HTTP Scanning: necessity, or just a security blanket?

Discussion in 'other anti-virus software' started by veri, May 9, 2007.

Thread Status:
Not open for further replies.
  1. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I've had Antivir classic detect WMF exploit in realtime and it doesn't have an HTTP scanner, so I'm not sure what vlk meant by this.
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I do agree with you that it slowed down YOUR connection, you didn't dream it. However, it doesn't necessarily mean it will slow down other people's connections. You're making out that because it did that to you, it will automatically do the same for others, and that isn't always the case.

    If it doesn't slow down others' connections, one needs to find out *why* it slows down theirs.
     
  3. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    DOH!!!:oops: sorry about that, vlk. They both have excellent posts :D
     
  4. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    vlk also mentioned CodeRed as an example which doesn't need to be cached on the hard drive.

    btw, in the same thread, TAP also provided his experience with wmf exploit.
    https://www.wilderssecurity.com/showthread.php?p=720580#post720580
     
  5. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    1st: you don't have to pay for it; your product either has it or doesn't... at no extra cost.

    2nd: they don't slow your internet down, not if implemented properly; if it does... don't use that AV.

    3rd: "If Avira ever does this I will be so disappointed", tough.... more people will welcome the extra security, even if you don't.

    you are labelling it as useless junk just because the Kaspersky HTTP scanner slows your internet down, which is already a known fact to some people who use Kaspersky.

    try the others who have an HTTP scanner, no difference in internet speed, so stop your rant about "http scanning is a worthless piece of junk", try a different company if you ain't satisfied.
     
  6. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I have had some trojans blocked by SONAR (mainly Downloaders) but I haven't noticed any browsing slowdown. Email scanning may be a tad slow but faster than TMIS and FSIS. F-Secure by default had HTTP scanning disabled but when activated I couldn't tell any difference in speed. There was one AV that did noticeably slow down browsing but for the life of me I can't remember which it was (back then I was going through a period of trying a new AV every week before F-Secure).
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    That wasn't my experience with the .wmf exploit; at the time, and before the MS patch was issued, I was running KAV 5 (which has no web-scanner) and it simply plucked the exploit out of my TIFs. There was no question of my browser (IE6) being taken over, or the exploit being launched, and none of my HIPS progs suggested anything was wrong on my system. So I don't get it!
     
  8. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Nope.

    Browser cache is really just a cache, a tool to make a page load faster if you have already visited it.

    A browser renders on the screen what it gets from the web server. It may also save the downloaded objects to the cache - but that is not a requirement (and can be disabled e.g. by inserting special meta-tags in the body of the HTML page) and, more importantly, is not correlated with the rendering of the page.

    Now, if there's vulnerable code loaded in the browser process (such as the system library responsible for rendering WMF files), the malicious WMF file can cause a buffer overrun in the library and effectively hijack the whole browser process. And that regardless of whether the WMF file is written to the cache folder (and intercepted by a file-based AV) or not.

    Hope that makes sense. :shifty:

    Cheers
    Vlk
     
  9. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    sure, if you're happy with an AV... why change? no matter what a test says? no matter if this other AV has X different or Y better, if you're happy and it's protecting you, why pay more money for another AV?

    end of rant, ps3 time :)
     
  10. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I like the idea of the HTTP scanners but sometimes they can slow you down.
    but I don't care as long as it doesn't make my internet crawl.
    @chris what games ya got for ps3?
    lodore
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It makes sense, yes, just that it goes against what I've believed so far.

    Time to pick up an extra book or two when I hit the library tomorrow to re-educate myself, I guess. Does anyone know the HTML tag command that vlk mentioned to disable caching? Would speed up my looking for references. I know meta tags can be used to command pages to immediately expire from the browser cache, but this is the first time I have heard of a tag that prevents objects from being downloaded at all. Thanks in advance.
     
  12. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Pragma no-cache.
    See e.g. http://www.htmlgoodies.com/beyond/reference/article.php/3472881

    Not being downloaded :) - just being placed to the cache.
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    So what does this imply? Will the objects still get downloaded, but only to a path that is not the browser cache?

    Thanks for the link. I'll check it out when I get home.
     
  14. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    I'm not quite sure what you mean by the word "downloaded". If by downloaded you mean "fetched from the server and saved to a local hard drive", then NO, the file won't be downloaded.

    But I'd say a more common interpretation of the word "download" is simply "fetched from the server" - and, of course, this will take place (otherwise it wouldn't be too useful :))

    Cheers
    Vlk
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Thanks.

    Something new learned today. Time to go see if some professors at uni are too busy to answer a few random questions. :D
     
  16. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, you have to download data in order to scan it. There is no other way (you can't check non-existing data that's in some remote location). Though the HTTP scanner will further prevent saving this downloaded data to the user-selected location if malware is found in it. That's why we usually say it prevents it from even reaching the user's hard drive, even though it actually reaches it. Just in a secure way, out of the user's sight. You can treat the HTTP scanner as an automatic quarantine stage between the internet and you. Data is first "stored" in this quarantine and automatically checked. If it's ok, it's saved wherever the user selected to download the file. If it's found to be malicious, the download is discarded and the user gets a notification that the file he just downloaded contained malware.
    Simple and effective :)
     
  17. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    This is the best reason I've heard of why you need real-time HTTP traffic scanning: The browser can get infected before a file hits the disk.

    But the far more important reason has been missed: by detecting the vulnerability (in this case the WMF exploit) and not the malware itself, one WMF signature can block thousands of malwares. A good HTTP scanner will detect the SetAbortProc record in the WMF file while it is still in the network traffic before the browser has even had a chance to process that traffic.
     
    Last edited: May 11, 2007
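    The record-level check Zombini describes, written out as an added example (not code from the post, or from any of the products discussed): a minimal parser that walks the records of a WMF stream as an inline HTTP scanner would see them, flags a META_ESCAPE record whose escape function is SETABORTPROC, and fails closed on impossible record lengths. The constants are from the WMF format specification; the sample streams are constructed here and contain no payload.

```python
import struct

# WMF constants (Windows Metafile format specification)
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header marker
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626           # record carrying a printer-escape call
SETABORTPROC = 0x0009          # the escape function the 2005 WMF exploit abused
NEWFRAME = 0x0001              # a harmless escape, for contrast

def wmf_records(data: bytes):
    """Yield (function, params) for each record after the WMF headers.
    Raises ValueError on a record whose declared length cannot be right."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    off += 18                  # standard header (Type .. NumberOfMembers) is 18 bytes
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2  # RecordSize is counted in 16-bit words
        if size < 6 or off + size > len(data):
            raise ValueError(f"impossible record length {size_words} at offset {off}")
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size

def scan_wmf(data: bytes) -> str:
    """Classify a WMF byte stream before the browser gets to parse it:
    'setabortproc' if any META_ESCAPE requests SETABORTPROC, 'malformed' if the
    record lengths do not add up (fail closed), otherwise 'clean'."""
    try:
        for func, params in wmf_records(data):
            if func == META_ESCAPE and len(params) >= 2:
                if struct.unpack_from("<H", params)[0] == SETABORTPROC:
                    return "setabortproc"
    except ValueError:
        return "malformed"
    return "clean"

# --- constructed sample streams for the check above (not real-world files) ---
def record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params  # even-length params

def wmf(body: bytes) -> bytes:
    # Type=1 (disk metafile), HeaderSize=9 words, Version=0x300, Size in words, rest zero
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0) + body

CLEAN = wmf(record(META_SETMAPMODE, struct.pack("<H", 8))
            + record(META_ESCAPE, struct.pack("<HH", NEWFRAME, 0))
            + record(META_EOF))
FLAGGED = wmf(record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + bytes(8))
              + record(META_EOF))
TRUNCATED = wmf(struct.pack("<IH", 1, META_ESCAPE))   # record header claims 2 bytes
```

    A real scanner would run this on the decoded HTTP response body and only then release it to the browser, which is exactly why the verdict does not depend on whether the browser caches the object.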
  18. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    This is completely false.
     
  19. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Nope, but Symantec Client Security, which is SAVCE + Firewall + IPS, includes it. The scanning is in the IPS.
     
  20. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Again completely false, lots of misinformed users around.
     
  21. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I never noticed avast! slowing down anything. NOD32 was barely noticeable and KAV6 was more noticeable than both before. BitDefender's HTTP scanner is somewhere between NOD32 and KAV6. It's all a matter of implementation, but a good one doesn't slow down anything. Also, some exploits are executed directly in memory through the browser, without caching that data to disk. How are you supposed to detect that using an On-Access scanner? You can't... That's why you need an HTTP scanner which will check the data regardless of how it will be executed later.
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    A question regarding this: if there is no HTTP scanner, would a real-time memory scanner protect equally as well in such circumstances? o_O
     
  23. veri

    veri Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    138
    Even though I like the idea of HTTP scanning, that's what I was thinking, as well - even if something is not written to the disk, if it's residing in memory, then...
     
  24. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    ....then it is running, so that cannot be good. :doubt:

    A web-scanner has to be better than a memory scanner surely?
     
  25. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Realtime memory scanner? There is no such thing. Just think about scanning the entire memory every second... BoClean, for example, is an on-execution "memory" scanner. May prevent most, but probably not all. An HTTP scanner will scan it regardless.
     