an on-line magazine (link building) article, launch a buzz; enforce this through interactive participation on (security) forums and other security hangout places of security paranoids; support this with visual evidence by adding YouTube tests to prove it is real and necessary.
     
    Last edited: Sep 29, 2012
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We don't protect Safari. Only IE, FF, Chrome and Opera. Maybe in a later version we will, along with some other software (iTunes, etc.).

    An entry in the table shows the last exploit blocked in a "session". By "session" I mean for example your typical visit to a Blackhole v1 or v2 kit will try to exploit different vulnerabilities (PDF, Java, Browser, WMP, etc.) depending on your config. Even within the same program such as Java it might attempt to exploit different vulnerabilities.

    In the case of some versions of Firefox those exploits are shown as "Mozilla Firefox" and sometimes as Java. In the case of Chrome they are pretty much always showing up as Java, as that's what the kits exploit if you visit them with Chrome.

    You can test this easily... create some test rigged pdf, avi, etc. files with metasploit, upload them to your server and then visit it with Chrome/FF/Opera/IE + ExploitShield and you should see the result appear in the table so you can scare yourself ;)
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You nailed the fourth rule of 3F security marketing:
    "provide a test intrusion" on your website so people can check whether the protection works against innocent malware/exploits created by [name of your company].

    On the website you are telling me you have a set and forget solution for dumbos like me; the next moment you are asking me to craft a test exploit on my own server like I would be a real pro. What is wrong in this picture?

    Please note golden rule nr 5: Send consistent messages to your target audience on the themes that differentiate your application from the competition.

    Really only trying to help you out, but 5 golden rules is the maximum you will get for free :D Please contact me for the business edition of 3F marketing :D
     
    Last edited: Sep 29, 2012
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks ;)

    We do publish some URLs to live exploit kits in our forum. But you need to be registered and logged in to see them.
     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA

    Not really into marketing discussions, ExploitShield *is* install-and-forget. What you are talking about/looking for is a different story. But if what you are looking for is diversity on the table, someone just got saved from an exploit different than IE or Java:
    ScreenShot00130.png

    As you can see from the picture ExploitShield includes other protection "gems" we haven't talked about yet.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    OK, Windows Script Host, now we are talking, paranoia mode starting to kick in... yes, now I am interested, installed ExploitShield for a test ride :D
     

  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Next to EMET I see... well, it's a start ;)
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Does Z provide the same protections as EMET (so more than ASLR and ROP as mentioned in the article)?
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    F-Secure used to have (no longer) a stand-alone beta anti-exploit application, and I believe it made it into their mainstream AV/IS solutions. Not sure, though...

    Others may as well have other ways of preventing exploits, like AVG with their LinkScanner, which blocks exploits (also exploit kits, which bundle Flash, Java, etc. exploits).
     
  25. guest

    guest Guest

    Interesting! But unfortunately it doesn't work here, at least not the way I had expected. You see, if there is a counter "shielded applications" and I run Firefox (16 beta though?), I would expect it should show "1", right? At least after reboot? But it's most of the time "0". Before, after a very (!) long time, it once (!) had the count at "2" (running IE and FF) and entries in the logfile (".. is now protected"), but that doesn't seem reliable to me at this point. Maybe the problem is my system with WRSA and EMET 3.5 installed. After all it is a beta at this time and I will check later as it IS definitely a very interesting project -> bookmarked. :thumb:
     