ExploitShield - A brand-new security program...

A new company called ZeroVulnerabilityLabs says that it has solved the Gordian knot of exploits, slicing through the complicated, Hydra-headed problem with a single stroke from a software weapon it calls ExploitShield.

Available exclusively today from Download.com, the first ExploitShield Browser Edition beta (download) appears to stop all manner of exploits, from those affecting browsers directly to browser plug-ins like PDF readers, Flash, and Java, to Microsoft Office components, to a handful of media players. The potential for raising the level of computer security here is huge, as a vast number of threats are actually mutations of malware, sold in kits like BlackHole, exploiting the same security holes in the same security programs.

The Windows-only ExploitShield is freeware for individuals and non-profits, part of ZeroVulnerabilityLabs’ attempt to prove that the technology is so important that it’s worth giving away. The company is working on a licensed version for businesses, although they don’t have a timeline for its release yet.

Read more: CNET: Product reviews, advice, how-tos and the latest news

How is this different from EMET ???

Both EMET and ExploitShield have different approaches and techniques to prevent software vulnerability exploits. Ideally you should use both to have the best available protection against malicious exploits. Everybody should install EMET as well as ExploitShield to have the highest level of protection against exploit kits. - Zerovulnerabilitylabs

You can check their website for more details:


I can’t give you an easy answer as the company won’t tell you how it really works but it is very similar to Kaspersky exploit protection. You can search more details on EMET and ExploitShield and find many forums about it. Hope this helps.

New very good info about it:


It is still not clear to me how it works. I would expect it to protect against buffer overflows.

Same here. As I said they are not keen to share info on how their technology works for now. All they say it works with everything including EMET and it’s a must have and I agree. It’s install and forget application. My personal understanding on how it works so far? Just like AV only against exploits in real-time protection on the web (unlike EMET on the system) by finding complicated malicious algorithms and blocking them.

To answer some of the questions posted:

  • ExploitShield is not at all like Kaspersky exploit prevention. In fact Kaspersky’s exploit prevention uses some of EMET’s techniques if I’m not mistaken. So its more similar to EMET than to ExploitShield.

  • Yes it does protect against buffer overflows and other types of exploits.

  • Regarding explaining how it works there are many reasons not to do so (competition, patent-pending limitations, bad guys, etc.). For example I’m sure Comodo doesn’t publish details of its unpacking algorithms, behavioral decision trees, emulation engine or generic signatures for competitors and bad guys to study them, do they?

Finally! I wanted to invite you guys to post here! And here you are before I even done anything! You are so proactive! I saw you across the whole net posting in many forums! Well-done! You really care about your product. Thank you for your time and answers.

Well it seems to have been tested…

Thanks for the link but I don’t agree with that guy. First of all ExploitShield is in BETA. It’s a wrong time to test just like CIS 6. A lot of improvements are coming. Also he just looks at ExploitShield as the only thing which protect your system wrong! The best security is layered security! Can the exploit beat CIS, EMET and ExploitShield together? It will be very hard.

I don’t think they were testing it in that sense, they seem to have decompiled it and attempted to analyse it.

Wrong time? I think the article is clear about the motivation…

.. ExploitShield has been marketed as offering protection “against all known and unknown 0-day day vulnerability exploits, protecting users where traditional anti-virus and security products fail.” ..
.. they seemed to be looking at overall approach behind that claim. Will that change because of the release status? :-\

Thanks for the comments Seany007. From our perspective there are a lot of wrong assumptions on the part of Trail of Bits:

1- Most of the critique is directed at the interception mechanism and its bugs. While their conclusions in this respect are mostly correct, as Seany007 said this is beta and the interception mechanism is the least of our worries right now. The objective of this beta is to test the protection algorithms in real-life against exploits in the wild, which seem to be doing its job correctly as per the results at http://www.zerovulnerabilitylabs.com/home/services/security-intelligence/

2- The critique by Trail of Bits of the protection algorithms, which is the important part of ExploitShield, is actually completely incorrect. When they reversed engineered ExploitShield they made some mistakes which resulted in reaching the wrong conclusions. More details at the end of our reply at http://www.zerovulnerabilitylabs.com/home/the-objective-of-exploitshield-beta/

3- Finally Trail of Bits concludes that ExploitShield will never be useful as it can be bypassed. Such a generalist comment belongs in a yellow journalism type magazine rather than a serious researcher. Of course any software can be bypassed. ANY SOFTWARE. By the same token if we listen to Trail of Bits then users should not be using antivirus, HIPS, firewalls or any other security mechanism as they can be bypassed as well. ExploitShield, as we’ve always said, is designed to be used alongside other security mechanisms such as antivirus and EMET in a layered approach in order to provide a higher level of security.

Replaced short url, as those are against forum policy.

Edit zerovulnlabs:
“lot” vs “log” 1st paragrpah.
Thanks kail for PM and improvements to the account. For some reason I can’t reply to your PM. Says I already sent a PM 1 second ago (which is not correct).
Thanks Ronny for clarifying policy of short URLs.

Hi zerovulnlabs,

Thanks for your time and clarifications (including posts I’ve read in other forums)

As for “1 second” message we can get it not only in PM area but in the main forums here as well
That is just a lil bug in this forum Software.
The best way to “fix it” is to clear browser’s cache, log in and post/PM again

Best wishes

Thanks for the tip SiberLynx! :-TU

Thank you for visiting and spilling some of the beans and further explanation.

A question I would like to see answered how does ExploitShield compare to the BO detection of CIS? Does it add, does it overlap and how do the two perform when getting the same exploits to handle?

I’m sorry I’m not familiar with CIS BO protection so I can’t really speak of the differences. I can say that ExploitShield protects against a lot more types of exploits than just BO-based.

Can you elaborate a bit more on what other attack vectors it protects (without unveiling the underlying (patent pending) technologies)? I am curious to whether some of those functions would be present in CIS HIPS.

May be one day a tester compares (CIS with) BO and Exploit Shield. I am just curious to learn more about this product, how it works, how it compares with and differs from CIS.

You can’t really compare it against protections which focus on the vulnerability itself such as BO protections or IDS signatures. In the case of ExploitShield we protect the application itself, by preventing the exploit from dropping and running the payload on the system. As such we don’t really care about the vulnerability itself and whether it is a BO, heap spray, sandbox bypass, etc. That’s why our philosophy is to protect against any and all types of remote code execution vulnerabilities (even though that’s a strong sentence) without having to worry about identifying each type of vulnerability or each malware payload binary.

CIS does not have an IDS but an IPS (Intrusion Prevention instead of Intrusion Detection). It protects executables from both system and regular application with HIPS and BO detection (and signature based when having cloud lookup enabled in D+ or with the AV enabled).

CIS and Exploit Shield are kindred spirits in the sense that they prevent the infection by not using signatures but by keeping a keen eye on what happens beneath the Windows surface and being able to stop the infection proactively and not after the fact. After the fact handling is how signature based solutions like AV and IDS work.

Needless to say that as Comodo user I prefer preventing an infection by proactive technology over reactive signature based solutions.

How can you analyze something without testing esp security products? That’s simply called speculating.