Author Topic: Can ExploitShield browser version be used next to avast resident av?  (Read 66475 times)


Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5605
  • Spartan Warrior
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #75 on: November 03, 2012, 05:24:46 AM »
As I am now scanning for possible Gen:Variant.Tdss14 files, this post will be updated when that is done.

I did kill ExploitShield.exe process before I attempted to uninstall via Add/Remove:  I did not use Revo Uninstaller for the very reasons listed above.
An additional note:  It was very easy to kill the ExploitShield.exe process just by exiting the Z icon in the system tray.  Whether this was by design or not, it would seem that some hardening of the running process would need to be made to ensure that it would continue to run in case a system was attacked by malware designed to stop this process.
Also found a registry key (invalid) pointing to _ui14D2N.tmp found by CCleaner, removed that as well today.

As I am doing an extended search (hidden files/hidden folders) (edit: also system files and folders) for files listed here, it is going to take a bit of time:  http://v.tw.virscan.org/Gen:Variant.Tdss.14.html

EDIT:  Yes, virSCAN scan dates are 04/18/2010.  No detections by Avast! at that time.

Will report back when search is complete.

EDIT:  As MSASCui.exe is a process run by Windows Defender, it is present in certain logs.  No other files were found.

More recent detections here:  https://www.virustotal.com/file/8850adafa94ed654693ddad951668b668536033d74c5089498f7914700e3872f/analysis/

Pol, thanks for the software link.
« Last Edit: November 03, 2012, 07:31:38 AM by mchain »

ZeroVulnLabs

  • Guest
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #76 on: November 04, 2012, 05:06:47 AM »
Wow, lots of activity since my last post. Some clarifications on the Trail of Bits and other bypass analyses of ExploitShield:

1- There are 2 main parts of ExploitShield: interception and exploit detection algorithms. The objective of beta1 is to prove that the exploit detection algorithms work as expected against exploits in the wild. So we did the interception quickly in user-land so we can prove the concept of ExploitShield in the wild. From what we are seeing every day the exploit detection algorithms work. And they work very well. People however are concentrating on trash-talking and getting publicity by bypassing the interception, which (a) is not important now and (b) will be re-done as it should be in a future beta and before final release. So rest assured, in a future beta all those "issues" will be fixed. Right now we are not concentrating on that part simply because it's not time for it yet.

2- Software will ALWAYS be able to be bypassed. The same or similar techniques that everybody is using to rant about ExploitShield can be used to bypass pretty much any antivirus or any security software. If someone publicizes some bypass technique that's all good and dandy, but most of the bypass techniques that are discovered never get used by malware because they rarely target a single product. That's why a layered approach is always more beneficial.

3- Even in its infancy ExploitShield is able to protect against all exploits which we have tested against, which are quite a few (over 5000 unique in-the-wild exploit kit URLs from all types of kits as well as hundreds of canned exploits).

4- Even though Win7/8 and EMET offer some exploit mitigation, ExploitShield uses completely different techniques. So it's possible that an exploit that bypasses EMET in the future will be caught by ExploitShield.

5- ExploitShield is still beta1 and there are more beta versions to come before final release. Things like interception, uninstaller, etc. are still being worked on.


PS: is there a way to get notified from the forum for replies to a thread? There doesn't seem to be a configuration option for that in this forum. Never mind, found it.
« Last Edit: November 04, 2012, 05:17:41 AM by ZeroVulnLabs »

luisx

  • Guest
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #77 on: November 04, 2012, 01:47:27 PM »
I thought this was an Avast forum

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #78 on: November 04, 2012, 02:12:08 PM »
@ZeroVulnLabs,

Thanks for this reply. I think you will appreciate the serious way in which we started to dissect the first beta of Exploit Shield Browser Tool. What you tell me is no surprise as that was what I also gathered from background info EP_X0FF provided about kernel level protection tools and the way they are being "brewed".
I think it is even better when developers have this info at an early beta stage to harden the tool better in various ways.
I think tools like this could have a place in layered defense next to a resident av solution like avast in this case. It is good it is a stand alone and a fine addition as it can prove itself in the anti-malware arena. It should always come in combination with safe practices like having EMET, working from a normal user account and likewise procedures. I hope it does not end as a wallflower tool like RUBotted or SpywareBlaster....

@luisx
This is the general section of the avast forum. Why can't we discuss standalone tools that are supportive of and harden our resident av solution of choice, avast? In your opinion nothing outside avast can be discussed by extension? Do you think about avast like Symantec's, that took everything aboard and became unworkable for some for that very reason?

@mchain,  _ui14D2N.tmp is a URLSearchHook leftover ...the clean up tool did not do the full job here...
Did you send that _ui14D2N.tmp to virus AT avast dot com to be checked?

polonus
« Last Edit: November 04, 2012, 02:53:32 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #79 on: November 04, 2012, 02:29:21 PM »
Quote from: luisx on November 04, 2012, 01:47:27 PM
I thought this was an Avast forum

It is. If you're not interested in further security related discussions, just ignore them. ;)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #80 on: November 04, 2012, 03:14:50 PM »
Some questions about the tool:
Is the tool robust against 'instruction re-ordering'?
Does it care about the order of instructions?
Is it also robust against 'junk-instruction insertion' and against 'instruction replacement'?
Does this also count when 'most frequently used' instructions are being replaced, for example by other instructions?
Is it also robust against 'register renaming' and 'memory re-ordering/relocation'?
Are these being considered or not? Are these locations readable or not?
Can they be inserted by junk code? What locations are reachable at run-time?
Does the disassembly algorithm apply recursive traversal, which is robust to this kind of obfuscation?
Some proposed methods: http://www.stanford.edu/~stinson/paper_notes/stat_anal/obfus_bins.txt (notes on the article by Linn and Debray (AZ), in: CCS 2003)

If we can have some positive answers here to the above questions,
we could have landed at a tool that can detect almost all exploit code...

polonus
« Last Edit: November 04, 2012, 04:11:53 PM by polonus »
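The last question in the post above, whether the disassembler uses recursive traversal, is the one that can be demonstrated most directly. The following is an added example, not code from this thread or from ExploitShield: it runs a linear-sweep and a recursive-traversal disassembler over a constructed byte string in a toy 8-bit instruction set (the opcodes, lengths and the sample bytes are assumptions made for illustration, not x86). A junk byte is planted right after an unconditional jump, the trick from the Linn and Debray paper. Linear sweep decodes the junk byte as the start of a bogus instruction and mis-aligns the real one behind it; recursive traversal follows the jump and never sees the junk.

```python
"""Linear sweep vs. recursive traversal on a toy ISA with a planted junk byte.

Added example for illustration only. The instruction set is a constructed
8-bit toy ISA (an assumption of this example), not a real architecture.
"""
from collections import deque

# opcode -> (mnemonic, total length in bytes, control-flow kind)
ISA = {
    0x00: ("NOP", 1, "fall"),
    0x01: ("MOV", 3, "fall"),   # MOV reg, imm8
    0x02: ("JMP", 2, "jmp"),    # JMP rel8 (relative to the next instruction)
    0x03: ("JZ", 2, "cond"),    # JZ rel8  (taken or fall-through)
    0x04: ("CALL", 2, "call"),  # CALL rel8 (target and return address)
    0x05: ("RET", 1, "ret"),
    0x06: ("ADD", 3, "fall"),   # ADD reg, reg
}


def decode(code, off):
    """Decode one instruction at off -> (mnemonic, length, kind, branch target)."""
    op = code[off]
    if op not in ISA or off + ISA[op][1] > len(code):
        # Unknown opcode or truncated operands: report one invalid byte.
        return ("INVALID", 1, "fall", None)
    mnemonic, length, kind = ISA[op]
    target = None
    if kind in ("jmp", "cond", "call"):
        rel = code[off + 1]
        rel = rel - 256 if rel > 127 else rel  # signed rel8
        target = off + length + rel
    return (mnemonic, length, kind, target)


def linear_sweep(code):
    """Decode byte after byte from offset 0, trusting every decoded length."""
    out, off = [], 0
    while off < len(code):
        mnemonic, length, _, _ = decode(code, off)
        out.append((off, mnemonic, length))
        off += length
    return out


def recursive_traversal(code, entry=0):
    """Decode only what is reachable by following control flow from entry."""
    seen, work = {}, deque([entry])
    while work:
        off = work.popleft()
        if off in seen or not 0 <= off < len(code):
            continue
        mnemonic, length, kind, target = decode(code, off)
        seen[off] = (mnemonic, length)
        if kind == "jmp":
            work.append(target)               # unconditional: only the target
        elif kind in ("cond", "call"):
            work.extend((target, off + length))  # both successors
        elif kind == "fall":
            work.append(off + length)
        # "ret": no static successor
    return [(off, m, l) for off, (m, l) in sorted(seen.items())]


# Constructed sample program (an assumption of this example).
SAMPLE = bytes([
    0x02, 0x01,        #  0: JMP +1     -> jumps over the junk byte at 2
    0x01,              #  2: junk byte: looks like a 3-byte MOV to a linear sweep
    0x01, 0x00, 0x07,  #  3: MOV r0, 7  (real instruction, hidden from linear sweep)
    0x03, 0x01,        #  6: JZ +1      -> 9, falls through to 8
    0x05,              #  8: RET
    0x06, 0x00, 0x01,  #  9: ADD r0, r1
    0x05,              # 12: RET
])

if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(SAMPLE)),
                          ("recursive traversal", recursive_traversal(SAMPLE))):
        print(name)
        for off, mnemonic, length in listing:
            print(f"  {off:3d}: {mnemonic:8s} ({length} byte(s))")
```

Linear sweep reports a bogus MOV at offset 2 and an INVALID byte at 5, and never lists the real MOV at 3; recursive traversal lists exactly the reachable instructions at 0, 3, 6, 8, 9 and 12. Real binaries add indirect jumps and computed call targets that recursive traversal cannot resolve statically, which is why production disassemblers combine both strategies with heuristics; the example shows only the alignment effect the question is about.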

luisx

  • Guest
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #81 on: November 04, 2012, 03:21:26 PM »
I am an Avast old timer. I just read these forums usually. I just joined today.

By the way, I have seen many times avast evangelists asking people to stop writing about other antivirus or security software, even though it was to improve security.

Sounds hypocritical.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #82 on: November 04, 2012, 03:36:56 PM »
Quote from: luisx on November 04, 2012, 03:21:26 PM
I am an Avast old timer. I just read these forums usually. I just joined today.

By the way, I have seen many times avast evangelists asking people to stop writing about other antivirus or security software, even though it was to improve security.

Sounds hypocritical.

Antiviruses are not usually discussed on the forum as that would be in direct competition with avast and this is the avast forum, though programs such as ExploitShield are not antiviruses, merely extra protection layers which can be beneficial to one's security.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48559
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #83 on: November 04, 2012, 04:14:19 PM »
@ luisx
Since ExploitShield is not a stand alone AV program but is actually designed to work with your current AV to make it
better, it's perfectly suited to be discussed in the general topic.
It's not a product that competes with Avast and is very similar to us discussing the advantages of using such other
products like Malwarebytes, Win Patrol, etc.

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #84 on: November 04, 2012, 04:26:23 PM »
Quote from: bob3160 on November 04, 2012, 04:14:19 PM
@ luisx
Since ExploitShield is not a stand alone AV program but is actually designed to work with your current AV to make it
better, it's perfectly suited to be discussed in the general topic.
It's not a product that competes with Avast and is very similar to us discussing the advantages of using such other
products like Malwarebytes, Win Patrol, etc.

+1

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #85 on: November 04, 2012, 04:43:12 PM »
Hi bob3160,

Thanks for being clear about this. In this thread I just want to come to a conclusion.
Either ExploitShield Browser Tool is a valid addition to be used next to the resident avast av solution,
or ExploitShield Browser Tool beta can be unmasked as at least overhyped
and in the worst scenario as FUD snake oil and "too good to be true".
To achieve that goal I did some explorations and I tried to get insights from comments made here and elsewhere.
So all will be clear when the tool has stood the test of time.
Either we go thumbs up or go thumbs down on this.
Too early for the final verdict....
The best you can hope for is that ExploitShield Browser Tool would be as good a concept as NoScript in browser security.
That works now and it works in the future against existing malcode and against future malcode,
because it blocks and the concept is 100% functional.
There are also exploit detecting tools as we describe here that work on that basis.
They do inspection and then filter code out and alert -
an example is the DExtor concept and this is rather fail-proof.
So I think a discussion about these issues can be rather valuable for the avast users.

polonus
« Last Edit: November 04, 2012, 04:47:44 PM by polonus »

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #86 on: November 04, 2012, 05:35:45 PM »
I have been using ExploitShield for a while now, from the time I read the article on Cnet http://download.cnet.com/8301-2007_4-57521983-12/exploitshield-appears-to-live-up-to-its-name/, that's Sept 28.

I just want to test the next version and ExploitShield Corporate Edition.

The only bug I have come across is when I launch Spotflux, it catches a Java exploit which is a false positive.

www.spotflux.com/


Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #87 on: November 04, 2012, 05:43:55 PM »
Quote from: polonus on November 04, 2012, 04:43:12 PM
Hi bob3160,

Thanks for being clear about this. In this thread I just want to come to a conclusion.
Either ExploitShield Browser Tool is a valid addition to be used next to the resident avast av solution,
or ExploitShield Browser Tool beta can be unmasked as at least overhyped
and in the worst scenario as FUD snake oil and "too good to be true".
To achieve that goal I did some explorations and I tried to get insights from comments made here and elsewhere.
So all will be clear when the tool has stood the test of time.
Either we go thumbs up or go thumbs down on this.
Too early for the final verdict....
The best you can hope for is that ExploitShield Browser Tool would be as good a concept as NoScript in browser security.
That works now and it works in the future against existing malcode and against future malcode,
because it blocks and the concept is 100% functional.
There are also exploit detecting tools as we describe here that work on that basis.
They do inspection and then filter code out and alert -
an example is the DExtor concept and this is rather fail-proof.
So I think a discussion about these issues can be rather valuable for the avast users.

polonus

Any time security-minded people and users of security software can discuss a software program that can add another layer of protection that is not redundant, this is a good thing.
I also intend to continue my testing/running of this little tool through the beta stages and I agree (in general) with the accounting and explanation provided by ZeroVulnLabs. 8)
Edit: I also think the analysis provided by polonus about the inners of ES is very enlightening and valuable.
« Last Edit: November 04, 2012, 05:45:40 PM by schmidthouse »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #88 on: November 04, 2012, 09:47:42 PM »
About the loader executable, considering

    asInvoker requested execution level

would

    "Replace a process level token"
    /SE_ASSIGNPRIMARYTOKEN_NAME/SeAssignPrimaryTokenPrivilege
    "Adjust memory quotas for a process"
    /SE_INCREASE_QUOTA_NAME/SeIncreaseQuotaPrivilege

give permission to all of the drive?

polonus

ZeroVulnLabs

  • Guest
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #89 on: November 05, 2012, 05:34:15 AM »
Thanks for the comments and for reporting the false positive. We have been working for some time on reducing those false positives and the solution will be integrated either in beta2 or beta3.

As for the techniques you outline polonus, I wouldn't worry about it now. At least for the next version or two we will be focused on engine improvements and won't get to interception improvements until later on. But we will take all your mentions into consideration once we get to that part.