Exploit Labs just released these programs for public consumption. Check it out if you will: http://www.explabs.com/

great to see they have a free version, i may add it to my arsenal.

Could It be an OEM product from CallingID?

It keeps connecting to db.callingid.com before getting the result.

LinkScanner = SocketShield ?!? It's nice to see that they have Free version too. I reinstall my setup today and definitely add LinkScanner.


-MikeNAS

EDIT: I answer to my own question.

Exploit Prevention Labs is about to release a new product called LinkScanner Pro. LinkScanner Pro will replace SocketShield as our premium consumer security product. We are offering current SocketShield users an opportunity to install this new product before its official launch, which is scheduled for the week of November 27th.

Upgrading to LinkScanner Pro now, or in two weeks, is not mandatory but is highly recommended. SocketShield will continue to protect your computer and receive updates for the length of your license should you choose not to upgrade.

-{ Quote: "i may add it to my arsenal." }-
nvm. its only for Internet Explorer :(

WTF?!?! Are they so stupid and don't give Firefox/Opera support?

I have just installed LinkScanner Pro and am pleasantly surprised to see that the conflicts with both NOD32 and RegRun Platinum 4.6 have been resolved in this latest release. FYI, based upon personal experience, the former SocketShield and current LinkScanner will protect against exploits in Internet Explorer, FireFox and Opera.


Peace & Love,

CogitoErgoSum

so, is this(the free version) a competitor to SiteAdvisor?
Could interest me if they add support for third-party browsers

Hi, folks: I just installed pro version and commenced using it. I have the doubt of its usefulness and effectiveness. For an example, it flagged two popular d/l sites as Risky; majorgeeks.com and snapfiles.com. And I do not know how many others will be ended up w/ same fates. Is this piece of app worth $20.00 (after deep discount) ?::)

Hi, folks: Strange, strange. 40 minutes after my previous posting, I went back to visit those two d/l sites in question, guess what, No alerts at all. Can someone help me solving this puzzle ????

-{ Quote: "Could It be an OEM product from CallingID?

It keeps connecting to db.callingid.com before getting the result." }-

Hi,

We do OEM CallingId, although it is not the only thing we do.

Firstly, we check our own databases for our own opinion of what the site is about. These are stored locally on the pc, and are very quick. We then scan the target page using our SocketShield engine. If that's still ok, we get an opinion from CallingId.

Cheers

Roger
CTO, Explabs.com

-{ Quote: "Hi, folks: Strange, strange. 40 minutes after my previous posting, I went back to visit those two d/l sites in question, guess what, No alerts at all. Can someone help me solving this puzzle ????" }-

Hi Perman,

I checked both sites and both came up clear for me. Neither site is in our databases, and neither is likely to be throwing exploits. They might have come up from our call out to CallingID, and they might have cleared them (which they should have).

We're still tweaking stuff, and it's a dynamic web we're dealing with, so if you see something weird and can get a screen shot, feel free to send it to me and we'll sort it out.

Cheers

Roger
rthompson@explabs.com

-{ Quote: "so, is this(the free version) a competitor to SiteAdvisor?
Could interest me if they add support for third-party browsers" }-

Hi Lucas,

We are adding support for 3rd party browsers. Firefox is first. The free version will only work with IE, but the Pro version does real time scanning using SocketShield, and works with all browsers now.

Roger
CTO
Explabs.com

Hi,folks: Hi, roger, thanks for your prompt reply, especially as your capacity as a CTO. There are three updates of malsite detection already since I installed pro version 9 hours ago. This is very impressive. Nice work indeed.:thumb:

-{ Quote: "Hi Lucas,

We are adding support for 3rd party browsers. Firefox is first. The free version will only work with IE, but the Pro version does real time scanning using SocketShield, and works with all browsers now.

Roger
CTO
Explabs.com" }-
Thanks for your quick and detailed answer.
It´s a shame that you only support IE in the free version because you already have a really big competitor working on alternate browsers. Your technology is more advanced but you can´t beat free ;)
You must consider that a free version working on Firefox/Opera could give you a lot of site testing and bug reporting. This feedback might enhance your core bussines.
At this moment, this(perhaps immense) potential belongs to McAfee

I'm also not interested on it if the free version not support Firefox and Opera...

-{ Quote: "Hi,folks: Hi, roger, thanks for your prompt reply, especially as your capacity as a CTO. There are three updates of malsite detection already since I installed pro version 9 hours ago. This is very impressive. Nice work indeed.:thumb:" }-

:-)

Thanks!

-{ Quote: "Thanks for your quick and detailed answer.
It´s a shame that you only support IE in the free version because you already have a really big competitor working on alternate browsers. Your technology is more advanced but you can´t beat free ;)
You must consider that a free version working on Firefox/Opera could give you a lot of site testing and bug reporting. This feedback might enhance your core bussines.
At this moment, this(perhaps immense) potential belongs to McAfee" }-

Sorry .... slight misunderstanding there. The free version will also work with at least Firefox, when we have the Firefox module, which will be soon-ish. Dunno how far out Opera is.

What I meant was that the Pro version does real time scanning for all browsers now.

Cheers

Roger
CTO
Explabs.com

-{ Quote: "Sorry .... slight misunderstanding there. The free version will also work with at least Firefox, when we have the Firefox module, which will be soon-ish. Dunno how far out Opera is.

What I meant was that the Pro version does real time scanning for all browsers now.

Cheers

Roger
CTO
Explabs.com" }-
Great news. Firefox support is a must for me :thumb:
So:
-Free version relies only in the database. Same as SiteAdvisor
-Paid version adds real time scanning

i had the paid version of scoketshield and installed the beta of linkscanner -pro now i downlaoded the full version of linkscanner pro.my question is that xpl sent me a key for a free year of linkscanner pro for being a beta tester,now do i enter that key now or wait till my sub is over then enter the key.i still have 300 days left on my paid key.if i put in the new key will it add 1 year to my 300 days or not?or should i wait.

If you put the new key in, it will add it on top of your old key. I had beta tested, but then decided to puchase a 1 year license for SocketShield. As soon as it was installed, I got the message to upgrade to LinkScanner and decided to do it. They gave me a new key and when I entered it, I had 2 years instead of 1 year on my subscription! I was doing some searching this afternoon and already got some serious RED alerts about some search links. I find the info much better than what I used to get from Site Advisor.

I will wait for the Opera support...

-{ Quote: "Great news. Firefox support is a must for me :thumb:
So:
-Free version relies only in the database. Same as SiteAdvisor
-Paid version adds real time scanning" }-

Hi Lucas,

That's still not quite right.

Free version still scans the webpages programmaticly, as well as looking up our databases.... but only on demand.

Paid version also scans the TCPIP stream in real time.

Put another way ... if you QuickScan a webpage or do a google search with the free version, it checks out all the pages, but doesn't go to infinite depths on the links. It would take too long.

The paid version does all of that, but also watches what comes along the TCPIP stream, whether you're doing a specific search or not.

So... if you're just surfing the web, as opposed to specific searching, the Pro version is better because it's always watching.

It's the difference between on demand antivirus scanning and realtime antivirus scanning.

Does that make sense?

Roger
CTO
Explabs.com

-{ Quote: "Hi,

We do OEM CallingId, although it is not the only thing we do.

Firstly, we check our own databases for our own opinion of what the site is about. These are stored locally on the pc, and are very quick. We then scan the target page using our SocketShield engine. If that's still ok, we get an opinion from CallingId.

Cheers

Roger
CTO, Explabs.com" }-

Thanks for the reply.

I could not get my computer to work properly until I disabled SSM. I could not even uninstall Linkscanner Pro while I had SSM running. It seems to work fine now but is there some setting I need to make for SSM to run at the same time? LSP looks like a great program to have.

Thanks.

-{ Quote: "Hi Lucas,

That's still not quite right.

Free version still scans the webpages programmaticly, as well as looking up our databases.... but only on demand.

Paid version also scans the TCPIP stream in real time.

Put another way ... if you QuickScan a webpage or do a google search with the free version, it checks out all the pages, but doesn't go to infinite depths on the links. It would take too long.

The paid version does all of that, but also watches what comes along the TCPIP stream, whether you're doing a specific search or not.

So... if you're just surfing the web, as opposed to specific searching, the Pro version is better because it's always watching.

It's the difference between on demand antivirus scanning and realtime antivirus scanning.

Does that make sense?

Roger
CTO
Explabs.com" }-
Just great :thumb: :thumb:
This definitively replaces SiteAdvisor in my arsenal
Since you use AVs as a comparative I wonder if you can tell us something about your "engine"
Thanks for your time and keep up the good work

-{ Quote: "I could not get my computer to work properly until I disabled SSM. I could not even uninstall Linkscanner Pro while I had SSM running. It seems to work fine now but is there some setting I need to make for SSM to run at the same time? LSP looks like a great program to have.

Thanks." }-

Thanks! We think it'll be really helpful to keep people safe as more and more apps are put on the web.

What's SSM? I'd like to sool our QA folks onto it.

Roger

CTO
Explabs.com

-{ Quote: "Thanks! We think it'll be really helpful to keep people safe as more and more apps are put on the web.

What's SSM? I'd like to sool our QA folks onto it.

Roger

CTO
Explabs.com" }-
SSM = System Safety Monitor (http://syssafety.com/)

Yes, as Lucas said. SSM = System Safety Monitor. I had to disable SSM. That seems to have LSP working alright. Essentially, Windows froze when I tried to launch my browser (IE6) with both LSP and SSM running at the same time.

-{ Quote: "Yes, as Lucas said. SSM = System Safety Monitor. I had to disable SSM. That seems to have LSP working alright. Essentially, Windows froze when I tried to launch my browser (IE6) with both LSP and SSM running at the same time." }-

Ah... thanks Lucas and ACR .... we'll take a look at it. It probably thinks we're attacking it or something.

Cheers

Roger
CTO
ExpLabs.com

-{ Quote: "Just great :thumb: :thumb:
This definitively replaces SiteAdvisor in my arsenal
Since you use AVs as a comparative I wonder if you can tell us something about your "engine"
Thanks for your time and keep up the good work" }-

Sure.

We have an LSP driver. LSP stands for Layered Service Provider. With Winsock 2, Microsoft kindly provided an API for stream inspection and modification, which we use for exactly that. This is what SocketShield was/ is, and is still the heart of the product, but we found that most users (Wilders folks excepted) did not understand the idea of a socket, but nearly everyone understood the idea of LinkScanning.

So we have a neat LSP driver, and a scanning engine that allows us to do nice pattern matching within the TCP stream, above Winsock, but just before it reaches the browser.

My position is that most exploits are cut and pasted by the Bad Guys... they're not able to modify the machine code much, but they're able to change the payload. We don't care what the _payload_ is... we simply try to detect the exploit, and kill it. What this means is that we're able to catch lots of variations, because the "variation" is in the payload, not the exploit.

That was SocketShield... now we're expanding what we look for to include social engineering things, like fake codecs, and dialers, stuff like that.

We're not saying we're perfect, and unbeatable, or anything silly like that, but we're monitoring what the Bad Guys are doing all the time, and trying our best to interpose ourselves as quickly as possible when something comes up.

Cheers

Roger

Thanks again, I´ll read the documentation and whitepapers at your web
I believe that your application will receive a warm welcome here
Be aware that most Wilders folks use more than just AV and firewall. HIPS are very common
If you want I can post or PM you with a list of the most used security apps

Will the TCPIP stream scanning occur before or after a software firewall filter the traffic? How about AV programs that do web traffic scanning?

Thanks.

-{ Quote: "Sure.

We have an LSP driver. LSP stands for Layered Service Provider. With Winsock 2, Microsoft kindly provided an API for stream inspection and modification, which we use for exactly that. This is what SocketShield was/ is, and is still the heart of the product, but we found that most users (Wilders folks excepted) did not understand the idea of a socket, but nearly everyone understood the idea of LinkScanning.

So we have a neat LSP driver, and a scanning engine that allows us to do nice pattern matching within the TCP stream, above Winsock, but just before it reaches the browser.

My position is that most exploits are cut and pasted by the Bad Guys... they're not able to modify the machine code much, but they're able to change the payload. We don't care what the _payload_ is... we simply try to detect the exploit, and kill it. What this means is that we're able to catch lots of variations, because the "variation" is in the payload, not the exploit.

That was SocketShield... now we're expanding what we look for to include social engineering things, like fake codecs, and dialers, stuff like that.

We're not saying we're perfect, and unbeatable, or anything silly like that, but we're monitoring what the Bad Guys are doing all the time, and trying our best to interpose ourselves as quickly as possible when something comes up.

Cheers

Roger" }-

Thanks OldRebel. Did what you said and it worked.Added 1 yr on my sub.

-{ Quote: "Will the TCPIP stream scanning occur before or after a software firewall filter the traffic? How about AV programs that do web traffic scanning?

Thanks." }-

Hi Lu_Chin,

TCP scanning occurs after, and at a higher level, than a firewall. This means that firewalls can see and stop things that we can't, and vice versa. They're look at stuff at the packet level, and we're looking at the stream level.

I don't think any AV programs actually look at the stream. Despite some claims to the contrary, I think they mostly scan things as they hit the disk cache, which is after the stream has been accepted and parsed by the browser. They _say_ they're scanning html, but if there's an exploit involved, it's a bit late.

But I'm not knocking anti virus programs... they're completely necessary. We're not meant to replace anything ... av or firewall or anti spy or HIPS. We're simply an extra security layer.

Cheers

Roger

Hi Roger, I download the trial version and after installing it I lose my network connection. I have to uninstall LS Pro and reboot to get back my network connection. I am running KIS 6.0 pre-MP1 and Outpost 4.0.

Thanks.

-{ Quote: "Hi Roger, I download the trial version and after installing it I lose my network connection. I have to uninstall LS Pro and reboot to get back my network connection. I am running KIS 6.0 pre-MP1 and Outpost 4.0.

Thanks." }-

Hi Lu_chin,

Sorry to hear that, but I'm glad uninstall got it back for you. We'll take a look at it. I think we are well tested with KIS and Outpost. Is there anything else that is unusual about your setup?

Cheers

Roger

Thanks Roger. I am running Online Armor 1.1 also.

-{ Quote: "Hi Lu_chin,

Sorry to hear that, but I'm glad uninstall got it back for you. We'll take a look at it. I think we are well tested with KIS and Outpost. Is there anything else that is unusual about your setup?

Cheers

Roger" }-

-{ Quote: "Thanks Roger. I am running Online Armor 1.1 also." }-

Ahhhh... I bet that's the culprit. We'll take a look.

Cheers

Roger

Interesting product, I hope it works nicer than services like Scandoo for example, not that I´m really into these kind of apps, but still interesting. So I will check it out, and also nice that it´s free. :)

If the papers are true, this is definitively better than SiteAdvisor or Scandoo.
It´s more than just a central database.
I´ll do a limited test in the weekend but until now looks very good. There are few FP like troyanexplore.com.ar

-{ Quote: "Ah... thanks Lucas and ACR .... we'll take a look at it. It probably thinks we're attacking it or something.

Cheers

Roger
CTO
ExpLabs.com" }-

Did you find out the issue in regards to some conflicts with other programs? I would like to reinstall SSM as it is a nice program. Maybe I'll have to try another program though.

Are you aware of whether the conflicts exist with only your pro version? If so I may just try the free version until the conflict is resolved.

Thanks.

-{ Quote: "Did you find out the issue in regards to some conflicts with other programs? I would like to reinstall SSM as it is a nice program. Maybe I'll have to try another program though.

Are you aware of whether the conflicts exist with only your pro version? If so I may just try the free version until the conflict is resolved.

Thanks." }-

Hi Acr,

Still working on it.

Cheers

Roger

Two questions:
-Are you scanning links related to phising/spam?
-Can SiteAdvisor plug-ins be used together with LinkScanner Lite?

Analyze these links:
-FP

http://www.troyan.tk/
http://www.troyanexplore.com.ar/

-Very suspicious(extracted from a little collection)

hxxp://xxx.spazbox.net/
hxxp://xxx.lyricsdomain.com/
hxxp://xxx.lop.com
hxxp://xxx.amazingautossearch.com

-{ Quote: "Two questions:
-Are you scanning links related to phising/spam?
-Can SiteAdvisor plug-ins be used together with LinkScanner Lite?

Analyze these links:
-FP

http://www.troyan.tk/
http://www.troyanexplore.com.ar/

-Very suspicious(extracted from a little collection)

hxxp://xxx.spazbox.net/
hxxp://xxx.lyricsdomain.com/
hxxp://xxx.lop.com
hxxp://xxx.amazingautossearch.com
" }-

Hi Lucas,

(1) Well, we're scanning links related to phishing, but not spam.
(2) SiteAdvisor plugins can't be currently used with LinkScanner Lite, but I'll chew on that. It's an interesting thought.

I don't really understand what you are getting at with the rest of your post ... sorry.

Roger

Thanks for your attention
I was meaning that the "suspicious links" are detected as clean by LinkScanner Online. I´ve extracted these links from a Eric L. Howes research (http://www.spywarewarrior.com/uiuc/dbd-anatomy.htm)
The FP links are false positives. Troyan Explore is a legitimate company, an anti-trojan vendor. You can contact them at info[at]troyanexplore[dot]com.ar
Thanks again

-{ Quote: "Thanks for your attention
I was meaning that the "suspicious links" are detected as clean by LinkScanner Online. I´ve extracted these links from a Eric L. Howes research (http://www.spywarewarrior.com/uiuc/dbd-anatomy.htm)
The FP links are false positives. Troyan Explore is a legitimate company, an anti-trojan vendor. You can contact them at info[at]troyanexplore[dot]com.ar
Thanks again" }-

Ok.... now I understand.

There are a couple of things here.

Firsty, LinkScanner online is still only using version 1 of SocketShield, so it can only see about half of what LinkScanner Pro and Lite can see. We'll soon have it upgraded, but right now it's not. The right way to test is to install LinkScanner Pro or Lite and give that a try. Or wait until LinkScanner Online catches up.

Secondly, Eric Howes is a smart guy and a respected collegue, but I think you'll find that few of those sites are actually live now, and of those that are, none are serving up anything malicious. Some are merely parked domains, and some are search engines, but that is not enough to convict them. They might tomorrow, but are not today. This highlights the importance of real time, programmatic evaluations as opposed to database lookups. The malicious sites are really transient, and rarely last more than a couple of weeks before they're shut down. Almost any published list is relatively clean after a month or so.

And regarding troyanexplore[dot]com... all we're reporting for that, as far as I can see, is a yellow warning. That is the most minor thing we can say about a site, and it's so minor, we actually give you the option of turning those warnings off.

So, we actually have four levels... green means there's nothing that we can detect, yellow means there's something a little strange about that site, orange means you should be really careful with this site, and red means we know it's bad.

Does this make sense?

Roger

Thanks for your feedback :thumb:
You and your team have made a really nice app ;)

-{ Quote: "Thanks for your feedback :thumb:
You and your team have made a really nice app ;)" }-

Thank you very much.

:-)

Roger

My question is how does scanning the TCP stream affect overall speed of a fast broadband connection? I believe that I tested socketshield some while back, but stopped using it after my speedtests were significantly slower with it activated. (I could be wrong about this, I'm just trying to remember why)

Could you please comment on how both free and pro versions affect this?

-{ Quote: "My question is how does scanning the TCP stream affect overall speed of a fast broadband connection? I believe that I tested socketshield some while back, but stopped using it after my speedtests were significantly slower with it activated. (I could be wrong about this, I'm just trying to remember why)

Could you please comment on how both free and pro versions affect this?" }-

Hi,

Thanks for the questions.

I don't think we affect speed on a fast broadband connection. We built it for speed, and in our tests, it is never noticably slow. I think LinkScanner is just the same as SocketShield for regular surfing.

Now, for search engine searching, there _will_ be a slowdown, because it's flat out doing more work. It's accessing every site on the results page, and making an assessment of them. For most people, it's noticable but acceptable, but it does depend on the speed of the webservers being scanned.

If it's a problem in your situation, you can switch out the search engines, and just use either the QuickScan capability as you need it, or rely on the real time scanning.

The LinkScanner version of the SocketShield engine is still capable of seeing many more things than SocketShield.

Roger

Hello, regarding your statements about speed, it seems your product hinders my speedtests greatly.

I trialed Linkscanner Pro, with the search engine scanning disabled.
First, before the product was installed, ran a speedtest from speakeasy.net/speedtest and received between 19,000-20,000 kbps consistantly for my download speed. After installing your product, I received between 2,000-3,000 kbps consistantly over the span over several tests from the same server.

So, I uninstalled the product again to make sure that there were no other factors involved, and right back to 19-20k on the download speed.

Now I like the entire concept of your product line, and would love to add it to my arsenal, BUT... I'm sure you can understand that a drop in speed like what I'm experiencing is far too much a sacrifice to make for the extra security.

The only thing I can think of that may be conflicting with your product is KIS6 MP1 (6.0.1.411) web scanner. I had to adjust the web scanner's fragment buffer to 16 seconds in order to not experience a slowdown with their product (similar to the same thing that's happening with yours), but I read somewhere in this thread that you guys confirmed compatibility with KIS.

Anyways, nice job on your efforts regardless if my PC isn't playing nicely, and I would still trial for a third time if this could be resolved in the future. Take care.

Roger,

When do you think that the support for Opera will be added to the Lite version?

Regards

-{ Quote: "Hello, regarding your statements about speed, it seems your product hinders my speedtests greatly.

I trialed Linkscanner Pro, with the search engine scanning disabled.
First, before the product was installed, ran a speedtest from speakeasy.net/speedtest and received between 19,000-20,000 kbps consistantly for my download speed. After installing your product, I received between 2,000-3,000 kbps consistantly over the span over several tests from the same server.

So, I uninstalled the product again to make sure that there were no other factors involved, and right back to 19-20k on the download speed.

Now I like the entire concept of your product line, and would love to add it to my arsenal, BUT... I'm sure you can understand that a drop in speed like what I'm experiencing is far too much a sacrifice to make for the extra security.

The only thing I can think of that may be conflicting with your product is KIS6 MP1 (6.0.1.411) web scanner. I had to adjust the web scanner's fragment buffer to 16 seconds in order to not experience a slowdown with their product (similar to the same thing that's happening with yours), but I read somewhere in this thread that you guys confirmed compatibility with KIS.

Anyways, nice job on your efforts regardless if my PC isn't playing nicely, and I would still trial for a third time if this could be resolved in the future. Take care." }-

Hi Mitsu,

It might be that the structure of the speedtest tests doesn't play nicely with us. Does it _feel_ slower with normal surfing?

Thanks for the compliment anyway... we'll certainly try our hardest to resolve your issue.

Cheers!

Roger

-{ Quote: "Roger,

When do you think that the support for Opera will be added to the Lite version?

Regards" }-

Hi VC,

To be realistic, it's probably Q2 07. While it's something we'd like to do, we simply have other things that _need_ doing first, and it's already December.

Sorry,

Roger

-{ Quote: "To be realistic, it's probably Q2 07. While it's something we'd like to do, we simply have other things that _need_ doing first, and it's already December.
" }-
Thanks for the info ;)

Hi Roger,

Sorry I forgot to mention how it felt, that definitely is an important factor. Loading a very "lite" website was not noticable, but for example loading a site such as yahoo.com, where there are multiple smaller images that all need to be downloaded and rendered normally in a quick amount of time, there was a noticable slow down. I'm also using Opera as my primary browser, not sure if that has anything at all to do with what I'm experiencing, but figured I'd mention it anyways. Keep me in mind, and if you find any more information about this and need a tester, I'd be glad to assist.

-{ Quote: "Thanks Roger. I am running Online Armor 1.1 also." }-
Hello Lu_Chin,

I was wondering if you would be willing to enter a support request on our site, so I can help you resolve the loss of network connectivity, you are experiencing.

I did some testing and I installed KIS, OutPost, Online Armor, and LinkScanner Pro, (in that order) with no loss of connectivity. I would like to gather some more information from you about your system.

If you are willing to give us hand, in trying to track down this issue, please enter a support request here (http://explabs.com/support/form.asp).

These issues have been extremely sporadic and we are trying to find the common denominator, in order to resolve the issue. Any help you are willing to provide would be greatly appreciated.


Thanks to all, for your praise and feedback!!

Jon
Technical Support
Exploit Prevention Labs

I am wondering if any one has/is running Exploit Prevention Labs Linkscanner along side the CallingID Link Advisor And The CallingID Toolbar and noticed any problems?

I discovered this threda just today.
LS seems a nice application. I am using lite version( on-demand). Still waiting for Opera suport.
I think pro version might be preferable than web scanner of an AV!

Hi Guys,

How's 'LinkScanner' different than 'SiteAdvisor'? What advantages does LinkScanner have over SiteAdvisor?

Thanks
Rico

-{ Quote: "How's 'LinkScanner' different than 'SiteAdvisor'? What advantages does LinkScanner have over SiteAdvisor?" }-
LS is more than a database of good/suspicious/bad sites. It analyzes the network traffic via LSP hook and look for exploits in addition to a database provided by CallingID (?) For example, it'll find an .ANI exploit no matter if the sited is trusted or not.