SocketShield / protection against zero-day exploits

Discussion in 'other anti-malware software' started by Smokey, Apr 29, 2006.

Thread Status:
Not open for further replies.
  1. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi,

    Protection is automatic.

    When you talk about the app not starting with windows, you are referring to the Control Panel. It doesn't start because it doesn't need to. You only need it for interface.

    _Protection_ is actually provided by an LSP driver, which is always invoked automatically when winsock is loaded by anything, and updating is handled by Monitor, which loads from the Windows Run key, into the system tray.

    Cheers

    Roger
     
  2. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi Roger, thank you for your PROMPT reply. This is THE kind of service we, as viewers, have longed for ALWAYS. Your reply indeed serves as an EYE-OPENER for me. Now I totally understand how your masterpiece works! Thanks. My word of mouth will be an asset to your success. Good luck.:thumb:
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  4. thedon57

    thedon57 Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    30
    Location:
    uk
    I downloaded SocketShield today; it works OK with NOD32, IE7, Windows Defender, and Live OneCare.
    When it installed I just had to let the computer restart itself, then once NOD32 kicked in I had to restart again, but now everything is working OK.
     
  5. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Perman,

    Thank you very much for your kind words.

    :)

    Roger
     
  6. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Ummmm.... when I click the link, it takes me to halfway through this thread... are you having a joke, or am I missing something?

    :)

    Roger
     
  7. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi thedon57,

    Thanks for the info... we've seen that with McAfee too... they seem to want to have control of the LSP chain, but a couple of restarts seem to sort it out.

    Roger
     
  8. thedon57

    thedon57 Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    30
    Location:
    uk
    It was your review I read; very full it was too, well done. That is what made my mind up to install it, so again I thank you.
     
  9. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Roger

    Having a joke? No, not at all. Sorry, I now realise I pasted the same link in my post here earlier to you, my mistake; it was only meant to go in the one below. This is the one I wanted you to take a look at and comment on:

    https://www.wilderssecurity.com/showthread.php?t=129907


    StevieO
     
  10. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Ah... gotcha.

    No, we don't protect against it _yet_, because (1) as far as I can see, no publicly available proof of concept exists _yet_, and (2) no websites are serving it _yet_.

    But, it is a very attractive target for the Bad Guys, and no doubt the race is on to discover what Secunia and Mike Z. already know.

    This is definitely our territory, and as soon as we find something, we'll update everyone.

    Thanks for the question

    Roger
     
  11. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    I have installed SocketShield as well with no problems or slowdowns. I am running KIS 2006 beta 6.0.1.309, Ewido 4 Beta, OA AV+ 1.1.1.760 (AV not active), RegRun Gold 4.5, and Ghost Security AppDefend\RegDefend. All I see in my LSP viewer in Ewido are only SocketShield LSPs. I have not seen it block anything yet. Anyone know any specific site to test to see if it blocks it?

    dja2k
     
  12. suzi

    suzi Registered Member

    Joined:
    May 2, 2006
    Posts:
    8
    I didn't post the domain names/URLs of the sites, but the IP addresses were visible in the SocketShield screenshots. I don't generally post dangerous sites in public forums because there's always a risk that someone will inadvertently get infected and I don't want to be responsible for that.

    If you want dangerous domains, check Webhelper's lists of CoolWebSearch sites -- there are plenty to be found there. ;)

    http://webhelper4u.com/CWS/index.html

    Regarding testing other anti-malware tools, I do that when time permits, but I never make promises on when or what. :)
     
  13. suzi

    suzi Registered Member

    Joined:
    May 2, 2006
    Posts:
    8
    Thanks for the kind words and you're welcome. :)
     
  14. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    First, thanks for your blog's post, suzi, that's very interesting ;) .

    I did try it on a few malicious sites last night, and it did block one CreateTextRange exploit, with 4 malicious sites blocked. But I must say I don't feel I understand exactly how it protects: after these 5 events, nothing was shown as blocked or prevented later, while going on surfing other bad websites, though I did insist, and had lots of warnings from the AV. (But after I closed and reloaded IE, it was still fully "functional", as you said in your blog.)

    Thus I don't know if the last exploits I got were "old-fashioned" ones, not prevented by SocketShield because they're supposed to be prevented by an MS patch, or not o_O

    Then I remembered what you said somewhere in your blog, about the fact that SocketShield didn't prevent some adware from creeping in. That's anyway a complement to other protection programs, such as anti-spyware, and is not meant to be a substitute for them; but maybe people could "understand" this program better if there were something like a list of exploits SocketShield can prevent, viewable in the program's GUI o_O (I mean before they occur).

    And what about exploits once the official patch is available? Are they removed from SocketShield's protection list?

    Btw, this program is running fine for me (with Jetico FW).

    Cheers,
    nicM
     
  15. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi nicM,

    (1) You said you went to other sites, about which we didn't warn. That means one of two things... either they weren't serving exploits, or they were but we didn't recognise them (that's possible, it's still beta after all). If you'd like to provide the URLs to me in a private email (either rog2002@bellsouth.net or rthompson@explabs.com is fine), I'd be glad to check them out and see what's what.

    (2) List of exploits that we protect against... that's a good idea, and we'll work on that.

    (3) and you asked "Do we remove exploits once a patch is out". Our intention is to block all exploits that we know to be in the wild, whether a patch is available or not.

    Cheers

    Roger
     
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Waited a bit and decided to give it a go.

    I run FF and IE through Sandboxie, which aren't flagged by SShield whilst sandboxed.

    FF and IE are flagged outside the sandbox so it seems SShield offers me no extra protection.

    Other than that no startup slowdown. Using about 7 MB of memory.

    Now for the uninstall. Will I be ghosting? Fingers crossed.

    Edit:
    Uninstalled fairly clean. Found 17 reg entries, an empty folder and a couple of files.
     
    Last edited: May 4, 2006
  17. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi Roger,

    Thanks for your reply, I wasn't sure about the third point, and am glad to know protection will work this way.

    I don't know what other people think about this "protection list", but that's definitely something I would like to see :) somewhere in the program.

    As for the bad sites, unfortunately I did these tests very quickly and not in a very methodical way (plus I'm aware the program is still a beta anyway)... But I still have some URLs and will redo the tests tonight, then will mail you about it.

    Cheers,

    nicM
     
  18. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Hi Roger!

    Thanks for your (fast) reaction:)

    At this time I'm very busy, but this upcoming weekend I will sort out things for you.
    I will send you an email with the problems that occurred and all the specs asked for by you.

    I hope that will be a help to make your program more stable, because again, IMO it's a great piece of software and when it does what it promises us, I can and will for sure recommend it.

    At this time I don't recommend it 'cause it's not stable enough; when it is, no problem anymore for me to give it the predicate "highly recommended";)

    BTW: please don't pin yourself to an official release date in June.

    Better some more development than bringing out a final version that didn't sort out the bugs in the beta version.

    Best,

    Smokey:)
     
  19. suzi

    suzi Registered Member

    Joined:
    May 2, 2006
    Posts:
    8
    nicM, thanks for the kind words. :)

    I did turn off the malicious sites protection for a bit because it was blocking one site (which is good under normal circumstances) that I wanted to try and that's probably when the adware got in.

    Roger wrote:
    I think that's an excellent idea. One of the ZDNet readers is convinced that SocketShield is "just another anti-virus program" and I'd like to be able to point him/her to a comparison of the features of SocketShield and AV apps.

    I went to the same site using nothing but Avast (free version) with all shields enabled for protection and my virtual machine almost froze due to malware. Avast wasn't able to stop much. I ended up with several trojans and the TCP/IP settings were changed, which showed up like this in the HijackThis log.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{47917229-B09A-4170-BF20-C5BD8E2F1B30}: NameServer = 85.255.116.150,85.255.112.70
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49F1F183-C925-49DB-AF94-33F119007082}: NameServer = 85.255.116.150,85.255.112.70
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60518FBC-40AF-49FE-B533-4CAA490363CA}: NameServer = 85.255.116.150,85.255.112.70

    And that was just from the first site I went to with SocketShield. With Avast, I couldn't get to any other sites after being infected from the first one.

    Nothing against Avast, mind you, it's just not the same as SocketShield.
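    The O17 lines quoted above are the artefact a responder looks for when a trojan has rewritten an interface's DNS settings. The following is an added example, not code from this thread or from SocketShield: it parses HijackThis-style O17 entries, extracts the interface GUID and NameServer list, and flags any resolver outside an allow-list of expected networks. The three O17 lines are the ones quoted in the post; the fourth log line, the non-O17 line, and the allow-list of RFC 1918 ranges are constructed for the example.

```python
"""Parse HijackThis O17 entries and flag DNS servers outside an allow-list."""
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple

# O17 line shape: "O17 - <registry key ending in \{GUID}>: NameServer = ip[,ip...]"
O17_RE = re.compile(
    r"^O17 - (?P<key>.+?\\\{(?P<guid>[0-9A-Fa-f-]{36})\}): NameServer = (?P<servers>.+)$"
)

# Sample log: the three O17 lines quoted in the thread, plus a constructed benign
# interface entry and a constructed non-O17 line to show that other entries are skipped.
SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{47917229-B09A-4170-BF20-C5BD8E2F1B30}: NameServer = 85.255.116.150,85.255.112.70",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{49F1F183-C925-49DB-AF94-33F119007082}: NameServer = 85.255.116.150,85.255.112.70",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{60518FBC-40AF-49FE-B533-4CAA490363CA}: NameServer = 85.255.116.150,85.255.112.70",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1",  # constructed
    r"O4 - HKLM\..\Run: [ExampleApp] C:\placeholder\example.exe",  # constructed, not an O17 entry
]

# Constructed allow-list: resolvers the site expects (here, private LAN ranges only).
TRUSTED_RESOLVERS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


class O17Entry(NamedTuple):
    guid: str
    servers: List[str]


def parse_o17(lines: Iterable[str]) -> List[O17Entry]:
    """Return one O17Entry per O17 line; lines of any other type are ignored."""
    entries = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append(O17Entry(m.group("guid").upper(), servers))
    return entries


def is_trusted(server: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """True only if the value parses as an IP inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # unparsable value: treat as suspicious rather than silently accept
    return any(addr in n for n in nets)


def find_rogue_nameservers(entries: List[O17Entry],
                           trusted_networks: List[str]) -> Dict[str, List[str]]:
    """Map interface GUID -> list of NameServer values not in the allow-list."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    rogue: Dict[str, List[str]] = {}
    for entry in entries:
        bad = [s for s in entry.servers if not is_trusted(s, nets)]
        if bad:
            rogue[entry.guid] = bad
    return rogue


def rogue_servers(rogue: Dict[str, List[str]]) -> List[str]:
    """Deduplicated, sorted list of every untrusted resolver seen across interfaces."""
    return sorted({s for servers in rogue.values() for s in servers})


if __name__ == "__main__":
    found = find_rogue_nameservers(parse_o17(SAMPLE_LOG), TRUSTED_RESOLVERS)
    for guid, servers in found.items():
        print(f"interface {{{guid}}} points at untrusted DNS: {', '.join(servers)}")
    print("unique untrusted resolvers:", rogue_servers(found))
```

    Run against the sample log, the three hijacked interfaces are reported and the constructed 192.168.1.1 entry is not; a value that does not parse as an address is reported rather than ignored, so a garbled entry cannot slip past the check.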
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the info Suzi, the only problem is that most of these sites seem to be doing absolutely nothing; by this I mean that I'm not getting any alerts from my security tools and my virtual system seems to stay clean even after visiting these sites. So perhaps I'm out of "luck" or something. :rolleyes:
     
  21. suzi

    suzi Registered Member

    Joined:
    May 2, 2006
    Posts:
    8
    Are you going to the sites on a fully patched machine? If so, you might not see much activity. They are generally targeting users with unpatched machines. Most of my VMs are XP Pro with no service packs so I can get hit with all the exploits to see what the bad guys are up to.

    Also, the CWS sites rotate content pretty quickly, so one that's not active this week might be active next week. If you keep going through Webhelper's list, I'm sure you'll hit some bad ones eventually.
     
  22. thedon57

    thedon57 Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    30
    Location:
    uk
    Thank you again suzi; I have been running SocketShield now for 3 days and it is so nice knowing that it works well with all my other antiviruses etc. that I have installed.
    So there you are, you have made me very happy and I always read your posts in case you mention anything else that I need to know.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I use partially patched machines, but you're right, I think I should probably just install a fully unpatched virtual machine. But since you do seem to have success, I hope you can perhaps test more anti-malware tools, because strangely enough nobody else is doing this. ;)
     
  24. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    No... that's not the problem. If you were going to the right places, nearly all of them would _try_ to hit you, regardless of whether or not you're patched. If you're patched, they can't hurt you, but they'll still try. And SocketShield would pick them up anyway.

    It must be something else.

    Roger
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    That's not really correct. Many of the exploit sites I've seen lately won't even try if, say, you're not running IE (meaning that they can't determine server-side that you're using IE). If they detect IE, they load the page full of exploits; if they can't, it's just an empty page with no content at all. I've seen only one exception, a web site serving exploits also for old versions of Firefox (it's reported in Sunbelt's blog), but this STILL "sniffed" the browser and wouldn't serve anything if it didn't correspond to a vulnerable version.

    Lately it's the "normal" behavior of the traffdollar.biz and similar exploit droppers, who seem by far the most active around.

    The most puzzling example I've seen lately seems to involve the usual javascript obfuscation code, but apparently coded in a way that it doesn't work in Firefox at all (at least 1.5), while it apparently works in IE. This means that even if you "mask" the browser by changing the user agent string, you won't be able to reproduce the javascript's behavior in Firefox. I'm not sure this is the case, but it seems so. If this is the case, it's a really discomforting example of how much effort these criminals are putting into this kind of job: they're actually testing the scripts so that the behavior is different not only server-side, but client-side as well.
     