Anti-exploit testing

Discussion in 'other anti-malware software' started by Windows_Security, Oct 3, 2014.

  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Did some testing and no conflict so far. The only issue is, AVG's own site doesn't provide the standalone LinkScanner.
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,954
    I just wrote what to point out: a waste of time and making money (whether for free or not).

    It does not need additional software; any additional security software spreads the possibilities to attack a system. People need to know first that Windows itself offers enough options to secure a system. The hosts file is used by the Windows DNS service; it is already present and only needs some "food".

    So malware needs to disable this service, which is hard to do as LUA.

    WOT failed: WOT is based on user opinions, not a manually edited list.
    McAfee SiteAdvisor the same, and some more.
    AVG LinkScanner is additional code which can be compromised; the source code is closed. Is it bulletproof? I would say that the Windows DNS service is more secure than this piece of bits and bytes.

    People need to know what their system can already do before they install any additional software.

    Rejecting obfuscated JavaScript in Firefox:
    http://www.dslreports.com/forum/r26131393-NoScript-Trick-Kills-Obfuscated-Javascript-Exploits-Dead
    Bad eval:
    http://stackoverflow.com/questions/86513/why-is-using-the-javascript-eval-function-a-bad-idea

    NoScript is elemental here, like Adblock (Plus or Edge).

    I don't care about Internet Explorer, it's blocked.

    BTW, I am no security expert, just experienced with some security.
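The "reject obfuscated JavaScript" / bad-eval point in the post above, as an added example that is not from the thread and not NoScript's or AVG's code: a static pre-filter that scans a script's source text before it runs and flags the constructs exploit-kit loaders rely on (eval or new Function on a computed value, unescape/String.fromCharCode decoders, document.write of a script tag, long runs of escape sequences), refusing the script above a score threshold. The indicator list, the weights, the threshold and both sample scripts are constructed for illustration; the hidden payload in the obfuscated sample is a harmless alert, not an exploit. Run it with Node.

```javascript
// Added example, not code from the thread or from NoScript/AVG: a static pre-filter
// in the spirit of the "reject obfuscated JavaScript" trick linked above. It looks at
// script SOURCE TEXT before execution and flags the tricks exploit-kit landing pages
// use to hide a payload from signature scanners: eval()/new Function() on a computed
// string, unescape()/String.fromCharCode() decoders, document.write of a <script>
// tag, and long runs of %xx / \xHH / \uHHHH escapes. Indicator weights, the block
// threshold and both sample scripts are constructed for illustration.

const INDICATORS = [
  // [name, pattern, weight]; eval("literal") is deliberately NOT matched, only eval(<expression>)
  ['eval-on-expression',    /\beval\s*\(\s*[^'"\s)]/,                               3],
  ['function-constructor',  /\bnew\s+Function\s*\(/,                                3],
  ['unescape-decoder',      /\bunescape\s*\(/,                                      2],
  ['fromcharcode-decoder',  /String\.fromCharCode\s*\(/,                            2],
  ['document-write-script', /document\.write\s*\([^)]*<\s*script/i,                 2],
  ['long-escape-run',       /(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){40,}/i, 3],
];
const BLOCK_THRESHOLD = 4; // constructed: one medium indicator alone is not enough

function analyzeScript(source) {
  const hits = [];
  let score = 0;
  for (const [name, pattern, weight] of INDICATORS) {
    if (pattern.test(source)) { hits.push(name); score += weight; }
  }
  // Packed payloads are dominated by punctuation and escapes; hand-written page
  // scripts are not. Only applied to scripts long enough for the ratio to mean anything.
  const symbols = (source.match(/[^A-Za-z0-9\s]/g) || []).length;
  if (source.length > 200 && symbols / source.length > 0.45) {
    hits.push('high-symbol-ratio'); score += 2;
  }
  return { score, hits, block: score >= BLOCK_THRESHOLD };
}

// Constructed benign page script, the kind a site legitimately ships.
const BENIGN_SCRIPT = `
  document.addEventListener('DOMContentLoaded', function () {
    var items = document.querySelectorAll('.comment');
    for (var i = 0; i < items.length; i++) { items[i].classList.add('loaded'); }
  });
`;

// Constructed imitation of an exploit-kit loader: the real code only exists as a
// %xx-escaped string and materializes inside eval(unescape(...)). The hidden
// payload here is a harmless alert, not an exploit.
const hidden = 'alert("decoded")';
const escaped = Array.from(hidden, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const OBFUSCATED_SCRIPT = `var s = "${escaped.repeat(4)}"; eval(unescape(s));`;

console.log('benign    :', analyzeScript(BENIGN_SCRIPT));
console.log('obfuscated:', analyzeScript(OBFUSCATED_SCRIPT));
```

This is a heuristic, which is exactly the trade-off the thread is about: a loader written without eval/unescape (or one that stages the decoder through setTimeout with a string, or a JSFuck-style encoding) slips through, and a legitimately packed library can trip it, so the threshold needs tuning against the sites you actually visit. Its value rests on the observation made later in the thread that kit operators rarely re-obfuscate their landing pages.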
     
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Please, not that snob song again.
     
  4. @Brummelchen

    AVG LinkScanner is neither WOT nor McAfee; it filters JavaScript, which is something different from filtering URLs. There is one website for every living human on earth. So a URL filter with 6 million bad URLs only covers 0.1% of all websites on earth. AVG LinkScanner has less than 3000 fingerprints. That is why AVG LinkScanner has an advantage over URL filters. This does not mean that AVG has an advantage over other AVs; Avast, for instance, also had a script filter which is now integrated in the web shield. The innovation of Exploit Labs (bought by AVG) is now probably used by most premium (and/or) innovative AVs.

    The same numbers game is the reason why EMET/MBAE/HMPA have an advantage over AVG LinkScanner: they block maybe 5 types of intrusions head on and guard maybe 20 or so road blocks which exploits have to pass to succeed in their intrusion. The cost of developing a new evasion around a road block is high in terms of knowledge and research hours (it is really hard to exploit a bug in a predictable way). The cost of developing a new way to trigger an exploit (kit) is less, but as my test indicates, people using the exploit kits have script-kiddie-like knowledge, no deep hard-core hacking skills. So in practice a JavaScript filter is pretty effective (LinkScanner with January 2013 sigs still blocked 90% of the exploits of October 2014).

    1. URL filter: blocks known websites which host malware (= 70 to 75% coverage of known malware sites by Microsoft and Google; as said, a numbers game, so MS and Google are best, next Avast and BD based on number of users)
    2. Only allowing scripts from a few top-level domains (e.g. allow only COM, EU, NL domains in Chrome) blocks 80 percent of the URLs listed in Malware Domains, for instance (depending on your home URL = 80-90% coverage of known URLs)
    3. Sanitizing JavaScript: AVG LinkScanner-like solutions prevent known ways to trigger an exploit kit (90-95% coverage)


    Difference between AVG LinkScanner and, for instance, WOT and other web-browser based plug-ins: the JavaScript is filtered in LinkScanner before it is executed in the browser. That is the reason AVG also throws a warning for exploits which don't work in a specific setup (tested with Chromium, it popped up for ActiveX exploits, for instance).

    Intercepting EVAL is only one of the ways. Sanitizing JavaScript code is a well-known way to reduce the attack surface: research.microsoft.com/pubs/141930/tr-1-11-11.pdf So "extra code is extra attack surface" does not apply here, since script sanitizing is an attack surface reduction mechanism, and I don't see how active content (e.g. JavaScript) in the browser would get access to AVG LinkScanner.
     
    Last edited by a moderator: Oct 10, 2014
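The three layers in the numbered list above (URL filter, top-level-domain allow-list for scripts, script sanitizer), as an added example that is not from the thread, from AVG or from Chrome: one decision function for a script URL that applies a domain blocklist first, then a TLD allow-list, and hands whatever survives to a script sanitizer instead of trusting it. The blocklist text, the allowed TLDs and the URLs are constructed; parseDomainList, isBlocklisted and decideScript are illustrative names, not any product's API. Run it with Node.

```javascript
// Added example, not code from the thread or from any AVG/Chrome product: the
// three layers above expressed as one decision for a script URL, in the order a
// browser-side filter would apply them: (1) a domain blocklist (the "URL filter",
// e.g. a Malware Domains style feed), (2) a top-level-domain allow-list (the
// "only allow COM, EU, NL" Chrome setting), (3) anything that survives is handed
// to the script sanitizer rather than trusted. The blocklist, allow-list and
// URLs are constructed for illustration.

// Constructed blocklist in plain domain-list format: one domain per line, # comments.
const BLOCKLIST_TEXT = `
# constructed sample feed, not a real one
bad-kit.example
evil-ads.example
`;

function parseDomainList(text) {
  const domains = new Set();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim().toLowerCase();
    if (line) domains.add(line);
  }
  return domains;
}

// A listed apex domain also covers its subdomains: check the host and every parent.
function isBlocklisted(host, blocklist) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

function topLevelDomain(host) {
  const labels = host.toLowerCase().split('.');
  return labels[labels.length - 1];
}

function decideScript(scriptUrl, allowedTlds, blocklist) {
  let url;
  try { url = new URL(scriptUrl); } catch { return { action: 'block', reason: 'unparseable URL' }; }
  // data:, javascript: and blob: script sources bypass any host-based filter, so refuse them outright.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { action: 'block', reason: `scheme ${url.protocol} is not http(s)` };
  }
  const host = url.hostname;
  if (isBlocklisted(host, blocklist)) {
    return { action: 'block', reason: 'URL filter: domain is on the blocklist' };
  }
  // An IP-literal host such as 203.0.113.5 has "5" as its last label and is
  // rejected here too, which is the desired behaviour for script sources.
  const tld = topLevelDomain(host);
  if (!allowedTlds.has(tld)) {
    return { action: 'block', reason: `TLD filter: .${tld} is not on the allow-list` };
  }
  return { action: 'scan', reason: 'passed URL and TLD filters; hand to the script sanitizer' };
}

const BLOCKLIST = parseDomainList(BLOCKLIST_TEXT);
const ALLOWED_TLDS = new Set(['com', 'eu', 'nl']);

for (const u of [
  'https://bad-kit.example/loader.js',
  'https://cdn.evil-ads.example/ad.js',
  'https://static.example.ru/app.js',
  'http://203.0.113.5/x.js',
  'data:text/javascript,alert(1)',
  'https://cdn.example.com/app.js',
]) {
  console.log(u, '->', decideScript(u, ALLOWED_TLDS, BLOCKLIST));
}
```

Two caveats the numbers game hides: a TLD allow-list says nothing about the host under that TLD (any .com is let through, which is why the last step is "scan", not "allow"), and for countries with second-level registries such as .co.uk the last label is the whole country, so allow-listing "uk" allow-lists every .co.uk site too.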
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    @ Windows_Security

    So what are you saying, do you prefer AVG LinkScanner over tools like MBAE and HMPA? :)
     
  6. No, the numbers game is to their advantage.

    Best is code hooking (30 or so 'roadblocks' to watch)
    MBAE, EMET and HMPA are best (the limited number of roadblocks they have to watch) in blocking all known exploits.

    Better is script filtering (3000 script codelets to watch)
    When you don't want MBAE because you prefer another solution more (f.i. SBIE), script filtering is pretty effective in blocking all known triggers to exploit kits. In theory this can be easily circumvented, but the bad guys using exploit kits don't seem to be able to obfuscate/alter the JavaScript samples accompanying the exploit kit. Proof is that AVG LinkScanner with 1.5-year-old sigs is still able to block 90% of the samples of f.i. Malware Domains. Other AVs might also have implemented this (Avast f.i. had a separate script filter).

    Good is URL filtering (3,000,000 bad URLs to watch)
    In numbers they have a more difficult game to play (there are over 6,000,000,000 websites). They still manage to block 70-80% of the known bad URLs, which is pretty good. When a URL filter has 3 million URLs, it still only covers a fraction of the possible threat vectors. We don't know what we don't know, but it is too good not to use it.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    @ Windows_Security

    Thanks for the feedback. Personally, I'm not into real-time scanners and URL filtering at all, so I'm sticking with tools like HMPA/MBAE. :)
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    One could also just whitelist the URLs they want and default-deny the rest. Of course the inconvenience of trying to manage this is not practical for most, but for those with spartan needs, this approach would be by far the most secure. Maybe this could work for your 74-year-old aunt?
     
  9. @wat0114

    I am glad she is on Ubuntu with XP skin/impersonation and uBlock, Bitdefender TrafficLight and Chrome's built-in features. It was complicated enough to move her away from XP and Office 2000 :)
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Nice setup for her. Chrome on Linux's sandbox with the uBlock extension will alone provide tremendous security.
     
  11. Could not agree more. Am using EMET 5.0, all configured, max security settings, web browser is Mozilla with NoScript, and Sandboxie. I really do think that I am just as well off as I would be using Linux... I have clicked on some risky websites on purpose, just to see what would happen. Nothing happened. I have checked with a variety of things, like Kaspersky TDSSKiller, for instance. Always comes up clean.
     
  12. Okay going to do a long test, with this setup:

    - Windows image and SyncBackFree data backup to NAS for disaster recovery
    - Firewall 2-way, disabled risk-ware services (no remote/no assistance/no shared)
    - UAC block unsigned, GPO block user autoruns, SRP block user-space/script execution
    - Harden rich-content processing applications with EMET and NSA/SANS GPO templates
    - OpenDNS phishing filter, Chrome/IE Safe Browsing URL filter, AVG LinkScanner script filter
     
    Last edited by a moderator: Oct 17, 2014
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "Evaluating the Effectiveness of Current Anti-ROP Defenses" (2014):
    Download: hxxp://www.hgi.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2014/05/09/TR-HGI-2014-001_1_1.pdf .

    ----------

    From paper "Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection" (2014):
    Download: hxxps://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf .

    ----------

    "Test the Effectiveness of the Enhanced Mitigation Experience Toolkit Using Well-known Attacks on Well-known Binaries" (2014)
     
  15. Don't need EMET in Chromium; with these precautions they probably don't reach the JavaScript engine. Of course HTTPS or NoScript have a default block, but I don't want to spend time whitelisting websites; these extensions provide a set-and-forget security layer.
     
  17. Yep, it is the latest (I also have no database version displayed). You could add ScriptBlocker for Chrome and use only one non-intrusive part of its functionality.
     
  18. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    :thumb: Is there a similar setting for NoScript on Firefox?
     
  20. AVG Safe Search was part of AVG LinkScanner, which made it slow down the browsing experience somewhat. AVG has made Safe Search a search engine (powered by Google) to use the power of its DNS server park (using no computer power). AVG LinkScanner is offered as a fallback scenario (when you uninstall AVG). It is a stand-alone program based on a defense module (version 2015 proves it is still developed, IMO).
     
    One of the benefits of NoScript was that it also filtered third-party scripts. When you use NoScript, your third-party scripts should be handled and taken care of. The nice thing about ScriptBlocker is that it is a simplified version of NoScript. I am using only one feature, which is as simple to use as blocking third-party cookies, needs no whitelisting and does not break browsing functionality (normally you don't need third-party scripts).

    Brummelchen, you did install an additional add-on to protect against the EVAL function, see http://www.dslreports.com/forum/r26131393-NoScript-Trick-Kills-Obfuscated-Javascript-Exploits-Dead . I would really consider changing browser; Chrome does this by default (https://developer.chrome.com/apps/contentSecurityPolicy). This post explains it all: http://www.howtogeek.com/165264/heres-why-firefox-is-still-years-behind-google-chrome/
     
    Last edited by a moderator: Nov 3, 2014
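The Content Security Policy point in the post above ("Chrome does this by default"), as an added example that is not from the thread, from Chrome or from the linked pages: a checker that parses a Content-Security-Policy value and reports whether eval, inline scripts or arbitrary hosts are still permitted, applied to a constructed weak policy next to a hardened one. Both policies and the nonce value are constructed placeholders; parseCsp and assessCsp are illustrative names. Run it with Node.

```javascript
// Added example, not code from the thread, from Chrome or from the linked article:
// a checker for the Content Security Policy mechanism mentioned above. Chrome
// apps and extensions get "script-src 'self'" by default, which forbids eval()
// and inline scripts; an ordinary web page gets that protection only if the server
// sends a Content-Security-Policy header. The two policies below are constructed:
// the first is the kind of "we added CSP" header that still permits everything an
// exploit kit needs, the second the hardened form.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // the spec says a repeated directive is ignored, so the first occurrence wins
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function scriptSourceList(directives) {
  // script-src falls back to default-src; with neither, scripts are unrestricted
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function assessCsp(policy) {
  const sources = scriptSourceList(parseCsp(policy));
  if (sources === null) {
    return { evalAllowed: true, inlineAllowed: true, anyHost: true,
             issues: ['no script-src or default-src: scripts are not restricted at all'] };
  }
  const s = sources.map(v => v.toLowerCase());
  const evalAllowed = s.includes("'unsafe-eval'");
  const hasNonceOrHash = s.some(v => /^'(nonce-|sha(256|384|512)-)/.test(v));
  // CSP level 2 and later: a nonce or hash in the list makes browsers ignore 'unsafe-inline'
  const inlineAllowed = s.includes("'unsafe-inline'") && !hasNonceOrHash;
  // '*', a bare scheme, or data: lets an attacker-controlled host or data: URI supply scripts
  const anyHost = s.some(v => v === '*' || v === 'http:' || v === 'https:' || v === 'data:');
  const issues = [];
  if (evalAllowed)   issues.push("'unsafe-eval': eval()/new Function() run, so obfuscated loaders still work");
  if (inlineAllowed) issues.push("'unsafe-inline': an injected <script> or event handler runs");
  if (anyHost)       issues.push('wildcard/scheme source: scripts may load from any host or data: URI');
  return { evalAllowed, inlineAllowed, anyHost, issues };
}

// Constructed weak policy: present, but nothing an exploit kit needs is denied.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
// Constructed hardened policy: the nonce is a placeholder; a real one is random per response.
const HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-c29tZXJhbmRvbQ=='; object-src 'none'; base-uri 'none'";

console.log('weak    :', assessCsp(WEAK_CSP));
console.log('hardened:', assessCsp(HARDENED_CSP));
```

The practical point for the thread: a browser-side eval blocker protects every page you visit, while CSP protects only pages whose owners send a tight policy, and a policy that carries 'unsafe-eval' or 'unsafe-inline' gives an exploit-kit landing page nothing to work around.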
  22. Reading back, it says SCRIPTS very clearly; preconditioned mind (I had just read a paper on 1-pixel tracking tags). Obviously enabling uBlock's third column blocks third-party scripts as shown in the picture, my bad :blink:
     
    Last edited by a moderator: Nov 5, 2014
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    My issue is I can't break any pages. Too many people here depend on too many pages. So I need to take network level precautions when possible, and ensure nothing is broken all the while. Popups won't work around here as well.
     
  24. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I couldn't find a stand-alone link for a new version of LinkScanner, so I downloaded the 2015 anti-virus and then couldn't see how to disable the anti-virus portion, so I went to uninstall it in Programs and Features because it doesn't show up in Revo Uninstaller.

    Anyway, when uninstalling it, it pops up and says why not just keep LinkScanner, so I did, and it installed LinkScanner only, which is what I wanted.

    It doesn't slow down my browsing at all. I also use MBAE beta no conflicts.
     
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Kees, I decided to use uBlock to block scripts. The third box from the left. I have them both dull red, and for comments on some sites I have to turn the top box gray to allow those scripts.

    So do I have that correct? There is also the option to turn the top box dark red, but I'm not sure exactly what that is.

    Are frames such an issue? Should I also have those dull red as you do? I notice on this site, for instance, blocking frames makes the page all messed up size-wise.

    Thanks
     