SocketShield / protection against zero-day exploits

Discussion in 'other anti-malware software' started by Smokey, Apr 29, 2006.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Hi Notok,

    After all the problems with SocketShield, I had no appetite for the program anymore.
    But Roger\XPL had read about my problems in this thread, and suggested that I contact him by email to solve them.

    He sent me an LSP utility to discover the probable cause, and made suggestions too.

    As I had already assumed, it was an LSP driver conflict, because SocketShield uses an LSP driver.
    Finally, I discovered the guilty LSP drivers on my machine that caused the conflicts with SocketShield:

    -F-Secure AV Client Security v6
    -Internet Download Manager v5

    Uninstalled both, installed SocketShield, but next problem was there:
    most of the taskbar icons were missing.
    Repair didn't solve this problem; I did an alternative trick, and it worked.

    Everything is running smoothly at the moment, and SocketShield is running now without any problems.

    I must say: XPL was very responsive.

    Now I drink 5 bottles of cold beer to calm down my damaged nerves.

    Ciao,

    Smokey
     
    Last edited: May 7, 2006
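    The conflict described above came down to which Layered Service Providers were installed in the Winsock catalog. The following script is an added example, not XPL's utility and not part of the original post; it only parses the output of the built-in `netsh winsock show catalog` command (assumed output format: one block per provider with `Entry Type:`, `Description:` and `Provider Path:` lines) and groups the entries by DLL so that each LSP can be traced to the product that installed it. It assumes a modern PowerShell (3.0 or later) and Windows.

```powershell
# Added example: list the Winsock Layered Service Providers on this machine,
# grouped by provider DLL, to trace an LSP conflict to a specific product.
# Not XPL's LSP utility; it parses "netsh winsock show catalog" output.

function Get-WinsockCatalog {
    # Parse "netsh winsock show catalog" into one object per provider entry.
    # Assumption: each entry prints "Entry Type:", "Description:" and
    # "Provider Path:" lines in that order (the documented netsh layout).
    $entries   = @()
    $entryType = ''
    $desc      = ''
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Entry Type:\s*(.+)$') {
            $entryType = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*Description:\s*(.+)$') {
            $desc = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*Provider Path:\s*(.+)$') {
            # Provider Path is the last field we need; emit the entry here.
            $path   = [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
            $exists = Test-Path -LiteralPath $path
            $signer = ''
            if ($exists) {
                # Authenticode signer tells you which vendor shipped the DLL.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            $entries += [pscustomobject]@{
                EntryType   = $entryType
                Description = $desc
                Path        = $path
                Exists      = $exists
                Signer      = $signer
            }
        }
    }
    return $entries
}

$catalog = Get-WinsockCatalog

# One row per DLL: a third-party LSP shows up as a DLL outside System32,
# an unsigned or non-Microsoft signer, or a path that no longer exists
# (a leftover from an uninstalled product, which is itself a common cause
# of broken Winsock stacks).
$catalog | Group-Object -Property Path | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Path    = $_.Name
        Entries = $_.Count
        Exists  = $first.Exists
        Signer  = $first.Signer
        Types   = (($_.Group | ForEach-Object { $_.EntryType }) | Sort-Object -Unique) -join ', '
    }
} | Sort-Object -Property Exists, Signer | Format-Table -AutoSize
```

    Run it before and after installing a product that registers an LSP and diff the two tables; the DLLs that appear, and the layered entries they add above the Microsoft base providers, are the ones to look at when a network-aware application stops working.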
  2. controler

    controler Guest

    Suzi, or anyone else for that matter, have you tried SocketShield at Spycar.org yet?


    Thanks

    controler
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    o_O This program protects against remote exploits. Spycar.org does not contain remote exploits, only "tests" you run from your own machine.
     
  4. controler

    controler Guest

    OK, thanks TNT. After rereading the Spycar site, it was indeed created to test anti-spyware, not browser exploits ;)
    I am only running BOClean, Jetico firewall, NOD32 and SocketShield, all set to max, on this test machine, and a bunch of, shall we call them, system exploits still got through.


    controler
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, unless you block them at network level the exploit attempts do get through, but that doesn't mean they actually work. Did they actually infect you?

    EDIT: sorry, I missed that you used SocketShield (so they should have been blocked at network level). What exploits were these?
     
    Last edited: May 7, 2006
  6. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Controler,

    What do you mean "System exploits still got through", please?

    Roger
     
  7. controler

    controler Guest

    rogert30062

    Have you run the tests at Spycar?

    Please run them and show your results.

    controler
     
  8. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    But .... Controler... there are _no_ exploits there! For each and every thing, you have to agree to install a program and run it. That's not an exploit. That is only useful for testing configuration monitors.


    Now, we don't _claim_ to detect all possible exploits .... there are 100's every month, but there are only ever one or two that are actually used by the Bad Guys. Part of what we do is to find the ones actually in use, and to try to prevent them, and more importantly, to monitor for the brand new ones, and provide protection against them until people can patch. So while it's completely possible to find actual proof of concept exploits (if they change from Proof Of Concept to In The Wild, we _will_ detect them) that we don't detect, Spycar doesn't have them.

    Thanks for the question though.


    Cheers

    Roger
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    While to some it's semantics....it's not just for anti-spyware. If you run any of the Autostart Tests executables....it attempts to drop an executable file to a certain location and then adds a string value to one of the Run keys with a data value referencing that dropped executable's location.

    If you run one of their Internet Explorer Config Change Tests executables....it's sole purpose is to make a registry change for whichever test executable you executed.

    If anything this is more of a registry protection test than an anti-spyware test, because not many anti-spyware programs cover the policies section of IE, which is what most of those IE tests are changing. Granted....TeaTimer, SpywareGuard....etc....should alert you to the Home page\Search page changes, which can be much more troublesome than one of the IE policy tests....especially for the hard working HJT log cleaner uppers :doubt:

    What is gained from these tests?
    Everyone's mileage will vary, but to me they are akin to popup stopper tests, which is not a bad thing. We all have to start somewhere in learning, and if user A learns something through these tests then it was worthwhile.
     
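    The autostart test described in the post above (drop an executable, then add a string value under a Run key pointing at it) is exactly the pattern a registry-protection check looks for. The script below is an added example, not Spycar's test code and not part of the thread; it audits the standard Run/RunOnce keys of the local machine and the current user and flags values whose target executable is missing or lives in a user-writable folder such as %TEMP% or %APPDATA%. The key paths are standard Windows locations; the "suspicious folder" list is a heuristic of this example, not a Windows rule.

```powershell
# Added example: audit Run/RunOnce autostart entries the way a registry
# protection monitor would, flagging targets that are missing or that sit
# in a user-writable folder. Not Spycar or SocketShield code; the key paths
# are standard Windows locations, the folder heuristic is this example's own.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders where a freshly dropped executable would be an unusual autostart target.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-CommandPath {
    # Extract the executable from a Run value's data, which may be quoted
    # ("C:\dir\app.exe" /flag) or bare (C:\dir\app.exe /flag).
    param([string]$Data)
    $d = $Data.Trim()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 1) { return $d.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($d, '^(.*?\.(exe|cmd|bat|vbs|js|scr))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $d.Split(' ')[0]
}

function Get-AutostartFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ([string]::IsNullOrWhiteSpace($name)) { continue }   # skip the (Default) value
            # Read the raw data, then expand %VARS% ourselves so the report shows the real path.
            $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $exe  = [Environment]::ExpandEnvironmentVariables((Get-CommandPath -Data $data))
            $reasons = @()
            if ([string]::IsNullOrWhiteSpace($exe)) {
                $reasons += 'empty command'
            }
            else {
                if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'target missing' }
                foreach ($dir in $userWritable) {
                    if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                        $reasons += "in user-writable $dir"
                        break
                    }
                }
            }
            [pscustomobject]@{
                Key    = $key
                Name   = $name
                Target = $exe
                Flag   = ($reasons -join '; ')
            }
        }
    }
}

# Flagged entries first, so a dropped test executable stands out.
Get-AutostartFindings | Sort-Object -Property Flag -Descending | Format-Table -AutoSize
```

    Run it once on a clean machine to get a baseline, then again after a test like Spycar's autostart check: the new row, with its `Flag` column populated, is the change a registry monitor is expected to block or at least prompt on. Entries with an empty `Flag` are not necessarily benign, only unremarkable by this heuristic.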
  10. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    The more I read about this product, the more it seems to me that it should be part of a firewall.
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I think there's a lot of possibilities for what this program could be integrated with. I fear it won't be long before they're bought out.
     
  12. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    I tried to install, but I always get a 'Windows Installer' error. BTW, I had enabled Windows Installer in the services to start automatically. Any suggestion?
     
  13. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Korb,

    What OS are you running? If it's 98 or ME, sorry, but we don't currently install on them.

    Regards

    Roger
     
  14. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    Hi Roger, thanks for your fast reply. I have just managed to install it by enabling some Windows services. It is now running along with AppDefend, Jetico, Prevx R1 and RegRun 4.5. Just one question: if XPL blocks bad IPs, does it become redundant to secure my hosts file, since I use HostsMan to block bad IPs too?
    And I'm also using 'SocketLock' from GRC, which locks raw sockets in Windows. Do they conflict?
     
    Last edited: May 10, 2006
  15. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Korb,

    I have no idea if they conflict, I'm sorry. :) It sounds like you've got some great utilities though... we're working on a nice, safe test exploit, that we'll put on our web pages soon ... probably tomorrow... that'll tell whether there's an issue or not.

    :)

    I'll post here as soon as it's public!

    Cheers, and thanks for giving it a try, and thanks (to everyone) for your feedback,

    Roger
     
  16. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Korb,

    It was late last night when I answered your post and I didn't notice your question about blocking bad IPs... I don't think it would be redundant. For one thing, we probably block a different set from that which hostman blocks, and secondly, we probably block at a lower level than they do.

    Cheers

    Roger
     
  17. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    SocketShield blocked IFramers launcher script exploit on my computer when I visited one website.

    -- Tom
     
  18. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Tom,

    That's excellent ... it's how it's supposed to work.

    Cheers

    Roger
     
  19. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Roger,

    SocketShield detected and stopped an exploit attempt by WMF CVE-2005-2124 with a known payload containing the SetAbortProc feature with a known malicious payload. This construct is used for remote execution of the payload.

    This happened when surfing and whois identified the website as in Ukraine.

    Good catch!

    -- Tom

    P.S. My WinXP Pro SP2 machine is up-to-date with all critical MS security patches.
     
    Last edited: May 14, 2006
  20. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    Hi Roger, thanks again, it clears my doubt now. What I think is that HostsMan blocks most ad servers while yours blocks dangerous sites. Great. Enjoying XPL protection now.
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    How can we know that SocketShield "works" unless there is a way to actually test it against the kind of threat it is designed to protect against? It's rather like Geico's commercial which proclaims: "So easy a caveman can do it." Ah, but where does one find a caveman nowadays?
     
  22. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Well, a good way to test it is to surf on some nasty sites, to sit and to watch the alerts :D .

    http://img530.imageshack.us/img530/509/socket10hm.th.jpg

    I must say SocketShield was pretty efficient during the few tests I did. When you visit again a site where exploits were blocked, but this time without SocketShield (with both protections disabled), you get the payload going with the exploits.

    And BTW, another way to check its efficiency is to uncheck the "block malicious sites" box: thus you can see that sites which were blocked as "malicious sites" before are now blocked through their exploits (if there are any).

    It doesn't totally replace an anti-spyware, but it's a nice addition to have along.

    Cheers,
    nicM
     
  23. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    I see that Beta version 0.9.6 of SocketShield is now available. Does anyone know if you can install the newer version over top of the Beta 0.9.5 version or do you have to uninstall the older version first, then install the new version?

    Tia,

    -- Tom
     
  24. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Just download and run. It will guide you through the install process.

    Gerard
     
  25. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    As of now SocketShield 0.9.6 is out of beta and cannot be downloaded anymore.
    However you can download a free 15-day trial copy (version 1.0.0).

    http://www.explabs.com/ss/index.html

    Gerard
     
    Last edited: May 31, 2006