Avast Web Shield - need it or not?


SourMilk
July 30th, 2006, 07:55 PM
Is there any reason to run Avast's Web Shield? Doesn't the antivirus resident shield take care of any malware collected from browsing the web? Sorry, if this has been discussed before but I could find this question on the search.

SourMilk out

"Lemons into lemonade, sour milk into cheese"

Peter2150
July 30th, 2006, 08:08 PM
-{ Quote: "Is there any reason to run Avast's Web Shield? Doesn't the antivirus resident shield take care of any malware collected from browsing the web? Sorry, if this has been discussed before but I could find this question on the search.

SourMilk out

"Lemons into lemonade, sour milk into cheese"" }-

The idea of the web shield is to prevent it from ever reaching your machine.

Pete

SourMilk
July 30th, 2006, 08:15 PM
But, wouldn't your realtime scanner pick up on the infection? I use FirstDefense-ISR and try out new software on an experimental snapshot. I've found that going to suspicious websites (like crackz, etc.) on purpose to court trojans, the resident scanner alerts me before the trojan downloads. Is this the same as the Web Shield purports to do?

ross232
July 30th, 2006, 09:24 PM
Not necessarily, no. Webshield detects a variety of browser based exploits. New malware could exploit these and install themselves onto your PC if you have this disabled. Standard shield wouldn't detect them if no signature has been released.

SourMilk
July 30th, 2006, 10:36 PM
Okay. I see now why Avast has a web shield. It makes me wonder how they are able to catch new malware before the signatures are released. If they use a behavior scheme it would seem they would also use it in their antiviral programs. Who knows? Maybe they do and we don't know about it. Non-heuristic signature only antivirus programs (like Avast) are old fashioned but still work well. Perhaps they will incorporate the behavioral coding into the main scanner someday. Anyway, thanks for the responses. I know now that the Web Shield function of Avast indeed has a purpose.

SourMilk out

aigle
July 31st, 2006, 01:52 AM
Web shield is a nice feature. If u are using Avast, u must keep it turned on, except if it slows ur surfing.

nicM
July 31st, 2006, 02:40 AM
There was a good talk about the advantage to use Avast's web-shield, here (http://www.wilderssecurity.com/showthread.php?p=720580#post720580). (link on 2nd page, discussion is already about the web-shield on the 1st page though).


nicM

RejZoR
July 31st, 2006, 02:47 AM
Main purpose of Web Shield (or any other HTTP scanner) is interception of exploits before they can hit the browser. "Byproduct" of this is that it can also detect everything else before it hits browser (like malicious plugins and stuff that autoloads). Sure real-time scanner would in general pick most of stuff but there is quite a lot of stuff that executes in browser without actually being cached to disk. Such stuff can only be detected by Web Shield (HTTP scanners).

phasechange
August 1st, 2006, 07:24 PM
-{ Quote: "Main purpose of Web Shield (or any other HTTP scanner) is interception of exploits before they can hit the browser. "Byproduct" of this is that it can also detect everything else before it hits browser (like malicious plugins and stuff that autoloads). Sure real-time scanner would in general pick most of stuff but there is quite a lot of stuff that executes in browser without actually being cached to disk. Such stuff can only be detected by Web Shield (HTTP scanners)." }-


Surely RT scanners would catch the malware when in memory and wouldn't need a disk write? Or am I wrong here?

If this is not the case then surely Avast is a better choice than Antivir even though Antivir has a higher detection rate in most tests.

Thanks,
Fairy

WSFuser
August 1st, 2006, 07:26 PM
im not sure. the realtime scanner of an AV scans ur disk not memory.

BOClean (an antitrojan) on the other hand, would catch malware when its in memory.

phasechange
August 1st, 2006, 07:35 PM
I'm reading that other thread, very interesting. It suggests to me that in the real world the lower detection rate of Avast! may be made up for by its having an HTTP scanner. This is something that most existing tests don't seem to cover. Thoughts anyone?

aigle
August 2nd, 2006, 01:30 AM
-{ Quote: "im not sure. the realtime scanner of an AV scans ur disk not memory." }-

U mean all the AVs don't scan the memory as real time protection? I thought they do.

aigle
August 2nd, 2006, 01:31 AM
-{ Quote: "in the real world the lower detection rate of Avast! may be made up for by its having an HTTP scanner. " }-

how....?

WSFuser
August 2nd, 2006, 01:44 AM
-{ Quote: "U mean all the AVs don't scan the memory as real time protection? I thought they do." }-
im not too sure about av realtime protection.

but i do know ewido and kav let u scan ur memory on-demand.

in addition, avast and nod32 automatically perform a memory scan when u start their on-demand scanner. avast lets u disable the memory scan tho.
-{ Quote: "how....?" }-
i remember someone said that the http scanner can detect some stuff without signatures. zero-day protection maybe?

idk, its something like that.

aigle
August 2nd, 2006, 02:15 AM
-{ Quote: "

i remember someone said that the http scanner can detect some stuff without signatures. zero-day protection maybe?

idk, its something like that." }-

so same threats can be detected on disk via heuristics as well.

WSFuser
August 2nd, 2006, 02:29 AM
lol. idk = i dont know.

dah145
August 2nd, 2006, 03:28 AM
-{ Quote: "so same threats can be detected on disk via heuristics as well." }-

Really? ???
I didn't know that.

phasechange
August 2nd, 2006, 04:04 AM
-{ Quote: "how....?" }-

If as explained in other posts RT scanners only scan when written to disk and therefore malware that injects code into your browser and runs in memory (or other possibilities through exploits like buffer overruns) wouldn't detect them when they first arrive. So even if malware later dropped files to disk if it initially stayed silent and just copied personal details entered in the browser or sent your tax returns and personal records to a criminal's ftp server you would be defenceless with disk scanning but Avast could protect you before the damage is done.

This would be doubly true if this sort of attack becomes more common.

Fairy

phasechange
August 2nd, 2006, 03:32 PM
I was half expecting someone to point out the flaws in my logic which are a product of my ignorance. Go on! You know you want to ;D

lu_chin
August 2nd, 2006, 04:55 PM
I am not an expert in AV but I have the following questions in mind.

- any kind of web shield will have some heuristics or signatures to scan for a threat, e.g. WMF exploit in order to detect it. The same heuristics or signatures will be needed for a real-time scanner to detect it. So the success of both webshield and real-time scanner to detect the threat hinges on either one or both of these two things.

- will a real-time scanner scan objects in memory too? If a real-time scanner scans objects in memory and it has heuristics or signatures to detect the exploit, will it be able to stop it? Also, will IE cache objects downloaded into memory on disk as temporary files too and will a real-time scanner catch the same threat there?

Thanks.

RejZoR
August 2nd, 2006, 05:40 PM
Only way to scan stuff in memory in realtime is by using full emulator (like BitDefender B-HAVE for example). There is no other way where you could do this in realtime in physical memory.

toadbee
August 2nd, 2006, 07:29 PM
You should check Avast! Forum for some of these answers.

On a basic level, the web shield is better than the standard shield - because scanning archives is default on the web shield. I assume that is still true? Told to me By master VLK of all that is anti-virus.

Http scanning is necessary because malware can take hold via browser holes before anything hits your hard drive. Further, not all browser caches are created equal - some are one huge file or several as opposed to thousands of individual pieces making clean up ridiculously hard, if not impossible (perhaps with some collateral damage) - ie. think Giant inboxes and trying to remove a single file from OutLook - let alone Eudora, Opera, Thunderbird, Pegasus etc etc. - Thus >Email scanners<. Web shield is the same principle.

Why you might be better off running the email and webshield, and shutting off the real time scanner and taking your chances ;) (remember to duct tape your DVD/CD and Floppy drives shut first.)

RejZoR
August 3rd, 2006, 02:40 AM
Yes, archive scanning is still present in Web Shield.
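
A simplified model of the distinction drawn in RejZoR's and toadbee's posts above, added here as an illustration (it is not code from any poster or from Avast): an in-transit HTTP check decodes and unpacks every response, while a file-based check sees only what the browser writes to its cache. The signature marker, function names and both sample responses are constructed, and the assumption that the file-based check does not unpack archives follows toadbee's description of the defaults.

```python
import gzip, io, zipfile

# Constructed marker standing in for a real detection signature.
SIGNATURES = {b"CONSTRUCTED-TEST-MARKER": "Test.Marker"}

def match(data):
    """Names of signatures whose bytes occur in data."""
    return [name for sig, name in SIGNATURES.items() if sig in data]

def scan_unpacked(data, depth=2):
    """Signature scan that also looks inside ZIP members (archive scanning on)."""
    hits = match(data)
    if depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= 1_000_000:  # skip oversized members
                    hits += scan_unpacked(zf.read(info), depth - 1)
    return hits

def http_scan(headers, body):
    """In-transit check: decode the response and scan it before the browser gets it."""
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return scan_unpacked(body)

def on_write_scan(headers, body):
    """File-based check: sees only bytes the browser writes to its disk cache."""
    if "no-store" in headers.get("Cache-Control", "").lower():
        return []  # response is never cached, so no file event fires
    return match(body)  # archive unpacking is off in this model

def sample_responses():
    """Two constructed responses: an uncached gzip page and a cached ZIP download."""
    page = b"<script>/* CONSTRUCTED-TEST-MARKER */</script>" + b" " * 200
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("page.html", page)
    return [
        ({"Content-Encoding": "gzip", "Cache-Control": "no-store"}, gzip.compress(page)),
        ({"Content-Type": "application/zip"}, buf.getvalue()),
    ]

if __name__ == "__main__":
    for headers, body in sample_responses():
        print(http_scan(headers, body), on_write_scan(headers, body))
```

With the same signature set, the in-transit check flags both responses and the file-based check flags neither, so the difference comes from where the scan happens rather than from the detection database.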

aigle
August 3rd, 2006, 02:50 AM
-{ Quote: "Really? ???
I didn't know that." }-
I was just guessing. I don't know exactly.