SocketShield / protection against zero-day exploits

Discussion in 'other anti-malware software' started by Smokey, Apr 29, 2006.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA

    Trial version for 15-days, damn! Now I am glad I beta tested Socketshield and got myself a free 90 day key. :D

    dja2k
     
  2. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those of you who would like to trial SocketShield and minimize installation problems, I have the following advice for you. If you are running RegRun Platinum 4.6 or a similar app. set to maximum security, I highly recommend that you disable all of its "active" and "real-time" features before and after the installation of SocketShield. By doing so, it will allow SS to install properly and prevent WINSOCK from being corrupted, disabled or unloaded. On the other hand, what I have found is that depending on your system or resident security apps., NOD32 and Windows may or may not need to be rebooted after installing SS.


    Peace & Love,

    CogitoErgoSum
     
  3. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Does SS look at all tcp and udp packets? Or does it only examine packets intended for certain ports (e.g. 80)? How about SSL transactions? Also, if I shutdown the SS monitor program, will network traffic not be examined by SS?

    Thanks.
     
  4. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi lu_chin,

    Thanks for your questions. SS is an LSP driver. What this means is that we get to see all tcp and udp traffic... not just certain ports. Having said that, we would not be able to do anything with SSL transactions, because we're not an endpoint.

    We're not meant to be a 100% solution... just 98 or 99%. The point is that most exploits are simply cut and pasted from the original proofs of concept... mostly they just change the payload, and leave the exploit the same. We don't try to handle the 300+ exploits that are announced each month, because most of them never become a problem to the world. Instead we try to guess (or discover using our Intelligence Network) which ones are _really_ in use, and then protect against those.

    An analogy is that you might get hit by a meteor, which would be devastating if you did, but no one goes around building meteor shelters. It's more important to worry about the things that have some chance of happening.

    A case in point is the current excel 0-day. We have a signature for that, but we're reluctant to release it. The exploit in this case is tightly targeted... it's not widespread at all. So far, there is just a single case. We could release this signature, and tell everyone we have them safe, but the truth is that it would be pointless. Most people will never see this anyway. Now, if the excel 0-day goes into wide use, or becomes used in a worm, then we'll release the signature.

    Regarding the SS Monitor program ... it doesn't have to be running at all to provide protection. LSP drivers are automatically loaded by Winsock, whenever Winsock is accessed. The SS Monitor is just there to provide a visible interface.

    Cheers

    Roger
    ExpLabs.com
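The post above makes three points a practitioner may want to see in code: an LSP-style interceptor sees the raw bytes of every send()/recv() regardless of port; signatures are written for the fixed trigger bytes of a proof of concept, so copies with a swapped payload still match; and below the TLS endpoint only ciphertext is visible. The following is an added illustration, not SocketShield or ExpLabs code. The signature patterns, the sample requests, the hypothetical "demo" header and tag, and the XOR-based stand-in for an encrypted stream are all constructed for this example; the stand-in is not TLS and is not secure, it only reproduces the property that the trigger bytes are absent from what the matcher sees. It also handles one edge case the post does not mention: TCP does not preserve message boundaries, so a signature can straddle two reads and the matcher has to carry a tail over.

```python
"""Added example, not SocketShield or ExpLabs code: a small stream-level
exploit-signature matcher that imitates what an LSP-style interceptor can do
with the bytes passing through each send()/recv() call.

Everything here is constructed for illustration: the signatures, the sample
requests and the stand-in "opaque" encoding are not real exploits or real TLS.
"""
import hashlib

# Constructed signatures. Each pattern covers the bytes that *trigger* a
# hypothetical bug, not the attacker-chosen payload that follows, so a copy of
# the proof of concept with a new payload still matches.
SIGNATURES = {
    "demo-overlong-header": b"X-Demo-Len: " + b"A" * 64,
    "demo-bad-length-tag": b'<demo:tag len="0xFFFFFFFF">',
}


class StreamInspector:
    """Per-connection matcher that scans chunks as they arrive.

    A signature may straddle two chunks (TCP does not preserve message
    boundaries), so the last max_len-1 bytes of the previous window are kept
    and prepended to the next chunk.
    """

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.max_len = max(len(p) for p in signatures.values())
        self.tail = b""
        self.hits = []

    def feed(self, chunk):
        """Scan one chunk; return names of signatures first seen in it."""
        window = self.tail + chunk
        new_hits = []
        for name, pattern in self.signatures.items():
            if name not in self.hits and pattern in window:
                self.hits.append(name)
                new_hits.append(name)
        keep = self.max_len - 1
        self.tail = window[-keep:] if keep > 0 else b""
        return new_hits


def scan_segments(segments):
    """Run one connection's segments through a fresh inspector and return
    the names of all signatures seen, in order of first detection."""
    inspector = StreamInspector()
    for segment in segments:
        inspector.feed(segment)
    return list(inspector.hits)


def split_every(data, n):
    """Cut a byte string into n-byte segments (simulates small TCP reads)."""
    return [data[i:i + n] for i in range(0, len(data), n)]


def exploit_request(payload):
    """Constructed request: the fixed trigger from a hypothetical PoC,
    followed by whatever payload the attacker chose."""
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"X-Demo-Len: " + b"A" * 64 + payload + b"\r\n\r\n")


def benign_request():
    """Constructed request using the same header with a normal value."""
    return b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Demo-Len: 12\r\n\r\n"


def opaque_stream(plaintext, key):
    """Stand-in for a TLS-protected stream: XOR with a SHA-256 keystream.

    This is NOT TLS and NOT secure. It only reproduces the property that
    matters here: a matcher sitting below the TLS endpoint sees ciphertext
    in which the trigger bytes are not present.
    """
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(plaintext):
        keystream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


if __name__ == "__main__":
    req = exploit_request(b"\x90" * 16 + b"\xcc")
    print("single segment:", scan_segments([req]))
    print("7-byte segments:", scan_segments(split_every(req, 7)))
    print("benign:", scan_segments([benign_request()]))
    print("encrypted:", scan_segments([opaque_stream(req, b"session-key")]))
```

Two things worth noticing when running it: the same signature fires whether the payload is a filename or shellcode-looking bytes, because only the trigger is matched, and the 7-byte-read case still fires because the carried tail reassembles the pattern. The encrypted case returns nothing, which is exactly the "we're not an endpoint" limitation described above; an HTTP scanner that terminates TLS itself, or a browser-side hook, would be needed to inspect that traffic.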
     
  5. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Hi Roger, thanks for the quick and informative reply. I am trying out SS with some security programs which use their own LSP to monitor http traffic. I am checking if any conflicts or slowness due to this LSP chaining exist.

    Cheers.

     
  6. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Ahhh .... well, good luck, and please let us know if you have any problems.

    :)

    Roger
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I'd also like to know whether SocketShield is anything like the HTTP scanners offered by some AV's (eg. KAV, NOD32 etc) ?
     