Cisco Security Agent (CSA) and Entercept both had "0day protection."
See phrack #62 for trivial ways to bypass it. Generic methods for 0day
protection, like hooking functions called by shellcode, will always
fail. It always seemed to me the vendors that tout 0day protection are
the same vendors that do not have deep research teams to keep up with
demand.
On Mon, 09 Aug 2004 13:55:27 -0400, Ali-Reza Anghaie
<ali@packetknife.com> wrote:
On Sun, 2004-08-08 at 21:47, Teicher, Mark (Mark) wrote:
What is Zero Day Protection, I think I understand the definition of Zero
Day Exploits. But what is Zero Day Protection? Another marketing blurb
or it can vendors actually offer zero day protection?
A vulnerability is frequently known before a real-world exploit/script.
So vendors are now protecting against potentials using their home-grown
methods. Netscreen, TippingPoint, McAfee and others are into this
market.
They call this 'zero day' protection because no canned exploit is
available at the time of release. They can protect against future
exploits, hopefully, by looking for traffic that resembles a workable
exploit.
Cheers, -Ali
--
OpenPGP Key: 030E44E6
--
Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
--
I consider forced-full-duplex to be a serious issue somewhere
between "..and these cars have the brake pedal on the right" and "we
decided to put the drinking water in the brown jugs, and the 'other'
water in blue". You won't necessarily die right away, but it isn't
healthy. -- Donald Becker
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
