Is http scanning (WebGuard) necessary?

I like Avast a lot, but this is the general impression I got lately too, however, I'm on XP not Vista. The Avast http scanner is pretty good comparatively, but as someone above mentioned, I believe any http scanner will take it's toll to some degree... I prefer to avoid them and use a HIPS if I'm concerned about protection....

 

Its an interesting sounding product. It would be nice to have some real tests on it.

 

Thanks for all the replies, but I still don't have a clear answer I guess its a personal decision but my original question was because I have to decide whether to continue with free products or pay for Avira suite, and I still don't know if its worth it.

 

Let me rephrase it:

When you have a HTTP scanner, all malware that comes to your computer through HTTP traffic will be scanned, analysed (and blocked) *before* it is handed over to the browser. So if you are surfing on a web page with exploits on it which are directly executed in memory of the browser (such as ANI, WMF, JPG etc.), this is the only way to stop them before they activate - except using a HIPS. An on-access guard will eventually catch these files aswell - AFTER the browser has parsed, displayed and executed them - too late! The on-access scanner only sees the browser cache files, not the traffic before.

And guys, every HTTP scanner slows down your system. Stop that silly arguing! More scanning means more slow down. If you have a fast, modern machine with lots of RAM you might not notice it. But it is impossible to scan so many additional files without having an impact on your system. As a side note, the few HTTP scanners I tested so far cause the browser files to be scanned twice: first, the HTTP scanner module scans them and afterwards, the on-access guard again, when the browser stores the files into its cache. There is no good way to corelate these files, as the browser sometimes "adjusts" or manipulates the content it downloads.

 

In case AV lab already knows its signature.

 

Not necessarily; there is another way to stop them: using an Intrusion Prevention System, or a firewall with IPS.
Case in point: Snort can be implemented in some open-source hardware e.g OpenWRT. Or using a personal firewall which supports Snort rules, e.g Sunbelt/Kerio with NIPS.

Now the question

can only be answered by proof of concept, or a demo where a specific exploit is stopped by such mechanism.
Until that day, IMHO it is not necessary.

 

Again, this would seem to imply that numerous antivirus products - including renowned contenders such as Symantec, McAfee, Trend Micro, AVG, Avira (which was then WebGuard-less) etc etc - were unable to stop the recent ANI exploit, among other things, since it'd already be "too late" when the resident scanners caught them. Strangely enough, this was not the case.

There is, as far as I can see, a discrepancy between the claims of some AV experts and what I can observe is actually happening. I must be missing something here.

 

I remember a similar discussion in another security community, where one member made a thread and uploaded a blank .jpg, supposed to be a malware but I couldn't verify this, as at the time I was reading the thread I had a fully updated windows PC with a router and KIS with only File AV, Proactive and FW and I was browsing with latest firefox with only adblock ext (without noscript)

Other members complained but I hadn't had any abnormality. Nowadays my arsenal is far more complete but I am often browsing with above setup and I would really appreciate to point me where I can test the above light setup with a jpg malware

 

Stefan, it's also very important HOW you scan the stuff. And not just in terms of file content scanning but how you handle for example large amounts of small JPG images, HTML files with bunch of javascripts and so on.
You can scan them fast but if the parser is badly designed it's just as fast as the one with slow base scanner... something like multithreaded page scanning and forwarding to the browser.

 

In my personal experience, all I've got from enabling various HTTP scanners (I've used many different AV products with such scanner built-in) is a noticeable decrease in network performance. Every browser-related exploit/malware (especially the ones that use iframe property) that I have personally experienced was always detected and stopped by a standard memory-resident scanner. So for me the webscanner (or any other kind of network scanner) is simply a yet another redundant feature that the AV manufacturers try to add to their product just to distinguish it from the competitor's product and to attract more simple-minded customers (who base their purchasing opinion only on the list of the features that the particular product has). Of course that's just my personal subjective opinion based only on my own experience and you're free to disagree with it

 

are http scanners necessary?

no, i dont think they are.

---------
does http scanners add extra security?

yes, they do.

i think most AV's will add http scanners, its inevitable.

Drweb will add one in their eagerly awaited V5.

 

The answer is basically the same as the one to "are antivirus programs necessary?". Sure, you can do without, if you carefully obey other precausions...

 

It's a different question entirely, I think. With HTTP scanners, you already have a realtime scanner in place. The question is, aside from detecting stuff earlier, if HTTP scanners add more security, and why.

I like to think that folks in the antivirus industry are very pragmatic people out of necessity; they're not only in competition with the bad guys, but with each other as well. If all these talk about shellcodes and malicious code executed directly in memory by the browser are true and are as serious as they are implied to be, I would expect to see the major vendors incorporating a HTTP scanner by now, and the ones that don't, such as Symantec and McAfee, fail against a good number of exploits (in fact, make that ALL ITW exploits) and be well on their way to being out of business. For some reason, that scenario isn't happening - which brings into question whether the lack of a HTTP scanner has any effect on overall security and the effectiveness of an antivirus product.

 

I've always felt that what is necessary or unnecessary depends on how one uses their machine. Simple as that. Some find extra features and protection necessary where others wouldn't. The http scanners seem to add a little more protection in that they may catch something trying to exploit an unpatched browser vulnerability, and they also can keep the offending stuff off the HD completely by stopping it before it hits the browser cache. Whether one needs this is always up to each individual user.

 

I don't know about McAfee, but Symantec Norton does have some sort of web scanner. I do not do any details, I could hardly find information about it. I think it scans only executable. You can check with eicar file, it will be block immediately when you click on it. In 08 they also have something called "Browser Protection" that should protect you from exploits, I believe. But as I said, there is hardly information on how it works (at least I cannot find it), maybe as to not give to much info to malware authors? Maybe also because Symantec is more supposed for non-tech guys.

 

NAV actually incorporates a portion of the firewall that you see in NIS and with that in place it then filters port 80 traffic looking for nasties.

 

The answer to the question is simple.
It's an individual's choice.
Needs will vary.

 

Its been said that I can be infected from a jpg file, just by browsing. I think it is not correct if I have updated windows, an updated browser, file AV and a firewall.

 

A lot of things are said, but I wouldn't lose any sleep over most of them. Odds are good that you're 99.9% fine, particularly if your internet habits are relatively safe and you don't go looking for trouble.

 

That's correct. But keeps these things in mind:
- Almost all sites hosting drive-by exploits belong to the "dark-side" of the Internet. However, the number of legitimate sites which get hacked is increasing (Dolphins' website, Avast's forums, etc).
- Most exploits target patched vulnerabilities and IE.
- Most exploits use obfuscated JS to download executables.
So, having an updated OS and applications (web browsers, mail clients, Java, media players, etc) and avoiding shady sites and IE (Opera and/or Firefox+NoScript) will keep you far away from encountering live exploits.
Then, the tool you choose to protect against drive-bys (sandboxes, HIPS, web scanning) becomes of little relevance.

 

If this is the vulnerability to which you are referring, then you're mostly correct. Some Microsoft applications (such as Office, Visio, etc.) also need to be updated.

 

Here is how the WebGuard windows look like, if someone is interested. The websites are loading for me as fast as before with just a little hang of about one second right after I click the "Go" button.

 

^^ The site name is visible in the first screen shot

 

So if the browser and the rest of the system are fully patched, wouldn't that make HTTP scanning much less necessary? Valuable for that time between when a vulnerability is discovered and is actively being exploited, and when the browser and/or system can be patched?

 

I believe so, http scanning is useful only before the browser is patched to defend the malware.

Suppose that half of the AVs include http scanning and half do not.

The browsers' developers are aware of the fact that some of the users have not http scanning, but they don't state that these users are vulnerable, because updates (for the browser and the OS) are released to defend these vulnerabilities

Otherwise the http scanning would have been essential, now is an extra precaution.