Exploit Shield
Introduction
In computer security and exploitation work we come across many security tools. Some are genuinely useful; others you install and uninstall again within a few days. Recently the antivirus company F-Secure has released an application called Exploit Shield, which is aimed primarily at giving dynamic protection against zero-day exploits. I will not go into a deep analysis of its internal mechanism, but I will give an overview of the tool and how it works in the sections that follow.
Overview
F-Secure Exploit Shield is written entirely in C and C++ (using GFx libraries) and is designed to protect the machine both reactively and proactively. The detection and defence scheme can be chosen by the end user: the tool can be configured either to keep track of attack logs only, or to protect the machine immediately as soon as it detects malicious activity. It is currently developed for Windows only and is in beta, so many new features are still to be added and many bugs remain to be fixed. The product can be downloaded free of charge from the F-Secure Labs page. It comes with a straightforward installer and installs in under a minute. It uses little CPU, and hooks itself into the system once installed on your Windows box.
Tech Overview
Once installed, the application hooks itself into the system APIs. It then monitors the user's activity and alerts on, or blocks, exploitation of unknown client-side vulnerabilities that could affect the system. It checks for generic shellcode patterns and for malicious IE/Firefox objects that compromise system security. It also monitors the user's browsing, and if malicious code is found in the current web page it either blocks the attack and shows an alert in the victim's browser (IE/Firefox), or logs the attack details to a log file that the user can inspect later and act upon. Because it intercepts calls between the browser and the system APIs it has hooked, it slightly slows down page rendering, but the slowdown is insignificant and can be ignored; security matters at the end of the day. When it blocks an attack it immediately shows an alert in the browser itself, giving the exploit type and its details. The tool is basically aimed at blocking most browser vulnerabilities, and against the Internet Explorer vulnerability covered by Microsoft Security Advisory 961051, which is rated critical, it does the job very well.
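To make the "generic shellcode pattern" check concrete, here is an added example in Python. It is my own illustration, not F-Secure's code; the article does not describe Exploit Shield's actual signatures or hooks. It models two generic checks a browser-exploit blocker can apply to page content: decoding runs of %uXXXX escapes into the UTF-16LE bytes the browser would place in memory and looking for a long single-byte sled, and spotting the string-doubling loop used to spray the heap. The thresholds, the filler-byte set and the two sample pages are constructed for the example, and the log/block decision mirrors the two user-selectable modes described above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples (not real exploit code): a benign page and one that uses the
# classic unescape()-based heap-spray idiom with a 0x90 NOP sled.
BENIGN_PAGE = """<html><body><script>
var greeting = "hello world";
document.write(greeting);
</script></body></html>"""

SPRAY_PAGE = """<html><body><script>
var sled = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var payload = unescape("%u4141%u4242");
while (sled.length < 0x100000) sled += sled;
var blocks = [];
for (var i = 0; i < 256; i++) blocks[i] = sled + payload;
</script></body></html>"""

# A run of at least eight consecutive %uXXXX escapes inside one string literal.
UNICODE_ESCAPE_RUN = re.compile(r'(?:%u[0-9a-fA-F]{4}){8,}')
# The grow-until-size loop that fills the heap: while (x.length < 0x...) x += x;
SPRAY_LOOP = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*0x[0-9a-fA-F]+\s*\)\s*\1\s*\+=\s*\1')
# Byte values commonly used as single-byte sled fillers (assumed set for this example:
# NOP, plus 0x0c/0x0d/0x0a, which double as harmless instructions and spray addresses).
SLED_BYTES = {0x90, 0x0c, 0x0d, 0x0a}
MIN_RUN = 16  # identical bytes in a row before we call it a sled (assumed threshold)


def decode_unicode_escapes(text: str) -> bytes:
    """Turn a %uXXXX run into the bytes the browser stores for that JS string (UTF-16LE)."""
    out = bytearray()
    for code in re.findall(r'%u([0-9a-fA-F]{4})', text):
        value = int(code, 16)
        out.append(value & 0xFF)   # low byte first: little-endian UTF-16 code unit
        out.append(value >> 8)
    return bytes(out)


def longest_byte_run(data: bytes) -> Tuple[Optional[int], int]:
    """Return (byte_value, run_length) for the longest run of one repeated byte value."""
    best_val, best_len = None, 0
    cur_val, cur_len = None, 0
    for b in data:
        if b == cur_val:
            cur_len += 1
        else:
            cur_val, cur_len = b, 1
        if cur_len > best_len:
            best_val, best_len = cur_val, cur_len
    return best_val, best_len


def scan_page(html: str) -> List[Dict[str, str]]:
    """Run the generic checks over page content and return a list of findings."""
    findings: List[Dict[str, str]] = []
    for m in UNICODE_ESCAPE_RUN.finditer(html):
        data = decode_unicode_escapes(m.group(0))
        val, run = longest_byte_run(data)
        if run >= MIN_RUN and val in SLED_BYTES:
            findings.append({'rule': 'nop_sled',
                             'detail': f'{run} x 0x{val:02x} bytes decoded from %u escapes'})
    if SPRAY_LOOP.search(html) and 'unescape(' in html:
        findings.append({'rule': 'spray_loop',
                         'detail': 'unescape() string doubled in a while-loop to a fixed size'})
    return findings


def decide(findings: List[Dict[str, str]], mode: str) -> str:
    """Model the two user-selectable modes: 'log' only records, 'block' stops the page."""
    if not findings:
        return 'allow'
    return 'block' if mode == 'block' else 'log'


if __name__ == '__main__':
    for name, page in (('benign', BENIGN_PAGE), ('spray', SPRAY_PAGE)):
        hits = scan_page(page)
        print(name, decide(hits, 'block'), hits)
```

Both checks are deliberately generic: they key on how shellcode is staged in the browser rather than on any one vulnerability, which is what lets a tool of this kind act on an exploit before a signature for it exists. Real exploit kits obfuscate the escape runs and the loop, so a production blocker hooks the script engine and memory allocator rather than scanning page text, but the decision logic is the same.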
Pros
- Real-time monitoring of the user's browsing activity and immediate action on any detected attack.
- The installer and the application are very user-friendly and self-explanatory.
- Updates its attack-detection modules automatically from the F-Secure server, so the end user does not have to update it manually as some applications require.
- Catches most of the known IE and Firefox vulnerabilities in real time.
- Detects malicious ActiveX controls and applies hot patches immediately, so the user does not have to set the registry kill bit by hand (the Compatibility Flags value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) to block execution of that specific ActiveX object in Internet Explorer.
Cons
- On uninstall, the application reboots Windows immediately without any warning, whereas it should let the user choose whether to reboot now or later.
Conclusion
As the tool is still in beta, many new features and modifications are still required and will be added in future releases. Even so, it should be a must-have for anyone who is really concerned about security, as it is very lightweight and very user-friendly.
Sujit Ghosal
sghosal@secpod.com
Security Research Analyst