Author Topic: Can ExploitShield browser version be used next to avast resident av?  (Read 66483 times)


Offline CraigB

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #30 on: October 06, 2012, 08:50:07 PM »
I've been following this thread:
http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=2&t=51&p=183#p183

And have also replicated the issue with the "Help Center".
 Z did Block and quarantine the file:OLEAUT32.dll  ???
I noticed this yesterday but it was only blocked for me, nothing was quarantined and right clicking the tray icon and stopping the shield allowed access for help support to work - but it all works fine for me today :)

Offline polonus

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #31 on: October 06, 2012, 08:54:01 PM »
I had one occasion that ExploitShield browser started up (as I experienced through Task Manager) but did not show up in the taskbar.
After a reboot everything went back to normal. Exploit Shield is the first to start up...
The log windows says Opera locked, but I have no Opera installed on my OS. Could this mean another user agent is being protected?
The normal logs from the program file does not mention any Opera,

polonus

P.S. Understand Opera is just an example of what is being protected by the tool in general..
« Last Edit: October 06, 2012, 09:35:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline schmidthouse

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #32 on: October 06, 2012, 08:55:11 PM »
Quote from: CraigB on October 06, 2012, 08:50:07 PM
I've been following this thread:
http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=2&t=51&p=183#p183

And have also replicated the issue with the "Help Center".
 Z did Block and quarantine the file:OLEAUT32.dll  ???
I noticed this yesterday but it was only blocked for me, nothing was quarantined and right clicking the tray icon and stopping the shield allowed access for help support to work - but it all works fine for me today :)

Thanks craig.
I'm trying to ascertain if there will be noticeable issues from file being quarantined.
Not sure about some 'hanging'. ??? :)

Offline CraigB

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #33 on: October 06, 2012, 09:11:12 PM »
I also had one instance of ES not being visible in the task bar polonus, I killed the process through Task Manager and re-started it and it has been fine ever since ???

schmidthouse I have noticed a few hangs here and there and by removing WinPatrol Plus this morning they seem to have disappeared, no hangs for at least 18 hours so I think I've solved my own hanging problems but whether the same applies to any of the others ???

I also discovered on my other test system that if Kingsoft free AV is installed with ExploitShield that system will freeze and stay frozen, hard shutdown is all that worked and removed Kingsoft in safe mode.

Offline schmidthouse

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #34 on: October 06, 2012, 09:22:01 PM »
Well you know what 'hangs' are like, sometimes it can just be impatience :-\
Anyway I don't see myself uninstalling Winpatrol +.......I like it ::) ;)

Offline CraigB

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #35 on: October 06, 2012, 09:32:37 PM »
Quote from: schmidthouse on October 06, 2012, 09:22:01 PM
Well you know what 'hangs' are like, sometimes it can just be impatience :-\
Anyway I don't see myself uninstalling Winpatrol +.......I like it ::) ;)
I don't usually have to worry about being impatient on my systems, I can sometimes have over a hundred and twenty processes running with no slow downs ( hangs ) whatsoever, it's purely conflicts causing it.

WinPatrol will go back on it time, just troubleshooting :)

Offline polonus

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #36 on: October 06, 2012, 09:54:16 PM »
Hi folks,

You know what a beta stage is for. Going over the tool to just establish what essential functionality is missing. It is bare bones we are examining now.
If for bugs and fuzzing we have to consider Borland Delphi RTL for that the program-dll was written in. SysUtils is needed to examine the project further.
See: http://www.delphibasics.co.uk/ByUnit.asp?Unit=SysUtils
madCodeHook is being used and unfortunately this has been misused/abused in malware/adware/spyware etc. It is Win32.hooker and sometimes flagged as PUA/PUP. That is why they stopped the commercial version of that software. This could be a nuisance on uninstall for could be worse as to get rid of a virus with drivers removed (so in that phase we might need essexboy, jeffc etc. but it is too early to contemplate such routines), I just go on to report what I grasp from the code, my friends. Microsoft's Detours API could be a good portable replacement if madCodeHook would give persistent problems.
Then we have a DEPprocessPolicy Chromium issue.
With
                 MITIGATION_DEP |
                 MITIGATION_DEP_NO_ATL_THUNK |
                 MITIGATION_SEHOP;
We should have
                 mitigations = MITIGATION_STRICT_HANDLE_CHECKS |
                               MITIGATION_EXTENSION_DLL_DISABLE |
                               MITIGATION_DLL_SEARCH_ORDER;

@craigb,
Read on that bug you experienced once and I experienced this : http://borland.newsgroups.archived.at/public.delphi.rtl.win32/200711/0711282085.html
posting on Newsgroup by Anders Balslev, due to an Access violation....

That is all so far,

polonus
« Last Edit: October 06, 2012, 10:05:54 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #37 on: October 07, 2012, 02:45:14 PM »
On anti malware measure taken for malcode hook:
Quote
Anti malware misuse tricks

In order to stop malware programmers from misusing madCodeHook, I've added a number of security tricks to madCodeHook 3.0:

(1) You need to sign the kernel mode drivers yourself. Most malware programmers will probably lack a valid Verisign certificate. And even if they have such a certificate, it can be revoked if it's used to create malware. And it can also be easily used as a search criterion for security applications.

(2) The driver strictly refuses to inject any dlls which were not made known to the driver at build/configuration time. This makes sure that a malware programmer can not misuse your driver to inject his own dlls.

(3) When your application tells the driver to inject a specific dll, the driver calculates a hash of your exe file and stores that together with the injection request information. The driver later only accepts a "stop injection" request from a process if the exe file has the same hash as the one which started the injection. This makes sure that a malware process can not simply hack into the application/driver communication to stop your dll from being injected.

(4) Even if you configure your driver to support being stopped (safely), a stopping request is only accepted by the driver if it was issued by the driver injection API. Stopping the driver through the normal service/driver OS APIs is blocked. Furthermore the driver accepts a stop request only if no dll injection requests are active. This should make sure that a malware process can not simply stop your driver behind your back.

quote link: http://help.madshi.net/mchInjDrv.htm  author Mathias Rauen

polonus
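The quoted driver rules (2), (3) and (4) can be read as one access-control policy. The following is an added model of that policy, written for this thread and not code from madCodeHook or ExploitShield; the class, the DLL name and the exe images are constructed stand-ins, and SHA-256 stands in for whatever hash the real driver uses.

```python
import hashlib
from dataclasses import dataclass, field


# Constructed model of the madCodeHook 3.0 driver policy quoted above:
# the "driver" only injects DLLs fixed at build time (2), binds each
# injection request to a hash of the requesting exe (3), and accepts a
# stop request only via its own API and only when no injection is
# active (4). Nothing here touches a real driver; all names are invented.
@dataclass
class InjectionDriver:
    allowed_dlls: frozenset                         # DLL names baked in at build time
    stoppable: bool = False                         # may the driver be stopped at all?
    active: dict = field(default_factory=dict)      # dll name -> owner exe hash

    @staticmethod
    def exe_hash(exe_bytes: bytes) -> str:
        """Hash of the requesting exe image (SHA-256 as a stand-in)."""
        return hashlib.sha256(exe_bytes).hexdigest()

    def inject(self, dll: str, requester_exe: bytes) -> str:
        # (2) refuse any DLL that was not configured into the driver
        if dll not in self.allowed_dlls:
            return "rejected: unknown dll"
        # (3) remember which exe started this injection
        self.active[dll] = self.exe_hash(requester_exe)
        return "ok"

    def stop_injection(self, dll: str, requester_exe: bytes) -> str:
        if dll not in self.active:
            return "rejected: no such request"
        # (3) only the exe that started the injection may stop it
        if self.active[dll] != self.exe_hash(requester_exe):
            return "rejected: exe hash mismatch"
        del self.active[dll]
        return "ok"

    def stop_driver(self, via_injection_api: bool) -> str:
        # (4) stop only through the injection API, only if configured
        # stoppable, and only when no injection request is active
        if not via_injection_api:
            return "rejected: service control path blocked"
        if not self.stoppable:
            return "rejected: driver not stoppable"
        if self.active:
            return "rejected: injection requests still active"
        return "ok"
```

A second process with a different image hash cannot cancel the first process's injection, and a stop through the service control path is refused regardless of who asks.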

Offline polonus

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #38 on: October 07, 2012, 05:59:40 PM »
Sys file checks the Microsoft Boot Up Kernel, known to be vulnerable to w32.bolzano malware and variants....
As Panda detects W32/Bolzano.5396.A cleanses this malware (a simple file infector indeed, this is the dropper, and avast detects as Win32:Bolzano-E, but some variants were missed by Nod32 as "probably unknown WIN32 virus"), and we deal here with two former Panda coders, so I could have expected ntosklm.exe to appear in the proggie.

Yes, my good friends, we will go on with dissecting this stand-alone beta-tool,

yours truly,

polonus
« Last Edit: October 07, 2012, 06:10:24 PM by polonus »

Offline MrMaxaMan

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #40 on: October 08, 2012, 01:47:14 AM »
I've been using it for the last few days, no problems so far.
Avast Free 20.3.2405 - Comodo 12.2.2.7036 Firewall with D+ - Winpatrol Free.
On demand - MBAM - Super Antispyware.
Windows 10 64bit - 16GB Ram.

Offline schmidthouse

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #41 on: October 10, 2012, 06:12:02 PM »
Some of our guys (Polonus maybe) probably have caught these possibilities( flaws) in getting by ES ??? :-\
Apparently fix is in next beta build.
Just interesting 8)
http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=13&t=61

Offline polonus

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #42 on: October 10, 2012, 07:47:18 PM »
Hi schmidthouse,

Apparently more development, testing and hardening will be necessary for this standalone tool.

For me it has been clear from the outset that this could only be an additional tool to the anti-malware tools one combines.

I have the following main formula, resident avast av with the avast shields, several on-demands SAS, MBAM, ongoing RUBotted, in-browser security extensions (script blocker, KISS, specific ABP subscription list(s), GoogleSafe Browsing, Bitdefender's TrafficLight, WOT, M86 Secure Browsing, Cookie Manager, malicious script detector extension, web beacon detector extension, DNT like extensions, etc. Together with a good updating routine for OS and 3rd party software and additional safehex measures and "sufficient enough grains of common sense", I think browsing could be the pleasant experience as it should be for everyone. So we will follow all development on Z with curiosity,

greets,

polonus
« Last Edit: October 10, 2012, 07:50:08 PM by polonus »

Offline schmidthouse

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #43 on: October 10, 2012, 07:50:33 PM »
Yup.  ;) :)

Edited: Wish I knew more about writing 'code'. Just seems like a pretty basic work around to get by ES. I don't know ???
« Last Edit: October 10, 2012, 07:53:06 PM by schmidthouse »

Offline polonus

Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #44 on: October 10, 2012, 11:47:49 PM »
Hi schmidthouse,

Yes, fooling ExploitShield in that manner seems to be a bit elementary, to mention it politely, as that circumvention method just bypassing a "static" detection method. Booh, klutz, .....and the coders would say: "Oh my great grandfather's, what is this?....
I have sent you a PM where I explain the various problems and some particulars of "improving" on coding " __CxxFrameHandler3" with dynamic linking in mind which is not being exported, building links from ExportShield.dll to other dll's, should be reading event logs, yes should be....

pol
« Last Edit: October 11, 2012, 12:03:34 AM by polonus »