Test of web browser extensions XI 2018 (AVLab)

Hello everybody. There was an interesting discussion, so let me explain.

First, how we collect the malware database?
We use real Windows and Linux systems to collect information about attacks. These are URLs, IP addresses and downloaded files. There are many free honeypots on GitHub, e.g. Dionaea, Thug, Shiva, but also we use real SMTP traps (real e-mail addresses with VPN's root accesing to extract malicious attachments or domain from encrypted messages. We use Mailcow as a mail server: https://github.com/mailcow/mailcow). There are also some commercial ones like CAWS (from NSS Labs). We share with the malware samples after the test with the producers. Never before.

But before we use a sample, it must be tested to be able to infect Windows 10. As you know, it is not always possible. Many factors influence this. It is very important for the producers to know that we are testing on actually malicious malware, not for an example, on a downloader that does not download anything.

Second, how malware are copying to machines?
Via real Chrome browser with parameter to URL with malware. Sometimes we use URLs, and sometimes we use own DNS server to create a different domains for downloading each malware sample. It depend on test. This time we know that some software like uBlock Origin is protecting users based on domain reputation (malicious or clean), so we had to download malware from malicious real URLs.

Third, regarding with uBlock Origin
Software was tested on default settings + enabled lists: Malvertising filter list by Disconnect, Malware Domain List, Malware domains, Spam404.

If you have additional question, I will try to answer.

 

Thanks for participating. Unfortunately, what you wrote here is not what the report on your website says. So it's still confusing for me.

 

You forgot to comment the rest...……

 

in other words, from URL's not included in any of the enabled filter lists? Besides, uBlockO with Advanced dynamic filtering enabled is a far more powerful beast against malicious or compromised sites than if it's simply used in its default state as an ad and malware domain blocker. I, like some others in this thread, was confused as to why it was included especially in only its default state, in the tests.

 

I will think about it to describe the algorithm in a different words.

I accept your arguments, but it seems to me that you have a grudge against uBlockO that software did not live up to the test. You should complain to publishers of malicious domains that they did not have up-to-date information about malicious domains in the wild. Or maybe these publishers changed something in the API parameters, so uBlockO can not get the current data? Or maybe developer of uBlockO should consider change suppliers of malicious websites? I do not know the answer to these questions. Tests showed that lists: Malvertising filter list by Disconnect, Malware Domain, Spam404 and Malware Domain List are weak to protect users.

 

I assure you no grudge here. I don't rely that much on the malware filters anyway. It's the ad blocking and 3rd party frame blocking that matters most to me. There are other browser and system hardening mechanisms I harness as well. uBlockO is not a malware defense extension; it's a wide spectrum blocker against ads, malware domains and optional advanced dynamic features to block scripts and frames.

 

OK, so you didn't download malware from honeypots, but directly from malicious websites? Then I guess you're right.

 

uBlock origin is primarily an adblocker, what are you guys arguing about, seriously.....

 

What is uBlock origin secondarily.

 

@anon:
I guess you already know the answer:
A addon to reduce exposure to third parties

 

whatever you choose to use it for, but dont expect it to exceed in its secondary porpuse you set it to be.
adding static block lists doesn't make it a replacement for a web filter for malware/phising, that's what AVs and web filter browser extensions are for..
it is pretty dumb to use ublock origin as your sole anti-malware/phising web security.

 

Description on author's site:

I'm also curious why it achieved 0/1870, even when malware lists were used. IMO it's just unlikely that this would happen with updated list.

 

I'm not asking, just I replied to mekelek question:

"uBlock origin is primarily an adblocker, what are you guys arguing about,"
->
"[They are arguing about] what is uBlock origin secondarily."

 

I agree 100%

 

if their test cases included 0 sites on blocklists...then it would have shown 0%. not a hard thing to do considering the hundreds of thousands of compromised hosts active at any given point.

 

ATM there are 30.000 + entries in those 4 lists. Even with hundred of thousands compromised hosts I think it is unlikely that there was no blacklisted host included in test. Somebody with better knowledge of statistics could calculate likelihood of that happening. IMO it's small.

 

i feel like people are arguing about why ublock isnt a good web anti-malware, which kinda implies that people think it's main porpuse is that.
if i'm assuming it wrong, then dont mind me.

 

IMO you're right and I also don't think that it's main purpose is that.
But it was still tested together with dedicated anti-malware solutions. It seems like they were comparing oranges and apples.