SocketShield / protection against zero-day exploits
Smokey
April 29th, 2006, 03:47 AM
Have read this morning at the XPL Labs website:
"Zero-day exploits are traded online for financial reward. International cyber-gangs cruise the web, constantly on the lookout for software vulnerabilities to exploit. Actively seeking to make money by defrauding computer users, these gangs lurk behind the scenes on legitimate websites and use drive-by download techniques to deliver their poisonous payloads without your knowledge or permission.
Software vulnerabilities are a fact of life. What's needed is a way to prevent the bad guys from exploiting the risk window: the time between discovery and patching of a vulnerability. This risk window is getting wider as the criminals get smarter: zero-day exploits can be in circulation within minutes of a vulnerability being announced, while software companies take an average of two months to distribute a fully-tested patch.
SocketShield stops exploits from getting on to computers during the risk window. Easy to use, it protects vulnerable systems against drive-by-downloads and other web-based zero-day exploits. Developed by the people behind PestPatrol and ZoneAlarm, SocketShield delivers the first truly effective protection against zero-day exploits."
(XPL Exploit Prevention Labs (http://www.explabs.com/index.html) is a new company, founded by Thompson and Bob Bales, two former executives at PestPatrol).
Sounds good, but will SocketShield do what XPL is promising us?
What is your opinion?
gerardwil
April 29th, 2006, 04:23 AM
No opinion yet ;)
But have a screenshot.
Low in mem, no cpu.
Gerard
Smokey
April 29th, 2006, 04:26 AM
-{ Quote: "No opinion yet ;)
But have a screenshot.
Gerard" }-
Thanks for the screenshot, but I have already seen it on XPL's website itself:)
Anyway, for the other thread readers the posted screenshot is okay; at least they get a (very small) impression of what I'm talking about;)
aigle
April 29th, 2006, 02:45 PM
But what does it actually do and how does it work? It will be interesting if somebody can do some testing on it!
Smokey
April 29th, 2006, 02:51 PM
-{ Quote: "But what it actually does and how it works? Will be interesting if some body can do some testing over it!" }-
I have tried to install the stuff today.
Lots of conflicts with my ATI drivers, and it was conflicting with some other drivers too.
At the moment my DSL connection was demolished, I stopped trying the install.
IMO a pity, because I think the program has a lot of potential.
From what I understand, it's the very first beta version; I guess that's the reason for all the problems (problems on my machine; for sure other people don't have any problems at all).
Notok
April 29th, 2006, 03:15 PM
So far it's playing well with others and doesn't run with scissors ;D Doing remarkably well here so far.
-{ Quote: "At the moment my DSL connection was demolated, i've stopped to try the install." }-It installs a bunch of LSP's, likely something happened. Perhaps something else that uses LSP's that doesn't like being disturbed? You could probably use something like LSPFix, or another tool that resets the LSP chain, to get it working. I'd definitely let them know, though.
gerardwil
April 29th, 2006, 03:20 PM
-{ Quote: "I have tried to install the stuff today.
Lots of conflicts with my ATI drivers, and it was conflicting with some other drivers too.
At the moment my DSL connection was demolished, I stopped trying the install.
IMO a pity, because I think the program has a lot of potential.
From what I understand, it's the very first beta version; I guess that's the reason for all the problems (problems on my machine; for sure other people don't have any problems at all)." }-
ATI here as well and a 6 Mb DSL connection, no issues yet, but also dunno what this app is protecting me from.
Done some settings regarding ewido 4 spikes; my system now runs at 94% idle and low RAM.
Well, I try everything on this box.
Gerard
Smokey
April 29th, 2006, 03:23 PM
-{ Quote: "So far it's playing well with others and doesn't run with scissors ;D" }-
:blink: >:( ::) :)
-{ Quote: "It installs a bunch of LSP's, likely something happened. Perhaps something else that uses LSP's that doesn't like being disturbed? You could probably use something like LSPFix, or another tool that resets the LSP chain, to get it working. I'd definitely let them know, though." }-
Yep, i know.
I have played the whole afternoon with it, tried to find the real cause, eliminated some other potential trouble-makers, but no positive results at all.
On that specific terrain I'm for sure not a dumbo, I know a lot about the subject, but after 6 hours of experimenting I have surrendered::)
Notok
April 29th, 2006, 04:09 PM
-{ Quote: "no issues yet but also dunno what this app is protecting me from." }-It seems to be a filter, along the lines of Proxomitron with Kye-U's filters, but it filters all traffic and blocks by website as well. Check out the "Settings" tab, it makes a little more sense of it.
-{ Quote: "Done some settings regarding ewido 4 pikes my system runs now on 94% idle and low RAM." }-Strange, no probs w/ Ewido v4 here..
-{ Quote: "Well, I try everything on this box." }-Hehe, welcome to the club ;D
-{ Quote: "At that specific terrain i'm for sure not a dumbo, i know a lot about the subject" }-Just thought I'd throw that out there, one never knows where someone else is at.. especially when you're not dealing with them in person :) If you contact them, will you let us know how responsive they are?
Smokey
April 29th, 2006, 04:57 PM
-{ Quote: "Just thought I'd throw that out there, one never knows where someone else is at.. especially when you're not dealing with them in person :) If you contact them, will you let us know how responsive they are?" }-
I know your intentions are (like always) okay and highly appreciated:)
I will wait till the second beta is there, then start the fuss again, and if the program messes up my machine again I will contact them.
Because Gerardwil has no ATI driver issues like I have, IMO I'd better wait for the second beta.
I'll keep you informed;D
Other SocketShield issue: they will release the final version in June.
Sounds weird to me; this actual beta is the first one, how will they fix all the bugs in the program in such a short time?
Not a very reliable sign to me....8)
But maybe I'm too pessimistic::)
gerardwil
April 29th, 2006, 05:59 PM
-{ Quote: "
Strange, no probs w/ Ewido v4 here..
Hehe, welcome to the club ;D
" }-
Some have them some don't ???
It's ok here now after checking with filemon (sysinternals) and ignoring some dll's; ewido now max. 0.49% cpu. I am sure the guys in Erlangen will solve this issue sooner or later.
I'll see in a week when I am back home; tomorrow morning airplane to Scotland for a week of hiking and tasting some whiskies. (hmm, take my laptop with me :wacko:)
Sorry mods for being off topic here :thumb:
Gerard
Smokey
April 29th, 2006, 06:04 PM
-{ Quote: "Some have them some don't ???
" }-
Like the ATI drivers issue...:wacko:
Eldar
April 29th, 2006, 06:24 PM
-{ Quote: "Like the ATI drivers issue...:wacko:" }-Have those drivers too. :-\
Installing that app also froze Spy Sweeper from loading at startup.
As for Ewido 4, the guard was de-activated.
Tried to uninstall it, but something is wrong with that uninstaller or else
some other app is interfering with it. It really didn't work. :'(
Rebooted and restored my image from yesterday, so I was back up and
running in 15 minutes. :D
It shows promise, but they really need to iron out those bugs.
I like to try out new apps/betas, but not this one at present. :P
Smokey
April 29th, 2006, 06:32 PM
-{ Quote: "Rebooted and restored my image from yesterday, so I was back up and
running in 15 minutes. :D " }-
You lucky one!;D
Only 1 image restore?
I have restored 3 times:blink:
And now it's enough, they have to do a lot of work to fix all the problems.
-{ Quote: "It shows promise, but they really need to iron out those bugs.
Like to try out new apps/betas, but no this one at present. :P" }-
See my remarks about the presumed release date of the final version...8)
Eldar
April 29th, 2006, 06:41 PM
-{ Quote: "You lucky one!;D
Only 1 image restore?
I have restored 3 times:blink:
And now it's enough, they have to do a lot of work to fix all the problems." }-Yikes, that's a lot. :-\
They sure need to fix all those problems prior to release. -{ Quote: "See my remarks about the presumed release date of the final version...8)" }-Already read it, but that means rushing it out of the door, which isn't a good sign.
Or perhaps they have super programmers. ::)
WSFuser
April 29th, 2006, 08:32 PM
Interesting software and it's light on resources. Meanwhile, time will tell if it does anything.
Notok
April 29th, 2006, 08:36 PM
Geez, this is crazy.. normally I'm the one with all the issues, but I've got a few betas on this machine now, and not a single problem! SocketShield is working perfectly for me.. :(
mannagills
April 30th, 2006, 02:17 PM
Just installed SocketShield. First reboot took a long time. Got a NOD32 message that IMON settings had been changed. Second reboot was normal. So far, no conflicts and low on resources.
Rasheed187
April 30th, 2006, 03:28 PM
So basically this isn't a HIPS but nothing more than a bad URL blocker, sort of like a supercharged SiteAdvisor? Personally I don't really like this approach, plus what if they don't recognize a malicious website, will you still be protected by this tool then? ???
Notok
April 30th, 2006, 03:34 PM
No, it filters out specific exploits from your internet traffic, just like Proxomitron with Kye-U's filters except that it automatically filters all traffic.
controler
May 1st, 2006, 01:48 PM
Hello
I have not tried it yet but this link explains how this program works.
For unknown exploits, it gathers the evidence from your computer and sends it back to the correlation engine, which then distributes the patch back to other users, where it actually closes the socket the exploit is on.
They combine this with their Reputation Filter.
http://www.explabs.com/ss/index.html
Requires a Pentium 1.2 gig or higher. This tells me it would be a resource hog wouldn't it?
Dang I don't have anything that fast.
controler
controler
May 1st, 2006, 01:56 PM
This link shows what an alert looks like.
http://www.explabs.com/support/commonQA.html#6
Isn't there a new exploit website starting up today?
Maybe you can test it there.
controler
Notok
May 1st, 2006, 02:41 PM
-{ Quote: "This tells me it would be a resource hog wouldn't it?" }- my experiences are the same as the others noted in this thread.. :)
-{ Quote: "So far, no conflicts and low on resources." }-
-{ Quote: "Interesting software and it's light on resources" }-
-{ Quote: "Low in mem, no cpu." }-
(screenshot below from Process Explorer.. for those not familiar with it, "working set" is physical memory usage, "private bytes" is virtual memory usage)
nameless
May 1st, 2006, 06:01 PM
-{ Quote: "Low in mem, no cpu." }-
Of course it uses CPU. Given that it uses drivers, the CPU used by SocketShield will not be charged to the process associated with its interface.
rdsu
May 1st, 2006, 07:05 PM
Will this program remain free?
rogert30062
May 1st, 2006, 10:31 PM
-{ Quote: "I have tried to install the stuff today.
Lots of conflicts with my ATI drivers, and it was conflicting with some other drivers too.
At the moment my DSL connection was demolished, I stopped trying the install.
IMO a pity, because I think the program has a lot of potential.
From what I understand, it's the very first beta version; I guess that's the reason for all the problems (problems on my machine; for sure other people don't have any problems at all)." }-
Hey Smokey,
Thanks for the kind thoughts. We think it's got some potential too. :-)
We tested it pretty hard, and don't know about too many problems, so I'd like to try to fix yours too.
What OS are you running? What av and antispy are you running? What firewall?
If you don't want to answer on list, please feel free to contact me directly.
rthompson@explabs.com.
Thanks in advance
Roger
rogert30062
May 1st, 2006, 10:40 PM
-{ Quote: "Have those drivers too. :-\
Installing that app also froze Spy Sweeper from loading at startup.
As for Ewido 4, the guard was de-activated.
Tried to uninstall it, but something is wrong with that uninstaller or else
some other app is interfering with it. It really didn't work. :'(
Rebooted and restored my image from yesterday, so I was back up and
running in 15 minutes. :D
It shows promise, but they really need to iron out those bugs.
I like to try out new apps/betas, but not this one at present. :P" }-
Hi Eldar,
At first guess, I'd say a conflict with SpySweeper caused some problem. We've tested lots with SpySweeper, but it might easily depend on what's been selected.
However... we do install an LSP driver, so it's quite possible for any antispy to think it's under attack, and thus cause some conflicts.
Sorry you had to re-image. We'll check it out some more.
Roger
nameless
May 1st, 2006, 10:49 PM
-{ Quote: "This program will remain free?" }-
No. According to this article (http://www.pcworld.com/news/article/0,aid,125595,00.asp):
-{ Quote: "The first nonbeta version of SocketShield will ship in June and will cost $29.95 for a one-year subscription. Renewals will cost $19.95 per year." }-
rogert30062
May 1st, 2006, 10:54 PM
-{ Quote: "So basically this isn't a HIPS but nothing more than a bad URL blocker, sort of like a supercharged SiteAdvisor? Personally I don't really like this approach, plus what if they don't recognize a malicious website, will you still be protected by this tool then? ???" }-
No, it's not just a bad URL blocker. The LSP driver actually looks for exploits and kills them on the TCPIP stream, no matter which website it's coming from.
Actually, we don't block by URL, but by the IP address that it resolves to. When we know a server throws exploits, it makes sense to flat out block it.
We're not even saying we're always 100%... there'll always be ways to get past us... but my position is that _most_ of the time, the exploit code and shell code is simply cut and pasted, and just the payload (the program it delivers) is changed, and you can stop an awful lot of it without too much effort, and you can provide cover for people _until_ they can patch.
If you look at the WMF exploit from December as an example, within a few days of its release, there were arguably 3000 websites that we knew about serving WMFs, and no patch from Microsoft, and yet the exploits were all really similar.... a simple scan and kill took care of them all.
Cheers
Roger
rogert30062
May 1st, 2006, 10:57 PM
-{ Quote: "
Other SocketShield issue: they will release in June the final version.
Sound weird to me, this actual beta is the first one, how will they fix all the bugs in the program in such a short time?
Not a very reliable sign to me....8)
But maybe i'm to pessimistic::)" }-
Nah... we _want_ to release in June, but it's completely dependent on how well the beta goes. We're in no hurry. Software is ready when it's ready.
Our _biggest_ problem is the various anti virus and anti spy programs that think they're under attack.
:-)
Roger
Notok
May 2nd, 2006, 02:56 AM
-{ Quote: "Of course it uses CPU. Given that it uses drivers, the CPU used by SocketShield will not be charged to the process associated with its interface" }-Nevertheless, it's as negligible as it gets. There's no appreciable difference in overall CPU usage with or without it. There doesn't seem to be a device driver like with a lot of the other security apps around here, though.
nameless
May 2nd, 2006, 03:51 AM
-{ Quote: "Nevertheless, it's as negligible as it gets. There's no appreciable difference in overall CPU usage with or without it." }-
How did you measure "overall CPU usage"?
-{ Quote: "There doesn't seem to be a device driver like with a lot of the other security apps around here, though." }-
Of course it wouldn't use a device driver. It isn't a device.
Notok
May 2nd, 2006, 10:49 AM
So you've used it and found it to put a strain on your system?
suzi
May 2nd, 2006, 11:50 AM
I installed SocketShield on a virtual machine running XP Pro, unpatched with no service packs, also running Spy Sweeper, Sygate free firewall, WinPatrol and CounterSpy. The vm has 384 MB RAM. I didn't have any conflicts or problems at all.
I went to some websites known for running exploits and sure enough, SocketShield stopped them. :thumb:
I wrote a review and included some screenshots showing it stopped the exploits in my blog at ZDnet.
http://blogs.zdnet.com/Spyware/?p=816
aigle
May 2nd, 2006, 02:31 PM
Hi Suzi! Ur first post, just after joining, and on a very new software with a well supporting post-- makes me think something!... maybe I am wrong anyhow.
Welcome to Wilders!
I also wonder y u run Spysweeper and Counterspy together? What about ur AV?
Can u please tell us the details of these sites and exploits!
Edit: have not still read ur blog.
Eldar
May 2nd, 2006, 03:02 PM
Hi Suzi & welcome to Wilders, :D
Good to see you again.
Hope everything going smooth at Spyware Warrior forum. :)
Nice to hear you didn't run into trouble like me.
Great review you've made there. :thumb:
I'm sure I'll give it another shot when it's out of beta.
See you around. ;)
suzi
May 2nd, 2006, 03:17 PM
Aigle and Eldar,
Thanks for the warm welcome. :)
Aigle, yes, you can run Spy Sweeper and CounterSpy on the same machine, no problems. I've never heard of any problems, at least. I don't have an anti-virus on the virtual machine, but from what I read SocketShield does not conflict with AV apps. I wouldn't hesitate to try it. The answer to your questions about the sites and exploits is in my blog post. ;)
Eldar, thanks for the kind words. I always try out something new on a virtual machine first, and in this case I wanted to test it against live exploits, which I wouldn't do on my real machine.
Best,
Suzi
TNT
May 2nd, 2006, 10:11 PM
Looked at some of the info available on the site, and well... sorry but, yawn. ::)
How does this "protect from 0-day exploits"? You don't find "0-day exploits" through signatures like this program does, you can only prevent 0-day exploits by hardening a system.
The WMF vulnerability was a 0-day because it was actively being used by crackers before it was actually known in the computer security professionals world.
I see on their site:-{ Quote: "zero-day exploits can be in circulation within minutes of a vulnerability being announced" }-Rubbish. 0-day exploits are not "announced before and then start being used in the real world". They are announced because they are being actively used in the real world. They could have been in circulation for weeks before they're even public knowledge.
This could well be a good protection product. But the "0-day" stuff is quite misleading.
suzi
May 2nd, 2006, 10:49 PM
TNT, where this program's zero day exploit protection will be useful is in a case like the WMF exploit. The WMF exploit was announced on Dec. 27 or 28 as I recall, and it had already been in use for at least a few days because I know someone who got hit with it on Christmas day.
How long did it take Microsoft to release a patch? I believe it was January 4, someone correct me if I'm wrong.
The exploit code was publicly available for about a week before the MS patch was released. And the malware pushers were jumping on the bandwagon quickly -- people were getting infected because of the WMF exploit. One tactic malware pushers are using is to hack normal websites and use them for running exploits, like in this case, and for phishing. I've lost count of the hacked websites I've seen in the last month.
If SocketShield had been available then, it could have stopped a lot of people from getting hit with the WMF exploit before Microsoft issued the patch.
How long did it take MS to release the patch for the CreateTextRange exploit? The exploit code for that one was published on the web, too. It was announced on March 23 and the patch was released on the next regular patch day, which was April 11.
I don't work for the company or anything -- I just think a lot of people don't really get the significance of having an app to protect from exploits, especially zero day exploits when the exploit code has been made public, but no patch from Microsoft is available yet.
Ilya Rabinovich
May 3rd, 2006, 03:13 AM
As I understand it, SS is a signature-based tool if it removes malware from the net stream. So it can not be accepted as real 0-day attack protection (like an AV, for instance). There are sandbox HIPS for that and for all the browser/e-mail/P2P-based malware (known and unknown).
aigle
May 3rd, 2006, 06:38 AM
-{ Quote: "Aigle and Eldar,
Aigle, yes, you can run Spy Sweeper and CounterSpy on the same machine, no problems. I've never heard of any problems, at least. I don't have an anti-virus on the virtual machine, but from what I read SocketShield does not conflict with AV apps. I wouldn't hesitate to try it. The answer to your questions about the sites and exploits is in my blog post. ;)
Suzi" }-
Hi Suzi, I am sorry that part of my post was wrong as I did not know u and did not read the blog. I will take back my words.
BTW, both antispywares u run in real time; still I will not do it unless for testing and comparing the two. Anyhow it's ur job and u know better than me.
Thanks
Rasheed187
May 3rd, 2006, 08:45 AM
Thanks for the feedback Notok and rogert30062. But I still don't see how this solution differs from other anti-malware tools that scan websites for exploits in realtime. And how will this tool protect you from zero day malware? Isn't that the real challenge nowadays? ::)
And btw @ Suzi, I went to the test sites (on my virtual machine) but the sites did not work, are they offline at the moment? And since you seem to have access to these exploit sites, perhaps you can also test other anti malware tools to see how they perform? ;)
rogert30062
May 3rd, 2006, 10:27 AM
-{ Quote: "Thanks for the feedback Notok and rogert30062.
And btw @ Suzi, I went to the test sites (on my virtual machine) but the sites did not work, are they offline at the moment? And since you seem to have access to these exploit sites, perhaps you can also test other anti malware tools to see how they perform? ;)" }-
Hi Rasheed,
You wrote ...
>But I still don't see how this solution differs from other anti-malware tools that scan websites for exploits in realtime.
Which tools?
>And how will this tool protect you from zero day malware? Isn't that the real challenge nowadays? ::)
By 0-day malware, if you mean 0-day viruses and trojans, it's not meant to protect you from that... that's what anti virus and anti spy software is for.
SocketShield is not meant to compete with or replace any av or as... it's meant to be another layer of protection until you can patch.
The problem is this....
All software has vulnerabilities, and when an exploit is found, at some point you have to patch. Until you can patch, there is a Risk Window.
However, sometimes a patch is not available, and sometimes a patch is available but you can't use it for some other reason (for example, if you've got 10,000 pcs, you can't patch every month). In those cases, the risk window is really big, and it sucks.
Now, if the exploit is being used, as was the case with WMF and CreateTextRange, SocketShield is able to provide a way to kill the exploits on the stream, before it even reaches the application it is targeting.
The point is that exploits are mostly re-used by simply cutting and pasting and changing the payload (the file it delivers), so often, a single sig for the exploit catches all the websites using it, no matter how many different trojans and backdoors are plugged into it.
Another point is not all exploits are created equal... there are hundreds announced each month, and yet only two or three are actually used, but the ones that _are_ used are _widely_ used, and are really important. Nearly all of them deliver rootkits, btw.
A large part of what we do is figure out which are the important ones (the ones actually being used), and we do this with our backend intelligence network.
We're _not_ saying we're perfect or unbeatable.... what we're saying is that a large amount of problems can be solved with a small amount of effort if you know which are the important problems.
Roger
rogert30062
May 3rd, 2006, 10:45 AM
Hi TNT,
You wrote ...
>How does this "protect from 0-day exploits"? You don't find "0-day exploits" through signatures like this program does, you can only prevent 0-day exploits by hardening a system.
Actually, you can also protect against 0-day exploits by blocking the IP address of the server, which is something we do when we think a server address is static.
We block by exploit and we block by blacklist IP. To get past us, it needs to be a new exploit _and_ a new server. That's absolutely possible, but as soon as we find either one (the exploit or a server), we'll add it, and everyone will be automatically updated within a few minutes. So yes, some folks might get nailed, but most will be safe.
By the way, _if_ the exploit is based around something that has been announced in the different security lists, chances are we'll have added that prior to it being used In The Wild.
>This could well be a good protection product. But the "0-day" stuff is quite misleading.
Well, we don't mean to be misleading. It's always hard to convey all aspects of meanings in a few words... there are always exceptions. For example, there are at least two definitions of 0-day exploit... a strict security based one, and one that most of the public probably accepts, which is "Something bad for which there is no patch, and it remains a 0-day until there's a patch, even if it's a month old."
Cheers
Roger
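Roger's two posts above describe the mechanism in words: an LSP sitting in the Winsock chain that scans the inbound TCP stream for known exploit patterns, plus an IP blacklist of servers known to throw exploits, so that a connection is cut either because the server is known-bad or because the pattern appears in the data, regardless of which site served it. The Python below is an added illustration written for this thread; it is not SocketShield's code or anything from XPL. The blacklist address, the "signatures" (harmless placeholder strings standing in for real exploit patterns) and the sample HTTP segments are all constructed, and the class and function names are hypothetical. The one detail worth seeing in code is what happens when a pattern straddles two TCP segments: the inspector keeps a tail of the previous segment so the match is still found, but bytes already handed up to the application cannot be recalled, so the real protection is that the rest of the stream never arrives.

```python
"""Added example: a stream-inspection filter in the style described in the thread.
Everything below (IPs, signatures, sample traffic) is constructed for illustration."""

# Constructed blacklist of server IPs (the "reputation" side). 203.0.113.0/24 is a
# documentation range, so this address is purely illustrative.
BLACKLIST_IPS = {"203.0.113.7"}

# Constructed signatures: name -> byte pattern. Real products ship real exploit
# patterns; these placeholders are harmless so the example can run offline.
SIGNATURES = {
    "demo-sig-1": b"EXPLOIT_PATTERN_PLACEHOLDER",
    "demo-sig-2": b"ANOTHER_PLACEHOLDER_PATTERN",
}


class StreamInspector:
    """Inspects the inbound bytes of one TCP connection, segment by segment.

    A tail of the previous segment is kept so a pattern split across two
    segments is still matched. Once blocked, the connection delivers nothing
    further to the application."""

    def __init__(self, peer_ip: str):
        self.peer_ip = peer_ip
        self.blocked = False
        self.reason = ""
        self._tail = b""
        # Keep len(longest pattern) - 1 bytes: enough for any straddling match.
        self._keep = max(len(p) for p in SIGNATURES.values()) - 1
        if peer_ip in BLACKLIST_IPS:
            # Known-bad server: drop before any data is exchanged at all.
            self.blocked = True
            self.reason = f"blacklisted server {peer_ip}"

    def feed(self, segment: bytes) -> bytes:
        """Return the bytes to pass up to the application (b"" if blocked)."""
        if self.blocked:
            return b""
        window = self._tail + segment
        for name, pattern in SIGNATURES.items():
            if pattern in window:
                # Match found. Note that the part of the pattern inside the
                # previous segment has already been delivered; what the filter
                # guarantees is that nothing after this point gets through.
                self.blocked = True
                self.reason = f"signature {name}"
                return b""
        self._tail = window[-self._keep:] if self._keep > 0 else b""
        return segment


def scan_connection(peer_ip: str, segments):
    """Run a whole connection through an inspector.

    Returns (blocked, reason, bytes_delivered_to_application)."""
    insp = StreamInspector(peer_ip)
    delivered = b"".join(insp.feed(s) for s in segments)
    return insp.blocked, insp.reason, delivered


# Constructed sample traffic. 198.51.100.0/24 is also a documentation range.
CLEAN_PEER = "198.51.100.5"
CLEAN_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    b"<html><body>hello</body></html>",
]
# The placeholder pattern is deliberately split across the segment boundary.
SPLIT_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\n\r\n<script>EXPLOIT_PAT",
    b"TERN_PLACEHOLDER</script>",
]

if __name__ == "__main__":
    for peer, segs in [(CLEAN_PEER, CLEAN_SEGMENTS),
                       (CLEAN_PEER, SPLIT_SEGMENTS),
                       ("203.0.113.7", CLEAN_SEGMENTS)]:
        blocked, reason, delivered = scan_connection(peer, segs)
        print(f"{peer}: blocked={blocked} reason={reason!r} delivered={len(delivered)} bytes")
```

Run as a script it walks the three cases: a clean connection passes untouched, the split pattern is caught on the second segment (only the first segment ever reached the application), and the blacklisted server delivers nothing at all. It also makes TNT's and Roger's exchange concrete: a new pattern on a new server passes both checks, which is exactly the gap Roger concedes.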
Notok
May 3rd, 2006, 10:51 AM
-{ Quote: "As I understand it, SS is a signature-based tool if it removes malware from the net stream. So it can not be accepted as real 0-day attack protection (like an AV, for instance). There are sandbox HIPS for that and for all the browser/e-mail/P2P-based malware (known and unknown)." }-It takes out the exploit that causes the silent install of malware, rather than the malware itself. By tackling the exploit before they get a chance to use it, you can head off 0day attacks.
suzi
May 3rd, 2006, 11:38 AM
-{ Quote: "Hi Suzi, I am sorry that part of my post was wrong as I did not know u and did not read the blog. I will take back my words.
BTW, both antispywares u run in real time, still I will not do it unless for testing and comparing the two. Anyhow it,s ur job and u know better than me.
Thanks" }-
Aigle, No need to apologize. No problem at all. :)
Rasheed187
May 3rd, 2006, 12:10 PM
@ rogert30062
First of all, can you please use the quoting system in the future (maybe you can edit your posts), because it's a bit hard to read your posts at the moment. ;)
-{ Quote: "Which tools?" }-
I'm talking about tools like Kaspersky AV and other AVs with http scanning. Isn't the concept about the same? If KAV and other tools recognize malware they will block access to your system. Can SocketShield (SS) be compared to these tools?
But I now understand that it's not meant to protect against zero day malware; it's more a protection tool that will try to protect you against the newest (known) exploits (targeting unpatched holes). I guess it's a nice tool, especially because it does not seem to be heavy on resources, but is it worth the bucks? I'm not sure about that if I'm honest. ::)
Rasheed187
May 3rd, 2006, 12:16 PM
-{ Quote: "And btw @ Suzi, I went to the test sites (on my virtual machine) but the sites did not work, are they offline at the moment? And since you seem to have access to these exploit sites, perhaps you can also test other anti malware tools to see how they perform?" }-
Suzi, any comments? ???
Perman
May 3rd, 2006, 01:20 PM
Hi, folks. I have d/l and tried it for three days. It seems to function very well within my current system (KAV 6, Outpost 3.51, ewido 4). However, I still have one little puzzle that needs to be solved. This so-called prevention of zero day attack, when does it commence to protect you? The moment Windows starts up (24/7 DSL connection) or the time you actually log on to the internet and surf? This app DOES NOT start with Windows startup, for a FACT (because I could not find the OPTION) and has to be initiated manually. Strange indeed. Anyone can solve this puzzle? Thanks. :isay:
rogert30062
May 3rd, 2006, 01:36 PM
-{ Quote: "Suzi, any comments? ???" }-
Hi Rasheed,
I think Suzi's blog only showed the IP address of some of the exploiters. I expect she gave the warning about going there to keep the unwary safe because sometimes just going to the IP address _might_ trigger something, but _mostly_ the exploiters are too cunning for that.
Generally, the only people who come directly to their servers are people like me hunting for them, or googlebots and spiders trying to index them, so they don't generally trigger that way. Instead, you have to do something like ... find the exact URL, including sub directories, or find some of their lure sites and come in from there.
Cheers
Roger
rogert30062
May 3rd, 2006, 01:50 PM
-{ Quote: "Hi, folks. I have d/l and tried it for three days. It seems to function very well within my current system (KAV 6, Outpost 3.51, ewido 4). However, I still have one little puzzle that needs to be solved. This so-called prevention of zero day attack, when does it commence to protect you? The moment Windows starts up (24/7 DSL connection) or the time you actually log on to the internet and surf? This app DOES NOT start with Windows startup, for a FACT (because I could not find the OPTION) and has to be initiated manually. Strange indeed. Anyone can solve this puzzle? Thanks. :isay:" }-
Hi,
Protection is automatic.
When you talk about the app not starting with Windows, you are referring to the Control Panel. It doesn't start because it doesn't need to. You only need it for the interface.
_Protection_ is actually provided by an LSP driver, which is always invoked automatically when winsock is loaded by anything, and updating is handled by Monitor, which loads from the Windows Run key, into the system tray.
Cheers
Roger
Perman
May 3rd, 2006, 02:18 PM
Hi Roger, thank you for your PROMPT reply. This is THE kind of service we,as viewers, have longed for ALWAYS. Your reply Indeed serves an EYE-OPENER for me. Now I totally understand how your masterpiece works! Thanks. My words of mouth will be an asset to your success. Good luck.:thumb:
StevieO
May 3rd, 2006, 02:19 PM
Hi Roger
Is SS able to prevent the IE vulnerability/flaw described here http://www.wilderssecurity.com/showthread.php?t=129618&page=2
Thanks
StevieO
thedon57
May 3rd, 2006, 02:26 PM
I downloaded SocketShield today; it works OK with NOD32, IE7, Windows Defender, and Live OneCare.
When it installed I just had to let the computer restart itself, then once NOD32 kicked in I had to restart again, but now everything is working OK.
rogert30062
May 3rd, 2006, 02:37 PM
-{ Quote: "Hi Roger, thank you for your PROMPT reply. This is THE kind of service we,as viewers, have longed for ALWAYS. Your reply Indeed serves an EYE-OPENER for me. Now I totally understand how your masterpiece works! Thanks. My words of mouth will be an asset to your success. Good luck.:thumb:" }-
Hi Perman,
Thank you very much for your kind words.
:-)
Roger
rogert30062
May 3rd, 2006, 02:41 PM
-{ Quote: "Hi Roger
Is SS able to prevent the IE vulnerability/flaw described here http://www.wilderssecurity.com/showthread.php?t=129618&page=2
Thanks
StevieO" }-
Ummmm.... when i click the link, it takes me to half way thru this thread... are you having a joke, or am I missing something?
:-)
Roger
rogert30062
May 3rd, 2006, 02:44 PM
-{ Quote: "I downloaded SocketShield today; it works OK with NOD32, IE7, Windows Defender, and Live OneCare.
When it installed I just had to let the computer restart itself, then once NOD32 kicked in I had to restart again, but now everything is working OK." }-
Hi thedon57,
Thanks for the info... we've seen that with McAfee too... they seem to want to have control of the LSP chain, but a couple of restarts seem to sort it out.
Roger
thedon57
May 3rd, 2006, 03:42 PM
-{ Quote: "I installed SocketShield on a virtual machine running XP Pro, unpatched with no service packs, also running Spy Sweeper, Sygate free firewall, WinPatrol and CounterSpy. The vm has 384 MB RAM. I didn't have any conflicts or problems at all.
I went to some websites known for running exploits and sure enough, SocketShield stopped them. :thumb:
I wrote a review and included some screenshots showing it stopped the exploits in my blog at ZDnet.
http://blogs.zdnet.com/Spyware/?p=816" }-
It was your review I read; very full it was too, well done. That is what made my mind up to install it, so again I thank you.
StevieO
May 3rd, 2006, 03:48 PM
Roger
Having a joke? No, not at all. Sorry, I now realise I pasted the same link in my post here earlier to you, my mistake; it was only meant to go in the one below. This is the one I wanted you to take a look at and comment on:
http://www.wilderssecurity.com/showthread.php?t=129907
StevieO
rogert30062
May 3rd, 2006, 04:28 PM
-{ Quote: "Roger
Having a joke? No, not at all. Sorry, I now realise I pasted the same link in my post here earlier to you, my mistake; it was only meant to go in the one below. This is the one I wanted you to take a look at and comment on:
http://www.wilderssecurity.com/showthread.php?t=129907
StevieO" }-
Ah... gotcha.
No, we don't protect against it _yet_, because (1) as far as I can see, no publicly available proof of concept exists _yet_, and (2) no websites are serving it _yet_.
But, it is a very attractive target for the Bad Guys, and no doubt the race is on to discover what Secunia and Mike Z. already know.
This is definitely our territory, and as soon as we find something, we'll update everyone.
Thanks for the question
Roger
dja2k
May 3rd, 2006, 04:50 PM
I have installed SocketShield as well with no problems or slowdowns. I am running KIS 2006 beta 6.0.1.309, Ewido 4 Beta, OA AV+ 1.1.1.760 (av not active), RegRun Gold 4.5, and Ghost Security Appdefend\Regdefend. All I see in my LSP viewer in Ewido are the SocketShield LSPs. I have not seen it block anything yet. Does anyone know a specific site to test to see if it blocks it?
dja2k
suzi
May 3rd, 2006, 11:47 PM
-{ Quote: "-{ Quote: "Quote:
And btw @ Suzi, I went to the test sites (on my virtual machine) but the sites did not work, are they offline at the moment? And since you seem to have access to these exploit sites, perhaps you can also test other anti malware tools to see how they perform? " }-
Suzi, any comments? ??? " }-
I didn't post the domain names/URLs of the sites, but the IP addresses were visible in the SocketShield screenshots. I don't generally post dangerous sites in public forums because there's always a risk that someone will inadvertently get infected and I don't want to be responsible for that.
If you want dangerous domains, check Webhelper's lists of CoolWebSearch sites -- there are plenty to be found there. ;)
http://webhelper4u.com/CWS/index.html
Regarding testing other anti-malware tools, I do that when time permits, but I never make promises on when or what. :)
suzi
May 3rd, 2006, 11:49 PM
-{ Quote: "It was your review I read; very full it was too, well done. That is what made my mind up to install it, so again I thank you." }-
Thanks for the kind words and you're welcome. :)
nicM
May 4th, 2006, 09:49 AM
First, Thanks for your blog's post, suzi, that's very interesting ;) .
I did try it on a few malicious sites last night, and it did block one CreateTextRange exploit, with 4 malicious sites blocked. But I must say I don't have the feeling that I understand exactly how it protects: after these 5 events, nothing was shown as blocked or prevented later, while going on surfing other bad websites, though I did insist, and had lots of warnings from the AV. (But after I'd closed and reloaded IE, it was still fully "functional", as you said in your blog).
Thus I don't know if the last exploits I got were "old-fashioned" ones, not prevented by SocketShield because they're supposed to be prevented by an MS patch, or not ???
Then I remembered what you said somewhere in your blog, about the fact that SocketShield didn't prevent some adware from creeping in. That's anyway a complement to other protection programs, such as anti-spyware, and is not meant to be a substitute for them; but maybe people could "understand" this program better if there was something like a list of exploits SocketShield can prevent, viewable in the program's GUI ??? (I mean before they occur).
And what about exploits once the official patch is available? Are they removed from Socketshield's protection list?
Btw, this program is running fine for me (with Jetico FW).
Cheers,
nicM
rogert30062
May 4th, 2006, 10:50 AM
Hi nicM,
(1) You said you went to other sites, about which we didn't warn. That means one of two things... either they weren't serving exploits, or they were but we didn't recognise them (that's possible, it's still beta after all). If you'd like to provide the URLs to me in a private email (either rog2002@bellsouth.net or rthompson@explabs.com is fine), I'd be glad to check them out and see what's what.
(2) List of exploits that we protect against... that's a good idea, and we'll work on that.
(3) and you asked "Do we remove exploits once a patch is out". Our intention is to block all exploits that we know to be in the wild, whether a patch is available or not.
Cheers
Roger
Franklin
May 4th, 2006, 10:53 AM
Waited a bit and decided to give it a go.
I run FF and IE through Sandboxie, which aren't flagged by SShield whilst sandboxed.
FF and IE are flagged outside the sandbox, so it seems SShield offers me no extra protection.
Other than that, no startup slowdown. Using about 7 meg of mem.
Now for the uninstall. Will I be ghosting? Fingers crossed.
Edit:
Uninstalled fairly clean. Found 17 reg entries, an empty folder and a coupla files.
nicM
May 4th, 2006, 11:06 AM
-{ Quote: "
(2) List of exploits that we protect against... that's a good idea, and we'll work on that.
(3) and you asked "Do we remove exploits once a patch is out". Our intention is to block all exploits that we know to be in the wild, whether a patch is available or not." }-
Hi Roger,
Thanks for your reply, I wasn't sure about the third point, and am glad to know protection will work this way.
I don't know what other people think about this "protection list", but that's definitely something I would like to see :) somewhere in the program.
As for the bad sites, unfortunately I did these tests very quickly and not in a very methodical way (plus I'm aware the program is still a beta anyway)... But I still have some URLs and will redo the tests tonight, then will mail you about it.
Cheers,
nicM
Smokey
May 4th, 2006, 01:24 PM
-{ Quote: "Hey Smokey,
Thanks for the kind thoughts. We think it's got some potential too. :-)
We tested it pretty hard, and don't know about too many problems, so I'd like to try to fix yours too.
What OS are you running? What av and antispy are you running? What firewall?
If you don't want to answer on list, please feel free to contact me directly.
rthompson@explabs.com.
Thanks in advance
Roger" }-
Hi Roger!
Thanks for your (fast) reaction:)
At this time I'm very busy, but this upcoming weekend I will sort out things for you.
I will send you an email with the problems that occurred and all the specs you asked for.
I hope that will be a help in making your program more stable, because again, IMO it's a great piece of software, and when it does what it promises us, I can and will for sure recommend it.
At this time I don't recommend it 'cause it's not stable enough; when it is, no problem anymore for me to give it the predicate "highly recommended";)
BTW: please don't pin yourself to an official release date in June.
Better some more development than bringing out a final version that hasn't sorted out the bugs in the beta version.
Best,
Smokey:)
suzi
May 5th, 2006, 12:48 AM
nicM, thanks for the kind words. :)
I did turn off the malicious sites protection for a bit because it was blocking one site (which is good under normal circumstances) that I wanted to try and that's probably when the adware got in.
Roger wrote:
-{ Quote: "List of exploits that we protect against... that's a good idea, and we'll work on that." }-
I think that's an excellent idea. One of the ZDNet readers is convinced that SocketShield is "just another anti-virus program" and I'd like to be able to point him/her to a comparison of the features of SocketShield and AV apps.
I went to the same site using nothing but Avast (free version) with all shields enabled for protection and my virtual machine almost froze due to malware. Avast wasn't able to stop much. I ended up with several trojans and the TCP/IP settings were changed, which showed up like this in the HijackThis log.
O17 - HKLM\System\CCS\Services\Tcpip\..\{47917229-B09A-4170-BF20-C5BD8E2F1B30}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{49F1F183-C925-49DB-AF94-33F119007082}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{60518FBC-40AF-49FE-B533-4CAA490363CA}: NameServer = 85.255.116.150,85.255.112.70
And that was just from the first site I went to with SocketShield. With Avast, I couldn't get to any other sites after being infected from the first one.
Nothing against Avast, mind you, it's just not the same as SocketShield.
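The three O17 entries above are a DNS hijack: every network interface's NameServer has been pointed at an outside resolver, so every lookup the machine makes afterwards is answered by the attacker. As an added example, not from the thread and not part of any tool discussed in it, here is a small Python checker that parses HijackThis-style O17 lines and flags any NameServer outside a trusted set. The three O17 lines are the ones from the post above; the fourth entry (the all-1s/2s GUID with a LAN resolver) and the trusted network list are constructed for the example and would be replaced by the interfaces and ISP resolvers actually expected on the machine.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log: the three O17 lines quoted in the thread plus one
# benign interface (the last GUID and its LAN resolver are made up for this example)
# and one unrelated line that the parser must ignore.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{47917229-B09A-4170-BF20-C5BD8E2F1B30}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{49F1F183-C925-49DB-AF94-33F119007082}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{60518FBC-40AF-49FE-B533-4CAA490363CA}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [example] C:\example.exe
"""

# Resolvers this machine is expected to use. Constructed for the example:
# in practice, the LAN router and the ISP's or corporate resolvers.
TRUSTED_RESOLVERS = [
    ip_network("192.168.0.0/16"),
    ip_network("10.0.0.0/8"),
]

# O17 line layout: "O17 - <registry key>\{<interface GUID>}: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(
    r"^O17 - (?P<key>\S+\{(?P<guid>[0-9A-Fa-f-]{36})\}): NameServer = (?P<servers>.+)$"
)


def parse_o17(line):
    """Return {'guid', 'key', 'servers'} for an O17 line, or None for any other line."""
    m = O17_RE.match(line.strip())
    if m is None:
        return None
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return {"guid": m.group("guid"), "key": m.group("key"), "servers": servers}


def rogue_servers(servers, trusted=TRUSTED_RESOLVERS):
    """Servers not inside any trusted network; an unparsable entry counts as rogue."""
    rogue = []
    for s in servers:
        try:
            addr = ip_address(s)
        except ValueError:
            rogue.append(s)
            continue
        if not any(addr in net for net in trusted):
            rogue.append(s)
    return rogue


def scan_hjt_log(text, trusted=TRUSTED_RESOLVERS):
    """Return [(interface GUID, [rogue NameServer IPs]), ...] for each hijacked interface."""
    findings = []
    for line in text.splitlines():
        entry = parse_o17(line)
        if entry is None:
            continue
        bad = rogue_servers(entry["servers"], trusted)
        if bad:
            findings.append((entry["guid"], bad))
    return findings


if __name__ == "__main__":
    for guid, bad in scan_hjt_log(SAMPLE_HJT_LOG):
        print(f"interface {guid}: untrusted NameServer(s) {', '.join(bad)}")
```

The check is deliberately an allowlist rather than a blocklist of bad resolvers: the rogue addresses rotate, but the set of resolvers a given machine should be using is small and known, so anything outside it is worth a look.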
Rasheed187
May 5th, 2006, 04:11 PM
Thanks for the info Suzi, the only problem is that most of these sites seem to be doing absolutely nothing, with this I mean that I'm not getting any alerts from my security tools and my virtual system seems to stay clean even after visiting these sites. So perhaps I'm out of "luck" or something. ::)
suzi
May 5th, 2006, 05:33 PM
Are you going to the sites on a fully patched machine? If so, you might not see much activity. They are generally targeting users with unpatched machines. Most of my vm are XP Pro with no service packs so I can get hit with all the exploits to see what the bad guys are up to.
Also, the CWS sites rotate content pretty quickly, so one that's not active this week might be active next week. If you keep going through Webhelper's list, I'm sure you'll hit some bad ones eventually.
thedon57
May 6th, 2006, 12:46 PM
Thank you again suzi been running SocketShield now for 3 days and it is so nice knowing that it works well with all my other antiviruses etc I have installed.
So there you are you have made me very happy and I always read your posts incase you mention anything else that I need to know.
Rasheed187
May 6th, 2006, 02:43 PM
-{ Quote: "Are you going to the sites on a fully patched machine? If so, you might not see much activity. They are generally targeting users with unpatched machines. Most of my vm are XP Pro with no service packs so I can get hit with all the exploits to see what the bad guys are up to. " }-
Well, I use partially patched machines, but you're right, I think I should probably just install a fully unpatched virtual machine. But since you do seem to have success, I hope you can perhaps test more anti malware tools, because strangely enough nobody else is doing this. ;)
rogert30062
May 6th, 2006, 09:27 PM
-{ Quote: "Well, I use partially patched machines, but you're right, I think I should probably just install a fully unpatched virtual machine. But since you do seem to have success, I hope you can perhaps test more anti malware tools, because strangely enough nobody else is doing this. ;)" }-
No... that's not the problem. If you were going to the right places, nearly all of them would _try_ to hit you, regardless of whether or not you're patched. If you're patched, they can't hurt you, but they'll still try. And SocketShield would pick them up anyway.
It must be something else.
Roger
TNT
May 6th, 2006, 09:50 PM
-{ Quote: "No... that's not the problem. If you were going to the right places, nearly all of them would _try_ to hit you, regardless of whether or not you're patched. If you're patched, they can't hurt you, but they'll still try. And SocketShield would pick them up anyway." }-That's not really correct. Many of the exploit sites I've seen lately won't even try if, say, you're not running IE (meaning that they can't determine server-side that you're using IE). If they detect IE, they load the page full of exploits; if they can't, it's just an empty page with no content at all. I've seen only one exception, a web site serving exploits also for old versions of Firefox (it's reported in Sunbelt's blog), but this STILL "sniffed" the browser and wouldn't serve anything if it didn't correspond to a vulnerable version.
Lately it's the "normal" behavior of the traffdollar.biz and similar exploit droppers, who seem by far the most active around.
The most puzzling example I've seen lately seems to involve the usual javascript obfuscation code, but apparently coded in a way that it doesn't work in Firefox at all (at least 1.5), while it apparently works in IE. This means that even if you "mask" the browser by changing the user agent string, you won't be able to reproduce the javascript's behavior in Firefox. I'm not sure this is the case, but it seems so. If this is the case, it's a really discomforting example of how much effort these criminals are putting into this kind of job: they're actually testing the scripts so that the behavior is different not only server-side, but client-side as well.
Smokey
May 7th, 2006, 07:26 AM
-{ Quote: "If you contact them, will you let us know how responsive they are?" }-
Hi Notok,
After all the problems with SocketShield, I had no appetite anymore for the program.
But Roger\XPL had read in this thread about my problems, and suggested that I contact him by email to solve them.
He sent me an LSP utility to discover the (probable) cause, and made suggestions too.
As I already assumed, it was an LSP driver conflict, because SocketShield uses an LSP driver.
Finally, I discovered the guilty LSP drivers on my machine that caused the conflicts with SocketShield:
-F-Secure AV Client Security v6
-Internet Download Manager v5
Uninstalled both, installed SocketShield, but the next problem was there:
most of the taskbar icons were missing.
Repair didn't solve this problem; I did an alternative trick, and it worked.
Everything is running smoothly at the moment, and SocketShield is running now without any problems.
I must say: XPL was very responsive in their reaction.
Now I drink 5 bottles of cold beer, to calm down my damaged nerves.
Ciao,
Smokey
controler
May 7th, 2006, 03:00 PM
Suzi? Or anyone else for that matter, have you tried SocketShield at Spycar.org yet?
Thanks
controler
TNT
May 7th, 2006, 03:08 PM
-{ Quote: "Suzi? Or anyone else for that matter, have you tried SocketShield at Spycar.org yet?" }-??? This program protects from remote exploits, Spycar.org does not contain remote exploits, only "tests" you run from your own machine.
controler
May 7th, 2006, 03:22 PM
OK thanks TNT, after rereading the Spycar site, it was indeed created to test anti-spyware, not browser exploits;)
I am only running BOClean, Jetico firewall, NOD32 and SocketShield, all set to max on this test machine, and a bunch of, shall we call them, system exploits still got through.
controler
TNT
May 7th, 2006, 03:29 PM
-{ Quote: "OK thanks TNT, after rereading the Spycar site, it was indeed created to test anti-spyware, not browser exploits;)
I am only running BOClean, Jetico firewall, NOD32 and SocketShield, all set to max on this test machine, and a bunch of, shall we call them, system exploits still got through." }-Well, unless you block them at network level the exploit attempts do get through, but that doesn't mean they actually work. Did they actually infect you?
EDIT: sorry, I missed that you used SocketShield (so they should have been blocked at network level). What exploits were these?
rogert30062
May 7th, 2006, 04:25 PM
-{ Quote: "OK thanks TNT, after rereading the Spycar site, it was indeed created to test anti-spyware, not browser exploits;)
I am only running BOClean, Jetico firewall, NOD32 and SocketShield, all set to max on this test machine, and a bunch of, shall we call them, system exploits still got through.
controler" }-
Hi Controler,
What do you mean "System exploits still got through", please?
Roger
controler
May 7th, 2006, 05:42 PM
rogert30062
Have you run the tests at Spycar?
Please run them and show your results.
controler
rogert30062
May 7th, 2006, 09:05 PM
-{ Quote: "rogert30062
Have you run the tests at Spycar?
Please run them and show your results.
controler" }-
But .... Controler... there are _no_ exploits there! For each and every thing, you have to agree to install a program and run it. That's not an exploit. That is only useful for testing configuration monitors.
Now, we don't _claim_ to detect all possible exploits .... there are 100's every month, but there are only ever one or two that are actually used by the Bad Guys. Part of what we do is to find the ones actually in use, and to try to prevent them, and more importantly, to monitor for the brand new ones, and provide protection against them until people can patch. So while it's completely possible to find actual proof of concept exploits (if they change from Proof Of Concept to In The Wild, we _will_ detect them) that we don't detect, Spycar doesn't have them.
Thanks for the question though.
Cheers
Roger
Bubba
May 7th, 2006, 11:11 PM
-{ Quote: "it was indeed created to test anti-spyware, not browser exploits" }-While to some it's semantics....it's not just for anti-spyware. If you run any of the Autostart Tests executables....it attempts to drop an executable file to a certain location and then adds a string value to one of the Run keys with a data value referencing that dropped executable's location.
If you run one of their Internet Explorer Config Change Tests executables....it's sole purpose is to make a registry change for whichever test executable you executed.
If anything this is more of a registry protection test than an anti-spyware test, because not many anti-spyware programs cover the policies section of IE, which is what most of those IE tests are changing. Granted....TeaTimer, SpywareGuard....etc....should alert you to the Home page\Search page changes, which can be much more troublesome than one of the IE policy tests....especially for the hard working HJT log cleaner-uppers :-\
What is gained from these tests ?
Everyone's mileage will vary, but to me they are akin to popup stopper tests, which is not a bad thing. We all have to start somewhere in learning, and if user A learns something thru these tests then it was worthwhile.
Vikorr
May 7th, 2006, 11:16 PM
The more I read about this product, the more it seems to me that it should be part of a firewall.
Notok
May 7th, 2006, 11:30 PM
I think there are a lot of possibilities for what this program could be integrated with. I fear it won't be long before they're bought out.
korb
May 10th, 2006, 01:48 PM
I tried to install but always get a 'Windows Installer' error? BTW, I had enabled Windows Installer in Services to start automatically. Any suggestion?
rogert30062
May 10th, 2006, 02:26 PM
-{ Quote: "I tried to install but always get a 'Windows Installer' error? BTW, I had enabled Windows Installer in Services to start automatically. Any suggestion?" }-
Hi Korb,
What OS are you running? If it's 98 or ME, sorry, but we don't currently install on them.
Regards
Roger
korb
May 10th, 2006, 10:34 PM
Hi Roger, thanks for your fast reply. I have just managed to install it by enabling some Windows services. It's now running along with AppDefend, Jetico, Prevx R1 and RegRun 4.5. Just 1 question: if XPL blocks bad IPs, then does it become redundant to secure my hosts file, since I use hostman to block bad IPs too?
And I'm also using 'SocketLock' from GRC, which locks raw sockets in Windows. Do they conflict?
rogert30062
May 10th, 2006, 11:16 PM
-{ Quote: "Hi Roger, thanks for your fast reply. I have just managed to install it by enabling some Windows services. It's now running along with AppDefend, Jetico, Prevx R1 and RegRun 4.5. Just 1 question: if XPL blocks bad IPs, then does it become redundant to secure my hosts file, since I use hostman to block bad IPs too?
And I'm also using 'SocketLock' from GRC, which locks raw sockets in Windows. Do they conflict?" }-
Hi Korb,
I have no idea if they conflict, I'm sorry. :-) It sounds like you've got some great utilities though... we're working on a nice, safe test exploit, that we'll put on our web pages soon ... probably tomorrow... that'll tell whether there's an issue or not.
:-)
I'll post here as soon as it's public!
Cheers, and thanks for giving it a try, and thanks (to everyone) for your feedback,
Roger
rogert30062
May 11th, 2006, 09:02 AM
-{ Quote: "Hi Roger, thanks for your fast reply. I have just managed to install it by enabling some Windows services. It's now running along with AppDefend, Jetico, Prevx R1 and RegRun 4.5. Just 1 question: if XPL blocks bad IPs, then does it become redundant to secure my hosts file, since I use hostman to block bad IPs too?
And I'm also using 'SocketLock' from GRC, which locks raw sockets in Windows. Do they conflict?" }-
Hi Korb,
It was late last night when I answered your post and I didn't notice your question about blocking bad IPs... I don't think it would be redundant. For one thing, we probably block a different set from that which hostman blocks, and secondly, we probably block at a lower level than they do.
Cheers
Roger
lotuseclat79
May 12th, 2006, 09:10 AM
SocketShield blocked IFramers launcher script exploit on my computer when I visited one website.
-- Tom
rogert30062
May 12th, 2006, 10:57 AM
-{ Quote: "SocketShield blocked IFramers launcher script exploit on my computer when I visited one website.
-- Tom" }-
Hi Tom,
That's excellent ... it's how it's supposed to work.
Cheers
Roger
lotuseclat79
May 14th, 2006, 08:45 AM
Hi Roger,
SocketShield detected and stopped an exploit attempt by WMF CVE-2005-2124 with known payload containing the SetAbortProc feature with a known malicious payload. This construct is used for remote execution of the payload.
This happened when surfing and whois identified the website as in Ukraine.
Good catch!
-- Tom
P.S. My WinXP Pro SP2 machine is up-to-date with all critical MS security patches.
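Tom's report above is of a WMF file carrying a SetAbortProc escape record, the construct the late-2005 WMF exploits used. As an added example (not the page's and not XPL's code), here is a defender-side detector for exactly that construct: it walks the WMF record list and flags any META_ESCAPE record whose escape function is SETABORTPROC. The layout used is the documented WMF one (optional 22-byte placeable header with magic 0x9AC6CDD7, an 18-byte standard header, then records of a 4-byte size in words plus a 2-byte function code; META_ESCAPE is 0x0626 and its first parameter word is the escape number, 9 for SetAbortProc). The sample files are constructed inline by the `build_wmf` helper; the escape record carries four placeholder bytes, not a payload.

```python
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # magic DWORD of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626             # record type that carries printer-escape calls
SETABORTPROC = 0x0009            # escape function number for SetAbortProc


def iter_wmf_records(data):
    """Yield (offset, function, params) for each record of a WMF byte string.

    Accepts bare files and files with the placeable header. Raises ValueError
    on a malformed header or a record too small to hold its own size/function.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF standard header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:           # size (2 words) + function (1 word) is the minimum
            raise ValueError(f"bad record size at offset {off}")
        params = data[off + 6: off + size_words * 2]
        yield off, func, params
        if func == META_EOF:
            break
        off += size_words * 2


def scan_wmf(data):
    """Return [(record offset, escape number)] for every META_ESCAPE/SETABORTPROC record."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape = struct.unpack_from("<H", params, 0)[0]
            if escape == SETABORTPROC:
                hits.append((off, escape))
    return hits


# --- constructed sample files for the example (not real exploit files) ----------------

def build_wmf(records, placeable=False):
    """Assemble a minimal WMF from (function, params) pairs; params must be even-length."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    max_record = max((6 + len(p)) // 2 for _, p in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    data = header + body
    if placeable:
        # key, handle, bounding box, inch, reserved; checksum is the XOR of the 10 words
        fields = struct.pack("<IHhhhhHI", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", fields):
            checksum ^= word
        data = fields + struct.pack("<H", checksum) + data
    return data


BENIGN_WMF = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)), (META_EOF, b"")])
# Same drawing plus an escape record asking GDI to SetAbortProc; the 4 data bytes
# are a placeholder, the detector keys on the record type and escape number only.
SUSPECT_WMF = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"XXXX"),
    (META_EOF, b""),
])
SUSPECT_PLACEABLE_WMF = build_wmf([
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"XXXX"),
    (META_EOF, b""),
], placeable=True)


if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("suspect+placeable", SUSPECT_PLACEABLE_WMF)]:
        print(name, scan_wmf(blob))
```

Note that a legitimate metafile has no business asking for an abort procedure at all (the escape only makes sense while printing), which is why flagging the record type alone is enough for a file-scanning rule; a network filter in the position SocketShield occupies would apply the same walk to the body of an image response.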
korb
May 14th, 2006, 11:22 AM
-{ Quote: "Hi Korb,
It was late last night when I answered your post and I didn't notice your question about blocking bad IPs... I don't think it would be redundant. For one thing, we probably block a different set from that which hostman blocks, and secondly, we probably block at a lower level than they do.
Cheers
Roger" }-
Hi Roger, thanks again, it clears my doubt now. What I think is hostman blocks most ad servers while yours blocks dangerous sites. Great. Enjoying XPL protection now.
bellgamin
May 14th, 2006, 02:20 PM
How can we know that SocketShield "works" unless there is a way to actually test it against the kind of threat it is designed to protect against? It's rather like Geico's commercial which proclaims: "So easy a caveman can do it." Ah, but where does one find a caveman nowadays?
nicM
May 14th, 2006, 11:13 PM
-{ Quote: "How can we know that SocketShield "works" unless there is a way to actually test it against the kind of threat it is designed to protect against?
" }-
Well, a good way to test it is to surf on some nasty sites, to sit and to watch the alerts ;D .
http://img530.imageshack.us/img530/509/socket10hm.th.jpg (http://img530.imageshack.us/my.php?image=socket10hm.jpg)
I must say SocketShield was pretty efficient during the few tests I did: when you visit again a site where exploits were blocked, but this time without SocketShield (with both protections disabled), you get the payload going with the exploits.
And btw another way to check its efficiency is to uncheck the "block malicious sites" box: thus you can see that sites which were blocked as "malicious sites" before are now blocked through their exploits (if there are any).
It doesn't totally replace an anti-spyware, but that's a nice addition to have along.
Cheers,
nicM
lotuseclat79
May 17th, 2006, 07:58 PM
I see that Beta version 0.9.6 of SocketShield is now available. Does anyone know if you can install the newer version over top of the Beta 0.9.5 version or do you have to uninstall the older version first, then install the new version?
Tia,
-- Tom
gerardwil
May 17th, 2006, 08:21 PM
-{ Quote: "I see that Beta version 0.9.6 of SocketShield is now available. Does anyone know if you can install the newer version over top of the Beta 0.9.5 version or do you have to uninstall the older version first, then install the new version?
Tia,
-- Tom" }-
Just download and run. It will guide you through the install process.
Gerard
gerardwil
May 31st, 2006, 02:38 PM
As of now SocketShield 0.9.6 is out of beta and cannot be downloaded anymore.
However you can download a free 15-day trial copy (version 1.0.0).
http://www.explabs.com/ss/index.html
Gerard
dja2k
June 2nd, 2006, 03:23 PM
-{ Quote: "As of now SocketShield 0.9.6 is out of beta and cannot be downloaded anymore.
However you can download a free 15-day trial copy (version 1.0.0).
http://www.explabs.com/ss/index.html
Gerard" }-
Trial version for 15-days, damn! Now I am glad I beta tested Socketshield and got myself a free 90 day key. :D
dja2k
CogitoErgoSum
June 18th, 2006, 12:30 PM
For those of you who would like to trial SocketShield and minimize installation problems, I have the following advice for you. If you are running RegRun Platinum 4.6 or a similar app. set to maximum security, I highly recommend that you disable all of its "active" and "real-time" features before and after the installation of SocketShield. By doing so, it will allow SS to install properly and prevent WINSOCK from being corrupted, disabled or unloaded. On the other hand, what I have found is that depending on your system or resident security apps., NOD32 and Windows may or may not need to be rebooted after installing SS.
Peace & Love,
CogitoErgoSum
lu_chin
June 19th, 2006, 08:50 PM
Does SS look at all tcp and udp packets? Or does it only examine packets intended for certain ports (e.g. 80)? How about SSL transactions? Also, if I shutdown the SS monitor program, will network traffic not be examined by SS?
Thanks.
rogert30062
June 19th, 2006, 10:47 PM
-{ Quote: "Does SS look at all tcp and udp packets? Or does it only examine packets intended for certain ports (e.g. 80)? How about SSL transactions? Also, if I shutdown the SS monitor program, will network traffic not be examined by SS?
Thanks." }-
Hi lu_chin,
Thanks for your questions. SS is an LSP driver. What this means is that we get to see all tcp and udp traffic... not just certain ports. Having said that, we would not be able to do anything with SSL transactions, because we're not an endpoint.
We're not meant to be a 100% solution... just 98 or 99%. The point is that most exploits are simply cut and pasted from the original proofs of concept... mostly they just change the payload, and leave the exploit the same. We don't try to handle the 300+ exploits that are announced each month, because most of them never become a problem to the world. Instead we try to guess (or discover using our Intelligence Network) which ones are _really_ in use, and then protect against those.
An analogy is that you might get hit by a meteor, which would be devastating if you did, but no one goes around building meteor shelters. It's more important to worry about the things that have some chance of happening.
A case in point is the current excel 0-day. We have a signature for that, but we're reluctant to release it. The exploit in this case is tightly targeted... it's not widespread at all. So far, there is just a single case. We could release this signature, and tell everyone we have them safe, but the truth is that it would be pointless. Most people will never see this anyway. Now, if the excel 0-day goes into wide use, or becomes used in a worm, then we'll release the signature.
Regarding the SS Monitor program ... it doesn't have to be running at all to provide protection. LSP drivers are automatically loaded by Winsock, whenever Winsock is accessed. The SS Monitor is just there to provide a visible interface.
Cheers
Roger
ExpLabs.com
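Roger's description above (an LSP sees every TCP/UDP buffer regardless of port, cannot see inside SSL because it is not an endpoint, and, as he said earlier, blocks at a lower level than a hosts file) can be sketched as a single filter function. The following Python is an added illustration written for this thread, not SocketShield's code: the blocked network, the hosts-file entries, the signature patterns and the sample buffers are all constructed, and the CreateTextRange pattern is deliberately crude (it would match plenty of legitimate DHTML) purely to show where a content signature sits relative to the IP and TLS checks.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed blocklist of addresses known to serve exploits (TEST-NET-3 as a stand-in).
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed hosts-file style blocklist: it is keyed by name, never by address.
HOSTS_FILE = {"bad.example": "127.0.0.1"}

# Constructed, deliberately crude content signatures, applied to plaintext buffers only.
SIGNATURES = {
    "ie-createtextrange-script": re.compile(rb"createTextRange\s*\(", re.IGNORECASE),
    "wmf-in-http-body": re.compile(rb"\xd7\xcd\xc6\x9a"),  # placeable WMF magic, little-endian
}


def hosts_file_blocks(name_or_ip):
    """A hosts file matches names only; a literal IP or an unlisted alias walks straight past it."""
    return name_or_ip in HOSTS_FILE


def is_tls_record(payload):
    """True if the buffer opens with a TLS record header (content type byte, version 3.x)."""
    return (len(payload) >= 3
            and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03 and payload[2] <= 0x04)


def inspect(dst_ip, payload):
    """What an LSP-level filter can decide from a connection's peer and first buffer.

    Returns (verdict, reason). The order is the point: the IP check needs no payload,
    TLS is passed through uninspected because the filter is not the TLS endpoint,
    and only plaintext ever reaches the signature scan.
    """
    if any(ip_address(dst_ip) in net for net in BLOCKED_NETWORKS):
        return ("block", "ip-blocklist")
    if is_tls_record(payload):
        return ("pass", "tls-opaque")
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return ("block", name)
    return ("pass", "clean")


# Constructed sample buffers.
CLEAN_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>"
SUSPECT_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html><script>var r = document.getElementById('c').createTextRange();</script></html>")
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32


if __name__ == "__main__":
    for ip, buf in [("203.0.113.7", CLEAN_HTML), ("198.51.100.5", TLS_CLIENT_HELLO),
                    ("198.51.100.5", SUSPECT_HTML), ("198.51.100.5", CLEAN_HTML)]:
        print(ip, inspect(ip, buf))
    print("hosts file stops bad.example:", hosts_file_blocks("bad.example"))
    print("hosts file stops 203.0.113.7:", hosts_file_blocks("203.0.113.7"))
```

Two things fall out of the sketch: the IP check fires even for a connection made by literal address or through a name the hosts file has never heard of, which is the sense in which address blocking sits "lower" than hosts-file blocking; and an exploit served over HTTPS reaches the signature stage as opaque TLS bytes, so that case has to be covered by something that is an endpoint (the browser, or a scanning proxy that terminates TLS).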
lu_chin
June 20th, 2006, 03:32 PM
Hi Roger, thanks for the quick and informative reply. I am trying out SS with some security programs which use their own LSP to monitor http traffic. I am checking if any conflicts or slowness due to this LSP chaining exist.
Cheers.
-{ Quote: "Hi lu_chin,
Thanks for your questions. SS is an LSP driver. What this means is that we get to see all tcp and udp traffic... not just certain ports. Having said that, we would not be able to do anything with SSL transactions, because we're not an endpoint.
We're not meant to be a 100% solution... just 98 or 99%. The point is that most exploits are simply cut and pasted from the original proofs of concept... mostly they just change the payload, and leave the exploit the same. We don't try to handle the 300+ exploits that are announced each month, because most of them never become a problem to the world. Instead we try to guess (or discover using our Intelligence Network) which ones are _really_ in use, and then protect against those.
An analogy is that you might get hit by a meteor, which would be devastating if you did, but no one goes around building meteor shelters. It's more important to worry about the things that have some chance of happening.
A case in point is the current excel 0-day. We have a signature for that, but we're reluctant to release it. The exploit in this case is tightly targeted... it's not widespread at all. So far, there is just a single case. We could release this signature, and tell everyone we have them safe, but the truth is that it would be pointless. Most people will never see this anyway. Now, if the excel 0-day goes into wide use, or becomes used in a worm, then we'll release the signature.
Regarding the SS Monitor program ... it doesn't have to be running at all to provide protection. LSP drivers are automatically loaded by Winsock, whenever Winsock is accessed. The SS Monitor is just there to provide a visible interface.
Cheers
Roger
ExpLabs.com" }-
rogert30062
June 20th, 2006, 05:47 PM
-{ Quote: "Hi Roger, thanks for the quick and informative reply. I am trying out SS with some security programs which use their own LSP to monitor http traffic. I am checking if any conflicts or slowness due to this LSP chaining exist.
Cheers." }-
Ahhh .... well, good luck, and please let us know if you have any problems.
:-)
Roger
Defenestration
July 23rd, 2006, 03:31 PM
-{ Quote: "@ rogert30062
I'm talking about tools like Kaspersky AV and other AVs with http scanning. Isn't the concept about the same? If KAV and other tools recognize malware they will block access to your system. Can SocketShield (SS) be compared to these tools?" }-I'd also like to know whether SocketShield is anything like the HTTP scanners offered by some AVs (eg. KAV, NOD32 etc) ?
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums