ExploitShield: new anti-exploit software for Windows
Traditional options to protect a computer from malware and exploits often rely on knowledge of the exploit or an exploit family to detect it. While that is effective to some degree, it usually falls short when it comes to new types of malware, which signature- or heuristic-based applications can't detect until they have been discovered. Most computer users and companies shy away from installing advanced protection technologies that protect the system from unidentified exploits via sandboxing or whitelisting. While effective, they are usually not that easy to set up and maintain.
ExploitShield by ZeroVulnerabilityLabs has made the rounds in the last 24 hours. The available beta version automatically protects popular web browsers, including Google Chrome, Mozilla Firefox, Opera and Internet Explorer, when it is running on the system.
You may ask yourself what it is doing exactly, and this is where things get blurry. The developers claim that it shields applications against exploits targeting software vulnerabilities, but do not go into detail about how this is achieved. All that is revealed is that it is not relying on blacklisting, whitelisting or sandboxing. This suggests some form of exploit mitigation technology similar to what Microsoft's EMET does.
ExploitShield in particular is said to
- protect against all known and unknown zero-day arbitrary code execution vulnerability exploit attacks.
- shield applications in a way that they cannot be exploited through any of their present or future zero-day vulnerabilities.
- be malware agnostic, meaning that it will block exploits coming from malware that traditional antivirus solutions do not know yet.
Those are bold claims that need to be verified by trusted third parties. The beta version only protects web browsers, Java, and web browser components - which means plugins - from being exploited. A corporate edition furthermore adds programs such as Microsoft Office, Adobe Reader or Acrobat to the list of shielded applications.
ExploitShield protects the programs against exploits that result "in complete system compromise by running arbitrary malicious code and which are normally used by cyber criminals to infect users with financial-driven malware, botnet infections or corporate espionage malware". The program blocks the execution of malicious code once it detects exploitation attempts. The affected application will be closed for stability purposes, and information about the attack attempt is uploaded to company servers for statistical analysis. According to the FAQ, no personally identifiable information is sent to the server.
ExploitShield is an install-and-forget type of application that works silently in the background once it is running on the system. The program is fully compatible with all recent versions of Windows, from XP to Windows 8.
Here is a video released by the company that shows how exploits are blocked by the program.
I will keep an eye on the progress the company makes, and any third party research or validation of the claims that are made by the company. For now, I'd take the claims with a grain of salt until they have been confirmed by independent research. (via Techdows)