ZeroVulnerabilityLabs ExploitShield

Discussion in 'other anti-malware software' started by sbwhiteman, Sep 28, 2012.

Thread Status:
Not open for further replies.
  1. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    :thumb:
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Interesting. Would all the known issues be fixed in this version or would they still be pending further investigation? Just curious...
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, there are a few known issues fixed, but mostly the ones related to engine and IPC communication issues.
     
  4. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    Just would like to say I have the beta running alongside avast and winpatrol and am loving this setup, light as a feather and I feel as secure as a rock :thumb:

    I would like to report though (don't know if it has been or not) that before, when I was running CIS6, I couldn't use ExploitShield. No browser would run. The browser process would be created and then terminated after about 5 sec.
     
  5. memphis

    memphis Registered Member

    Joined:
    Mar 18, 2013
    Posts:
    3
    Location:
    UK
    Hello,

    I searched this thread before posting this question.

    I'm hoping to install Exploit Shield but before I do so, I was wondering if there are any known or potential conflicts with Sophos Endpoint v.10.2?

    Thanks.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    None that we are aware of. We keep a live compatibility list at http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=2&t=173. Any feedback you can provide re: Sophos compatibility would be greatly appreciated. In order to verify that ExploitShield is working, install it, open a browser and, using ProcessExplorer from SysInternals or a similar tool, search to make sure ExploitShield.dll or ExploitShield64.dll is injected in the browser's process.
     
  7. memphis

    memphis Registered Member

    Joined:
    Mar 18, 2013
    Posts:
    3
    Location:
    UK

    Thank you - both for the link to the compatibility list and for the suggestion about using ProcessExplorer. :)

    I'll check these out and provide feedback accordingly. :)
     
  8. sevenstar

    sevenstar Registered Member

    Joined:
    Oct 19, 2010
    Posts:
    54
    I've not had a bit of trouble with version 9.0. I use Firefox and Internet Explorer as my browsers. My full-time security app is Webroot SecureAnywhere. The ExploitShield dll is injected into the Firefox browser reliably to date. This is the only program that I've checked so far.
     
  9. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Would this program replace or be comparable to Winpatrol or spyware blaster?
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I'm not very familiar with those products so I couldn't say, but I think they are two completely different types of programs with different objectives. Somebody please correct me.
     
  11. Setup cleanup (skip redundant protection)

    1. Spyware Blaster
    a. Prevent the installation of ActiveX-based spyware and other potentially unwanted programs. ==> useful when you use Internet Explorer 6 or older, doubtful benefits for IE7, obsolete with enhanced settings of IE8, IE9, IE10

    b. Block spying / tracking via cookies.
    Avast, Do Not Track, IE9 and up, Chrome Safe Browsing, ABP make this obsolete

    c. Restrict the actions of potentially unwanted or dangerous web sites.
    Avast, MBAM Pro, IE9 and up, Chrome Safe Browsing, Traffic Light make this obsolete


    2. WinPatrol Plus
    Everything WinPatrol Plus does, OA Free does better. WP is Intrusion Detection based on Win95 vulnerabilities; OA Free is Intrusion Prevention based on current attack vectors.


    3. Avast Adblock or ABP (see http://techdows.com/2013/02/avast-ad-blocker-powered-by-adblock-plus.html): I would opt for ABP

    4. Do Not Track: add this anti-cookie tracking list in ABP, drop DNT

    5. TrafficLight: both IE/Chrome have this built in, and on top of that Avast and MBAM Pro have this. Triple protection by browser, Avast and MBAM Pro would be sufficient IMO, so drop Traffic Light



    So drop WinPatrol, Spyware Blaster, DNT, Traffic Light

    Keep Avast free, OA Free, MBAM Pro, ABP, consider ExploitShield free
     
    Last edited by a moderator: Mar 29, 2013
  12. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    0.9.1 beta doesn't recognise Palemoon sadly, but the previous version appeared to (as Firefox).
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    No ExploitShield version ever supported Palemoon. If the previous ES version recognized it and now it doesn't, it may be because the Palemoon executable or plugin wrapper has changed names.

    Btw the discussion thread for ES 0.9 is over at https://www.wilderssecurity.com/showthread.php?t=344265.
     
  14. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    ZeroVulnLabs,
    It would be nice if LibreOffice's equivalents of Word, Excel, and PowerPoint were added to your Shields list. Other than that, a very nice and needed application. Besides, if Kees (Windows_Security...lost your password, eh? ;) ) uses it, it's gotta be good.

    Thanks.

    Later...

    Bob
     
  15. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Understood. I won't get much use out of it currently - good luck with the development.
     
  16. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Thanks Windows, gives me something to think about.
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The criteria we are following in selecting application shields for ExploitShield are that the application needs to be popular enough (i.e. large install base) and targeted regularly in-the-wild by exploits. There are no indicators or evidence for that being the case yet with LibreOffice, but if it ever happened we could add protection for it fairly quickly.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yesterday a website tried to nail me with "malicious toolkit variant download 11." NIS 2013 caught it immediately. I was using the .8 ver. of ExploitShield at the time. I have since upgraded to the .9 ver. when I received notification from ExploitShield the .8 ver. was no longer supported.

    My question is: should there be a real-time exclusion in NIS 2013 for ExploitShield? It appears it lets NIS 2013 do its thing without any exclusions. Just want to make sure NIS will not prevent ExploitShield from doing its thing.
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    running ExploitShield :thumb: :thumb:
     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It depends on the type of NIS detection. Normally those will be detected by a URL filter which is based on blacklisting certain known malicious sites. If that's the case then it's normal for NIS or other AV to block access to the site first. However if NIS or other AV do not know the URL and don't block it, then ExploitShield would prevent the exploit from successfully compromising your computer.

    In terms of seeing if ExploitShield is protecting your browser and apps with NIS also enabled, open the browser and from ProcessExplorer search for ExploitShield.dll or ExploitShield64.dll. If it is found under the browser's process then you are OK.
     
  21. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    On the general tab, it says 'Shielded Applications'.

    How to know those shielded applications protected by your apps? In my case, I've just installed it a few hours ago and I have 9 Shielded Applications. Which are those? o_O
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    In the LOG tab of the program you will see a view of the applications which ExploitShield protects. If you open and close one of those apps multiple times, only 1 entry will be recorded in the LOG tab.

    For a list of applications which ExploitShield protects, check the SHIELDS tab of the program.
     
  23. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    If I have 10 'Shielded Applications' and under Log tab, I only have 1 program appeared, that means that Firefox for i.e is protected.

    It doesn't protect Media Player Classic, MPC and others few media players Pot Player, ...
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Some browsers have helper or sub processes when they run. Firefox has plugin-container.exe, Opera has opera_plugin_wrapper.exe and IE & Chrome open multiple instances of their processes when running. So even though you have only one browser open it might be seen as multiple "shields".

    Also there's an open issue with ExploitShield where it doesn't reset the counter correctly when a process is closed inappropriately and you might see more or less "shielded apps" than really running (known issue #2 at http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=2&t=197).

    To manually verify exactly how many apps ExploitShield is protecting you can open ProcessExplorer or ProcessHacker and search for ExploitShield.dll and/or ExploitShield64.dll and you will get a listing of apps which ExploitShield is injected into.
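
The manual check described in the developer's replies above (searching for ExploitShield.dll or ExploitShield64.dll among each process's loaded modules) can also be scripted. The following PowerShell is an added example, not part of any post and not ZeroVulnLabs code; the DLL names come from the thread, while the function name `Get-ShieldedProcess` and the watch list of process names are assumptions.

```powershell
# Added example: report which running processes have the ExploitShield DLL loaded.
# DLL names are taken from the thread; $watchList is an assumed set of process names
# for the browsers and helper processes mentioned in it.
$shieldDlls = 'ExploitShield.dll', 'ExploitShield64.dll'
$watchList  = 'firefox', 'plugin-container', 'iexplore', 'chrome',
              'opera', 'opera_plugin_wrapper'

function Get-ShieldedProcess {
    param([string[]]$DllNames = $shieldDlls)
    foreach ($proc in Get-Process) {
        try {
            # -contains is case-insensitive, so differently cased module names still match
            $hit = $proc.Modules |
                Where-Object { $DllNames -contains $_.ModuleName } |
                Select-Object -First 1
        } catch {
            # Protected or system processes: module list is not readable, skip them
            continue
        }
        if ($hit) {
            [pscustomobject]@{
                Name   = $proc.ProcessName
                Id     = $proc.Id
                Module = $hit.ModuleName
                Path   = $hit.FileName
            }
        }
    }
}

$shielded = @(Get-ShieldedProcess)

# One row per process name; helper and sub processes raise the count,
# which is why one open browser can appear as several "shields".
$shielded | Group-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# Watched processes that are running but show no ExploitShield module.
Get-Process -Name $watchList -ErrorAction SilentlyContinue |
    Where-Object { $shielded.Id -notcontains $_.Id } |
    Select-Object ProcessName, Id
```

A 64-bit PowerShell session may not list the 32-bit modules of 32-bit processes, so repeat the check from a 32-bit session before concluding that a 32-bit browser is unprotected.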
     
  25. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Thanks for all details ;)

    It would be great if, under the Shields tab, the user could also add their own customized programs (other than those coming with your program) to this list. I don't know if it's possible or even realistic. o_O
     