Blacklisting vs Code Scanning: Which is better?

Discussion in 'other anti-malware software' started by sg09, May 28, 2010.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    You have some good replies here already! But for me on browsers:

    FF no script is the most NB.

    As far as which is better, an inclusive approach is best, so use all methods if you can. No one method catches 100%.

    1) Blacklisting exe's
    2) White listing exe's ( my favourite)
    3) code scanning before execution
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Right now I can't afford to download a lot more stuff, as my monthly traffic is near the end, and then speed decreases a lot, worse than 56kbps. I also can't find a link at http://safeweb.norton.com/lite to download it.

    But, I do not remember whether or not there was a search bar. All I did was to initiate the setup and read the EULA, because I wanted to know whether or not Symantec had "killed" their Ask.com deal, after I've read somewhere their clients started complaining.

    I don't know if the one that is part of the paid products has it or not. But, while reading the EULA, back then, I don't recall any mention of Ask.com or IAC. So, my answer was based on that. I believe it should be stated in the EULA, right?
    Again, I may have missed something while reading. After all, I'm prone to errors like everyone else.
    But, if no mention is in the EULA and if they still partner with Ask.com, then it should be stated, that's for sure.

    Edit: I found in Norton's forum the EULA of Norton Safeweb (http://www.symantec.com/connect/forums/norton-safe-web-lite-beta-available). From what I can tell it's just like the one I read back then:

    This is part of it, regarding Privacy:

    I don't see any mention of Ask.com or IAC. If they do partner with them, then it should be stated that users should read Ask.com privacy information, at least.
     
    Last edited: Sep 25, 2010
  3. progress

    progress Guest

    Do you mean this search bar is powered by ASK? :doubt:
     

  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Did you search for Softpedia using the toolbar?

    Edit: I guess you did! Stupid of me. :D
     
  5. progress

    progress Guest

    No - I stole their screenshot :oops:
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You sneaky person. :D

    But, I guess that Ask.com is not used, because if it is, then in the result there should be some link pointing to Ask.com, no? (I can't think of anything else.)

    This is coherent with the EULA that I showed above. No mention of Ask.com, and according to that screenshot, no search gets redirected to Ask.com.

    For example, with AVG Linkscanner, if you install the toolbar, and search using it, all searches will be displayed by Yahoo.

    That doesn't happen with Norton, from what the screenshot shows.

    If anyone else using Norton Safe Web could shed a few lights, it would be great.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's an online service by AVG, Threat Labs, which will report back current status. It says it is powered by AVG Linkscanner and with info sent by users when Linkscanner encounters a threat.

    http://www.avgthreatlabs.com/sitereports

    I've been testing against malwaredomainlist and Linkscanner reports a bad site:

    http://linkscanner.explabs.com/link...explabs.com&CS=www.justanothersillydomain.org

    and Threat Labs reports this as a green site:

    http://www.avgthreatlabs.com/sitereports/domain/www.justanothersillydomain.org

    That's just an example. If powered by Linkscanner it should report red in both, I guess.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just installed Norton Safe Web Lite, and there's no search bar, at all.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is quite worrying, considering Linkscanner is supposed to prevent exploits.

    AVG Threat Labs reports the following:

    http://www.avgthreatlabs.com/sitereports/domain/laudbak55.info

    You can see that it mentions Phoenix Exploit Kit.

    Linkscanner won't even be able to scan the website:

    http://linkscanner.explabs.com/link...hkOnly&SRC=apps.explabs.com&CS=laudbak55.info

    But, using the application Linkscanner, it reports it clean.

    Browser Defender/Norton Safe Web reports the following:

    http://www.browserdefender.com/site/laudbak55.info/

    Day to day, I truly don't understand what's happening to Linkscanner. If Threat Labs is based on what Linkscanner digs, shouldn't Linkscanner detect it? lol
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, it makes sense (it's typically a case of the pros and cons of code interpretation vs blacklisting)

    On day 281 Threat Labs does NOT know the site
    On day 281 Linkscanner detects an exploit/risk by code scanning/interpretation
    On day 281 LS reports this to Threat Labs, the IP gets listed as malware domain
    On day 282 the developers discover this and decide to scramble the code in little snippets (simply by adding some useless and harmless stuff between the malicious stuff and may replace some code which does not influence the logic or re-arranging bits of the process flow while keeping the logic intact)
    On day 283 LS does NOT recognise this coding pattern anymore
    On day 283 Threat Labs still recognised the website on its IP-address

    Regards Kees
    Type error fixed
     
    Last edited: Sep 30, 2010
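
The timeline in the post above, as an added example that is not part of the original thread and is not how Linkscanner or Threat Labs actually work internally: a literal content signature and a host blocklist are evaluated side by side over days 281 to 283. The signature, the page strings (inert placeholders), the host names and the `ReputationFeed` class are all constructed for illustration, and the feed is keyed on host name rather than IP address.

```python
import re

# Constructed signature: the exact call shape the scanner learned on day 281.
SIGNATURE = re.compile(r"loadPlugin\(\s*payloadUrl\s*\)")

# Constructed page sources; the strings are inert placeholders, not real exploit code.
PAGE_DAY_281 = 'var payloadUrl = "/x"; loadPlugin(payloadUrl);'
PAGE_DAY_283 = 'var payloadUrl = "/x"; loadPlugin(/* filler */ payloadUrl /* filler */);'


class ReputationFeed:
    """Blocklist keyed on host name; an entry persists once reported."""

    def __init__(self):
        self.first_reported = {}

    def report(self, host, day):
        self.first_reported.setdefault(host, day)

    def is_listed(self, host):
        return host in self.first_reported


def scan_content(page_source):
    """Code scanning: True only if the known pattern appears in the source."""
    return SIGNATURE.search(page_source) is not None


def check(host, page_source, feed, day):
    """Evaluate both methods, then let a scanner hit feed the blocklist."""
    listed = feed.is_listed(host)      # what the feed knew before this visit
    scanned = scan_content(page_source)
    if scanned:
        feed.report(host, day)
    return {"day": day, "host": host, "scan": scanned,
            "blocklist": listed, "block": scanned or listed}


def run_timeline():
    feed = ReputationFeed()
    return [
        check("site-a.example.test", PAGE_DAY_281, feed, 281),
        check("site-a.example.test", PAGE_DAY_283, feed, 283),
        # Same rearranged page on a host the feed has never seen.
        check("site-b.example.test", PAGE_DAY_283, feed, 283),
    ]


if __name__ == "__main__":
    for row in run_timeline():
        print(row)
```

The third row is the case neither method covers: rearranged code on a host that has not been reported yet passes both checks.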
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, you're right. I never looked from that angle. It does make sense.
     
  13. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    130
    Also a fan of white listing...
     