the Significance of Web Traffic Scanning?

Discussion in 'other anti-virus software' started by betauser2, Mar 1, 2006.

Thread Status:
Not open for further replies.
  1. betauser2

    betauser2 Guest

    Since Avast (as I understand pioneered it) web traffic scanning strarted to be a feature of many AV's like Nod32, F-Sevure (Client 6) and G-Data (Antivirenkit 2006) to name a few. Kaspersky have now adopted it and are soon to release it in their 2006 product range of KAV & KIS whilst the big boys McAfee, Symantec (Norton) and (wannabe big boy) Trend have not adopted it and as far as I know are not intending to do so in the near future.

    How important is Web traffic scanning?

    If the resident module of an Anti-Virus is set to scan any new files (i.e as soon as a files is downloaded) then is web traffic scanning really necessary?

    This leads to my next question;

    Should it be a criteria when it comes to selecting an AV?

    betauser2
     
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    The whole point of web scanning (or so called HTTP scanning) is in scanning objects before they hit the system/program dedicated for webpage rendering.

    Without HTTP scanning:
    Internet -> Browser -> Scanner

    With HTTP scanning:
    Internet -> Scanner -> Browser

    See the difference? There is and additional layer between the internet and browser, scanning everything it gets through. This way you avoid catastrophic situations even before crap hits the fan. This is especially useful for various toolbars which are harder to remove when they're installed than when they "want" to install. WMF exploit was also among these thingies where HTTP scanning could intercept it even before it could do anything.
     
  3. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I think it's getting to be more and more important...with the way threats are evolving.

    Similar to a few years ago...when many antivirus packages evolved to include POP3/SMTP port scanning...to help in the fight against self propagating e-mail worms that came with their own SMTP engines.

    Yes in theory real time file protection should bag the bugger when it comes into your system..but think of it as an additional door to break down....an added layer, redundancy even.
     
  4. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    No, the idea of POP3 scanning was similar to HTTP scanning one.
    You catch stuff before it even really reaches inbox. This way you have less chances that "something" goes wrong and you even avoid malware that propagates itself through exploits (since it cannot take advantage of exploited software if it's caught before it reaches it).
    HTTP scanning is no different, except target software isn't e-mail software but browser.
     
  5. mikel108

    mikel108 Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    1,057
    Location:
    SW Ontario, Canada
    Does HTTP scanning slow your browsing down that much??
     
  6. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    Depends on its implementation :) . Some scanners (ie Avast!) have minimal impact while others (ie Dr.Web.... still BETA..... so should improve) have quite some impact on speeds. Theoritically ALL web scanners should try to have minimal impact.
     
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    No. I see no difference when when i use avast! Web Shield or NOD32 IMON HTTP Scanner. KAV6 had few problems but thats because it's still beta. Though it worked nearly as fast as other two. I'm running a 1024/256 ADSL.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It´s a nice feature because it might be able to protect you from zero day bugs, but it sometimes can also become annoying. Often you will get warnings that a site contains malware, but the thing is, these sites are trying to exploit already patched holes (most of the time), so even without AV/AT you wouldn´t get compromised. That´s why I am considering to disable web traffic scanning (realtime guard). :rolleyes:
     
    Last edited: Mar 2, 2006
  9. Fernando Villegas

    Fernando Villegas Registered Member

    Joined:
    Dec 3, 2005
    Posts:
    55
    Location:
    Santiago de Chile
    How does http scanning protect you from "Zero day bugs" ?
     
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    It doesn't.:)
     
  11. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Don Pelotas, it actually does. If lets say browser has some yet unpatched vulnerability. Antivirus can intercept the string by signatures right away (you need far less Q&A for signatures than properly working system patch) even before it hits the browser. So basically you protected yourself from so called zero day vulnerability or whatever you might like to call it.
    Maybe not exactly a proactive solutionbut it certably fills the gap between ITW example of malware/exploit and release of proper patch for it.
     
  12. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    If possible, I'd rather have unwanted visitors stopped by my front gate rather than my front door. Unfortunately I don't have a gate to my house but I like having an HTTP scanner for my PC
     
  13. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi RejZor

    Yes, but i believe "Fernando Villegas" was thinking of proactive detection, which is why i answerred like i did and i should probably have explained what i meant a little more thorough and don't think that i don't find http scan important, i do, but perhaps not as much some do.:)
     
  14. Fernando Villegas

    Fernando Villegas Registered Member

    Joined:
    Dec 3, 2005
    Posts:
    55
    Location:
    Santiago de Chile
    Nice , so KAV which does not have this cannot protect you? Time to switch to NOD or AVAST maybe.
     
  15. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Yes, of course you're protected with Kaspersky, besides 6.0 does have http scan, i'm actually using it right now, it will be out shortly.
     
    Last edited: Mar 3, 2006
  16. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi RejZoR,

    I thought that Zero Day bugs were where no AV scanner yet has the signature, and if that is the case, I have to agree with Don Pelotas that web traffic scanning with an AV doesn't offer protection against it.

    I suppose the only AV scanning method that "might" potentially work is one where there is a "strong enough", i.e. robust, heuristic scanner which can detect the Zero Day bug. But, not all AVs have heuristic methods employed, and even then, only the most robust would have even a chance against wily Zero Day bugs as opposed to your average Zero Day bug.

    -- Tom
     
  17. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Then it's time to separate zero day bugs with zero day malware. This is not the same thing!

    @Don Pelotas
    From that point of view, yes.
     
  18. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi RejZor,

    I agree! However, I'm fairly certain we all knew that we were talking about Zero Day vulnerabilities, and consequently that we all meant "Zero Day Malware" and only referred to such as a "Zero Day Bug" that had the potential to "bite" us.

    -- Tom
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I agree with RejZoR, there´s a difference between zero day bugs and zero day malware. A realtime scanner can protect you against a zero day bug if hackers try to install malware that´s recognized by the scanner. If it does not recognize the malware a good HIPS/Sandbox can probably still protect you. ;)
     
  20. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I'm guessing Heuristics? For example, NOD32's Advanced Heuristics.
     
  21. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Example of 'proactive' detection: I open IE and visit web-based Hotmail/MSN mail, which lets the new variant of 'worm du jour' through because it doesn't have a signature, and finds the attachment "clean". (Which has happened MANY times.)

    Opening or d/l the as-yet unidentified payload will be stopped by a good http scanner with good heuristics at the desktop.
     
  22. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    I think it is important that Home user have a Web Scanner. Since they dont have any knowledge on internet security and therefore should better protect them. Not to mention they dont update windows and they all uses IE :D

    I am using Firefox at the moment and i feel pretty safe about it without a web scanner on.

    It all depends on your habbit of surfing and your usage of your PC.
     
  23. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi iwod,

    Even though you are using Firefox, you should checkout the following Firefox extensions (i.e. if you don't already use them) to improve your web security:
    NoScript - allow JavaScript, Java(+other plugins) only for trusted domains of your choice (can be on a temporary basis if you select it)
    ShowIP - do you really know where you are?
    Stealther - block History and cookies
    CustomizeGoogle - check the boxes in the Privacy tab to prevent Google from cookie profiling you

    I know that there are several toolbar extensions to guard against spoofing and phishing scams and the like also.

    -- Tom
     
    Last edited: Mar 7, 2006
  24. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    Question, don't most browsers write the data to disk before it is rendered?

    The example JimIT gives doesn't work that well, since saving or opening attachments automatically means you are saving directly to disk before it is executed, where the real time monitor should already detect it with heuristics. Unless you are using one of the AVs that push some of the features of the RTM exclusively into the web scanner (avast's heuristics? NOD32's archive scanning?).
     
  25. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    No, some stuff is rendered/executed directly through memory or simply leaks through and installs it when AV detects the stuff when it's already too late.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.