HTTP Scanning: necessity, or just a security blanket?

Discussion in 'other anti-virus software' started by veri, May 9, 2007.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    KAV also has an http scanner, but it's rather slow in my experience. NAV 2007 has an inbound firewall of sorts which scans for suspicious stuff on port 80 also.
     
  2. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    lodore already answered this question, at least in part.
     
  3. Graystoke

    Graystoke Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    1,506
    Location:
    The San Joaquin Valley, California

    I installed NOD32 a few minutes ago to see if I would have the same problem with NOD's HTTP scanner as I did with KAV's. No problems whatsoever. I feel a little safer with an HTTP scanner, and I hate disabling important features in security software just to get something else to work properly. I like KAV, but I think I'll keep NOD32 for now.
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I don't have any problems atm with internet speed with webav on default.
    The only problem is my stupid BT Home Hub disconnecting.
    But I can't order a new router till my dad gets back on Monday.
    But when the internet is disconnected, YouTube videos, for example six-minute ones, are fully loaded when I've only watched around 45 seconds.
    lodore
     
  5. colt45allstar

    colt45allstar Registered Member

    Joined:
    Jun 9, 2006
    Posts:
    65
    I had the reverse happen.

    I have minimal slowdown with Kaspersky Internet Security (especially the new 7.0). With NOD32, on the other hand, my internet connection was slowed to a crawl.


     
  6. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    I've not seen any mention of AVG Free in this thread.

    Does it have http scanning?
     
  7. yeuxbleus

    yeuxbleus Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    90
    I've always said that if a web scanner doesn't slow you down then by all means use it. FWIW, I've experienced no slow down with the web scanner of KAV 6.0 set on the highest setting. I've also tried NOD32's http scanner with the same results as far as slow down is concerned.
     
  8. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    AVG does not have http scanning. Free or paid.
     
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    Getting a little off-topic, but in reply to your question:

    I don't think an HTTP scanner is necessary in the first place, so it's a little difficult to answer your question as written. However, I will share my thoughts about the level of protection offered by programs such as Deep Freeze.

    I've been trying out Microsoft's free "Shared Computer Toolkit", which offers features similar to Deep Freeze in terms of hard drive protection. Every reboot returns drive C to its previous state, no matter what was written to that drive during the user session. (Of course, you can override this if you want to save changes. Thus, it's a very convenient way to try out new software, as well as offering pretty good protection against many internet threats.)

    However, there is still a serious vulnerability to consider: There is no protection at all during the current user session, so if you happen to pick up a mean piece of malware, it will be active until the next reboot. Suppose it's a keylogger? Maybe it will steal your online banking usernames and passwords and send them to a remote server! There are plenty of other scenarios involving various types of identity theft. In other words, the user is still at risk if they store any private information on their computer or if they type in anything that ought to be kept private, such as passwords, credit card numbers, name, address and phone number, email address, and other types of information that might be entered during (for example) an online shopping transaction.

    I don't see the presence or absence of an HTTP virus scanner as affecting this scenario very much, since some types of malware will still be able to get past both the online scanner (if present) and the resident scanner. None of these scanners are 100% effective.

    I think of "hard drive protection" software such as Deep Freeze, Microsoft Shared Computer Toolkit, Microsoft Virtual PC, VMware, etc. as a very potent second line of defense (as are imaging programs such as Norton Ghost, Acronis TrueImage, etc.), but they still can't replace first-line products such as firewall, antivirus and anti-malware programs.

    In a nutshell: These types of programs protect the hard drive and the OS, but they don't protect the user.
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    One point not mentioned so far is that web scanning is almost trivial to bypass.

    Javascript can be used to either obfuscate or encrypt webpage content and unless the HTTP scanner has its own Javascript engine, it has no way of being able to handle all the possible methods. Another bypass method is to use HTTPS encryption - though the more advanced web scanners can handle this by including an HTTPS proxy, allowing them to view the unencrypted content.

    In addition, the major example of an HTTP-only vulnerability (the WMF exploit) was a Windows system compromise which affected Internet Explorer, due to its use of Windows' libraries. Cross-platform browsers like Firefox and Opera will make minimal use of Windows-only functions (handling as much by themselves as possible) so their exposure to such flaws, both present and future, will remain far less than IE's.
     
  11. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Most AVs can decode JavaScript or similar using their standard engine, and since they use the same one for HTTP I don't see any problems. The same applies to all downloads, even those using obfuscated download links using JS. In the end you always have to get a direct download, and the binary is transferred one way or another.
    And the HTTP scanner will intercept that regardless.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There isn't a "standard engine" for Javascript, each browser contains its own Javascript interpreter (would you be confusing Javascript with Java by any chance?) and any AV webscanner would need to do the same to handle JS obfuscation. If they did, then it would not be unreasonable to see it mentioned somewhere in their feature list (the few I've checked don't list it) and it would greatly increase the processing involved (especially with JS-heavy pages like Yahoo or Google Maps).

    According to this rather old "Does the IMON HTTP scanner pre-filter encoded characters?" thread, NOD32's webscanner did not cover Javascript.
    It is not only obfuscated links that pose a problem - any webpage-based exploit (e.g. Iframe exploits, cross-site scripting, spoofed addresses) can be hidden by JS and it is likely possible to embed small files within a page via JS, avoiding the need to download them separately.
     
  13. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    By "standard engine" I meant the regular scan engine or primary scan engine used by any antivirus.
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Any file scanner most certainly won't do Javascript, nor will any memory scanner (since there's no need for it). Some AVs include a script scanner (e.g. for checking Office document macros and script files) but this will only flag certain instruction combinations rather than trying to deobfuscate code.

    So it comes down to the web scan engine - and given the processing overheads involved (not so much in executing the code, but analysing the results) and the time constraints, any vendor that could implement such a feature would (or should) be shouting from the rooftops...
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    This sounds strange... I have always thought most AV scanners do actually scan Javascript... at execution/HD saving. I have seen blocking of Javascript by Norton AV, KAV, ZA AV; even the most betrayed CA VA scanner does Javascript scanning.

    Or am I missing something here?

    Not sure I follow the obfuscation issue... Javascript, sooner or later, needs to run in the clear on the target machine... that's when it is detected by signature-based AVs (if there is a signature!)

    I would welcome any explanation on this...

    Thanks,
    Fax
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Blocking Javascript is easy - and yes, most AVs can block scripts and firewalls can strip Javascript from web pages - some can scan scripts for "known baddies" as noted above. The difficult thing is interpreting Javascript code that attempts to obfuscate an underlying activity (like hiding a URL by building it up character-by-character within a loop, randomly adding URL or HTML entity encoding to defeat simple pattern matching).

    A parallel can be drawn with programs that encrypt their contents but Javascript source code can have far more variability than a compiled executable, making automated analysis harder.
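
The pattern-matching problem described in post 16, shown from the scanner's side as an added example that is not part of the original thread. The signature, the sample pages and all function names are constructed for illustration.

```javascript
// Constructed marker standing in for a scanner signature (not a real indicator).
const SIGNATURE = "blocked.example/payload";

// Constructed page bodies: plain, entity/percent-encoded, and built by script.
const SAMPLES = {
  plain: '<a href="http://blocked.example/payload">x</a>',
  encoded: '<a href="http://bl&#111;cked.ex%61mple/p&#x61;yload">x</a>',
  built: '<script>var c=[98,108,111,99,107,101,100],u="";' +
         'for(var i=0;i<c.length;i++)u+=String.fromCharCode(c[i]);' +
         'u+=".example/"+"pay"+"load";</script>',
};

// Simple pattern matching on the body exactly as it arrived over HTTP.
function naiveScan(body) {
  return body.includes(SIGNATURE);
}

// Decode numeric HTML entities (&#111; and &#x6f;), leaving out-of-range values as-is.
function decodeEntities(s) {
  const cp = (n, m) => (n <= 0x10ffff ? String.fromCodePoint(n) : m);
  return s
    .replace(/&#x([0-9a-f]{1,6});/gi, (m, h) => cp(parseInt(h, 16), m))
    .replace(/&#(\d{1,7});/g, (m, d) => cp(parseInt(d, 10), m));
}

// Decode %XX escapes one by one so a malformed escape cannot abort the scan.
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Decode until nothing changes (bounded, to survive nested encodings), then match.
function normalisingScan(body, maxRounds = 5) {
  let cur = body;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodePercent(decodeEntities(cur));
    if (next === cur) break;
    cur = next;
  }
  return cur.includes(SIGNATURE);
}

// Verdicts per sample as [naive, normalising].
function scanAll() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    out[name] = [naiveScan(body), normalisingScan(body)];
  }
  return out;
}
```

Decoding before matching recovers the entity and percent-encoded sample, but the `built` sample is missed by both scanners because the string only exists after the script runs, which is why the thread argues a web scanner would need its own Javascript engine.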
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Ok... thanks for the explanation...
    Now I understand what you mean.

    Cheers,
    Fax
     
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    If I correctly understand the most recent posts, then the answer to the topic's question (Is HTTP scanning a necessity?) is "Yes". But then again, maybe not. But then again maybe yes -- but http scanning probably can be defeated by javascript so... then again, maybe not.:blink: :gack: o_O

    Which all goes to show why I remain hip to HIPS.
     
  19. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I don't believe it is a necessity,

    nor do I believe it's a security blanket.

    It's not 'needed', but extra security is always welcome for a product.
     
  20. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Combine word ANY in this post with word MOST in my last post please...
     