HTTP scanning and real world protection provided by AVs

Discussion in 'other anti-virus software' started by Gullible Jones, May 11, 2010.

Thread Status:
Not open for further replies.
  1. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    The same can apply to HTTP scanners too... It really depends upon the particular exploit or code.
     
  2. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    So you're saying that the antivirus itself can be vulnerable... well, sure, but if you trust the antivirus scanner less than your browser, then you should probably change your antivirus ;)

    Scanning of the HTTP stream for viruses certainly contains less code (i.e. fewer possibilities of an exploitable bug) than the whole browser (where the vulnerability can occur anywhere "higher", not just in the HTTP processing - in the rendering of the HTML elements, in the JavaScript engine, in any plugins or addons loaded into the browser's process - Flash, Acrobat, ...) - so I'd rather take the chances with the antivirus scanner.
     
  3. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    See, what I want to say is that even a good HTTP scanner can be bypassed... This is not rocket science for malware writers. And once their code bypasses this thing they can do what they want to do... A very good example is FUDs and crypters, which are very well written to bypass all these scanners and sandboxes... :ninja:
     
  4. Bypass scans yes. Bypass sandboxes, not so easily AFAIK. An encrypted trojan may be able to avoid detection by an AV scan but if it's executed in a sandbox, it's still in the sandbox when it runs, encrypted or not.
     
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    right
    :isay: :thumb:
     
  6. ... Or not. I just read a raymond.cc article mentioning "crypters" that could force their way out of a sandbox. Probably not ITW but :eek:
     
  7. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    They cannot bypass them, but refuse to run inside them... :)
     