Introduction
In the arena of computer security and exploitation world, we come across many security tools. Some of them are quite useful; for some, you have to plug them in and out in a few days. However, the antivirus company F-Secure developed an application called Exploit Shield, which is mainly prioritizing for giving dynamic protection to Zero-Day vulnerabilities. I won’t go that much of a deep analysis of its internal mechanism but I will be discussing an overview of this tool, how this works etc., in the next phase. A good vulnerability management tool can also assist in maintaining a secure environment.
Overview of exploit shield
F-Secure Exploit Shield is a tool developed completely in C and C++ (using GFx libraries), designed to protect the machines responsively and proactively. And the scheme/type of detection and defense method can be set by the end user. If the user wants to keep track of the attack logs only or if the user wants to protect the machine immediately once it detects any malicious activities, which can be customized through this tool. This tool is currently in development for Windows Box, and it’s in Beta state as lots of new features adding and lots of bugs need fixing! This product downloading from their lab’s page for free. It comes with a straightforward installer and installs in less than one minute. Once you install the application in your win box, it takes less resources from your CPU and hooks itself into the system. Vulnerability Management System can help protect your organization.
Tech Overview of exploit shield
Once the application installation into the system, it becomes hooked into the system APIs. Then it starts monitoring the user’s activities and alerts/blocks any unknown client-side vulnerabilities which may affect the system. It checks for generic shellcode patterns and malicious IE/Firefox objects affecting system security. It also monitors the user’s browsing activities, and if any malicious code is present on the current web page, then either it blocks the attack by showing an alert in the victim’s web browser (IE/Firefox) or it will log the attack details in a log file which can be verified by the user later and take proper actions against it.
As it hooks into the system APIs so it slightly slows down the rendering speed of pages as it works as a MITM (Man-in-the-middle) communication between the user and the browser, but the page rendering speed is quite insignificant and can be ignoring as security matters at the end of the day! Once the exploit shield blocks any attacks, it shows the browser alert immediately, having the exploit type and its details. This tool is basically aiming at blocking most of the browser vulnerabilities. And as per the current Microsoft Security Advisory (961051), which declares a critical vulnerability, this tool does well in blocking those vulnerabilities.
Pros
- Real-time monitoring of user browsing activities and immediate action on the detected attack.
- Installer and Application are very user-friendly and self-explanatory.
- Updates the attack detection modules automatically from the F-Secure server so that the end-user doesn’t have to care about updating it manually as some application does.
- Catches most of the known IE and Firefox vulnerabilities in real time.
- Feature to detect malicious ActiveX controls and apply the hot patches immediately so that the user doesn’t have to follow the manual processes to set the registry to kill bit values to block that exact ActiveX object execution in Internet Explorer.
Cons
- While uninstalling, the application reboots Windows immediately without any alerts, whereas it should let
the user reboots the system at a later time or immediately.
Conclusion for exploit shield
As we know, the tool is still in a Beta state. So many new features and modifications are still in requirement. Which is present in the next releases. But this tool should be a must-have for everyone concerned about security as it’s very lightweight and user-friendly.
Sujit Ghosal
[email protected]
Security Research Analyst