Real-time file system protection vs. HTTP scanning

Discussion in 'ESET NOD32 Antivirus' started by meschubert, Dec 23, 2007.

Thread Status:
Not open for further replies.
  1. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    Under the Internet browsers setup item, there are a couple of paragraphs before the list of applications that can be checked. The last sentence of the first paragraph says:

    "If an application is not marked as a web browser, data transfer may not be scanned". MAY? What are some example cases where it wouldn't be scanned if I have Real-time file system protection enabled? Is it just a matter of it potentially getting scanned prior to the file being created instead of after? If so, is that a big deal as long as the Real-time scanner detects it?

    Right now, I have Web access protection enabled but no applications checked in the Web browser's list. If I download a file from the Internet or even just sit and refresh Internet Explorer sitting on the Yahoo website, the File system protection counter will increment. If I try again after checking iexplorer.exe, the Web access protection counter will also increment.

    Is this the same data being scanned twice; once by the HTTP scanner, then by the Real-time file system protection scanner? Is there a value to this “double” scan where one may find something that the other doesn’t?
     
  2. ASpace

    ASpace Guest

    If the Real-time file system protection (eAMON) is enabled, it will scan the files as long as they are saved on the disk (this makes them scanned after being saved).

    Web access protection can prevent an exploit from executing in the web browser. For eAMON protection it will be too late, even though it will detect it.

    Yes, twice: once before being saved and once after that (on-created).
     
  3. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    Thank you for such a quick response. I guess this is the tradeoff you have if you effectively turn off HTTP scanning (proxy) to give more control to your firewall to prevent leaks.

    I would assume that these types of exploits depend on un-patched browser and plug-in flaws. If you are religious about keeping your software up to date, I guess it reduces the risk. Worst case is that you have to clean up after eAMON detects it.

    I guess the biggest loss could be if HTTP scanning would have caught it, and for some reason, eAMON misses it. I would assume that is possible due to separate implementations, even when working from the same basic signatures and heuristics algorithms.

    I am tempted to try this configuration, particularly since I have a HW firewall that also does similar on-the-fly AV scanning. Then again, it is based on ClamAV, so its detection may not be as good as NOD32 for HTTP scanning.
     
  4. daveiw

    daveiw Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    72
    Location:
    UK
    Another option is to choose 'Applications marked as Internet browsers and email clients' in the Protocol Filtering section of your nod setup. Then, manually mark your email client/browser software so that they are http(s) scanned and you still pass leak tests etc.

    Works well for me at least.
     