Web scanning - is it needed?

I searched for threads and couldn't find an up-to-date one.

What is your opinion? The web scanners of AV software, needed or just another footprint? I'm talking for example shields of premium versions of AVG and Avira and what's included in all Avast! editions.


I need your insight

 

Protects you from Drive-by.. my experience using Avast!

 

If it is implemented well and you don't experience any slowdowns when browsing, then for sure.

 

I agree with this.

It is a good method to pick up threats earlier and thereby improve prevention.

 

Web scanning. Needed?
If No Browsing Slow Downs come up, then, Why Not?

 

I'm tempted to say use a DNS provider that blocks bad sites.

 

I can say so much that I would NOT use an AV/Suite that didn't include one, that's says a little about how important I think they are, period.

Now "Web Scanning" is a general term since we have URL Blocking, and then we have the HTTP scanner. The URL Blocking works like this that it shows a blockpage when ever you try to ener an URL that's on the Vendors Block list.
So it blocks access to the malicious site before one can enter in an proactive way.

But the HTTP scanner actually scans HTTP data in real-time using both sigs, heuristics etc.. in an proactive way as well.

Instead that I continue to explain why it's so important I would like you to watch this test of ESET V5 RC to see exactly what I explained above. 20 test links compressed into 1:50 mins.(I must say that I really like how this guy edits he's videos )
And please don't see this as my "promotion" for ESET, I just want you to watch this so you can see how well the technology really works.

-http://www.youtube.com/watch?v=uMuxBOWPIWo
Block page = URL Blocker.
Notification windows lower right corner = HTTP Scanner.

And out of the products I have used I haven't felt any slowdowns by leaving the "web scanners" on.
But it will of course differ from product to product

 

would the on access scanner not pick up any threats when they reach the real system? i cant see how the http scanner would provide any benefit when any threat that gets on the system would be picked up by the on access scanner? and if the on access scanner misses the threat then the http would have missed it to na?

can someone clarify this for me and tell me please? i want to know how avast with http + on access scanner is more secure then avast with just an on access scanner enable only.

thanks

 

The benefit is that the threat wouldn't get into the system in the first place. Wich is what I prefer.

Now idk what techniques the Avast HTTP scanner uses but I would assume that at least heuristics are in use. So No, the http scanner can still detect threats in the downloads by using heuristics.

Let's see if vlk can answer this one. Though I guess the first answer would answer this too.

 

Choose an AV with good Realtime i.e Onaccess Protection. Coz its the real strength of any AV coz its an alround scanner & detects malware coming from any channel web, mail, pendrive, etc. All the other shields are bonus, for specific purpose only.

Just my thought & not a statement.

Thanxx
Naren

 

use sandboxie, give only internet explorer or your browser start /run access, i find you will find many tuts in the web and no malware will start.
its more secure as an scanner.
an scanner have to know the bad urls, sandboxie or other sandboxes not.

 

Maybe if you use an insecure browser.

 

Well I use the stable release of Chrome so you tell me.

EDIT: Scratch that, will give Chrome Beta release a spin, too tempting.

 

Absolutely. It's no mystery.
You have to realize that no AV will ever detect/block all binary malware files. Therefore, it's useful to use other protection layers - layers that are ideally independent of the scanning engine that's responsible for the detection/blocking of the binary malware (i.e. the overlap isn't too big).

Avast's Web Shield is an example of that. With 90+ per cent of today's malware coming from web sites, it makes perfect sense to put additional protection layers to the HTTP stack. In avast's case, we use an advanced javascript detection engine, combined with a sophisticated HTML analyzer and URL blocker -- and in practice, these modules are able to detect the vast majority of malware even without ever seeing the corresponding binaries.

Also, the WebShield allows us to track the sources (source URLs) of binaries that are later executed, and these sources are then taken into account by the heuristics engine (generally, files coming from high-profile sites are less likely to be malware than files that are coming from unknown/dodgy sites).

Thanks
Vlk

 

I have to say that I find a web scanner pointless, but keep in mind that it's just my case.

 

Chrome beta is my favorite and you don't have to worry about exploits so why bother scanning a page for exploits?

Scanning a page for malicious links is meh... you're way better off with an AV.

 

I have a question about this whole web scanning. Let's say an infected page tries to download several different types of malware in a single download. What happens if your av recognizes some of the download as malicious but not all of the download? For instance a drive by download tries to send malicious install app A and malicious install app B in one drive by attack. Your av recognizes app A as malicious and blocks the install but does not recognize app B. Will app B also be blocked by the av's web shield or will it pass on through to the hard drive? I suppose it matters whether app A and B are in the same file?

And what about this scenario when there is no web scanner? Would the drive by install of A and B both be stopped or just app A?

I ask this because I have read that a single drive by can attempt to install several malicious programs onto a computer. Whether these are all contained in a single file or multiple file would be important I suppose. Any one know for sure?

 

As Vlk of avast explains a good javascript and html analyser of awebshield looks at the program code putting the actual executable someswhere on your hard disk where it survives reboot. The on access shield looks at those executables when they are written to your harddisk or when executed.
microsoft has done tests called nozzle using a javascript anomaly analysis engine which seemed to be effective against 70% of the webbased malware. So using a webshield with the avast features makes sense.

 

Can't answer your question exactly but it's possible for app A to be blocked by the web shield and app B to be blocked by the on access scanner due to different heuristics or so I've been told.

 

it does not make any difference which browser...
scanning web content makes sense due to some sepcific behavior of some browsers.
you have to know that on-access wont help on firefox - firefox first load
content into ram - then onto harddrive. so any bad content would touch firefox
first before any av w/o web scan could scan it. thats one reason i dont promote
avira free - it has NO web guard.

although avira offers webrep it has also the ability to warn when browser demands listed sites.

PS i use ad muncher and a nice hosts file from calendar of updates (COU)

 

Actually, Avira Free has webguard now, if you accept the installation of the Ask Toolbar.

 

But the AV's does have both the HTTP Scanner and URL blocker.
And the OP was talking about that it's included in the AV's such as Avast but wasn't sure if they are effective enough to use them, afaik.

 

and w/o stupid ask bar? ► http://www.avira.com/en/avira-free-antivirus
no webguard.

btw technically - how can the installation of ask bar add some feature to avira free?
aint really possible - otherwise tell me more please.

 

Been using Avast for over 4yrs on and off and I can say without a doubt most of the stuff (malware) that I have come across personally, the web shield picked up on some rogue site. So yeah, I would say it's useful.

Ice

 

the point i was trying to make was that the avast on access scanner would have picked it up anyway if the exe got on the real system