Web scanning - is it needed?

I think it would help if the web page had a zero-day malware which was not picked up by the scanner but the url was blacklisted in the web filter.

 

Not always the case with Av's. I've seen enough posts by people working in the field to say this.

 

When is it not the case then? I'm curious. Doesn't the web scanning shield of Avast use same definitions of File system shield?

 

Some Av's have different heuristics for web scanner and on access or so I've been told see my post#19. I don't work in the field or claim any expertise. It's simply what I've seen posted. Also I came across this post in an old thread about Web scanning https://www.wilderssecurity.com/showpost.php?p=1073294&postcount=29 In another Marcos of Eset said https://www.wilderssecurity.com/showpost.php?p=1775831&postcount=19

 

No, and that's the point. See my reply #14 above.

 

so that means avast is a special case then, otherwise there is no point in having a http scanner if you are using an on-access scanner with the same signatures (if the http scanner does not have advanced techniques)

 

Any URL blocker is basically "a different set of signatures" - as a disk-based on-access scanner looks for file content, not URLs.

But I still don't get why so many people think that the malicious content has to be saved to disk first - before being processed by the browser and possibly activated in memory, in the case of an exploit.

 

Does the browser have to have a hole for a real webvirus to work or not?

 

why wait? I think one of the benefits of having a web scanner is that it catches stuff at the web site rather than on your pc. I have seen no difference is web speed with this particular scanner(Avast) on or off. Which ever AV you use, I would not disable this particular feature. Heck, I have my browser sandboxed and still want the web shield activated. I guess I like the voice telling me something has been blocked.

Ice

 

Afaik. The browser doesn't have anything to do with the URL Blocker and HTTP Scanner. Since they are in the AV's and not in the Browser.

 

You misunderstood. I'm referring to the viruses that the experienced responders here have talked about.

Or maybe I misunderstood you, happens a lot to me.

 

Good question idk

 

nope, a url blocker is completely different from a http scanner, open dns does not have the facility to scan http traffic but it can block malicious url's, both different techniques.

obviously, using a url blocker can provide any setup with increased protection but that is not what i was debating.

 

"a url blocker is completely different from a http scanner"

true.
In my case, i have added [URL blacklist] (preventing you from access to a webpage) to the the [Web access scanner] (which uses the core ThreatSense engine, catching malicious files in the HTTP Traffic)

 

No it's not a special case at all. See what Stephan of Avira, Marcos of Eset (see links in post #29) and now Vik of Avast have said.

 

No, Avasts FileShield & other shields provide different protection & not the same protection.

I tested Avast 2 times.

1. I tried with 20 malicious urls. I pasted the urls in the browser & tested Avast.

2. I downloaded & saved the malware with the same 20 urls.

The result was different.

First test involved webshield & networkshield coz the test was performed with the browser involved i.e malicious urls were pasted in the browser & hit go.

Second test involved only Fileshield coz malware were on the system in a folder.

So the malware were same but tseted in 2 ways.

Results were different.

In the second test few malware were not blocked by the fileshield which were blocked by the network & webshiled in the first test.

This proves that in Avast's case it is not necessary that whatever webshield & networkshield blocks will also be blocked by Avasts main shield i.e fileshield.

So the protection Avast's shields provide are different & not the same.

Test it yourself & see.

Thanxx
Naren

 

are you saying the web scanner engine have more detection capabilities than realtime scanner?
I have never seen a file detected by the web scanner, but undetected by the realtime scanner.

 

Pretty sure it's that since the viruses that inject into memory work differently, different heuristic methods have to be taken into action.

 

thanks for testing

good to know it does make a difference (well in avast's case anyway)

 

They are needed, if not then why add it to the product?

I think some files are downloaded and parsed by the browser directly in memory, bypassing the filesystem scanner.

On the other hand, i have never found a file (downloaded to disk) detected by the web scanner, but undetected by the realtime scanner.

 

Why add something to a security product that may not be needed? Probably because of a perception by the average Joe or Jane Buyer that some "enhancement" is needed.

 

If you are often coming across infected webpages, then yes I'd highly recommend something to monitor or mitigate the threat of those pages.

A webfilter can block sources of malware, even if they don't know exactly what they are blocking. Why rely just on definitions? If your only line of defence is an AV, then IMO you'll get infected sooner or later.

I wouldn't recommend going overboard with various webfilter plugins, toolbars, etc though.

I've never had trouble with drive-by downloads, but I use Norton DNS & Adblock Plus (Easylist + Malware Domains list). Even at the height of the infected google images in ?April, this type of setup was enough to prevent any adverse downloads (was using Clearcloud then). Noscript would be more effective, but it does slow down browsing noticeably.

 

I added Malware Domains list to Adblock. Thank you

 

So, it all starts with the drive-by download... If you prevent/contain it, you don't have to worry about malicious files arriving to your system and your AV being able or not to stop file A and file B.

 

The only thing with NoScript is that if one whitelists a domain, such as Google's, that application won't protect you against such exploits. I realise other measures can help, but just pointing out NoScript can't help when whitelisted legitimate sites get compromised.