IMON's HTTP compatibility settings...

Discussion in 'NOD32 version 2 Forum' started by Joliet Jake, Apr 5, 2006.

Thread Status:
Not open for further replies.
  1. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
  2. vince35

    vince35 Registered Member

    Joined:
    Apr 15, 2005
    Posts:
    55
    Location:
    France (Breizh)
    Hi

    It is strongly recommended to set all these components to "Higher Efficiency".

    With "Higher Efficiency mode", NOD will scan with more accuracy for trojans, dialers and other backdoors... :thumb:

    "Higher compatibility" is only required if you encounter issues with an application, but it decreases NOD's accuracy :thumbd:
     
  3. Joliet Jake

    Joliet Jake Registered Member

    Thanks Vince. :)
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I wouldn't set streaming media players and possible download managers to HE mode or they won't work properly.
     
  5. Caine

    Caine Registered Member

    Joined:
    Nov 11, 2005
    Posts:
    63
    If the recommended safest setting is for everything (with small exceptions like Marcos pointed out) to be higher efficiency then how come the default appears to be higher compatibility?

    Would it not be better to switch the default to the safer setting and if problems appear then the setting can be sought and switched?

    Just saying, since as a newbie, I only noticed that nearly all the entries in mine were 'higher compatibility' and would have gone unnoticed had I not happened on this thread.
     
  6. Marcos

    Marcos Eset Staff Account

    They used to be set to HE by default with the exception of some streaming players and download managers, but a lot of users were complaining about it.
     
  7. Caine

    Caine Registered Member

    Weird that you would complain about a setting that's inherently safer. Surely it's better to be too safe, rather than sorry, no? Well I've set them all to HE now.

    If it's not too much trouble could someone give a list of the entries that appear which would benefit from being at HC rather than HE? Please? :D
     
  8. Joliet Jake

    Joliet Jake Registered Member

    OK, thanks, switched them back.
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Because "Higher efficiency" mode can cause a lot of problems, such as images and/or web pages failing to load for no apparent reason.
     
  10. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    I don't see the need for higher efficiency mode in Gecko based browsers, they rename files as they are cached anyway. "IE only" scripts have no effect on Firefox.
     
  11. nameless

    nameless Registered Member

    Firefox, et al. can still get hit by malicious JavaScript and other files. They aren't invulnerable.
     
  12. Elwood

    Elwood Registered Member

    All I can say is that it hasn't happened to me since I've used Gecko based browsers, since mid 2001.

    I do keep current with versions as they come out and I don't allow Java (I know it isn't javascript) to run except when I wish it to.

    Send me to a site via pm that can exploit Firefox. I've yet to see it.

    [added]

    Probably about to call it a day, I'll be here in the morning. ;)
     
    Last edited: Apr 6, 2006
  13. nameless

    nameless Registered Member

    It's great that it hasn't happened to you, but please, don't try telling me that Firefox or Mozilla is impenetrable. Firefox has had a number of vulns related to JavaScript. Just a few of them are:

    http://secunia.com/advisories/18700/
    http://secunia.com/advisories/17934/
    http://secunia.com/advisories/16911/
    http://secunia.com/advisories/16043/
    http://secunia.com/advisories/15549/
    http://secunia.com/advisories/15489/
    http://secunia.com/advisories/15292/
    http://secunia.com/advisories/14938/
    http://secunia.com/advisories/14654/
    http://secunia.com/advisories/14160/

    I also know of a URL that can crash your system within seconds, using a malicious JavaScript that runs in Firefox or MSIE. What it does is very simple (it uses "fork bomb" loops, launching many mailto: links at a time), but that can be enough to ruin your day. I'm not going to post or send this URL, even via PM, for obvious reasons (I can't believe you asked me to do so!). But you can find it by searching for "last measure" on Wikipedia. (Incidentally, last I checked, NOD32 didn't catch "Last Measure", even though Eset knows about it.)
     
  14. Elwood

    Elwood Registered Member

    My ISP is having trouble this morning, but if what I suspect is true, all those vulnerabilities are old and were fixed within days of their discovery and most if not all had almost immediate workarounds that would prevent their exploitation.

    No software is perfect, AFAIK, but SeaMonkey and Firefox are very safe.

    After my ISP fixes their problems, I'll search for your browser crasher exploit, but I think this was fixed when 1.5 was released (now at 1.5.0.1). This to me would not be serious unless there is a way to execute code via the vulnerability and I don't think anyone knows how to do that even if it can crash Firefox or SeaMonkey (1.0); which I'm not at all sure of.
     
  15. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    Exactly correct, Secunia only shows two current unpatched vulnerabilities of low criticality.
     
  16. Elwood

    Elwood Registered Member

    I looked up "Last Measure", I don't plan to visit the site to find out, but I feel sure this pref negates the "vulnerability":

    privacy.popups.disable_from_plugins

    You could add this integer pref in any version of Firefox from 0.7 onward and set the value to 2 to disallow this type of exploit, but 1.5+ has this as a default setting.

    Seems to be a very distasteful site from what I read.

    Yep and one of those is Mac version only and is minor and the other is very minor and if you know how to handle cookies, it's of no consequence whatsoever. There is even argument, I believe, whether this "cookie" one is a vulnerability at all.
     
  17. nameless

    nameless Registered Member

    My only point was that there is a reason to use anti-malware software that can catch malicious web content before it is passed to Firefox. How fast the Mozilla team responds to known vulns is absolutely beside the point. Your original statement was not that Firefox doesn't need malicious web content defense because they patch their flaws quickly. Rather, you said:

    Which, sorry, was incorrect. Malicious JavaScript can affect Firefox, and renaming and caching have nothing to do with it.

    Then, you said:

    I have now shown you one, but the argument has shifted from how important "High-efficiency mode" is to "they patch their browser holes quickly".

    That setting alone does not prevent the "Last Measure" exploit. My setup is with privacy.popups.disable_from_plugins set to 2 (which does seem to be the default), yet I was able to reproduce the exploit with Firefox 1.5.0.1. Disabling JavaScript does prevent the exploit. This is good to know, but again, that's beside the point. I know it's a good practice to surf with JavaScript disabled, but the point isn't browser configuration, it is the fact that detecting malicious web content before it is passed to Firefox can be beneficial.

    Maybe the aforementioned setting would help if you have popup-blocking enabled in Firefox. I do not have Firefox configured that way, because I hate the way Firefox screws up requested popups. I use Ad Muncher to block popups. Again, browser configuration is beside the point. The fact that blocking this malicious web content before it gets to Firefox makes undeniable sense is the point.

    No, it affects 1.5.0.1 as well.

    It can easily crash your entire system, causing data loss, stress, and aggravation. (Not to mention how bad it can make you look if it does manage to send those malicious email and news postings out.)

    Here's a nice bottom line: When I tested the "Last Measure" exploit with Firefox 1.5.0.1 and Kaspersky Anti-Virus 6.0 beta, the script was stopped before doing any harm. With NOD32/IMON and "High-efficiency mode", the result probably would have been the same, had NOD32 detected the script (which it did not). But with NOD32/IMON and "High-compatibility mode", the script would have run and done its harm, even if NOD32 did detect it.
     
  18. Elwood

    Elwood Registered Member

    I'm not going to argue semantics with you. I only know from experience, you probably won't have any malware problems, if you have a little common sense and use Gecko based browsers.

    I'll probably search up Last Measure again. I didn't really want to even see the site, but I guess I have to.

    [added]

    All I get is "Firefox has prevented this site from opening pop ups" (or similar).
     
    Last edited: Apr 7, 2006
  19. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Firefox is no end-all fix for malware picked up by surfing the internet. It has fewer known exploits, is targeted less and is less integrated into the OS, but it is still vulnerable to some extent. Therefore, it is advisable to set your browser to higher efficiency as long as it does not interfere too much with your surfing speed.
     
  20. Elwood

    Elwood Registered Member

    Okay, guys, I give up.

    Almost 5 years without any malware problems or any detected proves nothing.

    A storm approaches, check y'all later.
     
  21. SSK

    SSK Registered Member

    I have the same experience with IE :)
    Indeed, it proves nothing in general. It proves that we are careful (even when surfing the dark side :D ).
     
  22. Elwood

    Elwood Registered Member

    I don't use any "kill bit" setters (SpywareBlaster, SSD's immunize function), no anti-spyware protection at all. I don't even know how to use IE's zones, LOL! :D

    I'm not that careful, I don't disable active scripting, the only thing I'm careful at all about is Java.

    I do research programs I plan to install for the possibility that they contain malware before installing them. That's it.

    I run AdAware and Spybot scans from time to time, also an online scan once in a great while, nothing is ever found. :)
     
  23. nameless

    nameless Registered Member

    I wasn't arguing semantics at all. I just wanted to point out that blocking malware before it is rendered is a good idea, regardless of browser, and didn't want the focus to change from that to a discussion of how you could potentially configure your way around the malware instead. (Configuration is obviously a worthwhile topic, but it was nonetheless beside the point.)

    Firefox 1.5.0.2 has just been released. While some of you were talking about known, announced vulnerabilities, and saying there is no need to block JavaScript before it gets to the rendering engine, here are the JavaScript-related vulns that were in fact present in Firefox 1.5.0.1, known to some people--but not us--and only just now fixed in 1.5.0.2:

    Crashes with evidence of memory corruption (rv:1.8.0.2) (Critical)
    http://www.mozilla.org/security/announce/2006/mfsa2006-20.html

    CSS Letter-Spacing Heap Overflow Vulnerability (Critical)
    http://www.mozilla.org/security/announce/2006/mfsa2006-22.html

    Privilege escalation using crypto.generateCRMFRequest (Critical)
    http://www.mozilla.org/security/announce/2006/mfsa2006-24.html

    Privilege escalation through Print Preview (Critical)
    http://www.mozilla.org/security/announce/2006/mfsa2006-25.html

    Security check of js_ValueToFunctionObject() can be circumvented (Critical)
    http://www.mozilla.org/security/announce/2006/mfsa2006-28.html

    -----

    Please don't feel like I'm getting on anyone's case. I'm not. There are no ad-hominem attacks here, and it isn't personal. Anyone who has read my stuff much knows I've said more than my share of stupid stuff... But this isn't one of them.
     
  24. Elwood

    Elwood Registered Member

    You also said that the Last Measure page could crash Firefox and/or my system which it couldn't. I've already installed 1.5.0.2. It's sensible to stay up to date.
     