Microsoft Security Essentials

Discussion in 'other anti-virus software' started by Kees1958, Aug 9, 2009.

Thread Status:
Not open for further replies.
  1. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Yes it does, but still, according to vlk an exploit can be run separately from the rendering of the page?

    Maybe I'm just misinterpreting it, but it sounds like it doesn't have to be run on the user's machine?
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You didn't misinterpret anything but my answer to your question.

    Just as you cannot physically view a page without data packets coming down your line telling you what to view, you cannot run anything without data packets coming down your line telling you what to run. You always have something stored locally telling your CPU what to do.
     
  3. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I just installed the beta on my Win XP machine. I'll report back here and to M$ if all is ok with the updating.

    Ice
     
  4. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Thank you. I find this somewhat disturbing.
    Avira's web guard can slow down browsing, so most of the time I don't use it.
    It's time to change that.
     
  5. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    The exploit is hosted on a 'web server' and will check for vulnerable code loaded in your browser. If there is a vulnerability, BO will occur regardless of whether the exploit is cached or not. Even if it is cached and detected, it is already too late. The vulnerable code has already been exploited.

    An AV with an http scanner won't allow an exploit to execute a vulnerable library like gdi, but those without http scanning will let the library execute before showing a detection. It's like seeing a guy with a knife pointed at you but only screaming/running after being stabbed.
     
    Last edited: Oct 28, 2009
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    This is laughable, really: everything you said is completely correct, but you still don't seem to understand you cannot execute code without it being on your machine.

    PLEASE help me here, what am I saying wrong? This is like basics 101 you learn at primary school. Load code into memory, execute code.
     
  7. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    The exploit on the server is exploiting the vulnerable code (gdi) already present in your machine. MSE will only react after the exploit has accessed the code. Without http how can MSE detect the attempt of the exploit hosted on the server to hijack the code (without scanning http)?
     
  8. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You are partially correct, but again to take advantage of an exploit on your machine, your machine needs to run code, to do that, it needs to download code so IT KNOWS what to run. Understand? The server is telling your machine what to run, to do that, it's sending the code instructions to your machine. There is no magical way you can take advantage without the server sending the code down the line to you.
     
  9. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    And it is sending the codes thru http... So MSE is kinda late on jumping in compared to those with http. It only detects the exploit once it has accessed the code.
     
  10. ablatt

    ablatt Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    128
    Location:
    Canada
    To my knowledge, Avira's WebGuard and most HTTP scanners, install as proxies, so the http stream coming down the wire is not passed directly to the browser until it gets through the proxy.

    It seems to me that, other than a possible drop in browsing performance, this does provide additional protection to a product like MSE where the browser gets the data directly.

    In addition, the proxy may be able to detect virus behaviour in the http stream before the code actually gets to the hard disk.
     
  11. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    Yes, the web guard caches and scans the whole web page before displaying it to the browser. This way, traffic will be checked for malicious code that tries to exploit vulnerabilities present if ever in the browser.
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Semi-correct: yes, HTTP scanning is faster; no, it is not too late. After it arrives via HTTP it needs to be reconstructed from data packets (written) and can be suspended or removed before execution. Usually this happens during reconstruction, as MSE can detect it before it's finished.
     
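    The posts above contrast a web guard that reassembles and scans the whole page before the browser sees it with a scanner that only sees the data once it is written. The following added example (my own illustration, not code from any product in this thread) models both behaviours over a constructed HTTP response split into packets, using the harmless EICAR test string as the "signature"; it also shows why a per-packet scanner can miss a signature that straddles a packet boundary, and how a carry-over window avoids that without buffering everything.

```python
from typing import Iterable, List, Tuple

# The standard EICAR antivirus test string (harmless text, used here as the only signature).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = [EICAR]
MAX_SIG = max(len(s) for s in SIGNATURES)

# Constructed sample page: a signature embedded in otherwise innocent HTML.
SAMPLE_PAGE = b"<html><body>" + EICAR + b"</body></html>"


def scan_buffer(data: bytes) -> bool:
    """Return True if any known signature appears anywhere in data."""
    return any(sig in data for sig in SIGNATURES)


def split_into_packets(body: bytes, size: int) -> List[bytes]:
    """Chop a response body into fixed-size chunks, standing in for TCP segments."""
    return [body[i:i + size] for i in range(0, len(body), size)]


def per_packet_scan(packets: Iterable[bytes]) -> Tuple[bool, bytes]:
    """Naive model: inspect each packet on its own and forward it at once.
    A signature split across two packets is never seen whole, so it is missed."""
    delivered = b""
    for pkt in packets:
        if scan_buffer(pkt):
            return True, delivered  # blocked, but earlier bytes were already forwarded
        delivered += pkt
    return False, delivered


def buffered_proxy_scan(packets: Iterable[bytes]) -> Tuple[bool, bytes]:
    """Web-guard model: reassemble the full response, scan once, then release it
    all-or-nothing. Nothing reaches the browser if the page is blocked."""
    body = b"".join(packets)
    return (True, b"") if scan_buffer(body) else (False, body)


def streaming_scan(packets: Iterable[bytes]) -> Tuple[bool, bytes]:
    """Stream model with carry-over: keep the last MAX_SIG-1 bytes of what was
    already cleared so a boundary-straddling signature is still matched, while
    forwarding each cleared packet immediately (lower latency than buffering)."""
    delivered, carry = b"", b""
    for pkt in packets:
        window = carry + pkt
        if scan_buffer(window):
            return True, delivered  # detected late: the first fragment was already sent
        delivered += pkt
        carry = window[-(MAX_SIG - 1):]
    return False, delivered


def demo(packet_size: int = 40) -> dict:
    """Run all three models over the sample page with the signature split across packets."""
    pkts = split_into_packets(SAMPLE_PAGE, packet_size)
    return {"per_packet": per_packet_scan(pkts),
            "buffered": buffered_proxy_scan(pkts),
            "streaming": streaming_scan(pkts)}
```

With a 40-byte packet size the signature starts in the first packet and ends in the second, so only the buffered and carry-over scanners detect it, and only the buffered one delivers nothing to the browser.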
  13. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I'd rather have a web scanner and have it blocked originally; if access is denied, there's no chance that it gets through. Plus, it blocks other possible infections when the page is blocked. An AV might detect one file on a page, but not another one.

    My preference is web scanner; we can use what we want.
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    As I mentioned 2 pages ago, all it boils down to is personal preference, I'd rather keep it nice and light with no overhead from a web scanner, you'd rather be extra safe with a web scanner.

    I'm not saying I avoid AVs with web scanners, but I generally like the simplistic approach MS has taken with MSE.
     
  15. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Admittedly, some web scanners slow me down (Kaspersky's, Avira's, Panda's, BitDefender's), but I don't notice a slowdown with Avast's or Eset's. Do you know why there's a difference?
     
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No idea, sorry. I assume it's just implemented differently; for example, I know ESET uses Microsoft's already available Filtering Platform, which should speed things up. But generally there will be a slowdown since you have an extra program processing that data, although it may or may not be noticeable.

    edit: I never "noticed" a slowdown using ESET during my time. Although it's obviously going to be there even if it's 1ms.
     
  17. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Probably it's just implementation - thanks.

    Without mentioning other AVs, in your experience, how does MSE's detection stack up overall?
     
  18. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    I think you're thinking about conventional malware that needs to be downloaded and executed. I believe exploits just check for vulnerable code and send in packets of data to crash the browser/application and take control of it (use it to download a payload, send data, etc).

    @mvdu
    I believe it's with the implementation - what is scanned, etc.

    EDIT: @elapsed, @mvdu
    Oops. I wasn't able to read your post.
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No I'm not, you need to think about it in the grand scheme of this, all data needs to be reformed and executed no matter what it is. 1's and 0's mean nothing without context. Computing 101.

    "Room for Improvement"

    Yes it's generally good, yes the heuristics are really good, but they have a good challenge if they want to match Avira.
     
  20. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Generally an interesting thread.
    I have a question about these threats.
    Regardless of which av/am I use, wouldn't products like Sandboxie or Shadow Defender prevent a problem from anything that was able to get past the av I would be using?
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    As I understand it, programs like these serve to isolate areas on your computer from the rest of the system. If malware bypasses AV protection, a reboot (as in the case of Shadow Defender) or automatic/manual deletion of the sandbox (as with Sandboxie) should remove the infection.
     
  22. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    130
    This is a very interesting thread. I think a lot of these questions would be answered with some study on the technical details of coding and how web servers and clients interact. Asking some people involved with the Metasploit project would be a great start. Then find out where in that process the antivirus software can interfere. This may be more work than people are willing to put in for the answer to this question. Reading marketing literature on different products does not help. When I get some time, I am going to dive in and see what I learn, and share.
     
  23. falcon04

    falcon04 Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    9
    This thread has covered many bases, but one persistent problem has been with automatic updates.

    There is a simple registry tweak which will be a good workaround until MSFT fixes the updating bug - a link to a post I made on dslreports:

    http://www.dslreports.com/forum/r23234446-

    You can combine this with a command line update run thru Task Scheduler, or tweak the registry to check for updates every hour.

    My experience is that there are 2 or 3 per day - a 2 hour or 3 hour interval will get them all.

    If your box is hibernating, I am without a clue - mine go on in the AM and off in the PM w/o hibernation.

    Suggestion - run a command line update at 10 AM and set the interval at 2 hours - this should cover.
     
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,062
    Location:
    U.S.A.
    FYI. There is a Latest Definitions page for those who may want to update MSE manually, until the issue is fixed.
     
  25. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Relative to the need for or not web guard/scanners, do Mamutu or ThreatFire provide protection from the exploits being discussed in this thread?
     