HTTP scanning and real world protection provided by AVs

Discussion in 'other anti-virus software' started by Gullible Jones, May 11, 2010.

Thread Status:
Not open for further replies.
  1. Just something that came to mind today: tests of AV heuristics and signature detection might not be a good indication of how effective an AV is in real life.

    A fair amount of malware is spread by USB sticks, where that sort of thing would come into play. But as far as I know, the majority of it comes from the web via drive-by downloads (as I've mentioned previously).

    So... I'm thinking the real world efficacy may depend heavily on how good the AV's HTTP scanning is. Not in the least because, once malware actually executes, it can bypass most antiviruses.

    An example: from what I understand, Avira and AVG both have HTTP scanners. Let's say Avira is the better one at recognizing malware in tests (IIRC it is). Okay, fine, it's probably better at detecting malware on the hard drive or on removable media, or maybe even nabbing it when it executes.

    But suppose Grisoft has put a lot more effort into making LinkScanner better. Couldn't this really turn the tables? If AVG is better at finding malicious scripts on web pages before they do their dirty work, it will (I think) have a higher chance of actually preventing the damage from occurring, even if it's not as good against malware on execution, or at detecting inactive malware on a storage medium.

    Has anyone done tests of antiviruses based exclusively on their HTTP/web scanning ability, to ascertain what really works best for preventing badware from touching a machine in the first place? If so, what AVs came out on top? And does what I'm saying even make sense? :p
     
  2. OlegSych

    OlegSych Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    43
    Location:
    Kiev, Ukraine
    +1
    What we see in 0-day tests: many AVs block malware by blocking the whole website. But will all PE samples from this site be detected (for example, if the AV was installed when the system was already infected)?
     
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I'd go with Avast Web Shield for HTTP scanning. ^^
     
  4. Somehow I'm not surprised.

    Re Avast I don't know how good its HTTP scanning is, it seems to be less featureful than AVG LinkScanner but beyond that I'm not sure.
     
  5. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I guess nowadays each and every AV provides you with some kind of HTTP scanning!!

    And if anything bypasses your security setup, then you can't do much... You have to remove it then by using second-opinion scanners.
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Avast doesn't show site ratings, unlike AVG LinkScanner,
    but based on experience Avast WebShield HTTP scanning is better than AVG LinkScanner.
     
    Though really, all of them seem to be absolutely terrible against rogue AV auto-installs. I was recently in a discussion with a fellow who got Antivirus XP 2010 or some such, and Avast didn't even see it coming.
     
  8. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I think it will! If he also has Network Shield enabled, an up-to-date one!
     
  9. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    I think HTTP scanning may add some protection for vendors (depending on the vendor). Trend Micro has great web protection but can't always detect the threats from the site it blocked.
     
  10. He probably did, it is enabled by default.
     
  11. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Scanning for PUPs isn't enabled by default and that may have an effect.
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'd love to hear an explanation from Avira and Avast as to why neither of them enable PUP monitoring by default.o_O
     
  13. ... Yeah. So would I. To be brutally frank, that is STUPID.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have a friend who uses AVG LinkScanner to stay out of risky places and really appreciates IE8 SmartScreen and the download checker. As AV he uses Avast (behavioral and file shield), because Avast has safe mode scanning and acquired a lot of knowledge from GMER. He also argues that Avira often turns out best, but he trusts AVG LinkScanner more for prevention; the same applies to removal, where he has more trust in Avast safe mode scan and GMER knowledge.

    The problem with these setups is that they are intellectual exercises: it makes sense, but it is hard to find proof or tests to back this up.

    Regards Kees
     
  15. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    umm.. maybe to avoid FPs?:shifty:
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Using Avira Personal I've found its heuristics are excellent at intercepting malware/scripts etc. before anything actually gets downloaded to do any damage :thumb:

    This is without a so-called HTTP scanning engine, because it's not included in the free version. Never found the need for it with Avira's heuristics, even when I used the full version, so no potential slowdowns :)

    GMER, as good as it is, is only an after-the-fact app. Prevention is always better :D
     
  17. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    HTTP scanning is overkill IMHO. The file scanner will intercept and prevent the creation of the malware file on disk and that is enough. Other than F-Secure's scanning method (it doesn't use a proxy), the HTTP scanner's proxy will also greatly diminish your ability to control outgoing connections with your firewall.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, for anyone containing the browser (DefenseWall, Sandboxie, OA free Run Safer, Prevx SafeOnline, etc.) or using Chrome with --safer-plugins, I agree.

    Regards Kees
     
  19. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    +1

    I agree with you, there is no need for HTTP scanning if you have a real-time file scanner, because it will definitely intercept any malware which is creating itself on your hard disk drive... Secondly, you can configure SRP or AppLocker to be safe from drive-by malware.

    No need to have HTTP scanning; it will surely slow down your browsing...
     
  20. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    But it won't prevent malicious code, injected by an exploit on a crafted webpage into your browser's memory, from running. OK, maybe it wouldn't be able to create its files on disk to be started next time (provided the file on disk is actually detected by the antivirus, which it may or may not be, independently of whether the exploit itself is detected), but since it's running, it's able to send your private data out. But if you're OK with it... enjoy ;)

    I believe you should make clear (for yourself) what exactly is classified as a PUP first.
     
  21. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    This is why I really enjoyed the "Dynamics" test done at AV-Comparatives... do a search in their tests for Dynamics 2009. It's more "real world", such as you suggest.

    This is also one of the reasons I believe in UTM appliances at the edge of a network, like Untangle... especially business networks. Gone are the days of just a plain NAT router. Have a UTM appliance that gets the scanning done at the gateway, using its own processor, not adding a performance hit to workstations.
     
  22. ALiasEX

    ALiasEX Registered Member

    Joined:
    Mar 30, 2010
    Posts:
    240
    I couldn't post this last night after I typed it. Here it is unchanged:

    "Has anyone done tests of antiviruses based exclusively on their HTTP/web scanning ability"

    No but they have conducted tests using all components provided by the tested products to see "what really works best for preventing badware from touching a machine in the first place?" Unfortunately, they have been limited so far.

    Only 100 samples:

    http://av-comparatives.org/comparativesreviews/dynamic-tests

    Missing some popular vendors:

    http://blogs.pcmag.com/securitywatch/2009/12/av-testorg_releases_real-world.php
     
  23. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    So here you would like to say that HTTP scanning will prevent you from these kinds of crafted webpages and drive-by malicious code... I don't think this will protect you either. I do not agree with this at all....
     
  24. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I wanted PCA to get an HTTP scanning feature so PCA gets more complete :D
    But Pbust said it wasn't going to be added any time soon, unfortunately :( .
     
  25. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Whether it protects you or not, that depends on the particular exploit, antivirus, etc. But it could protect you, yes.

    What I'm trying to say is that you are wrong if you think everything has to be written to disk; the malicious action may occur in memory only, where the file scanner cannot protect you, no matter how good it is.
     