HTTP Scanning: necessity, or just a security blanket?

Not scanning all memory (except by demand) but scanning as a starting file enters into memory - surely that is a less desirable scan point since it could be too late in some circumstances?

 

For me is very important because can catch threats without being on your PC...

And I'm really thinking of just using it with email scanning, and disable the active-scanner of my AV...

 

While theoretically possible, its is very very difficult due to one simple reason (aside for the fact that there is no documented way to synchronize access to memory for an AV scanner), lack of context. When scanning memory you are looking at the process's memory block as just that - a block of raw memory. You dont know about the previous blocks etc. In contrast HTTP scanners are working on the traffic arriving on the socket. They have a HTTP protocol decoder, a gzip decoder, an HTML decoder etc. They take apart each piece of traffic keeping state in the process sothey have full context to help detect an attack.

 

I've just read the whole thread again. But to me at least it seems that there is only theoretical justification of a http-scanner, as there "might" be a threat that would not be detected by real time AV scanner.

Does anyone actually know of a real life example where computers got infected while this infection could have only been prevented by a web scanner? Are there such exploits? So that someone using for example AntiVir that does not have web scanner is not properly protected at this very moment?

If there is no such threat, then for me the whole issue of web traffic scanning seems a bit overrated.

 

Since I posted in this thread, I have stopped using a real time AV scanner. I just use Avira Premium as on demand only. I don't have the Guard installed. I don't need an HTTP scanner. ALL of them slow my internet connection by more than one half and that incudes NOD32. I'm fine. I've gone years with only an on demand scanner (used Bit Defender free for two years as my sole AV). I don't get infected. What matters the most is the human typing on the keyboard. People who need HTTP scanners are folks who don't practice safe computing. That is ok if you wish to go to dangerous sites but not all of us go to porn, gambling, warez, etc. sites. It's interesting that there are some who continually have their AVs stopping viruses and others never do (except for FP's). The former may benefit from HTTP scanners. The latter don't need them.

 

the HTTP scanner in kis7.0TR doesnt slow down my internet speed.
or even if it does i dont notice it.
my dad sometimes clicks on the wrong link so the webav blocks it.
he refuses to stop using IE7 so i put the guards in place to stop the malware.
lodore

 

Whether it slows down or not - this malware that is blocked by the web scanner, is it malware that would not have been stopped otherwise by real time AV, yes or no? I am not aware of such malware that is already circulating. Therefore my question if anyone can name a specific case.

 

Neither KAV or NOD32slow my internet browsing with their HTTP scanning. I've never had a problem with that. The only problem I've run into lately with KAV, is when I went to youtube.com, and it took a veeeerrrrry long time for any of the videos to load and run. No problem like that with NOD32. I don't go to that site very often, so it's no big deal, but it is something for thought. Maybe KAV's HTTP scanner is more aggressive?

 

I made a similar thread concerning the issue of AV functions such as HTTP scanning some time ago. It might be of interest to have a look through the other thread here as there are several informative posts and links.

 

i used to have the problem of videos on youtube loading slowly.
but today they work at normal speed.
most av's have HTTP scanners now.
f-secure has it in there 2007 version.
kav has had it since version 6
bitdefender since version 10
nod32 since version 2.5
norton since 2007 version
panda in the 2008 beta.
avast since dono when.
lodore

 

actually, ive heard from experts that there are certain threats that could only be stopped by the http scanner and not real time.

dont know if this is true, dont shoot the messenger but i have read it on here

as i aint no techie, i dont know... but if the words are true, this should answer the above questions.

 

http://www.avast.com/eng/avast-4-home_pro-revision-history.html

Version 4.6.603
February 19, 2005

* added the new "Web Shield" resident provider for on-access scanning of HTTP traffic. Under NT-based systems, it should work automatically. On Win9x, you have to tell your browser to use HTTP proxy 127.0.0.1 on port 12080.

 

Hi lodore. Did you do something special with KAV/KIS to get videos on youtube to load at normal speeds? I have KIS 7, and I was at youtube yesterday. Disabling HTTP scanning didn't help. To test things out, I uninstalled KIS 7. The youtube videos loaded at normal speed. Reinstalling KIS 7, the problem is back. I've tried setting HTTP scanning at all three levels, but with the same results. No problems else where. Just youtube.

 

A verrrry interesting thread. My thanks to all who contributed, & especially to ivk, Zombini, & RejZoR.

QUESTION- If a person ONLY surfs the internet while using DeepFreeze or Sandboxie (or such), wouldn't that render a HTTP scanner unnecessary?

 

Avast with Web Shield enabled here doesn't slow me down.
I don't consider it a "security blanket."

But neccessary?
Depends on the answer to the question posed above.

It's nice to have an HTTP scanner as an option.

 

Nice link, thanks.

Here the discussion now again centers around the slowdown issue. But also with the link provided by TypicallyOffbeat I fail to see that someone incurred actual damage due to the absence of a web scanner and the danger is more of a theoretical nature. Then my conclusion would be that currently it is indeed a luxury to have (but might change in the future if malware becomes more advanced?).

 

Hi graystoke,
i havent changed the options of webav at all.
just since yesterday it shows the loading thing for like 2 seconds and then loads fine.
but before it took ages to load.
lodore

 

Honestly if HTTP scanner is as fast and as transparent as avast's Web Shield i don't care whether it's just a gimmick or an extra layer of protection (even though i know it's the second one).

 

All you have to do is:
Delete all Internet Explorer shortcuts on the Desktop , Start Menu (+in Programs) , Quick Launch tray and so on . Then , make Firefox/Opera default browser and tell your dad Microsoft bought Mozilla and from the latest Windows update the onliest default browser is Microsoft Firefox

 

avast as proven that http scanning can be implemented without any noticable drops in surfing speed, so any av that slow downs this, needs to be improved.

 

Sheer genius

To add my 0.02 to this thread, I quite like HTTP scanning in my AV. Perhaps it is not utterly necessary, to the point that you are not secure if you dont have it, as your file AV will most likely pick anything up in your brower cache.

 

I used to think that an http scanner was kinda useless, but now I don't. And if it's as transparent as Avast's web scanner for example, then it certainly can't hurt.

 

Hi lodore.

I'll head over to youtube and check it out. From what you say, sounds like it might have been some glitch with youtube.

 

I am fairly convinced that HTTP scanning has merit. 3 Q's...

Q1- AFAIK NOD & Avast offer HTTP scanning. Are there any other Antivirus programs that also do?

Q2- Going *slightly OT* --- I think OnlineArmor has HTTP scanning. Correct?

Q3- Back to my earlier (unanswered) question: If a person ONLY surfs the internet while using DeepFreeze or Sandboxie (or such), wouldn't that render an HTTP scanner unnecessary?

 

Was going to post the same thing. Nod32 doesn't make so much as a hiccup on my system, but every other AV I've used w/ HTTP scanning had a noticable effect (for the worse). In some cases crippling it to the point where surfing was like Japanese water torture.