ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Peter, AppGuard is anti-executable, so it will prevent any download installation in real time, so there are no leftovers to remove.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So is there any difference in protection between ES and Appguard?
     
  3. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I know this question isn't directed towards me, but I figured I would reply anyway...

    AppGuard in Lockdown Mode = Locks down/prevents the system from all file executions (Globally), unless set otherwise
    ExploitShield Browser Edition = Blocks many types of Exploits through your browser

    Those are the differences between the two
     
    Last edited: Jan 5, 2013
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Interesting suggestion! In the example you mention the ES protection is loaded correctly but it is then unloaded by WRSA or other security HIPS (Comodo D+ and Rapport for example). In some cases it is completely blocked from loading, but as you mention the parent process is still allowed to be protected so that the ES log "IE is protected" is in fact misleading. We have been thinking about this for some time and will probably add a hook lower into the kernel to prevent these incompatibility problems with other security products. That might take some time however. The best for now is to send as many requests as possible to these security vendors (Webroot, Comodo, Trusteer) to white-list ES. Webroot & Trusteer have been very responsive so far. Comodo seems a little more complex for them to add a digital sig to their white-list.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    ExploitShield also "removes" the payload EXE and moves it to the ES quarantine as well as makes it harmless.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    AppGuard and other similar apps such as EXERadar, etc. are white-listing approaches to security. This is a very good approach and I use it personally alongside ExploitShield. But those white-listing security apps are not for everybody. For example I could not install them on my mom's or sister's computers as they would be calling me every day asking what to do with the prompts. ExploitShield is designed to be install-and-forget so that it can be installed on a regular grandma's PC whose owner doesn't have any knowledge of security or computers for that matter. It's a perfect companion to existing & established security apps such as anti-malware.
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    (re-post from Comodo forum)

    We've been running some tests under Win7 x64 with CIS and ES and here are our findings:

    * First install ES and then default install of CIS (ie HIPS not enabled)
    * ZeroVulnerabilityLabs digital signature is included in the Comodo Trusted Vendor List by default
    * IE still crashes when opening
    * Added ExploitShield folder and process to CIS behavioural engine exceptions
    * IE still crashes when opening
    * Added ExploitShield folder and process to CIS shellcode injection exceptions
    * IE still crashes when opening
    * Added ExploitShield folder and process to CIS unknown/untrusted sandbox exceptions
    * IE still crashes when opening

    The same results may be experienced with other browsers. Comodo contact does not provide a solution. Seems to me that the CIS behavioural exceptions are not working as expected. Anyone know of a different approach to solve these issues?
     
  8. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Not as of yet, I'm looking for a solution myself. I have ExploitShield installed on my system, but have it turned off at the moment, due to this issue with Comodo. I'll let you know if I figure it out or not.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi ZeroVulnLabs

    I maybe pushing the envelope here, but it is only because I am seriously interested in your product.

    1) Quarantine and remove are to me not at all alike. Quarantine means you moved the file elsewhere on my system like AV's do, but it is still on my system. Delete means just that, it's gone. To me a huge difference.

    2) Appguard is not a white listing program. White list implies the software needs to know everything on my system that is allowed to run. Appguard simply does not work that way.

    So my question remains. What does ES offer up and above Appguard.

    Pete
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Never really used Appguard, but you can get a very good idea about what ExploitShield does and what it does not by reading these 2 pages:
    http://www.zerovulnerabilitylabs.com/home/technology/zerovulnerabilitylabs-technology/
    http://www.zerovulnerabilitylabs.com/home/technology/frequently-asked-questions/

    Good suggestion about Quarantine. You're right that it does not remove the payload. ES simply copies it to Quarantine but also makes it inactive (ie not able to run). Since it is beta for now we figured testers might want to access the blocked payload. In future versions we might simply delete the payloads and make quarantine an advanced option.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks ZVL, that is helpful

    Pete
     
  12. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    ZeroVulnLabs: - So, for now, Exploit Shield could ideally be paired with some light Virtualisation (say Shadow Defender for example) to remove remnants ?

    - cheers,
    feandur
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We haven't tested it with SD but if you do, check to make sure that the ExploitShield DLL gets correctly injected into the browser when running alongside SD. To do this, simply run ProcessExplorer from SysInternals and search for ExploitShield.dll/ExploitShield64.dll to make sure it is listed under the browsers' process space.
     
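    The manual Process Explorer check above can be scripted. The following is an added example written for this page, not ZeroVulnerabilityLabs' own tooling: it walks every running browser process and reports whether ExploitShield.dll or ExploitShield64.dll is present in its module list, which is the ground truth the developer says the "IE is protected" log line can misrepresent when another HIPS unloads the DLL. The browser process names are an assumption; edit the list to match what you run.

```powershell
# Added example, not code from ZeroVulnerabilityLabs. Verifies that the
# ExploitShield DLL is really loaded in each browser process, the same check
# the post describes doing by hand in Process Explorer.
# Run from a PowerShell whose bitness matches the browser: 64-bit PowerShell
# cannot read the module list of a 32-bit process, and vice versa.

$browsers  = 'iexplore', 'firefox', 'chrome', 'opera'   # assumed list; adjust
$shieldDll = '^ExploitShield(64)?\.dll$'                 # DLL names from the thread

$procs = Get-Process -Name $browsers -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning 'No browser process is running; open the browser first, then re-run.'
    return
}

foreach ($p in $procs) {
    try {
        $mods = $p.Modules
    } catch {
        # Access denied or 32/64-bit mismatch: this process cannot be inspected.
        Write-Warning ('{0} (PID {1}): cannot enumerate modules: {2}' -f `
            $p.ProcessName, $p.Id, $_.Exception.Message)
        continue
    }

    $hit = @($mods | Where-Object { $_.ModuleName -match $shieldDll })
    if ($hit.Count -gt 0) {
        '{0} (PID {1}): protected, {2} loaded from {3}' -f `
            $p.ProcessName, $p.Id, $hit[0].ModuleName, $hit[0].FileName
    } else {
        '{0} (PID {1}): NOT protected, no ExploitShield DLL in this process' -f `
            $p.ProcessName, $p.Id
    }
}
```

    Every browser process is listed, not just the first one, because multi-process browsers load the DLL per process; a "NOT protected" line for a process that should be covered is the symptom to report back, together with which other security product (Shadow Defender, Comodo, WRSA, Rapport) is installed.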
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I wouldn't think there really would be any remnants, would there? It should stop the initial payload from running, so there wouldn't be any leftovers.

    Granted there's nothing wrong with using them together in theory, and it could help with malware that enters by other means.

    On that note, I do wish that the free version would at least cover Outlook and maybe Thunderbird. I haven't really kept up lately, but Outlook especially has been a favorite target in the past.
     
  15. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    ZeroVulnLabs: - thanks for the tip.


    One question on a different matter....
    ...is it true that, for now, ES only works in the Admin account [speaking XP here] and will not work in Limited user accounts?

    That could be a deal breaker for me.

    - cheers,
    feandur.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    That was the 0.7 version. As of v0.8 it works under limited accounts as well.
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It appears that if you use the MS Security Configuration Manager and apply the settings with localgpo, then it will block one of the scripts toward the end with the log entry "audiopol.exe blocked from executing through Windows Script Host" (and the process fails).
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Most likely an FP. Will investigate it asap. In the meantime simply deactivate ExploitShield while running those operations. What OS are you running? 32 or 64?
     
  19. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Yup, and done :)

    I'm on Windows 8 Pro x64.
     
  20. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    Brilliant !

    Thanks ZeroVulnLabs !

    definitely will give this a go.

    - cheers.

    feandur
     
  21. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I switched to this from EMET Tech Preview. I'll give it a month or so trial and see how it goes. It's funny, I passed this discussion up because, like most new products discussed here, I thought it was one of those new, expensive start-ups. Nor did I have any idea PBust got it going.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for testing!

    In regards to expensive start-up, nothing could be further from the truth. It's just two of us doing what we love to do :)
     
  23. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Do you have any plans to support alternative browsers like Maxthon and such? I'm sure it makes more business sense to support that which is in use more, but I figured I'd ask. It's a bit of a shame that programs like Reader aren't supported for free, since programs like that are pretty good targets. But I appreciate what you do give for free.
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Reader is actually supported as long as it's opened within the browser. Same goes for pretty much everything within the browser (Java, ppt, Flash, Shockwave, etc.).

    In the future as we develop more features we will add them to the free Browser Edition, such as for example the ability to configure shields yourself for other apps such as alternative browsers, different PDF readers, etc. But it's still early, we are only on our second beta version of Browser Edition.
     
  25. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Well that's cool, normally I disable PDF plugins within the browser for security purposes, but if they are protected that's great :thumb: I totally understand keeping things simple while you're still in testing mode.
     