ExploitShield - A brand-new security program...

I have Java disabled in my browsers (Opera and IceDragon - IE isn’t used and is blocked in Comodo’s firewall), but need Java for TV Browser.
Just installed ExploitShield, no problem with it and Comodo (so far), but TV Browser can’t start as ExploitShield doesn’t like jcom.dll which is in TV Browser.
Other than that, it doesn’t seem to affect performance.

Yes this is a known FP. There’s no simple fix for now except to stop and start ExploitShield when running TV Browser. For future versions we will add a local file/directory exclusion feature to manage these FPs.

Can applications be manually inserted into ExploitShield to be protected?

Not yet. In future versions you will.

That’s good - thanks.
It shows no sign of shielding Thunderbird Portable or Comodo IceDragon Portable (Firefox), but your later post about being able to add apps might address this issue.

I have just found this thread :o
I have a compatibility issue between ES, CIS 6 and Waterfox
I followed EricJH’s advice

If people are still facing problems with ExploitShield after they let it run as a Trusted File they can try adding ExploitShield executable (or the complete installation folder of ES) to the Exclusions of Detect shellcode injections (i.e. Buffer overflow protection).

Unfortunately the conflict remains - Waterfox slows/crashes visiting several sites, i.e. youtube, malwaretips.com etc.
IMO after CIS, ES is the most valuable app on my box, so a resolution to this conflict is greatly anticipated here
CIS 6 and ES perfect partners ;D

A bit more on IceDragon: it would appear that ES does start a shield and logs Firefox as being protected after starting Private Browsing.

More on TV Browser: when starting this, Comodo D+ tells me that tvbrowser.exe is trying to access ExploitShield.exe in memory, clicking on OK to allow this brings up D+ again with tvbrowser.jar trying to do the same thing. OK then gives ES’ notice that an exploit has been blocked BUT, earlier today, TVB was able to start after these warnings.
The log tells me that jcom.dll was sent to the quarantine folder and that it was also blocked from executing through Java (in that order), but the file in quarantine is jcom.dll_20121221-181120.zvl of zero bytes.
I can’t copy and paste the log as it doesn’t have the same information in it - is this intentional?

I’m not familiar with IceDragon at all, but if you rename the executable to firefox.exe then ExploitShield should protect it when it starts. Same goes for the plugin-container.exe sub-process, which should also be protected by ES.

In regards to the TVBrowser and the FP behaviour you are describing, it is a known issue. Simply stop ES before running TVB and then start it again afterwards.

Thanks for that - the shield is on immediately when “Firefox” is used and, to my surprise, there don’t seem to be any paths pointing at icedragon.exe that are broken by the change.

I was wondering if Comodo Internet Security 6 Behavior Blocker protected from exploits like ExploitShield. I am not sure if you need the HIPS enabled to protect from exploits. Anyone know about this? Thanks for any clarification.

Not all. I “hear” that Java exploits can bypass CIS 6. So you need some other backup such as EMET and ExploitShield. Use HIPS or BB. They both protect you at the same level for the majority of the exploits. But don’t use both, from what I know so far. Also don’t forget CIS 6 is a new kid on the block, so it needs more time to fix a few security and stability bugs, etc.

Thanks for answering my question Seany007. I was not sure if Comodo handled any exploits. I do not use java so I guess I don’t have to worry about java exploits. It is just nice to know that Comodo protects from most exploits. I chose to enable the Behavior Blocker with sandboxing set to limited.

You are welcome. Good choice you are well protected with this setting.

For people who have the latest Java installed JRE 1.7.10 you can disable the use of Java in browsers or when using it in browsers set restrictions. This will surely help to reduce attack surface.

I have added ES to trusted files
CD isn’t supported yet, is there a tweak/workaround that anyone has used to successfully add CD to ES?

Change the name of “dragon.exe” to “chrome.exe”

Thanks :-TU

OK after changing dragon.exe to chrome.exe CD won’t start either virtual or non ???

Have you changed the name of the .exe. file to firefox.exe in the path in the shortcut as well?

No I only changed the actual .exe name, how do I change the name of the .exe file to chrome/firefox.exe in the path in the shortcut as well ?
Thanks