Avast and Antivir- real time protection

Sorry to seem so naive(i am not extremely knowledgable about antiviruses), but I seem to side with Kerodo here. First of all, all unauthorized communication to a pc is blocked through a firewall. So worms exploiting windows services and vulnerabilities won't do anything if it can't access your pc since your firewall is blocking it.

There are holes though in browsers which is a problem. However, if nothing is written to the disk without my av scanning it and saying it is okay or else blocking it, what harm can happen

So these comments are not about general "tcp scanners", they are about http scanners which imo are not necessary with a well configured firewall and an antivirus that scans anything that is read, written, or executed from the disk.

Alphalutra1

 

McAfee and Norton are industry leader due to them being bundled with OEM or offered free to most newbies by ISP promos etc.doesn't make them a yardstick by any means.So many of my noob friends had troubles with these two and switched to others like Avast AntiVir Nod etc.

As for http scanning,this is how I see it,would rather stop the enemy at the gates than let it come inside my house and fight,who knows what damage it can do inside.The network IDS is excellent when you are installing firewall for the first time,for instance,CHX doesn't protect you right away after install,your system is left totally open,you have to configure and import the rules for your particular interface,its then an IDS like in Avast protects you.Also if for any reason,your firewall gets compromised,you are well protected.Same goes for mail scanner,can't call it a hype,would you rather let the mail come with an infected attachment,then open it and let the real time catch it or would you rather stop it at the gates.As for P2P module,remember,you already have incoming rights given to your P2P client,that means you are vulnerable to an extent,at this point,a dedicated client specific P2P scanner is a good layer of defence.

 

How can you block web browsers from general HTTP packets (some contains malware) by a well configured firewall if you want to surf websites?

To preventing these kind of malware by an antivirus solution, the only most effective way is, don't let the malicious HTTP packets touch the web browers (rendering in memory), so how? when a general firewalls don't scan HTTP packets for a malicious contents, but an antivirus HTTP scanner module can do, only clean HTTP packets (from known malware of particular antivirus) are sent to the web browsers.

 

Kerodo, let me explain this in a bit more detail.

There are two different modules we're talking about here.

TCP/IP-level scanner (in avast parlance, the Network Shield) works like an IDS and prevents infections coming over the network (Blaster & Sasser being excellent examples). Of course, for this to work, some TCP (or UDP) ports on your machine need to be open -- but they typically are (RPC port for example), and there's nothing wrong with that, I mean, it's a very common thing to e.g. share files or printers over the LAN etc...

You may argue that your router will block these infection attempts as it does not have the ports "open". This is a valid point, but only if you NEVER EVER allow anyone to connect BEYOND the router. For example, at my home, I have a DSL router (firewalled), beyond which is a Wi-Fi router. I have a set of MAC addresses defined on the Wi-Fi router, covering mostly my family member's laptop (no one else is allowed to connect). Yet, it has already happened that my brother-in-law actually connected his *infected* laptop to my Wi-Fi network - which started immediately sending out malicious packets. The firewall on the router was completely useless in this case, as the attacker was already INSIDE the LAN... My Network Shield became quite busy.

The strength of the HTTP scanner (in avast parlance, the Web Shield), on the other hand, is that it can guard the integrity of your browser. Web browsers have become one of the most important infection vectors (especially for spyware-type malware), and experience has shown that it makes VERY GOOD SENSE to protect them by inspecting the downloaded data, BEFORE they reach the browser.

In other words, the main goal of the web scanner is to protect you against browser exploits.

The recent WMF-exploit case is a very good example of this. Without a HTTP based scanner, the attacked was able to COMPLETELY TAKE OVER the control of Internet Explorer (the executable) running on your machine. Those who say that a regular (file-system based) AV would be able to "block" such an infector because the worm would have to drop some stuff to the HDD and hence be detected while doing that - are not correct, because the worm could do other things as well - e.g. send out all your documents to a remote server, without being detected by anyone. Simply put, once the browser is compromised (i.e. remotely injected code is executing), your AV has FAILED.

Not to mention that some worms in the past have shown that it is possible to not write to hard drive at all (CodeRed is the most notorious example).


I know, you'll now say that you're using FireFox and so such thing can't happen to you.

First, I don't think FireFox is a panacea. It seems that it is slightly less prone to this kind of attacks than IE - but this may be simply because it hasn't yet become so popular and so the bad guys don't really bother with it (and focus on what will cause the greatest harm, i.e. browser that has the largest market share).

Also, I still remember you talking about "marketing bullshit". Even if Firefox was completely flawless (which it is certainly NOT), would you call an extra protection for 80+ per cent of Internet users (yes, I mean Internet Explorer users) "bullshit"? I don't think so...


Anyway, I feel this thread is becoming off-topic (I'm sorry for that).
Gotta go to work now.


Cheers
Vlk

 

Ok, Vlk, I can better see some of your points now, thanks.. I suppose there is no harm in some extra protection, for me the Network Shield is not needed so much since I have no computers networked here, just a straight connection via wireless router to the internet. However, if remote code injection is indeed possible, then I have to admit that the Web Shield does make some sense to use as a general protection against that sort of thing. After all, new vulnerabilities are being found in all of the browsers even today. So you do have a point there..

I do tend to take some small risks in general, deeming myself a safe internet user 99% of the time. But I might just be convinced to use Avast again, I am open to all possibilities and am trying different AVs quite often. I have used Avast for several years in the past.

At any rate, we are getting off the topic, so thanks for your explanation. I appreciate the effort..

 

Also to clear something up. Exploits don't infect PC's, malware does.
Exploits are just the mean to distribute malware. Exploits itself are mostly harmless (depends on what kind of exploit we're talking about).
For example WMF exploit was completelly harmless by itself, but malware distributed through its hole was not.
So thats a difference.

 

About WMF exploit, I used to visit some web sites that have WMF explot-crafted image, with real-time file scanner-based AV (AVG Free), the WMF explot image is automatically launched by Windows Picture and Fax Viewer via web browser (IE), then it caught by AVG resident shield in IE temprary internet files folder, so I don't know how can AVG or other real-time file scanner-based AV protect its users from this exploit if an AV real-time scanner can't prevent the launch of WMF explot image, or it will catch the downloaded malware files from remote servers, if so, isn't it too late?

But with avast!, WMF explot image is caught by Web Shield in real time without a chance to cached in IE temprary internet files folder, the exploit image cannot be launched by Windows Picture and Fax Viewer.

That's a difference I've seen to prove how good of avast! Web Shield and since then, I can't feel safe with AVG and most of other real-time file scanner-based AVs when I use IE.

 

I have once again installed avast! out of curiosity. My work provides me with McAfee VSE 8.0i, but I seem to always go back to avast! for better overall system performance.

Thank you vlk for taking your time to better explain the need to these additional modules; it did indeed change my ways of thinking.

 

I always try out other AVs out there,specially the high price hyped ones,they never catch anthing on my system which had been running Avast prior to the that,I always go back to Avast for all my system,2K and 64 bit pro.

 

safe surfing habits and browser settings are also important.
I dont use p2p and dont IM with everyone.

 

Thats, ur main AV approach.

 

Because they aren't the best!

Of course that the main scanner will catch the threat, but if we catch it before open it will be much better...

 

If they fail to detect a virus, who goes to suffer with that!? You