ExploitShield: new anti-exploit software for Windows

Martin Brinkmann
Sep 28, 2012
Updated • Sep 28, 2012
Security, Software, Windows, Windows software

Traditional options to protect a computer from malware and exploits often rely on knowledge of the exploit or an exploit family to detect it. While that is effective to some degree, it usually falls short when it comes to new types of malware that signature- or heuristic-based applications can't detect until they are discovered. Most computer users and companies shy away from installing advanced protection technologies that protect the system from unidentified exploits via sandboxing or whitelisting. While effective, they are usually not that easy to set up and maintain.

ExploitShield by ZeroVulnerabilityLabs has been making the rounds over the last 24 hours. The available beta version automatically protects popular web browsers, including Google Chrome, Mozilla Firefox, Opera and Internet Explorer, when it is running on the system.

You may ask yourself what it is doing exactly, and this is where things get blurry. The developers claim that it shields applications against exploit attacks against software vulnerabilities, but do not go into detail about how this is achieved. All that is revealed is that it is not relying on blacklisting, whitelisting or sandboxing. This suggests some form of exploit mitigation technology similar to what Microsoft's EMET does.

ExploitShield in particular is said to:

  • protect against all known and unknown zero-day arbitrary code execution vulnerability exploit attacks.
  • shield applications in a way that they cannot be exploited through any of their present or future zero-day vulnerabilities.
  • be malware agnostic, meaning that it will block exploits coming from malware that traditional antivirus solutions do not know yet.

Those are bold claims that need to be verified by trusted third parties. The beta version only protects web browsers, Java, and web browser components - which means plugins - from being exploited. A corporate edition furthermore adds programs such as Microsoft Office, Adobe Reader or Acrobat to the list of shielded applications.

ExploitShield protects the programs against exploits that result "in complete system compromise by running arbitrary malicious code and which are normally used by cyber criminals to infect users with financial-driven malware, botnet infections or corporate espionage malware". The program blocks the execution of malicious code once it detects exploitation attempts. The affected application will be closed for stability purposes, and information about the attack attempt is uploaded to company servers for statistical analysis. According to the FAQ, no personally identifiable information is sent to the server.

ExploitShield is an install-and-forget type of application that works silently in the background once it is running on the system. The program is fully compatible with all recent versions of Windows, from XP to Windows 8.

Here is a video released by the company that shows how exploits are blocked by the program.

I will keep an eye on the progress the company makes, and on any third-party research or validation of the claims that are made by the company. For now, I'd take the claims with a grain of salt until they have been confirmed by independent research. (via Techdows)




  1. Cesr Figueiredo said on November 2, 2012 at 12:26 pm

    Nothing against any attempts to fight the actions of highly defective, evil minds that are unable to do anything good: the hackers who dedicate their lives to doing harm to as many people’s systems as they can reach, just for perverted, insane ‘pleasure’.
    I support ExploitShield by ZeroVulnerabilityLabs and all antivirus and Internet security products. We are better off with them.
    But, just as constructive feedback, I need to say that ExploitShield has caused 32-bit Internet Explorer 9 on my 64-bit Windows 7 Professional to come up blank right after starting. I needed to keep the blank display and call IE again to get to the site I wanted. This consistently happened until I uninstalled ExploitShield. Then, IE returned to normality.
    The 64-bit version of IE9 has always worked fine with ExploitShield.

  2. MegaMoofa said on October 1, 2012 at 8:21 am

    I downloaded it 09/28/12, it seemed to work fine insofar as test/wild exploits I found; I read at Wilder’s some issues re drivers, so on a lark I downloaded a few video/file downloaders; of them, indeed, “Express Files” when opened immediately knocks out ExploitShield and the little “Z” tray icon; try as I might ExploitShield would not re-open at all until Express Files was removed from the 64-bit Windows 7 Home Premium machine. Considering although Express Files isn’t an exploit per se but can deliver everything that IS exploitable, plus so easily foils ExploitShield, perhaps it might be better to say it’s 100% effective only if you use an internet device as it comes off the shelf.

  3. Gonzo said on September 29, 2012 at 9:21 am

    LUA + SRP has been 100% effective against all known 0-day and drive-bys since it was introduced in XP Pro. That’s an undeniable fact. Its successor SUA + Applocker is even better. POCs have been discovered but never exploited in the wild. It’s too bad the security theater is so loud because real security is actually built in, you just need to turn it on.

    This software looks like it’s effectively sandboxing apps. Sandboxie, GeSWall and Defensewall do something similar.

    Nice find, thanks Martin. Gonna head over to Wilders and see what’s what.

  4. Richard Steven Hack said on September 28, 2012 at 8:19 pm

    I agree one hundred percent with Morely Dotes above: The claim is one hundred percent ruminant evacuation.

    Of course, it’s not surprising that this sort of “security snake oil” is being touted; this is common in the infosec industry where every day some new appliance is released which claims to make your network “secure” against everything.

    The reality, as has been established by numerous talks at infosec conferences by penetration testers and security researchers, is that most of these things not only do not protect you from “everything”, they can usually be bypassed fairly easily, and worse, frequently provide an even GREATER “attack surface” than you had to begin with!

  5. Morely Dotes said on September 28, 2012 at 7:25 pm

    “protect against all known and unknown zero-day arbitrary code execution vulnerability exploit attacks.”

    Bullpuckey. The only way to do that is to turn off the computer and disconnect it from all networks.
