Re: Definition of Zero Day Protection

[David Maynor <dmaynor () gmail com>]

Cisco Security Agent (CSA) and Entercept both had "0day protection."
See phrack #62 for trivial ways to bypass it. Generic methods for 0day
protection, like hooking functions called by shellcode, will always
fail. It always seemed to me the vendors that tout 0day protection are
the same vendors that do not have deep research teams to keep up with
demand.

On Mon, 09 Aug 2004 13:55:27 -0400, Ali-Reza Anghaie
<ali () packetknife com> wrote:
> On Sun, 2004-08-08 at 21:47, Teicher, Mark (Mark) wrote:
> > What is Zero Day Protection, I think I understand the definition of Zero
> > Day Exploits.  But what is Zero Day Protection?  Another marketing blurb
> > or it can vendors actually offer zero day protection?
>
> A vulnerability is frequently known before a real-world exploit/script.
> So vendors are now protecting against potentials using their home-grown
> methods. Netscreen, TippingPoint, McAfee and others are into this
> market.
>
> They call this 'zero day' protection because no canned exploit is
> available at the time of release. They can protect against future
> exploits, hopefully, by looking for traffic that resembles a workable
> exploit.
>
> Cheers, -Ali
>
> --
> OpenPGP Key: 030E44E6
> --
> Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
> --
> I consider forced-full-duplex to be a serious issue somewhere
> between "..and these cars have the brake pedal on the right" and "we
> decided to put the drinking water in the brown jugs, and the 'other'
> water in blue". You won't necessarily die right away, but it isn't
> healthy. -- Donald Becker

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------