Is http scanning (WebGuard) necessary?

Discussion in 'other anti-virus software' started by Defcon, Sep 6, 2007.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,969
    I like Avast a lot, but this is the general impression I got lately too, however, I'm on XP not Vista. The Avast http scanner is pretty good comparatively, but as someone above mentioned, I believe any http scanner will take its toll to some degree... I prefer to avoid them and use a HIPS if I'm concerned about protection....
     
  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    It's an interesting sounding product. It would be nice to have some real tests on it.
     
  3. Defcon

    Defcon Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    333
    Thanks for all the replies, but I still don't have a clear answer :( I guess it's a personal decision but my original question was because I have to decide whether to continue with free products or pay for Avira suite, and I still don't know if it's worth it.
     
  4. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Let me rephrase it:

    When you have a HTTP scanner, all malware that comes to your computer through HTTP traffic will be scanned, analysed (and blocked) *before* it is handed over to the browser. So if you are surfing on a web page with exploits on it which are directly executed in memory of the browser (such as ANI, WMF, JPG etc.), this is the only way to stop them before they activate - except using a HIPS. An on-access guard will eventually catch these files as well - AFTER the browser has parsed, displayed and executed them - too late! The on-access scanner only sees the browser cache files, not the traffic before.

    And guys, every HTTP scanner slows down your system. Stop that silly arguing! :) More scanning means more slow down. If you have a fast, modern machine with lots of RAM you might not notice it. But it is impossible to scan so many additional files without having an impact on your system. As a side note, the few HTTP scanners I tested so far cause the browser files to be scanned twice: first, the HTTP scanner module scans them and afterwards, the on-access guard again, when the browser stores the files into its cache. There is no good way to correlate these files, as the browser sometimes "adjusts" or manipulates the content it downloads.
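
The scan-before-forward step and the correlation problem described in the post above, as an added example that is not part of the original thread and not any vendor's code: the response body is decoded and matched before anything is handed to the browser, and the wire bytes hash differently from the decoded file. The function names, the one-entry signature list and the sample responses are constructed, and the cached copy is assumed to be the decoded body.

```python
import gzip
import hashlib
import zlib

# Constructed stand-in for a signature database: the marker text of the
# harmless EICAR test file mentioned later in this thread.
SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]
BLOCK_PAGE = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

def split_response(raw):
    """Split a raw HTTP/1.1 response into (headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def http_scan(raw):
    """Scan before forwarding; return (verdict, bytes handed to the browser)."""
    headers, body = split_response(raw)
    try:
        # Match against what the browser will parse, not the wire encoding.
        if headers.get(b"content-encoding") == b"gzip":
            body = gzip.decompress(body)
    except (OSError, EOFError, zlib.error):
        return "blocked", BLOCK_PAGE              # undecodable: fail closed
    if any(sig in body for sig in SIGNATURES):
        return "blocked", BLOCK_PAGE
    return "clean", raw                           # forwarded unmodified

def build_response(payload, compress):
    """Build a constructed sample response, optionally gzip-encoded."""
    body = gzip.compress(payload) if compress else payload
    encoding = b"Content-Encoding: gzip\r\n" if compress else b""
    length = b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    return b"HTTP/1.1 200 OK\r\n" + encoding + length + b"\r\n" + body

def wire_and_cache_hashes(payload):
    """SHA-256 of the wire body vs. the decoded file (assumed cache copy)."""
    _, wire_body = split_response(build_response(payload, True))
    return (hashlib.sha256(wire_body).hexdigest(),
            hashlib.sha256(payload).hexdigest())

if __name__ == "__main__":
    sample = b"<html>" + SIGNATURES[0] + b"</html>"
    print(http_scan(build_response(sample, True))[0])
    print(http_scan(build_response(b"<html>hi</html>", True))[0])
    print(wire_and_cache_hashes(sample))
```

Because the two hashes differ, a verdict keyed on the wire bytes cannot be reused when the on-access guard later sees the cached file, which is why the same content ends up scanned twice.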
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In case AV lab already knows its signature.
     
  6. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    Not necessarily; there is another way to stop them: using an Intrusion Prevention System, or a firewall with IPS.
    Case in point: Snort can be implemented in some open-source hardware, e.g. OpenWRT. Or using a personal firewall which supports Snort rules, e.g. Sunbelt/Kerio with NIPS.

    Now the question
    can only be answered by proof of concept, or a demo where a specific exploit is stopped by such mechanism.
    Until that day, IMHO it is not necessary.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Again, this would seem to imply that numerous antivirus products - including renowned contenders such as Symantec, McAfee, Trend Micro, AVG, Avira (which was then WebGuard-less) etc etc - were unable to stop the recent ANI exploit, among other things, since it'd already be "too late" when the resident scanners caught them. Strangely enough, this was not the case.

    There is, as far as I can see, a discrepancy between the claims of some AV experts and what I can observe is actually happening. I must be missing something here.
     
  8. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    I remember a similar discussion in another security community, where one member made a thread and uploaded a blank .jpg, supposed to be malware, but I couldn't verify this, as at the time I was reading the thread I had a fully updated Windows PC with a router and KIS with only File AV, Proactive and FW, and I was browsing with the latest Firefox with only the adblock ext (without noscript).

    Other members complained but I hadn't had any abnormality. Nowadays my arsenal is far more complete but I am often browsing with the above setup and I would really appreciate it if someone could point me to where I can test the above light setup with a jpg malware.
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Stefan, it's also very important HOW you scan the stuff. And not just in terms of file content scanning but how you handle for example large amounts of small JPG images, HTML files with bunch of javascripts and so on.
    You can scan them fast but if the parser is badly designed it's just as fast as the one with slow base scanner... something like multithreaded page scanning and forwarding to the browser.
     
  10. randomness

    randomness Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    9
    In my personal experience, all I've got from enabling various HTTP scanners (I've used many different AV products with such a scanner built-in) is a noticeable decrease in network performance. Every browser-related exploit/malware (especially the ones that use the iframe property) that I have personally experienced was always detected and stopped by a standard memory-resident scanner. So for me the webscanner (or any other kind of network scanner) is simply yet another redundant feature that the AV manufacturers try to add to their product just to distinguish it from the competitor's product and to attract more simple-minded customers (who base their purchasing opinion only on the list of the features that the particular product has). Of course that's just my personal subjective opinion based only on my own experience and you're free to disagree with it :D
     
  11. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Are http scanners necessary?

    No, I don't think they are.

    ---------
    Do http scanners add extra security?

    Yes, they do.

    I think most AVs will add http scanners, it's inevitable.

    Drweb will add one in their eagerly awaited V5.
     
  12. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    The answer is basically the same as the one to "are antivirus programs necessary?". Sure, you can do without, if you carefully obey other precautions...
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It's a different question entirely, I think. With HTTP scanners, you already have a realtime scanner in place. The question is, aside from detecting stuff earlier, if HTTP scanners add more security, and why.

    I like to think that folks in the antivirus industry are very pragmatic people out of necessity; they're not only in competition with the bad guys, but with each other as well. If all this talk about shellcodes and malicious code executed directly in memory by the browser is true and is as serious as it is implied to be, I would expect to see the major vendors incorporating a HTTP scanner by now, and the ones that don't, such as Symantec and McAfee, fail against a good number of exploits (in fact, make that ALL ITW exploits) and be well on their way to being out of business. For some reason, that scenario isn't happening - which brings into question whether the lack of a HTTP scanner has any effect on overall security and the effectiveness of an antivirus product.
     
    Last edited: Sep 8, 2007
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,969
    I've always felt that what is necessary or unnecessary depends on how one uses their machine. Simple as that. Some find extra features and protection necessary where others wouldn't. The http scanners seem to add a little more protection in that they may catch something trying to exploit an unpatched browser vulnerability, and they also can keep the offending stuff off the HD completely by stopping it before it hits the browser cache. Whether one needs this is always up to each individual user.
     
  15. Abeltje

    Abeltje Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    156
    Location:
    Netherlands
    I don't know about McAfee, but Symantec Norton does have some sort of web scanner. I do not know any details, I could hardly find information about it. I think it scans only executables. You can check with the eicar file, it will be blocked immediately when you click on it. In 08 they also have something called "Browser Protection" that should protect you from exploits, I believe. But as I said, there is hardly any information on how it works (at least I cannot find it), maybe so as to not give too much info to malware authors? Maybe also because Symantec is more intended for non-tech guys.
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,969
    NAV actually incorporates a portion of the firewall that you see in NIS and with that in place it then filters port 80 traffic looking for nasties.
     
  17. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    The answer to the question is simple.
    It's an individual's choice.
    Needs will vary.
     
  18. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    It's been said that I can be infected from a jpg file, just by browsing. I think it is not correct if I have updated windows, an updated browser, file AV and a firewall.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,969
    A lot of things are said, but I wouldn't lose any sleep over most of them. Odds are good that you're 99.9% fine, particularly if your internet habits are relatively safe and you don't go looking for trouble.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's correct. But keep these things in mind:
    - Almost all sites hosting drive-by exploits belong to the "dark-side" of the Internet. However, the number of legitimate sites which get hacked is increasing (Dolphins' website, Avast's forums, etc).
    - Most exploits target patched vulnerabilities and IE.
    - Most exploits use obfuscated JS to download executables.
    So, having an updated OS and applications (web browsers, mail clients, Java, media players, etc) and avoiding shady sites and IE (Opera and/or Firefox+NoScript) will keep you far away from encountering live exploits.
    Then, the tool you choose to protect against drive-bys (sandboxes, HIPS, web scanning) becomes of little relevance.
     
  21. Dogbiscuit

    Dogbiscuit Guest

    If this is the vulnerability to which you are referring, then you're mostly correct. Some Microsoft applications (such as Office, Visio, etc.) also need to be updated.
     
  22. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Here is what the WebGuard windows look like, if someone is interested. :) The websites are loading for me as fast as before with just a little hang of about one second right after I click the "Go" button.
     

    Attached Files:

  23. kalpik

    kalpik Registered Member

    Joined:
    May 26, 2005
    Posts:
    369
    Location:
    Delhi, India
    ^^ The site name is visible in the first screen shot ;)
     
  24. Dogbiscuit

    Dogbiscuit Guest

    So if the browser and the rest of the system are fully patched, wouldn't that make HTTP scanning much less necessary? Valuable for that time between when a vulnerability is discovered and is actively being exploited, and when the browser and/or system can be patched?
     
    Last edited by a moderator: Sep 10, 2007
  25. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    I believe so, http scanning is useful only before the browser is patched to defend against the malware.

    Suppose that half of the AVs include http scanning and half do not.

    The browsers' developers are aware of the fact that some of the users do not have http scanning, but they don't state that these users are vulnerable, because updates (for the browser and the OS) are released to defend against these vulnerabilities.

    Otherwise the http scanning would have been essential, now it is an extra precaution.
     