Review: A Tool For Shielding Against Zero-Day Attacks

SocketShield monitors incoming and outgoing IP traffic by using a combination of technologies, including automated probes and filters. It works well, but is meant to be used as part of a multilayered security strategy, not as the only means of defense on a PC.

July 6, 2006


To a security administrator, the phrase "zero-day attack" raises an important question: Is the network in question prepared to counter any threat? Unfortunately, in many instances, the answer is no, simply because many security products and solutions are not equipped to deal with an attack that has not yet been identified.

Exploit Prevention Labs (XPL) aims to provide that final line of defense against zero-day attacks with SocketShield, a software security product that monitors all incoming and outgoing IP traffic.

SocketShield takes a new approach to combating exploits and avoids the usual shortcomings of other technologies. Firewalls tend to be blind to many security threats because exploits often arrive over trusted browser connections, and many antivirus and antispyware programs on the market detect exploits only after the damage has been done, usually because their signature databases are updated after a zero-day attack has already occurred.

SocketShield overcomes these obstacles by integrating several different technologies to protect a network system. Initially, XPL's product is tied into a network of automated probes that detect the latest exploits and help to build an exploit repository. Then, the product uses a "site-reputation filter," which compares sites visited with a scored list of rated sites. This feature prevents users from visiting phishing sites.

All of the human and automated exploit information that is gathered into reports comes together in real time, thanks to XPL's Correlation Engine. Every user of SocketShield is automatically tied into the community intelligence network, bringing the power of thousands of exploit scanners together to beat threats.

Administrators will need to install SocketShield on each local PC, and the product can be treated as the final layer in a layered defense against intrusions. The product is not suitable for use as the only defense against malicious acts, however, and should be bundled with other security applications. For example, a thoroughly secured network should consist of a firewall or security appliance at the edge, a filtering appliance at the edge, a software security product at the server level, an antimalware application at the mail server level, an antivirus/antimalware product at the PC level, and then a product such as SocketShield to catch any exploits that have made it past those other technologies. For the mobile worker, SocketShield should be used in tandem with a desktop antivirus/antimalware/antispam product.

Installation of the product is relatively straightforward, although a reboot is needed after the initial install is completed. For the most part, SocketShield proves to be fully automated and requires very little user interaction for it to properly and effectively function.

An attractive monitor screen feature is offered for administrators wishing to know what's going on behind the scenes. The monitor screen provides information on all processes running that require an IP socket and also offers a list of exploits prevented and a list of malicious sites blocked. The product has minimal impact on performance, and the options are easy to locate and set.

The information presented by the traffic monitor/control panel applet is concise and eliminates most of the jargon associated with Internet security.

The product automatically updates and checks for problems in real time. If an exploit is encountered, SocketShield can be set up to generate a pop-up message that offers impressive security options. One feature, for example, allows an administrator or user to immediately trace where the exploit originated, because the software provides the IP address and a 'WhoIs' inquiry, which identifies the owner of the site.

The product also offers a detailed description of the exploit by automatically connecting to the SocketShield online knowledge base. Although it is quite effective on a PC, those using virtual PCs, such as Microsoft Virtual PC and VMware Workstation, will find that virtual sessions bypass SocketShield if the product is installed only on the host system. Users relying on virtual technology will have to install the product inside their virtual machines to protect them.

A useful feature XPL could add to SocketShield would be for the product to actively protect virtual machines from the host system without requiring an additional installation. A network version that works with a proxy server or integrates into Microsoft's ISA Server also would be a very welcome addition.

The product is sold on a yearly subscription basis. Typically, first-year subscriptions are $29.95 per year and $19.95 per year thereafter. However, due to a current promotion, a two-seat version with a first year of support and updates is priced at $19.95.

Volume discounts also are available, and with the protection the product offers, SocketShield proves to be a bargain, even without any of the discounts.

Exploit Prevention Labs is in the process of creating and implementing a channel program. XPL will be aggressively seeking partners once its channel program is in place. By involving the channel, offering more options and signing with distributors, XPL could transform SocketShield into a major security player. Integrators interested in taking a closer look at the software can download a free 15-day trial from
