Socket Sentinel Pro: Bi-directional TCP traffic filtering

Discussion in 'other anti-malware software' started by novirusthanks, Nov 22, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    OK thanks :thumb:
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    After the uninstall, there were 2 files left, in the program folder.

    According to the attached screenshot, I am now running v1.1... but, shouldn't there be additional files in the folder?

    ScreenShot_NVT_SSPv1.1_install_error_02.jpg
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    I just installed over-the-top, and this time no error popup, and now have v1.2 installed, with the requisite files in the program folder. :)

    ScreenShot_NVT_SSPv1.1_install_error_03.jpg
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I see. :) Thank you for explaining :thumb:
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Released new version:

    [01-12-2011] v1.3.0.0

    + Improved "Threats Detection Engine"
    + Show URL and Threats Engine number in popup window

    New popup window:
    http://img685.imageshack.us/img685/6433/01122011203828.jpg

    Download from:
    http://www.novirusthanks.org/product/socket-sentinel-pro/

    @SweX

    You're welcome ;)

    @CloneRanger

    Try this new version pls, when the splash screen reaches 3 seconds it enables the label "Run Socket Sentinel Pro", if clicked it will close the splash
    screen and run SSP.

    @Tarnak

    Glad all went well.
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    You're welcome. :)


    I got my first warning popup, but not sure if it is a mistake because it crashed my AdMuncher program.

    ScreenShot_NVT_SSPv1.3beta_AdMuncher_01.jpg
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    Just happened again, except the popup only appeared briefly, so i didn't get a screenshot.

    ScreenShot_NVT_SSP_v1.3_warning_03.jpg

    Also, a request for information by AdMuncher about the exception...

    ScreenShot_AdMuncher_fault detected_04.jpg
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ novirusthanks

    Hi, sorry to report the new v still won't run, either clicking after 3 secs, or waiting for it run :(

    Just a reminder, i'm on XP/SP2 with NO updates whatsoever.

    Also, i don't think it does, but does it require .NET ? If so i don't have it or want it.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    A new version should be released after Christmas:

    [21-12-2011] v1.4.0.0

    + Added "Password Protect Website"
    + Password is saved encrypted
    + Added "Status" TAB
    + Added "Execute Action after X minutes of idle activity"
    + Added "Domain:" info in alert dialog
    + Added "URL:" info in alert dialog
    + Improved "Threats Detection Engine"
    + Fixed "Threats Engine 5" false positives

    Screenshot of the Status TAB:

    http://img13.imageshack.us/img13/4663/21122011184523.jpg

    .NET is not required
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ ALL using it. Hows it going ?

    *

    @ novirusthanks

    Hi, what's the latest on the Test .exe etc ?

    TIA
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    @CloseRanger

    We are back to work on SSP, this is the current changelog:

    [XX-01-2012] v1.4.0.0

    + Added "Password Protect Websites"
    + Password is saved encrypted
    + Added "Status" TAB
    + Added "Execute Action after X minutes of idle activity" (RegEx Rules)
    + Added "Domain:" info in alert dialog (RegEx Rules)
    + Added "URL:" info in alert dialog (RegEx Rules)
    + Improved "Threats Detection Engine (TDE)"
    + Fixed FPs with "Threats Engine (5)"
    + Optimized UI
    + Added "Actions" links in Status TAB
    + Added right-click option "Set Password" on Rules->Domains->Protected TAB
    + Added right-click option "Options" on RegEx Rules TAB
    + Minor fixes and optimizations

    Remaining to add:

    - Decode GZIP content
    - Behavioral process analysis
    - Block download of executable files
    - Block download of PDF files with JavaScript code
    - Block download of PDF files
    - Block download of Java (JAR) files

    Some screenshots:

    Status TAB:

    http://img249.imageshack.us/img249/4830/06012012130517.jpg

    Settings TAB:

    http://img440.imageshack.us/img440/8303/06012012130506.jpg

    Settings->Stealth TAB:

    http://img259.imageshack.us/img259/4326/06012012130532.jpg

    Settings->Threats TAB:

    http://img41.imageshack.us/img41/4458/06012012134021.jpg

    Rules TAB:

    http://img15.imageshack.us/img15/9621/06012012130450.jpg

    Rules->RegEx Options:

    http://img851.imageshack.us/img851/2617/06012012133634.jpg

    Rules->Domains->Protected->Set Password:

    http://img39.imageshack.us/img39/3457/06012012133657.jpg
     
    Last edited: Jan 6, 2012
  12. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Is the "block based on http header content" functionality in place?
    If so, can someone point me to a screenshot showing the UI screen where header patterns/rules are setup?

    Does the app generate a logfile?

    I would hope to import, and maintain, separate (categorical) blocklists.
    Also, I would hope to have the ability to load/unload individual blocklists on-the-fly.

    The blocklists maintained by malwaredomainsDotCom include per-line commentary.
    I strongly believe this info (date added to list, reason, source/reporter) should be preserved,
    but according to what I see in the screenshots, Socket Sentinel Pro doesn't provide a "comments" column. Would you consider adding support for this, so that blocklists in malwaredomainsDotCom format can be directly imported?
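As an added illustration of the import request above (this is example code, not Socket Sentinel Pro's own, and the tab-separated column layout, the sample entries and the list names are constructed assumptions modelled on the malwaredomains style of list the post mentions), here is a loader that keeps every entry's commentary alongside the domain, lets separate categorical lists be loaded, unloaded or toggled on the fly, and matches a host against an entry and its parent domains:

```python
"""Blocklist loader with per-entry metadata and per-list toggling.

Added example (not Socket Sentinel Pro's code). Input format is an
assumption: one entry per line, tab-separated fields, '#' comment lines:
  <next-validation>\t<domain>\t<type>\t<reference>\t<date-added>
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample lists in the assumed format (not real data).
SAMPLE_LISTS = {
    "malwaredomains": """\
# columns: nextvalidation\tdomain\ttype\toriginal_reference\tdateverified
20120201\tbad-example.test\tattackpage\tsafebrowsing.clients.google.com\t20120105
20120201\tdrive-by.example.test\texploit\tmalwaredomains.com\t20120106
""",
    "phishing": """\
20120201\tlogin-verify.example.test\tphishing\tphishtank.com\t20120107
""",
}


@dataclass
class Entry:
    domain: str
    category: str
    reference: str
    date_added: str
    raw: str  # original line kept verbatim so the commentary survives re-export


@dataclass
class BlockList:
    name: str
    entries: Dict[str, Entry] = field(default_factory=dict)
    enabled: bool = True


def parse_list(name: str, text: str) -> BlockList:
    """Parse one list; blank and '#' lines are skipped, metadata is retained."""
    bl = BlockList(name)
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split("\t")
        if len(fields) < 2:
            continue  # malformed line: no domain column
        domain = fields[1].lower().rstrip(".")
        bl.entries[domain] = Entry(
            domain=domain,
            category=fields[2] if len(fields) > 2 else "",
            reference=fields[3] if len(fields) > 3 else "",
            date_added=fields[4] if len(fields) > 4 else "",
            raw=line,
        )
    return bl


class BlockListManager:
    """Holds several categorical lists that can be loaded/unloaded/toggled."""

    def __init__(self) -> None:
        self.lists: Dict[str, BlockList] = {}

    def load(self, name: str, text: str) -> None:
        self.lists[name] = parse_list(name, text)

    def unload(self, name: str) -> None:
        self.lists.pop(name, None)

    def set_enabled(self, name: str, enabled: bool) -> None:
        self.lists[name].enabled = enabled

    def lookup(self, host: str) -> Optional[Entry]:
        """Return the matching entry for host or any of its parent domains."""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        # a.b.c is checked as a.b.c, then b.c, then c
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
        for bl in self.lists.values():
            if not bl.enabled:
                continue
            for cand in candidates:
                if cand in bl.entries:
                    return bl.entries[cand]
        return None

    def export(self, name: str) -> str:
        """Re-emit a list with its original per-line commentary intact."""
        return "\n".join(e.raw for e in self.lists[name].entries.values())


if __name__ == "__main__":
    mgr = BlockListManager()
    for list_name, text in SAMPLE_LISTS.items():
        mgr.load(list_name, text)
    print(mgr.lookup("www.bad-example.test"))
```

Matching walks up the parent domains so a listed domain also covers its subdomains, but a suffix match never fires on a longer registrable name ("bad-example.test.evil" is not caught by "bad-example.test"), which is the behaviour a blocklist consumer usually wants.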
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ novirusthanks

    Well CloseRanger was Close :p

    I was hoping to hear about the Special version you said you would make so i could try & install it. Are you any closer with it ?

    TIA
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Updated changelog:

    [XX-01-2012] v1.4.0.0

    + Added "Password Protect Websites"
    + Password is saved encrypted
    + Added "Status" TAB
    + Added "Execute Action after X minutes of idle activity" (RegEx Rules)
    + Added "Domain:" info in alert dialog (RegEx Rules)
    + Added "URL:" info in alert dialog (RegEx Rules)
    + Improved "Threats Detection Engine (TDE)"
    + Optimized UI
    + Added "Actions" links in Status TAB
    + Added right-click option "Set Password" on Domains->Protected TAB
    + Added right-click option "Options" on RegEx Rules TAB
    + Minor fixes and optimizations
    + Block download of executable files
    + Block download of PDF files with JavaScript code
    + Block download of PDF files
    + Block download of Java (JAR) files
    + Block download of Wordpad (RTF) files
    + Block download of Video (AVI, FLV, MPG, MOV) files
    + Block download of Flash (SWF) files
    + Block download of ZIP and RAR files
    + Block download of Microsoft Word and Excel files
    + Block a website by TLD
    + Disable task manager when in stealth mode
    + Added "Menu"->"Disable Task Manager"
    + Added "Menu"->"Enable Task Manager"
    + Disable cmd dos prompt when in stealth mode
    + Lock all cdroms when in stealth mode
    + Added "Menu"->"Disable CMD Dos Prompt"
    + Added "Menu"->"Enable CMD Dos Prompt"
    + Added "Menu"->"Lock CD-ROMs"
    + Added "Menu"->"UnLock CD-ROMs"
    + Block download of JavaScript (JS) files
    + Block IRC traffic
    + Block FTP traffic
    + Added "Rules"->"ADS" TAB to manage regexes to block ADS links
    + Added "Threats"->Process Behavioral Analysis (Block connections of suspicious processes)

    Remaining to add:

    - Decode GZIP content
    - (probably) Ask user what to do when a PE file is requested for download

    @inka

    Yes.

    I am going to write a tutorial about this in the next week, see screenshot:

    http://img39.imageshack.us/img39/4698/07012012190012.jpg -> Will block download of PDF files (set direction to IN)

    Yes, see "Events" TAB.

    This option can be added, anyway we plan to include a centralized and automated blacklists engine, I will explain more about this soon.

    I can see what can be done regarding this.

    @CloneRanger

    Sure, wait few days and I will send a test build for you ;)
     
    Last edited: Jan 7, 2012
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ novirusthanks

    Great, thanks :thumb:
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Released new version:

    [10-01-2012] v1.4.0.0

    + Added "Password Protect Websites"
    + Password is saved encrypted
    + Added "Status" TAB
    + Added "Execute Action after X minutes of idle activity" (RegEx Rules)
    + Added "Domain:" info in alert dialog (RegEx Rules)
    + Added "URL:" info in alert dialog (RegEx Rules)
    + Improved "Threats Detection Engine (TDE)"
    + Optimized UI
    + Added "Actions" links in Status TAB
    + Added right-click option "Set Password" on Domains->Protected TAB
    + Added right-click option "Options" on RegEx Rules TAB
    + Block download of executable files
    + Block download of PDF files with JavaScript code
    + Block download of PDF files
    + Block download of Java (JAR) files
    + Block download of Wordpad (RTF) files
    + Block download of Video (AVI, FLV, MPG, MOV) files
    + Block download of Flash (SWF) files
    + Block download of ZIP and RAR files
    + Block download of Microsoft Word and Excel files
    + Block a website by TLD
    + Disable task manager when in stealth mode
    + Added "Menu"->"Disable Task Manager"
    + Added "Menu"->"Enable Task Manager"
    + Disable cmd dos prompt when in stealth mode
    + Lock all cdroms when in stealth mode
    + Added "Menu"->"Disable CMD Dos Prompt"
    + Added "Menu"->"Enable CMD Dos Prompt"
    + Added "Menu"->"Lock CD-ROMs"
    + Added "Menu"->"UnLock CD-ROMs"
    + Block download of JavaScript (JS) files
    + Block IRC traffic
    + Block FTP traffic
    + Added "Rules"->"ADS" TAB to manage regexes to block ADS links
    + Added "Threats"->Process Behavioral Analysis (Block connections of suspicious processes)
    + Added "Block all unknown websites" (allow only whitelisted domains)
    + Block IMs traffic (MSN Messenger, Y! Messenger)
    + Updated "Reset Settings"
    + Disabled "Threats Detection Engine (TDE)" (will be available in final version)
    + Minor fixes and optimizations

    Setup file can be downloaded from:
    http://www.novirusthanks.org/product/socket-sentinel-pro/

    @CloneRanger

    I sent you by PM a test build.
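To make the "block download of ..." items in that changelog concrete, here is an added example (not Socket Sentinel Pro's code; the policy set, the function names and the sample bodies are constructed assumptions) of how an inbound HTTP body can be classified by its content rather than by the URL extension, including the executable, PDF-with-JavaScript, ZIP/JAR and SWF cases, and why a `Content-Encoding: gzip` body has to be decoded before inspection, which is the "Decode GZIP content" item still on the to-do list:

```python
"""Content-based download filter for inbound HTTP bodies.

Added example; not Socket Sentinel Pro's code. Policy names, sample
bodies and header handling are assumptions for illustration.
"""
import gzip
import re
import struct
import zlib

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")       # PDF name escapes: /J#61vaScript
PDF_JS = re.compile(rb"/JavaScript\b|/JS\b")


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo the transfer encoding so the magic bytes are visible to the filter."""
    enc = headers.get("content-encoding", "").lower().strip()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)        # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -15)   # raw deflate
    return body


def is_pe(body: bytes) -> bool:
    """MZ header plus a PE signature at e_lfanew; rejects text that merely starts with MZ."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(body: bytes) -> str:
    """Coarse file type from content, not from the URL extension."""
    if is_pe(body):
        return "pe"
    if body.startswith(b"%PDF"):
        # normalise hex-escaped names before looking for JavaScript actions
        plain = NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), body)
        return "pdf-js" if PDF_JS.search(plain) else "pdf"
    if body.startswith(b"PK\x03\x04"):
        return "zip"    # also JAR, DOCX/XLSX: all are ZIP containers
    if body[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"
    return "unknown"


def should_block(headers: dict, body: bytes, blocked_types: set) -> tuple:
    """(block?, detected type) for an inbound response under a type policy."""
    kind = classify(decode_body(headers, body))
    return (kind in blocked_types, kind)


# Constructed samples (not real downloads).
def sample_pe() -> bytes:
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


SAMPLE_PDF_JS = b"%PDF-1.4\n1 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj"
POLICY = {"pe", "pdf-js", "zip", "swf"}

if __name__ == "__main__":
    print(should_block({"content-encoding": "gzip"}, gzip.compress(sample_pe()), POLICY))
```

Run `classify()` directly on a gzip-compressed body and it reports "unknown": a filter that does not decode the transfer encoding lets every blocked type through as soon as the server compresses it. The PDF check also normalises `#xx` name escapes, a common trick for hiding `/JavaScript` from naive string matching.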
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Last edited: Jan 11, 2012
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    Just wondering why I keeping getting the following:

    ScreenShot_SCKTSentinelProv1.4.0.0_check for updates error_01.jpg

    ScreenShot_SCKTSentinelProv1.4.0.0_check for updates error_02.jpg
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    @Tarnak

    Added the update files in the server, working fine here now. Thanks for letting me know.
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    Thanks...:) It is working now..."No new version available"
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    However, just looking at a comparison of versions, I find v1.4 screenshot a little busy looking, and much prefer the earlier version, as shown in the following screenshot.

    ScreenShot_NVT_SSP_comparison_v1.2 & 1.4_01.jpg

    I consider this: "Protect the system from the beginning."

    "Make sure the application is not accidentally closed." , etc ...redundant
     
    Last edited: Jan 12, 2012
  23. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Tonight I trialed Socket Sentinel Pro v1.4 ~~ It installed fine under WinXP SP3

    a bug... or a point of user confusion:
    goto Settings}}Threats tab: UNcheck "Process Behavior Analysis"
    then return to Status tab and note "Process Behavioral Analysis: Enabled"
    (and clicking 'enabled' does not toggle. does nothing)

    another point of confusion, in the absence of documentation:
    in the "Directories" tab: "Set location for the web browser"
    o_O
    Why is this needed? What does it do, or control?
    Need to additionally consider path(s) of any other web browser apps which are currently installed?

    specific to the "Regex Rules Options" dialog
    unclear
    When options are set, are the option settings applied globally, across all regex patterns...
    ...or each regex pattern, individually, can have special options applied to it?

    Are we to supply POSIX regular expressions when creating rules?
    Rules}}Regex tab:
    helpdocs needed
    (or at least a few sample/example rules entries)
    (perhaps along with links to offsite regex tutorials)

    suggestion / request:
    Providing ability to perform "temporary exemptions" in order to bypass one or several individual blacklist rules is probably important functionality. As is, the app doesn't seem to accommodate this. First, a user cannot easily search/find a triggered rule within the grid/list... and, once found, do what? Delete the rule? Write the pattern on scratchpaper and try to remember to re-enter it later? Although temporarily adding a matching WHITElist pattern might be a tolerable workaround, I'm suggesting that each rule should be individually toggle-able (active/disabled). Additionally, the GUI should permit resizing, to accommodate a flexible view of the grid/list (draggable column widths; click column headers to sort by column, especially important to float disabled items to top, for review).

    =====================

    I read the TLD pattern tutorial.
    IMO, it will be equally important to draft hostname patterns to greedily match e.g.
    whatever.virgin.whateverTLD
    whatnot.virgin.anotherTLD
    virgin.co.uk
    without also matching
    paychildsupport.virginia.state.us

    ======================

    Without regard to Socket Sentinel's ability to defend itself against malicious termination, what, if any, "exposure" remains while it's running? Can a malicious app which utilizes its own stack, its own NDIS driver, still generate outbound TCP undetected? How about an app which surreptitiously utilizes the BITS service -- I hope Socket Sentinel would detect that traffic.
     
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    I was updating the database in AVZ 4.37 and it was blocked as follows:

    Blacklisted TLD: [avz.virusinfo.info] 88.198.66.84

    Checked here > WHOIS
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    @inka

    It will be fixed in the next version.

    It is the path of the default browser that will be used to open external links, for example: to search Google for a particular IP from the popup menus, the browser specified at that path will be used.

    "Regex Rules Options" are global settings valid only for RegEx tab.

    We will provide documentation soon (when the final version is available); the syntax is like Perl's regular expressions, examples:

    ^abc -> string begins with "abc"
    [0-9]* -> any number - zero or more
    foo(bar|foo) matches strings 'foobar' or 'foofoo'.

    Live example:

    sub45dom56ain.abc.com -> ^[a-z]{3}[0-9]{2}[a-z]{3}[0-9]{2}[a-z]{3}\.abc\.com

    Sure, that will be added in the next version.

    SSP uses usermode hooks, so a kernel mode rootkit (if properly installed in the system) would bypass the hooks. Main functionality of SSP is to allow users to manage allowed websites to visit, reduce exploit infections (by blocking specific domains TLDs, filtering content, adding own rules to detect/block exploits/bad-code, block exploit kits, block IPs, etc). At the moment there are no plans to convert it to kernel mode, we believe SSP can be useful in usermode too.

    @Tarnak

    It means you blacklisted the TLD ".info"; I would recommend adding the domains "avz.virusinfo.info" and "virusinfo.info" to the whitelist.
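The three things discussed across the last posts (inka's hostname patterns that should catch virgin.* without catching virginia.state.us, Tarnak's blacklisted-TLD hit on avz.virusinfo.info, and the developer's Perl-style rule for sub45dom56ain.abc.com) can be shown together in one added example. This is example code, not Socket Sentinel Pro's own; it uses Python's `re` module, whose syntax is close to the Perl-style patterns the post describes, and the evaluation order (whitelist checked before blacklist) and the rule names are assumptions:

```python
"""Domain / host rule matching for a site filter.

Added example, not Socket Sentinel Pro's code. Precedence (whitelist
before blacklist) and the helper names are assumptions.
"""
import re


def normalise(host: str) -> str:
    """Lower-case and strip a trailing dot so rules can stay lower-case."""
    return host.strip().lower().rstrip(".")


def tld_rule(tld: str) -> "re.Pattern":
    """Every host under a TLD: tld_rule('info') matches x.info and info, not information.com."""
    return re.compile(r"(?:^|\.)" + re.escape(tld.lstrip(".")) + r"$")


def domain_rule(domain: str) -> "re.Pattern":
    """Exact domain plus all its subdomains (typical whitelist entry)."""
    return re.compile(r"(?:^|\.)" + re.escape(domain) + r"$")


def brand_rule(label: str) -> "re.Pattern":
    """'label' as a whole DNS label followed by one or more labels:
    whatever.virgin.tld and virgin.co.uk match; virginia.state.us does not."""
    return re.compile(r"(?:^|\.)" + re.escape(label) + r"(?:\.[a-z0-9-]+)+$")


class HostFilter:
    """Ordered whitelist / blacklist of (name, compiled regex) rules."""

    def __init__(self) -> None:
        self.whitelist = []
        self.blacklist = []

    def allow(self, name: str, pattern: "re.Pattern") -> None:
        self.whitelist.append((name, pattern))

    def block(self, name: str, pattern: "re.Pattern") -> None:
        self.blacklist.append((name, pattern))

    def decide(self, host: str) -> tuple:
        """('allow'|'block', rule name or None); whitelist wins over blacklist."""
        h = normalise(host)
        for name, pat in self.whitelist:
            if pat.search(h):
                return ("allow", name)
        for name, pat in self.blacklist:
            if pat.search(h):
                return ("block", name)
        return ("allow", None)


def build_example_filter() -> HostFilter:
    f = HostFilter()
    f.block("Blacklisted TLD: .info", tld_rule("info"))
    f.allow("whitelist virusinfo.info", domain_rule("virusinfo.info"))
    f.block("brand: virgin", brand_rule("virgin"))
    # the post's rule, anchored at both ends so a longer host cannot carry it
    f.block(
        "pattern: sub45dom56ain.abc.com",
        re.compile(r"^[a-z]{3}[0-9]{2}[a-z]{3}[0-9]{2}[a-z]{3}\.abc\.com$"),
    )
    return f


if __name__ == "__main__":
    flt = build_example_filter()
    for h in ("avz.virusinfo.info", "evil.info", "virgin.co.uk",
              "paychildsupport.virginia.state.us", "sub45dom56ain.abc.com"):
        print(h, flt.decide(h))
```

Two points worth checking in any regex-driven host filter: anchor both ends of a rule, because a pattern that only begins with `^` still matches `sub45dom56ain.abc.com.evil.net`; and make the whitelist take precedence explicitly, otherwise a broad TLD rule like `.info` keeps blocking the update host even after it is whitelisted.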
     