LinkScanner Free & Pro released

Discussion in 'other anti-malware software' started by QBgreen, Nov 27, 2006.

Thread Status:
Not open for further replies.
  1. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Just great :thumb: :thumb:
    This definitively replaces SiteAdvisor in my arsenal
    Since you use AVs as a comparative I wonder if you can tell us something about your "engine"
    Thanks for your time and keep up the good work
     
  2. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Re: Linkscanner Pro issue with SSM?

    Thanks! We think it'll be really helpful to keep people safe as more and more apps are put on the web.

    What's SSM? I'd like to sic our QA folks onto it.

    Roger

    CTO
    Explabs.com
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: Linkscanner Pro issue with SSM?

    SSM = System Safety Monitor
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Yes, as Lucas said. SSM = System Safety Monitor. I had to disable SSM. That seems to have LSP working alright. Essentially, Windows froze when I tried to launch my browser (IE6) with both LSP and SSM running at the same time.
     
  5. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Ah... thanks Lucas and ACR .... we'll take a look at it. It probably thinks we're attacking it or something.

    Cheers

    Roger
    CTO
    ExpLabs.com
     
  6. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Sure.

    We have an LSP driver. LSP stands for Layered Service Provider. With Winsock 2, Microsoft kindly provided an API for stream inspection and modification, which we use for exactly that. This is what SocketShield was/ is, and is still the heart of the product, but we found that most users (Wilders folks excepted) did not understand the idea of a socket, but nearly everyone understood the idea of LinkScanning.

    So we have a neat LSP driver, and a scanning engine that allows us to do nice pattern matching within the TCP stream, above Winsock, but just before it reaches the browser.

    My position is that most exploits are cut and pasted by the Bad Guys... they're not able to modify the machine code much, but they're able to change the payload. We don't care what the _payload_ is... we simply try to detect the exploit, and kill it. What this means is that we're able to catch lots of variations, because the "variation" is in the payload, not the exploit.

    That was SocketShield... now we're expanding what we look for to include social engineering things, like fake codecs, and dialers, stuff like that.

    We're not saying we're perfect, and unbeatable, or anything silly like that, but we're monitoring what the Bad Guys are doing all the time, and trying our best to interpose ourselves as quickly as possible when something comes up.

    Cheers

    Roger
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks again, I'll read the documentation and whitepapers at your web
    I believe that your application will receive a warm welcome here
    Be aware that most Wilders folks use more than just AV and firewall. HIPS are very common
    If you want I can post or PM you with a list of the most used security apps
     
  8. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Will the TCPIP stream scanning occur before or after a software firewall filter the traffic? How about AV programs that do web traffic scanning?

    Thanks.

     
  9. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Thanks OldRebel. Did what you said and it worked. Added 1 yr on my sub.
     
  10. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Lu_Chin,

    TCP scanning occurs after, and at a higher level than, a firewall. This means that firewalls can see and stop things that we can't, and vice versa. They're looking at stuff at the packet level, and we're looking at the stream level.

    I don't think any AV programs actually look at the stream. Despite some claims to the contrary, I think they mostly scan things as they hit the disk cache, which is after the stream has been accepted and parsed by the browser. They _say_ they're scanning html, but if there's an exploit involved, it's a bit late.

    But I'm not knocking anti virus programs... they're completely necessary. We're not meant to replace anything ... av or firewall or anti spy or HIPS. We're simply an extra security layer.

    Cheers

    Roger
     
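    Roger's posts above (LSP-based pattern matching on the reassembled TCP stream, and stream level vs. packet level) describe a distinction that is easy to show in code. The following is an added illustration, not Exploit Prevention Labs' code: a scanner that keeps a carry-over tail between segments so a signature split across two TCP segments is still found, beside a per-packet check that misses it. The signatures and segments are constructed placeholders, not real exploit patterns.

    ```python
    """Stream-level vs. packet-level signature scanning (added example).

    Not the LinkScanner/SocketShield engine; signatures and segments below
    are constructed placeholders for illustration only.
    """
    from typing import Iterable, List

    # Constructed placeholder signatures standing in for exploit patterns.
    SIGNATURES = [b"EXAMPLE_EXPLOIT_SIGNATURE_A", b"EXAMPLE_FAKE_CODEC_LURE"]


    class StreamScanner:
        """Matches signatures over a byte stream fed one segment at a time."""

        def __init__(self, signatures: Iterable[bytes] = SIGNATURES):
            self.signatures = list(signatures)
            # Keep len(longest signature) - 1 trailing bytes so a match that
            # straddles a segment boundary can still be completed.
            self.keep = max(len(s) for s in self.signatures) - 1
            self.tail = b""

        def feed(self, segment: bytes) -> List[str]:
            """Scan one segment; return names of signatures whose match ends here."""
            data = self.tail + segment
            old = len(self.tail)
            hits = []
            for sig in self.signatures:
                start = data.find(sig)
                while start != -1:
                    # Only report matches ending in new bytes, so a match that
                    # lies wholly inside the carried-over tail is not repeated.
                    if start + len(sig) > old:
                        hits.append(sig.decode())
                    start = data.find(sig, start + 1)
            self.tail = data[-self.keep:] if self.keep else b""
            return hits


    def scan_stream(segments: Iterable[bytes]) -> List[str]:
        """Stream-level scan: reassembles across segment boundaries."""
        scanner, hits = StreamScanner(), []
        for seg in segments:
            hits += scanner.feed(seg)
        return hits


    def scan_per_packet(segments: Iterable[bytes]) -> List[str]:
        """Packet-level scan: each segment checked in isolation, no reassembly."""
        return [s.decode() for seg in segments for s in SIGNATURES if s in seg]


    # Constructed segments: the signature is split across segments 1 and 2,
    # and the "payload" after it is arbitrary, as in the cut-and-paste case.
    SEGMENTS = [
        b"<html><script>EXAMPLE_EXPLOIT_SIG",
        b"NATURE_A('payload-variant-1');</script>",
        b"<p>harmless</p>",
    ]

    if __name__ == "__main__":
        print("per-packet:", scan_per_packet(SEGMENTS))  # misses the split match
        print("stream:    ", scan_stream(SEGMENTS))      # finds it
    ```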
  11. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Hi Roger, I downloaded the trial version and after installing it I lost my network connection. I have to uninstall LS Pro and reboot to get back my network connection. I am running KIS 6.0 pre-MP1 and Outpost 4.0.

    Thanks.
     
  12. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Lu_chin,

    Sorry to hear that, but I'm glad uninstall got it back for you. We'll take a look at it. I think we are well tested with KIS and Outpost. Is there anything else that is unusual about your setup?

    Cheers

    Roger
     
  13. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Thanks Roger. I am running Online Armor 1.1 also.

     
  14. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Ahhhh... I bet that's the culprit. We'll take a look.

    Cheers

    Roger
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Interesting product, I hope it works nicer than services like Scandoo for example, not that I'm really into these kind of apps, but still interesting. So I will check it out, and also nice that it's free. :)
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If the papers are true, this is definitively better than SiteAdvisor or Scandoo.
    It's more than just a central database.
    I'll do a limited test in the weekend but until now looks very good. There are a few FP like troyanexplore.com.ar
     
  17. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Did you find out the issue in regards to some conflicts with other programs? I would like to reinstall SSM as it is a nice program. Maybe I'll have to try another program though.

    Are you aware of whether the conflicts exist with only your pro version? If so I may just try the free version until the conflict is resolved.

    Thanks.
     
  18. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Acr,

    Still working on it.

    Cheers

    Roger
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Two questions:
    -Are you scanning links related to phishing/spam?
    -Can SiteAdvisor plug-ins be used together with LinkScanner Lite?

    Analyze these links:
    -FP
    Code:
    http://www.troyan.tk/
    http://www.troyanexplore.com.ar/
    
    -Very suspicious(extracted from a little collection)
    Code:
    hxxp://xxx.spazbox.net/
    hxxp://xxx.lyricsdomain.com/
    hxxp://xxx.lop.com
    hxxp://xxx.amazingautossearch.com
    
     
    Last edited: Dec 3, 2006
  20. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Lucas,

    (1) Well, we're scanning links related to phishing, but not spam.
    (2) SiteAdvisor plugins can't be currently used with LinkScanner Lite, but I'll chew on that. It's an interesting thought.

    I don't really understand what you are getting at with the rest of your post ... sorry.

    Roger
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks for your attention
    I was meaning that the "suspicious links" are detected as clean by LinkScanner Online. I've extracted these links from Eric L. Howes' research
    The FP links are false positives. Troyan Explore is a legitimate company, an anti-trojan vendor. You can contact them at info[at]troyanexplore[dot]com.ar
    Thanks again
     
  22. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Ok.... now I understand.

    There are a couple of things here.

    Firstly, LinkScanner online is still only using version 1 of SocketShield, so it can only see about half of what LinkScanner Pro and Lite can see. We'll soon have it upgraded, but right now it's not. The right way to test is to install LinkScanner Pro or Lite and give that a try. Or wait until LinkScanner Online catches up.

    Secondly, Eric Howes is a smart guy and a respected colleague, but I think you'll find that few of those sites are actually live now, and of those that are, none are serving up anything malicious. Some are merely parked domains, and some are search engines, but that is not enough to convict them. They might tomorrow, but are not today. This highlights the importance of real time, programmatic evaluations as opposed to database lookups. The malicious sites are really transient, and rarely last more than a couple of weeks before they're shut down. Almost any published list is relatively clean after a month or so.

    And regarding troyanexplore[dot]com... all we're reporting for that, as far as I can see, is a yellow warning. That is the most minor thing we can say about a site, and it's so minor, we actually give you the option of turning those warnings off.

    So, we actually have four levels... green means there's nothing that we can detect, yellow means there's something a little strange about that site, orange means you should be really careful with this site, and red means we know it's bad.

    Does this make sense?

    Roger
     
    Last edited: Dec 3, 2006
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks for your feedback :thumb:
    You and your team have made a really nice app ;)
     
  24. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Thank you very much.

    :)

    Roger
     
  25. mitsu3kgtsl

    mitsu3kgtsl Registered Member

    Joined:
    Aug 25, 2006
    Posts:
    25
    My question is how does scanning the TCP stream affect overall speed of a fast broadband connection? I believe that I tested socketshield some while back, but stopped using it after my speedtests were significantly slower with it activated. (I could be wrong about this, I'm just trying to remember why)

    Could you please comment on how both free and pro versions affect this?
     